Another hardware question - please advise


  • Banned

    1.8 GHz is pretty slow for VPN.

    When you are comparing Xeons for this build, the most important factors are price and architecture. You don't need any more cores than the standard 4, but lower clock speeds will hurt your per-instance VPN throughput.

    Especially on old hardware like that, 1.8GHz from 2012 will be an OpenVPN dog compared to even a cheap modern Celeron.



  • @pfBasic:

    Especially on old hardware like that, 1.8GHz from 2012 will be an OpenVPN dog compared to even a cheap modern Celeron.

    Thank you. This is very helpful.

    Please forgive me for asking. From an architecture perspective, how would the E3-1240 v2 (3.4GHz, 8MB cache), still an EoL part in a Dell R210 II, stack up against the D-1518 (2.2 GHz, 6MB cache), please? I know the latter is still a modern architecture. I do not want to sound rude for comparing two different architectures, especially a popular Xeon D family. I am just trying to understand.

    This is important for me to understand as I want to decide (i) buy the EoL Xeon as the old R210 II would still cost me closer to £500 after adding an SSD, GB quad NIC, etc or (ii) pay more and get/build a xeon E3-1200 v5 or get the Sys-300-D8.

    I am sorry, I keep asking rather than deciding! :)


  • Banned

    E3-1240 v2 is Ivy Bridge ~2012 https://ark.intel.com/products/65730/Intel-Xeon-Processor-E3-1240-v2-8M-Cache-3_40-GHz

    D-1518 is Broadwell ~2014 https://ark.intel.com/products/91201/Intel-Xeon-Processor-D-1518-6M-Cache-2_20-GHz

    You can find a CPU's architecture in the Intel ARK database, and here's a link to the hierarchy:
    https://en.wikipedia.org/wiki/List_of_Intel_CPU_microarchitectures

    All of those 4 core models will serve you well.

    Newer architectures are generally just better. You can't compare across architectures.

    2.0GHz Ivy Bridge is not the same as 2.0GHz Kaby Lake.
    Similarly AES-NI instructions get improved over time, etc.

    So if price is similar, go with what's newer. If the new stuff is a whole lot more expensive, then it probably isn't worth it for your situation.

    It's easy to google around and find an old CPU that appears to be a monster (8 core/16 thread xeon) for a price that seems too good to be true. It's because the technology is outdated. Not saying those products are now totally invalid, but you can probably find something newer that looks not nearly as nice on paper that will get similar performance and use less power while doing so.



  • Thank you. Really appreciate your help. I agree and am aware we can't compare across. I don't think Xeon Kaby Lake has hit the retail market. At least, I can't see anything in the UK yet.

    I was kind of playing around with E3 v5 config. Depending on the CPU and graphics, it is about £900 inc VAT, without a QP intel NIC, which would add another £50-£5. The overall difference in the newer xeon build is give or take 50, depending on the choice of E3 V5 CPU and video card.

    I will share the spec anyway, in case someone is interested.

    Xeon E3-v5

    PCPartPicker part list / Price breakdown by merchant

    CPU: Intel Xeon E3-1275 V5 3.6GHz Quad-Core Processor  (£331.90 @ Alza)
    CPU Cooler: Noctua NH-D15 82.5 CFM CPU Cooler  (£75.95 @ CCL Computers)
    Motherboard: ASRock E3C236D2I Mini ITX LGA1151 Motherboard  (£204.92 @ More Computers)
    Memory: Kingston ValueRAM 4GB (1 x 4GB) DDR4-2133 Memory  (£36.81 @ BT Shop)
    Memory: Kingston ValueRAM 4GB (1 x 4GB) DDR4-2133 Memory  (£36.81 @ BT Shop)
    Storage: ADATA Premier SP550 120GB 2.5" Solid State Drive  (£49.37 @ Amazon UK)
    Case: Fractal Design Node 304 Mini ITX Tower Case  (£64.48 @ Ebuyer)
    Power Supply: Silverstone Strider Platinum 550W 80+ Platinum Certified Fully-Modular ATX Power Supply  (£99.95 @ Amazon UK)
    Total: £900.19
    Prices include shipping, taxes, and discounts when available
    Generated by PCPartPicker 2017-04-21 23:02 BST+0100

    I could not find a paired 2 x 4 GB ECC RAM kit on PCPartPicker UK.

    IBM Intel I340-T4

    http://www.ebay.co.uk/sch/i.html?_from=R40&_sacat=0&_nkw=IBM INTEL QUAD PORT GIGABIT PCI-E SERVER NETWORK ADAPTER CARD 49Y4242 I340-T4 |&rt=nc&LH_PrefLoc=1&_trksid=p2045573.m1684

    The Xeon E3-1240 v2 R210 II looks very attractive indeed, as a new build does not seem worth it for the purpose, unless I leverage it to run multiple services: (i) pfSense FW/router, (ii) VPN, (iii) Suricata, (iv) media server and (v) NAS. My initial thought was to run (i) to (iii) on one platform and (iv) and (v) on the other.

    I am going to think a little, decide and come back.



  • Although running all the above five on a single platform looks attractive, personally, I think it poses a security risk. It also defeats the purpose of running the FW router as a standalone service.



  • This is important for me to understand as I want to decide (i) buy the EoL Xeon as the old R210 II would still cost me closer to £500 after adding an SSD, GB quad NIC, etc or (ii) pay more and get/build a xeon E3-1200 v5 or get the Sys-300-D8.

    The question is how much more you have to pay!!! The Xeon D-15x8 platform is able to route 1 GBit/s at the WAN with ease,
    and due to its AES-NI capability it might speed up IPsec VPN and OpenVPN since version 2.4, based on pfSense version
    2.4; ok, it's in beta status, but together with the Xeon D-15x8 platform it plays more nicely than pfSense version 2.3.3-px.

    Xeon E7 = big
    Xeon E5 = mid size
    Xeon E3 = small
    Xeon D-15x8 = Xeon light

    One CPU core is not the same as another CPU core; the Xeon D-15x8 platform is a Xeon core light and its benefits
    will match a firewall really nicely, but for raw and strong power machines the Xeon E3/E5 will be perfect
    and not to be beaten, in my eyes. It's made for 24/7, and supporting ECC RAM, USB3 and 1/10GbE rounds off those points.

    Often people are only looking at some things that could be in their game plan, but it is more a detailed thing to know what
    exactly you will reach or must solve, or in some special cases it might make more sense to then take a really
    strong and powerful platform that is really able to fit all your needs.

    Although running all the above five on a single platform looks attractive, personally, I think it poses a security risk. It also defeats the purpose of running the FW router as a standalone service.

    Only in some rare situations might it be good to set up a firewall or a router inside of a VM, and then also only on dedicated machines
    with no other VMs, related to the safety needs.



  • @BlueKobold:

    due to its AES-NI capability it might speed up IPsec VPN and OpenVPN since version 2.4, based on pfSense version
    2.4

    Please stop with this nonsense about AES-NI not working with OpenVPN 2.3.


  • Banned

    Yeah, you've got a bunch of weird ideas bro.

    • AES-NI doesn't work well on pfSense prior to 2.4

    • OpenVPN 2.4 is multithreaded

    • Only virtualize pfSense on a dedicated machine :o What then would be the point of virtualizing?

    • J1900 can do gigabit+ IDS/IPS….

    Wrong on all accounts.

    Being wrong is one thing, but you are wrong way more than you are right and you keep spreading the same misinformation over, and over, and over again.
    What's worse is your profile makes you look like you know what you're talking about, sort of….

    Please stop or go away.



  • @pfBasic:

    yeah you'll want a xeon if you want to eventually inspect a total of 5 gigabits of traffic.

    Let's take a step back for a moment.  pfSense is not the right choice for routing 4 or 5Gbps of traffic, packet inspection needs aside.  OP, what Cisco switch do you have?  For that kind of traffic, assuming you really have that need, a L3 switch is a much better choice than using pfSense to route between internal network segments.

    And for packet inspection, with the right switch (which is pretty much any managed switch, L3 or no), you're able to set up a dedicated box for that, one that you don't have to route traffic through.  You can use port mirroring on your switch to send any traffic you like to a dedicated inspection box without imposing slowdowns on the actual routing.

    If those are really your requirements, I'd go one of two ways:

    1. Buy a dedicated small Kaby Lake (not Xeon) system with the fastest CPU clock speed you can muster for pfSense.  The fast clock speed is your friend with OpenVPN.  Buy another machine to handle packet inspection and use port mirroring on your switch to send whatever traffic you like to it.

    2.  Buy a beefy 1U server and use it as a hypervisor.  Plan to dedicate at least 2 cores to pfSense and about 1GB of RAM, and if you wish, you can dedicate NICs as well.  That pfSense instance should handle only LAN(s) to WAN routing and VPN, presuming you have a L3 switch.  The rest of the resources on the hypervisor can host another VM (pfSense or otherwise) to handle any packet inspection needs.

    I have my doubts as to whether you really have a requirement for 4Gbps routing, but, again, if you do, pfSense is probably not the best tool for the job.



  • Thanks all for helping me.

    @BlueKobold:

    how much you have to pay more!!! The Xeon D-15x8 platform is able to route 1 GBit/s at the WAN with ease

    The difference between an E3-v2 and D15xx/E3-v5 is double the price. But, thanks for the heads up on the D series. I would be keen to see its VPN THROUGHPUT.

    @whosmatt:

    what Cisco switch do you have?  For that kind of traffic, assuming you really have that need, a L3 switch is a much better choice than using pfSense to route between internal network segments

    1. my requirements, which are given above are: a FW Router - PfSense, VPN for internet facing devices and suricata.

    2. Cisco SG300 managing multiple Vlans and route internal traffic. I want to leverage this switch's features as much as possible without having to knock the front door. I do want to use its L3.

    3. set up a separate server, after the above is complete,  for media, NAS. Etc.  I want to  maximise the speed as much as possible, > 1gb, 4-10 Gb for internal server access and expose it on a few devices that require access to this server. To achieve this, either I need to link aggregate the GB Ports or get a couple of 10 Gb Sfp FC cards, connect the server through this and enable access to devices via a 10 Gb switch or any alternative. I therefore want to future proof the FW Router box  to achieve this speed.

    Isn't packet inspection done at the firewall please? If we run it separately, do I need to maintain the routing table here as well? How to filter to ensure anything that comes on this does not bypass the FW and VLAN rules? I'm sorry it may be a naive question.

    I like both the approaches 2 boxes vs 1 server.  Do I need a licence to run a hypervisor please? If I buy a 1u server, I could then run all my requirements (1 and 3)  plus DPI as VMs. One concern is: isn't a good practice to run the FW separately? I guess VM achieves it.

    Thanks again.



  • @VAMike:

    @BlueKobold:

    due to its AES-NI capability it might speed up IPsec VPN and OpenVPN since version 2.4, based on pfSense version
    2.4

    Please stop with this nonsense about AES-NI not working with OpenVPN 2.3.

    AES-NI speeds up an IPsec tunnel to +/- 400 MBit/s throughput with an SG-4860 unit from the pfSense store, but
    not the OpenVPN tunnel, due to its TUN/TAP architecture (based on the information from @gonzopancho), which was also
    there in version 2.3! But since OpenVPN 2.4, at first we get multicore CPU usage and on top of that AES-NI is able
    to speed things up once AES-GCM mode is available to choose and use. Link

    OpenVPN has problems that will not be solved by faster crypto. The tun/tap interface is the bottleneck.
    Link, ok, 11 months old and not really
    current since OpenVPN 2.4 with AES-GCM mode.

    So what was now wrong here!?

    Yeah, you've got a bunch of weird ideas bro.

    Because you said?

    •AES-NI doesn't work well on pfSense prior to 2.4

    OpenVPN is now available on pfSense

    •OpenVPN 2.4 is multithreaded

    Currently, OpenVPN is scaled on SMP machines by adding processes rather than threads.
    OpenVPN Roadmap

    And on pfSense, OpenVPN will be able to get another CPU core in use for each tunnel.
    For sure not real SMP usage, but together with the multicore usage of pf (pf4) since
    pfSense version 2.2, more than enough compared to before with only one "real single CPU core threaded".

    •J1900 can do gigabit+ IDS/IPS….

    I never said or wrote this!

    Wrong on all accounts.

    If you mean!

    Being wrong is one thing, but you are wrong way more than you are right and you keep spreading the same misinformation over, and over, and over again.

    What's worse is your profile makes you look like you know what you're talking about, sort of….

    Please stop or go away.

    So I have to leave that forum now?


  • Banned

    What's wrong is your information.

    There is no multicore support in OpenVPN 2.4

    There is already AES-NI support.


  • Galactic Empire

    @whosmatt:

    Let's take a step back for a moment.  pfSense is not the right choice for routing 4 or 5Gbps of traffic, packet inspection needs aside.

    Huh? What makes you say that? Perhaps I am misunderstanding you so please clarify. Are you saying pfSense can't do more than 4 or 5Gbps? If so, you are very wrong. Only limitation is hardware. Our 8 core Atom based hardware can do that without issues.


  • Galactic Empire

    @pfBasic:

    Please stop or go away.

    That's not nice. Please don't treat others like that.


  • Banned

    •AES-NI doesn't work well on pfSense prior to 2.4

    @BlueKobold:

    OpenVPN is now available on pfSense

    Just so I'm following, your reference that pfSense didn't support AES-NI prior to 2.4 is some reddit conversation? :o

    Here's the convo:
    @https://www.reddit.com/r/PFSENSE/comments/5l45jk/openvpn_240_is_now_available_on_pfsense_24/:

    @Strider3000:

    Whoah… we could finally get AES-NI hardware crypto acceleration for OpenVPN! Hurray for AES-GCM!

    @JigglyWiggly:

    Doesn't AES-NI already work?

    @Strider3000:

    AES-NI accelerates certain AEAD ciphers (AES-GCM). AES-GCM is finally supported in OpenVPN 2.4, not in previous versions. So yes AES-NI is capable of accelerating IPsec in pfSense, but not OpenVPN

    Authenticated Encryption with Associated Data ciphers: in short are ciphers that do their own authentication in house, they don't use a separately configured SHA algorithm. It's all done within the cipher. Popular AEAD ciphers include ChaCha, GCM, probably others.

    I don't know who told that guy that AES-NI only works on AEAD ciphers, but he is wrong. Here is a link to an actual reference, Intel's White Paper on AES-NI where they use it to accelerate CBC (CBC is not an AEAD cipher). CBC is the go-to encryption method for OpenVPN prior to 2.4 AND post 2.4 for a VPN client since almost no VPN providers support GCM.
    https://software.intel.com/sites/default/files/m/d/4/1/d/8/10TB24_Breakthrough_AES_Performance_with_Intel_AES_New_Instructions.final.secure.pdf

    This is what I mean. Some dude on reddit says that pfSense didn't support AES-NI prior to 2.4. You, for some reason just took that silly little piece of trolling as gospel and started repeating it on this forum. Some one will probably believe you if you keep it up….

    --------------------------------------------------------


    •OpenVPN 2.4 is multithreaded

    @BlueKobold:

    Currently, OpenVPN is scaled on SMP machines by adding processes rather than threads.
    OpenVPN Roadmap

    OpenVPN 2.4 is "multi-threaded" in the way you are referring to in the same way as in previous versions: you make multiple clients and add them to a gateway group. This is not multithreading and has its own set of limitations. You could also do this in pfSense 2.3. If you would have read to the end of the very short paragraph you quoted you would have seen that OpenVPN is not multithreaded. ;)

    Lack of multithreading is closely tied to the current event system implementation.

    I made the important parts easy to read since you obviously missed it. Also, here's a link to the four line paragraph you quoted: https://community.openvpn.net/openvpn/wiki/RoadMap#Threading

    --------------------------------------------------------


    •J1900 can do gigabit+ IDS/IPS….

    I never said or wrote this!

    Yes, you did. I guess you aren't paying attention when you make hardware recommendations? You said that if OpenVPN wasn't the main concern then a J1900 could do the job. The OP had already stated they wanted to inspect 1Gb+ of traffic.

    @SSri:

    @pfBasic:

    Do you want to inspect your 4 gigabit LAN traffic or just the WAN?

    A gig to start with. But, would like to keep that possibility down the line. I know, I won't replace this for a few more years unless this fails.

    The IDS/IPS is one of the reasons for going down the Xeon route.

    @BlueKobold:

    If here the main part is not really pointed to the maximum OpenVPN throughput, it could really be that the Qotom J1900
    4-core - 4 x Intel LAN build - 8GB RAM, 120GB mSATA- 10 watts - $260 will do the job also.

    --------------------------------------------------------


    Being wrong is one thing, but you are wrong way more than you are right and you keep spreading the same misinformation over, and over, and over again.

    What's worse is your profile makes you look like you know what you're talking about, sort of….

    Please stop or go away.

    @BlueKobold:

    So I have to leave that forum now?

    ::), obviously not, but maybe don't make recommendation on what others should spend their money on if you aren't paying attention to what they need vs what you are recommending. It would be nice if you would stop repeatedly posting incorrect information on the forums about how pfSense can't handle AES-NI prior to 2.4, or OpenVPN supports multithreading in 2.4, etc.

    What I meant by that was it's fine to be wrong, we all are, myself more than most for sure. But I know people have corrected you multiple times in multiple threads but you just ignore it and keep running around spouting off the same misinformation.
    So yes, please stop.
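A quick way to settle the CBC question on one's own box, as an added example (not from the post above, nor from pfSense or OpenVPN): it checks the CPU flag and then benchmarks OpenSSL's AES-256-CBC through the same EVP interface OpenVPN calls, once normally and once with AES-NI masked out via the OPENSSL_ia32cap environment variable. It assumes Linux (/proc/cpuinfo) and OpenSSL 1.1 or newer for the -seconds and -bytes options.

```shell
#!/bin/sh
# Added example: does this host expose AES-NI, and does OpenSSL actually use it
# for a non-AEAD cipher (AES-256-CBC)? Assumes Linux and OpenSSL >= 1.1.
set -e

# Mask that clears bit 57 (the AES-NI capability bit) in OpenSSL's ia32 cap vector,
# so the same binary falls back to its software AES implementation.
AESNI_OFF='~0x200000000000000'

# Return 0 if a /proc/cpuinfo "flags" line lists the aes flag as a whole word
# (so that "vaes" or "sha_ni" are not mistaken for it).
has_aesni_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'aes'
}

# Pull the throughput figure out of a single-size "openssl speed" result line,
# e.g. "aes-256-cbc     3104523.26k" -> "3104523.26" (thousands of bytes/s).
parse_kbytes_per_sec() {
    printf '%s\n' "$1" | awk '{ sub(/k$/, "", $NF); print $NF }'
}

# Ratio of two throughput figures to one decimal place ("n/a" if the divisor is 0).
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b > 0) printf "%.1f\n", a / b; else print "n/a" }'
}

# Run a one-second, single-block-size benchmark of AES-256-CBC through the EVP
# interface. Any VAR=value arguments are passed into openssl's environment.
cbc_kbytes_per_sec() {
    line=$(env "$@" openssl speed -seconds 1 -bytes 16384 -evp aes-256-cbc 2>/dev/null \
           | grep '^aes-256-cbc' || true)
    parse_kbytes_per_sec "$line"
}

main() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
    if has_aesni_flag "$flags"; then
        echo "CPU advertises AES-NI (aes flag present)"
    else
        echo "No aes flag in /proc/cpuinfo (or not Linux); AES will run in software"
    fi

    if command -v openssl >/dev/null 2>&1; then
        with=$(cbc_kbytes_per_sec)
        without=$(cbc_kbytes_per_sec OPENSSL_ia32cap="$AESNI_OFF")
        if [ -n "$with" ] && [ -n "$without" ]; then
            echo "AES-256-CBC, AES-NI on:     ${with}k bytes/s"
            echo "AES-256-CBC, AES-NI masked: ${without}k bytes/s"
            echo "speed-up from AES-NI on CBC: $(speedup "$with" "$without")x"
        else
            echo "openssl speed did not produce a result (older OpenSSL?)"
        fi
    fi
}

main
```

A speed-up well above 1x on the CBC line is the whole point: the instructions accelerate the block cipher itself, whatever mode wraps it.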



  • Thanks every one.

    @SSri:

    @whosmatt:

    what Cisco switch do you have?  For that kind of traffic, assuming you really have that need, a L3 switch is a much better choice than using pfSense to route between internal network segments

    1. my requirements, which are given above are: a FW Router - PfSense, VPN for internet facing devices and suricata.

    2. Cisco SG300 managing multiple Vlans and route internal traffic. I want to leverage this switch's features as much as possible without having to knock the front door. I do want to use its L3.

    3. set up a separate server, after the above is complete,  for media, NAS. Etc.  I want to  maximise the speed as much as possible, > 1gb, 4-10 Gb for internal server access and expose it on a few devices that require access to this server. To achieve this, either I need to link aggregate the GB Ports or get a couple of 10 Gb Sfp FC cards, connect the server through this and enable access to devices via a 10 Gb switch or any alternative. I therefore want to future proof the FW Router box  to achieve this speed.

    Isn't packet inspection done at the firewall please? If we run it separately, do I need to maintain the routing table here as well? How to filter to ensure anything that comes on this does not bypass the FW and VLAN rules? I'm sorry it may be a naive question.

    I like both the approaches 2 boxes vs 1 server.  Do I need a licence to run a hypervisor please? If I buy a 1u server, I could then run all my requirements (1 and 3)  plus DPI as VMs. One concern is: isn't a good practice to run the FW separately? I guess VM achieves it.

    Thanks again.

    Thought a little about it, and weighed the 5 year old EoL E3-1240v2 against the modern architecture, considering the kind of VPN throughput and IDS/IPS I want. I believe a new CPU (not an EOL one), higher clock frequency, etc. would help push a lot more VPN bandwidth than an old machine. Adding IDS/IPS means I need more cores/threads.

    I will look out for a new CPU and not E3 1240 V2.

    I know it is going to cost me to go after a new CPU. I need to decide if (a) I can go down the Kaby Lake route, which has the highest clock frequency, or take a Xeon E3 v5 or D series or even Ryzen, and (b) keep requirement (3) above as a separate server or run multiple services as VMs on a single machine.



  • @ivor:

    @whosmatt:

    Let's take a step back for a moment.  pfSense is not the right choice for routing 4 or 5Gbps of traffic, packet inspection needs aside.

    Huh? What makes you say that? Perhaps I am misunderstanding you so please clarify. Are you saying pfSense can't do more than 4 or 5Gbps? If so, you are very wrong. Only limitation is hardware. Our 8 core Atom based hardware can do that without issues.

    I was basing that on numbers I've seen in a worst case scenario with a stateful pf firewall and small packets.  I stand corrected.



  • I am sorry. I disappeared. I got buried in work.

    I need recommendations to decide if I should go for all in one or multiple servers. This is my ambiguity.

    Either way, I want to run pfSense/VPN/Suricata in one VM on ESXi.

    My requirements are as follows (I'm sorry, there are too many requirements here. It is not easy to fit all in one! :) )

    1. pfSense-Suricata-VPN-Packet Inspection as one VM. Maximise VPN throughput as much as possible. As we know, modern architecture and highest clock frequency are the key for VPN. I will leverage my Cisco managed switch to reduce the performance impact of routing packet inspection through pfSense.
    2. Plex to stream at least 1080p (2-3) and ideally one 4K.
    3. NAS / File Server
    4. Homelab running 3-4 VMs as one cluster. This is definitely going to be a different server sporting a dual Xeon E5. I would perhaps grab a used CPU. I won't run this 24 x 7 to save electricity!
    5. I have not considered a backup solution for any of them. This is critical. Perhaps I will grab a couple of high capacity external hard disks and keep them offsite.

    I have identified the following CPU: I have attached my comments.

    i) E5 2620 v4, 8 cores, 2.1 GHz, 85w TDP, £390 -> Clock speed for VPN throughput maximisation is a concern, although dual Xeon would get me (1) - (3) in one box and perhaps a restricted version of homelab (4) as one VM.
    ii) E3 1275 v6, 4 cores, 73w TDP, 3.8 GHz -> should be enough for (1). A separate server for (2) to (4).
    iii) E5 1630 v4, 4 cores, 140w, 3.7 GHz, £400
    iv) E5 1650 v4, 6 cores, 140w, 3.6 GHz, £610.

    Considered (can overclock) and ignored the following:

    i3 7350k - a great cpu but I reckon I need 4 cores for (1). I am not sure how light or heavy my rules would be for suricata
    i7 7700k -  heat issue spikes even when a file is opened. Not sure, I don't want to delid and void the warranty. delid is a compelling choice as I want to overclock the K series
    Ryzen 1700 - reports of a PSOD vis-a-vis ESXi. Workaround reported to be reducing the performance by 30%.

    It looks like either E5 2620 v4 or E3 1275 v6.

    Thanks again.



  • Having weighed the options of all in one vs isolated VMs for Pfsense, etc. I have decided the following configuration. Please have a look and advise if they all look fine. Views and recommendations, as usual, are welcome.

    The planned setup:

    • Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs
    • VM1 PfSense / VPN
    • VM2 Suricata / Packet Inspection needs.
    • I will set up a separate machine to meet other requirements.

    PCPartPicker part list / Price breakdown by merchant

    CPU: Intel - Core i7-7700K 4.2GHz Quad-Core Processor  (£299.94 @ Aria PC)
    CPU Cooler: NZXT - Kraken X62 Liquid CPU Cooler  (£149.99 @ Novatech)
    Motherboard: ASRock - Z270M Pro4 Micro ATX LGA1151 Motherboard  (£105.91 @ BT Shop)
    Memory: Corsair - Vengeance LPX 16GB (2 x 8GB) DDR4-3000 Memory  (£123.56 @ More Computers)
    Storage: ADATA - Ultimate SU800 128GB 2.5" Solid State Drive  (£52.17 @ Ebuyer)
    Storage: ADATA - Ultimate SU800 128GB 2.5" Solid State Drive  (£52.17 @ Ebuyer)
    Case: Corsair - Air 540 ATX Mid Tower Case  (£124.05 @ Ebuyer)
    Power Supply: EVGA - SuperNOVA G3 (EU) 550W 80+ Gold Certified Fully-Modular ATX Power Supply  (£78.24 @ Aria PC)
    Total: £986.03
    Prices include shipping, taxes, and discounts when available
    Generated by PCPartPicker 2017-05-29 15:10 BST+0100

    Questions:

    (1) Should I choose the Intel I350-T4 (£41) or the X540-T2 (~£100)?

    http://www.ebay.co.uk/itm/Genuine-Intel-Quad-Port-Server-Ethernet-Adapter-I350-T4-PCI-Express-I350T4BLK-/302320524446? hash=item4663b51c9e:g:p1gAAOSwX61ZHVV8

    or

    http://www.ebay.co.uk/itm/Intel-X540-T2-10G-Dual-RJ45-Ports-PCI-Express-Ethernet-Converged-Network-Adapter-/131945268901

    (2) I plan to set port mirroring in my Cisco managed switch and use the second VM as a small box for packet inspection / Suricata needs.

    Can PI / Suricata be installed / run separately rather than on pfSense? I am concerned that running packet inspection as a part of pfSense will unnecessarily route all internal traffic through it and reduce the LAN traffic performance.

    Thanks,
    SSri



  • I run a lot of the hardware you are looking at in my home.  I have a Cisco SG300-28 switch running in L3 mode connected to a pfSense box running on an old Xeon 5148 CPU with an Intel server motherboard with 2 built-in GIG NICs.  I have a 300/20 cable connection and I get about 360 to 370 speed using DSLreports speedtest.  I have the router setup on a separate VLAN so no local devices can slow down the router.  My pfSense box is a simple setup with 1 WAN port and 1 LAN port because the layer 3 switch handles all local VLAN traffic.  My CPU never goes above 3% as the L3 switch is doing most of the heavy lifting.

    What I don't do any more is run VPN as I am retired and have been for a number of years.  I am facing the upcoming AES-NI requirement for pfSense 2.5.  So old hardware may have its limits.

    I believe the L3 switch is the best way to handle local VLANs.  I am not sure why you need 4 ports for pfSense as 2 should do it using an L3 switch.



  • @coxhaus:

    I believe the L3 switch is the best way to handle local VLANs.  I am not sure why you need 4 ports for pfsense as 2 should do it using an L3 switch.

    Thank you Coxhaus. I agree. That's what I plan to do here as well.

    In any case,

    @coxhaus:

    I am not sure why you need 4 ports for pfsense as 2 should do it using an L3 switch.

    Fair point. I have 350/20 at the moment. I understand from my ISP engineers that they are internally testing a gigabit service. So, there is no real need for more than a couple of i350s. Nevertheless, I might remove a couple of IoT devices off the switch and plug them directly into the pfSense router ports. Not sure if this is a sensible approach. But, the price difference is just a few to 10 pounds. So, I may as well throw in the 4 port card.

    I am indeed tempted to grab the 10gig dual cards. I reckon I will buy that for another machine that I plan to build and deploy multiple VMs for media server, nas and home data science lab.

    :)



  • I like lean and mean.  I still see no reason to carry the baggage in pfSense for all the extra ports in case you might use them. Bridging is a slow process in networking. Create an extra VLAN in the L3 switch for what you want to do.  When pfSense fixes drivers for 10GIG ports just switch to 10GIG if you need more.



  • @SSri:

    <snip>The planned setup:

    • Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs
    • VM1 PfSense / VPN
    • VM2 Suricata / Packet Inspection needs.
    • I will set up a separate machine to meet other requirements.

    <snip>(2) I plan to set port mirroring in my Cisco managed switch and use the second VM as a small box for packet inspection / Suricata needs.

    Can PI / Suricata be installed / run separately rather than on pfSense? I am concerned that running packet inspection as a part of pfSense will unnecessarily route all internal traffic through it and reduce the LAN traffic performance.

    Thanks,
    SSri

    Seeing that there are only 2 vm, personally I would just put both vm in a promiscuous port group and not bother with port mirror.



  • @SSri:

    • Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs

    In this day and age ESXi can boot from the same partition you use to store VMs. Gone are the days where the hypervisor needs a separate partition just to boot from.  No need to split it up.



  • I seriously doubt that esxi can boot from just one partition without writing a new installer. When I run

    esxcli storage core device partition list

    There are 6 system partitions and a vmfs5 partition for local storage on one drive.



  • Sorry for not replying. I have been away on business.

    Thanks everyone for the valuable advice, which is very helpful.

    After a long thought, I have decided to run PfSense FW-Router-VPN on its own. The rest of the requirements starting with Suricata/Packet Inspection to Home Lab clusters will be run on a beefy server via multiple VMs. I will use the port mirror on my switch to inspect packets on the separate server running Suricata/PI as one of the VMs.

    I have finalised the following specs for the PfSense-VPN.

    PCPartPicker part list / Price breakdown by merchant

    CPU: Intel - Core i3-7350K 4.2GHz Dual-Core Processor  (£147.80 @ Alza)
    CPU Cooler: CRYORIG - M9i 48.4 CFM CPU Cooler  (£22.99 @ Overclockers.co.uk)
    Motherboard: ASRock - Z270M Pro4 Micro ATX LGA1151 Motherboard  (£105.91 @ BT Shop)
    Memory: Corsair - Vengeance LPX 8GB (2 x 4GB) DDR4-3000 Memory  (£67.35 @ CCL Computers)
    Storage: Sandisk - SSD PLUS 120GB 2.5" Solid State Drive  (£48.80 @ Amazon UK)
    Case: Thermaltake - Core V21 MicroATX Mini Tower Case  (£53.99 @ Amazon UK)
    Power Supply: Silverstone - Strider Gold 450W 80+ Gold Certified Fully-Modular SFX Power Supply  (£79.47 @ Scan.co.uk)
    Total: £526.31
    Prices include shipping, taxes, and discounts when available
    Generated by PCPartPicker 2017-06-03 18:11 BST+0100

    • Intel I350-T2 or T4.

    I will be ordering the parts next week.

    Thanks all.
    Cheers



  • @gjaltemba:

    I seriously doubt that esxi can boot from just one partition without writing a new installer. When I run

    esxcli storage core device partition list

    There are 6 system partitions and a vmfs5 partition for local storage on one drive.

    You're right. What I meant to say is that the days of the user having to manually set aside storage for the OS are gone; the installer handles everything now.  No need for a separate array just for the install, etc.



  • There was never a requirement for a separate array, just a LUN. I run ESXi 6.5 from an SD card.



  • https://plugloadsolutions.com/80PlusPowerSuppliesDetail.aspx?id=26&type=2

    Consider a used eBay Dell 80+ Gold PSU. My PSU is the L265EM-00 ATX12V form circa 2011. I got it for $15 USD including shipping. A 10% load for a 500W is 50 watts and may not be realistic for a pfSense firewall that predominantly rests at idle. I chose a 265W PSU which is closer to my real world idle state. I also tested it on an old mobo for an hour before plugging it into my Kaby Lake pfSense mobo.

    Currently I idle at 18.4W with a G4650T CPU, nc364t, liteon msata ssd and packages: openvpn,suricata, pfblockerng, squid and squid guard.



  • @patrick0525:

    Thank you. I will definitely check out a suitable dell psu.

    Cheers.



  • No need to buy an over-wattage PSU. You may need to buy 24 pin & 12V extension cables since Dell cables are usually too short and designed for their mobos.



  • Thanks for the heads up.

    Regards



  • I just lowered my idle consumption wattage by adjusting the bios settings for the CPU and system fan from standard cooling to silent cooling. Wattage is now 18.1W



  • Thanks for all help. Cheers

