Hardware for 1Gbps NAT and 100Mbps VPN



  • Hi guys,

    I need a 1U rackmount solution for 1Gbps firewall/NAT and 100Mbps OpenVPN. There will be around 8-10 VLANs, connected via tagged traffic directly, and 2 WANs, one 1Gbps for main traffic and one 50Mbps as backup. Traffic between VLANs excluded or minimal.

    Nothing else. No extra packages.

    I'd have 2 of these boxes at 2 different locations, they will route inside each other's private networks with OpenVPN. 15-20 users would occasionally work from home using OpenVPN, they will connect to one of the locations considered as primary.

    Do you think Supermicro A1SRI-2758F or Supermicro A1SRI-2558F-O would be able to handle these? I'd run them from a NanoBSD USB disk.



  • they could/should as it's basically the same chipsets/cpu that are in the new pfsense/netgate appliances …. but you'll never know unless you try.

    there are people on this forum that have got one of these supermicro boards, but not sure what throughput they got out of it



  • I'm interested if it could handle the max throughput or not (I want to replace a couple of MikroTiks).

    Unfortunately pfsense/netgate appliances are not available for shopping in my area (in theory they are, but shipping+import duties make it unreally expensive, +shipping time is extremely long)



  • A1SRI-2758F - yes



  • @kejianshi:

    A1SRI-2758F - yes

    Does it boot from USB the NanoBSD image correctly? Or boot hacks need to be applied?



  • Deleted because not related!

    @kejianshi
    Thanks, it was my mistake, that was for another setup with RouterOS!



  • I'm not sure of boot issues.



  • @kejianshi:

    I'm not sure of boot issues.

    What do you mean by "not sure"?


  • Why not use Innodisk DOM for the job?

    http://surl.dk/elk/



  • I want to keep NanoBSD as I consider it extra-safe, much better than the full install.



  • Not sure.  As in I think it should work fine but I'm not sure.

    I don't own that one.



  • use a supermicro c2758 based solution with ecc ram. you can use a sata-dom (SLC memory) for the OS.



  • If you want to build something yourself the parts I outlined here should do the job. The hard drive can be replaced with a SATA to CF adapter and a high grade CF card or whatever if you feel like it.

    If you don't want to put the parts together yourself you can get basically the same thing in a 1U case in the pfSense store.





  • @antillie:

    If you want to build something yourself the parts I outlined here should do the job. The hard drive can be replaced with a SATA to CF adapter and a high grade CF card or whatever if you feel like it.

    That's exactly how I'm going to do.



  • @antillie:

    If you want to build something yourself the parts I outlined here should do the job. The hard drive can be replaced with a SATA to CF adapter and a high grade CF card or whatever if you feel like it.

    Sounds like a great system, have you measured the power consumption idle/maxed out?



  • I haven't measured it personally but it does sit at 57C idle in a closet with no active cooling according to the coretemp driver built into pfSense. Under load it jumps up to 62C. The powerd service works perfectly with the board so the CPU frequency and voltage change dynamically based on system load.

    However I have talked to someone who built the exact same system except he used a Samsung 840 Pro as the hard drive and according to his Kill-A-Watt meter the box drew 28 watts under max load.



  • @robi:

    @kejianshi:

    A1SRI-2758F - yes

    Does it boot from USB the NanoBSD image correctly? Or boot hacks need to be applied?

    Okay, my A1SRI-2758F arrived yesterday. It boots perfectly the v2.2 4GB NanoBSD image from a USB stick plugged in either port (USB2, USB3 on the back, or USB3 header inside the board).
    Using the latest bios v109.



  • It also boots perfectly the NanoBSD image from a 4GB CF card connected with a SATA adapter to port SATA2 (the first of the black ones, in bios set to IDE mode instead of AHCI). It doesn't boot it if the adapter connects to a SATA3 port (white connector on the board), but that's because I guess my CF-to-SATA adapter is only SATA2 compatible.



  • @robi:

    I want to keep NanoBSD as I consider it extra-safe, much better than the full install.

    Can you elaborate?  I am thinking of using the same motherboard to build pfSense for my home.  I was planning on using a SSD, but may consider a USB stick.

    I would also be curious to see your throughput with the build.  I will be getting symmetrical Gigabit service soon and would like to build something that will give me the fastest throughput.



  • For the Asus Eee Box desktop computer network drivers problem, I think you can download a free drivers helper software to help you. You can find one from CNET or Google.



  • @mifronte:

    @robi:

    I want to keep NanoBSD as I consider it extra-safe, much better than the full install.

    Can you elaborate?  I am thinking of using the same motherboard to build pfSense for my home.  I was planning on using a SSD, but may consider a USB stick.

    I would also be curious to see your throughput with the build.  I will be getting symmetrical Gigabit service soon and would like to build something that will give me the fastest throughput.

    Read Full Install and NanoBSD Comparison. NanoBSD is by design a more "industrial" approach to running such a system in an embedded manner.
    Unless you're using some disk-intensive extra packages on pfSense, I see no reason to run a full install at all.

    I did test with a couple of USB sticks, they all booted fine and quickly (these are good at read speeds). Installing packages afterwards turned out to be very slow with USB sticks, and one of them failed during such an install (maybe it was defective in the first place). Turned to SATA-connected CF card by means of an adapter, and got back well-known reliability.
    I like the CF card approach because I can mount it on the case so that the CF itself is accessible from the front panel without having to actually open the case, so I can replace the CF card without having to remove the entire appliance from the rack and open the case.

    Didn't do reliable throughput tests yet, a quick speedtest.net in the evening showed 750Mbit+ download speed with CPU at about 20% usage.



  • Hmm, is it normal for those boards to kind of tilt when they get hotter? I just got my A1SRi-2758F and while installing pfSense suddenly nearly every process segfaulted. At first I thought my RAM was bad and tried my two 4G modules alone but that did not help. Connected a Linux HDD which segfaulted, too.

    Then I took a small fan and put it on the CPU heat sink, suddenly all my problems went away. Strange, because according to IPMI every sensor was green (CPU, RAM, Power…) when the board started freaking out.
    It's about 25-27 degrees Celsius here in the room and the CPU was about 50 to 60 degrees when the segfaults began.
    Should I return the board? Anyone with the same problems?



  • I've had one of them running for about 1 month in a pretty warm rack, according to pfSense dashboard the CPU was at 70 Celsius when idle. It had absolutely no problems at all.
    It's been relocated to some cooler place, now it's at 50 degrees.



  • Keep in mind that few, if any, motherboard temperature sensors are calibrated to.  You could have two sensors sitting side by side on the motherboard and one might be as much as 10C different from the others.

    Motherboard / CPU sensors are great for measuring change in temperature (i.e. is it hotter or colder than yesterday), but not so much for absolute temperature values.



  • Thanks for your input!
    @robi: Just to be sure, your system is fanless?

    The only time I had a system with heat problems was a Dell D630 with a totally dusted fan. We tried to install Windows 7 on a new SSD in this system. We noticed that it got very very hot but it never hung, it just throttled the CPU to 100 MHz and was really slow.  :)
    So I guess that the Atom must have a similar mechanism in place and should not segfault if it gets too hot? Also the mainboard has an "Overheat" LED which did not light up (but I know it works because it blinks when I pull the fan power connector).
    @tgharold: Shouldn't the system at least be able to detect if it's too hot and have the sensors calibrated for that?
    I'm running a memory test at the moment, so far no problems with the fan on. I'll try without the fan after it completes.
    I should also be able to rule out the power supply, unless it's the Pico PSU that benefits a little from the fan put on the CPU.



  • Yes it is. It's currently in a temporary case, but it's soon going to be moved into a SuperMicro rackmount chassis, and I plan to add 2 extra PWM fans at the back of that.

    Why are you using pico PSU? The A1SRi-2758F can be powered with 12V directly. On my second machine, I just dropped the psu from the case because of this. The motherboard has power outs for disks.



  • @robi:

    Yes it is. It's currently in a temporary case, but it's soon going to be moved into a SuperMicro rackmount chassis, and I plan to add 2 extra PWM fans at the back of that.

    Why are you using pico PSU? The A1SRi-2758F can be powered with 12V directly. On my second machine, I just dropped the psu from the case because of this. The motherboard has power outs for disks.

    Thanks! I'll try to get the board exchanged then. I think I can rule out memory because MemTest86 does not show any errors when the board is hot. Strange enough it has no problems booting from USB and running the test when at the same temperature both pfSense and Linux segfault nearly everything.

    As for the PSU, what cables are you using for that? When I ordered the parts, I looked into a 12v DC cable and also HDD power out cable. At least for system power I did not find any solution other than soldering myself.



  • MemTest86 usually only catches fully-failed RAM issues.  If you really want to check your CPU/cache/RAM/timings, then run Prime95 in torture-test mode (available at mersenne.org) for 12-48 hours.  It stresses the CPU and cache and timings and RAM, which is more likely to catch subtle issues like RAM that does not live up to the timings listed on the package.



  • Thanks! If the new board shows the same problems as the current one, I'll look into Prime95. Should arrive tomorrow…



  • @athurdent:

    As for the PSU, what cables are you using for that? When I ordered the parts, I looked into a 12v DC cable and also HDD power out cable. At least for system power I did not find any solution other than soldering myself.

    I didn't really look for original SuperMicro cables, just took a 4-pin 12VDC molex extender and cut the female end, and soldered it to the DC input jack on the chassis. I'm using a 3rd party case which has an external, laptop-style 12V DC power supply, so that's all I had to do.
    The case originally had a built-in 12V->ATX psu, which I simply removed.

    Maybe your board had no problems. Bad quality power supplies can cause problems like you described, that's why I opted for the motherboard's built-in power source.

    My other system is in an original SuperMicro rackmount chassis now, that has a normal ATX power source built-in. Look in the motherboard's optional accessories list.



  • Thanks for your great input. If the new mainboard shows the same symptoms, I'll try with a normal PSU first to rule out power problems. And I'll just solder a P4 - 12v DC cable. Might save some power as the PicoPSU isn't the coolest part either.
    The strange thing is that my supplier accidentally sent the wrong board (A1SAi-2550F) a month ago and RAM / PS worked like a charm there. I only noticed that it was the wrong board when pfSense reported 4 cores. And it was already running for quite some time when I realized I got the wrong board. ;)



  • Looks like it was a faulty mainboard after all. The new one ran without fans for over an hour without any segfaults. And it's 30 degrees Celsius in that room ATM.
    Now I might have to look into another case because 40mm fans tend to make high pitched noise that does not really go away even when using the NF-A4x10 FLX with low-noise adapter.
    I have ordered a Scythe Kaze Jyu Slim 100 mm, hope it does fit. I'll try to attach it to the case cover with velcro tape and leave the second HDD/FAN bracket out.