Xeon vs Celeron

  • Hi,

    I am just looking at the relevant hardware for a new pfSense firewall. I will be using HP, and it seems that the DL320 G5 looks like a good option.

    I can either get it with a Celeron 3.2Ghz (512 K cache), or a Xeon 2.4 (4M cache).

    To put it into context, there will be 2 identical machines in a carp cluster, They will be used to sit in front of a number of web servers (with public IPs, so no NAT on the firewalls).

    I will be using the D-Link DFE580TX PCI-X 4 port cards in the machines (allowing extra ports for management LAN, and rule syncing)

    Memory wise, the Xeon comes with 1G standard, and the Celeron 512M as standard, but clearly with the saving on the cost of the Celeron I could up the memory if required.

    What I want to know is how much difference, for a firewall, will having the Xeon make? Its pretty much £200 more expensive than the Celeron. I don't mind spending the money if it's needed, but don't want to waste money I could spend on other parts of the project.

  • Maybe not the answer your looking for, but i can't help myself :)

    IMO with the future in mind
    Celeron is so slow, Xeon ( http://en.wikipedia.org/wiki/CPU_power_dissipation) price is also high, i think i would go for core 2 dual.
    1G ram
    Intel nic just works better with freebsd. I would also select giga nic's

  • Thanks Perry,

    The server has the Xeon 3060 Dual Core processor in it, which I believe is just the server version of the E6600 Core 2 Duo.

    I know the Celeron is a much slower chip, but I guess what I didn't know is how much CPU speed is needed in a firewall. I guess what your saying is the enough to make it worth while not buying the Celeron?

    Network card wise, I had heard the Dlink one works fine, and its just less than £100, vs an Intel one at around £350, so thats a big price difference, unless the performance of the 2 cards is very different.


  • Intel NICs are a no brainer. Set and forget. Don't know about the D-Link stuff. Maybe.

    The CPU performance dependes on how much bandwidth you need to push and how many VPN tunnels willl be established. Even harder to tell without figures.

  • Hi Chris,

    At the moment there will be 3 VPN's (all IPSEC) but its possible that might have to be upped a little in the future, but its not going to be loads.

    Bandwidth wise, a guesstimate would be around 40 megabits per second.



  • OK, comparing to what I have to draw some conclusions from that:

    • 16MB/512k ADSL

    • PIII Celeron 1100MHz

    • 512MB Ram

    • one permanent IPsec tunnel

    • and another one when I'm on the road - but I don't watch my CPU then

    phpSysInfo reports: Load Averages  0.13 0.07 0.05

    I have not seen my CPU graph reaching 100% unless I trigger lightsquid to rebuid its data. It usually flutters between 0% and 25%.
    Since you would have three times the CPU power for only 2.5 times the bandwidth the 3.2 GHz Celeron CPU should be sufficient. Assuming you give it enough RAM to breathe and good NICs that don't load the CPU too much (like Intel Server NICs).

    And if you need more power in the future you still have the opportunity to upgrade the CPU.

    But don't nail me to it. This are estimates!

  • 40 Mbps of IPsec, or 40 Mbps of total traffic? Huge difference, the overhead for encryption for IPsec is processor intensive.

    If you're looking at 40 Mbps of total throughput, and less than 5 Mbps of consistent IPsec traffic, the Celeron would be more than adequate. That should scale up to 1 Gbps, guessing roughly. You can probably get 2 Gbps with the Xeon, as another rough estimate.

  • Thanks for that,

    40Mps was approximate overall bandwidth, so it looks like the celeron will be fine for the moment, and if the traffic does scale up to the point where it needs to be replaced, then I'll spend the extra then, as its probably a way off yet.

    Ram wise, will 1Gig be OK, or should I give it some more? (I'd like to be running snort, but thats pretty the only additional package really. And I know that can be memory hungry).



  • As always: more is always better. But 1GB should be sufficient for the moment.

    Snort's memory usage depends on the ruleset you define. The more rules the more memory.

  • 1 GB should be fine. But the price differential between 1 and 2 GB is probably very minimal, so I'd likely go for 2 GB.

  • I use a pentium D Dual core 3.00 ghz processor.  It run's great!  i have run on server different processor's.

    dual 500 P III (256 MB) with a 512K fractional t-1
    dual P II 266 (384 MB) DSL, and a 512K fractional t-1
    Pentium D Dual Core(64 bit processor) 3.00 MB / 512 DSL
    C3 GIGA Pro ((733 MHZ clone) 256 MB of ram) 3.00 MB / 512 DSL
    Tested on a Compaq 6400R with 4 - 500 MHZ Xeon processors with no issues  3.00 MB / 512 DSL

    My luck has been great.  I think that a faster processor and more ram is important.  I have customer sites that connect to my IPSEC VPN.  All three use different VPN end points. 
    1- Symantec gateway - Fractional T-1
    1 - Netgear 380 - Cable connection
    1 - Linksys with VPN endpoint - Fixed IP DSL 5 mb / 768 ,m

    All three work great connected to my endpoint.  My end point is a DELL SC400 with 2 - GB network adapters.  One is a broadcomm and the other is a $14.00 special no name.  They both work great.  I have those connected to a vlan on my DELL 8 GB managed switch.  I have a web server, ftp server, terminal server, and a few other services set up behind my firewall (PF-Sense)  The system works really good.  I am on 1.2-RC3
    built on Thu Oct 18 15:19:54 EDT 2007.

    I am not upgrading at this point.  This snapshot is ultra stable and I have had no issues with the services that I am running from behind my firewall.  I am in the process of testing a Veloiraptor 700 firewall to see if I can get PF-Sense or Monowall to run on it.  If I it would be great.

    My other thing I am going to setup is a virtual firewall on vmware.  I am planning to use a new 4 way server with 2.6 Gb of ram and run that virtual device as my firewall.  Then I can backup my image and always recover in the event a upgrade does not work correctly.

    My new question is there any progress on the 64 bit verision of code or a release on Freebsd on release 7.0?

    But back to your prginal point I like a Xeon processor in any flavor, I am not crazy about the Celeron processors.  I do agree more is better in any case.


  • i run a AMD Athlon 900 with 768mb  pc133
    with 3 3com cards

    this is the company firewall/ vpn concentrator and all the other goodies that PFsense offers.

    and i run aprox 15-20% at full capacity

    3 different Vpn with 10 users total on the other side of the 3 different VPN (open Vpn)

    my connections are
    2m x 2m cable and
    3m x 768kb
    under full load it still works fine.

    i personally think that the Celeron will pull you though with minimal issues.
    1gb will do you good… but pending on what you are running all with the base pfsense that could change in a mouse click

  • I'm running on a P4 2.66Ghz, 512MB of RAM, 40GB HD, 2 onboard Intel NICs and 1 RealTek NIC for DMZ.

    On my system I'm running squid proxy and this machine runs fine! I don't usually see more then 10 to 25% CPU usage on average and the only time the machine goes down is for some sort of hardware upgrade!

    My internet connection is 6Mb/512Mb with a server hosting email, TS and a web server and 3 home work stations that draw quite a bit of bandwidth because we are power users, always downloading something, always have something pulling bandwidth. I average 4 to 10GB a day of download.

    Awesome firewall!!!

  • Hi!

    If I recall right HP sell a firewall server for Microsoft ISA, the hardware is a HP DL320 and the CPU are Celeron, that why I think that for pfSense I am sure that the Celeron must be more than enough.

    And for the NIC the recommendations is a good quality net cards (right now Intel or Broadcomm chipset, you get probably VLAN support, QoS tag, TCP Offload, etc.) and if possible all the cards must be the same model/brand.


Log in to reply