    Recommendation for home user with VPN, Snort & fanless

    Hardware
    • stephenw10 (Netgate Administrator)

      @Keljian:

      Considering the T series of haswell are rated to 35W TDP you could reasonably run it fanless with just about any moderately sized cooler sans fan.

      Hmm, not sure I'd agree with that. Most CPUs that are commonly used fanless are <15W TDP. There are cases designed for 35W TDP fanless but they usually go to significant lengths to dissipate the heat. The Akasa Euler for example.
      Most modern CPUs have built-in over-heat protection of some sort, so they will just clock down instead of melting, but I'm not sure I'd want to rely on that or run a CPU at its maximum operating temp continuously.

      Steve

      • Keljian

        I popped one of these: http://www.itsvet.com/proizvod/thermaltake-cl-p0019-fanless-103/comp_comp_cooler/49/237 on an overclocked Q6600 (at 3.2GHz) and it coped OK. That would have been dissipating 150+W.

        More modern heatsinks are much bigger in terms of surface area.

        If you popped something like these on the chip:
        http://www.thermaltake.com/Cooling/Air_Cooler_/Frio/C_00001826/Frio_Extreme/design.htm

        or
        http://www.thermaltake.com/Cooling/Air_Cooler_/Contac/C_00001807/Contac_21_/design.htm

        or
        http://www.thermaltake.com/Cooling/Air_Cooler_/Others/C_00001896/BigTyp_Revo_/design.htm

        I think you would be more than fine, especially considering that in a home application you would not be running flat out most of the time.

        Intel specify the heatsink 60% down the following page for 35W (and it's tiny!)
        http://www.anandtech.com/show/4524/the-sandy-bridge-pentium-review-pentium-g850-g840-g620-g620t-tested

        • stephenw10 (Netgate Administrator)

          Well, yes, those look fine. I may well be out of touch here but those look like more than 'moderately sized' to me. ;)
          35W is a pretty low TDP by modern standards, although the trend for ever-increasing power consumption looks to be thankfully reversing. You don't need too much to dissipate 35W, but it's a big gap between a small/quiet fan and fanless.
          I guess my point here is that if fanless is a key requirement then you're better off spending more on a CPU with a very low TDP than trying to cool a standard CPU with an expensive case. In my opinion!

          Steve

          • q54e3w

            I've run an Intel i5-3740T (?) and a Xeon 1265Lv2 fanless in an Euler case with a dual-port i350 on an Intel dq66kb mobo. Both run Snort and pfBlocker with intensive rules on multiple interfaces. Both CPUs run at 10-20% utilisation and 55 degC. RAM is a bigger hurdle: get 16GB of fast stuff, not silly overclocked marketing bull, just good solid low-latency RAM.
            I'm building a couple of Rangeley systems next week too for comparison. I've been meaning to throw build and data threads up for some time but got distracted.

            • Keljian

              16GB of RAM is utterly unnecessary for home use.

              I run 6 gig on my box and even that is overkill.

              • jasonlitka

                @Keljian:

                16GB of RAM is utterly unnecessary for home use.

                I run 6 gig on my box and even that is overkill.

                Not necessarily. Snort can use 3-4GB of RAM per interface, depending on how you configure it, and Squid can use RAM for a first-level cache.

                • Keljian

                  I can't see a home user needing multiple Snort interfaces and a large Squid setup.

                  Just can't see it.

                  Would love to be proven wrong.

                  • stephenw10 (Netgate Administrator)

                    Depends how you define 'need'. ;)
                    You could argue that most people don't need a pfSense setup for home use at all.

                    Steve

                    • jasonlitka

                      Well, I don't use Squid. I prefer to overcome the need with a lot of unmetered bandwidth.

                      Snort, on the other hand, is very valuable. I run it on all interfaces, blocking on externals, alerting on internals. Very memory-intensive.

                      • stephenw10 (Netgate Administrator)

                        Does it catch much on your home network? What does it catch?
                        I ask because I gave up running Snort at home after I was getting more false positives than anything useful. That was some time ago though and I'm not running any home servers (currently).

                        Steve

                        • jasonlitka

                          @stephenw10:

                          Does it catch much on your home network? What does it catch?
                          I ask because I gave up running Snort at home after I was getting more false positives than anything useful. That was some time ago though and I'm not running any home servers (currently).

                          Steve

                          I've had a few people come over with laptops which had Zeus trying to hit CnC servers. I've also had it catch a few 0-day exploits on web sites. I use it mostly for malware blocking.

                          Getting it configured correctly so it doesn't constantly block everything you do is the hardest part.

                          • stephenw10 (Netgate Administrator)

                            Ah, interesting, thanks. ;)
                            Agreed, stopping it blocking everything is what I gave up trying in the end. Too many complaints, not enough perceived advantage.
                            Back in the day I used to run it in IPCop (by just checking the box) and never really had any issues but also never caught anything. That was on a box with 196MB. Times change, I guess Snort is able to detect far more than it could 10+ years ago.

                            Steve

                            • Darkk

                              @stephenw10:

                              Ah, interesting, thanks. ;)
                              Agreed, stopping it blocking everything is what I gave up trying in the end. Too many complaints, not enough perceived advantage.
                              Back in the day I used to run it in IPCop (by just checking the box) and never really had any issues but also never caught anything. That was on a box with 196MB. Times change, I guess Snort is able to detect far more than it could 10+ years ago.

                              Steve

                              I too ran IPCop back in the day along with Snort on an old Dell P-III machine with 256MB of RAM. Most of the blocks were actually unnoticed. Since the hardware was very limited I only had it snort on the WAN (RED network). I also was running some package that blocked IPs for port scans which worked pretty well. Over time IPCop started to age with no real updates, so I looked around for something better, which led me to pfSense after trying out other firewalls.

                              Just a side note: a group of devs forked IPCop, which is now called IPFire and is very active in development. For simple home use IPFire is fine, but I prefer pfSense's advanced features and flexibility.

                              • Keljian

                                I have Snort on my WAN at home; the sheer number of alerts it pops up as having blocked (incoming mainly) is both comforting and concerning at the same time. Yes, it is a hassle, but I believe it has stopped more problems than it has caused.

                                • stephenw10 (Netgate Administrator)

                                  Hmm, I'll have to give it a try again.

                                  • divsys

                                    Interesting aside on the merits of Snort for home use. I'm another IPCop user that made the switch years ago. I do remember running Snort and their caching accelerator (quasi-Squid).

                                    I still have a Snort-code but don't currently use it - too much maintenance for what it captures.  Now that you're (we're) thinking about resurrecting the package, have you kept up with the VHS-BETA discussion going on in the packages forum re: Suricata vs Snort?  There's some persuasive and well structured thought seemingly going into Suricata that I find appealing.

                                    The setup of either of them is still more Black Magic than I like but at least Suricata seems to be coming from a KISS principle first whereas Snort feels like an evolution that has reached the "we need to add one more thing" stage.

                                    PS - Stephen, I sympathize on the lost text. I've taken to highlighting my entire posts and hitting Ctrl-C just before I post. The other thing that works for me (I also use Firefox) is to not set the "Stay logged in" flag; I use a timeout of 600 mins. A little annoying as I have to log back in once or twice a day, but I have had way fewer cookie/cache timeouts and lost posts.

                                    • BBcan177 (Moderator)

                                      @divsys:

                                      PS - Stephen, I sympathize on the lost text. I've taken to highlighting my entire posts and hitting Ctrl-C just before I post. The other thing that works for me (I also use Firefox) is to not set the "Stay logged in" flag; I use a timeout of 600 mins. A little annoying as I have to log back in once or twice a day, but I have had way fewer cookie/cache timeouts and lost posts.

                                      Just remember not to swear when that happens!!!

                                      I have had some success fixing this issue. When it times out, open a second window and log in to the pfSense forum again. Then go back to the previous window and either refresh or click back. Trying to remember the exact steps without repeating a timeout!! ;)

                                      I am a big fan of using Snort. I would always recommend putting it into non-blocking mode and, as you have time, disabling the rules that are causing FPs and adding suppression as you need. Then, once you have it tuned, you can put it into blocking mode.

                                      If Pulled Pork were utilized properly, we could use enablesid.conf and disablesid.conf files, into which you could more easily copy and paste settings to enable/disable rulesets.

                                      so Steve.. Jump in…  ;)

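The tuning loop BBcan177 describes (run in alert-only mode, find the rules that fire constantly, suppress or disable them, then switch to blocking) is easy to start from the alert log itself. The following is an added example, not code from this thread or from the pfSense, Snort or PulledPork projects. It parses Snort's `alert_fast` line layout, counts hits per gid:sid, and drafts entries in two real syntaxes: `suppress gen_id ..., sig_id ..., track by_src, ip ...` as used in Snort's threshold.conf (the pfSense Snort package's suppress list takes the same syntax) and `gid:sid` lines for PulledPork's disablesid.conf. The rule SIDs (local range 1000001+), hosts, messages and the thresholds `noisy` and `single_src_ratio` are all constructed for the example; the one practitioner caveat built in is that priority 1 signatures are never tuned away automatically, only flagged for review.

```python
"""Tally Snort alert_fast records and draft tuning entries (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Snort "alert_fast" layout assumed here (one record per line):
#   MM/DD-hh:mm:ss.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def _fast_line(minute, gid, sid, rev, msg, cls, prio, proto, src, dst):
    """Build one constructed alert_fast line for the sample log below."""
    return (f"03/01-10:{minute:02d}:00.000000  [**] [{gid}:{sid}:{rev}] {msg} [**] "
            f"[Classification: {cls}] [Priority: {prio}] {{{proto}}} {src} -> {dst}")


# Constructed sample log: local-range SIDs, RFC 5737 / private addresses, made-up rule messages.
SAMPLE_ALERTS = (
    # noisy policy rule, always the same internal host -> suppress for that host only
    [_fast_line(i, 1, 1000001, 2, "LOCAL POLICY Chat client handshake",
                "Potential Corporate Privacy Violation", 3, "TCP",
                f"192.168.1.20:{51000 + i}", "203.0.113.9:443") for i in range(4)]
    # noisy info rule firing from many hosts -> rule is noise everywhere, disable it
    + [_fast_line(10 + i, 1, 1000002, 1, "LOCAL INFO DNS query for CDN hostname",
                  "Misc activity", 3, "UDP", f"192.168.1.{20 + i}:40000",
                  "192.168.1.1:53") for i in range(4)]
    # noisy but priority 1 -> never auto-tuned, flagged for a human
    + [_fast_line(20 + i, 1, 1000003, 5, "LOCAL MALWARE Trojan callback",
                  "A Network Trojan was detected", 1, "TCP",
                  "192.168.1.50:49152", "198.51.100.7:8080") for i in range(4)]
    # a one-off (below threshold) plus a malformed line the parser must skip
    + [_fast_line(30, 1, 1000004, 1, "LOCAL SCAN Single inbound probe",
                  "Attempted Information Leak", 2, "TCP",
                  "198.51.100.77:4444", "203.0.113.1:22"),
       "this line is not a Snort alert and is skipped"]
)


def parse_alerts(lines):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def propose_tuning(alerts, noisy=4, single_src_ratio=0.9):
    """Sort signatures with >= noisy hits into suppress / disablesid / review buckets."""
    hits, sources, meta = Counter(), defaultdict(Counter), {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        hits[key] += 1
        sources[key][a["src"]] += 1
        meta[key] = (a["msg"], a["prio"])
    plan = {"suppress": [], "disablesid": [], "review": []}
    for (gid, sid), n in sorted(hits.items()):
        if n < noisy:
            continue
        msg, prio = meta[(gid, sid)]
        if prio == 1:                      # high-severity: a human decides, never the script
            plan["review"].append((gid, sid, msg, n))
            continue
        top_src, top_n = sources[(gid, sid)].most_common(1)[0]
        if top_n / n >= single_src_ratio:  # one host dominates: keep the rule, mute that host
            plan["suppress"].append((gid, sid, top_src, msg))
        else:                              # fires from everywhere: the rule itself is the noise
            plan["disablesid"].append((gid, sid, msg, n, len(sources[(gid, sid)])))
    return plan


def render_threshold_conf(plan):
    """threshold.conf / pfSense suppress-list syntax, comment line before each entry."""
    out = []
    for gid, sid, ip, msg in plan["suppress"]:
        out += [f"# {msg}", f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"]
    return "\n".join(out)


def render_disablesid_conf(plan):
    """PulledPork disablesid.conf syntax: one gid:sid per line."""
    out = []
    for gid, sid, msg, n, nsrc in plan["disablesid"]:
        out += [f"# {msg} ({n} hits from {nsrc} sources)", f"{gid}:{sid}"]
    return "\n".join(out)


if __name__ == "__main__":
    plan = propose_tuning(parse_alerts(SAMPLE_ALERTS))
    print(render_threshold_conf(plan), render_disablesid_conf(plan), sep="\n")
    for gid, sid, msg, n in plan["review"]:
        print(f"# REVIEW {gid}:{sid} fired {n}x at priority 1: {msg}")
```

Point the script at a real alert file by replacing `SAMPLE_ALERTS` with `open(path)`; the drafted lines are meant to be read and pasted by hand, which is exactly the workflow the post is asking PulledPork integration to make easier.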
                                      • stephenw10 (Netgate Administrator)

                                        I've been meaning to give Suricata a try ever since bmeeks announced his package. Time to try that too.
                                        @BBcan177:

                                        so Steve.. Jump in…  ;)

                                        If you're asking me to help with integrating Pulled Pork then you clearly haven't ever read any code I've "written". :P

                                        Steve

                                        • Cino

                                          @stephenw10:

                                          If you're asking me to help with integrating Pulled Pork then you clearly haven't ever read any code I've "written". :P

                                          No comment, have you seen mine? ::)

                                          Stephen

                                          • BBcan177 (Moderator)

                                            @stephenw10:

                                            I've been meaning to give Suricata a try ever since bmeeks announced his package. Time to try that too.
                                            @BBcan177:

                                            so Steve.. Jump in…  ;)

                                            If you're asking me to help with integrating Pulled Pork then you clearly haven't ever read any code I've "written". :P

                                            Steve

                                            Suricata is a lot more involved. I personally would stick with Snort until Suricata goes through another few versions. It's also a little piggy on memory.

                                            Bill is really doing a fantastic job at managing the Snort and Suricata packages. Integrating Pulled Pork was just to let you know that if it was integrated, we could post a basic ruleset that you could copy/paste and be ahead of the curve.

                                            I think we need to convince the pfSense devs that it's a change for the better. (Politics!)

                                            For all the help you do on a daily basis to others, we are extending our full support to help you get up and running with an IDS of your choice and no software writing lol  :)
