Netgate Discussion Forum

Help with hardware build

61 Posts 6 Posters 15.6k Views
  • T
    teh g
    last edited by Mar 31, 2017, 11:06 PM

    I've been poking a bit around the forums to see if I can get a good build going. I'm relatively new to the homebrew router scene, and want to make sure I get something that will cover my needs now, and in the future.

    Here are my current requirements:

    • 250/25 internet speeds now

    • Going to have gigabit internet Soon™

    • Potentially will use a VPN for outgoing traffic

    • Might set up a VPN server on the box to make use of my Pi-Hole that I have on the network now

    • Will probably use some of the firewall functionality, not sure which pieces

    • I'd like the box to be fairly small, I was thinking mini-ITX and a passively cooled system

    • Currently only three devices plugged directly into my router (two PCs and my Pi-Hole)

    • Will leverage my current wireless router in bridge mode to give WiFi to my house

    There is probably more, but who knows :D

    I was thinking of one of the low TDP LGA1151 CPUs, 2x4GB sticks of memory, and one of the Intel PCIe 2.0 NICs. The place I am uncertain of, is how many cores and what speed should I settle on for good throughput?

    • J
      Jailer
      last edited by Mar 31, 2017, 11:09 PM

      Why low TDP CPU? Are you planning on cooling issues?

      • T
        teh g
        last edited by Mar 31, 2017, 11:17 PM

        @Jailer:

        Why low TDP CPU? Are you planning on cooling issues?

        I was hoping for something passively cooled or extremely quiet. I work at home, so with my desktop, my work laptop, and four monitors, my electric bill is already pretty high.

        • J
          Jailer
          last edited by Mar 31, 2017, 11:28 PM

          Low TDP won't save on consumption, they are designed for thermally constrained installations and will throttle performance to stay within a certain temperature threshold. What you end up with is more CPU time spent on tasks than a standard part and the power consumption ends up being near the same. I can understand the noise factor though.

          You'll likely have to have some sort of active cooling for something powerful enough for Gbit WAN and VPN.

          • T
            teh g
            last edited by Mar 31, 2017, 11:47 PM

            @Jailer:

            Low TDP won't save on consumption, they are designed for thermally constrained installations and will throttle performance to stay within a certain temperature threshold. What you end up with is more CPU time spent on tasks than a standard part and the power consumption ends up being near the same. I can understand the noise factor though.

            You'll likely have to have some sort of active cooling for something powerful enough for Gbit WAN and VPN.

            I'd be OK with some active cooling, as long as it isn't super loud and doesn't generate a ton of heat. My office gets a bit warmer in the summer.

            • J
              Jailer
              last edited by Mar 31, 2017, 11:58 PM

              I find the factory Intel coolers to be near silent, but then again my hearing is very poor.

              • T
                teh g
                last edited by Apr 1, 2017, 12:09 AM

                @Jailer:

                I find the factory Intel coolers to be near silent, but then again my hearing is very poor.

                Any suggestions on number of cores or speed I should aim for?

                • P
                  pfBasic Banned
                  last edited by Apr 1, 2017, 12:34 AM

                  The larger your heatsink and fan the quieter it will be. That being said, you want a small case, so you'll have to compromise somewhere.

                  How much VPN throughput do you want to see? How often will you be using it? OpenVPN or something else?

                  Are you planning on running packages, if so which ones?

                  These are the details that are the most important for your build and the build will vary wildly by what you want.

                  Just NAT on gigabit with light occasional VPN usage you can do with a passively cooled celeron given the number of devices on your network.

                  If you are expecting to route all of your traffic through your VPN and achieve higher speeds then you will need a pretty beefy CPU, active cooling and you still won't get gigabit throughput.

                  My guess is that you are looking for something in between. The more details you can provide the better of a recommendation you will get!

                  • T
                    teh g
                    last edited by Apr 1, 2017, 12:59 AM

                    @pfBasic:

                    How much VPN throughput do you want to see? How often will you be using it? OpenVPN or something else?

                    If I am using the pfSense box as a VPN client, really the higher the better. I don't mind some throughput loss though. I'd probably use OpenVPN, unless there was a better solution.

                    As for when using it as a server, that will almost exclusively be when I am traveling, which is not too often. There is a decent chance I won't use it as a server anyway, since I don't have a dedicated IP. PrivateInternetAccess covers most of my needs there.

                    @pfBasic:

                    Are you planning on running packages, if so which ones?

                    I haven't looked at an exhaustive list, since I am still a bit of a noob :D. But some ones that looked interesting; Squid and SquidGuard (assuming this accomplishes something like Pi-Hole), Snort and DarkStat might be nice as well.

                    @pfBasic:

                    Just NAT on gigabit with light occasional VPN usage you can do with a passively cooled celeron given the number of devices on your network.

                    If you are expecting to route all of your traffic through your VPN and achieve higher speeds then you will need a pretty beefy CPU, active cooling and you still won't get gigabit throughput.

                    My guess is that you are looking for something in between. The more details you can provide the better of a recommendation you will get!

                    I've got a pretty large number of wireless devices, but I assume most of the legwork will be done by the wireless routers in bridge mode.

                    I think for the sake of cost, power, and noise, I can definitely deal with a lower throughput on the VPN side. Assuming maxing out the VPN won't break my home network. I'd hate to make the wife mad :D

                    • P
                      pfBasic Banned
                      last edited by Apr 1, 2017, 2:29 AM Apr 1, 2017, 1:54 AM

                      @teh:

                      as a VPN client, really the higher the better. I don't mind some throughput loss though… ...I think for the sake of cost, power, and noise, I can definitely deal with a lower throughput on the VPN side. Assuming maxing out the VPN won't break my home network.

                      There is a decent chance I won't use it as a server anyway, since I don't have a dedicated IP. PrivateInternetAccess covers most of my needs there.

                      Well the higher the better but I'm willing to sacrifice is a bit ambiguous haha. You won't crash your network, you'll just cap out at a certain speed. PIA and an OpenVPN server on pfSense provide two totally different services. PIA provides encryption and anonymity. An OpenVPN server provides encryption so that you can access your home network remotely (it can provide anonymity if you then route your server into a VPN client gateway, but by default it does not).

                      @teh:

                      Squid and SquidGuard, Snort and DarkStat might be nice as well.

                      I too thought squidguard would be great, but in practice it was a PITA with no noticeable improvements in my case (caching isn't very effective in a home use scenario), and you have to MiTM all of your devices to do much of anything on HTTPS. If you decide to go this route I believe the performance impact will be minimal but I don't really know.
                      Darkstat shouldn't have any noticeable impact.
                      Any IDS/IPS will have a significant impact. You'll need something pretty damn powerful if you want to do packet inspection at gigabit speeds. I would recommend going with suricata over snort as it supports multithreading. I don't know what to recommend you for gigabit packet inspection and it will depend on the rulesets you are using.

                      @teh:

                      I've got a pretty large number of wireless devices, but I assume most of the legwork will be done by the wireless routers in bridge mode.

                      The router as an AP will provide wireless access to your clients but that's it, it won't offload anything from your pfSense box performance wise. It really shouldn't matter that much unless you have a lot of users trying to use a lot of bandwidth at the same time.

                      Your desired use case is still pretty ambiguous, it sounds like you want to play around with the box and figure it out as you go.

                      I would recommend something along the lines of an i3-7100.
                      I don't know where it will cap out at but it won't do any serious IDS/IPS at gigabit speeds, it also won't give you gigabit VPN. It's dramatic overkill for NAT at gigabit.
                      But from what it sounds like you are looking to do I think it will be a good compromise between performance and cost.

                      EDIT: forgot to add, I would recommend a used i340-t4 for NICs, they are way more power efficient than the PRO/1000's and more affordable than the i350's.

                      • D
                        Dazdigo
                        last edited by Apr 1, 2017, 2:53 AM

                        If you are going with an i3, you might want to look if it supports ECC memory. Some of the i3 have support for it and if it does, use ECC memory. It is slightly more expensive but it would make the system more stable if you plan to leave it on forever.

                        • T
                          teh g
                          last edited by Apr 1, 2017, 3:20 AM

                          @pfBasic:

                          Well the higher the better but I'm willing to sacrifice is a bit ambiguous haha. You won't crash your network, you'll just cap out at a certain speed. PIA and an OpenVPN server on pfSense provide two totally different services. PIA provides encryption and anonymity. An OpenVPN server provides encryption so that you can access your home network remotely (it can provide anonymity if you then route your server into a VPN client gateway, but by default it does not).

                          I was mixing up OpenVPN as a client vs server. The main use will be as a client connecting to PIA. I'd like to have the VPN service as the limit. Let's assume I will stay around 250 mbps for the time being, and have that as the soft cap for PIA.

                          On the OpenVPN server side, I don't think I need a ton of speed. I have consumer internet, so my upload speeds are pretty limited. I doubt I will use that too much yet, but I'd like to "future proof" myself. Maybe 100 mbps as a limit for impact there?

                          @pfBasic:

                          I too thought squidguard would be great, but in practice it was a PITA with no noticeable improvements in my case (caching isn't very effective in a home use scenario), and you have to MiTM all of your devices to do much of anything on HTTPS. If you decide to go this route I believe the performance impact will be minimal but I don't really know.

                          I definitely do not want to mitm myself to snoop on HTTPS traffic. I hadn't thought about that (I've only done some cursory research into the packages).

                          @pfBasic:

                          Darkstat shouldn't have any noticeable impact.
                          Any IDS/IPS will have a significant impact. You'll need something pretty damn powerful if you want to do packet inspection at gigabit speeds. I would recommend going with suricata over snort as it supports multithreading. I don't know what to recommend you for gigabit packet inspection and it will depend on the rulesets you are using.

                          I suppose from a pure user standpoint, I don't have a pressing need for packet inspection anyway. I think I can get away with a fairly basic firewall.

                          @pfBasic:

                          The router as an AP will provide wireless access to your clients but that's it, it won't offload anything from your pfSense box performance wise. It really shouldn't matter that much unless you have a lot of users trying to use a lot of bandwidth at the same time.

                          Your desired use case is still pretty ambiguous, it sounds like you want to play around with the box and figure it out as you go.

                          I would recommend something along the lines of an i3-7100.
                          I don't know where it will cap out at but it won't do any serious IDS/IPS at gigabit speeds, it also won't give you gigabit VPN. It's dramatic overkill for NAT at gigabit.
                          But from what it sounds like you are looking to do I think it will be a good compromise between performance and cost.

                          Sorry, I don't even know what I want. This is a whole new world for me. It all started with setting up Pi-Hole on my network…

                          I updated the requirements to be slightly less vague.

                          • 250/25 internet speeds now

                          • Going to have gigabit internet Soon™

                          • Will use PIA on the pfSense box, aiming for ~250mbps

                          • Low chance for OpenVPN server on the box, only need ~100mbps throughput

                          • Some basic firewalling on the pfSense

                          • I'd like the box to be fairly small, I was thinking mini-ITX and a passively cooled system

                          • Currently only three devices plugged directly into my router (two PCs and my Pi-Hole)

                          • Will leverage my current wireless router in bridge mode to give WiFi to my house

                          • If this box can take over my Pi-Hole function, all the better

                          • Packages I will install: Darkstat, probably others I will find that are cool…

                          Here are some must haves, and why I am annoyed with my current router. This might help get to clearer requirements…

                          • Assign static IPs to devices via the router. I really like knowing what is doing what on my network, and having the same IP makes it WAY easier

                          • View traffic data since I love graphs

                          • Block ads and malicious domains (currently done on Pi-Hole device)

                          Thanks for all the help so far everyone. This has been wicked helpful.

                          • P
                            pfBasic Banned
                            last edited by Apr 1, 2017, 3:42 AM

                            @Dazdigo:

                            If you are going with an i3, you might want to look if it supports ECC memory. Some of the i3 have support for it and if it does, use ECC memory. It is slightly more expensive but it would make the system more stable if you plan to leave it on forever.

                            No, don't waste money on ECC RAM for a firewall/router that's for home use. That's just silly. If you have it lying around and the system you buy happens to support it then by all means. But in no way is ECC RAM a meaningful purchase for a home firewall/router.

                            • P
                              pfBasic Banned
                              last edited by Apr 1, 2017, 3:56 AM

                              @teh:

                              Here are some must haves, and why I am annoyed with my current router. This might help get to clearer requirements…

                              • Assign static IPs to devices via the router. I really like knowing what is doing what on my network, and having the same IP makes it WAY easier

                              • View traffic data since I love graphs

                              • Block ads and malicious domains (currently done on Pi-Hole device)

                              Well feature wise you will be very happy with pfSense.
                              I've never used pi-hole but it looks like it's a hardware ad-blocker. If I understand that correctly you won't need it anymore with pfSense, pfBlockerNG & DNSBL is an excellent package that will block ads and more.

                              250Mbps OpenVPN by itself can be done by the i3 I posted for sure. Where it gets difficult is passively cooled in a small case @ 250Mbps VPN and Gigabit NAT. Even a C2758 caps out at ~218Mbps UDP AES-128 https://store.pfsense.org/C2758/. That performance surprised me, I thought a C2758 would do a lot better @ 2.4GHz & AES-NI, but it is older.

                              You could get a pretty cheap CPU that could do 250Mbps OpenVPN or Gigabit NAT, but not both at the same time. Or you could pay a lot and get everything you want.

                              • T
                                teh g
                                last edited by Apr 1, 2017, 4:22 AM

                                @pfBasic:

                                Well feature wise you will be very happy with pfSense.
                                I've never used pi-hole but it looks like it's a hardware ad-blocker. If I understand that correctly you won't need it anymore with pfSense, pfBlockerNG & DNSBL is an excellent package that will block ads and more.

                                250Mbps OpenVPN by itself can be done by the i3 I posted for sure. Where it gets difficult is passively cooled in a small case @ 250Mbps VPN and Gigabit NAT. Even a C2758 caps out at ~218Mbps UDP AES-128 https://store.pfsense.org/C2758/. That performance surprised me, I thought a C2758 would do a lot better @ 2.4GHz & AES-NI, but it is older.

                                You could get a pretty cheap CPU that could do 250Mbps OpenVPN or Gigabit NAT, but not both at the same time. Or you could pay a lot and get everything you want.

                                Yup, Pi-Hole is a DNS level ad-blocker.

                                For OpenDNS Server, I'd settle for 50-100 Mbps for outside clients connecting in, as I will rarely use it. For using OpenDNS as a client to connect to PIA, I'd love to max out my current line (250 Mbps) since I can with the PIA client on my PC. Basically aiming for feature parity there.

                                Future proofing myself for Gigabit NAT is probably the most important bit. Will having a solid NIC (one of the Intel ones you've recommended in the past) help out there? What CPU would hit the Gigabit NAT and what would you (roughly) expect for OpenVPN speeds? What CPU would powerhouse through all of it? I might be able to convince my wife to let me spend more and get something insane :D

                                • P
                                  pfBasic Banned
                                  last edited by Apr 1, 2017, 7:03 AM Apr 1, 2017, 6:50 AM

                                  You don't need to use OpenDNS on pfSense either. You could use it as a substitute for pfBlockerNG on a lower powered system but in general it's best to use Unbound as a DNS resolver and use pfBlockerNG & DNSBL to do all of your DNS filtering.

                                  Gigabit NAT by itself is easy. I often recommend the J3355B and J3455-ITX for the majority of home use cases. They are very cheap passively cooled modern SoC's.
                                  J3355 is better for VPN because it has two cores clocked higher.
                                  J3455 is more powerful overall with four cores but they are clocked lower. You also have to either physically modify your NIC or motherboard or buy the micro-ATX board to make it work.
                                  Either one of these will do gigabit NAT alone.

                                  I own a J3355B for an HTPC and have tested it on pfSense, it maxed my 150Mbps line on OpenVPN AES-128-CBC @ ~33% total CPU usage on a single OpenVPN instance (only using one CPU core for VPN). It costs $55 for SoC. It will do Gigabit NAT, and it will do 250Mbps OpenVPN AES-128. It will not do them at the same time, and it will not handle heavy packages well. Check out my thread on it for more details, https://forum.pfsense.org/index.php?topic=127793.0.

                                  The Goldmont chips (includes Apollo Lake J3355 & 3455) got an upgrade to their AES-NI (it's still slower than full blown desktop AES-NI) but apparently it was a pretty good one for low end chips. I expected the C2758 to meet all of your needs, but as I posted it gets <250Mbps max on AES-128 and it has a base freq of 2.4GHz while the J3355 is only 2.0 bursting to 2.5.

                                  Really CPU wise what you are asking is very reasonable, I think a G4620 could do everything you want no problem.

                                  The problem is getting all of that performance into a passively cooled package in a small case. There are some xeons that are sold passively cooled but I don't think they are really intended to be used that way, they would also be way overkill for what you need and cost a lot of money.

                                  The options as I see it are:

                                  • Settle for lower performance hardware if you are more interested in saving money and/or you are willing to give up gigabit WAN

                                  • Actively cool a CPU, if noise and case size are non-negotiable then check out watercoolers with large radiators. (water cooled firewall is just silly, but again, if size, noise and performance are non-negotiable….)

                                  • Use a larger case that can fit a large passive heatsink < This would be my recommendation

                                  • Spend a whole lot of money and get everything you want

                                  • T
                                    teh g
                                    last edited by Apr 1, 2017, 8:09 AM

                                    @pfBasic:

                                    You don't need to use OpenDNS on pfSense either. You could use it as a substitute for pfBlockerNG on a lower powered system but in general it's best to use Unbound as a DNS resolver and use pfBlockerNG & DNSBL to do all of your DNS filtering.

                                    I shouldn't drink and ask technical questions. When I mentioned OpenDNS earlier, I meant OpenVPN. I'd plan on using public DNS, Unbound, pfBlockerNG, and DNSBL as you suggested.

                                    @pfBasic:

                                    Gigabit NAT by itself is easy. I often recommend the J3355B and J3455-ITX for the majority of home use cases. They are very cheap passively cooled modern SoC's.
                                    J3355 is better for VPN because it has two cores clocked higher.
                                    J3455 is more powerful overall with four cores but they are clocked lower. You also have to either physically modify your NIC or motherboard or buy the micro-ATX board to make it work.
                                    Either one of these will do gigabit NAT alone.

                                    I own a J3355B for an HTPC and have tested it on pfSense, it maxed my 150Mbps line on OpenVPN AES-128-CBC @ ~33% total CPU usage on a single OpenVPN instance (only using one CPU core for VPN). It costs $55 for SoC. It will do Gigabit NAT, and it will do 250Mbps OpenVPN AES-128. It will not do them at the same time, and it will not handle heavy packages well. Check out my thread on it for more details, https://forum.pfsense.org/index.php?topic=127793.0.

                                    The Goldmont chips (includes Apollo Lake J3355 & 3455) got an upgrade to their AES-NI (it's still slower than full blown desktop AES-NI) but apparently it was a pretty good one for low end chips. I expected the C2758 to meet all of your needs, but as I posted it gets <250Mbps max on AES-128 and it has a base freq of 2.4GHz while the J3355 is only 2.0 bursting to 2.5.

                                    Really CPU wise what you are asking is very reasonable, I think a G4620 could do everything you want no problem.

                                    The problem is getting all of that performance into a passively cooled package in a small case. There are some xeons that are sold passively cooled but I don't think they are really intended to be used that way, they would also be way overkill for what you need and cost a lot of money.

                                    This is all amazing information. Thank you. Either the C2758 or the G4620 sound like decent bang for my buck. I'd like to have something built that will be fairly future proof, so spending a bit more now to get something beefier will be pretty worth while. The C2758 is somewhat attractive due to the lower power usage. I'd have to poke around at some benchmarks to see what the overall difference will be with the two. Is there a summarized thread where people have posted their throughput with OpenVPN, NAT, etc with different hardware?

                                    @pfBasic:

                                    The options as I see it are:

                                    • Settle for lower performance hardware if you are more interested in saving money and/or you are willing to give up gigabit WAN

                                    • Actively cool a CPU, if noise and case size are non-negotiable then check out watercoolers with large radiators. (water cooled firewall is just silly, but again, if size, noise and performance are non-negotiable….)

                                    • Use a larger case that can fit a large passive heatsink < This would be my recommendation

                                    • Spend a whole lot of money and get everything you want

                                    I'd be OK with a slightly larger case or actively cooling the CPU. I'd probably lean more towards slightly larger case just to avoid extra noise in my office.

                                    Once I do finish asking you all these questions, and getting amazingly detailed answers, I will make sure to do a summary and put it in the OP so hopefully others can glean some info.

                                    • P
                                      pfBasic Banned
                                      last edited by Apr 1, 2017, 9:13 AM

                                      @teh:

                                      I shouldn't drink and ask technical questions.

                                      ;D

                                      @teh:

                                      Either the C2758 or the G4620 sound like decent bang for my buck. I'd like to have something built that will be fairly future proof… …The C2758 is somewhat attractive due to the lower power usage… …Is there a summarized thread where people have posted their throughput with OpenVPN, NAT, etc with different hardware?

                                      I’d go with the G4620. The C2758 really isn’t suited for your needs. You don’t need 8 cores and it won’t help you for VPN. I mentioned it because I thought it would do the trick for your VPN needs but apparently it isn’t very impressive for VPN. It’s also pretty expensive, so it would be a long time until you got your money back in electricity savings. Additionally, it has had some issues, so if you do go that route, purchase carefully: https://forum.pfsense.org/index.php?topic=125105.0.

                                      Unfortunately, no there isn’t a thread like that, at least not an up to date one.

                                      @teh:

                                      I'd be OK with a slightly larger case or actively cooling the CPU. I'd probably lean more towards slightly larger case just to avoid extra noise in my office.

                                      To get the Pentium working for you at very low to inaudible sound levels, you’ll need to get a larger case than you had originally desired with good ventilation, fit the biggest heatsink you can in there, and use the biggest case fan you can. The larger the heatsink and the larger the fan, the lower the fan RPM = the lower the noise level. The compromise you want to make between case size and noise is up to you.
                                      Your system will be idling when not under heavy load, and during those time periods your fan will be either off or at very low RPM depending on the size of the heatsink (even if it’s a smaller heatsink it won’t be screaming at idle). Also, your PSU is going to have a smaller, higher RPM fan in it unless you invest in a fanless unit, so you only need to be quieter than that fan. Just some things to keep in mind when making your decision.

                                      @teh:

                                      I will make sure to do a summary and put it in the OP so hopefully others can glean some info.

                                      Thank you, that would be very helpful! It would be great to see real world CPU utilization with different packages and VPN throughputs, especially at gigabit WAN speeds! It would really be very helpful to make more educated recommendations in the future!

                                      • T
                                        teh g
                                        last edited by Apr 1, 2017, 4:44 PM

                                        @pfBasic:

                                        To get the Pentium working for you at very low to inaudible sound levels, you’ll need to get a larger case than you had originally desired with good ventilation, fit the biggest heatsink you can in there, and use the biggest case fan you can. The larger the heatsink and the larger the fan, the lower the fan RPM = the lower the noise level. The compromise you want to make between case size and noise is up to you.
                                        Your system will be idling when not under heavy load, and during those time periods your fan will be either off or at very low RPM depending on the size of the heatsink (even if it’s a smaller heatsink it won’t be screaming at idle). Also, your PSU is going to have a smaller, higher RPM fan in it unless you invest in a fanless unit, so you only need to be quieter than that fan. Just some things to keep in mind when making your decision.

                                        Any thoughts on a decently small (but still larger) case, heatsink and fan? I've had good luck with Noctua fans, and they can be fairly quiet.

                                        What's the OpenVPN performance I can expect if I go the passive cooling, small case route? Would I still be able to run all the other packages and hit gigabit NAT?

                                        • P
                                          pfBasic Banned
                                          last edited by Apr 1, 2017, 5:27 PM

                                          I don't know much of anything about cooling hardware. Noctua is from what I know a great brand, but they can be expensive. All I can say is that in any application if you need X amount of airflow you can spin something big slower or you can spin something small faster to achieve X airflow, the big thing spinning slowly will always be substantially quieter.
                                          So putting a little fan directly on your cpu cooler will result in higher dB than putting a huge case fan in the side of your box blowing over the whole CPU.

                                          If you get a case that has one whole side of it vented, then get a really big ass fan that covers as much of that vented surface area as possible and plug the fan into the CPU fan controller, it will probably work very well for you while being inaudible more than a few feet away.
                                          For example, I use a 230mm fan in the side of my desktop, and can barely hear it when the case is open and I'm looking at it inches from my face because it operates at very low RPM.
                                          https://smile.amazon.com/gp/product/B008UYZ102/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

                                          Something like this will get you great cooling as it can fit a 200mm fan and a 140mm cooler, but it's not small.
                                          https://www.hardocp.com/article/2014/08/15/thermaltake_core_v1_miniitx_case_review/7
                                          https://www.amazon.com/Thermaltake-Core-Gaming-Computer-CA-1B8-00S1WN-00/dp/B00M2UKGSM?psc=1&SubscriptionId=AKIAIS7SSXKLFPKG5TPA&tag=11018812-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B00M2UKGSM
                                          I wouldn't expect your CPU to thermally throttle using something like this, but this is where you have to decide what kind of compromises you want to make.
                                          Again, you could get a really small case that fits a water cooler, but that just seems wrong for a firewall.

                                          Gigabit NAT can be done by an old low-end Celeron, so don't worry about that with a full-blown desktop CPU. Even running VPN maxed out, VPN is single-threaded so it will only max one core unless you use gateway groups.

                                          IDK what that Pentium will max out on VPN, as a total guess I would think 4-500Mbps @ AES-128-CBC?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.