SFF for pfSense



  • After trying pfSense on a few re-purposed appliances (too loud, power hungry and could not keep up with my connection speed), some low power ATOM builds (low power and zero/little noise but would choke then you turned on features/VPN) I finally found something that works for me.  Dell SFF 7010 (the USFF was really nice and small but no way to put in another NIC).  Here is what I put together

    $25  Barebone 7010 (Ebay, local pickup in near new condition)
    $75  Core i5-3470T (not a 15w XXXXU CPU but at 35w it was a good compromise and solid single core performance).
    $30  HP NC365T Quad Port (not using this for this build but I needed to replace the NC360T that I am pulling to put in here)
    $0  120GB Intel S3500 SSD (have a few of these collecting dust)
    $0  8GB RAM (two 4GB DDR sticks) again in the parts bin.

    I'm in the process of cleaning up the TIM from the custom heatsink on this guy and the CPU was delivered today.  Hopefully it's pretty quiet and can handle my needs.  But this will allow me to move away from running pfSense on a VM.


  • Banned

    To get a really definitive answer you'll need to post what exactly you want to run, what packages (IPS, VPN, etc.), how many users, how much bandwidth, etc.

    That being said, it's probably safe to say that your setup will meet most things you'll throw at it. More than likely an i5 with AES-NI for a router is dramatic overkill to say the least.



  • Fair enough on the i5 but the prices of those J1900 class mini-appliances I said why not?  I want to be able to keep VPN going most if not all the time and get as close to full speed on my gig connection.


  • Banned

    Yeah j1900 would be very disappointing for you on VPN.

    Gigabit does require decent equipment and trying to get gigabit VPN can be tough depending on the type of protocol you use. OpenVPN is generally considered the most secure but is single threaded and CPU intensive.
    I don't know how fast you'll get on the VPN but I'd be interested to hear how it goes.

    Check out an i340 or i350 NIC, the more work your NIC can offload your CPU the better for your VPN throughout. They can also be had of eBay, used or Chinese knockoffs are fine for home user, many on the forums have had great success with them.



  • I believe that the HP cards are i340/i350 cards just re-branded as HP.


  • Banned

    yeah you're right, it looks like they are i340's.

    I'm interested to hear what performance you get!



  • I should be able to put the PC together tonight and maybe install pfsense tomorrow.  I'll have to figure out how to test this so I can publish performance figures.  I just found a G3220T that I had forgotten about.  I'll test both of them.  I almost bought a NC375T until I found out that it doesn't have an intel chipset.



  • @Nnyan:

    I should be able to put the PC together tonight and maybe install pfsense tomorrow.  I'll have to figure out how to test this so I can publish performance figures.  I just found a G3220T that I had forgotten about.  I'll test both of them.  I almost bought a NC375T until I found out that it doesn't have an intel chipset.

    NC364T for a 4 port or NC360T for a 2 port are what you want.  Both are based on the Intel 82571EB chipset and come with low profile brackets (but make sure the seller includes them).



  • I have the NC360T for the pfSense box and the NC365T for the ESXi box.  Turns out the Core i5-3470T was bad so I returned that.  I found an i3-3240 so I threw that in.  I'll finish the build this weekend and I'll see if I'm happy with that chip.  If not I'll keep my eye out on ebay for a 35w I5.


  • Banned

    What was so bad about it? Was the CPU actually defective or was performance no good?

    If you're looking for respectable encrypted VPN throughput then the 3240 is likely not going to impress you as it has no AES-NI at all.
    Encryption performance is highly dependent on AES-NI, hardware or software that doesn't support it will cause performance to decrease dramatically.
    It's also worth noting that AES-NI from 2012 is not the same animal as AES-NI from 2017. If VPN is disappointing you but performance is good elsewhere, you might be better suited by a modern CPU.



  • It was defective.  I just happen to have an i3-3240 gathering dust (and I did notice that I needed to go to the i5's to get AES-NI) so I'm throwing that in for now until I can find a decent deal on another i5-3470T.  I'm currently using the SFF as a test box and so far so good.  I got EXSi 6.5a and ProxMox installed on it with no issues (separate SSD's I have a bunch of small ones 60-100GB) so I'll use it to test a few different firewalls.  If I get solid performance from it I'll use it as my firewall/gateway.  If not I'll just keep running pfsense in a VM like I am now (current server has L5640 cpu's and I have no performance issues, the upgraded virtualization servers have E5-2670s).  Either way I think I'll keep my eyes on good deals on these SFF's since they make nice small ESXi servers.


Log in to reply