Need pfsense Low Power Build Advice
-
Hi All,
I have decided to build a dedicated pfSense device for my home Fios connection, which is currently 150/150 Mbps. I need something inexpensive, low-power, yet with enough performance to handle any and all apps I choose to install, such as OpenVPN, Squid, Snort, etc.
Requirements:
Mini-ITX (possibly MicroATX)
Minimum 2.0 GHz processor with AES-NI
VT-X/D would be bonus
At least 3 Intel gigabit NIC ports (even if it means PCIe)
Decent PCIe on board (not 1x)
At least 8 GB RAM
SSD or M.2 perhaps?
Quiet
Power supply (Pico?)
Case recommendations
I was considering a C2758 or Xeon D-1518 but I think I'd rather not spend so much on a home firewall and build something very cost effective myself. Is this doable?
I don't think I'm interested in J1900 or anything else that may fall short of performance.
If you could provide me with a complete build list, I'd be real grateful but a motherboard and CPU recommendation would go a long way too. Thanks so much, everyone.
-
Just get an i3 with matching motherboard. It will suit your needs perfectly.
I have a 2nd gen i3 with vmware and using pfSense and Ubuntu DNS/DHCP for my layer 3 network. It barely hits 15% with full 150Mbps downloads. Have Suricata, Squid and pfBlocker installed. I have done internal tests and it hits gigabit speeds without breaking a sweat. First I had a Xeon on vmware, then moved down to i5 and now on i3. Just getting a super fast processor and burning electricity for no reason isn't my way to do things. Even the i3 is quite powerful and it serves my complex and demanding network with no issues till date.
If you have a simple network then all you need is a simple switch for the extra ports. If you are planning to go for vlans then just get a smart or managed switch depending on what you need.
The C2758 is getting old now (at least in my view). The Xeon-1518 is way too much for what you need and it's not cheap. Not worth it unless you need to go virtual and have multiple vms installed OR have gigabit WAN routing requirements.
-
D1518 isn't worth it unless you're deploying racks of 10G connected equipment while maxing out the RAM. Otherwise an E3 is probably a better choice–but i3 or one of the kaby lake celerons is probably more sensible for this application.
-
Just get an i3 with matching motherboard. It will suit your needs perfectly.
I have a 2nd gen i3 with vmware and using pfSense and Ubuntu DNS/DHCP for my layer 3 network. It barely hits 15% with full 150Mbps downloads. Have Suricata, Squid and pfBlocker installed. I have done internal tests and it hits gigabit speeds without breaking a sweat. First I had a Xeon on vmware, then moved down to i5 and now on i3. Just getting a super fast processor and burning electricity for no reason isn't my way to do things. Even the i3 is quite powerful and it serves my complex and demanding network with no issues till date.
If you have a simple network then all you need is a simple switch for the extra ports. If you are planning to go for vlans then just get a smart or managed switch depending on what you need.
The C2758 is getting old now (at least in my view). The Xeon-1518 is way too much for what you need and it's not cheap. Not worth it unless you need to go virtual and have multiple vms installed OR have gigabit WAN routing requirements.
Thanks, but from what I've read, the i3 doesn't support AES-NI until 4th generation. Is that correct?
I managed to find this. It says it's an Intel Core i3-7100 Kaby Lake Dual-Core 3.9 GHz LGA 1151 51W. What do you think?
-
150/150 Mbps. …inexpensive, low-power, yet with enough performance...
Requirements:
Mini-ITX
Minimum 2.0 GHz processor with AES-NI
VT-X/D
At least 3 Intel gigabit NIC ports (even if it means PCIe)
Decent PCIe on board (not 1x)
At least 8 GB RAM
SSD
Quiet
This is pretty much a description of a J3355B with an i340-t4.
mini-itx
2.0GHz, Latest Goldmont AES-NI
VT-X&D
ebay i340-t4
PCIe v2.0 x2 mode = 8.0Gbits/s bidirectional for 4x gigabit NICs
8GB DDR3L 1866 SODIMM
2xSATA
No moving parts at all if you go pico-psu
https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726
https://www.newegg.com/Product/Product.aspx?Item=N82E16820233581&cm_re=ddr3l--20-233-581--Product
http://www.ebay.com/itm/PicoPSU-80-12V-DC-DC-ATX-Power-Supply-w-60W-AC-Adapter-/191942916682?hash=item2cb0b07a4a:g:hqsAAOSw0UdXrdzB
or
https://www.newegg.com/Product/Product.aspx?Item=9SIA24G3RH5343
https://smile.amazon.com/Transcend-Half-Slim-Solid-State-TS16GHSD370/dp/B00OPHX8XK/ref=sr_1_11?s=pc&ie=UTF8&qid=1486056413&sr=1-11&refinements=p_n_feature_three_browse-bin%3A14027456011%2Cp_n_feature_keywords_two_browse-bin%3A4929543011
or with 2.4 coming out you could mirror a pair of USB's in ZFS
https://smile.amazon.com/SanDisk-SDCZ33-016G-B35-2PK-Everything-Stromboli-Lanyard/dp/B00DTZA5S0/ref=sr_1_8?ie=UTF8&qid=1486056220&sr=8-8&keywords=sandisk+cruzer+fit
Whole system, assuming you don't have any parts laying around you can reuse: $222 - $252 depending on whether you want pico-PSU v PSU and USBx2 v SSD.
-
Just get an i3 with matching motherboard. It will suit your needs perfectly.
I have a 2nd gen i3 with vmware and using pfSense and Ubuntu DNS/DHCP for my layer 3 network. It barely hits 15% with full 150Mbps downloads. Have Suricata, Squid and pfBlocker installed. I have done internal tests and it hits gigabit speeds without breaking a sweat. First I had a Xeon on vmware, then moved down to i5 and now on i3. Just getting a super fast processor and burning electricity for no reason isn't my way to do things. Even the i3 is quite powerful and it serves my complex and demanding network with no issues till date.
If you have a simple network then all you need is a simple switch for the extra ports. If you are planning to go for vlans then just get a smart or managed switch depending on what you need.
The C2758 is getting old now (at least in my view). The Xeon-1518 is way too much for what you need and it's not cheap. Not worth it unless you need to go virtual and have multiple vms installed OR have gigabit WAN routing requirements.
Thanks, but from what I've read, the i3 doesn't support AES-NI until 4th generation. Is that correct?
I managed to find this. It says it's an Intel Core i3-7100 Kaby Lake Dual-Core 3.9 GHz LGA 1151 51W. What do you think?
https://ark.intel.com/products/97455/Intel-Core-i3-7100-Processor-3M-Cache-3_90-GHz
Intel AES New Instructions: Yes
-
Thanks, but from what I've read, the i3 doesn't support AES-NI until 4th generation. Is that correct?
https://ark.intel.com/products/97455/Intel-Core-i3-7100-Processor-3M-Cache-3_90-GHz
Intel AES New Instructions: Yes
He was saying that i3's don't have AES-NI until 4th Gen, which would be i3-4xxx.
Which, older generations will consume more power for less performance, better to get a low end current generation CPU than a high end old generation CPU. For your stated needs you don't need much in the way of CPU performance, good AES-NI will do most of the work for your VPN while allowing you to use a low power, cheap CPU.
-
Thanks, but from what I've read, the i3 doesn't support AES-NI until 4th generation. Is that correct?
There's no reason to look at a 3 year old i3. Start with kaby lake unless there's a good deal on a skylake, maybe $120 for an i3-7100 or less for i3-6100, or <$50 for a G3930 which would be more than enough for this.
-
Thanks, but from what I've read, the i3 doesn't support AES-NI until 4th generation. Is that correct?
https://ark.intel.com/products/97455/Intel-Core-i3-7100-Processor-3M-Cache-3_90-GHz
Intel AES New Instructions: Yes
He was saying that i3's don't have AES-NI until 4th Gen, which would be i3-4xxx.
Which, older generations will consume more power for less performance, better to get a low end current generation CPU than a high end old generation CPU. For your stated needs you don't need much in the way of CPU performance, good AES-NI will do most of the work for your VPN while allowing you to use a low power, cheap CPU.
The power consumption difference in terms of $$ between old gen and new gen processors is a matter of cents per month. The OP hasn't mentioned the number of VPN users that will be connecting to the box. 1 or 2 VPNs are not going to make a huge difference.
Unless you need all new hardware, which I won't as to recoup the $$ spent will never happen, go to pcpartpicker and configure a 4th gen or later system. Search on ebay and you should find everything you need well under $350. Your needs are not that high. You don't need too much power but then you don't need something that will underperform in future. An i3 or celeron (anything 4th gen or later) should be ample for your needs for a long time. Even if tomorrow you decide to jump on 1 gigabit WAN, you won't have to change anything.
-
Thanks, but from what I've read, the i3 doesn't support AES-NI until 4th generation. Is that correct?
https://ark.intel.com/products/97455/Intel-Core-i3-7100-Processor-3M-Cache-3_90-GHz
Intel AES New Instructions: Yes
He was saying that i3's don't have AES-NI until 4th Gen, which would be i3-4xxx.
Which, older generations will consume more power for less performance, better to get a low end current generation CPU than a high end old generation CPU. For your stated needs you don't need much in the way of CPU performance, good AES-NI will do most of the work for your VPN while allowing you to use a low power, cheap CPU.
The power consumption difference in terms of $$ between old gen and new gen processors is a matter of cents per month. The OP hasn't mentioned the number of VPN users that will be connecting to the box. 1 or 2 VPNs are not going to make a huge difference.
Unless you need all new hardware, which I won't as to recoup the $$ spent will never happen, go to pcpartpicker and configure a 4th gen or later system. Search on ebay and you should find everything you need well under $350. Your needs are not that high. You don't need too much power but then you don't need something that will underperform in future. An i3 or celeron (anything 4th gen or later) should be ample for your needs for a long time. Even if tomorrow you decide to jump on 1 gigabit WAN, you won't have to change anything.
Thanks. I will do that. You think I should just get a Celeron instead of a Kaby Lake i3-7700?
No more than two VPN connections, I would think.
-
Celeron is just fine. If the price difference is not much then go for the i3.