1U/2U PfSense Appliance



  • Wanted to ask if anyone had a favorite pfSense appliance seller. Looking to run the latest pfSense 2.1.

    Needs 2:

    Handle approx 200+ users on the network.
    handle min of 2 ISPs (50 and 15 Mbps pipe)
    Would like to keep it at 1U if possible.

    Has anyone tried the StrongBochs pfSense box? Was also thinking of the Mars line of boxes by Hacom.

    *Is it better to go with Atom or something more like a Celeron?

    Any feedback or links to reviews would be greatly appreciated.



  • For something like that I would look at a slightly more powerful machine; most sellers focus on crappy 500 MHz Geodes (they have their place).

    I would look into a basic 1U server with a full Xeon or maybe like an i3 or i5 and add your own NICs and HDDs.

    When I do sell boxes of the size you're looking for I like to use the low end of Dell, HP or sometimes Supermicro.

    If you're sharp you can find something with dual PSUs.



  • I built an atom box with dual gigabit ethernet, 4GB ram and a 30GB SSD all in a 1U box

    Intel Atom D2500CC
    1U case without fan and power supply
    204 pin DDR3 ram
    SSD of choice

    All for less than $350. If you go up to i-Series processors, your total will jump up to about $525. Either choice should fill your needs.



  • You guys are right, I would get a better machine if I did it myself but in this case I am looking for something already made that I could order. Have you guys had any luck with some that are already made?

    starshooter10, I think you're right. I'm not going with anything less than 1GHz.

    Any reviews or someone that has purchased and used an already made pfsense box that could recommend me something would be appreciated.


  • Banned

    I would raid 2 cheap 1U IBM servers off eBay... and run them in a CARP config.



  • Just to be clear on your requirements:

    Are you looking for pre-built hardware that is already configured for pfSense pre-installed, or are you looking for pre-built hardware that you can easily install pfSense on?

    Also, does this need to be from a seller that provides ongoing commercial support for the hardware and/or pfSense?

    These all make a difference.  As such, most of the comments seem to point at standard hardware you can install pfSense to, although the "Appliance" term usually indicates a turnkey system with all inclusive, clear instructions.

    Of course, there's a lot of vendors listed on the pfSense Recommended Hardware Vendors page ( http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50 ), but I assume you're looking for testimonials?


  • Netgate Administrator

    Building the box and installing pfSense is half the fun IMHO.  ;)
    Old Watchguard box? I'm running several of them.

    Steve



  • @stephenw10:

    Building the box and installing pfSense is half the fun IMHO.  ;)
    Old Watchguard box? I'm running several of them.

    Steve

    I certainly agree, doesn't mean others can't feel differently. shrug



  • Have you looked at Lanner?
    1u +
    http://www.lannerinc.com/x86_Network_Appliances/x86_Rackmount_Appliances
    Desktop
    http://www.lannerinc.com/x86_Network_Appliances/x86_Desktop_Appliances

    Besides the Atom/Embedded models for CPU, they are pretty much bare bone. You can put in what you like (per specs of course) :)

    I have not run 2.1 on any Lanner yet, as we are using 2.0.1
    The only thing I have not messed around with was the LCD.



  • Been talking to the Co on the pfSense vendor list and looking at the specs I feel like I can build a 1U for 1/3 the price with better specs. I was originally looking for a "turnkey" box with 2.0.1 pre-installed. Now I am looking at Newegg and see 1U servers for ~$350 that, if compatible with pfSense, could do the job and save me ~$400.

    At this point a link to a pre-built 1U that would run pfSense (2.0.1) would be perfect. If I could find a box that I know the hardware is compatible with pfSense I would be very happy. I can install pfSense myself.

    *is atom dualcore or reg dual core better?


  • Netgate Administrator

    @spartan7:

    reg dual core

    Not sure what you mean.  :-\

    Steve



  • @stephenw10:

    @spartan7:

    reg dual core

    Not sure what you mean.  :-\

    Maybe "real" dual core vs single core with hyperthreaded core.

    I believe there are atoms with two "real" cores and atoms with hyperthreaded cores.

    I have seen reports that in some work loads a real core plus hyperthreading beats a single "real" core and in other workloads a single real core beats the hyperthreaded combo. I suspect hyperthreading is unlikely to help a basic pfSense though hyperthreading might help if there is a significant application component.



  • Beginning to sound like price is fairly significant decision factor.

    Have you considered a re-purposed notebook?  VLAN the NIC with switch to support the multiple ISP WAN and LAN connections.



  • Will an Atom dual core be enough to power 200 users and 40-50Mbps bandwidth? I read that a dual core was going to give me better performance than an Atom based dual core. I just wanted to get some feedback if anyone had experienced better performance running pfSense.

    From what I can see, many of the 1U boxes that run pfSense are running a dual core Atom based mobo. I think this should do for me. I was looking at the SUPERMICRO SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit LAN and adding an Intel dual port NIC. Has anyone used this box?


  • Netgate Administrator

    A lot of people have used that box (or very similar boxes). The D525 is good for >500Mbps of NAT/firewall. It will probably manage to max out your WAN with VPN traffic if needed (>50Mbps).

    I'm still not entirely sure what you mean (an Atom dual core is an example of a dual core machine) but if you mean Core 2 Duo then yes, that will give better performance. The Atom is the lowest performing of all Intel's current CPUs, everything else is faster!
    You may want to consider using a low end Sandy Bridge CPU such as the G620T or G530T. Both of these can build to a system that is not much more expensive than Atom and doesn't use much more power but is a far, far more capable machine. Throughput >1Gbps. There are several example builds on the forum.

    Steve



  • Logical CPU's via multiple instruction queues (Hyper-threading) are fake CPU's.  Yes, they can help certain processor loads that are multi-threaded and data intensive.  The way it works is if an instruction is waiting for info that it doesn't already have in the processor cache, then it'll move on to the other instruction queue and possibly process that thread while waiting on the previous queue to get all its ducks in a row.

    Now, this doesn't help for single threaded computational tasks.  Most of the heavy lifting tasks for pfSense are mostly single threaded.  And since there are rarely 2 CPU bound threads going on at once in most pfSense installs, Hyper-threading doesn't help as much with those heavy tasks; it may help the other threads from being stalled as much if the "big" thread isn't able to keep the CPU actually busy, though, which is nice.  While an OS sees and usually treats these logical CPU's as individual CPU's, they're not, they're simply instruction queues that remove some of the process scheduling away from the OS and let the CPU re-order its instruction queue to fill the gaps.

    Imagine a supermarket line of customers waiting for a single cashier where the cashier is -very- good at switching between tasks.  Instead of having a single line where the cashier may end up waiting for people to get their kids in line, get stuff on the belt, write checks, get coupons out, etc; have 2 lines where the cashier turns around to start processing another customer's groceries that's ready to go.  While it might not be exactly 2x as fast, it's certainly faster when there's multiple "slow" customers.

    Cores are (mostly) individual CPU's on a single CPU carrier.  They may share certain functions between the cores, like a certain amount of cache and/or instruction queues, but their processing core is (usually) mostly discrete.  Because they can share some functions they can be both better and worse than individual CPU's; since they can often share cache, you don't have as much cache swapping between CPU's, but you also have to split the bandwidth of the bus itself.  But, this can work well for pfSense in that if a heavy thread is hammering a core the other, regular routing processes aren't (as) slowed down by the lack of CPU time available; which means if a heavy VPN session is going, other users aren't as affected (at least as far as routing goes, your WAN or even LAN may still be affected by bandwidth issues.)  From the reports of multiple board members/admins here, pfSense seems to be able to effectively take advantage of 2 cores, rarely does more than 2 actually make a difference. (Remember the cashiers? Take the cashier with 2 lines and give them more arms, "upgrade" their brain, eyes.)

    Dual CPU, SMP, Dual Socket, multi… etc. are individual CPU's (socket, die, package, etc) on a single motherboard.  These are fully individual CPU's.  This has been around for a long time.  In the x86 world this was done with single core CPU's, sometimes 4 or more, but usually 2.  The main issues had classically been cost of both the motherboards capable and, of course, multiple CPU's.  Oh, and power, 2 hot CPU's take twice the power of a single (although the rest of the system may still be "normal".)  (Btw, this is simply 2 cashiers with 2 individual lines.)

    Then there's, of course, Multi CPU + Multi Cores.  Still usually server and enthusiast option, considering the cost.  Some of the big Macs had 2x QuadCore CPU's, affectionately referred to as a V8.  (4 to 8 lines, 2 individual cashiers, lots of arms)

    And, even more fun, add Hyper-Threading to any of those.  I have servers at work that report 24 Logical CPU's (2 sockets, 6 cores, Hyper-Threading.)  In Windows, bringing up the CPU graphs in Task Manager is less than useful, but slightly humorous.  (You use Excel?  Cross the cyber-octopus cashiers with a few dimensions of Pivot Tables, run in horror.)

    Anyway...  The D525 is a dual core CPU + Hyper-Threading, so it "looks" like 4 logical CPU's to the OS.  That is, to use your terms, 2x "Real" cores plus "Hyper-threading core(s)".  From a quick look, it looks like all the Dual Core Atom CPU's support Hyper-threading, most of the single's do as well.

    For your use, assuming you're not expecting your pfSense implementation to provide VPN support to many simultaneous users, I would think that Atom should be fine for 200 "regular" users. (just to be clear, a few VPN users would still probably be fine on the Atom, even with your 200 regular users.)  Now, unless these are students, or a LAN party, or something similarly scary, where these 200 users are playing games, trying to torrent, etc.  Then you're going to want to do some packet shaping, filtering, etc., and that might "want" a bigger CPU.



  • Oh, and why are there Atom CPU's?  Power, electricity.  They were originally designed for netbooks and tablets where battery life was more important than CPU speed.  These made their way over to small router installs like this since a lot of small to medium offices often don't need a large CPU to route for a standard business, but want to save power, heat creation (some of these sit in closets that aren't well cooled), and/or fan noise (if you're not making a lot of heat, you don't have to push as much air through a small fan, spin 'em slower.)

    If you don't care about heat/power/noise, there's little reason to go with an Atom, especially if you're worried about the features you may add/enable on pfSense that might overload the CPU.  There's plenty of higher powered CPU's you can put in a 1U box for similar cost.


  • Netgate Administrator

    Nicely explained.
    This thread seems relevant here:
    http://forum.pfsense.org/index.php/topic,41643.0.html

    Steve



  • Thank you for the wealth of info. It made more sense. I ended up buying the D525, but will be taking your advice and getting a Sandy Bridge since we don't mind the noise or power.

    Are there any intel cards that are recommended for pfsense or just any intel as long as they are intel?

    Is it better to run 64 or 32 bit pfsense?

    Once again thank you for taking the time to answer.


  • Netgate Administrator

    Unless you need >4GB of memory I would always use 32bit.
    There is almost no performance advantage running 64bit and there are fewer people running it to find bugs.

    Steve



  • Where on the forum would I post for someone to swing by our business and check configuration of the new pfSense hardware? I would like to make sure that it's up correctly.

    If anyone is interested pm me. We are located in Irvine, CA. 2 locations.

    Thanks



  • Try these for prebuilt 1U servers.  They typically use Supermicro boards so Intel NICs are common.  Check the specs before you buy, but they are a good brand.  Of course, you pay to have them put it together, which you can obviously do yourself if so inclined.

    http://www.ironsystems.com/products/servers/AR-Class



  • Check this out: Newegg 1u Server Barebones

    Check out this SuperMicro 1U barebone, it has dual lan, and supports LGA 1155 CPU's. (It DOES support 22nm Ivy Bridge CPU with currently included BIOS 2.0)
    The Pentium G2120 (22nm Ivy Bridge, 3.1GHz, Dual Core)
    Grab yourself some low power ram
    Total Above: $477.97

    This system would be better, and ~$200 cheaper than the $675 AR300 in the above poster's link.

    And an HD or SSD, and you are pretty much set!



  • Steve

    Thanks for the heads up on the better builds. I think I will be going with your advice. I'll search for a good sandy build, if you happen to remember one please post a link here.

    ****As I was scouring through the forum I saw the post for 2.0.2 and saw that it was released TODAY!!! I just downloaded and installed without a hitch. ****

    I will follow up with a post with screenshots of performance.

    Thanks for the help guys.

