Hardware upgrade required or not?



  • Currently I am running pfSense on very old PC components: Intel Pentium 4 D820+D946GZIS(mb) + 1GB DDR-400 + Intel quad 340-T4(ebay) + 450W (unknown brand). I am using this to replace my original wifi router, which stops working when I connect it to DSL. This is just a home router and the speeds are quite low, around 20/2; planning to upgrade to 50/5 but nothing more than that.

    I am quite happy with the way it is, but I have decided to get snort and squid and maybe some time soon get VPN also working. Now, for the 3 extra features, will the current hardware support be enough?
    Also, VPN will be on a purely educational basis, i.e., I will be the only one to use it.

    The current issue I have is that the system is open with no chassis and it's making a lot of noise from the fan. So I started reading a lot of threads/posts and from my understanding the best possible board could be the Jetway NF9HB-n2930 or the Gigabyte GA-J1900N-D3V or GA-N3150N-D3V. I have been checking the online pricing of these boards and due to customs the pricing is ridiculous. n3150 is not to be found and the jetway board costs ~$260 and the cheapest for j1900 was $150(ebay). I even looked at DQ77KB but was not able to find any locally. I still need to check with the local dealers but I highly doubt I would get it and even if I do it won't be any cheaper.

    So in my search i came across this board Asus H110T/CSM. Dual Lan(Realtek+ Intel). I am yet to identify a cheaper processor but so far I found only G4440.

    Basically my criteria is:
    Quiet(Fan less) > reasonably Cheap(<$250) > low power usage(anything less than now)

    So my options are:
    Choice 1 :
    Asus H110 = ~$107
    G4440      = ~$68
    DDR4 4GB/8GB = $35/$60
    HTPC Case PT13B = $70(Not sure if the CPU fan will fit else i get local mitx case for $37)
    AC-DC adapter = ?
    TP-LINK TL-SG108E switch = $46

    Total  = ~$280 + ? + $46

    Issue: Don't think this is going to be quiet or low power usage, Also not sure of the Power adapter.

    Choice 2:

    Jetway NF9HG-2930 = ~$260(as per amazon.com, not sure if custom duty is included or not to INDIA)
    DDR3L 1333 4GB = $35
    HTPC Case PT13B = $70
    AC-DC adapter 60w/12v/5a = $10
    TP-LINK TL-SG108E switch = $46

    Total = $375 + $46

    Issue: Just not cheap and availability.

    Choice 3:
    Gigabyte GA-J1900N-D3V = maybe ~ $150
    DDR3L 1333 4GB = $35
    Unbranded local miniitx case with PCI slot = $37
    Existing Intel 340-T4 = NA

    Total = $222

    Issue : Availability , also Quad NIC is PCIx4 and so corresponding boards are also difficult to get. I can get hold of many cheaper J1900 but all of them are with x1 PCIe and not PCIx4 or x16.

    I could probably remove the PT13b case to reduce the price also.. Also not sure if this switch is enough for the job, just in case, though i have not found the use case yet since i am still using the bridge mode on QUAD nic to get the job done.

    Never worked on AMD devices, so not aware of any of them, old or new..

    Your suggestions please. Better options available?

    P.S: sorry for the long post.


  • Banned

    Well if you don't want to buy new hardware then I don't think you'll have any trouble doing what you described on your current setup.

    Even so every build you described was very expensive. If you decide to upgrade all you need is a new SoC and new RAM. Reuse everything else that you already have.
    J3355B is $55 and will cover all of your needs. It uses DDR3 laptop RAM that you can get for $20 if you don't have some already.



  • @pfBasic:

    Well if you don't want to buy new hardware then I don't think you'll have any trouble doing what you described on your current setup.

    Yes he will. Before my P4 setup died it was maxing out the CPU and RAM and hitting the page file with a 3/1.5 connection and no VPN running snort and pfBlockerNG.

    Just about any modern CPU/MB combo will do what you want. Choose what is cheapest and available to you and select something with Intel NIC's if you can.


  • Banned

    @Jailer:

    @pfBasic:

    Well if you don't want to buy new hardware then I don't think you'll have any trouble doing what you described on your current setup.

    Yes he will. Before my P4 setup died it was maxing out the CPU and RAM and hitting the page file with a 3/1.5 connection and no VPN running snort and pfBlockerNG.

    Just about any modern CPU/MB combo will do what you want. Choose what is cheapest and available to you and select something with Intel NIC's if you can.

    I stand corrected, but definitely recommend against shopping around for integrated intel NIC's. It drives up the price of the motherboard too much, has no performance advantage and you can get PRO/1000 dual port NIC's on eBay for so cheap it's silly.
    Also, he already has an i340.



  • @pfBasic:

    but definitely recommend against shopping around for integrated intel NIC's. It drives up the price of the motherboard too much, has no performance advantage

    And this is where you and I will have to agree to disagree. There are way too many documented incidents of crappy Realtek NIC's under FreeBSD to recommend them in any fashion. That's also why I stated "if available". If not he can use the NIC he already has.


  • Banned

    Oh no I totally agree with you on realtek and only recommend Intel, or Chelsio.

    All I'm saying is that it isn't useful to chase a motherboard with integrated Intel NICs unless you have a real reason to (sff is a must for example).
    There are way more options at exceptional price points that come with shitty NICs.

    I recommend ignoring NICs when buying motherboards and find what meets all of your other requirements. Then just never use the onboard NIC.



  • @pfBasic:

    All I'm saying is that it isn't useful to chase a motherboard with integrated Intel NICs unless you have a real reason to (sff is a must for example).

    SFF is not a must, but I was hoping I can keep it small and quiet, after all it's in my bedroom.. I was also hoping to remove the PSU and make use of some AC-DC adapter to reduce the noise. I don't mind waiting a while to save up and buy it. But considering I am trying to buy outdated spec boards, that they are still not cheap is baffling..  :-\

    So my P4 definitely needs an upgrade.. You mentioned J3355B; well, from basic googling I find the cost is $167 on amazon local :o. I get the point though to get whatever is cheaper with a PCIe x4 slot. Speaking of x4 slot for i340, J3355B is PCIe x2 mode, does that mean there will be a drop in speed, and do you think this makes any difference for the kind of speeds I am using?

    Also what is the recommended memory requirement? Is 4GB enough or is 8GB required? And I am currently running pfSense on a 64GB SSD, hope that is more than required..


  • Banned

    Ouch! That's expensive! Where are you located? They are $55 in the US!
    I only recommend the j3355 because it's really cheap, low power, fanless, and will exceed the needs of most home users. If it isn't cheap for you then I don't recommend it if you can get something similar for less.

    A picoPSU 80 (non-WI) will work great for further reducing noise and power usage. EDAC AC/DC converters are often good (~85%+ efficiency), try to find one with a data sheet. That setup is about $40 in US FWIW.
    4GB RAM is plenty, your SSD will work great too!

    PCIe v 2.0 can Max out 4 gigabit ports simultaneously all day long at 1x speeds.
    So long as both the slot and the card are PCIe v2.0+ (i340 is), then you only need to match the physical size of the card, speed won't matter for gigabit NICs.



  • @pfBasic:

    Ouch! That's expensive! Where are you located? They are $55 in the US!
    I only recommend the j3355 because it's really cheap, low power, fanless, and will exceed the needs of most home users. If it isn't cheap for you then I don't recommend it if you can get something similar for less.

    INDIA.. I was using newegg as a search tool for cheap boards but when I started looking for the prices locally it just didn't make sense..  probably will check some local shops, maybe it's cheaper. I have been out of the hardware world for quite some time now.. or maybe look for used boards..

    @pfBasic:

    A picoPSU 80 (non-WI) will work great for further reducing noise and power usage. EDAC AC/DC converters are often good (~85%+ efficiency), try to find one with a data sheet. That setup is about $40 in US FWIW.
    4GB RAM is plenty, your SSD will work great too!

    PCIe v 2.0 can Max out 4 gigabit ports simultaneously all day long at 1x speeds.
    So long as both the slot and the card are PCIe v2.0+ (i340 is), then you only need to match the physical size of the card, speed won't matter for gigabit NICs.

    Thanks.. this was helpful..


  • Banned

    Yeah I peeked around out of curiosity, it's a rough market for hardware.

    This is about the best deal I found. It will probably get similar (non-VPN) performance to a J3355, but with way more power draw, and it's got a fan that's probably loud, and the quality might be questionable….

    http://www.ebay.in/itm/Dell-optiplex-740sff-AMD-Athlon-64-X2-Dualcore-5600-2-8ghz-1gb-80gb-No-CD-Drive-/162446319032?hash=item25d28e1db8:g:UfgAAOSw4CFY2LEm

    Still though, if that's the market you have to buy it looks like you could get a J3355, and a stick of DDR3 SO-DIMM 204 pin RAM for less than the builds you posted.

    Honestly if I had to buy in that market I would build a DIY computer case for my router (I still use ten year old cases for my stuff). www.recomputepc.com actually sells computers in pretty cool DIY cases.

    Another thought since the market there is so damned expensive.
    A 50/5 line with snort, squid and light experimental VPN usage will not stress a J3355.
    Both J3355 & i340 support virtualization.
    VMware is free for personal use.
    You could virtualize pfSense and something else in order to get maximum utilization out of your purchase.

    J3355 just so happens to have top-tier hardware video decoding if that is of any use to you?
    You could also run some type of server, TrueOS, a NAS, a normal desktop instance of linux or TrueOS?

    Just trying to think of ways you can get the most bang for your buck when everything is 3x as expensive.



  • @Jailer:

    @pfBasic:

    Well if you don't want to buy new hardware then I don't think you'll have any trouble doing what you described on your current setup.

    Yes he will. Before my P4 setup died it was maxing out the CPU and RAM and hitting the page file with a 3/1.5 connection and no VPN running snort and pfBlockerNG.

    P4 was a very broad range of CPUs.  At least OP's CPU is dual core (not hyperthreaded) as far as I can tell.  I'd at least give it a shot.


  • Banned

    Good point, worst case scenario is the CPU maxes out and you turn off snort, squid & suricata.

    Another thought that hopefully others can chime in on.
    Since you are in a very expensive market making it even more critical to get the most bang for your buck, I'm thinking suricata might be the better choice for you. It supports multiple cores whereas squid does not.
    My first thought is that anything that can help to more efficiently utilize whatever resources you have available is worth doing.

    But, I don't know if suricata is also more or less resource intensive than snort?
    And I don't know if a P4 would have any issues with multithreading programs?



  • @pfBasic:

    And I don't know if a P4 would have any issues with multithreading programs?

    That's the thing. There were so many different processors under that family.  There are single core 1.6GHz CPUs that are total dogs.  There are 3GHz CPUs with hyperthreading.  And then there are the Pentium D, which is what I think OP has.  Those have 2 real cores at 2.8GHz.  Not world beaters by today's standards, but certainly much better than a single core 1.6GHz model, and MUCH more capable with pfSense.  This is my assumption, that OP's "Intel Pentium 4 D820" is this: https://ark.intel.com/products/27512/Intel-Pentium-D-Processor-820-2M-Cache-2_80-GHz-800-MHz-FSB

    Should note that if that is indeed OP's CPU, it supports 64 bit meaning it can still be relevant with the newest builds.



  • @pfBasic:

    Yeah I peeked around out of curiosity, it's a rough market for hardware.

    This is about the best deal I found. It will probably get similar (non-VPN) performance to a J3355, but with way more power draw, and it's got a fan that's probably loud, and the quality might be questionable….

    http://www.ebay.in/itm/Dell-optiplex-740sff-AMD-Athlon-64-X2-Dualcore-5600-2-8ghz-1gb-80gb-No-CD-Drive-/162446319032?hash=item25d28e1db8:g:UfgAAOSw4CFY2LEm

    Still though, if that's the market you have to buy it looks like you could get a J3355, and a stick of DDR3 SO-DIMM 204 pin RAM for less than the builds you posted.

    Honestly if I had to buy in that market I would build a DIY computer case for my router (I still use ten year old cases for my stuff). www.recomputepc.com actually sells computers in pretty cool DIY cases.

    Another thought since the market there is so damned expensive.
    A 50/5 line with snort, squid and light experimental VPN usage will not stress a J3355.
    Both J3355 & i340 support virtualization.
    VMware is free for personal use.
    You could virtualize pfSense and something else in order to get maximum utilization out of your purchase.

    J3355 just so happens to have top-tier hardware video decoding if that is of any use to you?
    You could also run some type of server, TrueOS, a NAS, a normal desktop instance of linux or TrueOS?

    Just trying to think of ways you can get the most bang for your buck when everything is 3x as expensive.

    I really don't mind if the cases are old or new, I was just looking for small cases and compatible motherboards and PT-13 was something I liked, that is all.. In fact I was thinking of going for a matx board, which tend to come cheaper, but then again they are all non-integrated chips and so fan sound etc.. Problem with DIY cases and me is that I never tend to finish it, been like that from my teen days..  ::)

    But to be frank, the case is not my major issue. It's just noise, and since I tend to keep playing around with the router, i.e., with firewall rules and other things, I tend to mess it up and to recover fast I need to access it, so I don't want to keep it somewhere far off in a closet or something to avoid the noise..

    Regarding virtualization, I have gone this route. In fact I bought the quad port NIC specifically for this reason..
    I currently have a very decent home server for NAS and windows/linux OS virtualized. Using UNRAID for this purpose, simply because it's been hassle free to get a VM for gaming and GPU pass through.. if I had to avoid gaming then proxmox was my fav hypervisor. And pfsense on proxmox, at least the basic functionality, was just too simple and easy, though I had issues initially (learning). Never got around to getting snort or others to run simply because I need the gaming to work (just a casual gamer but it's my only stress breaker)..

    On UNRAID it was a problem, simply because the array at times started giving problems and then I need to stop and start the array, which made the VM (pfsense) go down, which meant going under the table reconnecting cables and figuring out the issue, during which the router will be down. Since I use pfsense as my primary router it will have an impact at times. This was the only reason I decided to start playing with an old PC and am now looking for a new one..

    I was even considering getting an edgerouter and running pfsense as a VM for firewall/snort/squid etc, but was not sure if that made sense..

    But yes J3355 looks better of all options..

    @whosmatt:

    P4 was a very broad range of CPUs.  At least OP's CPU is dual core (not hyperthreaded) as far as I can tell.  I'd at least give it a shot.

    I may be wrong about having a P4.. I just checked again and I have a Pentium D 820.. and the board does not support anything more powerful than I already have, I think.. Also getting hold of DDR RAM is quite impossible..

    P.S: Does snort affect throughput drastically?


  • Banned

    You can get fanless SoC on microATX, both the J3355 and J3455 are offered on microATX.

    Note, I don't keep mentioning those two CPU's because I think they are the only option out there. In the US they are very cheap, but if there's something cheaper in your area by all means go that route.

    In your case I agree with matt, at least try your current setup and if it doesn't work then look into buying.
    If you must buy then try to buy the cheapest thing that will do what you need.

    Yes, any IDS/IPS will be a big hit on throughput. By using snort or suricata you are now not only routing all of your packets but inspecting them and then comparing their contents to a bunch of signatures. Just like firewalling, the more rules/signatures you are comparing traffic to the more work your CPU has to do.



  • @vinay2016:

    I may be wrong about having a P4.. i just checked again and i have Pentium D 820

    The Pentium D is basically two P4 CPUs on a single socket.



  • @whosmatt:

    @vinay2016:

    I may be wrong about having a P4.. i just checked again and i have Pentium D 820

    The Pentium D is basically two P4 CPUs on a single socket.

    Thanks for correcting me.. I got the timelines messed up, I assumed P4 came after Pentium D..
    I see that you're using ESXI .. how do you find it? I mean was it easy to set up? And if you're using the free version, what are the limitations? I just can't seem to get concise data. I know it's not the correct forum but I was curious.

    @pfBasic:

    You can get fanless SoC on microATX, both the J3355 and J3455 are offered on microATX.

    Note, I don't keep mentioning those two CPU's because I think they are the only option out there. In the US they are very cheap, but if there's something cheaper in your area by all means go that route.

    In your case I agree with matt, at least try your current setup and if it doesn't work then look into buying.
    If you must buy then try to buy the cheapest thing that will do what you need.

    Yes, any IDS/IPS will be a big hit on throughput. By using snort or suricata you are now not only routing all of your packets but inspecting them and then comparing their contents to a bunch of signatures. Just like firewalling, the more rules/signatures you are comparing traffic to the more work your CPU has to do.

    That is the idea.. I am going to try and figure out what can be done with my current setup and its limitations.
    Never knew about suricata..
    Based on a crazy idea I have now, can pfsense act as firewall on the LAN, but on WAN output?

    I mean : modem -> Standalone Pfsense(P4) -> Realtek MB port -> VM Pfsense( for squid/VPN/suricata) -> Intel single port NIC card -> L2 Switch(with vlan support)

    I know the idea is to have IDS/IPS on the WAN port , but was just thinking..  :P

    Never thanked you guys for the inputs..
    @Jailer, @pfBasic, @whosmatt
    Thanks


  • Banned

    @vinay2016:

    Based on a crazy idea I have now, can pfsense act as firewall on the LAN, but on WAN output?

    I mean : modem -> Standalone Pfsense(P4) -> Realtek MB port -> VM Pfsense( for squid/VPN/suricata) -> Intel single port NIC card -> L2 Switch(with vlan support)

    Hm, I'm not really sure what's going on here? Do you mean having two physical pfSense boxes? The "Standalone Pfsense(P4)" & a separate box hosting a "VM Pfsense( for squid/VPN/suricata)"? I don't think this is what you mean but I'm having trouble following.

    Also, where did the i340 go in this configuration?

    Realtek is never recommended, if you can at all avoid it just don't utilize your realtek NIC. However, knowing that you are not in a conducive market to just cheaply buy hardware; if it is unavoidable then at least try to put it as far downstream as possible.

    Maybe post a list of all of the hardware that you have available to you, and a description of what exactly it is you are trying to accomplish with the above configuration.

    @vinay2016:

    Never thanked you guys for the inputs..
    @Jailer, @pfBasic, @whosmatt
    Thanks

    You are very welcome, this is a great community and it's enjoyable contributing to solve problems and make pfSense more useful for more people!



  • @pfBasic:

    @vinay2016:

    Based on a crazy idea I have now, can pfsense act as firewall on the LAN, but on WAN output?

    I mean : modem -> Standalone Pfsense(P4) -> Realtek MB port -> VM Pfsense( for squid/VPN/suricata) -> Intel single port NIC card -> L2 Switch(with vlan support)

    Hm, I'm not really sure what's going on here? Do you mean having two physical pfSense boxes? The "Standalone Pfsense(P4)" & a separate box hosting a "VM Pfsense( for squid/VPN/suricata)"? I don't think this is what you mean but I'm having trouble following.

    Also, where did the i340 go in this configuration?

    Realtek is never recommended, if you can at all avoid it just don't utilize your realtek NIC. However, knowing that you are not in a conducive market to just cheaply buy hardware; if it is unavoidable then at least try to put it as far downstream as possible.

    Maybe post a list of all of the hardware that you have available to you, and a description of what exactly it is you are trying to accomplish with the above configuration.

    I have 2 systems right now.
    System 1>
    old PC(pentium D) which is running PFSENSE.

    System 2>
    Home server for NAS/media server/gaming etc
    Intel Xeon E3-1246 v3
    32GB RAM
    8TB HDD
    AMD RX480 GPU
    Currently running UNRAID on this. Tried pfsense as a VM here but it failed, since if a hard disk issue comes up then the array stops and the VMs go down.
    Tried Proxmox, pfsense worked properly, but could not get a few other things so returned to UNRAID.
    Need to try ESXI..

    So the idea was to give up the i340 for 2 dual port Intel NIC cards. Place one in each system, and System 1 will act as a simple router and the pfsense VM on System 2 will act as IDS/VPN endpoint..

    I have not thought it through, but here it is
    Modem -> WAN [ SYSTEM 1] LAN 1 -> LAN 2[ SYSTEM 2] LAN 3 -> switch.
    LAN3 will be the vbridged port for all VMs. LAN 2 is where IDS will be applied, and since there is no other device it should be the same as the WAN port.
    Crazy, I know..


  • Banned

    It sounds to me like your best bet is to retire the old Pentium X and virtualize everything in your Xeon.

    VMware/ESXI is the most recommended VM I've seen for pfSense among many other things. You've already got a lot of capable hardware on your hands and it sounds like you can do everything you need with what you have.

    Try running VMware/ESXI on your xeon platform. If it's stable for everything you need then gut the Pentium box for its i340 and run pfSense off of your VM. For your stated needs you won't need to provision much at all for pfSense.

    If this fails then I would say try getting all of your pfSense working on just the Pentium box.

    Only if both of the above options fail would I recommend trying to string together two pfSense boxes to do what one low end box can do. I'm guessing that the Pentium box is a huge power hog (especially if you make it work hard on an IDS), it alone is probably costing you ~$40USD/yr to run (just my guess). Your xeon is exponentially more power than the pentium and uses less power.



  • @vinay2016:

    I see that you're using ESXI .. how do you find it? I mean was it easy to set up? And if you're using the free version, what are the limitations? I just can't seem to get concise data. I know it's not the correct forum but I was curious.

    I love it.  That said, I'm an IT professional and have been using it extensively for the past 10 years or so, so I'm very comfortable setting it up and managing it.  For home use, the limitations of the free version really don't matter.  If I had a faster WAN connection (I'm 50x5 or so) then I'd use a dedicated pfSense box, but my current VM handles full speed with PIA OpenVPN no problems and allows me to run 8 or so other low consumption VMs for stuff like DNS, pi-hole, Unifi controller, Crashplan, Subsonic, dedicated torrent box, etc.

    EDIT:  regarding limitations of the free version of ESXi, 32GB of RAM on the host used to be a limit but I believe that has been removed in the 6.x versions.  I'd use it on your Xeon system with confidence, except that I always recommend hardware RAID (for safety if not performance).  If that's not an option, a good SSD will be more reliable (and MUCH faster) than any spinning disk.  At home, I don't have disk redundancy on my ESXi system, but I do back up anything important nightly.  This includes my pfSense config, and essential config data from the more important Linux VMs.  I have a separate storage "server" (really a Sheevaplug with a Drobo) that hosts all of my essential data, and that gets backed up constantly by Crashplan on a VM on the ESXi box.  And, anything important on the ESXi box runs from the SSD, mostly for reliability reasons rather than for performance.

    Sorry if that's long-winded, just want to make sure I don't give hasty advice. :)


  • Netgate Administrator

    My own P4 based system could push ~350Mbps and that was a single core bog standard CPU.

    If you exhaust the RAM and start swapping, performance is destroyed though, especially with whatever ancient slow disk is probably in that. It's easy to eat RAM with Snort and Squid if you just enable everything.

    I might still be running that box were it not for the fact that all the capacitors died on the motherboard and it failed to POST. That alone is good reason to upgrade.

    Steve

