Core 2 duo PC for pfSense in business deployment
-
That's a workable box all around with the exception of IPsec. You might hit a wall without the AES-NI on your Core2. It all depends on what your VPN expectations are.
The other concern is the power consumption. You will be running at least 100 W each. If you can hold off a bit, you could get the new SG-3100. As long as you're not running Snort with a ton of rules or ntopng you should be fine. You also get support!
-
Depending on how long you need it to be supported by pfSense you may want to get a box that has AES instruction support.
On top of that, something in a more rugged form factor (smaller and more sturdy than a PC) might be beneficial. The SG-3100 would be a good fit, but if you really need something cheap you might end up with the china boxes like those Qotom-Q310G4 (or one with a lower end CPU). They are about 150e delivered.
Ideally you'd get one with a C-series Atom, that'd be a good fit. If you still want to go the desktop PC route, check the CPU on ark.intel.com for AES.
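
Besides looking the model up on ark.intel.com, the same question can be answered on a box that is already running. The following is an added example, not part of the original post: it assumes the FreeBSD/pfSense boot log lists CPU features on a `Features2=` line and that Linux lists them on the `flags` line of `/proc/cpuinfo`; the function names and sample lines are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect AES-NI from CPU feature text.

# has_aesni TEXT: exit 0 if TEXT advertises AES-NI, 1 otherwise.
# Understands FreeBSD/pfSense boot logs and Linux /proc/cpuinfo.
has_aesni() {
    printf '%s\n' "$1" | awk '
        /Features2=/ {                      # FreeBSD: Features2=0x...<A,B,AESNI,...>
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        /^flags[ \t]*:/ {                   # Linux: flags : fpu vme ... aes ...
            s = $0
            sub(/^[^:]*:/, "", s)
            n = split(s, f, " ")
            # whole-token match so that e.g. "vaes" alone does not count
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample lines (hex masks are placeholders, feature lists abbreviated).
SAMPLE_C2D='  Features2=0x0<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE>'
SAMPLE_I5='  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_LINUX='flags : fpu vme sse4_1 sse4_2 popcnt aes xsave avx'

# report LABEL TEXT: print a one-line verdict for a sample or a real host.
report() {
    if has_aesni "$2"; then echo "$1: AES-NI present"; else echo "$1: no AES-NI"; fi
}

report "constructed Core 2 sample" "$SAMPLE_C2D"
report "constructed i5 sample" "$SAMPLE_I5"
report "constructed Linux sample" "$SAMPLE_LINUX"

# On a real box, feed the boot log (FreeBSD/pfSense) or cpuinfo (Linux).
for src in /var/run/dmesg.boot /proc/cpuinfo; do
    if [ -r "$src" ]; then report "$src" "$(cat "$src")"; fi
done
```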
-
Thank you very much for your input guys, I do want longevity, but I find the small boxes are more annoying to work with, if a PC has a problem you just replace a part.
But I will check out the CPU and those options you guys mentioned.
EDIT: WOW thank you for the AES-NI warning, I didn't know about it, and unfortunately I have like 6 boxes I'll have to replace because of it.
Cheers
-
It will be fine as a basic DHCP or VPN server until about 100mbs.
After pfSense begins to require AES-NI, switch them to OPNsense or IPFire.
-
After pfSense begins to require AES-NI, switch them to OPNsense or IPFire.
You can just keep it running on the version you are currently on. That is until a security problem has been found in one of the components and Netgate is not fixing that version anymore. That's a couple years down the road. And at that time you will want to buy more power efficient hardware anyway.
-
It will be fine as a basic DHCP or VPN server until about 100mbs.
After pfSense begins to require AES-NI, switch them to OPNsense or IPFire.
Or just get an AES-NI capable CPU… by the time pfSense no longer supports CPUs without AES acceleration, those CPUs will be more than 15 years old. I'm not saying old hardware is bad by definition, but other components from that era will be getting hard to get, and what's there will be slowly dying. Then there is the waste of power and lack of performance compared to current hardware...
If you're still running a service on a Core2Duo-era machine at that point, it's going to be comparable to running it on a Pentium 3 now.
-
… unfortunately I have like 6 boxes I'll have to replace because of it.
As others have said you will need to plan to replace those in ~2 years. Unfortunately there are no socket 775 CPUs that support AES-NI even if you fit a Xeon 771 CPU with one of those adapters.
But can you really be relying on hardware that old if this is a business critical deployment?
Until that time though I imagine that would fit your requirements just fine.
Steve
-
That's a workable box all around with the exception of IPsec. You might hit a wall without the AES-NI on your Core2. It all depends on what your VPN expectations are.
The other concern is the power consumption. You will be running at least 100 W each. If you can hold off a bit, you could get the new SG-3100. As long as you're not running Snort with a ton of rules or ntopng you should be fine. You also get support!
I'm using an old Core 2 Duo 2.4 GHz HP Elite 8000 which is on 24/7 and the machine only uses 35 watts on idle.
-
That's a workable box all around with the exception of IPsec. You might hit a wall without the AES-NI on your Core2. It all depends on what your VPN expectations are.
The other concern is the power consumption. You will be running at least 100 W each. If you can hold off a bit, you could get the new SG-3100. As long as you're not running Snort with a ton of rules or ntopng you should be fine. You also get support!
I'm using an old Core 2 Duo 2.4 GHz HP Elite 8000 which is on 24/7 and the machine only uses 35 watts on idle.
What will you do when the motherboard fails?
-
… the machine only uses 35 watts on idle.
That's about 5 times what an APU2 consumes under load.
-
… the machine only uses 35 watts on idle.
That's about 5 times what an APU2 consumes under load.
So what? It would be at least 5 years to recoup the purchase price in these parts, and from a green perspective it's probably neutral at best to throw out a working system to replace it with another one. Tossing out an idle power consumption without any context is ridiculously common on this board but really pointless.
-
I am using Lenovo M58p E8400 and another one with E8500 in a small LAN without any problem for ~2-3 years.
It has extra:
- 2 x LAN Gb cards ( 2 + 1 ports )
- 1 USB Ethernet 100 Mbps. ( for guest AP when need it )
It runs without any problem: Suricata, pfBlockerNG, OVPN site-2-site and OVPN server for mobile, postfix…
OVPN speed is max ~100Mbps without compression.
This MB has Intel AMT 5.0 so you can control it remotely, power ON/OFF....
Consumption on work ~45-60W.
I can recommend it for home and small office if you have one.
-
@n3by This was all pre pandemic. When the pandemic hit and people started doing Zoom, Meet, and other encrypted calls, my core 2 duo box struggled. People were unhappy.
I purchased a cheap i5 on eBay, 80 dollars at the time, and that fixed the problem. Actually, because they were so cheap, I bought two of them and did HA.
-
Things move on after 6 years! One of which is that there's no AES-NI requirement so C2Ds are still good.
Steve
-
@stephenw10 Yeah I remember when they made that decision. I guess as long as the core 2 unit can keep up without the AES instruction support that's ok, but I had other things bite me, like docker and UISP refusing to run on CORE 2s. With hardware that can do AES so cheaply why take that chance? I suppose if you are just using it at home it might be all right, but if you get any number of users there are going to be problems. Teleconferencing is so ubiquitous that I think using a core 2 duo on any size audience is asking for discontent from your users.
One of the installs I have has 17 apartments and I was using a core 2 unit. As teleconferencing came on I could watch it fall behind on DNS and I could see latency encroach. So that might be maybe 34 users with 2 devices each so say 70 devices. So with Roku, Firesticks, and other streaming devices and then the pandemic it got pretty dicey and people started to complain. Now granted I run Suricata and pfBlocker. With the 3rd gen i5s things were obviously much better. Just recently I bought a couple of used 6th gen i7s for 120 each. Yeah, they say that that is way overkill, but my users commented that the response improved. I noted that the GUI response for management improved too.
You can run pfSense on some marginal equipment. BSD is pretty awesome, but if you can find the nickels it is worth spending them. If you can afford the Netgate equipment that is even better.
-
Absolutely. Even 6 years ago C2D was so old it should not have been running in anything critical. Hardware that age may fail. At any time!
-