Best hardware for new 1U servers?
-
Looking at pfSense's supporting vendors, the Hacom stuff looks decent for low- to middle-range installs. But what's good, solidly compatible hardware going upwards from their offerings? In my case we're looking for something that can handle 20 concurrent OpenVPN sessions, 100 or so active NAT'ed connections to servers behind it (that is, 100 distinct DNAT links from the firewall to the inside; a few of these may have several dozen external addresses connecting at the same time as outside sources), plus traffic between several subnets behind the firewall. Or can the Hacoms actually handle that?
Preinstalled pfSense doesn't matter at all. What matters is hardware that's 1U, that's beefy enough to never be a bottleneck in the operation, and that's relatively reliable. The client in this case doesn't care about saving a few hundred bucks; the price equation is the difference between going this way and going with a SonicWall. The goal is to get two, and set up failover. But a good guarantee on the hardware, so that a failed unit can be quickly replaced, is of real value. Redundant power supplies would be good too, but not essential.
(I'm coming from a Linux/Netfilter background on regular servers. The other admin on the current project is from a SonicWall appliance background. My supposition here is that a pfSense appliance will give him enough of what he wants, while staying out of SonicWall's overpriced, proprietary space. But another guy, who used to be in his seat, brought in a bunch of marginal, discount 1U hardware that's flaking out right after warranty expiry, so quality on that end is essential.)
Update bonus Q: Is there any rule of thumb correlating CPU with max throughput using pfSense, assuming a current system with Intel NICs?
-
Bonus Answer: Try reading the pfSense site, where you'll find information on hardware sizing ;)
I'd also suggest you try searching, since the general question has been asked and answered many times, even this week yours isn't the first. As I'm fond of saying, you need to know your traffic profile, both in terms of bandwidth and packets per second. Packets per second is more important than bandwidth.
My personal choice would be to buy commodity 1U hardware, with Intel Gbit server grade nics, preferably on PCIe. If you're uncertain of your traffic profile then go with lots of RAM and lots of CPU power.
-
@Cry:
Bonus Answer: Try reading the pfSense site, where you'll find information on hardware sizing ;)
Cry, trust me, I have been. And I have not found that information yet. If someone can point me to it, I'll be obliged. (Hint: If newbies can't find it easily, it may be a clue that there's room for improvement in the organization.)
I'd also suggest you try searching, since the general question has been asked and answered many times, even this week yours isn't the first.
Again, trust me, I searched first. Most of the available discussion here is about building cheap. I'm not trying to build cheap. Then again, the search function here is primitive - not to knock it, none of these BBS packages have good search IMHO.
As I'm fond of saying, you need to know your traffic profile, both in terms of bandwidth and packets per second. Packets per second is more important than bandwidth.
That would be nice, but this is a new colocation for a business with rapid expansion prospects. Not that the traffic is too heavy at present - it doesn't even dent the capabilities of the HP server firewalling the 100Meg line into the office (using Netfilter). But now moving the services to colocation (the office is running out of power and cooling), we'd rather go appliance than full-blown server for the firewall. Thus I'm here. The traffic profile a year from now is what matters. And that depends on what products sell to how many customers. We're basically selling data services.
My personal choice would be to buy commodity 1U hardware, with Intel Gbit server grade nics, preferably on PCIe. If you're uncertain of your traffic profile then go with lots of RAM and lots of CPU power.
Yeah, I've got the Intel NIC part. Already use 'em. Like 'em. RAM is cheap. CPU power can still get spendy. Firewall appliances generally make throughput claims. So what throughput claims would correlate with what CPUs (assuming Intel PCIe NICs)? If there's already a nice chart of this here, please again blame me for not finding it yet - as long as you point out where it is. If the design goal is to get people to stop asking the same questions, organizing the answers and putting them in an obvious place is how to get there. "Search the fine BBS" … not so much. Don't assume people haven't spent a few hours searching before posting, just because you know the answers are somewhere there.
And there are lots of commodity 1U units out there. They're not all equal. They're not all equally suitable for a particular use. They're not all equally reliable. Is there any compilation here of success with different brands of motherboards, in terms of performance and reliability? I've looked. I'm not finding it so far. It would be a useful thing, no?
-
@Cry:
Bonus Answer: Try reading the pfSense site, where you'll find information on hardware sizing ;)
Cry, trust me, I have been. And I have not found that information yet. If someone can point me to it, I'll be obliged. (Hint: If newbies can't find it easily, it may be a clue that there's room for improvement in the organization.)
www.pfsense.org -> Hardware -> Selection and Sizing
That would be nice, but this is a new colocation for a business with rapid expansion prospects. Not that the traffic is too heavy at present - it doesn't even dent the capabilities of the HP server firewalling the 100Meg line into the office (using Netfilter). But now moving the services to colocation (the office is running out of power and cooling), we'd rather go appliance than full-blown server for the firewall. Thus I'm here. The traffic profile a year from now is what matters. And that depends on what products sell to how many customers. We're basically selling data services.
Then you need to provide a best guess based upon your experience.
Yeah, I've got the Intel NIC part. Already use 'em. Like 'em. RAM is cheap. CPU power can still get spendy. Firewall appliances generally make throughput claims. So what throughput claims would correlate with what CPUs (assuming Intel PCIe NICs)? If there's already a nice chart of this here, please again blame me for not finding it yet - as long as you point out where it is. If the design goal is to get people to stop asking the same questions, organizing the answers and putting them in an obvious place is how to get there. "Search the fine BBS" … not so much. Don't assume people haven't spent a few hours searching before posting, just because you know the answers are somewhere there.
And there's no reason that I should assume you've bothered to look - many don't. See the above directions for finding the sizing guide.
And there are lots of commodity 1U units out there. They're not all equal. They're not all equally suitable for a particular use. They're not all equally reliable. Is there any compilation here of success with different brands of motherboards, in terms of performance and reliability? I've looked. I'm not finding it so far. It would be a useful thing, no?
It would be, but people's choices are often dictated by many things, like what they're used to, what their company uses, what they can get. You'll see many references to hardware choices here, though you'll have to go looking. From memory I've seen references to Dell hardware multiple times lately.
-
@Cry:
www.pfsense.org -> Hardware -> Selection and Sizing
Thanks!
I've seen references to Dell hardware multiple times lately.
Yeah. My client in this case used to be a Dell shop. As you might imagine after years of experience, they have a strict "no more Dell!" rule. I concur with that. YMMV.
So going to "Selection and Sizing" we see:
501+ Mbps - server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU.
That way underspecifies. CPUs of a given speed can perform far differently at a specific task. Given the core tasks of pfSense, and how it's coded, how many cores are optimal? How many CPUs? Will a slower quad-core outperform a faster dual-core at a given price point? Which Intel or AMD models give the most bang per buck? Has anyone done any benchmarking with pfSense and different CPUs? These are standard questions when sizing up hardware for a task. The description on pfsense.org is more hand waving than a thorough answer. I'm hoping people here on the BBS have more thorough knowledge.
And "server class," right. That's a very fuzzy classification. Any 1U unit, by the very form factor, is intended as a server.
-
It's all guidelines; as I and others have said, you need to know your network. The values are, as you put it, "hand waving" because anything else would require consultancy. Two networks both with a pair of wired interfaces, 150 Mb/s bandwidth, 50 users and 10 VPN users may have completely different usage profiles and completely different hardware requirements. Some choices will be influenced by other choices - for instance if you've got Intel Server Gbit NICs then you can get away with a slightly lower spec CPU.
CPU: Packet processing tends to be linear, one very fast core is better than multiple slower cores - hence the recommendation for 3GHz+. If anybody has done benchmarking I don't remember seeing it, but a Google may find people who have (just look for FreeBSD routers since that's what pfSense is under the hood). If you add things (packages, VPN, multiple interfaces) then you need more CPU cores. Again, PPS is more important than bandwidth and your choice of NIC is critical.
Hardware: That page doesn't make any reference to 1U server hardware. Most people using pfSense will do so on something other than rack mount, and even 1U servers aren't always built to server standards.
Finally, if you know the Linux hardware requirements you can be certain that pfSense won't need anything more and indeed will have lower requirements. FreeBSD's network stack is more efficient than the one in Linux (at the moment anyway).
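Putting the "packets per second beats bandwidth" point above into numbers, as an added example that is not code from any poster in this thread: the frame sizes and per-frame wire overhead are standard Ethernet, and the two-second packet trace is constructed to show a low-bandwidth second that nonetheless carries ten times the packet rate of a high-bandwidth one.

```python
"""Traffic-profile arithmetic for firewall sizing (added example, not from the thread)."""
from collections import defaultdict

# Ethernet adds 20 bytes on the wire per frame beyond the frame itself:
# 7-byte preamble, 1-byte start-of-frame delimiter, 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME = 64      # smallest legal Ethernet frame (excluding FCS-less runts)
MAX_FRAME = 1518    # largest standard (non-jumbo) frame including FCS


def max_pps(line_rate_bps: int, frame_bytes: int) -> int:
    """Theoretical maximum frames/second a link can carry at one frame size.
    This is the worst-case packet rate a firewall must keep up with at line rate."""
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError("frame size outside the standard Ethernet range")
    return line_rate_bps // ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def profile(trace):
    """Bucket a trace of (timestamp_seconds, frame_bytes) into per-second counters.
    Returns {second: (packets, megabits)} so pps and bandwidth can be compared side by side."""
    pkts, byts = defaultdict(int), defaultdict(int)
    for ts, size in trace:
        sec = int(ts)
        pkts[sec] += 1
        byts[sec] += size
    return {s: (pkts[s], byts[s] * 8 / 1e6) for s in sorted(pkts)}


def peak(prof):
    """Peak pps and peak Mbps over the profile; they need not fall in the same second."""
    return max(p for p, _ in prof.values()), max(m for _, m in prof.values())


def sample_trace():
    """Constructed trace: second 0 is a bulk transfer of full-size frames,
    second 1 is a burst of minimum-size frames (think DNS or VPN keepalives)."""
    bulk = [(i / 1000, 1500) for i in range(1000)]        # 1000 x 1500 B in second 0
    small = [(1.0 + i / 10000, 64) for i in range(10000)]  # 10000 x 64 B in second 1
    return bulk + small


if __name__ == "__main__":
    for rate in (150_000_000, 1_000_000_000):
        print(f"{rate/1e6:.0f} Mb/s: {max_pps(rate, 64)} pps at 64 B, "
              f"{max_pps(rate, 1518)} pps at 1518 B")
    for sec, (pps, mbps) in profile(sample_trace()).items():
        print(f"second {sec}: {pps} pps, {mbps:.2f} Mb/s")
```

Second 0 moves 12 Mb/s at 1000 pps while second 1 moves only 5.12 Mb/s at 10000 pps, which is the case the sizing guide's bandwidth tiers cannot capture on their own.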
-
whit,
I've been working on putting together a few different sized hardware appliances that all have been tested to work well with pfSense. All very clean and professional looking, most with LCDs as well. Everything is Intel based, PCI-e/PCI-X, Intel NICs, etc. Even some with modular interfaces. I've followed all the recommendations on this forum as well as other BSD sites to make sure I choose the best appliances possible. I don't have any documentation yet and I only have a few models in production at this point, but if you're interested shoot me an email offline and we can chat some more about it.
regards,
Jason
jason@net-methods.com
-
oh, and just to be clear… I'm not building these. They are enterprise class hardware appliances from a few different manufacturers. (I do have pictures of most of them)
-
We build 1u pfSense appliances utilizing Intel chipsets: https://www.linuxappliance.net/catalog/index.php/firewall/pfsense-firewall-solutions/strongbochs-p100-pfsense-appliance.html
Let me know if you have any questions, thanks!
-
I use cheap IBM xSeries 335 servers found on eBay. They are rock solid and very good performers. And IBM still has day-to-day spare parts available.
They can handle almost all you can throw at it….
How much do you pay for colocation by the way??? Usually people construct server rooms the wrong way.... If it is done properly, the need for cooling almost disappears.
Just isolate the cold and the hot side...Completely. And reuse the hot air to heat up the building.....:)
-
I use cheap IBM xSeries 335 servers found on eBay. They are rock solid and very good performers. And IBM still has day-to-day spare parts available.
Great servers, just don't forget to buy the necessary KVM breakout cables to go with them. A bit of a pain that they don't have standard ports on 'em. And reeeely annoying if you order one and forget the KVM cable.
-
Yiiir…I know. Otherwise the xSeries 345 2U server is also an option. It runs a lot cooler, you can use a CF-to-IDE adapter upright, and it has 3 64-bit expansion slots available.
And you can get that for around $200 on eBay.
I use cheap IBM xSeries 335 servers found on eBay. They are rock solid and very good performers. And IBM still has day-to-day spare parts available.
Great servers, just don't forget to buy the necessary KVM breakout cables to go with them. A bit of a pain that they don't have standard ports on 'em. And reeeely annoying if you order one and forget the KVM cable.