Mini-ITX fanless recommendations?



  • I recently found out about pfSense and I would like to build a system utilizing it as a firewall.

    Ideally, I'd like to get a fanless system that is quiet and efficient on power.  The system will support a home network with a single NAS, VoIP and 3-4 PC's on a 20/3 internet connection.  I run daily backups off the NAS to a remote NAS with approximately (10-20MB) daily and periodically (10-20GB).

    Ultimately, I'd like to incorporate Snort, Squid, clamAV, and VPN services in the pfSense setup.

    I was considering the Intel D2500CCE Mini-ITX and was wondering if this would be sufficient to provide these services without taxing the box too badly?

    Thanks.



  • I wouldn't recommend building the box in my photos below, it cost way too much, but most of it was in spares I had sitting around from other projects, so I'm going to show off.  All I bought for this was the DN2800MT motherboard, the case, and the power brick.  I had the RAM, mSATA SLC SSD, and quad-port NIC sitting around.

    Atoms tend to get pummeled under heavy load (eg. snort, squid, clamav, VPN, etc) but you don't have a lot of bandwidth so it should be OK.

    ![2013-04-18 19.34.36.jpg](/public/imported_attachments/1/2013-04-18 19.34.36.jpg)
    ![2013-04-18 19.34.59.jpg](/public/imported_attachments/1/2013-04-18 19.34.59.jpg)



  • I have essentially the same system, but since I loaded Snort and HAVP it's slowed down noticeably. I'm now considering an Intel DQ77KB MB with an Ivy Bridge (3rd gen) i3 processor.


  • Netgate Administrator

    Like Jason said I would have thought an Atom would be fine at 20/3 Mbps even with those services. The Atom will be good for ~50Mbps VPN, for example, or ~500Mbps raw throughput.
    What WAN bandwidth do you have Daniev?

    You will struggle (or pay a lot!) if you want entirely fanless with a higher power CPU.

    Steve



  • Steve, yes on the i3 I won’t go fan-less, but the new generation CPU cooler fans are very quiet. I have the Verizon FIOS 75/35 plan but with their "fluff" to allow for HD TV, I see 84/39 Mbps and I'm not complaining about anything other than HTTP/S traffic. This is not scientific in any way but ever since Snort and HAVP had been loaded the response on Internet Browsing has slowed down to the point where it's now annoying to me. I'm hoping the i3 horsepower / power consumption balance is just right and an improvement over the Atom processor.



  • @daniev:

    I have essentially the same system, but since I loaded Snort and HAVP it's slowed down noticeably. I'm now considering an Intel DQ77KB MB with an Ivy Bridge (3rd gen) i3 processor.

    How much bandwidth do you have?  Number of active states?

    Snort is very dependent on the amount of RAM in your system and what options you select.  If you've enabled a ton of rules, or picked an option like lowmem, and don't have a lot of memory to go with it then your performance may plunge.  Take a look at the last paragraph at the link below.

    http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense?start=1



  • @stephenw10:

    Like Jason said I would have thought an Atom would be fine at 20/3 Mbps even with those services. The Atom will be good for ~50Mbps VPN, for example, or ~500Mbps raw throughput.
    What WAN bandwidth do you have Daniev?

    You will struggle (or pay a lot!) if you want entirely fanless with a higher power CPU.

    Steve

    A current-gen, dual-core 1.86GHz Atom will actually do more like 70-80Mbit/s on an AES-256 VPN.  Mine has no issues with maxing out both directions on my FiOS at once with OpenVPN to my office.


  • Netgate Administrator

    Ah, my figure was based on the older D510/D525. I thought it better to be conservative.  ;)

    As soon as you are doing virus scanning on the proxy you will introduce some delay no matter how powerful the box is. You click a link in your browser, normally code starts arriving and being rendered almost instantly so you see some action. If you are scanning for viruses, when you click in your browser the code is first downloaded to the proxy so it can be scanned and then it starts coming back to your machine. You initially see no action at all.

    Steve



  • @Jason:

    @stephenw10:

    Like Jason said I would have thought an Atom would be fine at 20/3 Mbps even with those services. The Atom will be good for ~50Mbps VPN, for example, or ~500Mbps raw throughput.
    What WAN bandwidth do you have Daniev?

    You will struggle (or pay a lot!) if you want entirely fanless with a higher power CPU.

    Steve

    A current-gen, dual-core 1.86GHz Atom will actually do more like 70-80Mbit/s on an AES-256 VPN.  Mine has no issues with maxing out both directions on my FiOS at once with OpenVPN to my office.

    How is the response/performance with Snort (all categories loaded), Squid, Dansguardian (with clamd virus scan), pfBlocker, etc. all running on it?



  • I don't use all that crap at once so I couldn't say.  You're asking a lot with all that on there.  If you're looking for a high-bandwidth, all-in-one solution you should be willing to spend more as well as deal with some higher power consumption and noise.



  • Yup.. just wanted to see if Atoms were getting powerful enough. I guess my impressions were right.. they are just not up to par in performance to have multiple packages running all at once.
    I stand corrected.. i3 is the most suited CPU for heavy packages.



  • Ok, I think I have decided on the components for building out my pfSense system.  The one item I am kinda indecisive on is the CPU's listed below.

    Can anyone argue for one of these particular CPU's over the others?

    Motherboard: GIGABYTE GA-H77N-WIFI LGA 1155 Intel - http://www.newegg.com/Product/Product.aspx?Item=N82E16813128567
    CPU: i3-2100 Sandy Bridge 3.1GHz - http://www.newegg.com/Product/Product.aspx?Item=N82E16819115078
         i3-2120 Sandy Bridge 3.3GHz - http://www.newegg.com/Product/Product.aspx?Item=N82E16819115077
         i3-2130 Sandy Bridge 3.4GHz - http://www.newegg.com/Product/Product.aspx?Item=N82E16819115092
         i3-3220 Ivy Bridge 3.3GHz - http://www.newegg.com/Product/Product.aspx?Item=N82E16819116775
    (comparison http://www.newegg.com/Product/Productcompare.aspx?Submit=ENE&N=100006676&IsNodeId=1&Description=i3 cpu ivy%20bridge&bop=And&CompareItemList=-1|19-115-078^19-115-078-04%23%2C19-115-092^19-115-092-TS%2C19-115-077^19-115-077-03%23%2C19-116-775^19-116-775-TS&percm=19-116-775%3A%24%24%24%24%24%24%24)

    Memory: CORSAIR Vengeance 8GB DDR3 SDRAM DDR3 1600 (PC3 12800) - http://www.newegg.com/Product/Product.aspx?Item=N82E16820145345
                  (I'm hoping the heat sink on these sticks will fit in the case ok)
    Case: M350 Universal Mini-ITX enclosure - http://www.mini-box.com/M350-universal-mini-itx-enclosure
    SSD: Mushkin Enhanced Chronos MKNSSDCR60GB 2.5" Asynchronous MLC SSD - http://www.newegg.com/Product/Product.aspx?Item=N82E16820226247
    Power Supply: picoPSU-160-XT + 192W Adapter Power Kit - http://www.mini-box.com/picoPSU-160-XT-192W-Adapter-Power-Kit

    A concern I had with the power supply is that the motherboard mentions the following in its manual:

    "To meet expansion requirements, it is recommended that a power supply that can withstand high power consumption be used (300W or greater)."

    However, the largest picoPSU I see available is 160W (w/ 200W peak).

    Thanks.



  • @asterix:

    Yup.. just wanted to see if Atoms were getting powerful enough. I guess my impressions were right.. they are just not up to par in performance to have multiple packages running all at once.
    I stand corrected.. i3 is the most suited CPU for heavy packages.

    They are fine as long as you don't try to use a ton of packages AND have a ton of bandwidth.  If you're looking for fanless it's about as good as you can get unless you find some appliance where the CPU heatsink is attached to the case.


  • Netgate Administrator

    You do not need an i3 for 20/3Mbps WAN connection. Consider saving some money and using a lower end Sandy/Ivy bridge CPU instead. Perhaps this: http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889
    Or, to reduce heat and noise, this: http://www.newegg.com/Product/Product.aspx?Item=N82E16819116407

    The on board wifi on that motherboard will not work with pfSense. There is actually a review on the site of using that board with pfSense that states that.

    Steve



  • I had 2 bad experiences with Gigabyte motherboards. I recommend you look into Asus.



  • Thanks so much for the suggestions stephenw10.  I'll take a look at those CPU's.

    asterix, I too was slightly skeptical of the Gigabyte board and have to admit have had nothing but success with the ASUS boards.  I just couldn't find an ASUS board with two onboard NIC's.  Looks like I'd have to install a NIC into any of the ITX ASUS boards.



  • @Jason:

    @asterix:

    Yup.. just wanted to see if Atoms were getting powerful enough. I guess my impressions were right.. they are just not up to par in performance to have multiple packages running all at once.
    I stand corrected.. i3 is the most suited CPU for heavy packages.

    They are fine as long as you don't try to use a ton of packages AND have a ton of bandwidth.  If you're looking for fanless it's about as good as you can get unless you find some appliance where the CPU heatsink is attached to the case.

    FYI, I just fired up Snort on my box at home with VRT Balanced and all ET rules and there was negligible change to throughput, latency, and CPU usage while maxing out my FiOS (42/35).



  • I tested my i5 (pfSense on an ESXi 5.1 but no other VMs turned on) with full 50/6 bandwidth taken by P2P file downloads for over 4 hours. I had all packages running… like Snort fully loaded with all rules, Dans with clamd virus scanning, Squid, pfBlocker.. etc and saw constant 20% usage throughout the 4 hours. Also to keep in mind is the number of connections... mine were way higher than normal so my box had to keep up with each connection.

    I highly doubt an Atom would be able to sustain that.



  • The Pentium G630T (Sandy Bridge) nearly caps out at 100 Mbps DL with Snort loaded up. Almost all processes on pfSense (pf, Snort, etc.) are single thread only, so you can very easily cap it out with heavy packages. When I run my box to the max on my 100/10 Mbps fiber, Snort runs at close to 100% on one core.

    If the i5 was a quad core and 20% total load, then that's nearly capping out one core.



  • Yup.. it's a quad core.

