Netgate Discussion Forum
    1gbps Hardware Advice - Hosting

    Hardware
    12 Posts 8 Posters 3.0k Views
    • U
      usmc77

      Hey guys, been using pfSense for quite some time now, but using it at the house and not in the capacity we are going to try and use it in. Myself and a few friends are all network engineers, so we work with Cisco and Juniper all day, but we decided to try our luck at hosting, so we got some space at a datacenter and a 1gbps circuit. I need hardware advice for this box and came here for ideas. We plan on running a pair of firewalls at the edge and a pair in front of the servers. The pair on the edge will strictly be for firewalling off traffic (maybe Snort), but for the firewalls in front of the web servers we would be looking at doing HAProxy and Snort.

      Processors are mainly what we are uncertain about

      Intel 2.4GHz Quad Core X3220 Processor x1 or Intel® Core™2 Duo Processor E7400 x1

      I know from what I've read that to do 1gbps we need at least a 2.8GHz processor, so my thoughts were to do the dual cores at the edge and the quad cores in front of the servers, or we can do all dual cores or all quad cores. All the servers will be maxed out at 8GB of memory, RAID 1 hard drives, but I'm uncertain about the CPUs. All the servers will be using quad Intel server NICs, so no Realtek or anything like that either. We will also be looking in the next few months at getting the cabinet next to us and an additional 1gbps circuit, which might go into a new pair of firewalls when the time comes, but for now I just want to make sure we have the hardware to get this done right.

      • stephenw10S
        stephenw10 Netgate Administrator

        @usmc77:

        The pair on the edge will strictly be for firewalling off traffic (maybe snort)

        Firewalling at 1Gbps is not too taxing but running Snort at 1Gbps is a much bigger ask. I think you're going to have to decide on that first.

        The processors you mention actually throw up some interesting data. The cpu I often use for comparison is the Celeron G530 since it's very cheap.  ;) It has been shown to be capable of firewall/NAT at >1Gbps. Look at the passmark figures for the three processors:

        Intel Celeron G530 @ 2.40GHz 2172

        Intel Core2 Duo E7400 @ 2.80GHz 1757

        Intel Xeon X3220 @ 2.40GHz 3132

        Looks as though the E7400 may pass 1Gbps but it might be close and certainly won't do Snort at that speed. However, that's not the full story. Currently (due to change with pfSense 2.2, FreeBSD 10) the pf process is restricted to a single thread, and it's this that limits the firewall/NAT performance. Now look at the single thread figures:

        Intel Celeron G530 @ 2.40GHz 1,229

        Intel Core2 Duo E7400 @ 2.80GHz 1,146

        Intel Xeon X3220 @ 2.40GHz 926

        The E7400 is much closer to the Celeron, but most interestingly both are more powerful than the Xeon. That's just for straight firewall/NAT; once you start running other services those extra cores are going to pay off.

        There are a number of threads with very similar titles to yours in which people give example hardware that would probably be useful to check.

        Steve

        • K
          Keljian

          Complete newbie here (but I have done a lot of reading).

          Based on what I have seen, single core speed matters more than more cores, which resulted in me getting a Pentium G3420 for my setup (3.2GHz Haswell x2).

          This is overkill for my needs as I have 100/15 cable, but it should be capable of Snort and Squid @ 1gbps.

          Based on this, a 3.4GHz Haswell i3 would be my recommendation.

          • A
            Aluminum

            @Keljian:

            Based on what I have seen, single core speed matters more than more cores, which resulted in me getting a Pentium G3420 for my setup (3.2GHz Haswell x2).
            …
            Based on this, a 3.4GHz Haswell i3 would be my recommendation.

            Yep, a cheap Haswell dual core is faster than most multi-socket servers on purely single-threaded, low-footprint tasks (like pf in 2.1).
            The first MP Xeon CPU that comes close is two thousand dollars, and it's still Sandy or Ivy Bridge, so ~5% slower per clock.

            Haswell i3s support AES-NI and ECC in the right motherboard, some icing on the cake ;)

            • A
              Atlantisman

              I also run a 1gbps link through pfSense; I run it on an ESXi host with the following specs:

              Xeon E3-1275 v2 @ 3.5GHz
              32GB of RAM
              RAIDZ NFS storage from NAS

              The VM does have the highest CPU priority of all the VMs on the host, but only has 1GB of RAM allocated to it. I have no problems with speed or with running high-demand packages such as Snort.

              • M
                midacts

                Aluminum:

                For the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

                Would it mainly be used for things like VPN connections?

                • J
                  jasonlitka

                  @midacts:

                  Aluminum:

                  For the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

                  Would it mainly be used for things like VPN connections?

                  At the moment it's about zero.

                  I can break anything.

                  • A
                    Aluminum

                    @Jason:

                    @midacts:

                    Aluminum:

                    For the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

                    Would it mainly be used for things like VPN connections?

                    At the moment it's about zero.

                    Yep, you can manually tweak some things for a speed boost, but generally just wait for 2.2.

                    The way the internet is going, though, I think encrypting every link is going to be the new normal, and hopefully last-mile speeds stop sucking in more places, so for future-proofing a DIY router it's a must-have feature IMO. It's not expensive if you shop carefully.

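Whether a given box can use AES-NI at all depends on the CPU advertising the flag and on the aesni(4) driver being attached. The check below is an added example for readers of this thread, not something posted by any participant: it parses the `Features2=` line the FreeBSD kernel writes at boot (the format pfSense's `/var/run/dmesg.boot` carries) and looks for the AESNI flag, then, when run on a live FreeBSD/pfSense host, reports whether the module is loaded. The two sample `Features2` lines are constructed for the test and do not describe any real machine; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect AES-NI support the way you would
# verify it on a pfSense/FreeBSD box before counting on it for VPN throughput.

# has_aesni_flag LINE
#   LINE is a "Features2=0x...<FLAG,FLAG,...>" line as printed by the FreeBSD
#   kernel at boot. Returns 0 (true) if AESNI is one of the listed flags.
#   The regex anchors on the comma/angle-bracket delimiters so that a flag
#   merely containing the letters "AESNI" would not produce a false positive.
has_aesni_flag() {
    printf '%s\n' "$1" | grep -Eq '<([^>]*,)?AESNI(,[^>]*)?>'
}

# Constructed sample lines in the kernel's format (not captured from a real host).
SAMPLE_WITH_AESNI='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>'
SAMPLE_WITHOUT_AESNI='  Features2=0xe3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE>'

# check_live_host
#   Inspects the running system. Prints findings; silently skips any step whose
#   data source is absent (e.g. when run on Linux instead of FreeBSD).
check_live_host() {
    if [ -r /var/run/dmesg.boot ]; then
        line=$(grep -m1 'Features2=' /var/run/dmesg.boot)
        if has_aesni_flag "$line"; then
            echo "CPU advertises AES-NI"
        else
            echo "CPU does not advertise AES-NI (or flag not reported)"
        fi
    else
        echo "no /var/run/dmesg.boot readable; not a FreeBSD/pfSense host?"
    fi
    # kldstat lists loaded kernel modules; aesni.ko is the AES-NI driver.
    # Without it loaded, the CPU flag alone gives no crypto offload.
    if command -v kldstat >/dev/null 2>&1; then
        if kldstat | grep -q 'aesni'; then
            echo "aesni(4) module is loaded"
        else
            echo "aesni(4) module is NOT loaded (try: kldload aesni)"
        fi
    fi
}

check_live_host
```

Running the script on a pfSense console reports both halves of the requirement; on a host where the CPU flag is present but the module is not loaded, encryption falls back to software and the AES-NI advantage the thread discusses never materialises.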
                    • D
                      Darkk

                      @Aluminum:

                      @Jason:

                      @midacts:

                      Aluminum:

                      For the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

                      Would it mainly be used for things like VPN connections?

                      At the moment it's about zero.

                      Yep, you can manually tweak some things for a speed boost, but generally just wait for 2.2.

                      The way the internet is going, though, I think encrypting every link is going to be the new normal, and hopefully last-mile speeds stop sucking in more places, so for future-proofing a DIY router it's a must-have feature IMO. It's not expensive if you shop carefully.

                      Very true about encryption, but other than VPN your PC is going to be handling the encryption when you surf the net, so you really don't need anything powerful on the firewall side unless you are serving over 100 people.

                      • A
                        Aluminum

                        @Darkk:

                        Very true about encryption, but other than VPN your PC is going to be handling the encryption when you surf the net, so you really don't need anything powerful on the firewall side unless you are serving over 100 people.

                        Not really; what I mean is that always-on VPN is slowly becoming the new normal for the tech crowd, definitely for anyone knowledgeable enough to use pfSense or similar configurable devices. Here in NA the monopoly ISP vs. user war is starting to go from cold to hot, among other things…
                        Not just your PC; you want to pipe all your random online devices through it too.

                        • stephenw10S
                          stephenw10 Netgate Administrator

                          The always-on VPN scenario seems like, often at least, it gives a false sense of security.
                          Where are you terminating your VPN/exiting your traffic?
                          The only way it seems likely to help is either you are terminating it somewhere genuinely trustworthy (don't know where that might be ;)) or you have many VPNs terminating on one machine such that traffic from the terminating machine cannot be easily tied to any particular VPN.

                          Anyway that's enough thread hi-jacking. Apologies to the OP.

                          Steve

                          • J
                            jasonlitka

                            @stephenw10:

                            The always-on VPN scenario seems like, often at least, it gives a false sense of security.
                            Where are you terminating your VPN/exiting your traffic?
                            The only way it seems likely to help is either you are terminating it somewhere genuinely trustworthy (don't know where that might be ;)) or you have many VPNs terminating on one machine such that traffic from the terminating machine cannot be easily tied to any particular VPN.

                            Anyway that's enough thread hi-jacking. Apologies to the OP.

                            Steve

                            I route all my traffic at home through a server in a nearby data center (consistent 8ms ping). It gets me away from Verizon's crappy routing (read: my Netflix works), and I can do interesting things like run all my web traffic through mod_pagespeed.

                            I can break anything.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.