Hardware requirements for 10Gb/s WAN

Zak McKracken

Hi,

I've been running pfSense since 2006 and I have been a big fan ever since. It has been rock solid, never needed any attention and upgrades have always been smooth.

However, I'm still running it on the same hardware I bought back in 2006. At that time, I didn't skimp on hardware, but soon our internet connection can be upgraded to 8Gb/s, and I'm starting to wonder if my box can still handle that.

My pfSense router is running on a SuperMicro SYS-5019A-FTN4, with 16GiB of SuperMicro memory and an Intel enterprise SSD. Reliability was very important to me.

I wonder if the 8-core Intel Atom C2758 (?) is still up for the task. Per recommendation of ServeTheHome, I have ordered a pre-used Chelsio T520-SO-CR dual SFP+ NIC, hoping that the server-offloading will aid the CPU a bit.

Will this still cut the mosterd, or do I need to start thinking about upgrading?

Thanks in advance!

Dobby_

I wonder if the 8-core Intel Atom C2758 (?) is still up for the task.

Your link in this forum post, is showing the SuperServer 5019A-FTN4, that is sorted with an Intel Atom C3758
CPU that is running with 2.2 GHz with 8 cores.

It might be that this hardware will be able to push 10 GBit/s,
but if you need a constant 10 GBit/s packet flow, I would not trust on really.

I would more trust the Intel Xeon D-2100 or D-2700 CPU´s
that runs on with other cores, more cores and on the speed
of something around > 3.0 GHz.

Zak McKracken

@dobby_ said in Hardware requirements for 10Gb/s WAN:

Your link in this forum post, is showing the SuperServer 5019A-FTN4, that is sorted with an Intel Atom C3758
CPU that is running with 2.2 GHz with 8 cores.

Yes, yet pfSense reports a mere C2758, so I either fixed my box with the 'wrong' mainboard, a couple of years ago, or SuperMicro upgraded the board in this product.

Anyway, it's an 8 core Atom @2.4GHz with 4MiB of cache.

It might be that this hardware will be able to push 10 GBit/s,
but if you need a constant 10 GBit/s packet flow, I would not trust on really.

Well, it's an 8GiB FTTH XGS-PON connection. On those, a fiber is split and share with multiple subscribers. I have no idea whether this 8GiB is shared among those subscribers, or it is what's available per subscriber after sharing.

I would more trust the Intel Xeon D-2100 or D-2700 CPU´s
that runs on with other cores, more cores and on the speed
of something around > 3.0 GHz.

Hm, perhaps it's better to go look for a board with two on-board 10GBase-T NICs then.

I'll see how it goes, expecting the need for an upgrade. Thanks for you insights.

Cool_Corona

@zak-mckracken You need a Ryzen or Xeon to handle 10Gbit/s FW traffic.

An Atom cant handle that.

Dobby_

@zak-mckracken

Yes, yet pfSense reports a mere C2758, so I either fixed my > box with the 'wrong' mainboard, a couple of years ago,...

There are Intel Atom C2xxx CPU´s and Intel Atom C3xxx CPU´s and brand new Inte Atom C/P5xxx
CPU´s available from Supermicro. The second generation
C2xxx I would not believe to archive 10 GBit/s with them.

The C3xxx series will be soldered on Supermicro boards together with 10 Gbe and 10 Gbit/s SFP+ ports and so it might be better to start with them, but all in all I really
read much about all over the Internet and with Linux it might be running but for FreeBSD you may need some more horse power (hardware based) to archive that throughput (10 Gbe). And so I find out for my self that the Xeon D-2100 and/or Xeon D-2700 platform will be better.
Especially the Supermicro board with a N or NT in the name for networking will be offering all things you may love to have for your pfSense.

• Intel QuickAssist
• Intel AES-NI
• Hyperthreading
• TurboBoost

Its all on board (on the SoC) and some of them are running nearly at 3,0 GHz too.

stephenw10

Yes, I would expect to see 3-4Gbps from a C2758 with firewall and NAT. There are many variables of course.

Zak McKracken

@Zak-McKracken said in Hardware requirements for 10Gb/s WAN:

I wonder if the 8-core Intel Atom C2758 (?) is still up for the task. Per recommendation of ServeTheHome, I have ordered a pre-used Chelsio T520-SO-CR dual SFP+ NIC, hoping that the server-offloading will aid the CPU a bit.

For those appreciating closure, here's a small update on this adventure.

The Chelsio T520-SO-CR NIC was a Bad Idea. First of all, the T520-SO-CR is not the one to have. That would be the T520-CR. The difference is in the number of connections that can be offloaded to it: A few on the first one, 32k on the second one. Sellers often don't bother to check, but the difference can be spotted easily: The first has unpopulated footprints for the extra memory required for all these extra connections.

Secondly, this card run very hot. It does have internal temperature sensors, recognized by pfSense, but if it's not in a direct flow of air, it easily reaches a die temperature of 120°C and shuts down. As a direct effect, it consumes quite a lot of power: It easily adds >20Watt to your router. That may not seem a lot, but for something running 24/7, it is.

And finally - and this is the biggest argument against these cards - pfSense actually using TCP offloading requires loading an experimental Kernel Extension. And on top of that, according to the NetGate manual, with this offloading connections aren't always checked and filtered properly.

So instead of a Chelsio T520, I got myself an Intel X720, a little further down the ServeTheHome list. It adds only ~4Watt of power consumption to my system and it has been rock-solid so far.

The only thing still bothering me is that all speed tests I run, seem to be capped at 1GiB/s, despite my line-speed from workstation to fiber is now 10GiB/s. I think something is misconfigured at my provider, because even my wimpy Atom C2758 should be able to at least fluctuate a little over that. But that's still an ongoing investigation.

stephenw10

@Zak-McKracken said in Hardware requirements for 10Gb/s WAN:

I got myself an Intel X720

You mean an X710? Or maybe an X520?

Zak McKracken

@stephenw10 said in Hardware requirements for 10Gb/s WAN:

You mean an X710? Or maybe an X520?

An intel X710, that is. Apologies for the confusion.

In Europe, ISPs are obliged to allow their customers to use their own ‘modem’, but most of them drop support as soon as customers do. So I’ve put the cheap ISP ‘modem’ on the front line, and that is capped at the same speed. As soon as that’s running at the speed I paid for, I will connect my pfSense box straight to my own ONT, and post some speed results here.