Hardware Sizing: Small Office; Snort, Traffic Shaping ,Squid, DarkStat, 10 OVPN
-
Hi all,
I've been using pfSense for about 3-4 years now. Prior to that I was using m0n0wall, IPCop/SmoothWall, and dd-wrt.
Currently my small office's pfSense box runs 2.1 is as follows:
-
Atom D525
-
3GB RAM
-
4G NanoBSD
-
4 x RealTek GbE NIC
This is fed with a 20/5 Cable connection.
We have 2 NICs setup for for separate LANs going to unmanaged GbE switches. Lately with Snort alone it appears to be hitting around 40% of the CPU. I'd also like to start running Squid and use the pfSense box to serve from 5-10 OpenVPN users as well. Normally aside from that, we have about 20-30 devices total connected, mostly using rather low WAN bandwidth as a lot of the connected racks are internal development/build servers. It may be nice to start using VLANs as well, though it's not a hard requirement.
The official hardware sizing recommendations are sort of out of date… so I'd like to collect thoughts.
-
What approximate hardware setup would support this?
-
256-bit encryption on OpenVPN would be nice, but 128-bit is OK too
-
Is pfSense still performing better on higher frequency CPUs (and ignoring efficiency?)
-
How important is having multiple cores, and to what extent?
The pfSense box is about 4 years old. I'd like to keep it as small as possible but avoid using purely embedded solutions, so mITX it is if possible. If multicores help out a lot vs frequency per core, I'm really leaning toward the new 6-8 core Atoms that are coming out soon.
Thanks for your advice!
-
-
Intel i3 on ITX mobo (will handle Snort, Dans with clamd if needed, OpenVPN 256-bit for 15+ users)
8GB RAM (Snort needs RAM)
Intel dual-ports NIC (VLAN would be a good way to go)
SSD – 40GB should be fine (for Squid) -
I'm not opposed to an i3 system, since there are low TDP versions of the i3.
What about number of cores? Would it be feasible to run let's say an 8-core Intel Avoton Atom vs a dual-core IVB/Haswell i3? Would you happen to know if scaling works well with the addition of more cores?
If at all possible I'd like to keep total system wattage down. My current Intel Atom D525 system pulls ~20-25W at the wall under load, and an 8-core Avoton would pull about the same. Just roughly thinking, an i3 system would pull at least 60W at the wall under load.
Can you share an i3 setup that you're currently using with that configuration?
-
Is pfSense still performing better on higher frequency CPUs (and ignoring efficiency?)
How important is having multiple cores, and to what extent?For all out maximum performance through pf (routing/firewall) a high frequency is important. This is because the pf process only uses one thread. In that respect multiple cores are less important. However if you're running Snort, Squid and OpenVPN those will use whatever processing you have available.
At this point I would still expect a high frequency dual core cpu to outperform a low frequency 8 core cpu. That may all change in 2.2 though. Don't hold your breath. ;)
An i3 system (or some other low end ivy bridge box) need not draw much more power than your current setup. Consider that a far more capable processor will be working a lot less hard, it won't be anywhere near its TDP rating.
Steve
-
Steve,
It's high time someone updates the official hardware recommendations page. I have noticed a lot of folks in this forum first try to do their homework by browsing through that page but it's basically useless in respects to the current hardware on the market.I don't blame them coming and asking the same old question again and again..
I can pitch in some help if required to update that page based on my experience.
-
I completely agree.
There may be some changes in the pipeline already though:
@jdillard:we are in a transition to a new website design (finally!) and hope to have it out soon for all to enjoy.
I don't have any special insight though.
Some more detailed test results would certainly help a lot of new users.
Steve
-
I agree that updating the hardware guidance would be pretty helpful. Otherwise, users would have to sift through the forums where there may be conflicting opinions.
The Atom CPU I mentioned before is this one:
Intel Atom C2750 Intel ARK Link
It's a 2.4GHz octa-core CPU @ 20W TDP which supports hardware AES, VT-x, and 64GB ECCHere's an interesting board that is about to be released which uses the CPU:
Supermicro A1SAi-2750F Supermicro Link
Unfortunately it doesn't have a mSATA slot, but it has an onboard USB header that you could install a Flash DOM/Flash drive on. My only concern is it uses the Marvell 88E1543 chipset which I can't find any concrete info for pfSense 2.1 support, though previous similar Marvell LAN chipsets apparently had had problems with 2.0.x.For the i3, I saw the i3-4330T:
Intel i3-4330T Intel ARK Link
It's a 3.0Ghz dual-core with HyperThreading CPU @ 35W TDP which supports hardware AES, VT-x, and 32GB ECCThere don't seem to be many interesting LGA 1150 mITX boards, and I couldn't find any by Supermicro or ASUS. I did find a few from ASRock and Jetway though:
ASRock IMB-181-D ASRock Link
ASRock IMB-182 ASRock Link
Jetway NF9J-Q87 Jetway LinkBoth have some niceties, such as the mSATA slots (but no USB header for Flash DOMs). The bad points I guess is much less total RAM capacity support (16GB), no ECC option, and only dual LAN based on the Intel i210 + Intel i217LM for ASRock and the Intel i211AT + Intel i217LM for Jetway.
The perfect scenario would be either the Atom or i3 in mITX form factor, but also have 4 NICs either built in, or through a daughterboard like my current Jetway Atom D525 board. I think I can cope with 3 NICs at the minimum. Normally I'd say "screw this" and just use a separate 2-4 port Intel NIC on PCIe, but then that forces me to use bigger cases. I'd like to use as small as a case as possible since it's nice to have a small mITX sized "appliance" instead of a bigger cube box or a 1U rack (if I went rack I'd just use a mATX board anyways).
Edit: here's a review by ServeTheHome for the Intel Atom C2750 on the Supermicro board: ServeTheHome Review. Apparently the new Atoms are based on a "new" OOO architecture that is much more efficient and puts it basically on-part with the lower clocked i3's in multi-threaded applications. The older Atoms like the D525 are based on an in-order architecture which was pretty slow.