Please Help School with hardware decision



  • Hi there,
    for our school we would like to use Squid as a transparent proxy / cache. We do not operate VPN tunnels etc. Maybe later a RADIUS server on pfSense and a captive portal.

    What hardware would you recommend for us? We are a free school and must finance ourselves. :-( I'm looking for something that is stable but not too expensive. At school we have 1 GB lines and 80 computers. Our Internet line has 50Mbit downspeed …
    It must not be the latest hardware.

    I appreciate any response

    Greeting pfsenselearner



  • It's all cost vs benefit.

    I would be looking at a "sandybridge" or "ivybridge" low end i5 (eg i5-2320), with 6-8 gig of ram - 6 gig is fine, and an intel dual port server NIC ($25? on ebay).

    Add an SSD (the smallest Samsung Pro you can get, as they have proved to be super reliable).

    This will serve you well.


  • Netgate Administrator

    The important factor here is what bandwidth you actually require through the pfSense box. If you have only WAN and LAN interfaces with all your clients on the LAN subnet then your throughput requirement can only be 50Mbps which can be met with modest hardware. However if you have your network divided into several subnets you may want to connect them via separate interfaces to the pfSense box and filter traffic between them. In that case you might want the full 1Gbps between those interfaces which requires a more powerful machine. Any Sandybridge i5 will do that easily though.

    Steve



  • Hello,
    Thank you for your answers! I was afraid I had to buy much better (expensive) hardware. I will mainly use Squid as a cache between WAN and LAN. The students often call on identical pages. Many teachers have students to call the same movies e.g. Youtube. In addition, updates will be stored from Microsoft.
    We already have two single 1GB Intel Server NIC - (Intel Pro / 1000 MT Server Adapter). They run as PCI / PCI-X (64 bit / 133 MHz).

    Can I still ask you three questions?
    1. Can I use those 1-port NICs, or must the bus speed on the MB then be higher?
    2. Would a two-port NIC be better, and cheaper all together?
    3. Can you recommend me a motherboard? Asus, ASRock …?

    I look forward to any response!

    Thank You

    pfsenselearner


  • Netgate Administrator

    You can use those adapters if you've got a motherboard with slots to fit them. Using standard PCI slots you are limited in bandwidth to ~1Gbps total for the bus. That means that if both adapters are on the same bus you might see only 500Mbps between them. However there may be other devices also using that bus that slow you further.
    If you have a board with PCI-X slots then there's no problem, they have a much higher bandwidth.

    Dual port adapters are often more expensive than two single port adapters and only really have the advantage of only taking up one slot. If you only need two adapters that's not a problem.

    Steve



  • If you are buying new, my motherboard recommendation based on my experience is this one:
    http://asrock.com/mb/Intel/H81M-DGS R2.0/index.us.asp

    Cheap and cheerful, and has been working for over a year without complaint. (I bought it cause it was cheap, but it has served me well)

    As mentioned a dual port Nic can be found on eBay for $25-35.

    Pair that with a Pentium g3220 or 3420 and you have the basics covered

    Slap 4-6 gig of ram in it, and a cheap ssd, then you are good to go.



  • @Keljian:

    If you are buying new, my motherboard recommendation based on my experience is this one:
    http://asrock.com/mb/Intel/H81M-DGS R2.0/index.us.asp

    Cheap and cheerful, and has been working for over a year without complaint. (I bought it cause it was cheap, but it has served me well)

    As mentioned a dual port Nic can be found on eBay for $25-35.

    Pair that with a Pentium g3220 or 3420 and you have the basics covered

    Slap 4-6 gig of ram in it, and a cheap ssd, then you are good to go.

    Fastest way to bring an old machine back to life is stick a fast hard disk in it as this is usually the bottleneck.

    SSDs will add another year or two to old laptops as they normally always have slow 5400rpm disks that need to be slower to handle the knocks and drops a bit better, something that affects SSDs less, not to mention better battery life by not having to spin some metal as well.

    On the reliability of SSDs, I've been using unbranded cheap mSATAs (Intel NUCs for pfSense) as well as branded SSDs like Crucial M4s (3/4 years daily use programming inside VMs running on laptops) with the firmware update affecting the writes, and also have the latest Samsung 840 Evo 1TB which I got last year; all have been reliable without any failures. So far they seem as good as spin disks now for reliability, although I have yet to use any SSDs in servers, but the speed of these things makes it much nicer to work on as you don't spend as much time wasted waiting for the machine. Compile times have shot down enormously, so some apps that would take a day to compile are now down to a few hours, so there's no need for batch compilers any more.

    FWIW.



  • Thanks for the replies and tips! The hardware is ordered:-)

    ASRock H81M-DGS R2.0
    Pentium G3420
    Corsair 8GB RAM
    Samsung Pro 850 128 GB

    I have an old case with power supply left over.

    I still have two questions :-))
    1. How do you run TRIM for the SSD under pfSense / FreeBSD?
    2. How many watts do you think the power supply should have?

    @ Firewall user
    Do you already know the "new" update for the Samsung 840 EVO? Performance Restoration software including FW:

    http://www.samsung.com/global/business/semiconductor/minisite/SSD/de/html/support/downloads.html

    I will inform you about the course

    Many greetings pfsenselearner



  • This appears to be a useful thread: https://forum.pfsense.org/index.php?topic=34381.0 It's about SSDs with pfSense.

    do you already know the "new" update for the Samsung 840 EVO? Performance Restoration software including FW:

    I didn't, but do now, thanks!

    http://www.anandtech.com/show/8617/samsung-releases-firmware-update-to-fix-the-ssd-840-evo-read-performance-bug


  • Netgate Administrator

    There's quite a lot of mis-information in that ssd thread. It's worth reading through but don't believe everything in it!  ;)

    Steve



  • Hmmmmm.

    Any old reliable desktop machine with a couple of cores that is reliable and has slots for your NICs will work fine.
    Your bandwidth requirements are low.

    On the HDD - If you install a reliable, fast HDD that will be simple, fast, reliable and easy.  Doesn't need to be big at all.  64GB or more is plenty.  More won't ever get used.

    If you go with an SSD, it will be faster but you can wreck it if you don't enable TRIM.

    SLC SSD will cost more but it's harder to wreck.

    Any of these can be very reliable; just set TRIM if you go with an MLC SSD and get a good SSD.  Reliability is more important than size.



  • @stephenw10:

    There's quite a lot of mis-information in that ssd thread. It's worth reading through but don't believe everything in it!  ;)

    Steve

    Hadn't looked through it all, so thanks for the heads up.

    This should be good enough though.
    https://www.freebsd.org/cgi/man.cgi?query=tunefs&sektion=8

    But it doesn't work, getting a system superblock error with
    #  tunefs -p /dev/ada0
    but it appears to be simply 3 steps.

    1. Single user mode
    2. # mount
    3. # tunefs -t enable /dev/ada0

    Oh well off to find out about the superblock error.



  • Regarding the power supply budget:
    15w for the network card
    5w for the ssd
    40w for the processor (though this will be circa 5w most of the time)
    5w for the memory

    That should be sufficient



  • One thing you may not have considered is site caching for YouTube. It's very challenging to actually get Squid to play nice with YouTube at any level. YouTube uses a number of tactics to throw off proxies, which include rapid DNS changes, random filename changes, among other tactics. There's also a different .flv for each quality level. This is mostly for legal reasons: they need control of their brand, and having copyrighted material still available through site caches exposes them to liability.

    Few consumer-grade solutions operate at a high level of efficiency, and for a more efficient setup, you're looking at commercial solutions, which can be fairly pricy. Even worse, the storage capacity you'll need for such a solution is enormous.

    If I'm reading correctly, 50Mbps will be majorly insufficient for the needs you have. At 50Mbps you're looking at incredibly tight restrictions on all content, including YouTube, which will impair the quality of education. If upgrading the WAN truly is out of the question, you could blanket-blacklist YouTube, but allow some content in via whitelisting. Have teachers fill out a form so that specific content can be downloaded and stored on the network (i.e. via shares) ahead of time. If that is too troublesome, you could permit whitelisting of specific content using a similar form. Even still, you'll have major issues with concurrent usage.


  • LAYER 8 Netgate

    Many teachers have students to call the same movies e.g. Youtube. In addition, updates will be stored from Microsoft.

    Yeah, they might have to figure out another way.  You should probably look at WSUS instead of depending on a web cache for the windows updates.

