Recommendations for new pfBox?



  • Hi guys,

    I need to build a new pfSense box but I'm not sure what the minimum would be.

    • 2 x WAN connections [one 1Gbps up/down and one 200Mbps/50Mbps]
    • 2 x LAN, both Gbps, one going to the switch, one going to an 802.11ac AP

    Packages will be few and pretty light-weight: arping, bandwidthd, cron, iperf, lcdproc, mailreport, nut, phpsysinfo, spamd and widescreen.

    So far I have the NICs [two of them, basically Intel Pro 1000 PT Server]: http://h18000.www1.hp.com/products/servers/networking/nc360t/ same thing as http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/pro-1000-pt-dp.html

    btw, is the 82571EB controller supported? I know 82571 is [according to this: http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/pro-1000-pt-dp.html], but I'm not sure if the suffix makes any difference.

    So… what else do I need?

    I was thinking of something like this:

    • AsRock H87M
    • i3 4330T [keep it low power]
    • 4 or 8GB DDR3 1600
    • 40GB HDD :D [way more than I need for a few logs, but I don't trust SSDs or flash drives for my router]
    • 250W PSU [overkill, I'm sure, but I don't think I can find anything lighter in the standard ATX format]
    • iGPU

    Will this configuration accommodate my bandwidth? If not, please recommend something appropriate. Also, if this is overkill, let me know and maybe I'll save some money for some other projects :)

    btw, MB format is irrelevant, it'll all go inside a standard ATX case.

    Thanks in advance ;)


  • Netgate Administrator

    With those limited packages I would have thought you'd be fine with those components.

    If you're worried about the disk failing, have you considered running a Nano image instead? I'm not sure all those packages would be usable, phpsysinfo certainly isn't.

    Steve



  • The PT dual-port server adapter will work just fine.  I had previously used one (actually, it's the same unit you have - the NC360T).

    You can use both PCIe x16 slots on the board and still have IGP functionality (I'm using the AsRock H87M Pro4 and tested with an i340-T2 variant in the primary slot).

    One thing to note about the AsRock board - you might have to switch from AHCI to IDE mode for the controller or GEOM will not detect the drive.  Not sure why this is the case since I've deployed pfSense on the Gigabyte H87M-D3H with AHCI enabled so it's got nothing to do with the chipset.  Probably just EFI/BIOS coding issues.

    Modern SSDs are fine these days especially if you don't intend to run SNORT or SQUID on your rig.  You can also use the NanoBSD VGA image which minimizes writing to the disk.  I'm personally running the NanoBSD VGA 2G image on an 8GB Kingspec SSD I bought cheap off eBay.

    As for the CPU, Haswells at idle to low-load consume very low amounts of power.  There is no real need to pony up for the T variants unless you have certain constraints - PSU or cooling limitations.  Personally, I'm using the Core i3-4130 and it works very well.  It's running at 800MHz - 1GHz most of the time (EIST enabled).



  • I would have changed the mainboard to Supermicro.



  • Thanks for the hints, dreamslacker.

    @lowprofile - I would, too, but they're really expensive over here. And if I was to do that, I'd go for one with IPMI.

    What do you think about the Xeon L5420? Is it a good CPU for a 1Gbps up/down link? I already have one, modded to work in socket 775, so that might be an interesting project, if you think it'd be up for the job.


  • Netgate Administrator

    Certainly that will firewall/NAT >1Gbps. Do you mean up and down simultaneously; 2Gbps?
    If you look at the single thread CPU benchmarks for that CPU it's far better than some CPUs known to be good for >1Gbps. I'll leave it to someone with more high-end experience to speculate as to whether it could do 2Gbps.  ;)

    Steve



  • It's basically a core 2 quad @ 2.5GHz but with much more cache.
    I doubt 2Gbps of NAT or firewall will be an issue. Hacom had their T7200 core 2 duo machine rated to handle 2Gbps of firewall throughput so the Xeon should do better.
    The only question is whether the subsystem would handle the rest of the components well. Pairing the xeon u with a G31 isn't a good choice.



  • I know the G31 is slow for that, but I was thinking of finding a P45 board with 3 PCIe [one for some basic VGA and two for the HP NC360T]. Or maybe a server class mainboard with IPMI [just in case], but those are rare over here and usually very expensive.

    btw, I'm in Romania, so eBay isn't that great of a deal because of the shipping charges, customs, etc…

    Also, I'm trying to keep the Antec SLK3000B case, so EATX is not really an option [limited space for the servers anyway].

    So, let me rephrase the whole thing:

    Requirements:

    • 2 x WAN connections [one 1Gbps up/down and one 200Mbps/50Mbps] so a great total of 2.25Gbps bidirectional WAN
    • 2 x LAN, both Gbps, one going to the switch, one going to an 802.11ac AP
    • Packages: arping, bandwidthd, cron, iperf, lcdproc, mailreport, nut, phpsysinfo, spamd and widescreen. Also using firewall and NAT.

    Proposed hardware:

    • Xeon L5420 modded to socket 775, 1333FSB, chipset Intel P45, 4GB DDR2 800MHz or 8GB DDR3 1600MHz [if I can find a MB with DDR3], 2 x HP NC360T, small HDD, small PSU

    Would this configuration work without losing bandwidth for large transfers?

    I know I keep changing the problem, but I'm trying to find a cost effective solution [home lab] and I already have the Xeon, NICs, RAM, HDD, PSU, case.



  • It should suffice if you don't need any high speed VPN, or snort, or squid in future. Will there be any high speed transfers between LAN and WLAN? That in addition to WAN-LAN traffic might be a little over the top.



  • There will be occasional bursts between LAN and WLAN, but pretty rare. WLAN will be mostly for basic internet access and most traffic will go between LAN and WAN1/2 with predefined rules.

    At most, I'll have some QoS on the slower WAN link for specific traffic, but that shouldn't be much of a load.

    I have no plans to use snort or squid. The only VPN access will be passed through the pfSense on to another server [but that's only for me, no other users].

    Thank you for all the help! I'm off to look for a good mainboard :)



  • Didn't want to open another thread, but the WAN links have changed a bit and I need some recommendations…

    WAN1 - Static IP - 1000Mbps down / 200Mbps up
    WAN2 - PPPoE - 1000Mbps down / 200Mbps up [and I've noticed the PPPoE needs some serious power for such bandwidth]

    Will this system cope with the bandwidth, using pfSense 2.1?

    Xeon L5420 [2.5Ghz, quad, 12Mb cache, FSB 1333]
    4GB DDR2 800
    Intel P45
    NICs - 2 x HP NC360T
    pfSense 2.1 with light packages [arping, bandwidthd, cron, iperf, lcdproc, mailreport, nut, phpsysinfo, spamd and widescreen].

    My alternative would be to put it on my ESXi, which is already running a few machines [2008 R2 with 3 x Shoutcast streams, 2008 R2 domain controller, 2008 R2 mail server, Ubuntu web server and some monitoring] on this:

    i7 3770s
    16GB DDR3 1600
    Intel Z77
    IBM M1015 with 4 x SATA 6Gbps drives [7200rpm, 64MB cache]
    VT-d enabled

    So… what do you think?



  • acoustiq originally posted about this CPU and motherboard

    • AsRock H87M
    • i3 4330T [keep it low power]

    Is this board/CPU supported with pfSense 2.1?

    I think that's my favorite choice for an i3 CPU. 3.0GHz clock speed, AES-NI 35W TDP.

    Outside of that, I'd love to go with a C2750 Supermicro - but I don't think pfSense supports it.

    lowprofile, you said:

    I would have changed the mainboard to Supermicro.

    I agree, I wouldn't mind having IPMI, and even ECC RAM.



  • @midacts:

    acoustiq originally posted about this CPU and motherboard

    • AsRock H87M
    • i3 4330T [keep it low power]

    I did post that, but my requirements have changed and my budget has gone down [other priorities], so my previous post will show my new dilemma. Any opinions on that?

    LE - did a quick test with my 4 year old pfbox - Sempron 140, nForce430, 1GB DDR2, 2 x HP NC7770 and it's able to sustain about 250Mbps on both links. So the Xeon should be plenty for the new links… Or so I hope :)