HP Proliant Microserver G8
Been lurking for a while and have found a couple of dated threads saying this "might not" work etc. wanting to see if anything has changed or if anyone tried it.
I have so far worked out the following:
Non G8 works, but requires another network card as it only has 1 built in: https://forum.pfsense.org/index.php?topic=60899.0 the non-G8 version lacked lots of features that made the box a little underpowered by today's standards.
I will probably need to buy a new dual or quad network card to put in the PCIe slot for FreeBSD to have networking (while doing so I should also dodge Realtek-based NICs and try and pick up a nice Intel chipset) which should carry me through to the next version of pfSense based on FreeBSD 10 where I might be supported again (http://forums.freebsd.org/viewtopic.php?t=31769)..
...I've also read that actually the networking might actually work out of box however it may be buggy (https://forum.pfsense.org/index.php?topic=77639.msg423339#msg423339)
and I speculate I might be able to get away with disabling the hardware RAID, switch to ACPI and then use pfSense software RAID? : https://forum.pfsense.org/index.php?topic=71523.0 and other posts imply the disk controller just might not work anyway https://forum.pfsense.org/index.php?topic=73396.msg400694#msg400694
Anything I'm missing? Anyone actually pulled this off without adding a virtualisation layer and just hoping no-one compromises it?
I looked at hardware more suitable but found that all the new Haswell chipsets are unsupported. I looked at some of the Netgate APU4 / Official pfSense machines (which are all just basically PC Engines APU boards - http://www.pcengines.ch/apu.htm) and the UK P&P is awful (I could buy a microserver for the total cost) and I wouldn't really get Snort running on it. If I wanted a squid cache I'd also probably have to plug in an external HDD (which I only assume is possible). Also I haven't seen any benchmarks that say the sort of throughput the passively cooled CPU would start throttling and I'd get out of it before I wished I'd bought a proper PC to run it on.. nobody appears to have reviewed them either. It's a bit odd someone hasn't sat down and written guides on the Netgate and reviewed them (I was hoping for a mention on somewhere reputable like PC Pro but I couldn't even find some ropey blog somewhere that talked about them). The hardware page implies on a gigabit network to get anything above 100Mbps the APU might not be up to the task "No less than a modern Intel or AMD CPU clocked at 2.0 GHz." (https://www.pfsense.org/hardware/)
Anyone have any comments :-)?
Update: I found a review of the APU.. didn't come out great http://planet.ipfire.org/post/pc-engines-apu1c-a-review
I'm running an N40L with 4GB RAM, dual port Intel NIC and HP remote access card, and I've had no issues with pfSense on the hardware. Initially I ran the microserver with a single port Broadcom NIC and pfSense ran fine. I had it spare before that, but they are extremely cheap on eBay. I just wanted an extra NIC at the time so I got the dual port Intel. I've gone back to only using 2 NICs anyway and run all internal interfaces on separate VLANs.
These boxes are underpowered for Windows Server and System Center and I wouldn't attempt to use them in the enterprise, but for basic routing at lower speeds in a home or small business they definitely do the job. With 4GB RAM Snort seems to work fine (however I'm not actively running it anymore) and I run squid on one network segment as well. My biggest issue is the form factor and the power usage. I have a small comms rack that I want my pfSense box to go into, but if you're not rackmounting it anyway the form factor does fit fairly well.
The APU seems to be using a very similar processor but with a lower clock speed and Realtek NICs; it makes it look like a real step down for me. If only it had Intel NICs then I would consider it. Although I still wonder about its longevity in a hot country with the amount of heat it seems to produce.
The new Atoms look very interesting to me but only a single system is listed on the pfSense store and an 8 core seems overkill to me. Not all the hardware in other manufacturers' systems will run under pfSense 2.1.3.
You don't mention what internet connection speed you will have. That is a fairly key consideration, along with any packages you intend to run.
I'll give you my view of the differences as I use both an N54L (G7) and a G8. Both are running ESXi. N54L with pfSense, NAS4Free and a Windows-based mail server as VMs. G8 has those VMs plus a web server and another Windows VM. The G8 has 100 Mb/s cable and ADSL connections, the G7 has ADSL only. Both ADSL connections are about 14 Mb/s.
The G7 has a dual core AMD Turion II running at 2.2 GHz.
The G8 has a dual core Intel G1610T running at 2.3 GHz or a G2020T running at 2.5 GHz.
The G8 will take an alternative 1155-pin Intel CPU like the Xeon E3-1265Lv2, which will get you AESNI and PCI pass-through. The only problem is finding one of those CPUs.
Here's a comparison of the Turion and the G1610T.
The G7 will support up to 16GB of memory. The G8 will support up to 16GB of memory (but needs ECC memory, IIRC).
The G7 has two PCIe slots and one built-in Broadcom NIC. The G8 has two built-in Broadcom NICs and one PCIe slot. The G8 also has an integrated ILO port, which may or may not be useful to you.
The G7 has no built-in RAID controller. The G8 has a built-in HP B120i RAID controller. Even for a NAS I think the B120i is a waste of space. Four 3.5" disk slots is a waste for any stand-alone firewall device.
The G7 fan is almost inaudible. The G8 fan is not loud but louder than the G7.
The G7 probably has lower overall power consumption but probably not by a lot.
Updating the firmware(s) on the G8 is a PITA.
The G7 costs a lot less than the G8.
The best thing about the G8 is that it is very well constructed. Adding memory and a PCIe card is easier than on the G7 but how often do you do that?
Thank you for your reply.
You don't mention what internet connection speed you will have.
152 Mbps (sic). The rest of the network is gigabit. I plan on running Snort (and potentially fail2ban), passive proxy, obscene HTTP cache (hopefully with If-Modified-Since logic like Forefront has), anti-virus, HTTPS inspection, logging, potentially an OpenVPN and all the things that say I probably need a proper PC for this. I am also mooting placing the domain controller / mail server etc. on a separate NIC so that I can make the firewall rules truly granular in case one of the workstations ever goes rogue.
My concerns with virtualising on the G8 are that I lose the flexibility of remotely iLOing it if it goes wrong and that the VMware services are another attack vector. The server will hold the CA cert for the HTTPS inspection so these sorts of things concern me. The server will be DMZed from the ISP's consumer grade router. After playing/failing with getting BSD to PXE boot (with grub4dos) off an old netbook yesterday I realised just how much of a dick BSD is with devices not on the approved list.
I currently use Forefront TMG which is now end-of-life. I think I proved the value of having a UTM device though and as I have quite a bit of holiday off from work wanted to get playing because I enjoy this sort of thing.
The G8 fan is not loud but louder than the G7.
You raise an interesting point about fan noise, I assume if the box isn't under much load the fan noise adjusts accordingly? I also read the G8 fans go to full power if you place a drive in there that doesn't have a decent temperature sensor or falsely reports the drive as too warm. Does pfSense have all the CPU mode switching so that the CPU cores can be shut off or idle when they're not busy?
I get that the G7s are pretty much being given away now.. but with iLO, extra NIC and the speed improvements (like aus_guy said the G7 is a little underpowered) I'm not sure it'd be worth buying old tech. I was thinking of going for the G2020T because I found a good deal in the UK for a G8 that comes with that and you might as well over-spec if you're going to be stuck with it for a while to come and there's not a big difference in cost. I'm also curious about running the boot disk from an SD card which the G8 has.
I'd probably rack the G8 up with 8GB (2 x 4), I imagine anything more would get astronomically expensive.
Four 3.5" disk slots is a waste for any stand-alone firewall device.
I was planning on a RAID 1 of the first 2 disks for the OS and then another RAID 1 for the cache. I have the disks left over from a previous decommissioning (years ago). I suspect the HP RAID controller might not actually let me make 2 x RAID1 volumes so I'd probably just settle for RAID 10 which depending on how much of both disks I fill is close enough.
Can you confirm that out of box (even just liveCD'd) the current version of pfSense will refuse to recognise the NICs and not talk to the RAID controller?
aus_guy - Thanks too for your reply, I think we have the same understanding about how much I'd get out of an APU. I've never really seen good throughput from an Atom, it's not really what they're designed for and AMD always used to go for slightly cheaper components so Intel always had the edge on cooler CPUs that made for ultimately quieter systems.
I'm pretty certain that pfSense won't recognize the B120i RAID.
Sorry, I don't know whether the on-board Broadcom NICs (BCM5720 according to ESXi) in the G8 will work with pfSense.
I'm pretty certain that pfSense won't recognize the B120i RAID.
It didn't last time I tried to install 2.1.3 on one.
I've never really seen good throughput from an Atom, it's not really what they're designed for
The Rangeley range is certainly designed for network communications; it is a shame they called it an Atom because it's nothing like the old Atoms. Have a look and you may be surprised at what's changed.
pfSense/ESF are selling them for good reason.
Either way, good luck whatever you decide on.