Custom build or thin client? (low throughput home use)



  • After some discussion in this thread https://forum.pfsense.org/index.php?topic=73558.0 back in April, I built the following pfsense box to test out:

    Case: Silverstone SG05W-LITE
    Motherboard: ECS Elitegroup H81H3-M4 (1.0A)
    CPU: Intel Celeron G1820 2.7GHz
    PSU: Z3-ATX-200 16-24V dc-dc from eBay w/ 19V laptop brick
    RAM: 4GB Kingston DDR3 1333MHz (already had)
    Disk: Western Digital Black 250GB 2.5" HDD (already had)
    WAN: Intel Pro/1000 CT Desktop PCIe x1 (already had)
    LAN: Intel Pro/1000 PT Dual port Server PCIe x4 (already had)
    OPT1: Onboard Realtek RTL8111G

    Power consumption: about 26W idle

    I am planning on selling the above build to a co-worker whose needs are expressed in the thread linked above; with my usage it barely gets above idle and it should meet his needs.

    Another co-worker and myself are looking at getting something with even lower power usage and less expensive due to our lower usage requirements. Which leads to the question of custom build or re-purpose a thin client?

    My co-worker has a 7/1 and I have a 15/1 so I believe almost any hardware available would easily handle the WAN throughput.

    Requirements:
    At least 3 NICs: WAN, LAN, and OPT1 for wireless AP
    Low-power <15W
    Inexpensive

    We would also like to try some packages like HAVP and Snort/Suricata if feasible, though not a requirement.


  • Netgate Administrator

    Like you say almost any hardware will easily handle a 15/1 connection. An old Alix box for example and they consume ~5W. They are also readily available second hand. However their 256MB on board (non-upgradable) ram is limiting. They might run Snort/Suricata but probably not well.

    Steve



  • Thanks for the input Steve!

    I discussed this with my co-worker and he is leaning towards a custom build with a socketed processor (possibly AM1). I am currently still researching options.

    I welcome suggestions for a low power pfsense box (around 15w or less).



  • Basically any Haswell celeron or pentium will hit that power consumption at idle provided you turn off anything you're not using on the motherboard like the sound card.

    Peak is less of an issue as you will find that most of the time the machine will be idling.

    Change the hard drive for an SSD or USB (SLC) and you'll save more power.

    Note: your 2x Intel PT card will probably draw 6w itself… http://www.intel.com/content/www/us/en/network-adapters/gigabit-network-adapters/1000-pt-dual-port-server-adapter-brief.html



  • @S-KGray:

    … I built the following pfsense box to test out:

    Case: Silverstone SG05W-LITE
    Motherboard: ECS Elitegroup H81H3-M4 (1.0A)
    CPU: Intel Celeron G1820 2.7GHz
    PSU: Z3-ATX-200 16-24V dc-dc from eBay w/ 19V laptop brick
    RAM: 4GB Kingston DDR3 1333MHz (already had)
    Disk: Western Digital Black 250GB 2.5" HDD (already had)
    WAN: Intel Pro/1000 CT Desktop PCIe x1 (already had)
    LAN: Intel Pro/1000 PT Dual port Server PCIe x4 (already had)
    OPT1: Onboard Realtek RTL8111G

    Power consumption: about 26W idle

    To test out configurations it's good to build anything and everything. But if you are going to run this 24/7 for home use you might want to pay extra attention to a few points:

    1. Short of using Intel's latest mobile device processors like Bay Trail, etc. your electricity bill will be significant.
      Pretty much anything, even an 8 bit microcontroller from the last decade can drive your 10 or 15 megabit per second WAN.
      You don't need gigabit on the LAN side (nor on the WAN side as a matter of fact) on a PC based router, the LAN traffic will never be any higher than your WAN traffic (unless you install multiple ethernet ports and make your router work as a switch on top of a router, or use your router as caching proxy but in home use that probably is negligible).
      In this day and age $20 worth of electronics with less than 5 watts of power requirement should be able to satisfy your specs above including basic wifi (TP-LINK TL-WR841N etc.)
      http://www.amazon.com/TP-LINK-TL-WR841N-Wireless-Router-300Mpbs/dp/B001FWYGJS/ref=sr_1_1?ie=UTF8&qid=1413895740&sr=8-1&keywords=tp+link+wifi+router

    2. I suspect that your average power consumption will be much higher than 26 watts. Your rule of thumb should be no less than the microprocessor's thermal design power value, which in the case of a Celeron G1820 at 2.7GHz is 54 Watts. While on average your processor will consume maybe half of that or 60%, the rest will be used by the motherboard, other interface cards or components and will be dissipated as heat (especially by your power supply).

    3. Since you are at the experimentation phase get yourself an inexpensive electricity usage monitor like this for $20:
      P3 P4400 Kill A Watt Electricity Usage Monitor
      http://www.amazon.com/P3-P4400-Electricity-Usage-Monitor/dp/B00009MDBU/ref=sr_1_1?s=electronics&ie=UTF8&qid=1413896388&sr=1-1&keywords=kill+a+watt+meter
      … and let your system run for a day to see the actual watt.hours consumed by your system. You will be surprised!

    4. Unless you're running home based servers you should have any and all WAN initiated traffic blocked, in which case you don't need snort. Similarly squid web proxy doesn't do anything for home users. (Run it for a while and check the logs to convince yourself) So all the extra processing power on your pfSense router to accommodate snort and squid is a waste in a home use environment. Snort will not protect you better and Squid will not increase your network performance. As for basic VPN for occasional use, well in a basic pfSense config even if it is a bit slow so what?! Don't budget any additional horsepower for it, consider it as a basic side benefit. You're probably not intending to connect from work to your home network and do multimedia all day long ;D

    Good luck and have fun
    Halea



  • Great post by haleakalas… thought I'd throw in a few other points.

    The best value low power consumption processor that I've found is the Celeron 1037u. I purchased a small aluminum cased fanless dual Realtek NIC box from China for less than $200 with 2GB memory - and it works like a champ. With an SSD it draws about 13 watts. You can get similar "firewall oriented" boxes from China with multiple ports. Another great value is the OEM production (Minix) atom d2550 box that is on Newegg. It has dual Broadcom NICs and it will cost you about the same as a 1037u from China. The downside is that it has a fan (although it can be disconnected), is a little larger, and draws 2-3 watts more... but the upside is that you can buy it from Newegg and it has Broadcom NICs vs. Realtek.

    Either of the above options works great with pfSense and will easily handle my 25/4 cable connection running Squid (configured not to cache anything - required for DG) and Dansguardian.

    An SSD doesn't save you more than a Watt or two over a standard 2.5" drive... However, a 3.5" drive draws 4-6 Watts - I'd stay away from them. In my mind, the biggest advantage of an SSD is that you can have a rock solid machine with no moving parts to break.

    The TP-Link WR841N works great as an access point. If you get the correct version, you can even run OpenWRT (or Gargoyle) on it.



  • @rjcrowder:

    … An SSD doesn't save you more than a Watt or two over a standard 2.5" drive... However, a 3.5" drive draws 4-6 Watts - I'd stay away from them. In my mind, the biggest advantage of an SSD is that you can have a rock solid machine with no moving parts to break.
    ...

    I would rather say that it's the speed benefit and it might make a huge difference if you're dealing with a lot of storage and your primary hardware is a bit weak. The best illustration is when you try to run a samba server off a Raspberry Pi or BeagleBone Black (Obviously non mission critical and rather modest/fun configurations - but it's amazing what you can do with BBB and an SSD drive). You will definitely thank your SSD and SSD/USB adapter.

    That said, with our luck in our lab almost all our 3 year old SSDs have been blowing up to our face and for the last few weeks our technician didn't do anything but replace SSD drives. I wonder how they do in places like Linodes and DigitalOcean where they use massive arrays of SSD.

    Halea



  • I'd bet the bank that a Samsung SLC SSD won't blow up in your face, but it's not faster than a normal HDD.
    Just more reliable and lower power.

    I'm sure there are others also, but I've not tested others personally.

    15w is a hard target to hit unless you use one of the platforms (newer or old) that are for sale usually by pfsense associated vendors.

    I'd say just buy one with over 500MB ram or more used from someone who is upgrading.



  • Not sure if you are talking about a particular SSD drive that I might not know much about. But generally speaking, actually specifically Samsung speaking, they use a rather old technology where they store 1 bit per cell. That's really basic technology.
    I don't know that it makes it more durable.

    Actually we have a high failure rate with our Samsungs too. We have a mix of Intel, Samsung, SanDisk, Crucial, Kingston, Fuji, PNY and a few others that I care to remember. Our exposure to SSD in our lab is in the thousands of units over 5-6 years, not just a few. We have performance and failure stats and analysis meticulously compiled. They all fail eventually and "eventually" is not an eternity, it's just a few years based on your actual average access rate. I know everybody is doing some creative math to come up with MTBF values comparable to hard disk drives but the fact is SSDs have a magnitude or two shorter life span than hard disks.

    Halea



  • yeah - 1 bit per cell is better, not worse….

    I am pretty sure what you have a high failure rate with is slightly older MLC SSDs.

    Those were probably 2 bits per cell and these days it's even 3 bits per cell.

    Strangely the samsung TLC SSDs seem to have quite a low failure rate if properly configured with TRIM.

    I have had a bunch of the old samsung SLC drives running for a long time now without any failures.

    But I do agree that if you don't know what's up with TRIM or pick the wrong brand, crashes will come much much faster than with a HDD.



  • @haleakalas:

    Actually we have a high failure rate with our Samsungs too. We have a mix of Intel, Samsung, SanDisk, Crucial, Kingston, Fuji, PNY and a few others that I care to remember. Our exposure to SSD in our lab is in the thousands of units over 5-6 years, not just a few. We have performance and failure stats and analysis meticulously compiled. They all fail eventually and "eventually" is not an eternity, it's just a few years based on your actual average access rate. I know everybody is doing some creative math to come up with MTBF values comparable to hard disk drives but the fact is SSDs have a magnitude or two shorter life span than hard disks.

    You obviously have much more data than I do… my experience at home has been that cheap SSDs die quickly - especially if you are using something disk intensive like Squid and don't use TRIM. I've had good luck with Intel and Samsung drives though. As for performance, I've never noticed a difference using an SSD vs. hard drive (for a router machine) other than the time to bootup.


  • Netgate Administrator

    @rjcrowder:

    I've never noticed a difference using an SSD vs. hard drive (for a router machine) other than the time to bootup.

    Including Squid performance?

    I agree the default pfSense install is unlikely to benefit much in performance terms unless you are swapping, in which case you're doing it wrong anyway. ;) I think this is proved by the Nano installs I have where the CF card performance is very, very bad but the overall system performance is not a problem.

    I see Samsung have a firmware bug fix out today.

    Steve



  • Those particular SSDs have a super high rating on newegg.

    My experience is that people prefer to post about problems more than to praise, so when I see approval ratings in the high 90% for a drive more than a year old, I believe that overall, it must be a solid piece of hardware. HDDs and SSDs in particular usually get lower than average ratings compared to other hardware because not too bright people break them and complain. So a high rating indicates a certain degree of idiot-proof-ness.



  • @stephenw10:

    Including Squid performance?

    Yes… However, I've only used it in my home environment so the volume and number of hits would be really low. In fact, I think squid caching was actually slowing things down rather than helping. I've subsequently disabled the squid cache (have to have squid because I use dansguardian) and overall browsing "feels" faster.



  • @haleakalas:

    1. Unless you're running home based servers you should have any and all WAN initiated traffic blocked, in which case you don't need snort.

    So all the extra processing power on your pfSense router to accommodate snort is a waste in home use environment.

    Snort will not protect you better ;D

    I hope you will forgive me as I am the eternal self-declared n00b when it comes to pfSense, but Snort and firewalls are two completely different techniques, so I learned.

    The firewall is stateful and will block anything not in state, yet Snort, and Suricata, look inside the packages (the firewall lets through) for malicious content.


  • Netgate Administrator

    You are quite correct in saying that Hollander, however I don't think that's what haleakalas meant. I read his comments more along the lines of it's just not worth bothering with for a home network. Certainly a lot (most?) of the malicious traffic Snort looks for is that coming from a compromised server or of tools attempting to compromise a server. If you're not running any servers at home much of that is just never going to happen.
    I do not run Snort at home. The last time I did the false positives outweighed any advantage it gave me. I realise that's quite subjective though, many people here would tell you you're not properly protected unless you're running IDS/IPS. At the other end of the scale are people who say that firewalls are just a fudge anyway and that everything should be publicly addressable (IPv6) and inherently secure. Certainly there have been security exploits discovered in software/hardware to which the manufacturer has responded 'this isn't a problem because it should be behind a firewall' which is unacceptable in my view. The ubiquitous presence of firewalls promotes this attitude to some degree.

    Steve