New Build Hardware Advice

  • So I am a little new to pfSense and am looking to build a box. It will basically be for personal home use: about 3 computers, 1-3 phones, a NAS, and possibly a Plex server for 2 people in the future. I'm still unsure about packages; I'll probably go for Snort, along with VPN (probably 2 connections). I'm undecided on Squid caching, but would hope to be able to implement it in the future if I do go for it. The budget I would like to keep under $250.

    After looking through, I think I have a possible build, but I want to make sure it can handle the load now, along with some extra room for additional connections in the future.

    -ASRock J3455M Intel Quad-Core Processor J3455 (up to 2.3GHz) Micro ATX Motherboard/CPU Combo -

    -G.SKILL 4GB Ram -

    -EVGA 450 B1 100-B1-0450-K1 80+ BRONZE 450W Power Supply -

    -x2 Intel EXPI9301CTBLK Network Adapter 10/100/1000Mbps PCI-E -

    -Western Digital Blue WD800JD 80GB HDD -

    I would really appreciate opinions on whether this build would work, or what could/needs to be changed.

    Thank you.

  • Banned

    A few things that we need to know in order to give you better guidance.

    What is your desired WAN connection speed? (The speed you pay for from your ISP)

    Do you want to push all/most of your traffic through the VPN all the time or use it in specific cases but normally not use VPN?


    Squid caching is probably effectively useless on a network of your size, I would skip squid entirely since you don't already have a reason you need it.

    Snort is single-threaded, Suricata is multi-threaded; if you are going to pay for a quad-core CPU then I'd recommend Suricata.
    OpenVPN is also single-threaded, so you might be better off switching to the dual-core J3355B with higher clock speeds.

    The J3455 & J3355 are excellent CPUs in my opinion; however, they can only handle so much if you are implementing both an IDS/IPS and VPN usage, so knowing your WAN speed is important. My guess is, though, that this is a good CPU range for you.

    I would highly recommend that you get a picoPSU instead of the one you posted.
    PSUs are not efficient when they are drawing way less power than they were designed for, so buying way more PSU than you need is actually bad for you.
    Also, picoPSUs don't have fans (use less power and are totally silent) and are very efficient at the power levels you will need. PicoPSUs also keep most of the heat out of the case since the AC/DC converter is outside of the case.
    I recommend this:
    The AC/DC converter is ~88% efficient so it is comparable to an 80+ PSU, but no fan and better suited to a router's power draw.

    -x2 Intel EXPI9301CTBLK Network Adapter 10/100/1000Mbps PCI-E

    This is the only thing on your list that's a definite no way!
    This is a desktop-quality NIC that is nearly a decade old, and the price you listed is no good for even one of them!
    Go on eBay, search "i340-t4", filter your search results to items shipping from North America only to exclude Chinese knockoffs, and sort by Price + Shipping Lowest. Buy the cheapest one from a reputable seller not listed as for parts/not working. I got mine for $30. You can usually find them just about any day for ~$35 shipped.
    This is a WAY better NIC than what you posted, only uses one slot and only needs PCIe v2.x @ x1 speeds for max throughput on all four ports.
    If you only need two ports then just get an i340-t2 if it's significantly cheaper. But don't plan on using the NIC that comes on the motherboard, it's crap.

    Don't use a HDD unless you use Squid (I recommend you don't); they consume a lot of power, generate a lot of heat and have moving parts.
    Get either a cheap SSD, or use pfSense 2.4.0 BETA (it's actually extremely stable, I haven't had even one problem with it) and install to USB 2.0 flash drives using a RAM disk.

  • Thanks for the reply.

    So to add additional information,

    Internet WAN is 300 down, 30 up.
    I plan on using a VPN for one computer consistently, and a 2nd computer for specific purposes inconsistently. So one computer minimum, and 2 maximum (but not all the time).

    I took into account the advice on the dual core vs quad, the NIC, and I love the picoPSU idea; never knew about them before.

    So how does my new list look now for what I am trying to do?

    -ASRock J3355M Intel Dual-Core Processor J3355 (up to 2.5GHz) Micro ATX Motherboard/CPU Combo -

    -G.SKILL 4GB Ram -

    -picoPSU-90 + 100W Adapter Power Kit -

    -IBM Intel I340-T4 Quad Port Gigabit Ethernet Adapter -

    As far as the storage, I am a little confused about what to use from what I've been searching now. I'm hearing some SSDs or USB flash drives die quickly, but that may not be completely true. And after looking at a few more packages, like monitoring/stats, if I wanted to go with a USB flash drive, would it still be good for the logs and stuff (to save a copy, not lose it in RAM)? And what are the other downsides to an HDD other than power (does it really use a whole lot more?) or sound? Would a USB and cheap HDD from my first list be a good combo?

    Thanks again for the opinions and advice.

  • Banned

    J3355 is probably a good fit for you. It will probably hit 300Mbps on a single thread, and almost certainly will if you use two clients in a gateway group so it can use both cores.

    As far as SSD or flash drive vs HDD: don't worry about writes on a modern SSD, they'll be fine. For a flash drive, you definitely need to use a RAM disk. If cost isn't an issue for you then go for a low-end, small SSD (64GB or less). As far as power draw is concerned, going from a HDD to a flash drive install my system draws about 7W less; an SSD draws more than flash drives but not a lot more.

  • I'm still curious, since the SSDs I'm looking at are still a little pricier compared to the HDD, is an HDD going to impact or bottleneck an area of performance, like speed/bandwidth or additional packages like Snort/VPN?

    If I do go with an SSD, is there anything specific I need to look for in an SSD? I found 3 that seem decent.

    -Silicon Power Slim S60 2.5" 60GB SATA III MLC Internal Solid State Drive (SSD) SP060GBSS3S60S25 -

    -Kingston A400 2.5" 120GB SATA III TLC Internal Solid State Drive (SSD) SA400S37/120G -

    -SanDisk SSD PLUS 120GB Solid State Drive (SDSSDA-120G-G26) -

    Are there any other potential SSDs? I don't know if I'd be comfortable using a mega cheap weird brand drive.

    And if I go with an SSD, are there any settings I would need to look out for, so the SSD can last as long as possible? I keep hearing about enabling TRIM, but is there anything else?

    And finally, if I'm saving some logs and stats and stuff, that's not going to be a problem while using an SSD and impact its longevity, is it?

    Sorry for so many questions.

  • HDD vs SSD will mostly just impact your boot time.  Performance of pfSense itself won't be affected either way.  SSD can help with packages like Squid, performance wise.

    All that said, I'd go with SSD just for reliability… simply the lack of moving parts.  Any of those you linked will do fine. I'm using that same Silicon Power SSD in my build, first with just pfSense and now with ESXi.

  • Banned

    First off, I just realized that you posted switching from a J3455 micro-ATX board to a J3355B, but posted the same RAM.
    The mini-ITX J3355B uses 204-pin SO-DIMM, so you'll be very disappointed if you purchase the 240-pin RAM for it.
    I recommend something along the lines of this:
    It's $8 more than what you posted for double the RAM and it's Samsung, good stuff!

    Now to answer your question!

    any settings i would need to look out for, so the ssd can last as long as possible? i keep hearing about enabling trim, but is there anything else?

    There just so happens to be something built into pfSense that is extremely effective at increasing the lifespan of any write-sensitive media!
    RAM disks! All it does is create a "virtual" permanent storage disk out of your RAM. RAM is extremely fast and not at all write-sensitive. I believe that RAM disks used to cause a few issues in pfSense, and I can't speak to its reliability in 2.3.x, but it looks like they improved it significantly in 2.4.0 and I can personally vouch that my system using a RAM disk performs without any issue whatsoever.

    I've run iostat -xw 1 for extended periods of time then looked through the results later. (This command tells you how many writes are happening to your disks.) The results are virtually no writes to the disk for the vast majority of the time. What this means is that pfSense boots up by reading from your disk, then it is performing all of the frequent writes (logging, tables, etc.) to the RAM disk, not your install disk.
    It will write to disk when installing packages, updating packages, updating pfSense, during the scheduled times that it writes your logs to disk, or during a proper shutdown to write your logs to disk. There are other times, but the general idea is that you dramatically reduce writes to your disk by using a RAM disk.

    Reasons not to use a RAM disk:

    • You get frequent power outages or system crashes, this won't result in anything catastrophic, but you will lose your logs during an improper shutdown. (not all of them, just the period between the last write to disk and the unexpected shutdown)

    • You don't have enough RAM. I run a whole lot of things on my pfSense, and have 8GB of RAM. I significantly over-provisioned my RAM Disk @ 2.3GB, I've never seen it use 1GB, and my system is generally using less than 4GB of my RAM. All that to say, you can almost certainly run a RAM disk without issue with 4GB of RAM, if you get the 8GB RAM I linked, then 100% you can use a RAM disk.

    So yeah you can dramatically reduce writes to your physical drive. This is really great because it allows you to use crappy install drives!
    If you decide to go the RAM disk route, I recommend a 2.4.0 BETA install on cheap flash drives in a mirror.

    Why? ZFS has some real advantages over UFS in pfSense, as can be seen throughout this forum (UFS corruption issues).
    I'm betting you'll get years of use out of that configuration; when one of the USB drives finally fails, your system will keep on running. All you have to do is pull another flash drive out of a drawer that is >/= the ones you installed to, swap it with the failed drive, type a command into your console, and your system will mirror the working drive to it, and you wait another few years.

    Alternatively, you can install to an SSD, but if using a RAM disk then don't be afraid to buy those cheap shitty SSD's, because you will very rarely be writing to them.

    My reason for not choosing HDD is the same as posted above: no moving parts. Also less power draw and less heat in your case. Just the power savings alone from not using a HDD will probably save you ~$9+/yr in electricity in the continental US for a 24/7 system. Obviously that's nothing to write home about, but even if you blow out a USB drive every other year it more than offsets that cost while providing you with the reliability of ZFS and mirrored drives.
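    One way to check the claim above on your own box, as an added example that is not code from the thread: run `iostat -xw 1` for a while, save the output, and let a script count how many one-second intervals touched the install disk at all. The sample below is constructed in the FreeBSD 11 `iostat -x` column layout (da0 standing in for the install disk, md0 for a memory disk); the parser keys on the column names rather than positions, so the older `device r/s w/s kr/s kw/s qlen svc_t %b` layout parses too. The device names and numbers are illustrative, not from anyone's real system.

```python
"""Count how much actually reaches the install disk when a RAM disk is in use.

Added example for this thread (not code from the original post). It
parses the reports that FreeBSD's `iostat -xw 1` prints and sums, per
device, how many one-second intervals saw any writes and how many KB
were written in total.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: three one-second reports. Real input would come from
# e.g. `iostat -xw 1 > /tmp/io.log` left running for a few hours.
SAMPLE = """\
                        extended device statistics
device     r/s     w/s     kr/s     kw/s  ms/r  ms/w  ms/o  ms/t qlen  %b
da0          1       0      4.0      0.0     0     0     0     0    0   0
md0          0      12      0.0     48.0     0     0     0     0    0   1
                        extended device statistics
device     r/s     w/s     kr/s     kw/s  ms/r  ms/w  ms/o  ms/t qlen  %b
da0          0       0      0.0      0.0     0     0     0     0    0   0
md0          0       3      0.0     12.0     0     0     0     0    0   0
                        extended device statistics
device     r/s     w/s     kr/s     kw/s  ms/r  ms/w  ms/o  ms/t qlen  %b
da0          0       5      0.0     64.0     0     2     0     2    0   1
md0          0      20      0.0     80.0     0     0     0     0    0   2
"""


@dataclass
class DeviceWrites:
    intervals: int = 0              # reports in which the device appeared
    intervals_with_writes: int = 0  # reports with w/s > 0
    kb_written: float = 0.0

    def idle_fraction(self) -> float:
        """Share of intervals in which the device was not written at all."""
        if self.intervals == 0:
            return 0.0
        return 1 - self.intervals_with_writes / self.intervals


def parse_reports(text: str) -> List[Dict[str, Dict[str, str]]]:
    """Split iostat -x output into reports of device -> {column: value}."""
    reports: List[Dict[str, Dict[str, str]]] = []
    columns: List[str] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] == "extended":   # blank or banner line
            continue
        if fields[0] == "device":                   # header starts a new report
            columns = fields
            reports.append({})
            continue
        if columns and len(fields) == len(columns):
            row = dict(zip(columns, fields))
            reports[-1][row["device"]] = row
    return reports


def summarize(text: str, skip_first: bool = True) -> Dict[str, DeviceWrites]:
    """Aggregate writes per device across all reports.

    iostat's first report is the average since boot rather than the last
    interval, so it is dropped by default. kw/s is a rate; with a 1 s
    interval (iostat -w 1) it equals the KB written in that interval.
    """
    reports = parse_reports(text)
    if skip_first:
        reports = reports[1:]
    stats: Dict[str, DeviceWrites] = {}
    for report in reports:
        for dev, row in report.items():
            s = stats.setdefault(dev, DeviceWrites())
            s.intervals += 1
            if float(row["w/s"]) > 0:
                s.intervals_with_writes += 1
            s.kb_written += float(row["kw/s"])
    return stats


if __name__ == "__main__":
    for dev, s in summarize(SAMPLE).items():
        print(f"{dev}: wrote in {s.intervals_with_writes}/{s.intervals} intervals, "
              f"{s.kb_written:.0f} KB total, idle {s.idle_fraction():.0%}")
```

    If the install disk shows a high idle fraction and the memory disk takes nearly all the writes, the RAM disk is doing its job; if the install disk is written every interval, something (a package logging outside /var, for instance) is bypassing it.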

  • I think things are finally starting to click for me.

    Using the RAM disk sounds way better now that I understand it more.

    I have another question though. So if I use a USB to boot, and RAM disks, couldn't I technically use a second USB to offload the logs onto? Since it would only write to it on certain intervals I want, wouldn't it still last a pretty good amount of time?
    Would there be any major problems doing this method?

    And I would imagine there is a way to get the logs off of the router from there too, right? Like FTP or something?

  • Banned

    I'm sure you could, but I don't know how. Probably a better use of that extra drive would be to set it up as a hot spare; check out the link in my signature about ZFS installs.

    You can very easily export your logs in config.xml, or you can download them individually. You could also set up ELK or something like that.

  • @bobjohn8887:

    and i would imagine there is a way to get the logs off of the router from there too right? like ftp or something?

    If you have a need for long-term log storage, any syslog server will do.  If you just want to grab the files, SFTP or SCP works great and you don't need to set anything else up on the pfSense side if you're willing to use a password.  Manually, a client like WinSCP (if on Windows) will work, or for something more automated set up SSH key login (very easy) and a simple cron job to grab whatever files you need on a schedule. I do this to back up my /conf directory nightly.

    All that said, I'd just buy a small SSD and be done with it.  If you're logging heavily, chances are that you'll want to use a remote syslog server anyway.  If not, why complicate things?

  • I want to thank you both pfBasic and and whosmatt for all the help and advice.

    I think I really only have one more question for right now. I know you were asking about my WAN speed, but I didn't want a misunderstanding. With the setup (ASRock J3355M), am I also going to be able to pull off at least somewhat close to gigabit just on the LAN too (basically for NAS and possible future Plex server)?

  • Banned

    Yes, you can do gigabit on your LAN so long as you have a good (read: intel) gigabit NIC, on both ends. There are exceptions to this, if for example you are doing IDS/IPS packet inspections on your internal interfaces then that could slow things down, but in general you should not have any issues hitting gigabit on LAN with just about any CPU so long as your NICs are good.

    EDIT: This could also be slowed down if you are passing your traffic through a crappy switch (i.e., your NAS has a solid gigabit NIC, pfSense has a solid gigabit NIC, but you're connecting via a crappy switch that slows things down), or you are running a really long line of CAT5, running it over/near powerful electrical lines, etc.
    In short, there are a multitude of ways that your connection could be degraded, but the J3355 won't slow you down on LAN.

    Note that full gigabit does not = 1000Mbps, but very close


  • 942 Mbps IS full gigabit.  Ethernet overhead is 7 bytes preamble + 1 byte start of frame delimiter + 6 bytes MAC destination + 6 bytes MAC source + 2 bytes ethertype + 4 bytes frame check sequence (CRC) + 12 bytes inter-packet gap (time with nothing on the wire).

    7 + 1 + 6 + 6 + 2 + 4 + 12 = 38 bytes
    With a 1500 byte payload this is 1538 bytes sent for 1500 bytes of payload.
    IPv4 headers are 20 bytes (no IP options).
    TCP headers are 20 bytes (no TCP options).

    So you really send 1460 bytes of payload for 1538 bytes on the wire.

    1460/1538 = 0.9493

    So perfection is 949.3Mbps.

    A single 802.1q vlan header is another 4 bytes of overhead.

    Now you're sending 1542 bytes for 1460 bytes of payload.

    1460/1542 = 0.9468, or 946.8 Mbps.
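    The same arithmetic carried through in code, as an added example rather than something from the post above. It reproduces the 949.3 and 946.8 Mbps figures and also generalises them to cases the post does not cover: IPv6 (40-byte header), TCP timestamps (12 bytes of options, on by default on most stacks, which is why iperf usually lands around 941 Mbps on a clean gigabit link), stacked VLAN tags, and jumbo frames. The `Link` class and its field names are this example's own; the byte counts are the ones listed above plus the standard IPv6 and TCP-option sizes.

```python
"""Maximum TCP goodput on Ethernet, given the per-frame overheads.

Added example for this thread (not code from the original post). It
carries the overhead arithmetic above through code and generalises it
to other MTUs (jumbo frames), IPv6, TCP options and 802.1Q tags.
"""
from dataclasses import dataclass

# Layer-1/2 overhead per frame, in bytes, as listed in the post above.
PREAMBLE = 7
SFD = 1            # start-of-frame delimiter
DST_MAC = 6
SRC_MAC = 6
ETHERTYPE = 2
FCS = 4            # frame check sequence (CRC)
IPG = 12           # inter-packet gap: nothing on the wire, but it costs wire time
VLAN_TAG = 4       # one 802.1Q tag
L1_OVERHEAD = PREAMBLE + SFD + DST_MAC + SRC_MAC + ETHERTYPE + FCS + IPG  # 38

# Layer-3/4 headers without options.
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
TCP_TIMESTAMPS = 12  # NOP, NOP, TSopt: enabled by default on most stacks


@dataclass(frozen=True)
class Link:
    link_mbps: float = 1000.0   # nominal line rate
    mtu: int = 1500             # IP packet size carried in one frame
    vlan_tags: int = 0          # stacked 802.1Q tags (1 on a trunk, 2 for QinQ)
    ipv6: bool = False
    tcp_options: int = 0        # bytes of TCP options per segment

    def wire_bytes(self) -> int:
        """Bytes of wire time consumed by one full-size frame."""
        return self.mtu + L1_OVERHEAD + VLAN_TAG * self.vlan_tags

    def payload_bytes(self) -> int:
        """TCP payload carried in that frame (the MSS, less options)."""
        ip = IPV6_HEADER if self.ipv6 else IPV4_HEADER
        return self.mtu - ip - TCP_HEADER - self.tcp_options

    def efficiency(self) -> float:
        """Payload bytes per byte of wire time."""
        return self.payload_bytes() / self.wire_bytes()

    def goodput_mbps(self) -> float:
        """Best-case application throughput; ignores ACKs on the reverse path."""
        return self.link_mbps * self.efficiency()

    def frames_per_second(self) -> float:
        """Full-size frames per second at line rate (what the NIC/CPU must keep up with)."""
        return self.link_mbps * 1e6 / 8 / self.wire_bytes()


if __name__ == "__main__":
    cases = {
        "IPv4, untagged": Link(),
        "IPv4, one VLAN tag": Link(vlan_tags=1),
        "IPv4 + TCP timestamps (typical iperf)": Link(tcp_options=TCP_TIMESTAMPS),
        "IPv6, untagged": Link(ipv6=True),
        "IPv4, 9000-byte jumbo frames": Link(mtu=9000),
    }
    for name, link in cases.items():
        print(f"{name:40s} {link.payload_bytes()}/{link.wire_bytes()} "
              f"= {link.goodput_mbps():.1f} Mbps, {link.frames_per_second():.0f} frames/s")
```

    The frames-per-second figure is the one that matters for a small CPU like the J3355: at 1500 MTU a saturated gigabit link is roughly 81,000 full-size frames per second in each direction, and an IDS that inspects every one of them is what eats the headroom.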

  • Awesome.

    And yet another question, … lol.

    Are there any other quad NICs you would suggest? The I340-T4s are still looking pretty pricey right now on eBay. I'm keeping my eye out, but are there any others I can be looking at too?

  • Banned

    You can get quad port PRO/1000's, but they are power hogs. That NIC can consume more power than a J3455 by itself.

    So it depends on how much more expensive i340s are than PRO/1000s right now, how much electricity costs in your area, and how long you expect to have this in service.
    If electricity is negligible and i340s are way more expensive right now then go for the PRO/1000 (so long as you don't need any virtualization features).

    I would personally buy a Chinese knockoff i340 off of eBay before I got a quad PRO/1000; plenty of people use them without any noticeable difference to the official product (which is also made in China). You might get some nutcase in a tin foil hat claiming that knockoffs have government backdoors in them  ::). You can ignore any of that crap, no one important puts knockoff NICs in their system and China doesn't care about all of our cat pictures.

    Incidentally, if you are in the US I see this for sale right now $35 shipped. You won't find them much cheaper than that.

    NOTE: that NIC has a standard bracket; if you need low profile either order one separately or just remove the one it ships with, cut and bend it to fit and reinstall.

  • So after some consideration, I finally was about to order parts.

    However, the ASRock J3355M Micro ATX CPU/motherboard I was going to get looks to now be out of stock basically everywhere, and I kind of don't want to wait 1-2 months, according to Amazon. I know I can always get the J3355B, but I sort of like the possibility of the extra PCIe slots in the micro ATX board, for possibly another NIC or, if I upgrade down the line, to use the parts for something else. So I started looking and see there is the ASRock D1800M.

    Everything looks about the same, just the processor has a higher base frequency, but it seems to be an older chip compared to the J3355.

    Everything is basically the same price, so should I go with the D1800M, or go with the J3355B?


  • Banned

    The J1800 has no AES-NI; normally not a big deal for you since you aren't asking much in the way of VPN performance, but it could be an issue since you also want to use an IDS/IPS, and it's an older (slower) architecture. All of those things combined may frustrate you.

    I'd go up instead of down. You can get a J3455M shipped now (or soon with the ASRock) for just a little more. The ASUS one is even more but it's same day shipping if you're a prime member.

  • I almost forgot about the quad-core J3455M. I know you said early on that my stuff would be better with a dual core with a higher core speed, but would going with the quad core really be a noticeable decrease in performance? If so, I can probably live with the J3355B; if not, I probably will go for the quad core.

  • Banned

    The higher clock speed will give you a noticeable improvement in a single OpenVPN instance. That said, it sounds like you aren't looking to use the VPN heavily. You can also create multiple VPN clients (up to one per core is useful) and combine them in a gateway group. Not all kinds of traffic will be able to take advantage of this configuration, but you will see real-world performance improvements.

    The J3455 will also perform better for you on an IDS if you switch from Snort to Suricata, which supports multithreading. IDS/IPS is going to be your major CPU hog in this application, especially if you load it up with rules.

    If your only concern is PCIe expansion, the J3355B might still be an option. You can use a passive riser card that goes from an x16 slot to two x4+ slots and add up to 8 gigabit ethernet ports (2xquad port NICs) on the J3355B's one slot if you really wanted to. This will create some weird issues with fitting it into a case neatly but technically speaking it will work just fine.

  • So I decided to go with the J3355B. Obviously I switched up the RAM to fit the board. But I just ordered all of my parts!

    Thank you pfBasic for all the advice and answering all the numerous questions, it was very helpful!

    I can now officially start my pfSense journey on real hardware!

    Thanks again.

  • Banned

    Congratulations! Please let us know how it all works out for you and feel free to ask any questions you may have setting it all up.
