Questions on a new pfSense build - i5 7400, ASRock H270M-ITX/ac



  • Hi all,

    New here, but an IT systems admin that has finally had enough of trying to run his home network (borderlining on enterprise-grade home network) through an Asus AC3200 router. The ASUS is a great router, but it can't keep up with the amount of traffic I'm pushing through it consistently (2 plex servers, 40+ wired devices, constant IO 24/7)… I have to reboot it almost daily and even then it could perform better.

    It's finally time to build a machine that can handle my firewalling appropriately, and keep up with the traffic I'm trying to send through it. I've been researching and researching across these forums for days, and here's what I have come up with:

    +Motherboard: ASRock H270M-ITX/ac LGA 1151 Intel H270
    – My thought here is it has two onboard Intel NICs, the I219V (apparently one of the best Intel desktop-grade NICs?), and the I211, and it has onboard AC. I have heard Wifi is... sketchy... on pfSense? Or at least, it takes more processing power....

    +Intel i5 7400 Kaby Lake
    – 3.0 quad core, turbo to 3.5 - I realize this is probably way overkill, but I figure better to over-prepare than under, yeah? And if I do create a wifi network off this, the 7400 should handle that fine. Using stock heatsink and fan... doubt I'll need anything better, especially if this is as overkill as I'm guessing it is.

    +Corsair LPX 8GB DDR4 DRAM 2133MHz C13
    – I've read different things... some say 2gb is plenty, some say 4... one thread said if you're going to buy 4, might as well buy 8. Especially if it's only a few $ more for 8... and the mobo supports DDR4 2133 so I might as well use that.

    +Samsung PM951 128GB NVMe M.2 SSD
    – I really don't feel like I need this... but it's $80... and it's an NVMe ssd, and I figure the board has an onboard M.2 ultra slot, might as well get the speed increase of NVMe if I need to buy SOMETHING, yes? If I'm wrong on that, let me know. It may be that I won't see ANY performance gains from running pfSense on a regular 32GB ssd vs this one, but if this one could offer any performance gains at all, seems like it might be worth it.

    +Intel PRO/1000 Pt Dual Port Server Adapter
    – Not sure if I need this, but figured I have the slots on the mobo, might be useful to have a couple extra intel pro nics... this was the cheapest dual PCI intel pro card I could find... at only $45 doesn't seem like a bad deal. Says server grade, but obviously I can run it for desktop grade as well. Says it supports teaming, but I don't really have any uses for that so I probably won't use it.

    +Thermaltake Core V1 Mini ITX Cube Case
    –It's a little bigger than is probably necessary, but I have the space for it, and it looks nice... and it's cheap.

    Thoughts and/or advice on this would be great. I don't KNOW what resource-heavy processes I might need, but I'd rather have a system that can perform flawlessly with the high amount of traffic I'm pushing through it, even if I spend a little more and only use 10-30% of the CPU most of the time. That way if I NEED it, and all of a sudden have to have all my devices pulling data through at the same time, I want it to be able to handle it. I'm fairly sure that's the bottleneck on my asus, is that it's a 1.7Ghz dual core processor, and I'm just pushing a Ton through it.

    Outside of this, my whole network is connected by gigabit (Cat6/Cat7) and 5 or 8 port Netgear ProSafe Plus GS108E managed switches... everything is there for peak performance... I just need the device that can run it all with the most uptime, performance, and stability as possible. Do you guys think this will do the trick? Or is this still way overkill....?



  • How fast is your internet connection?



  • Sorry, meant to add that. I have 1Gbps fiber up and down



  • Regarding WiFi, you should probably keep the AC3200 and set it to AP-only mode (presuming it does WiFi without problems). There's also no WiFi AC support in FreeBSD/pfSense.
    If you just want to Firewall/Route/NAT, then a Core i5 or i3 might be overkill. If you want to run IPS/IDS or OpenVPN, things look different. For OpenVPN I'd head for a CPU with high single thread performance, it only uses one core ATM.



  • i started researching setup in december and bought the system that is very close to what you are planning ~ a month ago.
    i chose low TDP i3-7100T. had no time to put it together until yesterday (burnin and power consumption measures). tests will show, but imho it will perform (i will be moving forward with the build in the following days). if you really want that i5, look for low TDP.
    i will not even try to touch onboard WIFI, have enough existing cheap wireless routers to be refitted as AP.
    for me it is still todo, but fyi - better start searching for low power, high efficiency on small loads PSU (as system eats ~60W at 100% load) ;)



  • @kroko:

    if you really want that i5, look for low TDP.

    Why low TDP? Won't make much difference in power usage when idle, only spare some heat/cooling/watts when under load.



  • @athurdent:

    Why low TDP? Won't make much difference in power usage when idle, only spare some heat/cooling/watts when under load.

    the op has constant high load scenario

    @maxtoid:

    the amount of traffic I'm pushing through it consistently (2 plex servers, 40+ wired devices, constant IO 24/7)

    my use case is not that much constant WAN load throughout the day (considerable constant LAN loading though), however there is offsite backup task each night via VPN. this is the moment we hit it.
    sure, it's all math based. difference in price between i3 7100 and i3 7100T was 3 EUR. delta is 16W. having known variable 0.13EUR/kWh yielded results that low TDP gives ROI in 3/(0.00013*16)/24=60 days considering full time 100%. last 24hours of 100% system burnin has already cost much less ;) and less heat is always good.



  • I don't think you can get an i3 7100 to 100% by just downloading at 1 GB/sec. I use my 7100 for a KVM host and the virtual pfSense uses 8% interrupt and is 90% idle when iperf-ing 1GB/sec through it (only NAT/Firewall). That is not real life, I know, but maybe you can run a test through your system and watch the CPU usage.
    Unless you need something cool and quiet to put in the living room, I don't think you should look for low TDP. But YMMV, just my 2 cents.
    I used a T i3 for 5 years with my KVM host and would not buy a T model again. :)



  • thanks @athurdent for sharing experience. i thought going with T was justified as price difference is negligible. will see how it behaves on VPN tests. this is what i went for when DIYing - avoiding SoC, so I can swap the CPU any time (i5, i7, E3).



  • I'm running this board (H270M-ITX/ac) with an i5-7500. The watt meter is usually hovering around 19-22watts/hr . easy to cool and fans are all silent, including the stock intel cpu fan. CPU usually around 30-40c depending on load.

    this board only has one PWM/DC fan header so you have to do this trick. you can play around with it but this is how I did it. i used a noctua pwm extension cable I had and connected it to the only mobo fan header. Then I connected a y splitter to the other end. That gave me two male PWM connections. Then I connected two more PWM Y splitters to each end of the first PWM Y splitter. that gives me 4 PWM fan headers for my case. I happen to have 4x 120mm fans. Why go through all this trouble? Well, all my fans are DC. So in the UEFI I set the case fan header to DC mode and put it on Silent setting. Now all my fans are silent and I don't have to deal with molex adapters, extra power cables, or current reducing adapters and it's very nooice

    i just need to figure out why this board freezes when you type sysctl -a , and you can shut it down but you can't reboot it



  • @meruem:

    this board only has one PWM/DC fan header so you have to do this trick. you can play around with it but this is how I did it. i used a noctua pwm extension cable I had and connected it to the only mobo fan header. Then I connected a y splitter to the other end. That gave me two male PWM connections. Then I connected two more PWM Y splitters to each end of the first PWM Y splitter. that gives me 4 PWM fan headers for my case. I happen to have 4x 120mm fans.

    Keep in mind that 1 PWM/DC header on a motherboard can only provide a maximum of 0,5A,
    so in practice, more than 3 fans at 1 header is not recommended.
    That's why molex to Fan connectors are made, that way you can go far beyond the 0,5A and go until the 5V powerline of your PSU maxes out.
    Also, by adding more than 1 fan to a PWM/DC header on your motherboard,
    you are heating up your motherboard, because it draws much more power through it for feeding all those fans.

    Grtz
    DeLorean


  • Banned

    NVMe SSD will be no difference. SSD over HDD is no performance gain, just faster boots, no moving parts, lower power. Definitely recommend SSD but it isn't a Performance upgrade.

    If you are money conscious (your OP suggests you are) then an i5 is silly. You will almost certainly never use it. "Future proofing" is almost always an excuse to buy something cooler in the computer world. Realistically speaking, it will probably be a VERY long time before you need to upgrade beyond an i3 (you actually will probably never need an i3).

    The RAM you can find ways to use (TLD). You might even find yourself wanting more in the future depending on what you do with your box. On the other hand you might never find yourself exceeding 2GB usage, it just depends.

    For the NIC, if you don't need more than two NICs now (you probably don't if you have a half decent switch), then I'd pass for now. If you do eventually need one then check out used server pull server grade NICs. They offer more features for less power consumption and you can get them for cheap. My i340-t4 was I think $35.

    Definitely avoid wifi on pfsense like the plague, especially since you already own a solid router. Just use it as an AP. I'd also recommend avoiding DDWRT, OpenWRT, Tomato, etc. Those are excellent when trying to do more work with a SOHO router, but when using it only as an AP they are often actually slower than stock firmware. About the only reason I could think of to switch to one of those is if your stock firmware doesn't support VLANs.



  • @maxtoid:

    I have heard Wifi is… sketchy... on pfSense? Or at least, it takes more processing power....

    It's more that wifi hardware support is sketchy on FreeBSD generally than pfSense specifically.  I've used pfSense as an AP in the distant past (with 802.11g hardware), so theoretically it is capable as far as the software is concerned, given well-supported wireless NICs.  Those are hard or impossible to find (especially in the AC realm).  Add into that physical placement of the antennas. You're always better off having your radio close to the antennas (no excess coax cable carrying high frequency RF), and since the antennas are ideally situated outside of any cabinet, preferably on a wall or ceiling, you're looking at one or more remote APs.  If you don't want to reuse your current router as an AP (and depending on where the stability problems you spoke of lie, you may not), then the Ubiquiti hardware is wonderful.  Start with a single AP and add more if needed, simply by plugging them in and adopting them.  And they're definitely more aesthetically pleasing.  They're no more intrusive than a smoke detector.  You can even disable the LED lighting in software.

    TL;DR: Even if AC hardware was well-supported in FreeBSD, you're nearly always better off with external APs, mostly for ease of placement.



  • @DeLorean:

    @meruem:

    this board only has one PWM/DC fan header so you have to do this trick. you can play around with it but this is how I did it. i used a noctua pwm extension cable I had and connected it to the only mobo fan header. Then I connected a y splitter to the other end. That gave me two male PWM connections. Then I connected two more PWM Y splitters to each end of the first PWM Y splitter. that gives me 4 PWM fan headers for my case. I happen to have 4x 120mm fans.

    Keep in mind that 1 PWM/DC header on a motherboard can only provide a maximum of 0,5A,
    so in practice, more than 3 fans at 1 header is not recommended.
    That's why molex to Fan connectors are made, that way you can go far beyond the 0,5A and go until the 5V powerline of your PSU maxes out.
    Also, by adding more than 1 fan to a PWM/DC header on your motherboard,
    you are heating up your motherboard, because it draws much more power through it for feeding all those fans.

    Grtz
    DeLorean

    I agree 100%. However in this case, I double checked the manual before I did it. It says:

    "The Chassis Optional/Water Pump Fan supports the water cooler fan of maximum 1.5A (18W) fan power."

    Because I was looking at this mobo (after I bought it) and couldn't understand the one fan header concept on a 2017 board. Then when I was digging through my extra computer fan components, I noticed on a noctua box I had, it actually recommended chaining y-splitters to be able to keep fan speeds in sync with each other. Being I come from a time before adequately powered fan headers, I was blown away by the concept. It certainly makes more sense doing it this way when you think about it. barring speciality need situations

    So I did 4 splits. Just an example, each fan 12v*0.1a = 1.2watts

    4x0.1a = 0.4amp.
    4x1.2w = 4.8watts.

    Got some spare room there for what I did.

    Now it's starting to make sense why mobos have specially labeled water pump fan headers, more power on that header to aggregate the radiator fans and the pump all powered from one mobo header.



  • @pfBasic:

    Definitely avoid wifi on pfsense like the plague, especially since you already own a solid router. Just use it as an AP. I'd also recommend avoiding DDWRT, OpenWRT, Tomato, etc. Those are excellent when trying to do more work with a SOHO router, but when using it only as an AP they are often actually slower than stock firmware. About the only reason I could think of to switch to one of those is if your stock firmware doesn't support VLANs.

    I like the Synology router because it can go into "AP" mode with just a setting click. But it also removes all the cool features like analytics. haven't yet found a decently priced AP. the only stock firmware I like is synology. every other vendor has a web ui that looks like it was made in china for $100



  • @maxtoid:

    Hi all,

    New here, but an IT systems admin that has finally had enough of trying to run his home network (borderlining on enterprise-grade home network) through an Asus AC3200 router. The ASUS is a great router, but it can't keep up with the amount of traffic I'm pushing through it consistently (2 plex servers, 40+ wired devices, constant IO 24/7)… I have to reboot it almost daily and even then it could perform better.

    It's finally time to build a machine that can handle my firewalling appropriately, and keep up with the traffic I'm trying to send through it. I've been researching and researching across these forums for days, and here's what I have come up with:

    +Motherboard: ASRock H270M-ITX/ac LGA 1151 Intel H270
    – My thought here is it has two onboard Intel NICs, the I219V (apparently one of the best Intel desktop-grade NICs?), and the I211, and it has onboard AC. I have heard Wifi is... sketchy... on pfSense? Or at least, it takes more processing power....

    ...

    +Thermaltake Core V1 Mini ITX Cube Case
    –It's a little bigger than is probably necessary, but I have the space for it, and it looks nice... and it's cheap.

    Thoughts and/or advice on this would be great. I don't KNOW what resource-heavy processes I might need, but I'd rather have a system that can perform flawlessly with the high amount of traffic I'm pushing through it, even if I spend a little more and only use 10-30% of the CPU most of the time. That way if I NEED it, and all of a sudden have to have all my devices pulling data through at the same time, I want it to be able to handle it. I'm fairly sure that's the bottleneck on my asus, is that it's a 1.7Ghz dual core processor, and I'm just pushing a Ton through it.

    Outside of this, my whole network is connected by gigabit (Cat6/Cat7) and 5 or 8 port Netgear ProSafe Plus GS108E managed switches... everything is there for peak performance... I just need the device that can run it all with the most uptime, performance, and stability as possible. Do you guys think this will do the trick? Or is this still way overkill....?

    I'm about to build a machine to run pfsense.  I chose the same motherboard and case with 8GB RAM, but I went with a Core i3-7100 CPU. I'm re-purposing a 120GB Samsung 840 SSD.  I'd have all the parts right now, but Fedex delivered them to the wrong address this morning!  >:( Looking forward to getting started on this project.  I too have 1 gig fiber u/d, and my house is wired with CAT6.  ;D



  • Hi guys,

    I have the same MB model and i want to install pfsense on it. For the ones that have it, can you tell me if the built-in wifi card is recognized by pfsense? I know it is easier and better to have an external AP, but i just want to know the compatibility feature before i install it.
    And also, does pfsense recognize both NICs?

    Thanks.



  • anyone?


  • Netgate Administrator

    Hard to say exactly what that wifi chip is beyond Intel and supports 802.11AC.
    However just based on that I can say it may not be supported at all.
    If it is supported it will only run in 802.11N mode at most and it will not run in hostap mode. You could not run it as an access point.

    Steve



  • @stephenw10
    Thank you for reply.
    Probably the wifi card model is this one: (attached image: wifi asrock.JPG)
    I found this on another forum.
    But why do you say it won't work as a hostap? Is there a chart somewhere, or how do you have this certitude?


  • Netgate Administrator

    That card is at least supported, by the iwm(4) driver.

    However as it says there it supports station mode (client) only.
    As far as I know no Intel cards support hostap mode, in FreeBSD at least.

    It will also connect only at 802.11N because there is no AC support in FreeBSD.

    Steve



  • ASUS router: It sounds like you need to support a lot of simultaneous connections, so just about anything you build is going to be better than this cheap toy.

    Mobo: Nice dual Intel NICs. pfSense doesn't support AC wifi yet, so the wireless probably won't work. If it isn't Atheros, it's probably never going to work. You should also check that it can run as an AP if you want to use it, but you're probably better off using the ASUS as an AP. That's about the only thing it's good for.

    CPU: Maybe overkill. I would build with a power efficient chip rather than a powerful one.

    RAM: Probably overkill unless you are getting a great deal, and you are going to use ZFS and snort.

    Samsung NVMe: Pointless. pfSense only needs IO when it is updating, which is pretty rare. I use USB drives in my build for the cost and power use advantages.

    Intel NIC: Good card. It's probably what I would use if the onboard NICs don't deliver.

    Case: Cheap is good. It doesn't need to do anything but be a box.

    It's a very powerful build that leaves you a lot of room to grow, but you are paying for it with the additional electricity costs. Also, you are reaching the price point where the more compact and power efficient SG-3100 is a competitive option.



  • @signalz and @stephenw10
    Thanks both for your answers. It appears i have no chance using the wifi card onboard as a host AP. I will move on then...
    Regarding the setup, it is a bit overkill, yes. I have a 35W i3 CPU and 8GB RAM with a normal HDD. I read about the inutility of having a SSD in this case. The power supply has 250W and it is the smallest one i could find to fit in a 1U case.
    Thank you again guys.


 
