1gbps Hardware Advice - Hosting



  • Hey guys been using pfsense for quite some time now, but using it at the house and not in the capacity we are going to try and use it in. Myself and a few friends are all network engineers so we work with Cisco and Juniper all day but we decided to try our luck at hosting so we got some space at a datacenter and a 1gbps circuit. I need hardware advice for this box and came here for idea's. We plan on running a pair of firewalls at the edge and a pair in front of the servers. The pair on the edge will strictly be for firewalling off traffic (maybe snort), but the firewalls in front of the  web servers we would be looking at doing HA proxy and snort.

    Processors are mainly what we are uncertain about

    Intel 2.4GHz Quad Core X3220 Processor x1 or Intel® Core™2 Duo Processor E7400 x1

    I know from what i've read to do 1gbps we need at least a 2.8ghz processor so my thoughts were to do the dual core's at the edge and the quad cores in front of the servers, or we can do all dual cores or all quad cores. All the servers will be maxed out at 8gb of memory, raid 1 hard drives, but uncertain about the cpu's. All the servers will be using quad intel server nics so no realtek or anything like that also. We will also be looking in the next few months at getting the cabinet next to us and an additional 1gbps circuit which might go into a new pair of firewalls when the time comes, but for now I just want to make sure we have the hardware to get this done right.


  • Netgate Administrator

    @usmc77:

    The pair on the edge will strictly be for firewalling off traffic (maybe snort)

    Firewalling at 1Gbps is not too taxing but running Snort at 1Gbps is a much bigger ask. I think you're going to have to decide on that first.

    The processors you mention actually throw up some interesting data. The cpu I often use for comparison is the Celeron G530 since it's very cheap.  ;) It has been shown to be capable of firewall/NAT at >1Gbps. Look at the passmark figures for the three processors:

    Intel Celeron G530 @ 2.40GHz 2172

    Intel Core2 Duo E7400 @ 2.80GHz 1757

    Intel Xeon X3220 @ 2.40GHz 3132

    Looks as though the E7400 may pass 1Gbps but it might be close and certainly won't do Snort at that speed. However that's not the full story. Currently (due to change with pfSense 2.2, FreeBSD 10) the pf process is restricted to a single thread and it's this that limits the firwall/NAT performance. Now look at the single thread figures:

    Intel Celeron G530 @ 2.40GHz 1,229

    Intel Core2 Duo E7400 @ 2.80GHz 1,146

    Intel Xeon X3220 @ 2.40GHz 926

    The E7400 is much closer to the Celeron but most interestingly both are more powerful than the Xeon. That's just for straight firewall/NAT, once you start running other services those extra cores are going to pay off.

    There are a number of threads with very similar titles to yours in which people give example hardware that would probably be useful to check.

    Steve



  • Complete newbie here (but I have done a lot of reading).

    Based on what I have seen, single core speed matters more than more cores, which resulted in me getting a pentium G3420 for my setup. (3.2ghz haswell x2).

    This is overkill for my needs as I have 100/15 cable, but should be capable of snort and squid @ 1gbps.

    Based on this, a 3.4 ghz i3 haswell would be my recommendation



  • @Keljian:

    Based on what I have seen, single core speed matters more than more cores, which resulted in me getting a pentium G3420 for my setup. (3.2ghz haswell x2).

    Based on this, a 3.4 ghz i3 haswell would be my recommendation

    Yep, a cheap haswell dual core is faster than most multi-socket servers on purely singled threaded low footprint tasks. (like pf in 2.1)
    The first MP xeon cpu that comes close is 2 thousand dollars, and its still sandy or ivy bridge so ~5% slower per clock.

    Haswell i3 support AES-NI and ECC in the right motherboard, some icing on the cake ;)



  • i also run a 1gbps link through pfsense, i run it on an ESXI host with the following specs

    Xeon E3 1275V2 @ 3.5Ghz
    32gb of RAM
    RAIDZ NFS storage from NAS

    The VM does have the highest priority of all the VMs on the host for the CPU, but only has 1gb of ram allocated to it. I have no problems with speed or running high demand packages such as snort.



  • Aluminum:

    for the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

    Would it mainly be used for things like VPN connections?



  • @midacts:

    Aluminum:

    for the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

    Would it mainly be used for things like VPN connections?

    At the moment it's about zero.



  • @Jason:

    @midacts:

    Aluminum:

    for the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

    Would it mainly be used for things like VPN connections?

    At the moment it's about zero.

    Yep, you can manually tweak some things for a speed boost but generally just wait for 2.2

    The way the internet is going though I think encrypting every link is going to be the new normal, and hopefully last mile speeds stop sucking in more places so for future proofing a DIY router its a must have feature IMO. Its not expensive if you shop carefully.



  • @Aluminum:

    @Jason:

    @midacts:

    Aluminum:

    for the AES-NI based CPUs, how much of a performance boost do you think you would get using AES-NI?

    Would it mainly be used for things like VPN connections?

    At the moment it's about zero.

    Yep, you can manually tweak some things for a speed boost but generally just wait for 2.2

    The way the internet is going though I think encrypting every link is going to be the new normal, and hopefully last mile speeds stop sucking in more places so for future proofing a DIY router its a must have feature IMO. Its not expensive if you shop carefully.

    Very true about encryption but other than VPN your PC is going to be handling the encryption when you surf the net so really don't need anything powerful on the firewall side unless you are serving over 100 people.



  • Very true about encryption but other than VPN your PC is going to be handling the encryption when you surf the net so really don't need anything powerful on the firewall side unless you are serving over 100 people.

    Not really, what I mean is that always on VPN is slowly becoming the new normal for tech crowd, definitely for anyone knowledgeable enough to use pfsense or similar configurable devices. Here in NA the monopoly ISP vs user war is starting to go from cold to hot, among other things…
    Not just your PC, you want to pipe all your random online devices through it too.


  • Netgate Administrator

    The always on VPN scenario seems like, often at least, it gives a false sense of security.
    Where are you terminating your VPN/exiting your traffic?
    The only way it seems likely to help is either you are terminating it somewhere genuinely trustworthy (don't know where that mught be  ;)) or you have many VPNs terminating on one machine such that traffic from the terminating machine cannot be eaily tied to any particular VPN.

    Anyway that's enough thread hi-jacking. Apologies to the OP.

    Steve



  • @stephenw10:

    The always on VPN scenario seems like, often at least, it gives a false sense of security.
    Where are you terminating your VPN/exiting your traffic?
    The only way it seems likely to help is either you are terminating it somewhere genuinely trustworthy (don't know where that mught be  ;)) or you have many VPNs terminating on one machine such that traffic from the terminating machine cannot be eaily tied to any particular VPN.

    Anyway that's enough thread hi-jacking. Apologies to the OP.

    Steve

    I route all my traffic at home through a server in a near-by data center (consistent 8ms ping).  It gets me away from Verizon's crappy routing (read: my Netflix works) and I can do interesting things like run all my web traffic through mod_pagespeed.


Log in to reply