Hardware recommendations?


  • Hi,

    New to pfSense and am wondering what hardware recommendation people have to run pfSense.

    I will want to run some packages and want a fast, responsive, but efficient solution.

    I was thinking of something like IBM System x3250 M2 Xeon E3110 3.0GHz Dual-Core 1U Rack Server

    http://www.ebay.com.au/itm/IBM-System-x3250-M2-Xeon-E3110-3-0GHz-Dual-Core-1U-Rack-Server-/231027532873?pt=AU_Servers&hash=item35ca506449&_uhb=1

    Upgrading to an SSD.

    I know the min requirement is only 256MB RAM, but is 2GB ECC RAM enough for a fast router? (WAN is slow, only 8 Mbits currently, but want to future-proof it for around 100Mbits).

    Just want to get some more info as to the hardware to give me best performance, or if it doesn't really matter too much what you run as long as it's the min requirements stated e.g. CPU, RAM etc.

    Thanks


  • If all you're doing is Firewall+NAT then it's plenty.  If you start adding packages like snort or squid you may come up short.

  • Netgate Administrator

    To clarify that, those specs will handle everything you can throw at it at 8Mbps. If you get a 100Mbps WAN and load every package you can without tuning anything you might hit the limits but with a 3GHz Xeon I doubt it. You may consider going to 4GB if you're running Snort with many rules.

    Steve


  • thanks,

    yeah, I will only be running 5 or so packages including snort.

  • Netgate Administrator

    The number of packages is not really relevant because they have wildly varying resource requirements. Snort and Squid are far more taxing than most (all?) other packages. The virus scanning packages are also tough to run but are dependent on Squid anyway.

    Steve


  • What do you guys think of my setup:

    ASUS P9D-I with 2x i210 GB nic
    Intel Xeon E3-1240 V3 LGA1150, Quad Core, 3.4GHz, 8MB, 80W, Haswell, Box
    2x Kingston DDR3 1600MHz 8GB ECC ValueRAM CL11 DIMM w/ TS
    2x Corsair SSD Nova Series 2, 30GB

    I have 100/100 now and the system barely uses anything.
    I don't have Snort or Squid. I don't see the point in Squid, or is it just me?

    I may be going to test a 1GB connection in the future, so is my pfSense box up to the task?

    Thanks.


  • Using Squid when you only have a few client machines and a lot of bandwidth will usually slow things down.  The benefit is when you have a bunch of users and not enough bandwidth.

  • Netgate Administrator

    Or if you're using it in combination with Squidguard for content filtering or with a virus filtering package.

    To answer your question, yes, that Xeon should handle anything you throw at it including a Gigabit uplink probably even with Snort, Squid etc.

    Steve


  • @stephenw10:

    The number of packages is not really relevant because they have wildly varying resource requirements. Snort and Squid are far more taxing than most (all?) other packages. The virus scanning packages are also tough to run but are dependent on Squid anyway.

    Steve

    Hi,

    Yes, I will won't to be running Snort, virus scanning package and possibly Squid if that will help with speed as my internet connection is only 2-4Mb/s :(.

    Thanks

  • Netgate Administrator

    @tmacka88:

    Yes, I will won't to be running Snort

    I assume you mean you want to run Snort rather than you won't be running it.  ;)

    You'll have no problems at all at 4Mb/s, you probably won't see the CPUs ever get much above idle.

    It's unlikely Squid will help you much here. If you run it with Squidguard you can block ads and other stuff that would otherwise use your bandwidth but it's usually easier to do that by using adblock in the browser anyway.

    Steve


  • I can confirm what Jason and Steve say about Squid and speed: if you have few clients on the LAN (I have 5), Squid doesn't appear to do much/add much benefit. Au contraire, it appears slower with Squid than without.

    And as Steve says, the added benefit would be Squidguard. So in that situation, you sacrifice speed for the benefit of blocking ads. At least, that is my experience on my two pfSense machines. If all you want to do is simple ad blocking (blocking ad servers, so no RegEx), you might as well consider a blacklist in the DNS forwarder. I am testing that right now, and it appears to work stably as well.


  • If you have to ask then you probably don't need anything that has more power than Atom processors.

    This is probably what you're looking for, this one uses Celeron 1037u, much more powerful than Atoms, fanless, dual gbit lan, idles at 17w, usb3, supports msata/sd, the box is only 29mm thick and can handle 1GBit/s easily:
    https://forum.pfsense.org/index.php?topic=75262.0