Low power gigabit NAT
-
Hi, I am looking for a low power device capable of full duplex gigabit NAT speeds.
I have no need for VPN or other more advanced firewall functionality.
The device will sit between my office equipment and the rest of the company gigabit network.
The device must be low power and low noise.
Can be small desktop form factor, or 1U rack mountable.
I tested two devices, both can do gigabit NAT, and are fan-less.
They generate a bit of heat, but not too much.
http://www.hacom.net/catalog/mars-twitter-d525-pfsense-appliance
http://www.hacom.net/catalog/mars-iib-fanless-d525-12-gbe-pfsense-1u-server
There are equivalently spec'd devices, but with fans:
http://www.hacom.net/catalog/mars-openbrick-m-d525-pfsense-appliance
http://www.hacom.net/catalog/mars-ii-pfsense-1u-server
Which of the above devices, with fans or without fans, use the least amount of power?
Are there other devices with low power and gigabit NAT I can look at?
Thank you
P.
-
It's very hard to say without measuring them. Sounds like you have the hardware, get a Killawatt or similar meter and see what they draw.
-
The Mars Twitter claims to be 20W without a hard drive, that seems a reasonable claim.
I'd be very surprised if you are able to get 1Gbps throughput though. Other people testing similar hardware have managed ~600Mbps.
You say you have tested this?
Steve
-
I have not tested throughput or power consumption.
These devices claim 2Gbps firewall throughput; I sure hope it's not just 600Mbps, that I can get with a much cheaper consumer wireless router.
I only own the fan-less units, not the with-fan units, that is why I asked if somebody knows which unit uses less power, or if somebody can recommend other units.
P.
-
I wish I had better news for you but I'm fairly confident you won't get 1Gbps through that box.
Check out this comprehensive set of test results from pfSense developer databeestje:
http://forum.pfsense.org/index.php/topic,27780.0.html
He is running the slower D510 and maybe has slower ram than you but still manages only 485Mbps.
Still I've been wrong before and no doubt will be wrong again in the future! ::)
Steve
-
Well even if a system can push 2GB that's really only 1GB "through" the box (1GB in one way, 1GB out the other). Would vary widely by OS and packet filter.
With pf disabled you can probably get quite a bit higher throughput, but that isn't a realistic scenario for most people.
-
I had a similar experience with my firebox when I found the gigabit interfaces didn't meet my expectations. Doing some research showed many other people who similarly found FreeBSD underperformed compared to Linux based counterparts. However, in my case I put it down to the rather buggy msk(4) interfaces.
This thread seems to report a similar discrepancy with Intel NICs:
http://forum.pfsense.org/index.php/topic,47907.0.html
It makes me wonder if the two firewalls are actually doing the same job.
It's not an issue for me but I can see how it might be a big one for others.
Steve
-
I sure hope it's not just 600Mbps, that I can get with a much cheaper consumer wireless router.
Not even remotely close to true, no consumer grade router can push 600 Mbps. That's commercial firewall territory at several thousand USD minimum. If you're talking about the built in switch in some consumer routers, that's a switch, not a multi-port firewall. A world of difference there.
-
I was referring to NAT speeds, e.g.:
http://www.smallnetbuilder.com/lanwan/router-charts/view
-
I remember being pretty blown away by those numbers last time I read them.
I'd be interested to know how those numbers were tested and what those routers are actually doing.
Specs for high end soho routers have certainly stepped up a lot recently. The ASUS black diamond is 500MHz with 128MB. Hard to see how it could NAT 860Mbps. Specialist hardware?
I see they list the test procedure: http://www.smallnetbuilder.com/lanwan/lanwan-howto/31103-how-we-test-hardware-routers-revision-3
Steve
-
These devices typically are SoC based with network accelerators and multi-core processors.
For traffic like NAT, it can all be done in the hardware network accelerator.
E.g. http://www.broadcom.com/press/release.php?id=s637241
-
Indeed.
However, consider the Watchguard XTM 2. This is a device with similar SoC type hardware. 666MHz CPU and 256MHz ram yet running its tweaked Linux it claims only 200Mbps throughput.
Makes me have to consider that the consumer OS is not doing as much. Or it could be that the hardware is a few years old. :-\
Steve
Edit: Those are in fact over 2 years old now.
-
Those numbers are hard to believe, they basically equate a $120 USD Linksys to a minimum $2500 Cisco ASA (on the brand new -X platform) in forwarding performance. Maybe for single stream. The tests are really lame as far as actually stressing real NAT performance though. Though home grade routers may have advanced to the point they can handle that kind of single stream performance, we play in an entirely different world that's along the lines of the Cisco ASA as far as functionality, not anything the Linksys level can touch.
-
Note that in their description of testing they say they disable stateful filtering, and only perform NAT, and bypass it somehow if it can't be disabled in the unit.
That is really not a valid real-world performance metric you can compare against a system that's actually filtering traffic.
-
Yes, though they also say it didn't make much difference to performance. Makes me wonder just what it does then!
They do have some great pfSense write ups on smallnetbuilder:
http://www.smallnetbuilder.com/labels/pfSense
Including a performance test with a D525 system:
http://www.smallnetbuilder.com/security/security-howto/31476-build-your-own-utm-with-pfsense-part-4?showall=&start=1
Not directly comparable though as they are running iperf on pfSense and also running Snort. And it's 1.2.3. Really good read though. :)
Steve
-
I'd suggest a low power supermicro chassis with a X9SCM motherboard coupled with a low power i3 or xeon. Passive cooling will work apart from the PSU fan. Should be pretty quiet and HEAPS more powerful.