How much CPU does one need...
-
Hey guys and gals
Adding an Asus RS100-E10-PI2 to my network cabinet as a pfSense box as it meets all my needs... 1U half depth, 4x on-board Intel NICs, a modern CPU that is AES-NI capable, 1 full-height x16 PCIe slot, DDR4 ECC RAM support with a compatible CPU, to list a few of the strong points, but where it shines best is the whisper-quiet operation.
Now the question is...
How much CPU do I really need to achieve full-duplex gigabit operation with IDS/IPS while handling its duties as firewall / NAT and VPN tunneling?
CPU List : HERE
I'm guessing a Celeron is right out of the gate a big fat NO, but the 8th or 9th gen i3 might be able to, though I'm not quite sure...
PS: Internal LAN will be an HP InfiniBand 544+ as they are reasonably priced and readily available.
-
@_adrian_ said in How much CPU does one need...:
full duplex gigabit operation with IDS/IPS
10 or 15 years ago, we would say such a setup would need a multi-processor setup, not just some multi-core/threading one.
But there is good news. As I presume you do not work for the NSA, you do not have the 'cracker code' that unfolds every TLS stream thrown at it (you would be sitting on top of the entire information stream of this planet, having Putin and Biden on the phone every day, every "freedom of speech" warrior planning to kill you, and NOT asking questions here), so the IDS can't do anything with these packets.
The IDS stops handling right after some basic Ethernet header checks. These headers contain the source IP, destination IP, source port and destination port, the source and destination MAC, and some flag bits. Not much to "scan" here.
I think I'm telling you nothing new here, right? Why do you think you need "IDS"? Just check the ratio of TLS to non-TLS traffic on your network. Some DNS and NTP is still not TLS, so OK, go inspect the time of day, and nail the bastard that sends you a non-existent February 29, 2022, as that day doesn't exist ;)
DNS can be 'scanned' with tools like pfBlockerNG with a pass/no-pass functionality. The time that a router/firewall admin could 'see' the traffic is over.
The man-in-the-middle has been taken down in the forest and shot like Clippy. I tend to say: a 'fat' Celeron would do just fine; I guess my iPhone processor could handle the traffic just fine.
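Added editor's example, not part of the post above and not code from pfSense, Suricata or Snort: a small parser that reads exactly the fields the reply describes (MACs, IPs, ports, TCP flags) from a constructed Ethernet/IPv4 frame and then reports how far it can read into the payload. A TLS application-data record gives up nothing past its 5-byte record header, while a cleartext DNS query exposes the queried name, which is the part a tool like pfBlockerNG can act on. All addresses, MACs and frames are constructed inline; checksums are left at zero because nothing here validates them.

```python
"""Added example: what a firewall-side IDS sees of a frame without TLS keys.

Not code from the thread or from pfSense/Suricata/Snort. Parses Ethernet,
IPv4 and TCP/UDP headers of constructed frames and classifies the payload:
a TLS application-data record is opaque beyond its 5-byte record header,
a cleartext DNS query exposes the queried name. Checksums are left at zero.
"""
import struct
from dataclasses import dataclass

TLS_APPLICATION_DATA = 0x17  # TLS record content type for encrypted app data


@dataclass
class Visible:
    """Fields an IDS can read without decrypting anything."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    tcp_flags: str
    payload_len: int
    payload_view: str  # what can be made of the payload bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _tcp_flags(bits: int) -> str:
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    return "|".join(n for i, n in enumerate(names) if bits & (1 << i)) or "-"


def _dns_qname(payload: bytes) -> str:
    """Read the length-prefixed labels of the first question (no compression)."""
    pos, labels = 12, []  # the 12-byte DNS header precedes the question section
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def inspect_frame(frame: bytes) -> Visible:
    """Parse Ethernet -> IPv4 -> TCP/UDP and classify the payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src_ip, dst_ip = frame[26:30], frame[30:34]
    l4 = frame[14 + ihl:14 + total_len]
    flags = "-"
    if proto == 6:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4         # TCP header length in bytes
        flags = _tcp_flags(off_flags & 0x3F)
        payload, pname = l4[data_off:], "TCP"
    elif proto == 17:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        payload, pname = l4[8:ulen], "UDP"
    else:
        raise ValueError(f"unhandled IP protocol {proto}")

    view = "opaque bytes"
    if (pname == "TCP" and len(payload) >= 5
            and payload[0] == TLS_APPLICATION_DATA and payload[1] == 3):
        rec_len = struct.unpack("!H", payload[3:5])[0]
        view = (f"TLS application-data record, {rec_len} bytes of "
                "ciphertext (unreadable without the session keys)")
    elif pname == "UDP" and 53 in (sport, dport) and len(payload) > 12:
        view = (f"DNS query for {_dns_qname(payload)} "
                "(cleartext, matchable against a blocklist)")
    return Visible(_mac(src_mac), _mac(dst_mac), _ip(src_ip), _ip(dst_ip),
                   pname, sport, dport, flags, len(payload), view)


# --- constructed sample frames (hypothetical hosts, documentation IP ranges) ---
def _frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                         64, proto, 0, src_ip, dst_ip)
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip_hdr + l4


def _tcp(sport, dport, flags, payload):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                       65535, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


LAN_MAC, GW_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
CLIENT, RESOLVER = bytes([192, 168, 1, 50]), bytes([192, 168, 1, 1])
WEBSERVER = bytes([203, 0, 113, 10])

# TLS record: type 0x17, version 3.3, 16 bytes standing in for ciphertext.
TLS_FRAME = _frame(LAN_MAC, GW_MAC, CLIENT, WEBSERVER, 6,
                   _tcp(51234, 443, 0x18, b"\x17\x03\x03\x00\x10" + bytes(range(16))))
# DNS query: id 0xBEEF, RD set, one question: example.com A IN.
DNS_FRAME = _frame(LAN_MAC, GW_MAC, CLIENT, RESOLVER, 17,
                   _udp(40000, 53, struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)
                        + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)))

if __name__ == "__main__":
    for f in (TLS_FRAME, DNS_FRAME):
        print(inspect_frame(f))
```

Running it prints two `Visible` records: the HTTPS frame yields the 5-tuple, MACs and PSH|ACK but only "N bytes of ciphertext" for the payload, while the DNS frame yields the queried name. That is the asymmetry the post is pointing at: header matching costs almost nothing per packet, and the expensive deep-inspection path only ever runs over the shrinking share of cleartext traffic.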
-
@gertjan I do MITM all the time for the very same reasons.
-
@gertjan It's not about needing all that, but more or less about what I can possibly load up in the future that can / will slow down the system. I was always a firm believer in taking the most demanding task I can throw at it and then doubling its requirements, so I don't have to touch it for a long time. Also, the i3s and most of the Xeons that are listed are multi-core and no longer multi-threaded, at least in what is usable in this system...
My main point / concern is NOT to have to touch or change anything inside, hardware-wise, for a decade (other than cleaning, of course)... yes, I'm aware fans / SSDs might fail.
-
@_adrian_ said in How much CPU does one need...:
My main point / concern is NOT to have to touch or change anything inside hardware wise for a decade
A decade is just too long, I believe; for example, in my case I planned five years.
-
@nollipfsense If you go overkill, why not?
My internal high-speed network switch is a 100 Gbps beast while I'm only using 40 Gbps QSFPs, as that's all I need right now, but it leaves me with the option to bump up when needed. The same concept is applied to my Gigabit PoE+ switch, which I will never saturate, and luckily it even came with all uplink ports licensed for 10 Gb operation.
As far as the firewall goes...
I ended up scooping up a Xeon E-2124 off eBay for a steal of a deal (under $100 shipped) and will be adding 16 or 32 GB of DDR4 2666 ECC as well as a 500GB Samsung M.2.
-
@_adrian_ Looks as if you got an awesome deal ... congrats!
-
Slowly / again and again we return to my question: How does pfSense utilize multicore processors and multi-CPU systems?
3,100 views and NO right answer at that time (the same thread on the FreeBSD forum, but also no good result). I hope it's time for the Netgate company to create a lab for comparing solutions based on DIY and its own hardware (if I remember correctly, based on a SuperMicro platform), and also for bandwidth testing.
Not huge money for a company at all, even in COVID-19 crisis time.
-
@_adrian_ It's likely a "shades of gray" answer, as it depends heavily on how it will be used. Re: VPN, did you look at Netgate's specs? For IMIX, the 1537 (at 2.1 Gbps) is the first over 385 Mbps for IPsec. Note also TNSR is much faster.
-
@steveits I had a quick look, but it's late and I just finished a 12-hour work day... the main difference I spotted between the 2 units isn't black magic but an accelerator card, CPIC-8955, that seems to offload the encryption from the CPU and "accelerate cryptographic workloads".
For a "home lab" I cannot justify spending $2650 USD or $3150 USD plus the recurring $500 USD yearly subscription when the Asus RS100 listed above set me back $550 CAD + $98 CAD for the CPU + $110 for a 500GB WD SN750 + $140 for 16GB DDR4 2666 ECC RAM, which is a hair under $900 CAD, which at the current exchange rate is roughly $732 USD.
Not sure about the forward compatibility of the Netgate units with other "firewall" software, and it would suck to get hardware-locked after spending such a large amount of money, but for me... leaving the door open to other avenues to be discovered and allowing future flexibility is a good thing, as now more than ever that is something to keep in mind.