-
IPS IDS, Suricata + Pfblocker + pfSense firewall rules and other plugins with a 2.5Gb connection with quite a few connections. What do I need for a CPU (&ram)?
quick one is ram -> is 8gb of slow ram 2600-3200 enough? One stick vs two sticks ?
More important question -> What range would work to get me running fast:
- ryzen 1600af (6 cores ) , 1700 (8 cores)
- ryzen 3700/3800 (8 cores more speed)
- ryzen 3900/3950 (More cores more speed)
-
R rcoleman-netgate moved this topic from General pfSense Questions on
-
I would choose clock over cores.
-
@andyrh Clock over cores, there may be a min number of cores/threads ?
What do you think is needed, from ryzen, to accomplish what I am after give the network parameters above ?
-
My Netgate device has 4 cores and easily does 1Gb WAN and 50Mb OpenVPN (limited by the other side).
I am only running a few low need packages and a very reasonable number of rules and VLANs.
IMO you would have to try to get too few cores.From a process view, 1 core per queue plus 1 core per package would be perfect for the best speed. In practice that would be a waste as most cores can handle many tasks faster than the bandwidth will allow.
I would look for 4 or more cores. Ryzen cores will outperform my Atom cores. The higher the clock, the quicker the thread will be able to decide what to do with the IPS/IDS part of your question.Others may amend/correct what I have said, but this is the path I would follow.
-
@andyrh Thanks again for chiming in. All the CPUs I proposed are more than 4 cores, but noted you recommendation. Coincidentally a lot of the higher core offerings also have higher clocks, indepent of generation that is.
Specifically my concerns are: I want to utilize my broadband speed level (2.5 gbs) while enabling IPS/IDS + Pfblocker + Rules etc.. So trying to buy the right CPU to achieve this.
I am flexible but would like to know if it is a 1600AF/1700x task or more of a 3900x task.
If anyone knows or can offer some advice please let me know. Thanks again.
-
@srytryagn said in CPU enough cores / speed for pfSense?:
Coincidentally a lot of the higher core offerings also have higher clocks, indepent of generation that is.
Mmm, that's the opposite of what you'd usually find due to the total thermal/power requirements of the package.
-
@stephenw10 On a closer look, you are quite right about that. Any suggestions for what CPU will live up to the task ? Have you run over a 1gb+ with IDS/IPS enabled ?
-
I've never run any of those CPUs so I can only make an educated guess but I imagine that any of them would probably pass that no problem.
-
@stephenw10 What CPUs are you running, in terms of cores and clocks ? Are they able to get over 1gb with something like suricata running ?
-
The C3558 we use in the 6100/7100 will do that.
The actual throughput limit will depend on how Snort/Suricata is configured though.
-
It is not even so easy to say something about IDS/IPS
and pfBlocker-ng for the others, they will be only able to give you a number here and there pending on others and there own made experiences. If you will be fully load or much (many) lists inside of pfBlocker-ng it can be a really
hard with to slow CPU, to less RAM and/or to less SSD space. if then on top ids comes by side with really many
rules sets enabled you will be on the need of more ram, cpu horse power and HDD/SSD space. Inline mode for snort as an example will be only running with some NIC
types at this moment as I am informed, and so on and so on and so on. It is not that question to get a powerfully machine, but more how good it is supported.You would pay ~500 € for an AMD CPU, for sure it will be a bomb, but also on your electric power bill.
Xeon E3 v5/v6 used or new is capable of 3,5GHz to 4,5 GHz and owns 4C/8T so it is much enough for your needs, it can be sorted with up to 64 GB ECC RAM and will be able to stick on a Supermicro mini ITX board. But, you will
be of the lag of Intel QAT and you have to add more things inside. So you will be ending up with something around;- Xeon E3 v5 CPU ~350 €
- ECC RAM ~75 € (2x8GB / 16 GB)
- Board ~350 €
- case 150 €
- M.2 ~100 € (1TB)
If you compare it to an Supermicro C3758, C3858 or C3958
for around 900 € - 1500 € plus RAM 75 € and M.2 for ~100
it will be perhaps more modern but with less CPU horse power.For both systems you need a supported 2,5 GB NIC, either with1 Port or 2 Ports or 4 Ports on top of all, so it might be nice to get now the price from an Netgate 7100 you will be
getting for xyz € or xyz $ in your country. Is it to far away
from that price range? -
@stephenw10 the C3558 in the 7100 is a 4 core 4 thread 2.2Ghz processor; spec is quite low I am curious if that is all that is required to get the level of performance I am after with all the packages running.
does this suggest that even the bottom tier of processors I am looking at, 1600af if a 6 core 12 thread 3.2 Ghz or 1700x 3.4 Ghz would be up to the task ?
-
@srytryagn said in CPU enough cores / speed for pfSense?:
@stephenw10 the C3558 in the 7100 is a 4 core 4 thread 2.2Ghz processor; spec is quite low I am curious if that is all that is required to get the level of performance I am after with all the packages running.
does this suggest that even the bottom tier of processors I am looking at, 1600af if a 6 core 12 thread 3.2 Ghz or 1700x 3.4 Ghz would be up to the task ?
The rest of the entire hardware like the mainboard must
or should be also supported by freebsd and so it might be better to go than with a Supermicro miniITX and an Intel
Xeon E3 4C/8T ~3,2GHz upwards. -
Yeah, like I said I would expect any of them to pass that no problems.
However you still could hit a limit if you use Snort (which is single threaded) and just enable every rule there is.
-
@stephenw10 That is right, Suricata FTW ?
Glad to know I can same some money and go with a lower tier processor like the 1600af and still meet my end goal! A 5900/5950 would have been expensive. Thanks for confirming.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.