Fanless gbit pfSense router?



  • Hello, I have been looking at the Intel DQ77KB motherboard with two 1 gbit interfaces and then I found this pre-built box with Core i5-3470T (2.9-3.6 GHz):
    http://www.atlastsolutions.com/fanless-thin-mini-itx-pc-core-i5-16gb-128gb-ssd-intel-dq77kb/

    Would this be able to route 1gbit full duplex (2gbit?) or would I need a PCIe card for that? http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/pro-1000-pt-dp.html



  • The two built in ports and the i5 should handle it (one would think).



  • I think that board uses 82579V NICs.  I'm not 100% sure that those work in 2.0.  You might need to run 2.1.

    In terms of "routing", that is a fairly trivial task for a system like this.  "Firewall" isn't much harder.  If you're including VPN, traffic shaping, squid, snort, etc. then likely not.



  • I think it's two different ethernet controllers, one is Intel 83574L and the other Intel 82579LM. They seem to support some offloading but maybe not as good as others.

    It would do routing and firewall/NAT, just for my home, nothing complicated.



  • @theidiot:

    I think it's two different ethernet controllers, one is Intel 83574L and the other Intel 82579LM. They seem to support some offloading but maybe not as good as others.

    I second that.



  • Sorry, I misspelled, it should be Intel 82574L and Intel 82579LM.. Anyways, the question is would it route/firewall/NAT 1gbit? With today's hardware is it really important that the NIC is on PCIe like the Hardware Sizing Guidance says? http://pfsense.org/index.php@option=com_content&task=view&id=52&Itemid=49.html

    The CPU has AES-NI so it should handle OpenVPN much better than my current Asus router at least.

    I'm thinking about buying and building this:
    Case: Akasa Euler
    Motherboard: Intel DQ77KB
    CPU: Intel Core i5-3470T
    HDD: Crucial m4 32GB mSATA SSD
    RAM: Corsair 8GB (2X4GB), 1600MHz



  • Yes - It will handle it.  Get the I5 fast as you can within your power/heat budget.  You will enjoy the headroom.


  • Netgate Administrator

    Indeed, the hardware guidelines are unfortunately a little outdated. The i5 can very easily firewall/NAT 1Gbps. The lowliest Sandy Bridge CPU like a G530 can manage 1Gbps with plenty of cycles to spare. See: http://forum.pfsense.org/index.php/topic,45439.0.html

    I'm not sure of the status of AES-NI support. Last I looked it wasn't working but was being actively worked on. Either way the raw power of that CPU will provide some pretty high numbers for VPN.

    Steve



  • @kejianshi:

    Yes - It will handle it.  Get the I5 fast as you can within your power/heat budget.  You will enjoy the headroom.

    And what would the headroom be used for? pfSense can route many mbps of data on a measly P4 or Atom chip!

    Unless you're running a large network with hundreds of users, anything more than an i3 is wasted (and wasted for a long time to come).



  • When he starts trying to route "1gbit full duplex" from a WAN through a LAN, with a few packages running you will find out quickly why you need headroom. I guess I could assume that's not what he plans to do, but why would he mention it then?



  • A lot of folks here have a notion that anything above an Atom is waste. It's not all about single or multi threaded. The CPU cycle speeds have a lot to do with the processing as well. Atom was designed for power saving (a couple of yrs back) and still is designed to save power.. no doubt about it. Hey, even Windows runs fairly ok on Atom. i3/i5 is a different breed.. so is Xeon. Not trying to lecture anyone but my point is i3/i5, in certain situations, is a better option to go for than an Atom. An i3 may in fact be more effective in power savings than an Atom. An i5, maybe not, but is still very effective.

    To Steve's and kejianshi's point, for a gigabit WAN throughput a G530 or an i3 are best candidates. Folks have tested them on 1Gbps (search the forums). But keep in mind.. we are talking about processor strength on WAN throughput processing only. When you start to add in resource hungry packages (even if they are single threaded) like Snort, Dansguardian with clamd, Squid, pfBlocker.. you are taxing the processing "times" of the CPU which it would normally use to process WAN throughput.

    For a sweet 1Gbps WAN throughput and making a complete UTM with all packages on it, I will definitely recommend i5 for best "response" times. When I say "response" I mean the UTM processing the data from WAN, pfblocker checking allowed IP range, Snort processing it, Dansguardian checking for proper site access, then clamd doing a virus scan on it, lastly Squid caching it.. before you even see the page load.

    Face it, you are not going to save even 50 bucks in annual electricity by under powering from an i5 to i3 or Atom.


  • Netgate Administrator

    Completely agree. Also I totally understand why there are so many questions asking essentially the same thing. I'd love to see some real throughput tests on a range of fully loaded systems. By fully loaded I guess I'm talking, Squid, Squidguard, Snort, HAVP - the full UTM setup. Currently there are vague numbers from systems that aren't really comparable.

    Steve



  • I have a fully loaded system working beautifully. It's on a VM with Intel(R) Xeon(R) CPU X5550 @ 2.67GHz. Has pfBlocker, Snort, Dans (with clamd for virus scans), Squid, and OpenVPN. But I have a 50Mbps (still thinking about that 75Mbps upgrade) connection. RCN cable here isn't that great even though they are fiber optic. I start to get very high ping times and packet loss on higher download speeds. It's an ISP issue and they have acknowledged it. So I wouldn't be the best candidate to run any tests.. lol

    On a side note, I think HAVP should be phased out. Dans with clamd does a better job along with the role of SquidGuard.



  • @asterix:

    A lot of folks here have a notion that anything above an Atom is waste. It's not all about single or multi threaded. The CPU cycle speeds have a lot to do with the processing as well. Atom was designed for power saving (a couple of yrs back) and still is designed to save power.. no doubt about it. Hey, even Windows runs fairly ok on Atom. i3/i5 is a different breed.. so is Xeon. Not trying to lecture anyone but my point is i3/i5, in certain situations, is a better option to go for than an Atom. An i3 may in fact be more effective in power savings than an Atom. An i5, maybe not, but is still very effective.

    To Steve's and kejianshi's point, for a gigabit WAN throughput a G530 or an i3 are best candidates. Folks have tested them on 1Gbps (search the forums). But keep in mind.. we are talking about processor strength on WAN throughput processing only. When you start to add in resource hungry packages (even if they are single threaded) like Snort, Dansguardian with clamd, Squid, pfBlocker.. you are taxing the processing "times" of the CPU which it would normally use to process WAN throughput.

    For a sweet 1Gbps WAN throughput and making a complete UTM with all packages on it, I will definitely recommend i5 for best "response" times. When I say "response" I mean the UTM processing the data from WAN, pfblocker checking allowed IP range, Snort processing it, Dansguardian checking for proper site access, then clamd doing a virus scan on it, lastly Squid caching it.. before you even see the page load.

    Face it, you are not going to save even 50 bucks in annual electricity by under powering from an i5 to i3 or Atom.

    I'm the opposite, one of my -isms is "Friends don't let friends buy Atom", especially when a local Microcenter has dual Ivy Bridge cores @2.6GHz for $35 and 1155 motherboards for <$50. Without even checking benchmarks I'm sure that is at least twice as powerful as any Atom.

    The last couple generations of Atoms had no real improvements, maybe Centerton or whatever it's called with out of order and some real core improvements might be ok.

    As for the OP, one of my pfSense boxes is basically what you are considering: DQ77KB inside the same Akasa Euler (really nice case), i3-3220T, mSATA SSD. I also installed an AR9280 minicard for wifi AP someday, but drivers in 2.0.3 are not stable at all even with forced G so it's not being used yet.

    It's only on an ~80Mb fiber link for now, but it screams through everything.

    I hope they come out with a Q87 thin itx board, because I can't find the Q77 anymore and the Haswell i3s now have AES-NI standard. i3-4130 ~$125 for amazing single threaded performance (3.4GHz) and it's ready for big VPN acceleration whenever that makes it into stable.



  • I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3  ;D ) and swear by it.

    Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not going the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.



  • @asterix:

    I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3  ;D ) and swear by it.

    Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not going the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.

    What about RAM amounts? I'm thinking I want to build a nice(ish) UTM…


  • Netgate Administrator

    Ram is cheap, get lots.  ;)
    If you have a new build with current technology RAM then just fill it. RAM in £/MB is more expensive in older modules.
    If you want to run Snort and Squid I would look at 4GB.

    This is getting a bit OT but there is still one area where the Atom is king; very low power consumption passively cooled setups.
    Yes the Akasa euler can do it for 35W 'real' CPUs but there's cost involved there. The Atom currently fills a niche between the Alix and significantly more expensive passive cooling solutions that can handle higher TDP. A niche that will hopefully be filled by the new Alix board.  ;)

    Steve



  • @Dr_Drache:

    @asterix:

    I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3  ;D ) and swear by it.

    Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not going the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.

    What about RAM amounts? I'm thinking I want to build a nice(ish) UTM…

    Start with 4GB. My sweet spot is 6GB ;D. Snort, Squid, dans with clamd, pfBlocker.. all run like smooth butter and memory usage sits between 40 to 43%. I have kept 8GB just because I have extra in my server and it's a VM. RAM usage is between 30 to 33%. If needed I will pull it down to 6GB.


  • Netgate Administrator

    Any idea what it peaks at?
    Unused RAM is doing no good to anyone. ;)

    Steve



  • I think it's wise to keep 25% in reserve to handle momentary spikes in memory usage.  Could be wrong.



  • Here are the screenshots of my UTM. Network activity has gone down drastically this week due to schools re-opening. Last month was modest as well.. just shy of 350GB.. as we were on family vacations.












  • Yeah - Similar here.  I like to have a safety buffer also.



  • My memory consumption goes up and down depending on how much cache is in the RAM. Old data flushes out periodically and brings down the usage. Snort has come a really long way from its initial days where 2GB was just not enough to load it and would crash while turning on the service. It's not like that anymore since 2011.



  • Same same…  Goes up to 75% and then pops back down to 25% periodically.
    Disk usage is slowly creeping up to 20%  (It's a newly installed SSD - Will take time.  I'm usually faster to adopt but SSD has been a bumpy ride)
    My screaming processor is a dual core AMD, but you know what?  I like it.  It's impressively stable for garbage that costs about the same as a couple cups of coffee.  And I'm passionately in love with Mushkin Server Ram.



  • At full WAN capacity. Keep in mind in fully loaded UTM with all resource hungry packages running. Maxed my WAN at 51.73 Mbps.

    Hardware is begging for more WAN throughput :D




  • No doubt is working well  ;)



  • If we do the math..

    8% of CPU was able to do 50Mbps  of WAN throughput. So my UTM could do just about ….hmmm...

    100/8=12.5 times 50Mbps .. that's 625Mbps before it runs out of CPU cycles. Keeping in mind that the Xeon is way more powerful than an i3 and i5, plus it's fully loaded with all resource hungry packages running at full power. I suspect it can reach 1Gbps if I let go of Snort and Dans with clamd.



  • For sure, if I need to handle 625Mbps and every package in the repository, I'd go with modern dual xeons and more RAM and maybe faster/bigger SSDs also.  It's just a little businessy / industrial strength for my home.  Here my network will top at 150Mps at the WAN for sure.  No higher in the next foreseeable decade or so.  If Google internet comes here, I'll need something faster.



  • On second thoughts, I forgot I am on VM host. So it's shared CPU. If I load just pfSense with no VM host then the throughput would be better

    OR

    my strong belief is maybe it's because the packages are single threaded and limiting the processing power.



  • Yes - It's a monster build for sure, but…
    Is it fanless?    ;D

    I like this guy's original specs for his purposes.



  • Mine.. actually yes. Both physical CPUs are fanless with heatsinks. Except for the PSU ;)



  • haha - you win…


  • Netgate Administrator

    It's almost impossible to extrapolate accurately like that because, as you say, there are some single threaded processes. Particularly this is true of pf, as has been discussed before. In the worst case scenario you could have all that 8% on one core with the others idle (very unlikely I know). If your CPU appears as 8 cores (I have no idea how many you gave to the VM but this is worst case!) then that would be one core at 64% giving only 36% headroom or maximum throughput of 68Mbps!  :P
    Obviously that's not true but I hope it highlights how the calculation is not that simple.  ;)

    Steve



  • @asterix:

    I agree. I will never ever buy an Atom as it makes no real sense when it comes to $ v/s CPU power. Some folks who are using Atom are sorta die hard fans (even when they know within that they should have gone for a G530/i3  ;D ) and swear by it.

    Frankly, for a fully loaded UTM I cross out Atom immediately. Even if someone is trying to build even a basic pfSense firewall with no add-on packages, it just makes no sense not going the G530/i3 route for a few extra bucks, unless you are extremely tight on budget and every dollar counts for your end decision.

    It's not about the bucks, it's about heat and electricity use. A D525 Atom uses only 13Ws vs 65Ws for a G530. For a basic pfSense firewall with a couple of packages running, it's barely pushing 5% CPU; so all those extra cycles on the G530 are wasted, and consuming electricity. So over the course of a year, you're paying about 35.00 in extra electricity costs for what? Also, my box can pretty much be fanless versus a G530 which would at least require a CPU fan.

    I'm happy with the performance, never goes past 10% CPU utilization with the packages I'm running and the processor can easily do 200mbps+ of throughput.



  • Ahem..  :o

    65W at full 100% usage ;D. Typical consumption is around 1 to 5% tops. No one is paying for 65W unless they are running 100% 24x7 ;)


  • Netgate Administrator

    Exactly.
    Also if you want a fanless box capable of Gigabit speeds you're better choosing a 35W tdp CPU. The required cooling solution is based on the maximum heat dissipation and 65W passively is big!

    Steve



  • @stephenw10:

    It's almost impossible to extrapolate accurately like that because, as you say, there are some single threaded processes. Particularly this is true of pf, as has been discussed before. In the worst case scenario you could have all that 8% on one core with the others idle (very unlikely I know). If your CPU appears as 8 cores (I have no idea how many you gave to the VM but this is worst case!) then that would be one core at 64% giving only 36% headroom or maximum throughput of 68Mbps!  :P
    Obviously that's not true but I hope it highlights how the calculation is not that simple.  ;)

    Steve

    Yeah I agree on that. I have allocated all 8 cores, even though pfSense won't be able to utilize them.

    Honestly, in this date I was expecting FreeBSD to evolve more on the multiple core support plus all the packages out there. It's a shame to see so many CPU cycles sitting idle and not being taken advantage of. pfSense response times would be lightning fast if all the packages along with the core OS were designed for multiple cores.



  • So, use them for something else…  I'm sure you must have some need for those cores elsewhere?

