DIY pfSense hardware recommendations for gigabit wan - celeron, atom, i3?

jds580s

I am prepping to migrate from m0n0wall to pfSense.  I recently upgraded my WAN connection to 100/100mbps and will be moving to 1000/1000mbps in 2015.

My old m0n0wall box is not able to keep up at 100/100 due to old hardware, so I thought it would be a great time to move to pfSense and upgrade my hardware.

Goals
1. Ability to scale to 1000mbps
2. low power consumption
3. low cost

Intended Usage
1. Home / SOHO
2. Users ~4
3. VPN but rarely (a few times a year for 1 user) it's okay if performance decreases during use
4. No packages at this time
5. No VLANs at this time

Not necessary but would be nice bonuses
1. Enough CPU horsepower to experiment with packages
2. One or two VLANs down the road

A few questions I have
Spinning discs and SSDs - I see a lot of users going with spinning discs and SSDs in their builds.  How are these used when the system is up and running?  I am used to m0n0wall running on PC hardware off just a CF card.  The card is only accessed at bootup, or changing configuration settings.  Everything else is run out of RAM to prevent write wear on the flash memory.  For my needs above would an SSD offer any tangible benefits?

RAM - How much should I anticipate RAM contributing to speed of routing and overall performance?  Any recommendations for a reasionable amount based on my uses would be much appreciated.

CPU - I've read a number of threads on the platforms others have used.  I'm curious if I could get away with an inexpensive Celeron 1037U based system or if gigabit will require more.  If I do need more where should I target?  Atom Rangeley C2358, C2358, Core i3, i5, or other?

Any help would be much appreciated!

jasonlitka

Low cost and 1000/1000 with packages like snort aren't going to intersect, at least not using the home definition of "low cost".

I'd bet on the C2758.  Under 2.2 that will absolutely scream.

koulee

On the matter of SSDs, the controller performs wear leveling so as to not wear out the nand cells prematurely. The bigger a drive is, the more cells available to it and thus making it last longer. The most writing will come from /var and /tmp, but there is an option to use system RAM as disks to run those off of.

On the matter of RAM, more isn't necessary if you aren't going to run packages. Firewall states, system buffers, caches would do fine with just a gig. But with memory as cheap as it is, more would lessen the need to upgrade in the future if and when you decide to run lots of packages. My recommendation is to at least fill out the requisite number of slots to take advantage of dual channel/triple channel/quad channel performance.

On the matter of CPU, it also depends on the packages that you would have running. If, for instance, you decide to run Snort/Suricata, you would have to have enough power for a 1G/1G connection so as to not miss processing packets when you are saturated and also to be able to fully utilize your connection speed. My recommendation would be the i3 in this case. It would also have better energy saving.

Keljian

VPN benefits from AES-NI - which is available on rangely/avoton and haswell i3 - how much? Well that depends on the use.

Rangely/Avoton have quick assist, this is great for packet sniffing, eg snort/suricata, but only if you're pushing lots and lots of traffic.

The cheapest i3 + cheapest B85/H87 board+ cheapest 4 gig of ram, with a reasonably beefy intel NIC (PT/i350 or equiv) + cheapest smallest SSD will be plenty for 99% of basic home use.
You can probably get 90% of this for well under $200

Heck you'll get more than reasonable performance out of a haswell pentium (eg the anniversary edition), even without AES-NI, if your budget is tight and you need to drop the price more. Then when you need an upgrade, you just drop in a faster chip.

Look at second hand also - you don't need a brand new shiny chip, you don't need a brand new shiny board, or ram, or nic..

I bought an i5-4570T for $130 on ebay (which retails for ~2.5x that)…

If your budget can stretch to $500 then avoton becomes a serious contender, but for that price range you could probably drop in a high end i5 or (even an i7!) and plenty of memory.

One thing that no one here seems to make mention of is that the Haswell iX series of chips has AVX2 as well, which could potentially net massive performance increases with pattern matching in future....

I run the aforementioned i5 with 6 gig of ram an i350 (chinese clone), temp/var in ram, with about 25 clients at home, off a 100mbit link using pfsense 2.2 beta with the following packages:
-Suricata (migrated over from Snort unconvinced I need both, especially at home) - Lots of rules enabled
-OpenVPN (1 client on all the time, usually about 30-40mbit)
-DNS/DHCP/PPPOE
-random other low requirement packages
-4 separate subnets
-Darkstat
-Complicated Nat/firewall rules
-600000 max connections (overkill)

I have also used Squid/HAVP in the past.

I rarely exceed 15% memory consumption, and 5% CPU consumption (with AES-NI), the machine hardly breaks a sweat.

Snort bumps this CPU consumption up to about 15-20% when under "heavy" load

stephenw10

As mentioned the requirements to firewall/NAT 1Gpbs are not that hard to meet. An older Celeron G530 will do it for example. Do you actually require 2Gbps? (1Gbps up and down simultaneously).
Without packages a minimal amount of RAM (1GB) will also be fine and you'll see almost no advantage to using an SSD. It will boot quicker.

If you plan to run Snort, Squid or Sucuricata though your hardware requirements are going to go sharply up, or your throughput down.

Steve

jds580s

Thank you all so much, that is great information and I feel like I can make a better decision knowing what to expect from given hardware and what would be pushing the limits.
I will price out a few variations of builds to see what the best build I can create for my budget.

Thanks!

mir

You could also consider an AMD E-350 based board.
Pro:
    Lots of SATA3 ports
    Supports up to 16GB RAM
    Low power consumption
    Works out of the box with pfsense 2.x
    Has a PCIe 16 (4x electrical slot)
    Small form factor (MiniItx)
Con:
    Not the highest performer (2x1.6 Ghz)
    No AES-NI

Plugin a quad-port nic and you have 5 nics.

I have such a board in which I have added this: http://www.intel.com/support/network/adapter/1000vtquad/sb/CS-029502.htm
works out of the box. Off-loading everything to the nics works even for the on-board realtek so even under heavy network load CPU is never loaded more than 20% and total power consumption never exceeds 35W but most of the time it is only 15W due to powerd.

My board is this: http://www.asrock.com/mb/amd/e350m1/
Asus also has a board: http://www.asus.com/Motherboards/E35M1I/

messerchmidt

Athlon 5350 (AESNI, low power)
Asus AM1I-A
16gb crucial ECC ddr3 1.35 (8gbx2)
microatx case
Antec EarthWatts Green EA-380D Green 380W
Intel EXPI9301CTBLK pcie (x2)

pick a HD, SSD, compact flash,etc to run PF sense from.

Keljian

@messerchmidt:

Athlon 5350 (AESNI, low power)
Asus AM1I-A
16gb crucial ECC ddr3 1.35 (8gbx2)
microatx case
Antec EarthWatts Green EA-380D Green 380W
Intel EXPI9301CTBLK pcie (x2)

pick a HD, SSD, compact flash,etc to run PF sense from.

1. There is absolutely zero reason to get 16gb of ram for a pfsense box at home, or even in most small businesses. Heck 6-8 Gig is more than most need. ECC is definitely not required.
2. The power supply is greatly overrated for the box, which means it will be low efficiency, consider picopsu or equivalent with ~100W
3. 2x network cards will consume more power than 1x, consider how many ports you need, as for a home user you rarely need more than 2. A switch is a much better option if you need more ports (generally)

You would be better off with an i3, with less ram, than the AMD chip.

asterix

Get a used 2nd/3rd generation i3 with 4GB RAM from fleebay. The extra RAM will help in case u add Snort or other memory intensive package. Simple HDD is just fine.

messerchmidt

@Keljian:

@messerchmidt:

Athlon 5350 (AESNI, low power)
Asus AM1I-A
16gb crucial ECC ddr3 1.35 (8gbx2)
microatx case
Antec EarthWatts Green EA-380D Green 380W
Intel EXPI9301CTBLK pcie (x2)

pick a HD, SSD, compact flash,etc to run PF sense from.

1. There is absolutely zero reason to get 16gb of ram for a pfsense box at home, or even in most small businesses. Heck 6-8 Gig is more than most need. ECC is definitely not required.
2. The power supply is greatly overrated for the box, which means it will be low efficiency, consider picopsu or equivalent with ~100W
3. 2x network cards will consume more power than 1x, consider how many ports you need, as for a home user you rarely need more than 2. A switch is a much better option if you need more ports (generally)

You would be better off with an i3, with less ram, than the AMD chip.

The said asus board does ecc, and its about the same price, so I would go for same.
16gb vs 8gb = not even $100, and better to add it now than wanting to add it at a later time, and not being able to find same.

psu you can got for less, but I do not see any on newegg.com

if you can get a dual intel nic card cheap, go for it. otherwise, just use two x1 pice gigabit ones.

Keljian

@messerchmidt:

@Keljian:

@messerchmidt:

Athlon 5350 (AESNI, low power)
Asus AM1I-A
16gb crucial ECC ddr3 1.35 (8gbx2)
microatx case
Antec EarthWatts Green EA-380D Green 380W
Intel EXPI9301CTBLK pcie (x2)

pick a HD, SSD, compact flash,etc to run PF sense from.

1. There is absolutely zero reason to get 16gb of ram for a pfsense box at home, or even in most small businesses. Heck 6-8 Gig is more than most need. ECC is definitely not required.
2. The power supply is greatly overrated for the box, which means it will be low efficiency, consider picopsu or equivalent with ~100W
3. 2x network cards will consume more power than 1x, consider how many ports you need, as for a home user you rarely need more than 2. A switch is a much better option if you need more ports (generally)

You would be better off with an i3, with less ram, than the AMD chip.

The said asus board does ecc, and its about the same price, so I would go for same.
16gb vs 8gb = not even $100, and better to add it now than wanting to add it at a later time, and not being able to find same.

psu you can got for less, but I do not see any on newegg.com

if you can get a dual intel nic card cheap, go for it. otherwise, just use two x1 pice gigabit ones.

If your box is going to cost $200-300, then $100 is 1/3 of the price, therefore it is significant enough to warrant consideration, considering that in OP's original post said he was looking for a low cost solution.

PSU wise, $10-20 can get you a Picopsu style power supply on ebay, and for another $20-30 you can get an adapter to run it.  $25-30 will get you a used dual intel PT nic also.

messerchmidt

you can salvage parts off ebay.

trust me, add more ram and use ecc (as long as the board supports it) as the price difference is less than the headache of not having enough

Keljian

@messerchmidt:

you can salvage parts off ebay.

trust me, add more ram and use ecc (as long as the board supports it) as the price difference is less than the headache of not having enough

Give me one good reason to use more ram, and another for ecc (in this instance, noting OP's requirements)

Keljian

Just a follow up, I now run pfsense in a VM with the aforementioned hardware. I'm only giving it 2 gig of ram and 2 cores, generally speaking it doesn't use more than 60% of the memory, and (assuming memory compression in the VM), it's only using 254 meg overall in the ESXI dashboard.