[RESULTS] Potential build for pfSense + VPN on CLink Gigabit
-
All of this will work and you will get a huge increase in VPN throughput although I can't tell you how much especially since I don't know what you are encrypting at.
I've read that you get a noticeable performance increase on gigabit connections with dual channel RAM, so maybe buy 2x4GB RAM instead of 1x8GB (you don't need 8GB btw unless you are planning to use some heavy packages).
The only other thing I would mention is that it doesn't look like that case can accommodate a PCIe card? Maybe it can but from looking at pics idk. If it can't that's fine so long as you can do everything you need on two gigabit ports, if not then I'd shop around for a case with room for a PCIe slot.
-
All of this will work and you will get a huge increase in VPN throughput although I can't tell you how much especially since I don't know what you are encrypting at.
I've read that you get a noticeable performance increase on gigabit connections with dual channel RAM, so maybe buy 2x4GB RAM instead of 1x8GB (you don't need 8GB btw unless you are planning to use some heavy packages).
The only other thing I would mention is that it doesn't look like that case can accommodate a PCIe card? Maybe it can but from looking at pics idk. If it can't that's fine so long as you can do everything you need on two gigabit ports, if not then I'd shop around for a case with room for a PCIe slot.
Thanks, pfBasic!
I've changed the RAM, based on your suggestion – it wasn't even an appreciable difference in price. D'oh!
With regards to the PCIe issue, this is an example of why I posted this thread. As I was planning to wire the RT-AC3200, I just assumed I could plug the two wired devices (the media server and PS4) into the AP. I'm guessing this is either not possible or causes a major performance drop?
If so, are there other options that do not involve adding more NICs to the pfSense box but will not massively degrade the connection?
-
No that's probably totally fine. I don't know that model in particular, just make sure that it has gigabit ports and enough of them to connect all of the devices you need.
Keep in mind that when using a SOHO router as an AP that the WAN port is not used for anything, so if you have a WAN port and 4 LAN ports, one of the LAN ports will be connected to pfSense leaving you with three ports to connect your devices to.
If you want to use VLANs then you'll need a switch that supports that, if you don't then your AP will work just fine.
I just wanted to ask the question in case you end up needing more NICs and can't add them.
-
No that's probably totally fine. I don't know that model in particular, just make sure that it has gigabit ports and enough of them to connect all of the devices you need.
Keep in mind that when using a SOHO router as an AP that the WAN port is not used for anything, so if you have a WAN port and 4 LAN ports, one of the LAN ports will be connected to pfSense leaving you with three ports to connect your devices to.
If you want to use VLANs then you'll need a switch that supports that, if you don't then your AP will work just fine.
I just wanted to ask the question in case you end up needing more NICs and can't add them.
Ah! That makes sense. Still, changing the case and adding a 4-port Intel PCIe card only added $24 dollars to the build, which is not much in the scope of things. I'm happy with the change, even if I don't end up using the card.
With regards to the VLANs, if you mean something like CLink's Prism TV, then no. If you mean something else…could you elaborate on a use case? I am not familiar with VLANs in any real sense.
-
From what it sounds like you're trying to do I think you'll be fine with the current case and not need a PCIe card. I didn't bring it up to say that it was a bad config, just to make sure it wasn't a small oversight.
VLANs are _V_irtual _L_ocal _A_rea _N_etworks
https://doc.pfsense.org/index.php/VLAN_Trunking
http://resources.intenseschool.com/pfsense-series-configuring-vlans/
With two physical ethernet ports you can have a WAN and a LAN. If in the future you wanted to add more networks, you can use more physical ports, or you can use VLANs. In order to use VLANs you need a switch that supports VLANs.
https://www.amazon.com/TP-Link-Gigabit-Ethernet-Managed-TL-SG108E/dp/B00K4DS5KU
https://www.amazon.com/Cisco-SG300-10-10-port-Gigabit-SRW2008-K9-NA/dp/B0041ORN6U
I have never used a VLAN so I don't know much of anything about them. It's just an option that you could use down the road to help you expand your network while just using two physical NICs if you needed to. At least that's my understanding of it. If I'm wrong hopefully someone who knows will chime in here.
-
Is there a reason for going with the T series CPU? Are you planning on cooling issues? Low TDP parts are for cooling constrained installations, not for power savings. The T series part will spend more time doing the same amount of work as a standard part and you gain nothing in power savings.
I personally would get an i3 7100 as they both consume the same amount of power at idle, which is where it will spend most of its time, and you hobble the performance when you need it with the T part.
If you need more LAN ports don't add more NICs, add a switch. pfSense is a router/firewall not a switch.
Edit: If you want to save a couple bucks you could get a G4620 (Kaby Lake) or G4520 (Skylake) CPU. They are nearly the same speed as the i3-7100, dual cores with hyperthreading and about $25 cheaper.
-
Is there a reason for going with the T series CPU? Are you planning on cooling issues? Low TDP parts are for cooling constrained installations, not for power savings. The T series part will spend more time doing the same amount of work as a standard part and you gain nothing in power savings.
I personally would get an i3 7100 as they both consume the same amount of power at idle, which is where it will spend most of its time, and you hobble the performance when you need it with the T part.
If you need more LAN ports don't add more NICs, add a switch. pfSense is a router/firewall not a switch.
Edit: If you want to save a couple bucks you could get a G4620 (Kaby Lake) or G4520 (Skylake) CPU. They are nearly the same speed as the i3-7100, dual cores with hyperthreading and about $25 cheaper.
No, actually! I mean, I wanted a very small build, so I thought putting as little load on the cooling system in the cramped space was a good idea. I'm happy to go with a different processor.
Out of curiosity, how much difference do a few tenths of a GHz make in this sort of use? What I mean is, will there be a big difference in performance between 3.6 GHz and 3.9 or 4.1?
-
Depends. How many and what packages, if any, do you plan on running?
-
I seem to have a 50/50 ceiling for the connection. I'd like to push past that. I know that I'm not going to get anywhere near the 900+/900+
It would also be useful to know what kind of speeds you would like to see on your VPN?
-
Depends. How many and what packages, if any, do you plan on running?
To start, just vanilla pfSense. My only real goal at this particular point is routing all traffic through a VPN.
It would also be useful to know what kind of speeds you would like to see on your VPN?
I have no idea what to expect. Considering my absolute worst wired connection without a VPN has been around 600/700, I'd be happy with somewhere around 200 or 300. No idea what's realistic though.
-
Depends. How many and what packages, if any, do you plan on running?
To start, just vanilla pfSense. My only real goal at this particular point is routing all traffic through a VPN.
It would also be useful to know what kind of speeds you would like to see on your VPN?
I have no idea what to expect. Considering my absolute worst wired connection without a VPN has been around 600/700, I'd be happy with somewhere around 200 or 300. No idea what's realistic though.
This sounds attainable on your listed hardware.
-
No, actually! I mean, I wanted a very small build, so I thought putting as little load on the cooling system in the cramped space was a good idea. I'm happy to go with a different processor.
It's certainly not a bad idea, but the regular desktop SKUs these days are very easy to cool, even in a confined space. As long as you're not looking for passive cooling I'd just go with a regular desktop Kaby Lake. Go for the highest base clock you can reasonably afford. That will help you more than any other single factor with PIA. It's also possible, from anecdotal evidence, that the PIA endpoints will restrict your speed through a tunnel more than your local hardware will. If that's the case, multiple simultaneous tunnels are an option. Best case you get much higher speeds. Worst case it's the same as a single tunnel but with resiliency.
-
I'll start by elaborating on my intended implementation. What I'd like to do is build a pfSense box that will serve as the router for my CLink Gigabit connection,
Are you using PPPoE at CLink FTTH? If not you could be lucky with the fanless and silent Jetway NF9HG-2930.
-
I've updated the OP with my results.
Build was completed and configured yesterday. Thus far quite happy!
-
That is really great OpenVPN throughput! How is your client configured?
-
4 ms ping? VPN?
-
4 ms ping? VPN?
I was surprised by that myself. Speedtest could very well be lying, but PIA does have a Seattle connection point.
-
That is really great OpenVPN throughput! How is your client configured?
Yeah, I'm very happy with it. Not to mention surprised.
pfSense is just totally vanilla. For OpenVPN configuration, I am so far using the stock pfSense configuration provided by PIA.
I will be tinkering to add a couple functions soon, but there do not appear to be any DNS leaks thus far, so I'll probably just get to that later this week.
-
The best way to make sure you will never have a DNS leak is to use Unbound as a Resolver (don't change any settings or add any DNS IPs anywhere in your settings), then under Services / DNS Resolver / General Settings > Outgoing Network Interfaces: select only your VPN interface.
This way all of your DNS requests go straight through the Root Servers but via your VPN.
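As an added illustration (not posted by anyone in this thread), this is the shape of the unbound.conf fragment that pfSense writes under /var/unbound when the DNS Resolver is left in resolver mode and "Outgoing Network Interfaces" is restricted to the VPN tunnel. The LAN address 192.168.1.1 and the tunnel address 10.8.0.6 are constructed placeholders; the rest of the directives are standard Unbound options.

```conf
server:
    # Listen for client queries on LAN and loopback only (the WAN is not listed).
    interface: 192.168.1.1
    interface: 127.0.0.1

    # Resolver mode: no forward-zone stanza, so Unbound walks from the root hints
    # itself instead of sending everything to the ISP's or VPN provider's resolver.
    # DNSSEC validation stays on via the built-in trust anchor.
    auto-trust-anchor-file: /var/unbound/root.key
    module-config: "validator iterator"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # The leak-proof part: every upstream query is sourced from the tunnel
    # address (placeholder), so it is routed through the VPN and never the WAN.
    outgoing-interface: 10.8.0.6
```

Because the only outgoing address is the tunnel's, upstream queries are routed by that source address through the VPN. If the tunnel is down that address has no usable route, so resolution fails rather than quietly falling back to the WAN, which is the fail-closed behaviour you want from a leak-prevention setting. A quick check after applying it is to watch the VPN interface with `tcpdump -ni <tun interface> port 53` while resolving a name from a LAN host; no port-53 traffic should appear on the WAN capture at the same time.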
-
The best way to make sure you will never have a DNS leak is to use Unbound as a Resolver (don't change any settings or add any DNS IPs anywhere in your settings), then under Services / DNS Resolver / General Settings > Outgoing Network Interfaces: select only your VPN interface.
This way all of your DNS requests go straight through the Root Servers but via your VPN.
Sounds good! Also, I realize only a total scrub would ask this, but that would also mean that I'd effectively lose internet connectivity if the VPN is down, right?
I ask because that is desirable to me.