My pfsense build



  • So I decided to build my own pfsense box. I am hoping to get some good feedback from these forums on my build.

    1. The Case
    I want a case that is rack mountable. I want the IO to be in front so I can easily access the NICs. I have found only a few options for front IO server chassis. I prefer the power supply to remain in the back but not a huge deal if it's in the front too. The thing I cannot seem to find is a case with front IO and a front 5.25" external drive bay. Probably doesn't exist but I would like to ss as I have a 4 X 2.5" hot swappable drive cage I can put in a 5.25" drive bay. I will have to see what I can get. I plan on using two SSDs in a RAID 1 so not much chance of failure but I would like easy hot swappable access in case one does manage to fail.

    2. The Motherboard
    I still have a lot of work to go on deciding the motherboard for this build. I am thinking either low-end server grade or a decent consumer grade board. The main thing is it needs a fast bus to avoid bottlenecking my throughput, and it needs to support my CPU obviously.

    3. The CPU
    This is the part of the build I have actually narrowed down to a specific part I am looking to get. This is an Intel i3 dual core 2.6GHZ CPU with a power draw of only 35 watts. And it's affordable. I would really like to get feedback on this CPU choice before I actually purchase it. http://www.newegg.com/Product/Product.aspx?Item=N82E16819115094

    4. The RAM
    Nothing special here, I was thinking 3Gigs should suffice for my needs. Since I am planning on running virus scanning and web caching packages.

    5. The Harddrives
    I already mentioned this but I am looking to get 2 low capacity SSDs (probably used to save some money). RAID1 for redundancy in the unlikely event one manages to fail. I want a failure to be a 0 downtime issue.

    6. The NICs
    I am looking to have 1 4-port gigabit NIC to start with (plus hopefully two on board for WAN interfaces). I am also looking to have room to expand with at least 1 more 4 port card in the future.

    My 3 goals for this build in order:

    • Maximize network throughput
    • Keep costs low
    • Keep power consumption/heat low

    Any feedback you can give or recommendations especially on a case to meet my needs is appreciated.


  • Netgate Administrator

    What sort of throughput are you looking for? WAN to LAN or between internal subnets?

    Steve



  • My WAN is a 40MBps (down) Cable connection, I want to at the very least keep pace with that. Between subnets the closer I can get to Gigabit the better. But I'm not sure if this regular desktop CPU I am looking at is even compatible with a decent server grade motherboard with a PCI-X bus to support high throughput.


  • Netgate Administrator

    That CPU will push >1GBps of traffic doing just NAT/firewall. It will easily saturate the 40Mbps WAN with web caching and virus scanning. I'm sure you can find a motherboard that will take it, I wouldn't have thought it very difficult. You will be looking at PCI-e in any board that will take it so forget about PCI-X.

    Quad port NICs are expensive, especially if you get Intel NICs and that's highly recommended. A rack mounting case with a front 5.25" bay and two PCI expansion slots could be very difficult to find! Have you considered using a managed switch and VLANs instead?

    Steve



  • @stephenw10:

    That CPU will push >1GBps of traffic doing just NAT/firewall. It will easily saturate the 40Mbps WAN with web caching and virus scanning. I'm sure you can find a motherboard that will take it, I wouldn't have thought it very difficult. You will be looking at PCI-e in any board that will take it so forget about PCI-X.

    Quad port NICs are expensive, especially if you get Intel NICs and that's highly recommended. A rack mounting case with a front 5.25" bay and two PCI expansion slots could be very difficult to find! Have you considered using a managed switch and VLANs instead?

    Steve

    How well will PCIe perform?

    I did some more research into cases. I found one it had the front IO and it had a rear 5.25" external bay which would have worked ok since I would not need access to the drive bay often but it was spendy at $300. I think I decided to go with a generic rackmount case with the standard rear IO then connect the NICs to a patch panel mounted above the server to give me access to rewire as needed. I suspect I could find a mobo with 4 expansion slots and I can use just dual port NICs I've seen those on ebay for $20-$30 each.


  • Netgate Administrator

    @MarkA:

    How well will PCIe perform?

    Much better than PCI-X. Even a PCIe X1 slot has 2.5Gbps bandwidth.

    I would still rather use VLANs and more standard looking hardware. How easy or quickly will your box with external PCI-e cards be to replace if you have a problem?

    Steve



  • This case can be mounted reversed, link, picture



  • If you have a Microcenter close by then go for a mini-ITX or micro-ATX (with 2 PCIe slots) motherboard with i3 CPU. mini-ITX typically have just one PCIe slot.

    Also get 4GB of RAM instead of 3.. an extra GB doesn't hurt.. plus they are cheap.

    For the NIC check eBay and get 2 PCIe Intel dual-port gigabit network cards. Hook the WAN to the onboard NIC and use the 4 Intel ones for your internal network.

    For the enclosure I had a 2U. It gives room for adding hardware plus the extra room is good for hardware air circulation.. keeps it better cooled than a 1U. It is not that big. I converted it to a VMware machine and had pfSense hosted on it along with a few other VMs. The i3 will work ok on VMware but it won't be lightning speeds if you add additional VMs on it. OR just keep plain pfSense on it with no VMware.

    http://www.plinkusa.net/webG2220S.htm



  • Buy a slightly old MOBO with a slightly old chip-set and slightly old NICs. 
    Preferably Intel NICs, but others also work. 
    Then check the specs against the boards BEFORE YOU BUY.



  • You can get a cheap supermicro case, or one second hand. For the mainboard I would have chosen a supermicro mainboard because it has ipmi and is made for servers, so is always better than a regular mainboard from asrock, asus etc

    RAM might or might not be important, but it is always preferred to have too much than too little. 4, 8, 16 GB does not cost much, in some cases linux will cache and that will or might increase the speed, even if it is a little. For the HDD you might consider a 10k or 15k rpm harddisk, ssd is good but I would not put reliability on consumer ssd's. The NIC is good because you will not need it with a low end system.



  • So if I go with that i3 processor linked in my OP, a server grade mobo with pcie bus and gigabit NICs. It sounds like I can saturate the gigabit NICs and maximize my throughput, is that correct?

    I am also curious as to why you would recommend mechanical drives over ssds? Because I don't need much capacity ssds I can get 2 32GB ssds for $70-$80. As I understand ssds have extremely low power consumption generate little heat and because they don't have any moving parts have faster IO and are less prone to failure, am I missing something here?

    For the mobo I found this: http://www.ebay.com/itm/Intel-S1200BTL-LGA-1155-Server-Motherboard-GG3-/330967844318?pt=Motherboards&hash=item4d0f3885de

    http://ark.intel.com/products/53557/

    What are your thoughts on this mobo? My processor isn't listed as compatible with this motherboard though. It says the i3-2120 is but that's just a slightly more powerful version of what I was looking at the 2120T, if necessary I could just go with the 2120 but I prefer the 2120T listed above because it uses less power and should be powerful enough for this. It does state it is compatible though with the i3-2100T which is also low power but the clock speed is a little lower at 2.5GHz, newegg has discontinued it but I can find it here http://www.amazon.com/Intel-i3-2120T-Dual-Core-Processor-Cache/dp/B005LMPN7M/ref=sr_1_2?ie=UTF8&qid=1377033526&sr=8-2&keywords=i3-2100t



  • Depends on which kind of install you plan to do as to if SSD is a good way to go or not.  SSDs that are good for a full install of pfsense and won't break are actually sorta pricey.  The SSDs you are talking about are probably cheap junk MLCs that rely on TRIM to keep them going more than a month or two.  Good SLC versions are better for full installs of current release of pfsense but cost a bit more.


  • Netgate Administrator

    Interesting that it doesn't list the 2120T. The 'T' variants have different voltage requirements to get the lower TDP however it lists the G2100T as compatible as you say. I'd be surprised if it didn't work. Perhaps look for reports of compatibility elsewhere before you buy.

    Steve



  • @MarkA:

    I am also curious as to why you would recommend mechanical drives over ssds? Because I don't need much capacity ssds I can get 2 32GB ssds for $70-$80. As I understand ssds have extremely low power consumption generate little heat and because they don't have any moving parts have faster IO and are less prone to failure, am I missing something here?

    I've killed several small cheap SSD's running squid and dansguardian on my home network. I finally gave in on the last one and purchased a quality drive (Intel) - so far so good.



  • Which Intel drive did you buy exactly and what do they cost?



  • @kejianshi:

    Which Intel drive did you buy exactly and what do they cost?

    Don't remember which one… it was one of the later models - 40GB. Recommended by someone on this board...



  • Ahhhh - A later model 40GB SSD of some sort.

    Yeah - I also heard those are good.



  • @kejianshi:

    Ahhhh - A later model 40GB SSD of some sort.

    Yeah - I also heard those are good.

    I believe the key was "later model "Intel"… I didn't google it, but I doubt there are many variations on the newer Intel SSD's - they all tend to be pretty good quality.



  • I disagree - I think there is huge room for differences in reliability amongst the drives made by Intel.  If not, there would be no need for Intel to sell expensive SLC based drives for enterprise applications.  They could just peddle off their MLC stuff to everyone.  Personally I think people are dreaming, or perhaps just wishing, when they install MLC into something that's going to have to endure a lot of writes.

    Every year some company has a new fail proof scheme how to make MLC as reliable as SLC and after a year or so they find they were wrong (after having sold a ton of product of course).



  • @rjcrowder:

    I believe the key was "later model "Intel"… I didn't google it, but I doubt there are many variations on the newer Intel SSD's - they all tend to be pretty good quality.

    Found it… Intel 320 Series 40 GB,Internal,2.5"



  • MLC - Get to version 2.1 ASAP and get TRIM running…



  • MarkA,

    I saw someone suggested you getting a Mini-Itx board. I just successfully built a Pfsense 2.1 system very similar to what you are talking about so I thought I would throw this idea of a build out to you.

    I got this motherboard with dual Realtek nics:
    http://www.newegg.com/Product/Product.aspx?Item=N82E16813128567

    It supports LGA 1155 So I am sure your i3 CPU would be fine, you can check here for CPU compatibility:
    http://www.gigabyte.us/support-downloads/cpu-support-popup.aspx?pid=4338

    I put in a newly released Pentium G2030, this system rocks man. The dual Realtek nics were not seen by 2.03 but they were seen by 2.1 and then I have a PCI express Intel Dual nic installed for the Opt interfaces. The sticker on the back says Intel Pro/100 PT Dual Port I picked it up on Ebay for $30.

    The reason I am suggesting this route is I am concerned you will pay out the nose for a 4 port nic. This way you get two supported nics with the board and a cheap dual port Intel nic. I didn't put this in a 1u chassis, I just got a mini itx InWin case, so  if you go that route you will need a low profile PCI bracket for sure, but you can find one cheap.

    Anyway, thought I would share since I also just built a socket 1155 4 nic build. Everything works I did not have to do ANY special setups, only enabled Trim for my SSD that's it.

    Just for FYI my system:
    GIGABYTE GA-H77N-WIFI
    Pentium G2030
    (2 Onboard Realtek Nics)
    Dual Intel Pro 100 PCI express nic
    4 GB 1333 GSkill Ram
    32GB SanDisk SSD
    InWin Case/ with 200W PSU

    Let me tell you this box is amazing, I have a site to site IPSEC setup between my work and home (my home is 100mb/s fiber work is 100mb/s fiber) my tunnel traffic bounces at anywhere from 85-90 mb/s and the CPU is not even at 25%.

    If you are interested, here is a similar idea (mboard/cpu combo) that has a 17 watt Celeron which people have used for PFsense 2.1 as well with dual Realtek nics:
    http://www.newegg.com/Product/Product.aspx?Item=N82E16813128598
    you can do something similar only this one you would have to use a regular PCI dual nic rather than PCI express.

    If I had to do it over again I would probably go for that Celeron because of the 17 Watt TDP, obviously my build is overkill (and it is 55 Watt)

    If you want a PCI express Nic then here is another Celeron combo here:
    http://www.newegg.com/Product/Product.aspx?Item=N82E16813128585&Tpk=gigabyte%20celeron%20combo

    Sorry I know I threw a lot at you, but I have recently been gorging myself on these specs and figured I would try to help someone else out. Your i3 might even be overkill like my G2030, not sure what you are doing with it, so those Celerons might be a better route.

    I hope this helps you out.



  • Hi folks, just built a box with http://www.portwell.com/products/detail.php?CUSTCHAR1=WADE-8012 board, with an i3 2120T. Works like a champ. I have Squid3 and Squid Guard packages installed, may also look at Snort later on.

    Full Specs
    pfSense Release 2.2
    Silverstone MLO5 Case
    Silverstone SFX SF30 Power Supply
    Silverstone AP122 Case Fan
    Portwell Wade 8012
    Intel i3 2120T
    OEM i3 CPU Cooler
    Western Digital 320G Black
    8GB Ram



  • What does this have to do with a 1.5 year old thread?

    But, cool  8)  I'm glad those are Intel NICs. So many people build firewalls and don't even look at the most important parts, the NICs. "Ohh, my system is slow" "Yeah, you've got some crappy NICs, what did you expect?"


  • Banned

    …without bandwidth your Intel's won't buy you anything, though... :-D

