New hardware

JKnott

As I mentioned earlier, the computer I was running pfsense on died recently. I have decided on one of these as a replacement. I'll be getting the Q350G4 4200U NO WiFi bundle with 4 GB of RAM. I trust this would be adequate for pfsense. I have a 500 Mb down/20 up Internet connection.

Comments?

tnx jk

noplan

@jknott

I recommend >4gb ram better for Playin around with DNSBL

Only Intel to use Intel NICs and for the horsepower hmmm some AES NI supported CPU

BrNP

JKnott

@noplan

I'm not sure what your reply is saying. That 4 GB is well above the minimum specs for pfsense and what does DNSBL mean? It also has Intel NICs and AES-NI. The system it replaced has an Athlon 3200+ CPU and 4 GB, which ran very well and had no problem keeping up with 500 Mb download.

NogBadTheBad

@jknott said in New hardware:

@noplan

I'm not sure what your reply is saying. That 4 GB is well above the minimum specs for pfsense and what does DNSBL mean? It also has Intel NICs and AES-NI

Hes talking about pfBlocker.

TBH RAM is cheap

noplan

@jknott

hi,
if u plan tu use pfBlocker and play a little with DNSBL (DNS-based Blackhole List)
then the more RAM u have the better.

have u thought about gettin a NETGATE SG1100 box depending on your use case ...
and by the way much cooler than the aliX import ;)

AES and Intel Nics are keepin u headache free ;)

noplan

@nogbadthebad said in New hardware:

TBH

?? damn i'm from europe i dont speak emojii ;)

NogBadTheBad

@noplan said in New hardware:

@nogbadthebad said in New hardware:

TBH

?? damn i'm from europe i dont speak emojii ;)

I'm in Europe too

TBH = To Be Honest

JKnott

@nogbadthebad said in New hardware:

Hes talking about pfBlocker

I don't use pfblocker.

JKnott

@noplan said in New hardware:

have u thought about gettin a NETGATE SG1100 box

When that was discussed earlier, the opinion was that it was a bit anemic and to go for a better model.

noplan

@jknott

have a look SG-2100 here a little over 300 EUR not including VAT

@ SG1100 same here !

but compare it wirh the SG2100 maybe it fits

noplan

@nogbadthebad said in New hardware:

I'm in Europe too

No you are not ! You kicked yourself out !

:

JKnott

@noplan said in New hardware:

but compare it wirh the SG2100 maybe it fits

It's about twice the price of the Qotom I selected.

noplan

@jknott

but the shippin from them to me flippy expensive

bingo600

@noplan

Isn't shipping around $40 w. DHL ?

noplan

@bingo600

i think i'll get a new toy ;) but i think customs declaration & import tax will kill the benefit

but @ netgate i found this

JKnott

@jknott said in New hardware:

@noplan said in New hardware:

but compare it wirh the SG2100 maybe it fits

It's about twice the price of the Qotom I selected.

Hmmm... Somehow I got the idea it was twice the price, but on checking further it appears to be roughly the same. Which would have better performance? The Qotom is an i5 CPU and has Intel NICs, but the Netgate has an ARM CPU and Marvel NICs. Both have 4 GB.

noplan

@jknott

depends on your use case, and on how long u wanna use the "box"
if u are a home/lab user and planning to use the box till it dies go with the netgate box considering the future possibility to go all in with the pfS+ version they are talkin about

and hey its a netgate box vs a china box ;)

dont get me wrong i really dont have a clue what hardware i m gonna buy in the next 6 months

@noplan said in New hardware:

and hey its a netgate box vs a china box

Exactly where do you think the Netgate device is manufactured?

JKnott

@jwj

As was the Unifi AP I recently bought. Does the Netgate have those AES-NI instructions?

bingo600

@jknott said in New hardware:

@jwj

Does the Netgate have those AES-NI instructions?

AES-NI is an Intel extension

@jknott No. It doesn't. The i5 will crush the ARM device for single thread performance and OpenVPN throughput. Question is, do you need that performance? Netgate box will be more energy efficient.

For what it's worth, I've always seen the 5100 as entry level. Then I cried inside at the price... The LAN<->LAN filtering rates is what I pay attention to. I would want line speed.

JKnott

@bingo600 said in New hardware:

AES-NI is an Intel extension

It's on other CPUs too.

bingo600

@jknott said in New hardware:

@bingo600 said in New hardware:

AES-NI is an Intel extension

It's on other CPUs too.

Please mention just one ARM CPU that has it (AES-NI)

JKnott

@jwj said in New hardware:

No. It doesn't. The i5 will crush the ARM device for single thread performance and OpenVPN throughput. Question is, do you need that performance? Netgate box will be more energy efficient.

The Netgate takes a 12V 2A power supply, which means it runs less than 24W. The Qotom takes 15W, so there's not much difference. As for the AES-NI instructions, it wasn't that long ago that plans were dropped to require them. I don't have much of a need for those, as I only occasionally use the VPN, but I wouldn't want to lose the ability to update the software for the lack of them.

JKnott

@bingo600 said in New hardware:

Please mention just one ARM CPU that has it (AES-NI)

According to that article I linked to, several do.

@jknott For sure not an obvious choice. You're going to have to have a think about it.

Also some of the discusion around pfSense+ leads me to believe the REST API is on the roadmap. Will that bring back the AES requirement or will they work around that with the other instructioin sets available on the ARM devices. I have no idea...

What do you see as the lifespan of this device?

noplan

@jwj
couldn't agree more here with @jwj

bingo600

@jknott said in New hardware:

@bingo600 said in New hardware:

Please mention just one ARM CPU that has it (AES-NI)

According to that article I linked to, several do.

Where does it say that an ARM CPU has AES-NI ??

I see this , where it specifically mentions that AES-NI is Intel/AMD only

Other architectures have Crypto instructions too , but not AES-NI

/Bingo

JKnott

@jwj said in New hardware:

What do you see as the lifespan of this device?

Well, based on my other experience, until something significantly better comes along or it dies (as happened with my previous firewall). I'm not one to run out and buy the latest & greatest, unless it yields significant improvement. For example, if a pfsense update had required AES-NI, then I would have bought something that supports it, as the HP computer I was running didn't.

Another example, my current desktop computer case originally had a 32 bit CPU. I've since replaced the mom board a couple of times. The case is so old it's cream coloured, not black (matches my IBM model M keyboard, but not much else). I also recently finally got an AP that support 5 GHz.

BTW, that keyboard is built like a tank and old enough to not have a Windows key.

bingo600

@jknott said in New hardware:

The Netgate takes a 12V 2A power supply, which means it runs less than 24W. The Qotom takes 15W, so there's not much difference.

The CPU TDP is 15W

The NIC's (Phy's) + other electronics also consumes

My Qotom came w. a 12V/5A PSU

/Bingo

JKnott

@bingo600 said in New hardware:

Other architectures have Crypto instructions too , but not AES-NI

So, what does pfsense do with those Crypto instructions? Ignore them? I could be wrong, but I would assume software written for an ARM CPU would take advantage of the ARM instructions.

It's been a while since I've written software, but I seem to recall compilers can link in appropriate libraries for the different target hardware.

@jknott said in New hardware:

@bingo600 said in New hardware:

Other architectures have Crypto instructions too , but not AES-NI

So, what does pfsense do with those Crypto instructions? Ignore them? I could be wrong, but I would assume software written for an ARM CPU would take advantage of the ARM instructions.

It's been a while since I've written software, but I seem to recall compilers can link in appropriate libraries for the different target hardware.

There are some threads concerning that. To the best of knowledge it does ignore them at the moment.

I have sent you a private message...

bingo600

@jknott said in New hardware:

@bingo600 said in New hardware:

Other architectures have Crypto instructions too , but not AES-NI

So, what does pfsense do with those Crypto instructions? Ignore them?

If Netgate want their ARM boxes to perform decent w. crypto they probably have enabled the usage of any Crypto instructions available.

I could be wrong, but I would assume software written for an ARM CPU would take advantage of the ARM instructions.

On embedded programming you often have to make sure to use the correct libraries. It's usually done with a couple of compiler switches , that pulls in the correct linker library. Sometimes you even have to set a few bits in the MCU , in order to enable any "Crypto part in the MCU" , often "extensions" are disabled on POR , to minimize power usage.

It's been a while since I've written software, but I seem to recall compilers can link in appropriate libraries for the different target hardware.

Yepp , if being told to do so.

But you were referring to AES-NI
And i replied correctly it was an Intel extension.

/Bingo

@jknott said in New hardware:

@jwj said in New hardware:

What do you see as the lifespan of this device?

Well, based on my other experience, until something significantly better comes along or it dies (as happened with my previous firewall). I'm not one to run out and buy the latest & greatest, unless it yields significant improvement. For example, if a pfsense update had required AES-NI, then I would have bought something that supports it, as the HP computer I was running didn't.

Another example, my current desktop computer case originally had a 32 bit CPU. I've since replaced the mom board a couple of times. The case is so old it's cream coloured, not black (matches my IBM model M keyboard, but not much else). I also recently finally got an AP that support 5 GHz.

BTW, that keyboard is built like a tank and old enough to not have a Windows key.

I'm very much the same. For example, my 2015 VW Golf is just about broken in. I'll drive it until it has no value and then replace it.

Buy nice things and use them, don't worry about the new things until your done with the ones you have ;)

JKnott

@bingo600 said in New hardware:

My Qotom came w. a 12V/5A PSU

How much does it actually consume? What does the label by the power connector say? The info I saw listed 12V 2A. It's good practice to over spec things like power supplies, provided you don't go overboard. Either way, both devices are in the same ballpark and will require far less power than the HP desktop computer that's being replaced.

bingo600

@jknott said in New hardware:

@bingo600 said in New hardware:

My Qotom came w. a 12V/5A PSU

How much does it actually consume?

I haven't measured it yet , i might

Either way, both devices are in the same ballpark

I would expect the 2100 to use less than the Qotom.
Guesstimate ... Around half.

and will require far less power than the HP desktop computer that's being replaced.

I totally agree

JKnott

@bingo600 said in New hardware:

But you were referring to AES-NI

My original intent was to write AES-NI or equivalent, but I didn't bother.

JKnott

@jwj said in New hardware:

I'm very much the same. For example, my 2015 VW Golf is just about broken in. I'll drive it until it has no value and then replace it.
Buy nice things and use them, don't worry about the new things until your done with the ones you have ;)

I'm driving a 2005 Ford Taurus and it's still going strong. I generally drive my cars until the wheels fall off.

No matter what it will soon be new hardware day. That's a happy occasion. Cheers!

JKnott

@jwj

One other thing I just noticed about the Netgate box. It doesn't appear to have a video port. That's not critical, as I do have a USB serial port, but I have a 4 port HDMI/USB KVM, which I used to connect to my old firewall. I could just switch from my computer to my firewall as needed.