INTEL OR AMD, Single thread or Multi thread, Suggest a Hw config.



  • I am building a firewall with proxy server squid and either dansguardian or diladele web safety for a school with around 100 desktop computers… The main application will be content filtering, report generation using sarg and the usual proxy stuff... Please suggest which of the below configs will perform best in terms of price performance, power and throughput. I'll be using 5 openvpn connections, client to server only. What is the ideal RAM requirement when my ISP speed is 50Mbps?

    1. GIGABYTE C1037UN  CELERON DUAL CORE 1.8GHZ WITH TWO NICS PRICE $80 POWER 20W
    2. AMD A4 4000 3.0 GHZ(DUAL CORE) WITH MSI A55-E33 MB PRICE $90 POWER 40W-65W
    3. INTEL G2020 2.9 GHZ (DUAL CORE) WITH H61 ASROCK MB PRICE $ 100 POWER 40W-65W
    4. AMD SEMPRON 2.8 GHZ ( SINGLE CORE) WITH 760G CHIPSET ASROCK 960GM-FX MB PRICE $65 POWER 40W-65W
    5. AMD ATHLON X2 270 3.4 GHZ ( DUAL CORE) WITH 760G CHIPSET ASROCK 960GM-FX MB PRICE $90 POWER 55W-65W

    Does pfSense fully utilise multi-core CPUs?
    Would a quad core CPU benefit on the above configs, like the Celeron J1900?
    How important is single thread CPU performance for pfSense?



  • Ok pfsense at this time is not highly multithreaded, so fewer fast cores are currently better than many slow cores.

    Really for your throughput with VPN you should be looking at a haswell i3 if budget allows. This would give you aes ni for the VPN, and fast single core performance

    Being a school, you may be able to get a second hand CPU bargain from eBay, for example I picked up an i5-4570T for $140AUD.

    In the not too distant future, more cores and aes ni will make more of a difference.

    In terms of ram, that is highly dependent on whether or not you choose to run snort.

    Allow:
    2-4 gig for squid
    2-4 gig for snort

    6 gig seems to be the sweet spot for running both



  • Also the Avoton server based Atom CPUs support AES-NI. But yeah, basically if you care about high openvpn throughput then make sure you get a chip with hardware encryption (AES-NI)!

    I run an Ivy Bridge i5 because (at the time) it was the lowest end CPU line that supported AES-NI! Thankfully with Haswell they dropped AES-NI down to the i3 range, though. There are also several 'embedded' Intel SKUs with AES-NI as well. You can always check on ARK though.



  • @extide:

    Also the Avoton server based Atom CPUs support AES-NI. But yeah, basically if you care about high openvpn throughput then make sure you get a chip with hardware encryption (AES-NI)!

    I've been looking at Avoton, and the pricing is just way too far out there, I could get a high end i5 quad core (possibly even i7!) + motherboard for the same price as one on a motherboard.



  • @Keljian:

    I've been looking at Avoton, and the pricing is just way too far out there, I could get a high end i5 quad core (possibly even i7!) + motherboard for the same price as one on a motherboard.

    Yeah, this is real unfortunate :(

    THIS Supermicro board features a Sandy Bridge based Pentium B915C, which does include AES-NI. The motherboard it is on has 6, yes SIX Intel NICs! 2 I210s and 4 I350s! It's pretty expensive though, but would be one heck of a sweet pfSense platform!



  • The one thing these "embedded" options lack is upgradability.

    If I get an i3 now, I can go to an i7 later as my needs increase. Not so with Avoton.

    I love the idea of a multithreaded low power monster, but not at a price where I can get much more bang for buck with about the same idle power consumption and the ability to upgrade.



  • pfSense 2.2 should be a lot more thread friendly, and will be out this summer/year. GHz is important, but don't completely write off a quad core if you plan on keeping it for a while and possibly having it do more work, like VPN, proxy, snort, etc. If you put a 5 year lifetime on the box, where do you see your bandwidth needs in that time?

    When I chose a CPU, I just went for 2.8GHz+ and at least a dual core.



  • @extide:

    @Keljian:

    I've been looking at Avoton, and the pricing is just way too far out there, I could get a high end i5 quad core (possibly even i7!) + motherboard for the same price as one on a motherboard.

    Yeah, this is real unfortunate :(

    THIS Supermicro board features a Sandy Bridge based Pentium B915C, which does include AES-NI. The motherboard it is on has 6, yes SIX Intel NICs! 2 I210s and 4 I350s! It's pretty expensive though, but would be one heck of a sweet pfSense platform!

    That board is "expensive" because it has an Intel Quick Assist ("Cave Creek") on-board. When I (eventually) get the work done to incorporate this into FreeBSD (and thus, pfSense), it will make sense.

    But I took the decision to support AES-NI first (limited resources, remember?) because it is more generally applicable.



  • @Keljian:

    Ok pfsense at this time is not highly multithreaded, so fewer fast cores are currently better than many slow cores.

    False. At this time, the only part of pfSense 2.1 that isn't multi-threaded is the pf packet filter.
    The rest scales very well with multiple cores.

    @Keljian:

    Really for your throughput with VPN you should be looking at a haswell i3 if budget allows. This would give you aes ni for the VPN, and fast single core performance

    Be aware that at this time, only OpenVPN is accelerated with AES-NI.  We're working on accelerating IPSEC.

    @Keljian:

    In terms of ram, that is highly dependent on whether or not you choose to run snort.

    Allow:
    2-4 gig for squid
    2-4 gig for snort

    6 gig seems to be the sweet spot for running both

    There are reasons that the C2758 in the pfSense store has 8GB (and 8 cores, and supports AES-NI and QuickAssist).

    We know what is coming.  :-)

    Jim



  • @gonzopancho:

    @Keljian:

    Ok pfsense at this time is not highly multithreaded, so fewer fast cores are currently better than many slow cores.

    False. At this time, the only part of pfSense 2.1 that isn't multi-threaded is the pf packet filter.
    The rest scales very well with multiple cores.

    @Keljian:

    Really for your throughput with VPN you should be looking at a haswell i3 if budget allows. This would give you aes ni for the VPN, and fast single core performance

    Be aware that at this time, only OpenVPN is accelerated with AES-NI.  We're working on accelerating IPSEC.

    @Keljian:

    In terms of ram, that is highly dependent on whether or not you choose to run snort.

    Allow:
    2-4 gig for squid
    2-4 gig for snort

    6 gig seems to be the sweet spot for running both

    There are reasons that the C2758 in the pfSense store has 8GB (and 8 cores, and supports AES-NI and QuickAssist).

    We know what is coming.  :-)

    Jim

    Sorry Jim,

    I meant to say:
    1. Snort is single threaded as is pf
    2. Squid benefits mostly from 2 threads, as opposed to more (in my personal experience)
    3. Quick assist is a good explanation of why this board is so expensive - I question whether it is necessary for a school at this time.


  • Netgate Administrator

    Yeah, I definitely wouldn't go single core unless you have that hardware to hand already. As Jim said, the pf process is limited to a single thread (but not for too much longer) but there are many processes running, especially if you're using packages.

    I don't agree about AES-NI though. You can push 50Mbps of OpenVPN traffic using only software on an Atom D525! Yes, AES-NI will reduce the CPU loading a VPN connection introduces but unless you're planning to get a faster WAN connection it's not something I would consider a priority in selecting a CPU. The G2020, for example, would have no problems. It has more than 5X the single thread performance of a D525.

    Steve



  • stephenw10… what's your take on the J1900 or C1037UN?
    Both are low power... how will they fare against the G2020?


  • Netgate Administrator

    I've not used either, or the G2020!  ;)
    You mean the Gigabyte board specifically or the CPU? The board has Realtek NICs which I would try to avoid if possible. I think there is a thread here discussing it.

    Both the C1037 and the J1900 are substantially less powerful, in processing terms, than the G2020. See:

    http://www.cpubenchmark.net/compare.php?cmp[]=2131&cmp[]=1988&cmp[]=1839
    

    Edit: URL won't format properly.  >:(

    The J1900 is particularly weak in the single thread benchmark but scores reasonably because it's quad core.
    Although the G2020 is a 55W TDP CPU that does not mean it will draw anything like that in normal use. Unless you have a very strict power requirement, like you're running from solar, then I would not expect it to be excessively expensive to run. There are other threads here comparing the G2030 with the G2030T in terms of power consumption where the savings were minimal.

    Steve



  • I am presently running on G2020 with idle power of 44W. I am attracted only because of low power consumption and the dual NICs readily available on-board.
    Has anybody compared performance of Athlon X2 270 vs G2020? Please let me know.



  • How is it enough for 100 desktop computers to share a dual LAN firewall? Why not consider making it 4 LAN or 6 LAN?



  • @allendyb:

    How is it enough for 100 desktop computers to share a dual LAN firewall? Why not consider making it 4 LAN or 6 LAN?

    Because, even with a Single-WAN router, the bottleneck is usually the WAN connection itself, that is unless you have a connection faster than 1Gbit!