Opinions Needed SSD vs HD vs CF



  • I have two clients that are looking to do IPsec tunnels and need VPN.  Snort would be nice on WAN for the auto-blocking feature, but that's about it.  I want to go with the Atom 1.8 dual core and 4 GB of RAM.  I have seen the new pfSense certified box on Netgate, but I am hesitant about the SSD.  I will be semi hands-off after the install except for updating the box, etc.  Any suggestions on a hardware setup?  I have used a box from mitxpc.com with Intel gig NICs and a HDD for at least a year with no fan and have had excellent results.  I just worry about the HDD over time, if I am not monitoring it constantly.  My gut says go with the CF card install.  Any thoughts?  They need to be able to run 1 IPsec tunnel each and have maybe 5 VPN connections at a time for accessing file shares.  Thanks in advance.


  • Netgate Administrator

    If you want to run Snort then I would go for an SSD/HD. SSD early failure issues have been blown out of all proportion IMHO. Yes they have limited write cycles but if you get something reputable (Intel/Samsung) or even better something SLC based you should have no trouble for many years. Make sure you have enough RAM not to start swapping.

    Steve



  • I was probably going to recommend the FW 7541 with 4 GB of RAM and the SSD, if I was going to opt for the full install. So you are saying opt for the full install on the SSD? I suppose the write times are faster on the SSD than the HDD.  I like the fact that it's pfSense tested as well. Any other insight? I have been running limited rules of Snort on a CF for a few months now and it doesn't seem to be an issue.  Not sure if it will die eventually though…    What do you mean by enough RAM to not start swapping, using the swap partition?  Should I delete it?


  • Netgate Administrator

    Yes, using the swap partition. If you start having to use swap the writes to the drive go up massively. It won't happen unless you run out of RAM though. Also it's not going to kill your SSD overnight, most of these drives have a full Windows install complete with swap file. Just keep an eye on the dashboard where it lists swap usage.

    I have seen some problems with Snort running on a CF card. It was a while ago though and the Snort package has had a lot of work since. To avoid the possibility of problems I would use a HD or SSD. If you've tested it and are happy then feel free to use a CF card.

    Buying the FW-7541 from Netgate directly supports the project so I'll not discourage you from doing so.  :)

    Steve



  • @newbieuser1234:

    I was probably going to recommend the FW 7541 with 4 GB of RAM and the SSD, if I was going to opt for the full install. So you are saying opt for the full install on the SSD? I suppose the write times are faster on the SSD than the HDD.  I like the fact that it's pfSense tested as well. Any other insight?

    Be sure to enable TRIM for the SSD to help minimize writes.  Means using the ahci(4) driver.  Howto is here:
    http://forum.pfsense.org/index.php/topic,63656.msg344604.html#msg344604
    though I think the only steps still needed for 2.1 release are #4 and #10 (and #12 to verify).

    I have been running limited rules of Snort on a CF for a few months now and it doesn't seem to be an issue.  Not sure if it will die eventually though…    What do you mean by enough RAM to not start swapping, using the swap partition?  Should I delete it?

    No, don't delete it, but keep an eye on your swap usage and memory usage.  I've never seen my RAM usage higher than 7%, nor seen any swap usage on my 4G system (then again I don't run many packages).



  • Thanks.  How do you monitor the swap file? Also, would I need to SSH or be at the console to enable TRIM?



  • I'd choose "good" SSD over HD over "cheap" SSD over (slow) CF.



  • I think one of the questions no one seems to ask is the hard drive size.  I too recommend the good brand SSD so maybe 64 gigs would be more than enough?  I am thinking larger surface area in the SSD so going with a large drive to ensure long life?

    Right now I have a 500 gig laptop hard drive in my box and yes I know the drive size is super overkill but for $50 isn't bad so I bought it. My original 80 gig laptop hard drive ran 24/7 for 4 years before it died.  Eventually I may swap it out with an SSD.



  • @newbieuser1234:

    Thanks.  How do you monitor the swap file? Also, would I need to SSH or be at the console to enable TRIM?

    Try 'status –> dashboard', there's a nice bar chart for swap and memory in the 'system info' widget.

    Yes, you need a shell prompt for the console commands.  And of course, the reboots in steps 5 and 11 are still needed too; I shouldn't have implied you could skip them.



  • Thanks so much.



  • I'm one of the pfSense users who has had a couple of SSD failures… Pretty sure it was due to buying cheap SSDs though. I haven't had a problem since I put in a quality SSD (Intel). Likewise, TRIM support in 2.1 will help.



  • Would you recommend CF nano install over SSD? Or did you ever go back to HDD?


  • Netgate Administrator

    CF is great if you have a CF slot already in your box, it's cheap and easy. But… I would only ever run the Nano variant from CF.
    There are people running a full install from a flash drive but I personally don't think it's worth the risk.

    Steve



  • I have been running the NanoBSD install for months with a limited Snort rule set and it appears to be fine? Any thoughts?  The NanoBSD install is read-only, correct?


  • Netgate Administrator

    Probably good to go then.  ;)
    As I said it's been a while since I had that trouble (it couldn't fetch new signatures as I recall).
    NanoBSD is mounted read-only, correct.

    Steve



  • I just want Snort mainly for the port scanning blocking at WAN.  Is anyone else hesitant to do the 2.1 upgrade for Nano given the apinger issue? Doesn't seem like it's been resolved either. I can't use OpenVPN with 2.1 Nano.


  • Netgate Administrator

    I am running 2.1 Nano on all my boxes. I have not seen any problems with apinger, I am using OpenVPN on at least one box.

    Steve



  • Do they have static IPs for WAN?  On both boxes I did the 2.1 upgrade via the dashboard and OpenVPN crashes out frequently.  I read somewhere it has to do with apinger.  Not sure, regardless I can't seem to get 2.1 Nano to work with OpenVPN and DHCP.


  • Netgate Administrator

    PPPoE and DHCP. Neither box running OpenVPN sees much traffic but I've not seen any errors nonetheless.

    Steve



  • Did you do the in place upgrade or install from scratch?  Is it the VGA nano version?


  • Netgate Administrator

    Mostly upgrades but some fresh images. They are all standard NanoBSD using the serial console.

    Steve



  • Mine are all VGA.  Can you install a serial console version, if you assign one of the interfaces as a serial port? Probably not, right?  Are you using the ALIX board?  I just did a fresh install of 2.1 VGA and VPN / apinger is working fine now.  I'll keep you posted to see how it goes.


  • Netgate Administrator

    No, the serial port has to be a real serial port, it's hardcoded into Nano when it's built.
    I'm using all re-purposed Watchguard boxes.

    Steve

