What do you guys think of this hardware?
-
Hi!
So I'm about to upgrade my router from a Ubiquiti to a pfSense router.
I have a 1000/1000 connection with 5 servers behind. No more than 50 concurrent connections.
Planning to run a few OVPN VLANs and suricata.
Motherboard: X8STi-F dual gig nics
CPU: Intel Xeon L5520 2,26 GHz 8MB cache
Memory: HP 4GB DDR3-1066 ECC
Chassis: CSE-512L-260B with 260w power
EDIT: Just noticed that the CPU doesn't support AES-NI? Any recommendations for another CPU for that mobo?
-
ehhh, that's pretty old hardware.
It will work (other than the eventual lack of support for non AES-NI), but you are probably better off abandoning LGA 1366 if possible.
Passmark is a very imperfect benchmark, but also ubiquitous so I'll use it here regardless.
I got a used SFF desktop off eBay for just over $100 about a year ago for pfSense with 8GB DDR3 & i5-2400. The i5-2400 is pretty dated itself, but on passmark is ~34% faster and has AES-NI.
A modern i3 easily beats out both your xeon and my i5.
I just put that out there to say that you can probably upgrade that very aged hardware for a very reasonable price.
If that isn't an option, then I'd suggest searching eBay for a used CPU that supports AES-NI in LGA 1366, but I'd avoid that option if I was you.
-
> ehhh, that's pretty old hardware.
> It will work (other than the eventual lack of support for non AES-NI), but you are probably better off abandoning LGA 1366 if possible.
> Passmark is a very imperfect benchmark, but also ubiquitous so I'll use it here regardless.
> I got a used SFF desktop off eBay for just over $100 about a year ago for pfSense with 8GB DDR3 & i5-2400. The i5-2400 is pretty dated itself, but on passmark is ~34% faster and has AES-NI.
> A modern i3 easily beats out both your xeon and my i5.
> I just put that out there to say that you can probably upgrade that very aged hardware for a very reasonable price.
> If that isn't an option, then I'd suggest searching eBay for a used CPU that supports AES-NI in LGA 1366, but I'd avoid that option if I was you.
Thanks for your reply! Very informative.
I thought I was smart picking cheap server hardware 8) But i3 seems reasonable, low power consumption?
What parts would you pick for my requirements?
-
It really depends on the throughput you want to get on the openvpn connections and how many rules you want on suricata + how many interfaces you want to inspect.
If the answer is really fast, lots of rules and all of the interfaces then it comes down to how much you want to spend vs how much you are willing to compromise.
Those two packages are the two biggest CPU hogs. Clock speed and modern architecture will be the two biggest determining factors.
-
> It really depends on the throughput you want to get on the openvpn connections and how many rules you want on suricata + how many interfaces you want to inspect.
> If the answer is really fast, lots of rules and all of the interfaces then it comes down to how much you want to spend vs how much you are willing to compromise.
> Those two packages are the two biggest CPU hogs. Clock speed and modern architecture will be the two biggest determining factors.
Thanks for your reply.
I'm new to running openvpn on router level and have never run suricata, so I cannot say how many connections on openvpn and how many rules on suricata. But let's assume I want to use my 1000mbit connection for 10 people with openvpn, and I want "medium" rules on suricata, if you can say that =)
I was looking at an Atom, more specifically the A1SRi-2758F motherboard with integrated CPU and AES-NI support. Maybe that is what pfSense has in the XG-2758 1U model?
But I have also been investigating the i3 option, but too much new info to comprehend atm.
What would you buy if you had 300usd and 500usd?
-
You won't get full gigabit openvpn with anything that I'm aware of right now.
With a high clock i3 (i3-7350k) you will probably get in the 6-700Mbps range openvpn.
Suricata is pretty tough to predict as it depends on not only how many rules and how much traffic but also specifically what the rules are inspecting (how they are written).
Given your budget and stated needs I would base a build on an i3-7350k. Reuse any parts you can. Don't worry about dual Intel Nics on the motherboard unless the price is also right.
You can get i340-t2 for ~$20 and t4 for ~$40 on ebay.
Get a good PSU if you don't have one you can reuse but don't overbudget your power needs and don't pay for anything more than bronze level.
Use a small SSD, you don't need a high end one just any old SSD.
Get used RAM if possible, you'll want dual channel. If you have no intention of using any other packages than what you already stated then 4gb, if you might end up using pfblockerng, then, told, etc then 8gb+ can be used if you really want to.
-
> What would you buy if you had 300usd and 500usd?
Save more money and get a small and silent or fanless SG-4860, this should be more than adequate for your needs!
Symetric 1 GBit/s connection w/ SG-4860
-
Just ignore blue kobold, he likes to give horrible hardware recommendations.
A 2.4GHz atom from 2013 is not going to impress anyone with openvpn and/or ids/ips performance.
-
> (…) Don't worry about dual Intel Nics on the motherboard unless the price is also right.
> You can get i340-t2 for ~$20 and t4 for ~$40 on ebay.
This is actually something I've been wondering about. You see a lot of people using the ASRock H270M-ITX/ac mobo with an i3 because it has dual NICs built in. While it's nice to only need the mobo, shouldn't one be able to get better performance using a dedicated NIC such as the T2/T4 you mentioned, compared to built-in NICs (even if they are Intel)?
EDIT: I should add that I'm looking into building a system with the same requirements (gigabit connection, using OpenVPN and suricata). I had settled on using the i3 you mentioned but the other parts are still to be determined, so this thread is very interesting to me.
-
I found this thread: https://forum.pfsense.org/index.php?topic=129393.0 talking about the same subject. And a few performance specs from gig net with openvpn. Just for reference.
I usually go for NC364T Quad-Port nics, but this build I'm going to try out the i340-t2 or i340-t4 to be redundant.
So this build got a little out of hand regarding price. I'm currently looking at this setup. Please review:
CPU: i3-7350k, 180USD
Motherboard: Supermicro X11SSL-F Socket lga1151, 255USD
Case: Supermicro CSE-512L-260B Chassis with 260W power supply and some fans, 111USD
CPU Cooler: Noctua NH-L9i, 50USD
Memory: Kingston ValueRAM Server Premier KVR24SE17S8/4MB 4GB, 75USD
HDD: KingFast F6 32GB 2.5" SATA SATA III MLC SSD, 25USD
Extra Quad nic: i350-T4, 45USD
180+255+111+50+75+25+45 = 741 USD
This will be a future proof router.
Any thoughts? =)
-
Personally I would skip the supermicro stuff on a home router and cut the price in half, but if you want to spend the cash then go for it!
-
> Personally I would skip the supermicro stuff on a home router and cut the price in half, but if you want to spend the cash then go for it!
I figure that this machine will be on 24/7 and it will be an "investment" to buy server grade hardware to avoid complications in the future?
-
> I figure that this machine will be on 24/7 and it will be an "investment" to buy server grade hardware to avoid complications in the future?
Supermicro C2758 Board ~500 Euros
Supermicro SYS-E300-8D ~800 Euros
Supermicro SYS-E200-8D ~900 Euros
-
Again totally personal choice but I think consumer will work fine for many years.
My pfsense box was a lease SFF workstation that is about 6 years old now and works fine.
Many others on here are using much much older consumer grade hardware.
Honestly pfsense is probably one of the most gentle applications you could use a computer for.
It will almost never cycle power and will spend the majority of its life at very reasonable temps.
-
After a lot of hesitation I ordered today what I think is close to the best bang for the buck
Intel Pentium G4560, 2x 3.50 GHz
Motherboard Gigabyte GA-B250M-DS3H
SSD SanDisk X400 256 GB M.2 SATA 6 Gbit/s
8 GB DDR4 2133 CL15 Crucial (2x4GB)
Case Inter-Tech GM-6013
Intel i350T4
Antec psu 350W (I had it already)
Total around 375 usd delivered and performance not far from a i3 7350k (around 20% less for around 70% cheaper)
I personally don't need more than 100mb for openvpn
-
> After a lot of hesitation I ordered today what I think is close to the best bang for the buck
> Intel Pentium G4560, 2x 3.50 GHz
> Motherboard Gigabyte GA-B250M-DS3H
> SSD SanDisk X400 256 GB M.2 SATA 6 Gbit/s
> 8 GB DDR4 2133 CL15 Crucial (2x4GB)
> Case Inter-Tech GM-6013
> Intel i350T4
> Antec psu 350W (I had it already)
> Total around 375 usd delivered and performance not far from a i3 7350k (around 20% less for around 70% cheaper)
> I personally don't need more than 100mb for openvpn
Solid build, it won't break a sweat @ 100Mbps and will do great with IDS/IPS! Enjoy.
-
> After a lot of hesitation I ordered today what I think is close to the best bang for the buck
> Intel Pentium G4560, 2x 3.50 GHz
> Motherboard Gigabyte GA-B250M-DS3H
> SSD SanDisk X400 256 GB M.2 SATA 6 Gbit/s
> 8 GB DDR4 2133 CL15 Crucial (2x4GB)
> Case Inter-Tech GM-6013
> Intel i350T4
> Antec psu 350W (I had it already)
> Total around 375 usd delivered and performance not far from a i3 7350k (around 20% less for around 70% cheaper)
> I personally don't need more than 100mb for openvpn
That cpu seems like a good option to the i3 7250k.
One thing that I noticed in the comparison (https://ark.intel.com/compare/97527,97143) is the ECC memory support. The i3 does not support it, but the G4560 does.
-
i3 has hyperthreading though
ECC is usually totally unnecessary in pfsense home use unless your mobo requires it
-
> i3 has hyperthreading though
> ECC is usually totally unnecessary in pfsense home use unless your mobo requires it
Okay, good to know!
But both of them have hyper threading?
-
I'm sorry you're right, I was thinking Celeron!
If you want max openvpn performance the extra 600MHz on the 7350k will show.
If you are ok with a compromise then the Pentium is an excellent choice.