Info on my configuration



  • Hello everybody, I would like to use pfSense as my own router but I am still having trouble deciding which hardware I want to use. I will start by saying that my ISP WAN connection will be fiber optic (with RJ45 NTU), 500Mbit/500Mbit up/down.

    The router will mostly be used for an OpenVPN connection, since I do travel a lot and I would like to be able to access my home connection as fast as possible.

    Now, I am planning to buy a 1U chassis to fit the router in my home rack system, but from what I can see most of them fit only ITX motherboards. At home I have the following hardware available:

    • MSI H110M ECO H110 uATX
    • Intel Core i5-7500
    • 16GB RAM Corsair LP DDR4 (sadly the motherboard does not support ECC modules)
    • SSD 32GB Kingston

    What do you guys suggest I do: buy an ITX mobo and use the i5, or go for something else?

    Hope someone else can help me out, thank you!


  • Netgate Administrator

    @warofdevil said in Info on my configuration:

    i5-7500

    The i5 is a solid choice if OpenVPN throughput is your priority here. It has good single thread performance.

    If you don't need the full 500Mbps of encrypted traffic then it's probably overpowered.

    Steve



  • Thanks a lot for the clarification Steve :)



  • Today a friend of mine gave me this Atom motherboard: https://www.supermicro.com/products/motherboard/atom/A2SDi-4C-HLN4F.cfm

    I can see online that it is the same CPU that Netgate uses in a few of their products. Do you think that this motherboard would be better than the i5 that I currently use? The mobo will be used with my 16Gb Corsair 2133Mhz posted above.

    If so, do you think I can fit the mobo in my 1U chassis? https://www.supermicro.com/products/chassis/1U/512/SC512L-260B
    (Of course I would need to buy the appropriate I/O shield, should be MCP-260-00079-0N for my chassis)

    For connectivity I am a bit confused: the motherboard has 4x RJ45 Gigabit Intel C3000 SoC. Can I use them, or is a PCI card better? (Just in case, I have an Intel I350-T4 4x PCI at home.) The plan was to use 1 port as WAN, connected to my fiber NTU, and 3 ports in link aggregator to my Ubiquiti POE switch.



  • @warofdevil said in Info on my configuration:

    The plan was to use 1 port as WAN, connected to my fiber NTU, and 3 ports in link aggregator to my Ubiquiti POE switch.

    Why waste some ports in link aggregation mode if you don't handle big traffic flows? Boh! 🕺
    In my opinion it is better to shrink/separate network traffic instead of connecting everything together. 🚥
    For example, you can make some VLANs and/or reserve a network port for WLANs, etc. pfSense can handle each interface independently of the others, and you gain true control of your network.

    If the onboard chipset is detected by the FreeBSD driver, it's fine and there is no need to add another PCI card unless you notice poor performance through the onboard NICs.
    🏊 bye.



  • @babiz said in Info on my configuration:

    In my opinion it is better to shrink/separate network traffic instead of connecting everything together. 🚥

    That's a nice suggestion, I will think about that, and maybe separate my IP cameras, NAS and WiFi into different VLANs.

    Actually, is there a way to test the performance of onboard NICs and NICs from a PCI card?



  • @warofdevil yes of course, you can use the iperf tool.
    It's simple to do. Iperf runs as a server side and a client side.
    You start the server session with: iperf -s
    And on the other end (another host) you start the client with: iperf -c ip_address_of_server

    This is enough for a brief test, but iperf comes with many options: you can define a TCP or UDP test, duration, window size, amount of bandwidth and so on.
    🤗



  • @babiz said in Info on my configuration:

    @warofdevil yes of course, you can use the iperf tool.
    It's simple to do. Iperf runs as a server side and a client side.
    You start the server session with: iperf -s
    And on the other end (another host) you start the client with: iperf -c ip_address_of_server

    This is enough for a brief test, but iperf comes with many options: you can define a TCP or UDP test, duration, window size, amount of bandwidth and so on.
    🤗

    Many thanks, that's really easy, I will start to play with it a little bit :)

    Now I just have to wait for tips regarding which hardware would be better to use, Atom vs i5.



  • @warofdevil said in Info on my configuration:

    Now I just have to wait for tips regarding which hardware would be better to use, Atom vs i5.

    Well, I'm pretty sure the hardware crypto support of the CPU will be a good choice when you need to handle VPN tunnels. But I don't know which is better, Atom or i5; of course the Atom is designed for more power saving than the i5 CPU.

    My pfSense box runs well enough with an APU 2; this board is designed for a good compromise between performance and energy savings (less than 9W at idle with CPU temp around 39°C).

    Anyway, I think you need a tough appliance to handle the gigabit fiber WAN side and your LAN clients, but this reflects the simultaneous use of resources; a busy network needs powerful hardware to be as smooth as possible.

    Yeah, splitting the network into a few subnets sure helps to decrease the latency of your network devices when they talk at the same time, and you can do fine granular control of network flows with pfSense "Limiters" (if you want, or if you deal with many devices).
    Bye. 🌇


  • Netgate Administrator

    The i5 will give you significantly better OpenVPN throughput if the CPU is the limitation there, the single thread performance is higher. And I would expect it to be for a 500Mbps connection. But as said it will consume more power.

    It looks like you actually have both sets of hardware available already though? In which case try it and see, and let us know the results.

    Steve


  • LAYER 8 Rebel Alliance

    My C3558 (Netgate XG-7100) can push around 280 MBit/s OpenVPN AES-256-GCM traffic per Core/Instance.
    I'd expect the i5-7500 to do some more.

    -Rico



  • @rico said in Info on my configuration:

    My C3558 (Netgate XG-7100) can push around 280 MBit/s OpenVPN AES-256-GCM traffic per Core/Instance.
    I'd expect the i5-7500 to do some more.

    -Rico

    Thanks a lot for the info, that helps :)
    I would like to ask you something: do you think that this CPU can handle my fiber connection, 500Mbit up/down? (Of course I am not talking about VPN now.)

    And I am quite curious about something: how can I test whether the integrated NIC of the Supermicro mobo (C3000) will perform better or worse than adding a PCI Intel I350-T4 and connecting WAN and LAN there?


  • LAYER 8 Rebel Alliance

    The CPU will laugh about routing 500 MBit/s traffic. ☺ Totally no Problem there.
    Test your equipment with some potent PC at WAN and LAN side with iperf.

    -Rico


  • Netgate Administrator

    Exactly. 500Mbps of routing with firewall/NAT would be no problem for either CPU.

    Steve