Need help spec'ing new pfSense box - 1 Gbps WAN
-
Hi Guys,
I need to build a pfsense box that:
- Is rack mountable
- Can support 1 Gbps on the WAN side
- Has PCI-e for another NIC
Any suggestions on which hardware to go with?
-
My biggest concern while trying to spec this on my own are the Hardware requirements listed for 1Gbps WAN on the pfSense website:
"501+ Mbps - server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU."
I'm not sure if these requirements take into account dual or quad core CPU's. Initially I was thinking a Dell PowerEdge R320 with an Intel Xeon E5-2407 2.2GHz but unsure about what's listed above.
-
You haven't specified what kind of packages you would be installing on the box? For example Snort can take quiet a lot of CPU cycles for processing all data coming in from WAN. Also how many users?
My recommendation would be to go for a low powered i3 system as it can easily support 1Gbps WAN throughput. Do not look at Atoms or older Celerons as you might install heavy packages on it sooner or later. Unless you have over 50 users who would be doing extremely heavy internet usage and i3 processor should be able to take all the abuse with ease. Start with 4GB RAM (1 stick) and if you think you need more you can bump it to 8GB.
Get an Asus mini-ITX (they are well built and have a good record), i3 processor, 4GB RAM and 40-60GB SSD.
For rack mounting, I always recommend 2U boxes as it gives the machine room for air flow and in turn less heat. Hot air dessipates out easily as air circulation is better. The hardware lasts longer in good air flow conditions. You would pay less in electric bills as the fans wont be over tasked in cooling like in a 1U pizza box.
-
You haven't specified what kind of packages you would be installing on the box? For example Snort can take quiet a lot of CPU cycles for processing all data coming in from WAN. Also how many users?
My recommendation would be to go for a low powered i3 system as it can easily support 1Gbps WAN throughput. Do not look at Atoms or older Celerons as you might install heavy packages on it sooner or later. Unless you have over 50 users who would be doing extremely heavy internet usage and i3 processor should be able to take all the abuse with ease. Start with 4GB RAM (1 stick) and if you think you need more you can bump it to 8GB.
Get an Asus mini-ITX (they are well built and have a good record), i3 processor, 4GB RAM and 40-60GB SSD.
For rack mounting, I always recommend 2U boxes as it gives the machine room for air flow and in turn less heat. Hot air dessipates out easily as air circulation is better. The hardware lasts longer in good air flow conditions. You would pay less in electric bills as the fans wont be over tasked in cooling like in a 1U pizza box.
Thanks for the response. Most likely only snort will be used. This will serve a 9 server cluster that is accessed to retrieve/download data fragments (usually 1-5mb) by over 800 users on web (via a web server in the cluster), along with receiving data from around 100 GPS devices.
In your opinion, would a Dell PowerEdge R320 with a Xeon E5 be sufficient? This is for enterprise class systems at a datacenter so I'd rather have something pre-built.
Thanks!
-
Snort might be a little tricky for 1 Gbps throughput. A Intel Pentium G630T (2.3 GHz) caps (hits 100% on the core running Snort) out at ~100 Mbps (torrent traffic, 100/10 Mbps connection). The faster GHz Intel's will probably cap somewhere between 200-500 Mbps too. Remember that a single Snort monitor will only utilize a single core.
This blog post has some ideas on Snort capacity planning: http://mikelococo.com/2011/08/snort-capacity-planning/
-
Last month I got myself a used ASUS RS700-E6/RS4 with the following config.
Intel(R) Xeon(R) Quad Core CPU X5550 @ 2.67GHz
24GB DDR3 SDRAM
4 - 1TB hard drives (SAS)
Dual port Intel gigabit NICs, will be adding a PCIe dual gigabit as well
ASUS PIKE64 LSI RAID cardLoving it. Its still 1U (only thing I don't like.. but I got it for under $450) but it has a zero wire internal design with backup PSU. Lightning fast and pretty less noisy as compared to other comparable servers.
I have 5 VMs (Domain controllers, Exchange, SQL, DLNA) on it including pfSense.. on 75Mbps WAN its running flawlessly and I have yet to reboot it since the day its been up on the network.
The following services are active in pfSense and I have yet to see a processor heavy usage spike.
dansguardian
dhcpd
dnsmasq
miniupnpd
ntpd
openvpn
snort
squid -
I believe that the most important question when designing pf-sense hardware is what king of pipe form outside you are connected to. I have dell 890 that has 8gb of ram and 100mbs from Comcast and my dual core xeon runs at 400 mhz all day long. I have snort installed
-
I believe that the most important question when designing pf-sense hardware is what king of pipe form outside you are connected to. I have dell 890 that has 8gb of ram and 100mbs from Comcast and my dual core xeon runs at 400 mhz all day long. I have snort installed
The outside pipe is Ethernet at 10 Gbps, but we're only using a 1 Gbps drop. Therefore, the hardware will need to be able to handle bursts of up to 1 Gbps, and 100 mbps sustained (doubt it will hit 1 Gbps very often but the hardware still needs to accommodate it).
Thanks for the feedback!
-
Snort might be a little tricky for 1 Gbps throughput. A Intel Pentium G630T (2.3 GHz) caps (hits 100% on the core running Snort) out at ~100 Mbps (torrent traffic, 100/10 Mbps connection). The faster GHz Intel's will probably cap somewhere between 200-500 Mbps too. Remember that a single Snort monitor will only utilize a single core.
This blog post has some ideas on Snort capacity planning: http://mikelococo.com/2011/08/snort-capacity-planning/
Thanks for the info/link. Most likely it will only have bursts to 1 Gbps for very short periods of time, and maintain around 10-100 Mbps for the majority. Sad to see that Snort is only optimized to use a single-cpu.
-
I'm gathering the data here: http://www.pfsense.org/index.php@option=com_content&task=view&id=52&Itemid=49.html may be a little outdated given feedback thus far.
If anyone currently uses pfSense on 1 Gbps WAN uplink, please let me know the hardware you use :)
All other info has been great just hoping to get someone who actually uses 1 Gbps with pfSense.
-
a Xeon with 8GB RAM should suffice your needs. Keep room for RAM growth for future needs.
-
Yes the info on that page is somewhat outdated.
The 1Gbps WAN connection is far less a consideration that trying to run Snort at 1Gbps.
There are plenty of people running 1Gb WANs using relatively low end hardware. For example a Celeron G530: http://forum.pfsense.org/index.php/topic,45439.0.htmlSteve
-
Thanks guys, appreciate all your feedback!
-
For rack mounting, I always recommend 2U boxes as it gives the machine room for air flow and in turn less heat. Hot air dessipates out easily as air circulation is better. The hardware lasts longer in good air flow conditions. You would pay less in electric bills as the fans wont be over tasked in cooling like in a 1U pizza box.
Got an aluminum "pizza box" (Casetronic C159) for US$39.99, I'm unable to use it without 3 40mm fans spinning at 7000rpm just to keep it a Core i3 330M below 50C.
-
You mean like this?:
I hope your fans are arranged better than that. No ducting. CPU cooling fan drawing air from the top which is probably mostly obstructed.
Steve
-
You need to check how your fans spin direction (in or out). My 1U ASUS RS700-E6/RS4 has 7 fans and I have kept just 3 of them placed close to the CPUs which have passive cooling. My fans speeds rarely go over 5500 RPM. Usually they hover around 4500/4800 RPM.
-
There is no other way to use the fans.
-
We are using CARP with two dell poweredge R610 with bi-CPU E5506 and 16Gb of memory.
It has been running well for us.
It handle: a 650Mbps WAN which average at 200Mbps and can peak to 600Mbps for a few hours which generate ~70TB of traffic/month
50000+ states, ~60 simultaneous OpenVPN users, 4 IPSec tunnel (3DES 256bits)
