Netgate Discussion Forum

    Which would be better for my pfsense box?

    • Geran Brown

      Hi all,

      I was wondering if I could get input on which CPU would be better for my pfSense build (with OpenVPN). My options are a Xeon D-1521 or a Xeon E3-1240v2. My ISP is FIOS "gigabit".

      I would like to get the most out of OpenVPN and be ready for AES-NI when it becomes required by pfSense.

      Any help would be greatly appreciated!

      • VAMike

        @Geran:

        Hi all,

        I was wondering if I could get input on which CPU would be better for my pfSense build (with OpenVPN). My options are a Xeon D-1521 or a Xeon E3-1240v2. My ISP is FIOS "gigabit".

        I would like to get the most out of OpenVPN and be ready for AES-NI when it becomes required by pfSense.

        Any help would be greatly appreciated!

        Both of those seem like overkill compared to a high-clock pentium or i3, so whatever floats your boat.

        • Geran Brown

          @VAMike:

          Both of those seem like overkill compared to a high-clock pentium or i3, so whatever floats your boat.

          I got these from work as they were being decommissioned so I figured it would be better to use free equipment instead of buying something new. My original plan was to use a high-clock pentium.

          • asterix

            Go for the Xeon D-1521. It will save you some running costs (not by that much). Virtualize it and install a couple of VMs to consolidate any servers you may be thinking of upgrading. The Xeon D-1521 has enough power to run your pfSense along with 2 or 3 decent power hungry servers.

            • Guest

              I was wondering if I could get input on which CPU would be better for my pfSense build (with OpenVPN).

              Both are rock-solid pieces of hardware, but if you are asking me today what to go with, I personally would answer
              that the Xeon E3-1240v2 would be my hardware. At the moment it is better to bet on raw, high GHz, because it is
              single-threaded; if this turns around step by step, the Xeon D-15xx would match better as well,
              but at the moment, and if the CPU is already at your home, I would go with the Intel Xeon E3 CPU!!!

              • ECC RAM support
              • Low power consumption
              • 24/7/365 server grade CPU
              • able to build a thin and small footprint pfSense firewall box
              • Older hardware (spare parts) is often cheaper to get your hands on!

              My options are a Xeon D-1521 or a Xeon E3-1240v2. My ISP is FIOS "gigabit".

              Do you need to use PPPoE? Or do you not need it?

              I would like to get the most out of OpenVPN and be ready for AES-NI when it becomes required by pfSense.

              Then actually the Xeon E3 would be a nice match. It sucks much more electric power, but mostly less than desktop CPUs with
              the same clock speed or rate. It might be that others see this differently, but there is nothing wrong with older hardware!

              Any help would be greatly appreciated!

              • Intel E3-1240v2
              • Intel DQ77KB mainboard
              • LIAN LI Black Aluminum PC-Q05B
              • 2 GB, 4 GB or 8 GB RAM (2 SO-DIMM)
              • miniPCIe WiFi card if needed or wished
              • mSATA 16 GB, 32 GB, 64 GB or 128 GB

              Blog about all hardware needed for the Intel Xeon E3-1240v2 CPU

              Thin, small, silent and fast to get hands on.

              • FranciscoFranco

                I would take the D-1521; it is much newer and uses DDR4.
                Ivy Bridge from 2012 versus Broadwell from 2015
                8 cores at 3.4 GHz and 69W -versus- 8 cores at 2.4 GHz and 45W

                One thing to check is that Supermicro D1521 used 2x10G Ethernet too so that could be a kicker.
                Post your board details for more help.

                • Guest

                  @FranciscoFranco

                  But the Xeon E3 has 4 cores and with HT also 8 CPU cores, or am I wrong about that?
                  And it scales to 3.7 GHz in Turbo mode or over (PowerD), so that he is getting the most
                  out of OpenVPN, as he stated he wants to reach.

                  One thing to check is that Supermicro D1521 used 2x10G Ethernet too so that could be a kicker.

                  OK, I concede, but for the newer Denverton (Intel C3000) Supermicro also offers many devices with 10 GbE and
                  SFP+ ports as well. Will they not be able to fit his needs at 1 GBit/s?

                  • Geran Brown

                    So for the XeonD, I have this one (http://www.supermicro.com/products/motherboard/xeon/d/X10SDV-4C-TLN2F.cfm) with dual 10GbE. For the 1240v2, it is actually in a Dell R210ii that was decommissioned.

                    I would like to get the most out of OpenVPN if possible but I am willing to compromise as well.

                    • Guest

                      I would like to get the most out of OpenVPN if possible but I am willing to compromise as well.

                      This sounds ok for me, then I would change my mind and say go with the Supermicro Xeon D-15xx board!

                      • SC505-203B Case (w/Front I/Os)
                      • M.2 SSD (M Key:2280)
                      • 2 x 4 GB RAM

                      BIOS settings: (if needed)

                      • activate the Hyper threading (HT)
                      • set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

                      NIC tunings: (if needed)

                      • choose the ZFS file system and TRIM support will be enabled automatically
                      • raise the mbuf size to something between 125000 - 1000000
                      • narrow down the number of num.queues to between 1 and 4
                      • enable PowerD (high adaptive)

                      OpenVPN settings: (if needed)

                      • enable Intel RDRAND (if supported by the hardware)
                      • activate UDP fast I/O support
                      • enable LZO compression if able to do so on both sites
                      • set the buffer to 2 MB; less or higher could also be matching
                      • AES-NI is activated by default since the pfSense version 2.4.0

                      • FranciscoFranco

                        @BlueKobold:

                        @FranciscoFranco

                        But the Xeon E3 has 4 cores and with HT also 8 CPU cores, or am I wrong about that?
                        And it scales to 3.7 GHz in Turbo mode or over (PowerD), so that he is getting the most
                        out of OpenVPN, as he stated he wants to reach.

                        I am not sure about clockspeed for this. Is OpenVPN single threaded? 3.7 is the Turbo boost on only one core right?
                        Clockspeed never came into my thoughts. The age is the first indicator for me.
                        Maybe 2 x 10Gbe are not needed. For me it seems like a better board. A 70W chip for Gigabit at home seems undesirable.
                        Add in SuperMicro versus Dell and it's a no brainer.

                        • Guest

                          I am not sure about clockspeed for this. Is OpenVPN single threaded?

                          Sadly yes, but it can handle each tunnel over another single CPU core.

                          3.7 is the Turbo boost on only one core right?

                          Yes it is.

                          Clockspeed never came into my thoughts. The age is the first indicator for me.

                          PPPoE is single-threaded and OpenVPN too, and therefore if he wants to get the maximum out of OpenVPN, the
                          higher the clock speed, the better the numbers scale up for OpenVPN! For sure, if he does not need
                          PPPoE, he is only at times pressed to act over one CPU core, by OpenVPN only.

                          Maybe 2 x 10Gbe are not needed. For me it seems like a better board. A 70W chip for Gigabit at home seems undesirable.
                          Add in SuperMicro versus Dell and it's a no brainer.

                          Netgear GS110MX ~200 €
                          Netgear GS110EMX ~230 €
                          D-Link DGS1510-20 ~250 €

                          These will handle this with ease, and also for a DMZ and LAN switch you get 10 GBit/s, so it is really more attractive
                          to use that board, I must concede to you.

                          • Geran Brown

                            @BlueKobold:

                            I would like to get the most out of OpenVPN if possible but I am willing to compromise as well.

                            This sounds ok for me, then I would change my mind and say go with the Supermicro Xeon D-15xx board!

                            • SC505-203B Case (w/Front I/Os)
                            • M.2 SSD (M Key:2280)
                            • 2 x 4 GB RAM

                            Which M.2 would you recommend?

                            • Guest

                              Which M.2 would you recommend?

                              I really have no clue on that; in the next three months I will be in the same boat as you are now! I then have to choose
                              between the Intel Xeon D-15xxN and Intel Denverton C3000 series, both with AES-NI, QAT and DPDK ready and
                              an M.2 slot too!!!! So I must then also research which M.2 would be supported; I only know that
                              there are two different models on the entire market, AHCI and NVMe M.2 SSDs. And on top of this, some models
                              come with their own BIOS and some do not, so it is highly recommended to check the compatibility lists
                              from each vendor in use, I would say.

                              And so I really don't know which one is needed for your board especially, or what is supported by the
                              vendor Supermicro on your board!

                              • VAMike

                                nvme ssds have generally better performance, which is mostly irrelevant for a router, and usually need to boot in uefi mode. nvme m.2 usually is m keyed, and will not work in b keyed socket. sata will usually work in either socket and will have fewer compatibility issues.

                                • bingo600

                                  @BlueKobold:

                                  BIOS settings: (if needed)

                                  • activate the Hyper threading (HT)
                                  • set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

                                  NIC tunings: (if needed)

                                  • choose the ZFS file system and TRIM support will be enabled automatically
                                  • raise the mbuf size to something between 125000 - 1000000
                                  • narrow down the number of num.queues to between 1 and 4
                                  • enable PowerD (high adaptive)

                                  OpenVPN settings: (if needed)

                                  • enable Intel RDRAND (if supported by the hardware)
                                  • activate UDP fast I/O support
                                  • enable LZO compression if able to do so on both sites
                                  • set the buffer to 2 MB; less or higher could also be matching
                                  • AES-NI is activated by default since the pfSense version 2.4.0

                                  Would those tips be general, and also usable (recommended) for a Qotom i5 setup w. 8G Ram?

                                  /Bingo

                                  If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                  pfSense+ 23.05.1 (ZFS)

                                  QOTOM-Q355G4 Quad Lan.
                                  CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                  LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                  • Guest

                                    Would those tips be general, and also usable (recommended) for a Qotom i5 setup w. 8G Ram?

                                    It is never really possible to reproduce this on any hardware with the same effect, or on custom hardware with the same
                                    effect. As a small example:

                                    • With Broadcom 10 GbE NICs (not all, but many), people more often narrow down the entire mbuf size (65000) and often have success
                                    • Intel NICs are often served well when you raise it to between 125000 and 1000000!

                                    So freeing some things up might sound like a good idea, but not for any user or any use case, for sure!
                                    Please accept that it is more or less one or more things I've seen: people start a service,
                                    run a package, or in general set some things up, and even after this many or some run
                                    into a trap or get problems after the installation.

                                    It is possible to get the same result or success, but not evenly and not with a guarantee; it all depends on the
                                    entire hardware and also on the pfSense version itself, because not every version is like the other, depending on
                                    bug fixes, newer functions, options and protocols or given services. It is more like a hunting game you will win.

                                    and also usable (recommended) for a Qotom i5 setup w. 8G Ram

                                    Let us both imagine you are using firewall, VPN, Snort, Squid, SquidGuard and pfBlockerNG,
                                    and you turn on pfBlockerNG & DNSBL + TLD with many IP lists, so your RAM goes
                                    down very fast and is nearly completely in use; then it makes no sense to say let us raise the
                                    mbuf size. But if you get into problems or see issues and narrow down the IP lists
                                    in use in pfBlockerNG, you could do this to work around any other problems.

                                    BIOS settings: (if needed)

                                    • activate the Hyper threading (HT)
                                    • set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

                                    Often people report that they expected more from the higher-spec hardware, and that was because
                                    the HT function was disabled in the BIOS, so why not tell others: please don't forget to turn it on?
                                    Does your Qotom box have such a setting in the BIOS? If so, then try it out and give us (forum members)
                                    feedback on this please!!!

                                    The IPMI port on some mainboards, mostly Supermicro (and we are talking here about a Supermicro
                                    Xeon D-15xx vs an Intel Xeon E3 system), is the fallback port associated with the WAN port! So if
                                    the WAN fails one time, the WAN falls back to the IPMI, and you try to get access
                                    to the Internet back again and again, but without success or any clue why you can't do so, or
                                    plainly why you would not be able to do so!

                                    NIC tunings: (if needed)

                                    • choose the ZFS file system and TRIM support will be enabled automatically
                                    • raise the mbuf size to something between 125000 - 1000000
                                    • narrow down the number of num.queues to between 1 and 4
                                    • enable PowerD (high adaptive)

                                    If you need TRIM or wish to enable it, it is nice to know that since version 2.4.0 ZFS
                                    automatically enables this for you.
                                    Depending on the NIC driver used and the CPU, pfSense will open or create queues for each NIC port,
                                    and they can be filled more (mbuf size 1000000) or less (mbuf size 65000), and on
                                    top of this the number of these queues can also be set, from 1 queue to 4 or more
                                    queues, as needed or well matching.
                                    PowerD will bring the CPU to scale up if needed, and also vice versa scale down if
                                    your pfSense box is not so heavily stressed by traffic or functions.

                                    OpenVPN settings: (if needed)

                                    • enable Intel RDRAND (if supported by the hardware)
                                    • activate UDP fast I/O support
                                    • enable LZO compression if able to do so on both sites
                                    • set the buffer to 2 MB; less or higher could also be matching
                                    • AES-NI is activated by default since the pfSense version 2.4.0

                                    And this is quite the greatest part, where you will be able to play around for weeks to
                                    get the best settings matching your configuration and bringing you the most benefit.

                                    Please don't forget that you can win and be happy with only one setting and/or with all or
                                    some of them together. I personally think that mostly many things play better
                                    together than only one hint.

                                    VPN is a two-ended "thing", and if both ends enable LZO compression or fast I/O support
                                    it would make more sense to me; Intel RDRAND must be supported by the hardware, and the buffer
                                    more or less depends on your RAM size, and on what benefit you will see on your pfSense box or
                                    based on the hardware you are using.
