New CPU/Platform Recommendation
-
I never saw a TNSR install, so all I know is this https://www.netgate.com/tnsr-software/performance#get-to-know - the (max) performance shown over there is mind boggling.
I wonder what hardware Netgate was using to see those specs. They could tell you ^^
100 Gbits++ is enough for a small county ^^
-
@sysadminfromhell said in New CPU/Platform Recommendation:
I will be getting 1G WAN in this year (end of year) and for VPN I use WireGuard and IPsec.
IDS/IPS was planned and is installed but not active currently.
@sysadminfromhell said in New CPU/Platform Recommendation:
I currently don't know how to benchmark the system
I suggest starting with Netgate benchmarks. They provided known performance and price in a balanced system.
https://www.netgate.com/appliances?priceMin=179&priceMax=3148&user_profile=&software=pfSense+Plus&form_factor=#compare-products
You may find buying there optimal; if not, you can compare the specs of your proposed system to theirs. You are unlikely to get as good system component balance but it should at least get you in the ballpark.
-
@Patch this answer doesn’t really help. How does Netgate benchmark?
-
You don't need to upgrade. What you have is already waaaay more powerful than it needs to be.
The only reason I could imagine for upgrading would be to something less powerful to reduce running costs.
-
@stephenw10 said in New CPU/Platform Recommendation:
You don't need to upgrade. What you have is already waaaay more powerful than it needs to be.
The only reason I could imagine for upgrading would be to something less powerful to reduce running costs.
I would love to have the ability to use QAT as well as somehow "know" how much I could press through the firewall - so how to benchmark properly. I am kind of new to the whole benchmarking thing. Would be good to know where the limit is of the hardware.
EDIT: I also don't really know how much better QAT is against the normal crypto acceleration built into the CPU but would be good to have the option to it. That's why I asked for a recommendation.
-
QAT is not that much of an advantage. Unless you're hitting a limit in crypto throughput it's not going to help you much. And I can only imagine that being an issue if you're passing all your traffic over a VPN?
Additionally if you're running Plus IPSec-MB is as fast or faster for many cipher types.
For a basic test try passing iperf3 traffic through the box between two interfaces and check the output of
top -HaSP
at the CLI while it passes.
Then try sending that over a VPN and retest.
-
@stephenw10 said in New CPU/Platform Recommendation:
For a basic test try passing iperf3 traffic through the box between two interfaces and check the output of
top -HaSP
at the CLI while it passes.
direct connected with twp or just virtually (ETH0->ETH1 routing)?
EDIT: I guess around 38 GBits?
-
@sysadminfromhell said in New CPU/Platform Recommendation:
Supermicro X11ssh-TF
https://www.supermicro.com/en/products/motherboard/x11sdv-8c-tp8f
-
@sysadminfromhell said in New CPU/Platform Recommendation:
I guess around 38 GBits?
That can't be right unless I'm missing something. Those are all 10G NICs?
I guess that could be right if you have 40G NICs and if so that's a huge number!
But more likely you tested between the devices on pfSense itself? You want to test between two other host devices on two subnets routed through pfSense.
-
@stephenw10 yea I only got 10G NICs. I tested on the host itself for today to get the setup right. Tomorrow I am going to test with my 2 Servers which are capable of doing 10G via SFP+