Hardware suggestions
-
Hello
i have a budget of about 1000$ to get hardware on which to run pfsense. we have 8 offices spread over about a 1000 kms, average users around 400-500. VPNs are used frequently and it wont be wrong if i say are used 24x7
I want to get possible hardware which will work efficiently for next 3-4 years during which it is expected the number of users may increase by around 100-150.
currently running pfsense on soekris 6501 boards which give throughput of about 600 mbps on full load and on vpn throughput of around 120mmbps. Goal is to double the throughput (if possible)
I'd want to have the box similar in size to that of soekris
Any suggestions will be much appreciated
Thanks
-
it'll probably depend on the type of VPN.
-if you wish to accomplish this with openvpn then you $1k budget might be on the low-end if you wish this to be in a 19" appliance type of device. (openvpn needs lots of cpu power or hardware crypto card = i5/i7/xeonE5 ish)
-recently there have been huge performance gains when using IPSEC by enabling AES-NI (freebsd & pfsense & netgate worked together to get this working in 2.2 … )
http://store.pfsense.org/c2758/ <– high-end model that should probably do more then 300mbit ipsec with AES-NI (ask for confirmation at pfsense-devs )
-
I'm surprised you're seeing 120Mbps from an older Atom.
Jim posted some numbers for an IPSec tunnel between an FW-7551 and a C2758:
https://forum.pfsense.org/index.php?topic=81862.msg471933#msg471933Steve
-
I'm surprised you're seeing 120Mbps from an older Atom.
Jim posted some numbers for an IPSec tunnel between an FW-7551 and a C2758:
https://forum.pfsense.org/index.php?topic=81862.msg471933#msg471933Steve
my bad, it was about 65 mbps
@heper:it'll probably depend on the type of VPN.
-if you wish to accomplish this with openvpn then you $1k budget might be on the low-end if you wish this to be in a 19" appliance type of device. (openvpn needs lots of cpu power or hardware crypto card = i5/i7/xeonE5 ish)
-recently there have been huge performance gains when using IPSEC by enabling AES-NI (freebsd & pfsense & netgate worked together to get this working in 2.2 … )
http://store.pfsense.org/c2758/ <– high-end model that should probably do more then 300mbit ipsec with AES-NI (ask for confirmation at pfsense-devs )How much will an i3/i5 setup cost approx?
-
That seems closer to what I'd expect. ;)
Is is just the VPN speed you're looking for?
The FW-7551 and its successor are a lot less than $1000.
http://store.pfsense.org/SG2440/Steve
Edit: Rogue apostrophe
-
How much will an i3/i5 setup cost approx?
your budget is fine, I would go this rout >>
Get you something like this mobo
SUPERMICRO MBD-X10SLM-F-O
With an i3 or even a Xeon (E3-1220V3)
and you will have nothing to worry about for 3 to 5 years.
(Those 2 + Memories, rackmount case, Supply should get you right around your budget)
-
How much will an i3/i5 setup cost approx?
your budget is fine, I would go this rout >>
Get you something like this mobo
SUPERMICRO MBD-X10SLM-F-O
With an i3 or even a Xeon (E3-1220V3)
and you will have nothing to worry about for 3 to 5 years.
(Those 2 + Memories, rackmount case, Supply should get you right around your budget)
Thanks for the suggestions :)
Will try to go with xeon budget permitting
Main issue currently is finding a mini itx board having 4 NICs that can fit in the soekris casing or something similar of the size (have to say its beautiful :P)
-
Thanks for the suggestions :)
Will try to go with xeon budget permitting
Main issue currently is finding a mini itx board having 4 NICs that can fit in the soekris casing or something similar of the size (have to say its beautiful :P)SUPERMICRO MBD-A1SRi-2758F-O is mini ITX with Quad Intel Ethernet, this one have a 8-Core Atom (C2758). Not sure if it will fix the case you refer to.
You can also find it with an i7 (SUPERMICRO MBD-X9SPV-M4-3UE-O)
Or you can add a Quad Intel Nic on PCIe slot to any of the mini ITX LGA1150 boards.
-
Thanks for the suggestions :)
Will try to go with xeon budget permitting
Main issue currently is finding a mini itx board having 4 NICs that can fit in the soekris casing or something similar of the size (have to say its beautiful :P)SUPERMICRO MBD-A1SRi-2758F-O is mini ITX with Quad Intel Ethernet, this one have a 8-Core Atom (C2758). Not sure if it will fix the case you refer to.
You can also find it with an i7 (SUPERMICRO MBD-X9SPV-M4-3UE-O)
Or you can add a Quad Intel Nic on PCIe slot to any of the mini ITX LGA1150 boards.
if your total budget is 1000$, that is going to be difficult for 8 offices. if about 1000$ per office, than go with the above setup to be problem free. use ecc ram
-
Thanks for the suggestions :)
Will try to go with xeon budget permitting
Main issue currently is finding a mini itx board having 4 NICs that can fit in the soekris casing or something similar of the size (have to say its beautiful :P)SUPERMICRO MBD-A1SRi-2758F-O is mini ITX with Quad Intel Ethernet, this one have a 8-Core Atom (C2758). Not sure if it will fix the case you refer to.
You can also find it with an i7 (SUPERMICRO MBD-X9SPV-M4-3UE-O)
Or you can add a Quad Intel Nic on PCIe slot to any of the mini ITX LGA1150 boards.
if your total budget is 1000$, that is going to be difficult for 8 offices. if about 1000$ per office, than go with the above setup to be problem free. use ecc ram
Oh, maybe I misunderstood the OP, I thought the 1K budget was for the VPN server / File server host, not all the 8 offices. I thought the offices will be clients. 1K over those 8 offices would be $125 per office…? no way you will find anything for $125
-
Thanks for the suggestions :)
Will try to go with xeon budget permitting
Main issue currently is finding a mini itx board having 4 NICs that can fit in the soekris casing or something similar of the size (have to say its beautiful :P)SUPERMICRO MBD-A1SRi-2758F-O is mini ITX with Quad Intel Ethernet, this one have a 8-Core Atom (C2758). Not sure if it will fix the case you refer to.
You can also find it with an i7 (SUPERMICRO MBD-X9SPV-M4-3UE-O)
Or you can add a Quad Intel Nic on PCIe slot to any of the mini ITX LGA1150 boards.
if your total budget is 1000$, that is going to be difficult for 8 offices. if about 1000$ per office, than go with the above setup to be problem free. use ecc ram
Thanks for the suggestions
That 3rd gen seems very good.
we have 1000$ per office budget.
Last thing is to get a small 1u casing. Any suggestions regarding that will be greatly appreciated
-
Thanks for the suggestions
That 3rd gen seems very good.
we have 1000$ per office budget.
Last thing is to get a small 1u casing. Any suggestions regarding that will be greatly appreciatedCheck out SUPERMICRO SuperChassis CSE-512L-200B
-
Thanks for the suggestions
That 3rd gen seems very good.
we have 1000$ per office budget.
Last thing is to get a small 1u casing. Any suggestions regarding that will be greatly appreciatedCheck out SUPERMICRO SuperChassis CSE-512L-200B
Thanks but looking for something smaller like the soekris casings please
-
Thanks but looking for something smaller like the soekris casings please
You said 1U… that's 1U
soekris casings re custom, not sure there is anything out there that would fit a ITX formfactor
-
http://uk.farnell.com/schroff/20860-120/case-19-inches-1u-220mm-steel/dp/1455923
this is one that i found not sure if it would fit properly though
Secondly. would 4 GB ram suffice? And what brand should i go for
-
Supermicro has low depth cases for mini itx bundled with PSU's.
So if you are going that route I would not use a CSE-512L-200B a suggested above, but a CSE-503L-200B : http://www.supermicro.com/products/chassis/1U/503/SC503L-200.cfm
Remember you need a fan assembly, and HDD cage if you are not going to hotglue everything :). These things are also not super quiet. Especially if you use the official fan.It has the depth of general non enterprise switches. And is 1U. I use them even in small 6U mini racks without issue.
I have no idea why you would want to use custom steel cases? The time you need to cut ports in them alone, if you factor in time/cost is ridiculous.
Akasa will some day have very nice passive cases. If they ever release them : http://www.akasa.com.tw/update.php?tpl=product/product.detail.tpl&no=181&type=Fanless%20Chassis&type_sub=Fanless%20Mini%20ITX&model=A-ITX17-M1BSupermicro RMA support is twitchy. So prepare to stock 1 extra 'in case'. Seeing your budget, you should have enough left to buy a 9th setup as a spare.
An A1SRi 2758 / 8GB ECC / SSD / case should be well within 1k.Of course, for your speed requirements. I see no reason why not go the official store route - and support your favorite Firewall Appliance?
http://store.pfsense.org/SG4860/Has everything you could ever want. Smaller form factor if for some reason you want that. Lower power use, passive. 6 ports.
And currently will already do several hundred Mbps VPN tunnels with improvements on the way.
-
You will get more bang for the bug buying this one: http://www.xcase.co.uk/1u-rackmount-server-cases/x-case-itx-19-02-1u-rackmount-short-29-95-x-case.html
-
Supermicro has low depth cases for mini itx bundled with PSU's.
So if you are going that route I would not use a CSE-512L-200B a suggested above, but a CSE-503L-200B : http://www.supermicro.com/products/chassis/1U/503/SC503L-200.cfm
Remember you need a fan assembly, and HDD cage if you are not going to hotglue everything :). These things are also not super quiet. Especially if you use the official fan.It has the depth of general non enterprise switches. And is 1U. I use them even in small 6U mini racks without issue.
I have no idea why you would want to use custom steel cases? The time you need to cut ports in them alone, if you factor in time/cost is ridiculous.
Akasa will some day have very nice passive cases. If they ever release them : http://www.akasa.com.tw/update.php?tpl=product/product.detail.tpl&no=181&type=Fanless%20Chassis&type_sub=Fanless%20Mini%20ITX&model=A-ITX17-M1BSupermicro RMA support is twitchy. So prepare to stock 1 extra 'in case'. Seeing your budget, you should have enough left to buy a 9th setup as a spare.
An A1SRi 2758 / 8GB ECC / SSD / case should be well within 1k.Of course, for your speed requirements. I see no reason why not go the official store route - and support your favorite Firewall Appliance?
http://store.pfsense.org/SG4860/Has everything you could ever want. Smaller form factor if for some reason you want that. Lower power use, passive. 6 ports.
And currently will already do several hundred Mbps VPN tunnels with improvements on the way.Thanks a lot for your detailed reply
I guess il go for 503L in the end :)
ECC RAM is the only thing left i think so any suggestions fir that?
-
made an error ! enclosure is 505-203b : http://www.supermicro.com/products/chassis/1U/505/SC505-203.cfm
front panel layout is totally different (and wrong..) with a 503.I often just use Kingston 1.35v ECC non buffered without any errors. But if you want to be sure 100% Supermicro has a supported memory list at the spec page of the motherbord.
-
Thanks for the suggestions :)
Will try to go with xeon budget permitting
Main issue currently is finding a mini itx board having 4 NICs that can fit in the soekris casing or something similar of the size (have to say its beautiful :P)SUPERMICRO MBD-A1SRi-2758F-O is mini ITX with Quad Intel Ethernet, this one have a 8-Core Atom (C2758). Not sure if it will fix the case you refer to.
You can also find it with an i7 (SUPERMICRO MBD-X9SPV-M4-3UE-O)
Or you can add a Quad Intel Nic on PCIe slot to any of the mini ITX LGA1150 boards.
Can anyone please confirm if (SUPERMICRO MBD-X9SPV-M4-3UE-O runs freebsd? Checked the os compatibility chart on supermicro site but cant seem to find freebsd for this specific model
-
http://uk.farnell.com/schroff/20860-120/case-19-inches-1u-220mm-steel/dp/1455923
this is one that i found not sure if it would fit properly though
Secondly. would 4 GB ram suffice? And what brand should i go for4GB ram would be more than enough if you don't need anything other than VPN.
-
With an $8000 budget I'd get 1 (or 2) C2758s from pfSense or Netgate for the central site and RCC-VE 2440s for the satellites. $4,443 (with 2 C2758s in HA) from Netgate, - half your budget - and it'll scream and will all have QuickAssist and AES-NI for future versions. Plenty of budget to add things like 30GB mSATAs to the satellite routers, upgrade switches, etc.
-
With an $8000 budget I'd get 1 (or 2) C2758s from pfSense or Netgate for the central site and RCC-VE 2440s for the satellites. $4,443 (with 2 C2758s in HA) from Netgate, - half your budget - and it'll scream and will all have QuickAssist and AES-NI for future versions. Plenty of budget to add things like 30GB mSATAs to the satellite routers, upgrade switches, etc.
Cant see how a 2758 would be better than i7 3517 :-\
-
Cant see how a 2758 would be better than i7 3517 :-\
No QuickAssist in the 3517 for one. Tested and supported for precisely your stated purpose.
-
Cant see how a 2758 would be better than i7 3517 :-\
No QuickAssist in the 3517 for one. Tested and supported for precisely your stated purpose.
I see
so is it due to quick assist or more cores of the 2758 as compared to the 3517?
-
I lean more toward tested and supported than anything else when compared to rolling your own. Don't get too wrapped around the axle about the hardware. C2758s are already overkill for what your requirements dictate. Having everything you buy support QuickAssist just gets you about as much future-proofing as you can get these days.
-
Hello bhawk6901,
if you can whait until Q5 of this year the new Soekris net6801 could be the follower because
it comes in the same dimensions and is also quite silent to drive but it comes with an Intel
C2758 with 8 Cores and 8 GB of RAM this should be the greatest one of them as I see it
right and Intels AES-Ni will be availably also on board. Soekris net6801
-
@BlueKobold:
Hello bhawk6901,
if you can whait until Q5 of this year the new Soekris net6801 could be the follower because
it comes in the same dimensions and is also quite silent to drive but it comes with an Intel
C2758 with 8 Cores and 8 GB of RAM this should be the greatest one of them as I see it
right and Intels AES-Ni will be availably also on board. Soekris net6801no, have to get it done by June max
also i think soekris is pretty expensive :-\
-
@BlueKobold:
Hello bhawk6901,
if you can whait until Q5 of this year the new Soekris net6801 could be the follower because
it comes in the same dimensions and is also quite silent to drive but it comes with an Intel
C2758 with 8 Cores and 8 GB of RAM this should be the greatest one of them as I see it
right and Intels AES-Ni will be availably also on board. Soekris net6801no, have to get it done by June max
also i think soekris is pretty expensive :-\For sure you are right but they are producing also reliable and solid hardware.
What is about a Netgate RCC-VE 2440 System for around ~ $4002 Core - 1,7 GHz - Intel C2358 - AES-NI - Intel QuickAssist
4 GB RAM / 4 GB Storage
3 miniPCIe slots for modem, mSATA and WiFiwould this be an option for you?
-
on your main office, the one where everyone connects to, I would use a supermicro c2758 with 16gb+ ecc ram and a sata-dom 32-64gb @ SLC memory. this is the main unit that everyone dials into.
for the other offices, you can build the same unit over for each, maybe with less ram, or even get a gigabyte celeron-j rig with 4-8gb and a regular sata ssd @ 128gb.
if you want it rock solid, go supermico everything. you can use the 4 core atoms instead of the 8 cores to save about 60-70$ per box. I would just get the 8 cores.
the xeon d is also almost out, and would make for a more capable main box, but at greater cost.
