Hardware for 100MB connection



  • I need to build a box for a data center which will have a 100MB connection in both directions. There is the ability to increase the pipe based on need up to a 1GB pipe.

    I know that I will need a board with gigabit nic. What would be the sweet spot for processor and memory to start? Any first hand experiences?


  • Netgate Administrator

    What services/packages do you need to run?

    Steve



  • All of the basic services plus, openvpn, bind, bandwidthd, iperf, syslog-ng. This will be connected to a fiber connection with the option to scale up to 500MB in both directions.


  • Netgate Administrator

    Do you need OpenVPN to be able to fill the connection? That pushes the hardware requirements considerably.

    Just to be sure, you've written 1GB but I assume you mean 1Gb (gigabit). Sorry to be pedantic but that's an 8x difference.  ;)

    A low-end Ivy Bridge Celeron with 4GB of RAM will firewall/NAT at 1Gbps and handle most things you throw at it but won't come close to that speed for OpenVPN traffic, maybe 2-300Mbps (?). It would also be very easily upgradable being LGA 1155.

    Steve



  • Duly noted. My notation was incorrect.

    OpenVPN connections would be periodic, not constant. If I understand you correctly, OpenVPN adds a significant overhead?

    i3 Haswell would be a better choice then?


  • Netgate Administrator

    Yes, the encryption/decryption of traffic is a huge load on the CPU. As a comparison an Atom D510 will firewall/NAT at around 500Mbps but can't push more than ~50Mbps of encrypted traffic.
    There have been a few threads recently regarding hardware for VPN. One was for a 300Mbps VPN connection and the other for 1Gbps. Have a read through those.
    In general, yes, an i3 will push more encrypted traffic. I would stick to an Ivy Bridge model though as the Haswell boards almost all come with i210 NICs (if they're Intel, which you want) and they're not supported by pfSense 2.1 without some mods.

    Steve



  • Thanks for the heads up on lack of Haswell support. You saved me making a time consuming and possibly expensive mistake.



  • @stephenw10:

    Yes, the encryption/decryption of traffic is a huge load on the CPU. As a comparison an Atom D510 will firewall/NAT at around 500Mbps but can't push more than ~50Mbps of encrypted traffic.
    There have been a few threads recently regarding hardware for VPN. One was for a 300Mbps VPN connection and the other for 1Gbps. Have a read through those.
    In general, yes, an i3 will push more encrypted traffic. I would stick to an Ivy Bridge model though as the Haswell boards almost all come with i210 NICs (if they're Intel, which you want) and they're not supported by pfSense 2.1 without some mods.

    Steve

    Haswell Core i3s come with AES-NI though. So there's the opportunity to tap that for accelerated AES-256 VPN traffic. The flip-side would be that most 8X series boards come with Realtek 8111G or Intel i200 series NICs, neither of which are supported out-of-box with pfSense 2.1.

    However, a dual-port Intel PT or i340 NIC may be a viable option depending on where the OP is located (shipping costs more than the NIC for me).  Also, the 8X series chipsets do support using a PCIe NIC on the graphics PCIe slot without losing the integrated graphics (I personally tested this with a H87 board and i340-T2).  So even an ITX board is viable with external NICs.


  • Netgate Administrator

    Assuming you still trust AES of course.  ;)

    Also, the current status of FreeBSD's AES-NI support is such that it doesn't make a huge difference. In the future of course it will allow you to offload encryption duties to a larger extent. Not until 2.2, maybe later.
    If you did ever want to push encrypted traffic at 1Gbps you would want it.

    Steve
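To turn the AES-NI discussion in the two posts above into something you can check on a candidate board before buying, here is an added example script; it is mine, not posted by anyone in this thread. It assumes only a POSIX shell with grep and awk, reads CPU flags from /proc/cpuinfo (Linux) or /var/run/dmesg.boot (FreeBSD), and optionally runs the openssl binary if present. The flag strings mentioned in the comments are constructed samples, not output from any real box.

```shell
#!/bin/sh
# Added example: detect AES-NI and estimate raw AES-256 throughput with and
# without hardware acceleration. Not code from this thread or from pfSense.

# Return 0 when a cpuinfo/dmesg-style text advertises AES-NI. Linux lists the
# flag as "aes", FreeBSD as "AESNI" inside its Features2=<...> list. Delimiters
# on both sides are required so that an unrelated flag such as "vaes" does not
# match. Example inputs (constructed): "flags : fpu sse2 aes avx" -> match,
# "Features2=0x7ffafbff<SSE3,AESNI,XSAVE>" -> match, "... vaes ..." -> no match.
has_aesni() {
    printf '%s\n' "$1" | grep -Eqi '(^|[[:space:],<])(aes|aesni)($|[[:space:],>])'
}

# Collect CPU feature flags from wherever this OS keeps them; prints nothing
# if neither location is readable.
cpu_flags() {
    if [ -r /proc/cpuinfo ]; then
        cat /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then
        grep 'Features2=' /var/run/dmesg.boot | head -n 1
    fi
    return 0
}

# Convert one "openssl speed" result line into megabits per second using its
# last column (the largest block size). openssl reports columns in thousands
# of bytes per second with a trailing "k", so Mbit/s = k * 8 / 1000.
speed_line_to_mbps() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# Time AES-256-CBC twice. "-evp" goes through OpenSSL's EVP layer, which is
# the path that uses AES-NI when the CPU and the build support it; the plain
# cipher name has historically exercised the software implementation. A big
# gap between the two numbers is what the hardware acceleration buys you.
bench_aes256() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping benchmark" >&2
        return 0
    fi
    generic=$(openssl speed -seconds 1 aes-256-cbc 2>/dev/null | grep -i '^aes-256' | tail -n 1)
    evp=$(openssl speed -seconds 1 -evp aes-256-cbc 2>/dev/null | grep -i '^aes-256' | tail -n 1)
    echo "software AES-256-CBC : $(speed_line_to_mbps "$generic") Mbit/s"
    echo "EVP (AES-NI capable) : $(speed_line_to_mbps "$evp") Mbit/s"
}

if has_aesni "$(cpu_flags)"; then
    echo "CPU advertises AES-NI"
else
    echo "No AES-NI flag found (or CPU flags not readable here)"
fi

# The benchmark runs only when asked for, e.g.: sh aesni_check.sh bench
if [ "${1:-}" = "bench" ]; then
    bench_aes256
fi
```

Read the benchmark figure as an upper bound, not a forecast: it measures the cipher alone in one process, while OpenVPN on pfSense 2.1 also pays for the tun interface, user-space packet copies and HMAC, so real tunnel throughput lands well below whatever openssl reports.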



  • @stephenw10:

    Assuming you still trust AES of course.  ;)

    Also, the current status of FreeBSD's AES-NI support is such that it doesn't make a huge difference. In the future of course it will allow you to offload encryption duties to a larger extent. Not until 2.2, maybe later.
    If you did ever want to push encrypted traffic at 1Gbps you would want it.

    Steve

    I'm not that paranoid..  Haha..
    TBH, not everyone has NSA's resources (computing wise) and let's face it, computing power can be free (for some) but analysing the data costs real time and money (hiring analysts). They won't come after you if you don't give them a reason to. For most Americans, planting field agents to stalk them is probably much cheaper than harvesting and analysing their digital footprint.

    For the most part, I just use OpenVPN strictly for tunnelling back. Hardly any important data goes through and I could technically live with PPTP or L2TP (without IPSEC). Ultimately, I hope to be able to stream 1080p from home via the tunnel. As luck would have it, my ISP just launched a 1Gbps plan (I'm on 150/75) at slightly more. Sadly, I'm not eligible to upgrade from my current contract.



  • Even when using inefficient MPEG2 encoding, 1080p needs less than 40Mbps (and obviously even less when you use a more efficient codec like H.264). What makes you think you'd need gigabit speeds for your streaming?



  • @razzfazz:

    Even when using inefficient MPEG2 encoding, 1080p needs less than 40Mbps (and obviously even less when you use a more efficient codec like H.264). What makes you think you'd need gigabit speeds for your streaming?

    I don't. But it does mean that prices for higher-tier plans will follow suit and drop across the board, so that more people will pick up faster fibre and I'll get more places to tunnel and stream from.

