Another hardware recommendation question



  • Hi there,

    I'm fairly new here and I did search this forum, but please forward me to already existing info that I missed.

    I would like to build a pfsense box for my home network. My setup would be like this:

    internet (fiber, 500Mb/s) modem --- pfsense box --- managed gigabit switch --- everything else

    everything else includes:

    • wired:
      • NAS (FreeNAS, dual-nic, LACP)
      • playstation 3, wii
      • raspberries and other media players
      • smart tv's & pvr's
      • laptops
    • wireless, via 2 wireless access points (1 cisco/linksys, 1 apple AirPort):
      • laptops
      • tablets
      • phones

    What hardware would you recommend, leaving enough room for future use, maximum performance (don't think I will ever upgrade beyond the 500 Mb/s internet connection), while keeping the costs as low as possible? Probably the game consoles do not need to be managed or monitored at all.

    What pfsense applications/functions require the most of the hardware resources? (So I can choose what I want to use vs cost of hardware)

    I think Intel NICs and an encryption-supporting CPU are the way to go?

    Thanks in advance!



  • I would go ahead and buy the most current and expensive piece of hardware that you can find in the ESF store, since no matter what I recommend, that's what others will recommend and ultimately that's what you will go with.  The 8 core Atoms are quite nice.

    http://store.pfsense.org/c2758/

    By all means, do not buy cheap, used readily available hardware with 2-4 cores, i3 - to - i7.

    I'm using an old Athlon X2 dual core and it never goes over 14% and can handle your bandwidth just fine.

    But I've built lots of very expensive boxes for people who like to never see more than 1% load (-:  haha



  • @reilos:

    What pfsense applications/functions require the most of the hardware resources?

    snort / Dansguardian / ClamAV / NMAP / Encryption (VPN) / squid probably.



  • @kejianshi:

    I would go ahead and buy the most current and expensive piece of hardware that you can find in the ESF store, since no matter what I recommend, that's what others will recommend and ultimately that's what you will go with.

    Why do you think I would do that? Why would I come here for advice if I do not have the intention to follow the recommendations?

    @kejianshi:

    By all means, do not buy cheap, used readily available hardware with 2-4 cores, i3 - to - i7.
    I'm using an old Athlon X2 dual core and it never goes over 14% and can handle your bandwidth just fine.

    So why would you recommend to buy the most expensive hardware first?

    I came here for some serious advice and even hope to get some explanation to why specific hardware is suitable for my specific use case. Your response does not seem very helpful.

    @jahonix:

    snort / Dansguardian / ClamAV / NMAP / Encryption (VPN) / squid probably.

    Thanks



  • I've been recommending to use cheaper, used readily available hardware when possible…  Few people listen and most disagree.

    I thought I'd try child psychology this time and see how it goes (-:

    If you have a used laptop with a dual core Celeron processor or better and 2GB RAM or better and an ExpressCard slot you can put a gigabit NIC into, that would also work wonderfully...

    So, don't do that either.  (-:

    (I like using old laptops for pfsense if you have an old one you don't need) - Even better if it has a new battery.



  • I do not have old hardware to re-use, so I have to buy everything new... or used.

    And now comes the REAL advice...?


  • Netgate Administrator

    Yes, there are a lot of variables here. Really the only thing we have that's fixed is the 500Mbps WAN bandwidth. At the low end, if you don't run any packages, so just firewall and NAT, and you only have a single internal interface, then almost any old hardware you have to hand will probably be sufficient. 2 NICs in anything faster than a Pentium 4 will pass 500Mbps easily (some P4s also  ;)) and that's not a bad way to go initially. Spend no money, gain experience installing/running pfSense and come away with a much better idea of what you might need longer term.
    At the other end of the scale you might want to run Snort, Squid/SquidGuard and HAVP. Perhaps you want to route all your traffic over a VPN (the full 500Mbps). You could have several internal subnets, segregated wifi and guest wifi. You're going to need something considerably more powerful to do that obviously. It gets much harder to estimate exactly, but I would suggest a fast i3 or the previously mentioned Rangeley Atoms.

    Steve


  • Netgate Administrator

    You posted while I was typing.  ::)
    You really have no spare hardware? You could pick something up for next to nothing then as a test.

    Steve



  • I posted the below information in another thread as well. It may be worth your time to explore it. You can throw in more resource intensive packages on it and it will handle them with no issues.

    Rangeley Atom configs are great but I still don't see the cost to benefit ratio. The power saved and $$ to recoup this expensive piece of hardware is not likely to happen in a year's time. If they come down in price (yes they will some time in future.. all hardware prices do.. lol) then I see the point in buying them. For now I am sticking with i3.

    -------------------------------------------------------------------------------------------
    This is what I have and would recommend the same (except maybe a better hard drive). Check on eBay. You will get all the hardware you need for a much lower price. I got the CPU/mobo combo for just $102.75 shipped.

    Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
    ASUS P8B75-M LX PLUS LGA 1155
    8GB RAM
    100GB laptop drive
    2 x Dual port Intel NICs PCIe

    Package Name   Category   Package Version
    Dansguardian   Services   2.12.0.3_2 pkg v.0.1.12
    pfBlocker      Firewall   1.0.2
    RRD Summary    System     1.1
    snort          Security   2.9.7.0 pkg v3.2.1
    squid3         Network    3.1.20 pkg 2.1.2

    Dansguardian has clamd (virus scanning) service activated and Snort has all the rulesets loaded.

    This supports a 110Mbps/20Mbps WAN without breaking a sweat. At full 110Mbps WAN activity (for over 14 hours non-stop) the CPU hovers between 12-19%. Have 5 VPN users on this as well.

    And part of this in another thread...

    The hardware will easily support your 850/850 bandwidth along with resource intensive packages fully loaded. I have tested the same config in a test environment and it used up the entire 1 gigabit WAN network (my test network is 1 gigabit only) and the CPU was around 39-42% with the resource intensive packages. On base install the CPU never crossed 20%. I thought of doing a 2 gigabit test but it wasn't worth my time.




  • @stephenw10:

    Yes, there are a lot of variables here. Really the only thing we have that's fixed is the 500Mbps WAN bandwidth. At the low end, if you don't run any packages, so just firewall and NAT, and you only have a single internal interface, then almost any old hardware you have to hand will probably be sufficient. 2 NICs in anything faster than a Pentium 4 will pass 500Mbps easily (some P4s also  ;)) and that's not a bad way to go initially. Spend no money, gain experience installing/running pfSense and come away with a much better idea of what you might need longer term.
    At the other end of the scale you might want to run Snort, Squid/SquidGuard and HAVP. Perhaps you want to route all your traffic over a VPN (the full 500Mbps). You could have several internal subnets, segregated wifi and guest wifi. You're going to need something considerably more powerful to do that obviously. It gets much harder to estimate exactly, but I would suggest a fast i3 or the previously mentioned Rangeley Atoms.

    Steve

    Thanks! This is some advice I can work with. Or at least start with  :D
    I want to use firewall, NAT and I only have a single internal interface, maybe one extra for the PS3, so it won't interfere with the internal network. I won't route the full 500Mb over an encrypted VPN connection, but I do plan on using VPN to connect to my network remotely. And now that you start mentioning things like segregated wifi and guest wifi, I might want that too! :P
    Anyway, your advice is noted. Start small and cheap, learn, and later decide.

    @stephenw10:

    You posted while I was typing.  ::)
    You really have no spare hardware? You could pick something up for next to nothing then as a test.

    Steve

    Yeah, maybe some friend or relative has some spare parts :)



  • @Asterix:

    I posted the below information in another thread as well. It may be worth your time to explore it. You can throw in more resource intensive packages on it and it will handle them with no issues.

    Thanks! I'll check it out!



  • Your requirements should be extremely easy…

    2 cores or more, 2ghz or more

    2 gb memory or more

    1 built-in Intel/Realtek/Broadcom NIC

    plus 1 PCI or PCIe interface to add another Intel Gb NIC

    low power is better - aim for a 65W CPU or less, but if it's more it's fine.  Just a bit of extra electricity bill.

    1 HD or SSD, 64GB or more for a full install.

    I like to have the option to plug in a keyboard/mouse/VGA monitor, but many don't.

    Shop eBay

    Or, buy new - that also works.

    Used can cost you less than $100 and new can be upwards of $600 or more depending on your taste for overkill.



  • If you rack mount, IPMI over KVM is very handy. Most boards from SuperMicro have this feature.



  • I went to NewEgg.com and bought a refurbished HP 7900, small form factor box, added a couple NICs from my parts box and swapped in a cheap small SSD for the hard drive. Only one thing to watch, and that is to ensure that the power supply is a "Revision B" or newer if you plan to use the box on a UPS; the PFC circuitry in the Revision A boxes does not do well with that. If you do get a Rev A one, a Rev B power supply is cheap on eBay if you do need to upgrade.

    Under $200 for everything if I had to buy new NICs and an SSD. Got a free OEM Windows 7 Pro disk tossed in for use elsewhere too. If this link works it will pull up four likely systems:

    http://www.newegg.com/Product/Productcompare.aspx?Submit=ENE&N=-1&IsNodeId=1&Description=hp refurbished desktop&bop=And&CompareItemList=-1|83-250-180^83-250-180-03%23%2C83-281-287^83-281-287-TS%2C83-280-184^83-280-184-TS%2C83-256-341^83-256-341-04%23&percm=83-250-180%3A%24%24%24%24%24%24%24%3B83-281-287%3A%24%24%24%24%24%24%24%3B83-280-184%3A%24%24%24%24%24%24%24%3B83-256-341%3A%24%24%24%24%24%24%24



  • You would probably be OK with any power supply if you happen to have a pure sine wave UPS lying around.



  • @stan-qaz:

    I went to NewEgg.com and bought a refurbished HP 7900, small form factor box,…

    Am I correct in assuming that all but one of those devices only run 32-bit software?
    This could be a drawback with future upgrades, can't it?



  • I admittedly could give a crap less about form factor for my personal box.  All I ask is good performance, reliability, reasonably low power consumption and the ability to set the BIOS to power on after a blackout and to wake on LAN.  64-bit capable boxes with 2/4/8 GB RAM already installed with a way reliable overkill PSU are a dime a dozen on eBay.  Mine in Maryland is a mid-tower ATX.

    It's abandoned in my basement there amongst other clutter and no one will complain.





  • I'm using APC Back-UPS Pro 1500s here and they don't provide good enough power, not sure if it is the waveform or the switching delay. Every 7900 with an A rev supply glitches on power transfers and every B rev is fine. All are now B rev after a quick visit to eBay.

    Newegg is offering a couple 8000s for $139 and $149 today:

    http://flash.newegg.com/Campaign/4053?utm_source=NFEmail011615&utm_medium=index&utm_campaign=SaleBanner_B3G_4053&cm_mmc=EMC-NFEmail011615--SaleBanner_B3G_4053--4053-_-NA

    They aren't on the power supply warning list from HP.

    http://h20566.www2.hp.com/hpsc/doc/public/display?sp4ts.oid=3785403&docId=emr_na-c01718939&lang=en&cc=us



  • @kejianshi:

    You would probably be OK with any power supply if you happen to have a pure sine wave UPS lying around.

    I've seen cheap PSUs spark, flare, and smoke. Even if contained in a metal box, I'm not a fan of electrical fires in my computer. I only purchase name-brand PSUs myself.

    I've seen all kinds of stupid stuff from no-name PSUs, assuming that's what you meant by "any".



  • Nooooooo.  What I mean is that if you get a nice used HP dual core Celeron or something, probably the PSU in that unit will be fine with any good pure sine wave UPS.

    Or without a UPS.



  • This is an issue that is related to a small number of HP power supplies, the Revision A ones originally provided in the 7900 and other series of small form factor HP boxes. They were their first round of SFF PFC supplies and didn't really get a good round of testing before being shipped; many unhappy customers.

    Since it is not a standard-shaped supply, replacement is difficult except with another HP one or doing some case work and sacrificing drive mounting space.

    The list of problem systems:

    http://h20566.www2.hp.com/hpsc/doc/public/display?sp4ts.oid=3785403&docId=emr_na-c01718939&lang=en&cc=us



  • OK, so I've been away for some time off. Wow, lots of replies, thanks for all the hardware suggestions!

    I still do not really know how to determine my exact needs though  :-[

    Although my connection is 500Mb/s, the only things I really need to have: no wireless, 1xWAN, 2xLAN (or more) (1 for the game console), decent firewall, NAT, DHCP and access control (what machine has internet/WAN access and when, and preferably parental control by domain, IP and category). With AES-NI not yet fully implemented in pfSense, the only VPN stuff I will use is done on the clients themselves. Maybe need some VPN pass-through or something like that. Captive portal seems nice for guest access, maybe use a VLAN for that too (but I could also do that in my managed switch), so guests can only use the internet and cannot access the local network.

    So taking into account the list from my original post, adding the info above, I guess the hardware requirements are not that high for that, right?



  • Another NewEgg.com deal for the next few days on a similar system. Marked down to $99.00 with free shipping until 29 Jan 2015.

    http://flash.newegg.com/Product/N82E16883280460

    Refurbished: HP 6000 Pro Desktop PC Intel Pentium Dual Core E6500 (2.93GHz),
    2GB Memory, 80GB HDD Storage, DVDROM, DisplayPort Windows 7 Professional 64 Bit

    Also has VGA port, Serial port, 1 PCI, 3 PCIe slots.



  • @stephenw10:

    Yes, there are a lot of variables here. Really the only thing we have that's fixed is the 500Mbps WAN bandwidth. At the low end, if you don't run any packages, so just firewall and NAT, and you only have a single internal interface, then almost any old hardware you have to hand will probably be sufficient. 2 NICs in anything faster than a Pentium 4 will pass 500Mbps easily (some P4s also  ;)) and that's not a bad way to go initially. Spend no money, gain experience installing/running pfSense and come away with a much better idea of what you might need longer term.
    At the other end of the scale you might want to run Snort, Squid/SquidGuard and HAVP. Perhaps you want to route all your traffic over a VPN (the full 500Mbps). You could have several internal subnets, segregated wifi and guest wifi. You're going to need something considerably more powerful to do that obviously. It gets much harder to estimate exactly, but I would suggest a fast i3 or the previously mentioned Rangeley Atoms.

    Steve

    Hey Steve, do you think an old P4 will support Gigabit WAN? Our ISP is currently building its fiber network in town (it's currently 150/7.5 cable).

    I think it might with good Intel NICs. I have an old 2.8GHz S478 Northwood P4 sitting around collecting dust; unfortunately all it has is PCI slots, not PCIe :(



  • @reilos:

    With AES-NI not yet fully implemented in pfSense,

    Wot?


  • Netgate Administrator

    @iGamer:

    Hey Steve, do you think an old P4 will support Gigabit WAN?
    I think it might with good Intel NICs. I have an old 2.8GHz S478 Northwood P4 sitting around collecting dust; unfortunately all it has is PCI slots, not PCIe :(

    Nope.  ;) It might get close though, like 700-800Mbps, with no packages and no other throttle points, like PCI.
    My home box was running a P4-M underclocked to 1.2GHz and it could push ~300Mbps before all its capacitors burst and it died.  :(  It had PCI-X connected NICs (as well as some special network connection bus Intel was using at that time) so there was no hold-up there.

    If you have the hardware already it might be a fun project at zero financial cost. Since it's a single core CPU (without HT?) you should be able to get a good idea of how it will scale to a higher throughput. It will consume electricity at a much higher rate than a newer box though, expect >60W.

    Steve



  • @gonzopancho:

    @reilos:

    With AES-NI not yet fully implemented in pfSense,

    Wot?

    From the website https://www.pfsense.org/hardware/: Future support of AES-NI acceleration of IPsec is planned, and should significantly reduce CPU requirements on platforms that support it.



  • @reilos:

    @gonzopancho:

    @reilos:

    With AES-NI not yet fully implemented in pfSense,

    Wot?

    From the website https://www.pfsense.org/hardware/: Future support of AES-NI acceleration of IPsec is planned, and should significantly reduce CPU requirements on platforms that support it.

    Yeah, we should update that.


  • Administrator

    @gonzopancho:

    @reilos:

    @gonzopancho:

    @reilos:

    With AES-NI not yet fully implemented in pfSense,

    Wot?

    From the website https://www.pfsense.org/hardware/: Future support of AES-NI acceleration of IPsec is planned, and should significantly reduce CPU requirements on platforms that support it.

    Yeah, we should update that.

    Cleaned it up real quick, I will probably touch it again in the near future: https://www.pfsense.org/hardware/#sizing



  • 4 or 8 core Atom C2558 or C2758 board from Supermicro

    8-16GB DDR3

    pick a case, HD, etc.

    that board has everything you will ever need, and can do 1Gb/s connections



  • @jdillard:

    @gonzopancho:

    @reilos:

    From the website https://www.pfsense.org/hardware/: Future support of AES-NI acceleration of IPsec is planned, and should significantly reduce CPU requirements on platforms that support it.

    Yeah, we should update that.

    Cleaned it up real quick, I will probably touch it again in the near future: https://www.pfsense.org/hardware/#sizing

    Will recommended hardware change because of this?


  • Netgate Administrator

    No, I think most people in this thread were already aware of the current AES-NI support.

    Steve