Deciding between two Server RIGs for a new firewall.
  • Hello guys,

    as we will have better internet speed upcoming this year we want to upgrade our veeeery old firewall hardware (still running 2.2.6).

    We will have:

    • 100 MBit/s up/down WAN
    • 10 Mbit/s up/down WAN
    • 50/15 Mbit/s up/down WAN
    • 1 Gbit LAN (10 Gbit between all switches)

    Using OpenVPN (atm only AES 128), pfBlockerNG, SNORT (on all interfaces).

    So now I have something in sight that is on the same budget level (around 500€):

    Intel Celeron G3900 (2x 2.8 GHz) | Asus P10S-I | 4 GB ECC DDR4 | 3x Intel Gbit NIC (2x onboard, 1x extension)
    -VS.-
    Intel Celeron J3455 (4x 1.5-2.3 GHz) | Industrial IPC Board | 4 GB RAM | 6x Intel Gbit NIC onboard

    The J is lower on Hz but has 4 cores while the G has higher Hz but only 2 cores.

    What are your ideas? I have no clue how packet handling and speed scale with more cores compared to a higher Hz count.

    Best regards,

    Mel


  • Netgate Administrator

    OpenVPN is single threaded. Snort is single threaded (currently) but would be one thread per interface.

    OpenVPN is probably the biggest restriction there, but either of those will do 100Mbps (subject to traffic type, link conditions etc).

    Steve



  • Hey Steve, thanks for your reply.

    I did not know it is still single threaded. Maybe I should try Suricata then instead of SNORT? Is each OpenVPN server using one thread, or all together? (We have two running atm on the pfSense.)

    Btw. I think we have space for a 2U rack, so it would be possible to get this RIG for the same price:

    AMD Ryzen 3 2200G | MSI A320M | 8 GB DDR 4 | 3x Intel Gbit NIC PCI-E.

    (sure, consumer stuff, but easier to replace just in case) I guess I would kill Hz count and more threads with that one, if pfSense supports that processor unit.

    Mel


  • Rebel Alliance Moderator

    @Melphiz said in Deciding between two Server RIGs for a new firewall.:

    Is each OpenVPN server using one thread, or all together?

    No, every OVPN process is bound to its own core. So with e.g. a quad core you could run multiple OVPN servers/s2s connections to spread out CPU utilization.

    Maybe I should try Suricata then instead of SNORT?

    You could but would miss out on OpenAppID if that is relevant to you.

    I'd personally skip Ryzen CPUs as their architecture isn't that great for network related processing, and look more towards things like the Intel Atom C2xx8 (old) or C3xx8 chipsets/CPUs, as their main purpose is network related. (And it's one reason pfSense has two official boxes using them: the SG-5100 and SG-7100.)


  • Netgate Administrator

    With 200Mbps total, anything reasonably recent is going to be fine I would expect.

    Steve



  • @JeGr said in Deciding between two Server RIGs for a new firewall.:

    I'd personally skip Ryzen CPUs as their architecture isn't that great for network related processing, and look more towards things like the Intel Atom C2xx8 (old) or C3xx8 chipsets/CPUs, as their main purpose is network related. (And it's one reason pfSense has two official boxes using them: the SG-5100 and SG-7100.)

    Ok, thanks for that input. I wasn't aware of that. I have found another source for buying this kind of stuff. So I might end up purchasing SuperMicro A2SDi-4C-HLN4F board with Atom C3558 + 1U Chassis + 8GB Samsung RAM M378A1K43CB2-CTD (non ECC) from the tested memory list.
    I would go with a WD Re (Yellow) that is still unused.

    Thanks for all the input, guys. Appreciate it.



  • I think you shouldn't be concerned whatever you go for... I suggest buying a server grade machine because they are cheap... Also your WAN speeds combined seem not a big deal, so I think any dual CPU server will do the work... For example I have a Cisco UCS C210 M2 with 2x X5650 6 core CPU, 24 GB DDR3 RAM, 2x Broadcom dual SFP+ 10G NIC... This machine has 4 WANs configured: 2x 10 Gbit/s plus (2x 1 Gbit/s through onboard ports) from 4 separate ISPs, 2x LAN ports 10 Gbit/s, OpenVPN and some other things... I share internet with some of my neighbors as well... Never had any problems and never seen load exceed 10% even with lots of traffic... As I remember, a few months ago there was a new game released and we were eager to play, so 4-5 of my friends including me started to download at the same time and we accumulated near 800 MB/s without a problem :)