Help me build for pfSense!



  • Hi,

    What would be the most power-efficient and compact way to go about pfSense for the needs of 100Mbps OpenVPN encrypted 24/7 traffic usage?

    I'm thinking Mini-ITX. I checked some of the prebuilt ones, but they seemed either overpriced or not good enough for encrypted throughput at high speed.

    Should I go with an encryption Hifn card with an Atom?

    Let me know your good ideas.



  • Had the exact same question about 2 weeks ago, posted here:

    http://forum.pfsense.org/index.php/topic,68741.0.html

    I did not get any real amount of info or posts back, sadly… but check here:

    http://forum.pfsense.org/index.php/topic,68709.0.html

    I am happy someone else out there wants 100meg under OpenVPN; I thought I was the only one in the world!

    Bottom line is: avoid the Atoms and AMD CPUs. Low-end CPUs will not cut it for OpenVPN performance and just won't work as well.

    CPUs to look for are Intel Core i5 to i7 or Intel Xeon 3GHz+ CPUs.

    Always find an Intel CPU with AES instructions. AES instructions will reduce the overhead when using OpenVPN, more so if your VPN provider uses AES! The difference is large: 40-60% less CPU usage.

    Mini-ITX is possible; however, remember most Mini-ITX (and all mobos!) boards use Realtek LAN ports (best to avoid). You want a motherboard with at least 1 PCI Express slot so you can add a network card, preferably an Intel 364T dual network card or a quad one, for reliability and speed.

    Getting the CPU and having the right amount of Ethernet ports is crucial... so read both links I posted above to understand this.

    Mini-ITX does not give much energy and electricity saving over micro or full ATX... it's the CPU that taxes most. Which is why I am considering a Core i5 3GHz or Xeon 3GHz quad-core CPU (server 24/7 CPU) and a micro ATX mobo with 2 PCI Express slots, plenty of expansion for network cards etc... and way cheaper than Mini-ITX!


  • Netgate Administrator

    You won't need an i5 if your requirements are purely 100Mbps OpenVPN. Consider that an Atom will do 50-60Mbps, and that was older models.

    Steve



  • Good information, guys. I already have my Intel Pro dual gigabit NIC; I guess I might go mATX.

    What would be the most energy-efficient Intel CPU with AES instructions? I already have enough hardware that heating isn't required in winter; I don't need yet another overkill build :)



  • While it's true you won't need such a beefy and powerful Core i5 CPU, if you are considering upgrading in the future to 200meg or more, at least you're future-proof.

    I checked around for Intel CPUs, starting from Celeron dual cores to Pentiums and even Core i3s, and none of them supported AES instructions.

    Although super_8 on the other thread had mentioned some Core i3s do have AES support, maybe in your country, not sure.

    The only ones I could see were the Core i5s around 3GHz+ (Sandy/Ivy/Haswell), and not all of them have it, so google them to double check. I was looking at the 2320 Core i5.

    The difference between AES and no AES is not minor… we're talking 92% CPU usage when running torrents and full-speed downloads (Intel Celeron 2.7GHz). With an AES-supported CPU (Xeon E3-1230 with AES) the CPU usage goes to 25%. Even if it is a more pricey and hotter-running CPU, it will still use very little CPU overhead and electricity thanks to AES. Also, these Intel CPUs are highly efficient; it's not to suggest they will use 95 watts always (tweak your BIOS settings for energy settings).

    Some have even suggested a Xeon with AES, since it's a 24/7 designed CPU... but I feel it gets overkill and pricey then.


  • Netgate Administrator

    It will be interesting to see how the new 22nm Atoms perform. They are reported to have much higher performance than the previous gen models and have AES-NI support.
    The 22nm Haswell i3s also support AES-NI. The current restriction to running Haswell is that they usually ship on motherboards with Intel I210 series ethernet which isn't supported out of the box by pfSense 2.1.

    Steve



  • @stephenw10:

    It will be interesting to see how the new 22nm Atoms perform. They are reported to have much higher performance than the previous gen models and have AES-NI support.
    The 22nm Haswell i3s also support AES-NI. The current restriction to running Haswell is that they usually ship on motherboards with Intel I210 series ethernet which isn't supported out of the box by pfSense 2.1.

    Steve

    Really? I was under the impression that they weren't dramatically faster except for the fact that you can get them with up to 8 cores and a coprocessor which doesn't have any OS support.

    EDIT: Never mind, just read some reviews, they do look pretty fast. Crappy support on the NICs as well though.



  • Thanks for your information guys. This really helped me a lot.



  • Looked a bit more, and Stephen was right: the Haswell Core i3s tend to support AES, so that is a good thing.

    Those new Atoms do look lovely and very low power also: http://www.anandtech.com/show/7453/ecs-reveals-bay-traild-miniitx-line

    Only thing is I see no PCI Express slots, and it is vital to have one. I am unsure if anyone has attempted a mini express network card and had it work with pfSense… but if the performance of these Bay Trails is good and mini express network cards worked, then they would make awesome pfSense boxes.