High Power, Low Cost



  • Hello!

    I finally want to use my full bandwidth on my internet connection, so I decided to build my own router / firewall on my own, based on a *BSD.
    My connection is a full 1 GBit, so the router needs to be able to live up to these speeds.
    I maintain 5 DMZs, which are in separate VLANs. One of them is performance critical, as my file server is placed in it. It is capable of doing a full GBit. A managed switch is installed.
    Furthermore, I want to use site2site VPN with a 200 MBit/s maximum speed with facility A and another VPN with facility B with 100 MBit max. Another site2site with 1 GBit bandwidth is sometimes to be used (backups).
    Furthermore, 2-10 endpoint devices are planned to connect to my network.
    Since I have to sleep in the same room, the solution has to be very silent, preferably fanless.

    I have looked and found the following devices:
    -Fitlet X
    -PC Engines APU
    -The new soekris 6801
    -The new Beagle Board X15

    What do you think? Any additions?



  • Sounds like a lot of potentially high bandwidth VPN traffic. What do you foresee needing for VPN bandwidth, both in aggregate across all sites and to a single site?



  • It will most likely idle most of the time. On my facility there's a big file server, the other sites will use that to pull data when they need it, so my VPN has to deal with it at reasonable speeds.
    A VPN throughput of a minimum of 500 MBit (in general) and 500 MBit min for each connection would be the lower end of what I expect the VPN to handle.
    (Background: it's unlikely that all sites each are requesting VPN at their maximum wan connection speeds at once. It's first and foremost important that if some data is needed, it's there fast so the sites can use it.)

    Absolutely optimal would be the situation where I would have a maximum of 1 GBit VPN throughput (the maximum connection speed to the outside world), but I'm not entirely sure how this can be handled with non-high-end(-priced) hardware.



  • @def4:

    Hello!

    I finally want to use my full bandwidth on my internet connection, so I decided to build my own router / firewall on my own, based on a *BSD.
    My connection is a full 1 GBit, so the router needs to be able to live up to these speeds.
    I maintain 5 DMZs, which are in separate VLANs. One of them is performance critical, as my file server is placed in it. It is capable of doing a full GBit. A managed switch is installed.
    Furthermore, I want to use site2site VPN with a 200 MBit/s maximum speed with facility A and another VPN with facility B with 100 MBit max. Another site2site with 1 GBit bandwidth is sometimes to be used (backups).
    Furthermore, 2-10 endpoint devices are planned to connect to my network.
    Since I have to sleep in the same room, the solution has to be very silent, preferably fanless.

    I have looked and found the following devices:
    -Fitlet X
    -PC Engines APU
    -The new soekris 6801
    -The new Beagle Board X15

    What do you think? Any additions?

    • No, too slow.
    • No, too slow.
    • Yes, technically, but Soekris sucks.
    • No, that's an ARM CPU. pfSense runs on x86 and x86-64.

    One of the C2000 Atoms is the way to go, but the 8-core models are only really fanless if you're in a cool room.  I have a small 40mm case fan on mine running at 7V with ducted airflow across the CPU heatsink.  It's basically silent, but not fanless.  I'd suggest the Supermicro A1SRi-2758F.



  • Sure that a Fitlet X A10 is too slow? It seems to be the most powerful device on my list…
    Why exactly does Soekris suck?
    In case of the Beagle I'd try OpenBSD... It's just a "can the hardware handle the load" thing :)



  • I'm a n00b here but went through the research for a setup with similar requirements.

    I went with http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm and 16g RAM (expandable to 64) because I expect to be able to run other VMs on this same hardware.

    With all the VPN action you want hardware encryption support. You need to look at the necessary encryption algorithms and make sure your hardware can support them.

    The Intel Atom C2*58 chips support QuickAssist, which has a lot of encryption and compression acceleration.

    If you want just a firewall appliance then the Netgate fw7551 seems to be the best choice for prebuilt hardware, or the 2758 if you think you need more.



  • @def4:

    Sure that a Fitlet X A10 is too slow? It seems to be the most powerful device on my list…

    Agree, but for 1 Gbit routing you need a more powerful platform. I really doubt you can do it with a fanless system since you want to handle internal traffic too.



  • @def4:

    Sure that a Fitlet X A10 is too slow? It seems to be the most powerful device on my list…
    Why exactly does Soekris suck?
    In case of the Beagle I'd try OpenBSD... It's just a "can the hardware handle the load" thing :)

    By what metric do you think the Fitlet X is the fastest system?

    Soekris sucks because they release half-baked products at prices 50% higher than the competition, 12 months later than everyone else, and take years to fix issues, if they ever do.