Thoughts on these possible hardware purchases?



  • I am thinking of purchasing these for each of my offices for my pfSense deployment.

    What do you folks think?

    http://www.mitxpc.com/proddetail.asp?prod=EKIAD2500DL&cat=209



  • I've never used one of those but the specs look like it should be fine.  Buy 1 and test before you buy them all, but I foresee no problems.



  • How many users are you planning to have behind each of the offices? For official use I always recommend having a bit robust system. This one is fine but I wouldn't deploy it to offices without any backup in case this goes down.



  • Hi Asterix

    Office 1
    15 users
    1 Domain Controller
    1 Terminal Server accessed over IPsec

    Office 2
    20 users
    1 Domain Controller
    Users access TS at Office 1

    To be honest I thought the specs were overkill for my application. As for backup, I will have a spare system regardless of what I end up choosing, but are you implying this config is more prone to instability?



  • I think you are safe also, but if things get slow for you, you can try one of these slightly faster systems.

    http://www.liquidnitrogenoverclocking.com/monolith.shtml



  • haha very funny  ;) ;) ;)



  • See - You probably thought I was pranking you but I was actually teasing Asterix  :P

    After you stress-test the first one, you will know if it's enough or not.

    If you start loading a bunch of packages that gobble CPU, it's possible you can tax this system.



  • Yeah that's what I am starting to think because I am going down the UTM path. So I'll be running Snort, AV, pfBlocker, Squid, bandwidthd and who knows maybe more. Suggestions based on this? I should have included this info from the start…my apologies.



  • In that case - Take Asterix's advice.  Asterix runs all that stuff and prefers zippy hardware for that reason.


  • Netgate Administrator

    The board in that box, the Intel D2500CCE is well tested and written about here on the forum. You would have no issues running it but it probably won't like all those packages. It depends on what bandwidth you are expecting it to handle. 2Mbps - no problem. 500Mbps with all those packages - not a chance.

    Steve



  • @drew27c:

    Yeah that's what I am starting to think because I am going down the UTM path. So I'll be running Snort, AV, pfBlocker, Squid, bandwidthd and who knows maybe more. Suggestions based on this? I should have included this info from the start…my apologies.

    Go for a simple i3 with 4GB RAM and 40-60GB SSD. What kind of WAN throughput are you looking to serve the users?



  • @kejianshi:

    I think you are safe also, but if things get slow for you, you can try one of these slightly faster systems.

    http://www.liquidnitrogenoverclocking.com/monolith.shtml

    Kinda overkill for 15 users - unless the system is doing IDS, crazy filtering, HVAP, and other things.

    The D2500 should have no issues even if a few of those features are turned on.



  • @asterix:

    Go for a simple i3 with 4GB RAM and 40-60GB SSD. What kind of WAN throughput are you looking to serve the users?

    An SSD is prone to wear and tear, especially if there is a misconfiguration and it starts spewing out logs/writes to disk. I suggest a fast 2.5" drive instead.



  • "An SSD is prone to wear and tear"

    I can agree with this for pretty much all the MLC and especially the TLC drives…  (I suppose 4 values per cell is up next?)

    The SLC drives should outlast the pfsense according to my observations.

    Something good for pfsense need not be bigger than 64GB and I'd bet 20GB could actually be good in all honesty.

    Either way, this will be a controversial point.

    However - Those SLCs don't cost what they cost because they are no better than MLCs.



  • @kejianshi:

    Something good for pfsense need not be bigger than 64GB and I'd bet 20GB could actually be good in all honesty.

    Either way, this will be a controversial point.

    However - Those SLCs don't cost what they cost because they are no better than MLCs.

    Agreed, the rest of the 40GB can be used for over provisioning and the drive will last many lifetimes, but I think an SSD is not necessary for pfSense? I'm not sure what services besides squid would take advantage of it, and especially for a small network environment. Memory caching would probably be more cost effective and feasible for a small network.



  • OK - My experiences so far.

    I recently switched to a small 64GB SLC SSD for my pfsense.  Obviously, it's not been years and years yet, but I notice no performance difference at all over the Western Digital Black SATA that was in there before.  Basically I threw it in to see how it lasts.

    I also installed SSD on the Host of main computer here and 1 SSD drive per VM for each server I'm running to see how they last in that role as well.  All SLC.

    Again - Not noticing any noticeable performance difference.  Now, of course the benchmarks absolutely scream, even inside the VMs but that's a number and not really noticeable to me in actual use.  I do hope they last forever, but just in case, everything is backed up on massive HDD storage.



  • An HDD is fine, but with 15 users I would bet Squid will play a critical role and SSD would be a bit faster. Typical HDD will be just fine.. hey we lasted so many years with them :D

    I like embracing new technologies and let go of old ones. The more we use the more it becomes common ..the more we progress. Holding on to things just hinders progress.. lol ;)



  • The data retention of some of the new SSDs is a bit scary to me.  I'm not using any MLCs or TLCs but the thought that if I turn my system off for a couple of months it's going to just forget everything is funny to me.  I'm not sure if that's what they actually do, but it does appear to be what their specs suggest.  Something's gonna need to be fixed about that if it is the case.



  • @stephenw10:

    The board in that box, the Intel D2500CCE is well tested and written about here on the forum. You would have no issues running it but it probably won't like all those packages. It depends on what bandwidth you are expecting it to handle. 2Mbps - no problem. 500Mbps with all those packages - not a chance.

    Steve

    What about the same packages with 6meg dsl connection (max they can go is 18meg), with 5-7 users?



  • That's lower throughput - So, original specs should be fine.  (I'd think)



  • That WAN throughput is a walk in the park for an Atom. Packages would run just fine on it. Just ensure you fine tune Squid and Snort to how you like them to behave and keep an eye on page loads and download times.

    Let us know how it all worked out ! :)



  • My internet connection is a measly 5/0.5 ADSL

    The business park we are in has oooooolllld infrastructure and there is literally zero other option for our connection.



  • Have you considered transmitting wifi from a 4G phone to your pfsense?  It might be a lot faster…  haha.

    (Kidding - You would no doubt eventually get throttled).

    Yeah - Any old dual core atom can handle this.



  • @arch113:

    @stephenw10:

    The board in that box, the Intel D2500CCE is well tested and written about here on the forum. You would have no issues running it but it probably won't like all those packages. It depends on what bandwidth you are expecting it to handle. 2Mbps - no problem. 500Mbps with all those packages - not a chance.

    Steve

    What about the same packages with 6meg dsl connection (max they can go is 18meg), with 5-7 users?

    I think smallnetbuilder did a benchmark of the D525 with IDS features enabled, it was able to push around 230 - 250mbps on an Atom. For most small networks that is more than adequate. Also, with such small numbers of users, it is hard to saturate a connection continuously with such a speed anyways.

    But if you're worried about headroom, the G530 is a great choice or a low-end/low power i3. Price of all the hardware should be comparable.



  • Yeah.. that was on v1.2.3 .. or whatever that old version was.. with snort barely having any major rules processing. A lot has changed since then with over 10 version changes on Snort. Plus no dans with clamd or pfBlocker. Those are CPU hoggers.



  • @drew27c:

    My internet connection is a measly 5/0.5 ADSL

    The business park we are in has oooooolllld infrastructure and there is literally zero other option for our connection.

    For this? I don't see the need for anything more than a Netgate 2D3. Add the HiFN crypto board if the IPSec brings you down. 15 users on a 5/.5? Let's be real. That puts you at $300/site. Buy a third as a hot spare or buy 4 and go HA.

    Nothing was said about squid, snort, AV, etc.  I've seen the Alix board handle 90 mbits (no proxy, no snort)

