PfSense server for small organisation

_JT

I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:

• AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
• ASRock AM1H-ITX
• 4GB
• Crucial M550 SSD
• Intel dual port NIC

As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?

dreamslacker

That setup should suffice for general NAT, firewalling and traffic shaping even up to your future 100M symmetric line.

For VPN, you're pretty much stuck with OpenVPN at the moment if you expect to use AES acceleration (and you must select AES type encryption for it).  At any going rate, I'd prefer OpenVPN for remote-access/ road-warriors.

If you intend to run additional packages like Squid, Snort & HAVP, then YMMV.

_JT

Looking into SNORT now, looks interesting for extra security.

bmeeks

@_JT:

Looking into SNORT now, looks interesting for extra security.

I recommend you take a look at the Suricata package for pfSense as well.  A major upgrade to that package with some cool new features is coming soon.  Both Snort and Suricata perform essentially the same task, but each has its own unique features.  There are some threads in the Packages sub-forum about each package if you want to learn more.

Bill

_JT

Thanks! I'll be taking a look at those.

margen

@_JT:

I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:

• AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
• ASRock AM1H-ITX
• 4GB
• Crucial M550 SSD
• Intel dual port NIC

As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?

Did you build it? How's it perform? What's the power consumption on it?

messerchmidt

@margen:

@_JT:

I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:

• AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
• ASRock AM1H-ITX
• 4GB
• Crucial M550 SSD
• Intel dual port NIC

As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?

Did you build it? How's it perform? What's the power consumption on it?

do the intel lan cards work on the am1 platform? I am liening towards this to, but the asus board for ecc and 8gb of ram

Escorpiom

Intel cards work just fine on the AM1 platform, no boycot here :-)

Cheers.

S-KGray

@margen:

@_JT:

I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:

• AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
• ASRock AM1H-ITX
• 4GB
• Crucial M550 SSD
• Intel dual port NIC

As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?

Did you build it? How's it perform? What's the power consumption on it?

Also interested in the power consumption and performance

italics

I was just curious, did you build it yet? It looks like it would be fine, but a lot of the newer ASRock Boards have hybrid USB3 and SATA controllers. I'm currently running one for the company I'm working with and it runs like a champ, but I had to manually load the usb3 module to get anything to work using my laptop as a temporary boot device.

shaqan

@messerchmidt:

@margen:

@_JT:

I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:

• AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
• ASRock AM1H-ITX
• 4GB
• Crucial M550 SSD
• Intel dual port NIC

As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?

Did you build it? How's it perform? What's the power consumption on it?

do the intel lan cards work on the am1 platform? I am liening towards this to, but the asus board for ecc and 8gb of ram

Is there any other ECC-supporting AM1 board in existence besides AM1M-A? It's quite fascinating little platform

_JT

Sorry all for not replying. In the end I bought an Asus AM1M-A and it works fine out of the box. Only hmac with OpenVPN doesn't work ( https://forum.pfsense.org/index.php?topic=83187.0 ). OpenVPN log shows no error before crashing so I have no idea where to start troubleshooting :( My Intel dual port card works fine! I will take a look at idle power consumption one of the coming days; I cannot yet supply any performance figures as I have not been in a situation that would produce any useable numbers. Anyone have an idea how to test this?

_JT

Already did a quick check: booted without UTP connected I saw an idle power use of 32w….higher than I anticipated. This could be due to two things:

• PSU. I have a full size ATX PSU which guarantees 80% efficiency (bronze). 0.8 * 32 = 24,5w consumption by other hardware
• Intel dual port NIC. It has a heatsink which suggests it uses some power. But I'm not sure about that. Might remove the card tonight and see what it does in idle.

Douglas Haber

@_JT:

Already did a quick check: booted without UTP connected I saw an idle power use of 32w….higher than I anticipated. This could be due to two things:

• PSU. I have a full size ATX PSU which guarantees 80% efficiency (bronze). 0.8 * 32 = 24,5w consumption by other hardware
• Intel dual port NIC. It has a heatsink which suggests it uses some power. But I'm not sure about that. Might remove the card tonight and see what it does in idle.

The NIC probably does draw a noticeable amount of power.

fragged

You might need to tweak some system settings to get PowerD/Throttling to work nicely on your system. I don't know about tweaks for AMD, but this are the changes I made for my Intel Pentium G630T:

In /boot/loader.conf.local add:

hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1

I set this up in system tunables via GUI:

dev.cpu.0.cx_lowest 	sysctl dev.cpu.0.cx_lowest=C3 	C3
dev.cpu.1.cx_lowest 	sysctl dev.cpu.1.cx_lowest=C3 	C3

Enable PowerD in Advanced/Misc.

_JT

@Douglas:

The NIC probably does draw a noticeable amount of power.

Yes I found that out. Disconnecting the SSD made no difference, which is not unexpected as modern SSD's draw <0,5w in idle. Removing the networkcard however decreased power consumption to 24,5w in idle. 24,5 * 0.8 = 19,6w. A lot better, even though I think it could have been lower. TDP of 12w + mobo + memory + SSD, all idle.

@fragged:

You might need to tweak some system settings to get PowerD/Throttling to work nicely on your system. I don't know about tweaks for AMD, but this are the changes I made for my Intel Pentium G630T:

In /boot/loader.conf.local add:

hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1

I set this up in system tunables via GUI:

dev.cpu.0.cx_lowest 	sysctl dev.cpu.0.cx_lowest=C3 	C3
dev.cpu.1.cx_lowest 	sysctl dev.cpu.1.cx_lowest=C3 	C3

Enable PowerD in Advanced/Misc.

PowerD kills my system unfortunately. One of 2 problems I found with my config. https://forum.pfsense.org/index.php?topic=83035.0
How can I find out at which clock frequency the CPU runs? Probably command line but I am not really known with the BSD command line.

fragged

@_JT:

How can I find out at which clock frequency the CPU runs? Probably command line but I am not really known with the BSD command line.

Should be:

sysctl dev.cpu.0.freq

Quick Google search suggest that PowerD with various AMD CPU's might work better with FreeBSD 10. pfSense 2.2 beta is currently based on FreeBSD 10.1 RELEASE.

_JT

CPU is running at 2050mhz in idle so that explains the power consumption. Now to find out how I can enable throttling…

messerchmidt

i would add more ram, and maybe go asus board + eec if you have not purchased same already

_JT

I already have the Asus board. And I can't keep purchasing all kinds of hardware to just see if it works ;)