Which would be better for my pfsense box?



  • Hi all,

    I was wondering if I could get input on which CPU would be better for my pfSense build (with OpenVPN). My options are a Xeon D-1521 or a Xeon E3-1240v2. My ISP is FIOS "gigabit".

    I would like to get the most out of OpenVPN and be ready for AES-Ni when it becomes required by pfSense.

    Any help would be greatly appreciated!



  • @Geran:

    Hi all,

    I was wondering if I could get input on which CPU would be better for my pfSense build (with OpenVPN). My options are a Xeon D-1521 or a Xeon E3-1240v2. My ISP is FIOS "gigabit".

    I would like to get the most out of OpenVPN and be ready for AES-Ni when it becomes required by pfSense.

    Any help would be greatly appreciated!

    Both of those seem like overkill compared to a high-clock pentium or i3, so whatever floats your boat.



  • @VAMike:

    Both of those seem like overkill compared to a high-clock pentium or i3, so whatever floats your boat.

    I got these from work as they were being decommissioned so I figured it would be better to use free equipment instead of buying something new. My original plan was to use a high-clock pentium.



  • Go for the Xeon D-1521. It will save you some running costs (not by that much). Virtualize it and install a couple of VMs to consolidate any servers you may be thinking of upgrading. The Xeon D-1521 has enough power to run your pfSense along with 2 or 3 decent power hungry servers.



  • I was wondering if I could get input on which CPU would be better for my pfSense build (with OpenVPN).

    Both a rock solid pice of hardware, but if you might be asking me today what to go with I personally would be answering
    that the Xeon E3-1240v2 will be my hardware. At the moment it is better to set on raw and high GHz, because it is
    single CPU threaded, if this becomes step by step turning around the Xeon D-15xx would be matching more and
    also well, but at the moment and if the CPU is present at your home, I would walk with the Intel Xeon E3 CPU!!!

    • ECC RAM support
    • Low power consumption
    • 24/7/365 server grade CPU
    • able to build a thin and small footprint pfSense firewall box
    • Older hardware (spare parts) is often more cheap to get the hands on!

    My options are a Xeon D-1521 or a Xeon E3-1240v2. My ISP is FIOS "gigabit".

    Are you need to use PPPoE? Or did you not needing it?

    I would like to get the most out of OpenVPN and be ready for AES-Ni when it becomes required by pfSense.

    Then actual the Xeon E3 would be nice matching. Sucks much more electric power, but mostly less then desktop CPus with
    the same clock speed or rate. Might be that others see this different, but there is nothing wrong with older hardware!

    Any help would be greatly appreciated!

    • Intel E3-1240v2
    • Intel DQ77KB mainboard
    • LIAN LI Black Aluminum PC-Q05B
    • 2 GB, 4 GB or 8 GB RAM (2 S0-DIMM)
    • miniPCIe WiFi card if needed or wished
    • mSATA 16 GB, 32 GB, 64 GB or 128 GB

    Blog about all hardware needed for the Intel Xeon E3-1240v2 CPU

    Thin, small, silent and fast to get hands on.



  • I would take the D-1521 it is much newer uses DDR4.
    Ivy Bridge from 2012 versus Broadwell from 2015
    8 cores at 3.4ghz and 69W -versus- 8 cores at 2.4ghz and 45W

    One thing to check is that Supermicro D1521 used 2x10G Ethernet too so that could be a kicker.
    Post your board details for more help.



  • @FranciscoFranco

    But the Xeon E3 has 4 core and with HT also 8 cpu cores, or am I wrong with that?
    And it scales to 3,7GHz in Turbo mode or over (PowerD) that he is getting most
    out of the Open VPN as he stated to reach.

    One thing to check is that Supermicro D1521 used 2x10G Ethernet too so that could be a kicker.

    Ok I consider but the newer Denverton (Intel C3000) offered by Supermicro also many devices with 10 GbE and
    SFP+ ports as well. Will they not able to fit his needs at 1 GBit/s?



  • So for the XeonD, I have this one (http://www.supermicro.com/products/motherboard/xeon/d/X10SDV-4C-TLN2F.cfm) with dual 10GbE. For the 1240v2, it is actually in a Dell R210ii that was decommissioned.

    I would like to get the most out of OpenVPN if possible but I am willing to compromise as well.



  • I would like to get the most out of OpenVPN if possible but I am willing to compromise as well.

    This sounds ok for me, then I would change my mind and say go with the Supermicro Xeon D-15xx board!

    • SC505-203B Case (w/Front I/Os)
    • M.2 SSD (M Key:2280)
    • 2 x 4 GB RAM

    BIOS settings: (if needed)

    • activate the Hyper threading (HT)
    • set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

    NIC tunings: (if needed)

    • choose ZFS file system  and TRIM support will be enabled automatically
    • high up mbuf size to something between 125000 - 1000000
    • narrow down the amount of num.queues to 1 till 4
    • enable PowerD (high adaptive)

    OpenVPN settings: (if needed)

    • enables Intel RDRAND (if supported by the hardware)
    • activate UDP fast I/O support
    • enable LZO compression if able to do so on both sites
    • set the buffer to 2 MB less or higher could also be matching
    • AES-NI is activated by default since the pfSense version 2.4.0


  • @BlueKobold:

    @FranciscoFranco

    But the Xeon E3 has 4 core and with HT also 8 cpu cores, or am I wrong with that?
    And it scales to 3,7GHz in Turbo mode or over (PowerD) that he is getting most
    out of the Open VPN as he stated to reach.

    I am not sure about clockspeed for this. Is OpenVPN single threaded? 3.7 is the Turbo boost on only one core right?
    Clockspeed never came into my thoughts. The age first indicator for me.
    Maybe 2 x 10Gbe are not needed. For me it seems like a better board. A 70W chip for Gigabit at home seems undesirable.
    Add in SuperMicro versus Dell and it's a no brainer.



  • I am not sure about clockspeed for this. Is OpenVPN single threaded?

    Sadly yes, but it can handle each tunnel over another single CPU core.

    3.7 is the Turbo boost on only one core right?

    Yes it is.

    Clockspeed never came into my thoughts. The age first indicator for me.

    PPPoE is single threaded and openVPN too and there fore if wants to get out the maximum of OpenVPN the
    higher the clock speed that better the number up scaling for the OpenVPN! For sure if he is not needing the
    PPPoE he is only on times pressed to act over one cpu core by OpenVPN only.

    Maybe 2 x 10Gbe are not needed. For me it seems like a better board. A 70W chip for Gigabit at home seems undesirable.
    Add in SuperMicro versus Dell and it's a no brainer.

    Netgear GS110MX ~200 €
    Netgear GS110EMX ~230 €
    D-Link DGS1510-20 ~250 €

    Will be handle this with easy and also for a DMZ and LAN Switch you get 10 GBit/s, so it is really more attractive
    to use that board I must consider to you.



  • @BlueKobold:

    I would like to get the most out of OpenVPN if possible but I am willing to compromise as well.

    This sounds ok for me, then I would change my mind and say go with the Supermicro Xeon D-15xx board!

    • SC505-203B Case (w/Front I/Os)
    • M.2 SSD (M Key:2280)
    • 2 x 4 GB RAM

    Which M.2 would you recommend?



  • Which M.2 would you recommend?

    I really hav no clue on that, in the next three month I am in the same boat likes you now! I have then to choose
    between Intel Xeon D-15xxN or Intel Denverton C3000 series, both with AES-NI, QAT and DPDK ready and
    a M.2 slot too!!!! So I must then also search on that behavior which M.2 would be supported, I only know that
    there are two different models on entire the market AHCI and NVME M.2 SSDs. And on top of this some models
    are coming with their own BIOS and some not, so it is highly recommended to watch out the compatibility lists
    from each vendor that is in usage I would say on this.

    And so I really don´t know which one is needed for especially your Board or what is supported by the
    vendor Supermicro on your board!



  • nvme ssds have generally better performance, which is mostly irrelevant for a router, and usually need to boot in uefi mode. nvme m.2 usually is m keyed, and will not work in b keyed socket. sata will usually work in either socket and will have fewer compatibility issues.



  • @BlueKobold:

    BIOS settings: (if needed)

    • activate the Hyper threading (HT)
    • set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

    NIC tunings: (if needed)

    • choose ZFS file system  and TRIM support will be enabled automatically
    • high up mbuf size to something between 125000 - 1000000
    • narrow down the amount of num.queues to 1 till 4
    • enable PowerD (high adaptive)

    OpenVPN settings: (if needed)

    • enables Intel RDRAND (if supported by the hardware)
    • activate UDP fast I/O support
    • enable LZO compression if able to do so on both sites
    • set the buffer to 2 MB less or higher could also be matching
    • AES-NI is activated by default since the pfSense version 2.4.0

    Would those tips be general , and also usable (recommended) for a Qotom i5 setup w. 8G Ram ?

    /Bingo



  • Would those tips be general , and also usable (recommended) for a Qotom i5 setup w. 8G Ram ?

    It is never really able to reproduce on any hardware with the same effect or on custom hardware with the same
    effect. As an small example;

    • Broadcom 10 GbE NICs (not all, but many) use more narrow down the entire mbuf size (65.000) and get often success
    • Intel NICs are often gets served when you high them up between 125000 till 1000000!

    So freeing some things up might be a good sounding idea, but not for nay user or any case of usage fo sure!
    Please accept it is more or less something or more things I´ve seen peoples are starting a service,
    running a packet or in general setting up some things and even after this many or some are running
    in a trap or getting problems after the installation.

    It is able to get the same result or success but not even and with a guaranty for that, it all depends on the
    entire hardware and also the pfSense Version itself because not each version likes the other one pending on
    bug fixes newer functions, options and protocols or given services, it more like a hunting game you will win.

    and also usable (recommended) for a Qotom i5 setup w. 8G Ram

    Let us both imagine you are using firewall, vpn, snort, squid, SquidGuard and pfBlockerNG
    and you turns on the pfBlockerNG & DNSBL + TDL with many IP lists so your ram is going
    down very fast nearly complete in usage, so it makes no sense to say let us highing up the
    mbuf size, but if you gets in problems or you see issues and narrow down the entire IP lists
    in pfBlockerNG that will be in usage, you could do this to solve around any other problems.

    BIOS settings: (if needed)

    • activate the Hyper threading (HT)
    • set the IPMI port to dedicated (often or sometimes shared with the WAN port as fall back)

    Often peoples are reporting they was imagine more from the higher tech spec hardware and because
    the HT function was disabled in the BIOS, so why not telling others please don´t forget to turn it on?
    Did your Qotom box have such a setting the BIOS, if so then try it out and give us (forum members)
    a feedback on this please!!!

    The IPMI Port on some mainboards mostly Supermicro, and we are talking here about a Supermicro
    Xeon D-15xx vs an Intel Xeon E3 system, are the fall back port associated to the WAN port! So if
    then the WAN is one time failing the WAN falls back to the IPMI and you are trying to get the access
    to the Internet back and again and again but without success or any clue why you can´t do so or
    plain why you would not be able to do so!

    NIC tunings: (if needed)

    • choose ZFS file system  and TRIM support will be enabled automatically
    • high up mbuf size to something between 125000 - 1000000
    • narrow down the amount of num.queues to 1 till 4
    • enable PowerD (high adaptive)

    If you need TRIM or you wish it to enable nice to know that since version 2.4.0 ZFS is
    automatic enabling this for you
    Pending on the used NIC driver and CPU for each NIC port pfSense will be open or create
    queues and they can be filled more (mbuf size 1000000) or less (mbuf size 65000) and on
    top of this the amount of this queues will be also able to set up like 1 queue till 4 or more
    queues likes needed or well matching.
    PowerD will be bringing the CPU to scale up if needed and also vice versa scaling down of
    your pfSense box is not so hard stressed by traffic or functions.

    OpenVPN settings: (if needed)

    • enables Intel RDRAND (if supported by the hardware)
    • activate UDP fast I/O support
    • enable LZO compression if able to do so on both sites
    • set the buffer to 2 MB less or higher could also be matching
    • AES-NI is activated by default since the pfSense version 2.4.0

    And this is quitly the greatest part where you weill be able to play around with for weeks to
    get the best settings matching to your configuration and bringing you the most benefits.

    Please don´t forget please you can win and be happy with only one setting and/or with all or
    some of them together. I personally mean that mostly, many things are playing more well
    together as only one hint.

    VPN is a both ended "thing" and if both ends are enabling LZO compression or fast I/O support
    it would makes more sin to me, Intel RDRAND must be supported by hardware and the buffer is
    more or less pending on your RAM size. And what benefit you will see at your pfSense box or
    based on the hardware you are using.