Hardware Help on first build. 400+ Users 50mbps up & down



  • I have been researching FreeBSD and pfSense for quite some time now and I am building a box for an apartment complex. I have 400+ users and a 50Mbps symmetric fiber pipe in. As of right now I am pricing out an i5 build with 8 gigs of RAM and possibly an SSD drive. I plan for 3 Gigabit ports: 2 LAN and 1 WAN. I know this probably seems like overkill, but I really cannot afford to run into any latency problems. Has anyone completed a build with an i5 or anything similar? Any advice on hardware would be greatly appreciated!


  • Netgate Administrator

    Like any pfSense deployment the hardware requirements will depend mainly on two things:
    1. The required throughput.
    You have stated a 50Mbps up and down WAN connection, that's not going to put much strain on even low end hardware. You also have two LAN interfaces, do you require filtering of LAN1 to LAN2 traffic at gigabit speeds?

    2. What you want the box to do.
    Are you going to be running any packages such as Squid or Snort? These will push up the hardware required significantly.

    Several users have built boxes based on low end Sandy Bridge CPUs like the Celeron G530 or the Pentium G620. These have proven to be more than capable of 1Gbps throughput with firewall/NAT.
    http://forum.pfsense.org/index.php/topic,45439.0.html

    Steve



  • StephenW… Thanks for the reply. I haven't looked much into Squid or Snort but I am planning to use pfSense for blocking different protocols and monitoring traffic. Do you have any suggestions on add-ons for pfSense?


  • Netgate Administrator

    Blocking protocols will probably not require any additional packages and monitoring is also in the base install to some extent.
    There are a few packages that allow a greater level of monitoring, it depends what you want:
    http://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage%3F

    Steve



  • Thanks for all of your help Steve! The pfSense community is awesome.



  • For a simple pfSense installation with just 50mb throughput an i5 and 8gb ram are most likely overkill by a long shot. You may want to get something smaller like a Pentium G630 or something in that line, 4gb are more than enough and maybe spend some extra money in good Intel NICs. You may also want to get an external AP in case you need 802.11n.



  • If I can make a suggestion, at 400 users maybe you could add a second box running CARP. (redundancy)
    If price is a problem, maybe lower the specs to get two boxes.
    (IMHO) :)



  • Will all 400+ users be on the same LAN interface? Or is it better to use 2 or 3 LAN interfaces and split the number?



  • I am currently using an i5 system. Have configured 4 VLANs for network sanity and ease of management.

    For 400+ users I highly recommend an i3/i5 system, especially if you are concerned about high latency. Don't listen to others who think it's overkill. It's not… The PowerD function drops the CPU clock when not required. You have 400+ users and that demands CPU power for quick responses. I also recommend at least 8GB+ RAM and Squid for caching. Plus install Snort for keeping the network safe from intruders.



  • @asterix:

    For 400+ users I highly recommend an i3/i5 system, especially if you are concerned about high latency. Don't listen to others who think it's overkill. It's not…

    In virtually every network with 400 users, it's absolutely overkill. It won't get you one iota better performance than an Atom. Exceptions might be some unusual circumstances where 400 users can routinely peg a 500+ Mbps Internet connection, those are very rare though. Or if you're doing internal VLAN routing with it, that's generally not the case though.



  • It's 400+ users.. you can't control that high a number of users' internet activity. During peak hours the pfSense hardware needs to be capable enough to service every request. Plus later if the owner installs Snort then it would need even more processing power to keep up with all the connections.

    In today's time just 1 user can go up to 10 to 15 connections at any given time (email, chat, file transfers..etc). 400 times 10 is 4000 connections. That is just the start.. with heavy network traffic the Atom will barely keep up, especially routing data to and fro to all 400+ users. For a simple home and simple routing the Atom might be good enough but not for a 400+ user network.



  • An ALIX can handle vastly more than 4000 connections, that's nothing. An Atom has 8+ times the capacity, it will not get dragged down at all by 400+ users. I see systems all the time of that spec with that much of a load or more, and they're nowhere near capacity.



  • @asterix:

    It's 400+ users.. you can't control that high a number of users' internet activity. During peak hours the pfSense hardware needs to be capable enough to service every request. Plus later if the owner installs Snort then it would need even more processing power to keep up with all the connections.

    In today's time just 1 user can go up to 10 to 15 connections at any given time (email, chat, file transfers..etc). 400 times 10 is 4000 connections. That is just the start.. with heavy network traffic the Atom will barely keep up, especially routing data to and fro to all 400+ users. For a simple home and simple routing the Atom might be good enough but not for a 400+ user network.

    Not true.  Number of connections isn't a factor.  The throughput and interrupt loading is a greater factor.

    For instance, I've had a Celeron 1.2GHz (the current dual-core atoms are much faster) push >120,000 connection states without breaking a sweat:


  • Netgate Administrator

    Whilst I agree that an Atom would easily handle a 50Mbps connection with almost any number of users I have to also agree with Asterix's view that it seems pointless to use an Atom if you're building a new box. Low end Sandy Bridge systems can be built for almost the same cost and will likely consume a similar power level.
    If at some later stage you need to implement Squid, Snort, complex traffic shaping or VPNs you could easily run out of CPU cycles on an Atom.
    About the only niche left for an Atom is in an entirely passively cooled system where the maximum power dissipation of a Sandy Bridge CPU is too high to be practical. That particular niche is rapidly being filled by ARM powered CPUs in other markets.
    My own personal view.  ;)

    Steve



  • IMO passive cooling is a rapidly growing niche, and Intel is doing pretty well with the Atom so far :) But I believe this is getting a bit off-topic. The Atom was first mentioned on this thread just as an example of why the OP shouldn't really need an i5. Many of us suggested going to a lower-end Sandy Bridge like a Pentium or Celeron, but the Atom was never directly suggested as a solution for this, it was only mentioned to make a point.

    @stephenw10:

    Whilst I agree that an Atom would easily handle a 50Mbps connection with almost any number of users I have to also agree with Asterix's view that it seems pointless to use an Atom if you're building a new box. Low end Sandy Bridge systems can be built for almost the same cost and will likely consume a similar power level.
    If at some later stage you need to implement Squid, Snort, complex traffic shaping or VPNs you could easily run out of CPU cycles on an Atom.
    About the only niche left for an Atom is in an entirely passively cooled system where the maximum power dissipation of a Sandy Bridge CPU is too high to be practical. That particular niche is rapidly being filled by ARM powered CPUs in other markets.
    My own personal view.  ;)

    Steve


Locked