Advice for hardware
-
Hello there, I'm thinking of investing in some hardware for a perimeter firewall (just a home network with a way overkill network and toys, who doesn't like toys :) and a gigabit fiber connection. Either way, I found this vendor selling what looks to be a good deal for the money and was hoping some of you pfSense experts could have a look and give their input. From reading plenty of similar threads I know that some parts are more important than others, some are bad for some things, some are good for others, and some are required, but I still feel very unsure about the details.
The most important question of all is: since I have a full gigabit connection, and intend to run a medium amount of IPS/DNS filtering and that sort of stuff, I would like to be able to maintain as high bandwidth as possible, for obvious reasons. Before I decided to go for pfSense I was looking into other alternatives such as the Unifi Dream Machine Pro, before deciding against it due to its many limitations and problems. But its specs, and mainly the MAX IPS throughput of 3.5 GB, would give the user almost full gigabit still, even with most of the bells and whistles turned on. With that said, would the below hardware be able to give the same result, and if not, could anyone point me to another similarly priced device better suited to pushing it there?
And of course, any other input and good-to-know info is more than welcome to help me make an educated choice.
Anyways, thank you for taking the time to read this, and here is the hardware I was looking at:
-
They give numbers there and I have no reason to doubt them. I'm sure that would pass 1Gbps.
It's almost impossible to give numbers for IDS/IPS because it can vary wildly depending on what traffic you are putting through it and what signatures you have loaded. I would expect it to be pretty fast though, I use that CPU in my desktop.
Steve
-
Meh, that probably won't work as well as you'd like.. especially if you wanna throw all the IPS/IDS you can at it with a gig fiber connection.
I know I'm gonna get a lot of blow-back for saying this, but just from my experience you're going to want to disable hyperthreading.
Unless there's some setting/tuning that I'm unaware of (which could very well be the case, as I'm definitely a noob when it comes to this), hyperthreading kills throughput (at least, it did on mine).
I have an old Dell OptiPlex with 16 gigs of RAM and it's powered by an old i7-2600k. When I first installed pfSense I had HT enabled and the most I got out of my 100/5 cable connection was maybe ~75 down x 5 up? I chalked it up to just old hardware.. it worked and I let it be.
I don't remember where, but I read a discussion between the pfSense pros on how HT could theoretically hurt performance. Eventually I went into the BIOS and disabled HT and rebooted... et voilà! My throughput immediately jumped to an easy 115/6 on a 100/5 connection.
Sorry for the long-winded explanation. I get pretty enthused to share my experience with other newcomers.
My recommendation: look for a 4-core CPU. Don't bother paying more for hyperthreading, because you should plan on disabling it if the CPU is hyperthreaded. Also, I just read an article the other day about how one of the security vulnerabilities of Intel CPUs is via sideloading the hyperthreading.. and the workaround is to disable hyperthreading.
Sorry for the long-winded response.. I hope it helps with your choices.
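A defender-side check to go with the hyperthreading discussion in the post above, added here as an example (it is not code posted by jc1976 or anyone else in the thread): a POSIX shell script that reads the FreeBSD sysctls a pfSense box exposes for SMT and for the MDS (hyperthreading side-channel) mitigation, namely `kern.smp.threads_per_core`, `machdep.hyperthreading_allowed` and `hw.mds_disable`, and reports whether hyperthreading is active and whether the kernel mitigation is enabled. The functions take sysctl output as text, so the constructed sample at the bottom runs on any shell; the sample values are made up for the example and do not describe any real box.

```shell
#!/bin/sh
# Added example: summarise SMT/hyperthreading state and the MDS mitigation
# setting from FreeBSD `sysctl` output. On a real pfSense/FreeBSD host, feed it
# live output with:
#   report_smt "$(sysctl kern.smp.threads_per_core machdep.hyperthreading_allowed hw.mds_disable)"

# Extract the value of one "name: value" line from sysctl-style output.
#   $1 = sysctl output text, $2 = sysctl name
sysctl_val() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2; exit }'
}

# "on" when each core exposes more than one hardware thread (HT/SMT active),
# "off" when threads_per_core is 1 (disabled in BIOS or by
# machdep.hyperthreading_allowed=0), "unknown" if the key is missing.
smt_state() {
    tpc=$(sysctl_val "$1" kern.smp.threads_per_core)
    if [ -z "$tpc" ]; then
        echo unknown
    elif [ "$tpc" -gt 1 ]; then
        echo on
    else
        echo off
    fi
}

# hw.mds_disable on FreeBSD: 0 = no mitigation, 1 = VERW (microcode) sequence,
# 2 = software sequence, 3 = automatic selection. Anything non-zero counts as
# enabled here.
mds_mitigation() {
    v=$(sysctl_val "$1" hw.mds_disable)
    case "$v" in
        "") echo unknown ;;
        0)  echo disabled ;;
        *)  echo enabled ;;
    esac
}

# Human-readable summary of both checks.
report_smt() {
    echo "SMT/hyperthreading: $(smt_state "$1")"
    echo "MDS mitigation:     $(mds_mitigation "$1")"
}

# Constructed sample shaped like `sysctl` output from a hyperthreaded box with
# the MDS mitigation left off (values invented for this example).
SAMPLE_HT='kern.smp.threads_per_core: 2
machdep.hyperthreading_allowed: 1
hw.mds_disable: 0'

report_smt "$SAMPLE_HT"
```

The point of splitting the parsing from the live `sysctl` call is that the same check can be run against output saved from several firewalls, which is how you would verify a fleet after flipping HT in the BIOS or changing the mitigation setting, rather than trusting a single throughput test.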
-
@jc1976 said in Advice for hardware:
i7-2600k
I'd suggest you had something else in play there. I would expect a single core from that CPU to pass 1G relatively easily (packet size and latency depending etc).
75Mbps is less than what an ancient ALIX board could pass!
Steve
-
@darkfall That looks like the Qotom boxes that sell on Amazon. I bought this i5 one in July https://www.amazon.com/gp/product/B07KM7YY4Y/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1t. Now while I only have 400 down and 20 up, it handles my home network (2 VLANs, LAN: PCs and IoT), oftentimes with several work VPNs going at once and others streaming videos. Haven't had any issues, the load remains low (once I saw it hit 12% CPU load, but it averages 2~4%). Running Snort with paid rules and free Emerging Threats, along with pfBlocker. Used to run a mini ITX Pentium Gold PC, and this does just as well while using less energy and making zero noise. I can't tell you how well the computer you are looking at will do in your environment, but in mine, I don't think I would have a problem with the one I am using, as it seems to be not even breaking a sweat now.
-
As it stands now, I'm sure it could sustain several hundred megs without much issue. The only time I see the CPU spike is when it first starts and it's trying to get all the packages going.. otherwise it loafs along at around 3% utilization. So, yeah... it doesn't take any hardware to make it work.
I have Suricata, pfBlocker, watchdog, ClamAV, and Squid running for packages.
The guy mentioned he had a 1 gig fiber connection. I dunno how many devices he's servicing or what packages he'll be running.
Will he run a VPN? I plan on subscribing to one soon (Nord or Express), and if I bump up my speed to 400Mb, OpenVPN would demand more of my CPU. Wouldn't you agree?
-
If you try to push the traffic at 4x the speed and encrypt it then, yes, you will need more CPU.