Budget build question



  • Greetings all,

    I am new to this forum. I was hoping to get some advice for my home network.

    Currently my main router (ASUS AC68p) is acting as a SAMBA server/OPENVPN server and router.

    I now need it to act as a selective OPENVPN Client but the router's CPU doesn't have the capability to do so.

    I'm wondering if I'd have any problems running pfsense on this: https://ca.refurb.io/collections/desktops/products/hp-elite-8300-elite-sff-combo-i5-3470-3-2ghz-8gb-250gb-hdd-19-lcd-monitor-windows-10-home

    Specs:
    CPU: Intel Core i5 3470 3.2ghz
    Memory: 8GB Ram
    279$ ($223 USD)

    My plan is to remove the 250GB HDD and replace it with a USB key. (Will there be any performance hits if I use a USB key?)

    I know it's bad to use a pfsense machine as an OPENVPN Server/Samba Server so I'll continue to run both of those through the AC68p.

    My requirements for the pfsense box:
    The ability to segregate certain network devices (VLANS?)
    Selective OpenVPN routing (50-60Mbps)

    I was originally looking at low-power celeron builds, but being in Canada, those things will probably cost significantly more than this i5.

    Alternatively, I could set up my BananaPi (raspberry pi clone) as a router and tell it to forward all incoming traffic through its OpenVPN client.



  • I don't think you'll hit your performance target with a pi. Pretty much any intel/amd with AES-NI will hit that performance target, including an APU2 if that's reasonably priced from where you're buying it. (About $150 here.)



  • PC Engines APU2C4 if you could get it cheap would also be my vote.

    If not or you may tell us your total or complete Internet connection speed you might be also lucky
    with the SG-1000 or SG-3100, I don't know where you are placed in Canada and what fees, tax or
    other fees you have to pay on top of the price, but this might be a really nice box then to reach your goal.



  • Do not buy an i5-3470 for pfSense for nearly 300. No bueno.

    I got an old SFF workstation for pfSense as well, with an i5-2400.

    It cost me like $130 out the door after I added an i340t4.
    I run openvpn clients and server, pfBlockerNG, suricata with a moderate ruleset and several more less taxing packages on a 150/10 soon to be 100/100 line - and I don't think I've ever seen usage above 20%.

    Point being, you're paying way too much for not enough.

    For that price, build your own modern, small, low power, silent j3355b setup. Even though you didn't post your actual needs, you almost certainly can accomplish what you need with a j3355b on pfSense. Canada prices might suck but just looking at amazon you can get a j3355b to your door for <$95USD.
    https://www.amazon.ca/dp/B01M9EXCYB/ref=asc_df_B01M9EXCYB1507806000000/?tag=shopbotca-20&creative=395285&creativeASIN=B01M9EXCYB&linkCode=df0&utm_source=shopbot&utm_medium=referral

    And amazon generally isn't the cheapest.

    And ultimately it doesn't matter if you can get the i5 for slightly cheaper than the Celeron so long as the Celeron is the right tool for the job. And from what little detail you've posted about the job it is very likely more than a match for your job.

    Now, if you can get an old SFF i5 workstation for a price that isn't bullshit - go for it!



  • @BlueKobold:

    PC Engines APU2C4 if you could get it cheap would also be my vote.

    If not or you may tell us your total or complete Internet connection speed you might be also lucky
    with the SG-1000 or SG-3100, I don't know where you are placed in Canada and what fees, tax or
    other fees you have to pay on top of the price, but this might be a really nice box then to reach your goal.

    I currently have 100/10 with the option of upgrading to 250/20 for 5$ and 1000/30 for 15$ more than what I currently have.

    I don't see myself upgrading anytime soon, but it would be a shame if I couldn't run 250/20 through the modem.

    @belt9:

    Do not buy an i5-3470 for pfSense for nearly 300. No bueno.

    I got an old SFF workstation for pfSense as well, with an i5-2400.

    It cost me like $130 out the door after I added an i340t4.
    I run openvpn clients and server, pfBlockerNG, suricata with a moderate ruleset and several more less taxing packages on a 150/10 soon to be 100/100 line - and I don't think I've ever seen usage above 20%.

    Point being, you're paying way too much for not enough.

    For that price, build your own modern, small, low power, silent j3355b setup. Even though you didn't post your actual needs, you almost certainly can accomplish what you need with a j3355b on pfSense. Canada prices might suck but just looking at amazon you can get a j3355b to your door for <$95USD.
    https://www.amazon.ca/dp/B01M9EXCYB/ref=asc_df_B01M9EXCYB1507806000000/?tag=shopbotca-20&creative=395285&creativeASIN=B01M9EXCYB&linkCode=df0&utm_source=shopbot&utm_medium=referral

    And amazon generally isn't the cheapest.

    And ultimately it doesn't matter if you can get the i5 for slightly cheaper than the Celeron so long as the Celeron is the right tool for the job. And from what little detail you've posted about the job it is very likely more than a match for your job.

    Now, if you can get an old SFF i5 workstation for a price that isn't bullshit - go for it!

    I actually thought that was a good deal for an i5 CPU, but I've been out of the loop for a long time. My main computer is a used ivy bridge-e that I picked up.

    I'll look into j3355b. I already have some DDR3 SDRAM and a Pico PSU lying around.

    Edit: found it on ebay: www.ebay.ca/itm/272879825517?

    I also found the 3455 for 100$: https://www.amazon.ca/gp/aw/d/B01M7OUO62/

    I couldn't find anything conclusive, will pfsense benefit from a quad core vs a dual core?



  • @Roy360:

    Edit: found it on ebay: www.ebay.ca/itm/272879825517?

    I also found the 3455 for 100$: https://www.amazon.ca/gp/aw/d/B01M7OUO62/

    I couldn't find anything conclusive, will pfsense benefit from a quad core vs a dual core?

    The j3355 is generally a better choice because the bottleneck tends to be single threaded performance for openvpn or pppoe, and the j3355 base clock of 2GHz is significantly higher than the J3455 base clock of 1.5GHz. More cores would help with routing multiple gigabit networks, but that's not usually a requirement in a home context.



  • +1 to vamike for j3355 over 3455 for most home networks.

    It's not so much that the i5 you listed was a bad deal, it's a bad deal for what it sounds like you need.

    That CPU is way overpowered, like hugely so. It's newer and faster than my i5-2500 box, and my box is dramatically overpowered for what I need to do, but it was cheap.

    I would recommend just shopping around SFF workstations from reputable sellers that are under USD 100. I'd look for one that doesn't include the HDD. You can boot with zfs from a pair of flash drives and a ram disk (I do), or get a cheapo 16gb ssd.

    Any second gen i3 or better will do. Some older pentiums will work. You do want AES-NI though which will probably be the limiting factor in how old of a cpu you can get. I don't remember when that came out on i3's and pentiums? That's probably why I ended up with a second gen i5 come to think of it.

    If you find a workstation you like then order it and also a used server pull i340 (2 or 4 port as required) with a low profile bracket.
    Put the NIC in the computer, unplug unnecessary stuff it may have come with (HDD, optical drive, etc.) and you're ready to go.

    That's what I would do in your shoes if you're wanting to buy used.

    If you want new then definitely recommend j3355b route. It will cost you more for sure though.



  • @belt9:

    +1 to vamike for j3355 over 3455 for most home networks.

    I would recommend just shopping around SFF workstations from reputable sellers that are under USD 100. I'd look for one that doesn't include the HDD. You can boot with zfs from a pair of flash drives and a ram disk (I do), or get a cheapo 16gb ssd.

    That's what I would do in your shoes if you're wanting to buy used.

    I remember reading a thread saying to use a hdd over a ssd for pfsense due to the number of writes pfsense makes.

    I currently have the following in my possession:
    USB key
    Hdd
    32gb msata ssd

    Are you saying to go ssd?



  • I currently have the following in my possession:

    this would be my personal road to walk on;
    1. choice mSATA
    2. choice Hdd
    3. USB key for installations only



  • @Roy360:

    I remember reading a thread saying to use a hdd over a ssd for pfsense due to the number of writes pfsense makes.

    That thread is stupid and may safely be disregarded.



  • My priority would be:

    SSD
    SLC Flash Drive / SATA DOM
    xLC (normal) Flash Drive
    HDD

    I wouldn't recommend using normal thumb drives as a boot disk unless you A. mirror them or better in ZFS and B. Use a RAM Disk. I use a set of thumb drives with zfs redundancy and a RAM disk and it works great.



  • @belt9:

    My priority would be:

    SSD
    SLC Flash Drive / SATA DOM
    xLC (normal) Flash Drive
    HDD

    I wouldn't recommend using normal thumb drives as a boot disk unless you A. mirror them or better in ZFS and B. Use a RAM Disk. I use a set of thumb drives with zfs redundancy and a RAM disk and it works great.

    I'll go the ssd route then. It's just been hanging out in my laptop as a cache drive these days.

    Plus I'm assuming in order to use a RAM disk you'd need ECC RAM.

    @belt9:

    If you find a workstation you like then order it and also a used server pull i340 (2 or 4 port as required) with a low profile bracket.
    Put the NIC in the computer, unplug unnecessary stuff it may have come with (HDD, optical drive, etc.) and you're ready to go.

    Could I use a Monoprice USB 3.0 NIC to connect to my internet modem, and then use the onboard to connect to my Asus router (which will be running as a wireless AP)?

    The specific NIC you mention is going for 50$ used.



  • You definitely don't need ECC RAM for a RAM Disk (I don't use ECC) - ECC is never needed in a home router.

    But if you already have an SSD just use that.

    People have used USB NICs, it's not recommended and I've never done it so I can't say if it will work for you or not.
    Personally I would get a VLAN capable switch and use that instead.



  • I've set up a Raspberry Pi as an OpenVPN server to allow remote access before and it tops out at about 10-12 Mbps. If your connection is under that then it will work or if you just want the occasional access to a network.



  • @jgiannakas:

    I've set up a Raspberry Pi as an OpenVPN server to allow remote access before and it tops out at about 10-12 Mbps. If your connection is under that then it will work or if you just want the occasional access to a network.

    He could do that with the router he already has using xxxwrt.



  • @belt9:

    @jgiannakas:

    I've set up a Raspberry Pi as an OpenVPN server to allow remote access before and it tops out at about 10-12 Mbps. If your connection is under that then it will work or if you just want the occasional access to a network.

    He could do that with the router he already has using xxxwrt.

    I've tried.

    The router's CPU isn't capable of it.

    Running selective openVPN bogs down all the wireless connections, even though they aren't running thru the vpn.



  • I had the same issue as Roy to a degree, I ran OpenVPN on 1 low end router, and 1 High End consumer Router with pretty much the same results.

    OpenVPN is a resource hog and really has no real optimisation, so in the end I built my PFSense Router/Firewall on:

    ITX Asrock SoC AMD-APU 5000 (Builtin AES-NI)
    Generic 1U Case
    Basic 1U PSU
    40GB HDD
    4GB of RAM

    Running:

    OpenVPN
    Suricata protecting WAN, LAN, TUN
    few other bits and bobs

    Running 80/20.



  • @belt9:

    Now, if you can get an old SFF i5 workstation for a price that isn't bullshit - go for it!

    How about an i5 2.9GHz 4570S, 8GB ram, 120GB SSD for 210 (160 USD)?

    I can swap out the CPU with the i3 4130 that's in my htpc.



  • That's certainly more better  ;D

    Another thought, just use your HTPC as pfSense and buy a J3355B to use as your HTPC. It does HEVC 10 bit hardware decoding. Mine plays back the higher bitrate 4k HEVC 10 bit jellyfish test files just fine.

    That option might save you some $$.



  • @belt9:

    That's certainly more better  ;D

    Another thought, just use your HTPC as pfSense and buy a J3355B to use as your HTPC. It does HEVC 10 bit hardware decoding. Mine plays back the higher bitrate 4k HEVC 10 bit jellyfish test files just fine.

    That option might save you some $$.

    My HTPC doubles as a gaming rig too (it has a gtx 750ti)  8)

    Steam link and Nvidia gamestream require the host to be not in use, so I've got no choice but to play games locally. Otherwise I'd definitely set up streaming, my network is mainly wired after all.