Hardware Recommendation



  • I am looking to run pfsense 2.02 with squid, snort, and vpn tunneling installed on an HDD or SSD.  I would prefer 1Gb NICs.  A firebox would work, as long as it meets those requirements.  It is for home use, but I want to use the full release of pfsense.



  • NewEgg.com is selling some refurbished HP/Compaq DC7900 systems for about $150 for grade B, about $190 for a grade A one without a few scuff marks. With a 3GHz dual core, 1 GB RAM, 160 GB HD, mini internal speaker, DVD and VGA or DP video in a small form factor box. The motherboard NIC is a GB one and there are three half height PCIe slots for DVI video, more NICs or other uses. If you give up one of the PCIe slots there is a PCI slot too.

    I'm running PFSense on one here and am quite happy with it. I put in two Intel GB NICs for the WAN and LAN connections, saving the motherboard NIC for later. I installed onto a 128 GB SSD drive for power and noise reduction over the internal 160 GB hard drive and once I got the install done I unplugged power to the HD and DVD. Put in an NV210 video card. It is showing under 10% CPU use during a speed test, about zero under light use and 7% memory use. It sits about 3 feet from my ear and it is almost lost in the background noise of my room; the two internal fans, CPU and power supply are very quiet. Power draw is running about 45 watts.

    I looked at some similar sized refurbished Dell boxes but they offer limited expansion slots that are poorly cooled and they make a lot more noise.



  • What other options are available?



  • @alixman:

    What other options are available?

    Maybe some more ideas of what's important to you.  Does it need to be drop-in easy?  Does it need to look like network gear, big or small?  How important is energy efficiency?  How important is cost, or what's your budget?

    Someone else is probably better to answer about the particular Firebox models, but some fireboxes can handle doing that, but they're not always super easy to set up, again, probably depending on the model.  There's a thread of specialty boxes that are known to run pfSense (or not to) here: http://forum.pfsense.org/index.php/topic,36651.0/all.html

    Back in the standard computer world, the DC7900 linked above is actually a pretty decent deal.  You can sometimes find 'em on Ebay a bit cheaper, but, it is Ebay, might have better luck on not getting a dud through NewEgg.  There's also UltraSlim models, but they don't exactly have room for a second NIC, so generally only really good if you have a VLAN capable switch.  DC7700's can be found pretty cheap on Ebay and they're great too.

    I'm currently running a Small Form Factor HP DC5700, but it doesn't have a (real) PCI-Express x16 slot, just an x1 and a couple standard PCI slots, but of course, low profile.

    For the most part, consider the standard PCI bus (all slots combined, not individual slots) as capable of fully supporting a single Gb port, PCI-Express X1 similar.  Dual and Quad port cards should generally require x4 or so (which can fit in an x16 slot.)

    So, what'cha looking for?



  • Size doesn't really matter, I'd like to keep prices sub 300 if possible.  Doesn't have to be rackmount.  Energy doesn't matter.  I just want a fast machine that is crypto card capable, with 2 Gb NICs.



  • I started with a refurbished Dell desktop with a P4 in it.  Barely went over 20% CPU with a persistent IPSec tunnel and a few packages churning away.  I eventually upgraded the box to a DIY with an i3 and 4GB of RAM and 4 x GB NICs.

    Any old beat up refurbished P4 machine with 2GB of RAM and an onboard GB NIC will do.  You can pick up additional PCI (whatever flavor) for another $30.



  • @alixman:

    Size doesn't really matter, I'd like to keep prices sub 300 if possible.  Doesn't have to be rackmount.  Energy doesn't matter.  I just want a fast machine that is crypto card capable, with 2 Gb NICs.

    Right, so any desktop from the last 7 years or so should be able to do that, like tim.mcmanus mentioned, any old beat up refurbished P4 machine.

    I might look for something with PCI-Express, though, as it can help in Gb NIC performance if you needed to add a 3rd port.  Plus, I don't know how much bandwidth flows through a Crypto card, I mean, obviously 2x whatever throughput it's pushing, but I don't know if there's any extra overhead too.  Meaning a total maximum of 44MB/s if a Gb NIC and Crypto card are all on the PCI Bus (133/3) in theory land, but in practice I would expect less, more like 30MB/s.  Which is nothing to sneeze at, just remembering that the PCI Bus is a shared Bus is important.  Not that I have any idea what the Crypto card would be capable of pushing, nor do I have any idea what your internet access is, but almost any CPU you'd use probably can push more than 30MB/s on VPN anyway, so all that can become important (and may actually be a reason to not use a Crypto card if you're stuck on PCI.)

    But, to play around with, an old P4 can be damn near free, if not outright free.  Many will have SATA, so you could do the SSD now and move it over to a faster machine later if it turns out to be what you want to do (again, if you do a PCI SATA card to use a SATA SSD and expect to cache, you'll be adding that to the PCI Bus, which may lower throughput.)  Also, on some of the older P4's the onboard NIC might be Gb, but it also might still be internally on the PCI Bus, especially if it's not an "Intel" NIC (Intel NICs onboard on a P4 are often integrated into the chipset, and so often not on the PCI Bus, or possibly on its own PCI Bus; there were a lot of configurations.)

    Seriously, if you're looking for something decent now and space isn't an issue, I'd look on Ebay for a decent Core2Duo that's not a "Small form factor" or similar, something that has full height PCI and PCI-Express slots.  Core2Quad won't help you, most processes in pfSense are single threaded, so usually, at most, you'll have 2 threads hitting the CPU with any vigor, and usually only 1, so the extra cores don't help and can actually reduce performance due to the two banks of cores having separate caches.

    Personally I like HP DC7700's.  Assuming you're in the US, this is under $75 shipped: http://www.ebay.com/itm/HP-COMPAQ-COMPUTER-DC7700-MT-INTEL-CORE-2-DUO-E6400-2-13-GHZ-1GB-RAM-DVD-FreeSH-/380563334139?pt=Desktop_PCs&hash=item589b57a3fb  (You might want some more RAM, but you can start with that and get the extra RAM later, but another GB of DDR2 is cheap, maybe a pair of 512MB DIMM's might be cheaper, even.)

    Or here's a DC7800 with a slightly faster CPU and 2GB of RAM, for $12 more, still under $100 shipped in the US: http://www.ebay.com/itm/HP-COMPAQ-DC7800-CORE-2-DUO-E6550-2-33-GHZ-2-GB-RAM-CDRW-DVD-WORKING-FREE-SHIP-/130840503568?pt=Desktop_PCs&hash=item1e76b3a510

    It's easy to build a -very- capable pf box with cheap hardware.  I almost ran it on an old 1GHz PIII/Celeron I was using for m0n0wall, but, seriously, the main reason I didn't was because the fans on the old rack-mount PIII machine were loud and I had the HP DC5700 sitting around doing nothing (I originally bought it for a Media PC, but its slot that looks like a PCI-Express x16 slot isn't, it's ADD2/SDVO; don't get me started on that one.)



  • You are very helpful.  So if I bought the DC7800 you listed, what upgrades would you do?  SSD for sure for squid/snort, what else?



  • Just make sure you get plenty of PCIe slots and plenty of lanes (4x & 16x) for your multiport NICs and crypto card. The 7900 has a 16x, a 4x (with a 16x socket) and a 1x, so that worked out well for me.

    For now I have a graphics card in the 16x slot, way overkill, but the DP output and my DP to DVI converter didn't work with my KVM switch and my monitors don't like VGA. Then two single port NICs in the 4x and 1x slots; the 4x could be updated with a multiport Intel card, I have a dual port model in my parts box if needed, and the motherboard port is available for a low-bandwidth link.

    You'd end up, assuming no graphics issues, with your crypto card in the PCIe 16x slot, a dual/quad port NIC in the 4x and a single port one in the 1x.

    I did an SSD; a 64 would do but a 128 has much better IO rates so I went with that.

    Good smart NIC cards have worked out well for me in other places so I pretty much keep a stack of them on hand. Mostly 1x single cards but I have a spare dual port one too. I've been very happy with Intel's offerings, low CPU loading, fast throughput and no adapter related glitches so far.

    The HPs have funny drive mounts for the HD and DVD drives: the front DVD and HD use funny screws to slide in slots, not too hard to find some that fit the slots in your junk box. The back drive that fits under the power supply used a funny screw with a vibration damper built into it. I moved the HD to the front slot and unplugged it; keep it handy as you'll need Windows to do HP updates with, a very few can be forced to work from DOS or by a direct CD/USB load. The rescued vibration dampers went on a 2.5 to 3.5 converter with no problem and the SSD is happy under the power supply. When you have the install finished you can unplug power to the DVD too.

    I added a home-brew power cord retainer, a couple wire-ties and a loop of Velcro to avoid surprise unplugging by a too firm cable pull.



  • @alixman:

    You are very helpful.  So if I bought the DC7800 you listed, what upgrades would you do?  SSD for sure for squid/snort, what else?

    Well, I'd put in more RAM, for sure.  I mean, 1GB is great for normal routing, but if you're doing extended features, you'll want more.  They can cheaply take 4GB, 8GB isn't too expensive.

    I would probably get a good dual port PCI-Express Intel Gb NIC, it'll fit in your PCI-Express x16 slot (you don't need a video card in a router, the features supplied by the onboard/integrated GPU are already overkill.)  It has an integrated Intel Gb NIC already.

    If you need something physically smaller, the Small Form Factor versions of the same can be slightly cheaper, but they'll need low profile cards.

    Past that, unless you've got some serious internet access and/or plan on doing some crazy stuff, upgrades would probably be just for the sake of upgrading, not noticeable performance.  I mean, this hardware should be able to get close to saturating Gb internet with pure routing; VPN somewhere between 50Mb and 100Mb (+/- probably 20Mb depending on the type of VPN.)  I'm not sure what dedicated crypto cards would do for you, though.
