Hardware recommendation pfblockerng + wireguard + "room to wiggle"

Pizzamaka

Hi all.
I have an SG-1100 and running pfblockerng-devel. I see it constantly runs out of memory (kills unbound+pfblocker etc...)and am thinking of what a potential upgrade would be. Below are my thoughts / requirements, please add your points :)

What I would like to do:

run pfblcokerNG-devel
run a wireguard server
eventually run some packet inspection in the future
I love the support in this community (and I have enought things to care about), so I would really love to have some kind of appliance (no custom hardware)
I have a 400 MBit WAN connection (will stay that way, since I don't really need more)
3 VLans planned (not really set up yet)

My thoughts on hardware

The 2100
- has 4GB of memory, so that should be fine
- has the same CPU as the 1100 (Often the CPU is maxed out on mine)
- has similar low power consumption like the 1100
- has an M2-SSD which can be upgraded/swapped
The 4200 is like the 2100 with
- better CPU
- higher Power consumption

So my questions are

do I need the better CPU? (In my case that probably is the only thing that differs)
Is there anything I am missing?

WN1X

@Pizzamaka I went with the 4200. At the time, the max option was not available so I upgraded itself. I have 1gig service with pfBlockerNG plus a few other packages. Very happy with it.

stephenw10

Mmm, I would choose the 4200. You are likely to be close to hitting the CPU limit on the 2100 with that combination of VPN and packages.

Pizzamaka

@stephenw10 is that due to the packet inspection or is wireguard + pfblocker already pushing the CPU?

stephenw10

The maximum throughput without any packages or VPNs on the 2100 is 600-700Mbps. No problem for 400Mbps. But if you want to pass 400Mbps over wireguard you are going to be CPU limited. If you want to do that with Snort or Suricata running, even more so. Memory shouldn't be an issue unless you load up ever list and definition in pfBlocker and Snort (which you shouldn't!).