500 Mbps connection and integrated NICs?



  • Hi!

    I have ordered a 500 Mbps fiber connection for my home, which will be delivered in about 4 months. I want to plan ahead, so I'm going to build a pfSense server soon.

    I was looking at hardware that is energy efficient and powerful enough for this mission. I will use pfSense to make four different VLANs, as it's four apartments that will share this connection, and I do not want the LANs to communicate but only to share the internet connection.

    So, I was looking at the Core i3-4130T ( http://ark.intel.com/products/77481/Intel-Core-i3-4130T-Processor-3M-Cache-2_90-GHz ) and the Gigabyte GA-H97N ( http://www.gigabyte.com/products/product-page.aspx?pid=4992#ov ) as both of these don't use much power. I'm also adding 4 GB or 8 GB of RAM and an 80 GB SATA disk.

    So, to the questions:

    1. The Gigabyte motherboard has two integrated Intel NICs. Will these perform well enough for this speed?
    2. Is the hardware powerful enough?

    Thanks!

    Best regards,

    twarr


  • Netgate Administrator

    Yes that hardware is easily powerful enough.
    The Atheros NIC I don't think is supported.
    The wifi and bluetooth are definitely not supported.

    See: https://forum.pfsense.org/index.php?topic=75928.0

    Steve



  • Do the tenants at each apartment plug into a local switch, which then trunks to a central location for PFSense?

    You mentioned a vlan for each apartment and they can't talk to each other, but what about each tenant? Should they also not see each other?



  • OK. Since that motherboard won't work, what about this one? :)
    http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-dq77kb.html

    I will use a Cisco SB300, which is a layer-3 switch. Every apartment will have its own wireless router. Each apartment has several users connected to their wireless router, and I want to separate these different networks from each other.
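    The tenant isolation described in this thread (four VLANs that share one WAN but must never reach each other), written as a raw pf ruleset. This is an added example, not code from the thread and not pfSense's own generated configuration (pfSense builds its ruleset from the web GUI); the interface names, VLAN IDs and addresses are assumptions chosen for illustration.

```pf
# Added example: pf.conf for a FreeBSD/pf router isolating four tenant VLANs.
# Interface names, VLAN IDs and address ranges are assumptions for the example.
ext_if  = "em0"                                   # WAN, the fiber connection
tenants = "{ vlan10 vlan20 vlan30 vlan40 }"       # one 802.1Q interface per apartment,
                                                  # all trunked in on the second NIC (em1)
table <tenant_nets> { 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.40.0/24 }

set skip on lo0
set block-policy drop
scrub in all

# All four apartments share the single public address
nat on $ext_if from <tenant_nets> to any -> ($ext_if)

# Default deny (logged): a VLAN with no explicit rule fails closed
block log all

# Apartments may use the router itself only for DHCP and DNS
pass in quick on $tenants proto udp from any port 68 to { self, 255.255.255.255 } port 67
pass in quick on $tenants proto udp from any to self port 53
pass in quick on $tenants proto tcp from any to self port 53

# No apartment may reach another apartment's network (or the router's other
# gateway addresses). This rule is what turns "four VLANs" into "share the
# internet only", so it sits before the general pass rule and is quick.
block in log quick on $tenants from any to <tenant_nets>

# Everything else from an apartment goes out to the internet; state handles replies
pass in on $tenants from any to any
pass out on $ext_if from any to any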


  • Netgate Administrator

    The DQ77KB will definitely work, there are plenty of people here using it, but it's no longer made so it's very hard to get hold of.

    Steve



  • Hi!

    My connection is only 100/10, but hopefully I can still add some useful specific performance info that I myself didn't really find when I built my first pfSense box 5 months ago.

    Intel DQ77KB
    Intel i5-3470T TDP 35W 2012 Q2, cpubenchmark.net average score 4547 (single thread 1861)
    8 GB RAM
    40 GB Intel 530 mSATA SSD
    Akasa Euler fanless case

    Packages pfblocker, squid3 and snort with about 25 WAN rulesets (scans, dos, dshield, compromised, exploit-like rulesets) and about 95 LAN rulesets (browser exploits, server-specific, various tx protocols and server rulesets). Sort of as per bmeeks, but my snort ruleset is way too large for my needs; I just haven't had the time to examine every ruleset and trim.

    Out of curiosity I maxed out my connection full duplex for half an hour (for temps) to see how it fared. CPU loads are from 'top -SH'; temps, memory and disk stats are from the overview in pfSense. Your i3-4130T was tested at cpubenchmark.net with 4177/single thread 1691, so pretty close to my CPU.

    top -SH output, trimmed:
    STATE WCPU COMMAND

    CPU0 100% idle (cpu0)
    CPU2 98% snort (snort)
    CPU1 95.3% idle (cpu1)
    bpf 53.5% snort (snort)
    RUN 45.5% idle (cpu2)
    RUN 15.7% idle (cpu3)
    WAIT 4.7% intr (irq257: em1: rx 0)    # em0 and em1 are the two NICs
    -      4.2% kernel (em0 que)
    piperd 0.5% php (php)    # web gui
    and then 9 other processes at 0% cpu usage

    Web GUI overview page:
    CPU core temps 60-61 deg C
    CPU usage 45%
    Memory usage (26% of 7989 MB)
    Disk usage 3% of 38GB
    State table size 0% (107/798000 max)

    So my conclusion is that, apart from snort, only roughly "10%" out of the 2 physical core + 2 logical core max capacity of "400%" is used for the routing and filtering itself, and 1/3 of the total CPU capacity is used for snort. So while I don't have a 500 Mbps link yet, I will likely get 1 Gbps in a year or two, and I think that my CPU, and thus yours in its likeness, would easily handle filtering for 500 Mbps. Snort with a large ruleset is perhaps pushing it. Therefore I switched my CPU to a Xeon E3 1265Lv2 (45W TDP, cpubench 8823) last week, because I'm so happy with the soundless box and I wanted to add as much longevity to it as possible before it's impossible to upgrade it. Also, with multithreaded pf coming in 2.2 and when suricata (multithreaded IDS) matures, perhaps the load spread over more cores can make it run a little cooler, but I really have no knowledge of that. It's most likely overkill :)

    Thanks everyone for all the answers that helped me in my box building and thank you so much pf and packages developers!



  • Unfortunately I omitted some somewhat important info about my test. The above figures, with quite a load on snort relative to the 100 Mbps link, were from when I saturated the link over an OpenVPN connection from one of the LAN hosts with 5 FTP requests for Ubuntu ISOs from speedy servers. When I did the same test but not over OpenVPN, the snort load figures were about 15% divided over two CPUs. I don't really know what caused that difference, but my guess is that snort didn't associate the packets as part of an already initiated continuous transfer stream and rather ran rules on every packet. Does anybody know?

