Need help fast - CPU for 1Gb/s
-
I need help to decide which CPU to go with.
I get 1Gb/s from my ISP to my router and i have around 10 computers/servers on my network.
So i need a firewall with 1Gb/s throughput while a couple of packages is turned on.
Im not going to use VPN that much, but im going to use squid, snort an other packages.Is the G4400 good enough for my requirement? (its cheap but mb need a better nic)
Or should i spend a litle more for the c2758? (everything in one board cpu/mb/nic)
I could even streatch me for a xeon e3 1245v5 or a lower modell, but is it overkill and a power drain? -
Price range?
New low end xeons are a bad idea, you would be better off getting an older server pull off of ebay which will always be cheaper and have better performance - new server cpus are a total ripoff.
Check http://cpubenchmark.net/ for single threaded performance in your price range, aim to get at least two cores and don't forget about AMD.
At that speed you will need quality network interfaces as well, forget about the embedded on motherboard ones they're almost always going to be garbage and this gives you more mobo choices; I would get your self a port 10gigabit ethernet pci-e server pull nic from ebay. (there's a couple different brands compatible with pfsense, check the freebsd list and search for those chipsets and your preferred access medium)
How do you receive your internet? Copper ethernet from the modem? Straight Fiber from the wall?
Is there anything else you may want in the future? Virtualization? Adv. Security Features? (no ME/PSP hardware backdoors that 99.9% mobos have) You're gonna blow change on this so you want to get something that'll last and that is capable of at least 2gbps.
EDIT:
I don't make any direct suggestions without a listed price range and what you want out of this (incl if you want quiet/almost quiet, etc), however I will say that the atom's are junk because of the bad single threaded performance and the g4400 is bad too because it has only two cores/threads. - the xeon you suggested is overkill and and a compatible motherboard will make this a very expensive router and suck down a lot of juice.Having everything embedded on one board is pointless and means you can't ever upgrade or add a wireless card, another nic, etc.
-
Price range?
New low end xeons are a bad idea, you would be better off getting an older server pull off of ebay which will always be cheaper and have better performance - new server cpus are a total ripoff.
Check http://cpubenchmark.net/ for single threaded performance in your price range, aim to get at least two cores and don't forget about AMD.
At that speed you will need quality network interfaces as well, forget about the embedded on motherboard ones they're almost always going to be garbage and this gives you more mobo choices; I would get your self a port 10gigabit ethernet pci-e server pull nic from ebay. (there's a couple different brands compatible with pfsense, check the freebsd list and search for those chipsets and your preferred access medium)
How do you receive your internet? Copper ethernet from the modem? Straight Fiber from the wall?
Is there anything else you may want in the future? Virtualization? Adv. Security Features? (no ME/PSP hardware backdoors that 99.9% mobos have) You're gonna blow change on this so you want to get something that'll last and that is capable of at least 2gbps.
My budget is around 6-700 for everything except chassi (already have a spare 2u just laying around).
Did a quick compare on the CPUs ive been looking at http://www.cpubenchmark.net/compare.php?cmp%5B%5D=2674&cmp%5B%5D=2564&cmp%5B%5D=2630
If im reading this right the xeon 1245 knocks everything out of the water but its also the most expensive one around 300dollars here.
last is the c2758 which comes with a MB and good Intel NIC for the same price range as the xeon cpu cost.
The g4500 was a a tiny bit better then c2758 in cpu mark, but singel thread mark its almost exactly the same as the xeon, but this cpu only cost 60 dollars and only have 2 cores/2 threads.
How importent is multi core/hyper threads? i supposed pfsense supported it and would take full advantage of it.My internet is fiber directly to the moden and CAT6a from there to my router and switch (pfsense is going to replace the router is what i had in mind since its a bottleneck. Stuff that uses the LAN alot is connected with fiber from the switch.
As it is my first pfsense i would like to future proof it a litle, there are certain stuff such as squid, snort etc that i want to use, but i might want to add other stuff later on. I wont use VPN alot, if i do ill use it when im on vacation in order to VPN directly to my network, so the bandwith on the VPN isnt something that i bother with.
-
At that speed you will need quality network interfaces as well, forget about the embedded on motherboard ones they're almost always going to be garbage…
I'm a bit more pragmatic about things and see no point in not trying the integrated interfaces to see how they work. On five motherboards I have only had issues with a single interface and on that mobo I'm still using the other interface.
Having everything embedded on one board is pointless and means you can't ever upgrade or add a wireless card, another nic, etc.
Not pointless for everyone. It saves money and, sometimes much more important in soho applications, physical size of case.
There's no way I could justify an old huge noisy and power-hungry server as firewall in my home applications. Luckily the world isn't only black and white and there's room for different solutions to different applications.
Wireless is in my opinion often much better implemented with APs separate from the firewall.
My main firewall is a mini-itx mobo in a very small case with a Xeon E3-1220L V2 and it manages the gigabit internet connection, Snort and two (max 100 Mbit/sec) IPSec-tunnels very well. I've never seen more than 50 % CPU usage on it.
-
@P3R:
At that speed you will need quality network interfaces as well, forget about the embedded on motherboard ones they're almost always going to be garbage…
I'm a bit more pragmatic about things and see no point in not trying the integrated interfaces to see how they work. On five motherboards I have only had issues with a single interface and on that mobo I'm still using the other interface.
Having everything embedded on one board is pointless and means you can't ever upgrade or add a wireless card, another nic, etc.
Not pointless for everyone. It saves money and, sometimes much more important in soho applications, physical size of case.
There's no way I could justify an old huge noisy and power-hungry server as firewall in my home applications. Luckily the world isn't only black and white and there's room for different solutions to different applications.
I agree, this firewall is going to be in my livingroom, so if i can keep the noize down its a huge plus.
Thtas why embedded cards are good, and since the 2758 comes with atleast 4 intel i350 NIC means that i wont be needing any additional NIC.@P3R:
Wireless is in my opinion often much better implemented with APs separate from the firewall.
WiFi is in my opinion a big security risk, so if it cant be plugged in it cant access my network.
@P3R:
My main firewall is a mini-itx mobo in a very small case with a Xeon E3-1220L V2 and it manages the gigabit internet connection, Snort and two (max 100 Mbit/sec) IPSec-tunnels very well. I've never seen more than 50 % CPU usage on it.
This is exactly what i need, raw data regarding performance and no speculations, thanks.
Based on your information, its souns like the e3-1245v2 is totaly overkill for a 1Gb/s firewall.
if im reading these test, are the g4500 even better then the 1220L? (does the HT have a huge impact on performance?)
http://www.cpubenchmark.net/compare.php?cmp%5B%5D=2630&cmp%5B%5D=2183
http://cpuboss.com/cpus/Intel-Xeon-E3-1220LV2-vs-Intel-Pentium-G4500 -
WiFi is in my opinion a big security risk, so if it cant be plugged in it cant access my network.
Yes wired is of course more secure but many devices (tablets and smartphones) today doesn't offer wired network connections so once again I'm being a bit more pragmatic. Wireless with WPA2 on a separate firewalled vlan is secure enough for my soho usage.
Based on your information, its souns like the e3-1245v2 is totaly overkill for a 1Gb/s firewall.
I agree.
if im reading these test, are the g4500 even better then the 1220L?
It's superior regarding single threaded performance due to it's higher clock. My aim with the build was low power and low noise and that's why I ended up with this CPU at the time.
(does the HT have a huge impact on performance?)
I don't think so but I don't really know.
-
@P3R:
WiFi is in my opinion a big security risk, so if it cant be plugged in it cant access my network.
Yes wired is of course more secure but many devices (tablets and smartphones) today doesn't offer wired network connections so once again I'm being a bit more pragmatic. Wireless with WPA2 on a separate firewalled vlan is secure enough for my soho usage.
I get that, which is why devices which cant be plugged in wont be able to connect to the LAN. They can access the internet but first they nee the password to login and their mac needs to be in my server over allowed devices. Once they have access they have a very limited bandwith and a firewall is inspecting the trafic and blocking certain stuff.
@P3R:
if im reading these test, are the g4500 even better then the 1220L?
It's superior regarding single threaded performance due to it's higher clock. My aim with the build was low power and low noise and that's why I ended up with this CPU at the time.
I dont care that much about power since its super cheap here. (100w running 24/7 cost $8/month)
Regarding noise i dont care that much about that as well since the servers are placed in anoher room, the only noize is going to be the CPU cooler which isnt that loud anyway. -
Or should i spend a litle more for the c2758? (everything in one board cpu/mb/nic)
Intel Xeon D-1518 would reach that Limit and is powerful enough to realize all your Needs.
I could even stretch me for a xeon e3 1245v5 or a lower model, but is it overkill and a power drain?
Its the best bet in that game at the Moment nothing beats a Xeon E3, it is really powerful and on top power saving too.
-
@BlueKobold:
Or should i spend a litle more for the c2758? (everything in one board cpu/mb/nic)
Intel Xeon D-1518 would reach that Limit and is powerful enough to realize all your Needs.
A D is overkill and overpriced.
I could even stretch me for a xeon e3 1245v5 or a lower model, but is it overkill and a power drain?
Its the best bet in that game at the Moment nothing beats a Xeon E3, it is really powerful and on top power saving too.
The E3 is also overkill. For this person's requirements (doesn't care about fanless/embedded) the G4500 is fine, or a couple of bucks more for a i3-6100 will get a little more clock speed & hyperthreading.
-
You could get an AMD Biostar AM1ML, that plus a nic and a AMD APU 5350 would run you about $70, low power consumption and you can run it fanless if you want.
It is what I have and it is great, there is no ME/PSP and you can install coreboot (free open source firmware replacement) on it.
https://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/Hey just so everyone knows it is possible to run even 140W server chips near quiet with a 4U tower cooler and large size fans at 100% cpu utilization.
-
Taiidan: I have bad experience with AMD so i rather stick with Intel.
VAMike: I agree that the D is to expensive.
I can get the i3-6300 for the same price as the 6100, would it be a upgrade or a downgrade?Just to clearify for the rest!!
I want 1Gb/s throughput on the pfsense. Im not interested in VPN but im going to use package inspection, filters and other stuff which i might not know about yet.
If i can get a embedded version, thats fine but not a requirement since i can always replace fans for a more silent one.
The performance is importent to me, but i like to keep the cost as minimal as possible. -
I can get the i3-6300 for the same price as the 6100, would it be a upgrade or a downgrade?
For the same price, no reason not to get the 6300.
-
Get the Xeon E3. The C2758 is OK for closer to 1gig throughput but E3 will give better performance with resource intensive packages like snort/suricata, while keeping up with 1gig throughput.
-
I can get the i3-6300 for the same price as the 6100, would it be a upgrade or a downgrade?
For the same price, no reason not to get the 6300.
sweet :)
Looking back on previus entry by P3R, how does this 6300 compare against the e3-1220L? it was running 1Gb/s using 50%, can i aspect the same or even better?Get the Xeon E3. The C2758 is OK for closer to 1gig throughput but E3 will give better performance with resource intensive packages like snort/suricata, while keeping up with 1gig throughput.
I want to be using snort and suricata is definitely something that i want.
Do you believe the i3 6300 can run those + purchase other packages that i dont know yet while keeping up with 1Gb/s? -
I would expect to see 1Gbps firewall and NAT throughput using any of those CPUs. Though it does depend on your traffic type. If you are passing all VoIP with tiny packets you might struggle.
Just to add a random number I can pass 1Gps firewall and NAT using iperf (not a real world test but….) in a box I have here running a Core2 E4500 from 2008. Intel NICs on that helps. The G4400 annihilates that in every test.
http://www.cpubenchmark.net/compare.php?cmp%5B%5D=2564&cmp%5B%5D=936&cmp%5B%5D=2634If you plan to add Snort or Squid or other packages then multicore becomes more important. The igb driver can use multiple CPU cores quite well. There become too many variables though when adding packages to give any sort of throughput estimate. If you need 1Gbps with Snort and a load of signatures then get the most powerful CPU you can.
Steve
-
If you plan to add Snort or Squid or other packages then multicore becomes more important. The igb driver can use multiple CPU cores quite well. There become too many variables though when adding packages to give any sort of throughput estimate. If you need 1Gbps with Snort and a load of signatures then get the most powerful CPU you can.
Thats what i though at first too, but i also liek to keep the cost down and not have to pay or overkill stuff which i wont take full advantage of.
on the topic of multicore, how come c2758 is the top of the line in pfsense store when xeon appear to be so much better?
does those 8cores really do that much difference compared to 4? -
Top of the line in the pfSense store is the Xeon D-1541 based XG-1541:
https://store.pfsense.org/XG-1541-1U-pfSense-Security-Gateway-Appliance-P88.aspx
Which is much more powerful. :)
Steve
-
Top of the line in the pfSense store is the Xeon D-1541 based XG-1541:
https://store.pfsense.org/XG-1541-1U-pfSense-Security-Gateway-Appliance-P88.aspx
Which is much more powerful. :)
Steve
Okey, next best then :P
But still, how any cores do you really need? -
Looking back on previus entry by P3R, how does this 6300 compare against the e3-1220L? it was running 1Gb/s using 50%, can i aspect the same or even better?
The 6300 is several times faster.
-
I can get the i3-6300 for the same price as the 6100, would it be a upgrade or a downgrade?
For the same price, no reason not to get the 6300.
sweet :)
Looking back on previus entry by P3R, how does this 6300 compare against the e3-1220L? it was running 1Gb/s using 50%, can i aspect the same or even better?Get the Xeon E3. The C2758 is OK for closer to 1gig throughput but E3 will give better performance with resource intensive packages like snort/suricata, while keeping up with 1gig throughput.
I want to be using snort and suricata is definitely something that i want.
Do you believe the i3 6300 can run those + purchase other packages that i dont know yet while keeping up with 1Gb/s?i3 6300 can run resource intensive packages. But IDS/IPS, Squid, Clamav scans may slow response times (like site retrieval response) when network activity is high. Go with the Xeon :-)
