PfSense server for small organisation
-
I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:
- AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
- ASRock AM1H-ITX
- 4GB
- Crucial M550 SSD
- Intel dual port NIC
As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?
-
That setup should suffice for general NAT, firewalling and traffic shaping even up to your future 100M symmetric line.
For VPN, you're pretty much stuck with OpenVPN at the moment if you expect to use AES acceleration (and you must select AES type encryption for it). At any going rate, I'd prefer OpenVPN for remote-access/ road-warriors.
If you intend to run additional packages like Squid, Snort & HAVP, then YMMV.
-
Looking into SNORT now, looks interesting for extra security.
-
@_JT:
Looking into SNORT now, looks interesting for extra security.
I recommend you take a look at the Suricata package for pfSense as well. A major upgrade to that package with some cool new features is coming soon. Both Snort and Suricata perform essentially the same task, but each has its own unique features. There are some threads in the Packages sub-forum about each package if you want to learn more.
Bill
-
Thanks! I'll be taking a look at those.
-
@_JT:
I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:
- AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
- ASRock AM1H-ITX
- 4GB
- Crucial M550 SSD
- Intel dual port NIC
As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?
Did you build it? How's it perform? What's the power consumption on it?
-
@_JT:
I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:
- AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
- ASRock AM1H-ITX
- 4GB
- Crucial M550 SSD
- Intel dual port NIC
As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?
Did you build it? How's it perform? What's the power consumption on it?
do the intel lan cards work on the am1 platform? I am liening towards this to, but the asus board for ecc and 8gb of ram
-
Intel cards work just fine on the AM1 platform, no boycot here :-)
Cheers.
-
@_JT:
I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:
- AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
- ASRock AM1H-ITX
- 4GB
- Crucial M550 SSD
- Intel dual port NIC
As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?
Did you build it? How's it perform? What's the power consumption on it?
Also interested in the power consumption and performance
-
I was just curious, did you build it yet? It looks like it would be fine, but a lot of the newer ASRock Boards have hybrid USB3 and SATA controllers. I'm currently running one for the company I'm working with and it runs like a champ, but I had to manually load the usb3 module to get anything to work using my laptop as a temporary boot device.
-
@_JT:
I want to build a small server for running pfSense with VPN. It's not that big of an organisation, I think the amount of users that will be using VPN (which I want to use 2048bit encryption) will be around 25 and they certainly won't be online all at the same time. Internetconnection 50/50, maybe 100/100 later on. I was thinking of:
- AMD Athlon 5350 AM1 CPU (same or better performance then J1900 + AES hardware support)
- ASRock AM1H-ITX
- 4GB
- Crucial M550 SSD
- Intel dual port NIC
As far as I've found this should work with pfSense. But I want to be sure. Anyone got anything to add to this?
Did you build it? How's it perform? What's the power consumption on it?
do the intel lan cards work on the am1 platform? I am liening towards this to, but the asus board for ecc and 8gb of ram
Is there any other ECC-supporting AM1 board in existence besides AM1M-A? It's quite fascinating little platform
-
Sorry all for not replying. In the end I bought an Asus AM1M-A and it works fine out of the box. Only hmac with OpenVPN doesn't work ( https://forum.pfsense.org/index.php?topic=83187.0 ). OpenVPN log shows no error before crashing so I have no idea where to start troubleshooting :( My Intel dual port card works fine! I will take a look at idle power consumption one of the coming days; I cannot yet supply any performance figures as I have not been in a situation that would produce any useable numbers. Anyone have an idea how to test this?
-
Already did a quick check: booted without UTP connected I saw an idle power use of 32w….higher than I anticipated. This could be due to two things:
- PSU. I have a full size ATX PSU which guarantees 80% efficiency (bronze). 0.8 * 32 = 24,5w consumption by other hardware
- Intel dual port NIC. It has a heatsink which suggests it uses some power. But I'm not sure about that. Might remove the card tonight and see what it does in idle.
-
@_JT:
Already did a quick check: booted without UTP connected I saw an idle power use of 32w….higher than I anticipated. This could be due to two things:
- PSU. I have a full size ATX PSU which guarantees 80% efficiency (bronze). 0.8 * 32 = 24,5w consumption by other hardware
- Intel dual port NIC. It has a heatsink which suggests it uses some power. But I'm not sure about that. Might remove the card tonight and see what it does in idle.
The NIC probably does draw a noticeable amount of power.
-
You might need to tweak some system settings to get PowerD/Throttling to work nicely on your system. I don't know about tweaks for AMD, but this are the changes I made for my Intel Pentium G630T:
In /boot/loader.conf.local add:
hint.p4tcc.0.disabled=1 hint.acpi_throttle.0.disabled=1I set this up in system tunables via GUI:
dev.cpu.0.cx_lowest sysctl dev.cpu.0.cx_lowest=C3 C3 dev.cpu.1.cx_lowest sysctl dev.cpu.1.cx_lowest=C3 C3Enable PowerD in Advanced/Misc.
-
The NIC probably does draw a noticeable amount of power.
Yes I found that out. Disconnecting the SSD made no difference, which is not unexpected as modern SSD's draw <0,5w in idle. Removing the networkcard however decreased power consumption to 24,5w in idle. 24,5 * 0.8 = 19,6w. A lot better, even though I think it could have been lower. TDP of 12w + mobo + memory + SSD, all idle.
You might need to tweak some system settings to get PowerD/Throttling to work nicely on your system. I don't know about tweaks for AMD, but this are the changes I made for my Intel Pentium G630T:
In /boot/loader.conf.local add:
hint.p4tcc.0.disabled=1 hint.acpi_throttle.0.disabled=1I set this up in system tunables via GUI:
dev.cpu.0.cx_lowest sysctl dev.cpu.0.cx_lowest=C3 C3 dev.cpu.1.cx_lowest sysctl dev.cpu.1.cx_lowest=C3 C3Enable PowerD in Advanced/Misc.
PowerD kills my system unfortunately. One of 2 problems I found with my config. https://forum.pfsense.org/index.php?topic=83035.0
How can I find out at which clock frequency the CPU runs? Probably command line but I am not really known with the BSD command line. -
@_JT:
How can I find out at which clock frequency the CPU runs? Probably command line but I am not really known with the BSD command line.
Should be:
sysctl dev.cpu.0.freqQuick Google search suggest that PowerD with various AMD CPU's might work better with FreeBSD 10. pfSense 2.2 beta is currently based on FreeBSD 10.1 RELEASE.
-
CPU is running at 2050mhz in idle so that explains the power consumption. Now to find out how I can enable throttling…
-
i would add more ram, and maybe go asus board + eec if you have not purchased same already
-
I already have the Asus board. And I can't keep purchasing all kinds of hardware to just see if it works ;)
-
Got the same, Asus AM1M-A, Athlon 5350, SSD
Best/Least I've managed is about 24,5W draw from wall socket (also using dual slot Intel Pro1000MT NIC).
-
ECC, haven't managed getting it to work. Tried two different brands, had Hynix and Kingston's unbuffered ECC sticks lying around.
-
FreeBSD, enabling CPU throttling leads to system crash (unless I disable C6 state in BIOS)
-
No such issues under Linux but haven't seen lesser energy expenditure there either.
-
Disabling one/two/three "cores" does not make any difference at all in power draw. Only undervolting works to an extent.
I could probably shave couple of Watts off by making the cooling passive (remove fan) but I am not sure it's worth the trouble. None of the big custom heatsinks seems compatible to fittings used with AM1 socket.
-
