Netgate Discussion Forum

    CPU enough cores / speed for pfSense?

    • srytryagn

      IPS IDS, Suricata + Pfblocker + pfSense firewall rules and other plugins with a 2.5Gb connection with quite a few connections. What do I need for a CPU (&ram)?

      Quick one is RAM -> is 8GB of slow RAM (2600-3200) enough? One stick vs two sticks?

      More important question -> What range would work to get me running fast:

      1. Ryzen 1600AF (6 cores), 1700 (8 cores)
      2. Ryzen 3700/3800 (8 cores, more speed)
      3. Ryzen 3900/3950 (more cores, more speed)
      • R rcoleman-netgate moved this topic from General pfSense Questions on
      • AndyRH

        I would choose clock over cores.

        o||||o
        7100-1u

        • srytryagn @AndyRH

          @andyrh Clock over cores, there may be a min number of cores/threads?

          What do you think is needed, from Ryzen, to accomplish what I am after given the network parameters above?

          • AndyRH

            My Netgate device has 4 cores and easily does 1Gb WAN and 50Mb OpenVPN (limited by the other side).
            I am only running a few low need packages and a very reasonable number of rules and VLANs.
            IMO you would have to try to get too few cores.

            From a process view, 1 core per queue plus 1 core per package would be perfect for the best speed. In practice that would be a waste as most cores can handle many tasks faster than the bandwidth will allow.
            I would look for 4 or more cores. Ryzen cores will outperform my Atom cores. The higher the clock, the quicker the thread will be able to decide what to do with the IPS/IDS part of your question.

            Others may amend/correct what I have said, but this is the path I would follow.

            o||||o
            7100-1u

            • srytryagn @AndyRH

              @andyrh Thanks again for chiming in. All the CPUs I proposed are more than 4 cores, but noted your recommendation. Coincidentally a lot of the higher core offerings also have higher clocks, independent of generation that is.

              Specifically my concerns are: I want to utilize my broadband speed level (2.5 gbs) while enabling IPS/IDS + pfBlocker + rules etc. So trying to buy the right CPU to achieve this.

              I am flexible but would like to know if it is a 1600AF/1700x task or more of a 3900x task.

              If anyone knows or can offer some advice please let me know. Thanks again.

              • stephenw10 Netgate Administrator @srytryagn

                @srytryagn said in CPU enough cores / speed for pfSense?:

                Coincidentally a lot of the higher core offerings also have higher clocks, independent of generation that is.

                Mmm, that's the opposite of what you'd usually find due to the total thermal/power requirements of the package.

                • srytryagn @stephenw10

                  @stephenw10 On a closer look, you are quite right about that. Any suggestions for what CPU will live up to the task? Have you run over 1gb+ with IDS/IPS enabled?

                  • stephenw10 Netgate Administrator

                    I've never run any of those CPUs so I can only make an educated guess but I imagine that any of them would probably pass that no problem.

                    • srytryagn @stephenw10

                      @stephenw10 What CPUs are you running, in terms of cores and clocks? Are they able to get over 1gb with something like Suricata running?

                      • stephenw10 Netgate Administrator

                        The C3558 we use in the 6100/7100 will do that.

                        The actual throughput limit will depend on how Snort/Suricata is configured though.

                        • A Former User

                          It is not so easy to say something about IDS/IPS and pfBlocker-ng for the others; they will only be able to give you a number here and there, depending on others' and their own experiences. If you fully load, or load many, lists inside pfBlocker-ng, it can be really hard with too slow a CPU, too little RAM and/or too little SSD space. If IDS then comes on top with really many rule sets enabled, you will need more RAM, CPU horsepower and HDD/SSD space. Inline mode for Snort, as an example, will only run with some NIC types at this moment, as I am informed, and so on and so on and so on. It is not so much a question of getting a powerful machine, but more of how well it is supported.

                          You would pay ~500 € for an AMD CPU, for sure it will be a bomb, but also on your electric power bill.

                          A Xeon E3 v5/v6, used or new, is capable of 3,5 GHz to 4,5 GHz and has 4C/8T, so it is quite enough for your needs; it can be fitted with up to 64 GB ECC RAM and will fit on a Supermicro mini-ITX board. But you will lack Intel QAT and you have to add more things inside. So you will be ending up with something around:

                          • Xeon E3 v5 CPU ~350 €
                          • ECC RAM ~75 € (2x8GB / 16 GB)
                          • Board ~350 €
                          • case 150 €
                          • M.2 ~100 € (1TB)

                          If you compare it to a Supermicro C3758, C3858 or C3958 for around 900 € - 1500 € plus RAM 75 € and M.2 for ~100, it will be perhaps more modern but with less CPU horsepower.

                          For both systems you need a supported 2,5 GB NIC, either with 1 port or 2 ports or 4 ports, on top of all, so it might be nice to now get the price of a Netgate 7100, which you will be getting for xyz € or xyz $ in your country. Is it too far away from that price range?

                          • srytryagn @stephenw10

                            @stephenw10 The C3558 in the 7100 is a 4-core, 4-thread 2.2 GHz processor; the spec is quite low. I am curious if that is all that is required to get the level of performance I am after with all the packages running.

                            Does this suggest that even the bottom tier of processors I am looking at, the 1600AF (a 6-core, 12-thread 3.2 GHz) or the 1700X (3.4 GHz), would be up to the task?

                            • A Former User @srytryagn

                              @srytryagn said in CPU enough cores / speed for pfSense?:

                              @stephenw10 The C3558 in the 7100 is a 4-core, 4-thread 2.2 GHz processor; the spec is quite low. I am curious if that is all that is required to get the level of performance I am after with all the packages running.

                              Does this suggest that even the bottom tier of processors I am looking at, the 1600AF (a 6-core, 12-thread 3.2 GHz) or the 1700X (3.4 GHz), would be up to the task?

                              The rest of the hardware, like the mainboard, must or should also be supported by FreeBSD, so it might be better to go with a Supermicro mini-ITX and an Intel Xeon E3 4C/8T ~3,2 GHz upwards.

                              • stephenw10 Netgate Administrator

                                Yeah, like I said I would expect any of them to pass that no problems.

                                However you still could hit a limit if you use Snort (which is single threaded) and just enable every rule there is.

                                • srytryagn @stephenw10

                                  @stephenw10 That is right, Suricata FTW?

                                  Glad to know I can save some money and go with a lower tier processor like the 1600AF and still meet my end goal! A 5900/5950 would have been expensive. Thanks for confirming.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.