Building a new pfSense based on the new Supermicro A1SRM-LN7F-2758 board



  • Hello All,

    I need to build a new machine for my pfSense based on the following requirements:

    1- it's my home office router
    2- 4 80Mbps VDSL with load balancing
    3- might need VPN in the future

    So based on the above I was thinking to build the new machine based on the new Supermicro A1SRM-LN7F-2758 board (http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm), which has 7 NICs, which is perfect for me. I read some reviews saying that they have done testing on pfSense running on it and it worked fine, but I need confirmation on that, so here are my questions for this board:

    1- what is better to run pfsense from an msata SSD or just use a regular sata 64gb
    2- what is a good amount of ram for my setup
    3- a silent power supply

    Based on the above, which case would you recommend? My preference is a 1U chassis, but do they come from Supermicro with their own power supply or do I need to buy it separately (can you recommend one for me)? Or a small form-factor computer case (I have a spare Antec ISK 600), which I can use for this build?

    Sorry for many questions, but I need to get this solved in one posting :)



  • 1 - I will go to Intel SSD S3500 80GB
    2 - 8GB minimum, better 16GB.
    3 - Maybe a picoPSU is the right choice.

    I have the following setup:

    1 - ASRi-2558
    2 - 8GB RAM
    3 - Intel SSD S3500

    Case M350, 1 Noctua Fan 40x40x10

    10/1 ADSL, with a dedicated NIC for VPN (4 Clients) and the other for clear-internet (10 clients).

    I built the unit recently; I am still monitoring the temperatures to position the fan correctly.



  • Thanks a lot

    Any other help :)



  • @Wolf666:

    2 - 8GB minimum, better 16GB.

    :o
    Since when is 8GB a minimum for a small office build. Let alone half of that.. Without VPN use, and apparently any packages.

    How many clients are you gonna serve? Any internal servers reachable from the internet? IPS/IDS? Any proxy use, combined with filtering? When moving to VPN, how many tunnels?

    4GB is more than enough if you are not going to have 50+ clients using squid, combined with Snort / Suricata and a number of VPN road warriors / tunnels.
    Buy 8GB if you wanna be future proof, the cost isn't that much higher. I would rather take some ECC memory instead of 16GB.

    Any reason you need 7 ports? That board is about double the "normal" 4 port. For the money difference you can buy a decent switch and use VLANs. Then the firewall won't have to handle internal traffic, or even inter-VLAN traffic.
    For a small office build, this is overkill in every way :).

    I have one A1SAi-2750F in particular serving around 10k+ users at peak, 3x 200Mb/10Mb WANs, 8 IPSEC tunnels, Suricata combined with IP blocklists, about 10 VLANs, 100'ish firewall rules and I cannot even break 7GB memory use.



  • 4GB is sufficient. Will be fine with multiple packages running.

    Also, that board is a mATX and not a mini-ITX. It won't fit in the M350 case. Go for a mATX case with ample space for air circulation. It will keep the temperature from peaking to higher numbers on heavy WAN network load… especially if you go for Snort in the near future.



  • I posted a thermal imaging pic or two of the board. That can also help you plan airflow.

    Also it is not a full mATX size so you do get a bit of extra room in a tight mATX chassis.



  • I did not see a budget mentioned in your post.  How much would you like to spend on your home office firewall?

    1- what is better to run pfsense from an msata SSD or just use a regular sata 64gb
    2- what is a good amount of ram for my setup
    3- a silent power supply

    1 - I would say that the storage interface is not as important as choosing quality enterprise components.  Improved reliability is debatable (see the Backblaze study) but the longer warranty period is not.  The previously mentioned Intel S3500 is a good choice for an SSD.

    2 - As others have already mentioned, 4GB to 8GB is sufficient for a number of popular packages.  Do not try to save money on the memory - I have 2x4GB sticks of what Crucial (Micron) recommends for the motherboard.

    3 - You could go fanless for silence, but there is a catch (see below).  I have a Seasonic SS-400FL2 in my firewall.  Again, choose a reliable manufacturer and not the cheapest option you can find.

    My setup has a similar number of ports, but I went about it differently: A1SRM-2758F (I354 on-board) plus an add-in Intel i350-T2 for a total of six.  It lives in a CSE-731I -300B mid-tower case with Noctua 80mm and 92mm fans installed.

    Here are two things that you will need to watch out for with a similar setup:

    1) Out of the box, the kernel did not allocate enough buffer space for the number of active ports and the number of cores.  The igb driver kept throwing out exceptions while I tried to configure the firewall during installation.  I set kern.ipc.nmbclusters to 262144 in the loader config and now it typically uses 75% of that under heavy load.

    2) Do not use PWM controlled fans connected to the motherboard headers and expect it to turn out well.  Unlike other Supermicro products, you cannot adjust the PWM profile of their embedded Atom boards.  There will not be enough airflow between a fanless PSU and the case fans to adequately cool the hardware.  The system thermal sensor in my firewall hit 56 °C before I pulled the fan leads and connected them to four-pin Molex adapters to run at 100%.  If you go with an ATX form factor power supply, just choose one with a big fan (120mm+) and you should be pleased with the noise level unless you install the firewall in a sauna.

    Hope that helps..
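
Added example, not part of the post above or of pfSense itself: a POSIX shell check for the mbuf-cluster headroom that post describes, parsing the `mbuf clusters in use` line of FreeBSD `netstat -m`. The sample line is constructed to match the figures in the post (limit 262144, 75% in use); the function names and the 80% threshold are illustrative assumptions.

```shell
#!/bin/sh
# Constructed sample of the cluster line from FreeBSD `netstat -m`
# (fields: current/cache/total/max); max is kern.ipc.nmbclusters.
SAMPLE='194560/2048/196608/262144 mbuf clusters in use (current/cache/total/max)'

# cluster_pct: read `netstat -m` output on stdin and print the integer
# percentage of the cluster limit in use (total / max).
# Exits non-zero if the line is missing or the limit is zero.
cluster_pct() {
    awk '
        /mbuf clusters in use/ {
            split($1, f, "/")
            if (f[4] + 0 > 0) { printf "%d\n", f[3] * 100 / f[4]; ok = 1 }
            exit
        }
        END { exit (ok ? 0 : 1) }'
}

# cluster_check THRESHOLD: return 0 below the threshold, 1 at or above it,
# 2 if the input could not be parsed. A firewall that runs out of clusters
# drops traffic, so the warning is worth wiring into monitoring.
cluster_check() {
    pct=$(cluster_pct) || { echo "UNKNOWN: no mbuf cluster line found" >&2; return 2; }
    if [ "$pct" -ge "$1" ]; then
        echo "WARN: mbuf clusters at ${pct}% of kern.ipc.nmbclusters"
        return 1
    fi
    echo "OK: mbuf clusters at ${pct}% of kern.ipc.nmbclusters"
}

# Demo on the constructed sample; on the firewall itself the input would
# come from the live command instead:  netstat -m | cluster_check 80
printf '%s\n' "$SAMPLE" | cluster_check 80
```
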



  • The C2k parts are rated to 90C (some of the smaller ones are now rated to 100C).

    The SoC will throttle itself to prevent any damage to the CPU.  56C is fine.

    We have 2 core designs running fanless in a 70C ambient with no thermal throttling.  This is while running Intel's thermal management utility, which exercises the part to the utmost.  It provides a "worst case scenario".

    pfSense will never exercise the part (and will never generate as much heat) as the thermal test utility.


  • Netgate Administrator

    I too would ask whether you really need 7 interfaces.
    Many people coming from SOHO routers assume they need multiple interfaces but in fact they just need a switch.

    Steve



  • @gonzopancho:

    The C2k parts are rated to 90C (some of the smaller ones are now rated to 100C).

    The SoC will throttle itself to prevent any damage to the CPU.  56C is fine.

    It is good to know that the C2k chips will take high ambient temperatures and keep ticking.  However, I had my eye on the published specs for the SMC mainboard (60 °C) when I made the hasty wiring update.

    I always design a system or application to outperform expected conditions, as I hope the SMC engineers also do - but I also would not put it past them to trigger a thermal shutdown at 60.9 degrees and leave the system in a funky state at the next power cycle.



  • @blinkenlights:

    @gonzopancho:

    The C2k parts are rated to 90C (some of the smaller ones are now rated to 100C).

    The SoC will throttle itself to prevent any damage to the CPU.  56C is fine.

    It is good to know that the C2k chips will take high ambient temperatures and keep ticking.  However, I had my eye on the published specs for the SMC mainboard (60 °C) when I made the hasty wiring update.

    I always design a system or application to outperform expected conditions, as I hope the SMC engineers also do - but I also would not put it past them to trigger a thermal shutdown at 60.9 degrees and leave the system in a funky state at the next power cycle.

    or you could just buy from a vendor that doesn't do this.  IJS…