Build My Own vs. Official pfSense boxes w/ Google Fiber



  • Hi all,

    I've been doing some research and I'm curious as to what would be best for use with Google Fiber.  I'm considering a pfSense SG-4860 box (https://www.pfsense.org/products/) since it claims that it can support gigabit throughput.  However, based on what I've been reading here on the forums, I'm not entirely sure if it can support 1Gb bidirectional throughput since the SG-4860 box uses an Intel Atom C2558 - 2.4 GHz.

    What are everyone's thoughts?  Would I be better off building my own box?  If so, any recommendations?

    Cheers!



  • I have been wondering exactly the same thing, although with CenturyLink.



  • If all you're going to be doing is running it as a fw/router, you should be fine.

    If you're going to run packages, you need to list them.

    I have two Gbit NICs on my pfSense router that are used for my LAN.  Regular routing traffic blazes through at max speed without warming up the CPU.



  • @tim.mcmanus:

    If all you're going to be doing is running it as a fw/router, you should be fine.

    If you're going to run packages, you need to list them.

    I have two Gbit NICs on my pfSense router that are used for my LAN.  Regular routing traffic blazes through at max speed without warming up the CPU.

    If I were going to be just using the unit as a fw/router, would an SG-2220 work as well? If not, could I get away with a low cost self-build? The MSRP on the SG-2440 is a little high for me.



  • The hardware listed in my signature was put together for about $400, and it has 4 Gbit NICs.

    My first pfSense box was an old Dell I bought used for $99 and threw in another PCI NIC card for $30.

    Dumpster-dive an office park or ask your employer for a working PC they're throwing out.  It'll work just fine, but it might suck more power than you want.  The pf-devices sold here are very efficient, quiet, and work out of the box.



  • @tim.mcmanus:

    If all you're going to be doing is running it as a fw/router, you should be fine.

    If you're going to run packages, you need to list them.

    I have two Gbit NICs on my pfSense router that are used for my LAN.  Regular routing traffic blazes through at max speed without warming up the CPU.

    Hmm… I was considering OpenVPN and maybe Snort.

    OpenVPN would probably be limited to like 30-50Mbps.

    Re: Snort... I'm of mixed minds whether it would be better to have that on a dedicated box, but I'm not entirely certain.



  • Think big, start small.

    I had snort running on the P4 Dell I had, no problem.  But snort takes time to learn.  I locked myself out of my pfSense and shut down both WANs and LANs too because of a misconfiguration.  I was lucky snort had a console.

    I've since expanded that (and stopped using snort) and instead installed Security Onion on a VM that receives data on a mirrored port.  For my purposes this is a better solution, but that was only after starting small and growing into my pfSense installation and packages.



  • @tim.mcmanus:

    Think big, start small.

    I had snort running on the P4 Dell I had, no problem.  But snort takes time to learn.  I locked myself out of my pfSense and shut down both WANs and LANs too because of a misconfiguration.  I was lucky snort had a console.

    I've since expanded that (and stopped using snort) and instead installed Security Onion on a VM that receives data on a mirrored port.  For my purposes this is a better solution, but that was only after starting small and growing into my pfSense installation and packages.

    You make a good point to "think big, start small."  I'll admit that I had to look up what Security Onion was since I had never heard of it before.

    Based on feedback I've heard so far, I'll likely get a pfSense box and start with it as a FW/router first and then go from there.

    I appreciate all the help tim.



  • @cptsmidge:

    I have been wondering exactly the same thing, although with CenturyLink.

    I have CenturyLink 1G fiber and for reference the next step down (SG-2440, c2358) doesn't cut it. I have the unbranded version of that same hardware and am topping out around 550Mbps (see https://forum.pfsense.org/index.php?topic=93968.0). The SG-4860 with the upgraded c2558 might have enough oomph to pull off 1G throughput.



  • @chrismc:

    @cptsmidge:

    I have been wondering exactly the same thing, although with CenturyLink.

    I have CenturyLink 1G fiber and for reference the next step down (SG-2440, c2358) doesn't cut it. I have the unbranded version of that same hardware and am topping out around 550Mbps (see https://forum.pfsense.org/index.php?topic=93968.0). The SG-4860 with the upgraded c2558 might have enough oomph to pull off 1G throughput.

    Good to know.

    At this point, I'm going to give the SG-4860 a try and hope that it can support 1G/1G.  I'll report back my findings after getting the box and testing it.



  • I've been working this to death for the last month, but can't pull the trigger. I am on full 1Gb CenturyLink, with pretty much the neighborhood to myself. (I got mine installed before the early freeze, so most people were locked out for the winter.)

    I am certainly waiting to see what your performance might be like.

    More of a question: I see people lump traffic into two categories when I read here, routing and packages. I'm a network engineer by trade, and if we were talking just straight ip-to-ip static routing that'd be an easy process for any router, but are people generally including NAT in routing when they speak? If so, that's not an easy thing for a hardware router like Cisco.  Is pfSense able to process NAT with less issue due to it being mostly software functions? I'd hate to go "all in" with 1Gb and be able to do full speed except for when NAT is employed.

    Thanks.



  • pfSense is a custom FreeBSD/PF build.  So it does stateful packet inspection, which allows you to do NAT as well as a bunch of different things.

    Since pfSense inspects each packet, you can build tools (packages) on top of pfSense to extend the functionality of that stateful packet inspection.  If you size your machine improperly, you may consume too many CPU cycles/RAM/disk space for the various functions you're running on top of pfSense.

    That's the short answer.



  • Buy your own using a Supermicro Atom 2578.



  • @CynicalFrost:

    Hi all,

    I've been doing some research and I'm curious as to what would be best for use with Google Fiber.  I'm considering a pfSense SG-4860 box (https://www.pfsense.org/products/) since it claims that it can support gigabit throughput.  However, based on what I've been reading here on the forums, I'm not entirely sure if it can support 1Gb bidirectional throughput since the SG-4860 box uses an Intel Atom C2558 - 2.4 GHz.

    What are everyone's thoughts?  Would I be better off building my own box?  If so, any recommendations?

    Cheers!

    www.servethehome.com has some excellent reviews and benchmarks for the 4- and 8-core Rangeleys.



  • I'm a big advocate of dedicated hardware here, but at the same time, I'm a big advocate of virtualization.  If you're running any sort of servers, or do any sort of dev work, get yourself a nice virtualization host, and run your VMs, including pfSense, from a virtual machine.  It's more reliable (just migrate machines to another host if things die), more power efficient (one CPU sitting around doing nothing for 10 different hosts instead of one per host), and easier to manage once you set it up right (you screw up your dev server?  restore it from an image~).  If you use open source software, you can get a nice setup for fairly cheap that'll handle your gigabit throughputs just fine, while still allowing your other VMs and other services to function just as well.  Look into an AMD based processor solution with IOMMU and ECC RAM, and you should pretty much be good to go for anything you could throw at it.  If crypto is too slow, you can PCI pass-through an accelerator of some sort, and bada bing bada boom.  Done.



  • and bada bing bada boom.  done.

    There are even two different camps, one complaining about doing that and one agreeing with the VM setups, but I am really wary of installing a firewall inside another OS that is not really secure or safe.

    And if the VM server goes up in smoke you have several services down and on top of that the Internet connection!
    Bada bing bada boom



  • @BlueKobold:

    And if the VM server goes up in smoke you have several services down and on top of that the Internet connection!
    Bada bing bada boom

    Or, if you know, you were smart and planned ahead, you have two or more virtual routers on distinct VM hosts, and you, you know, only have one VM down, and the others are still working fine, and CARP failover takes over?



  • you were smart and planned ahead

    Indeed I hope to do so.

    you have two or more virtual routers on distinct VM hosts,

    Never! I will go straight down the road of setting up two real firewall appliances working together as a failover cluster to ensure that all goes fine for me.

    and CARP failover takes over?

    I would feel much better if the failover procedure were managed and done between two real hardware firewall appliances and not between VMs.



  • @CynicalFrost:

    @chrismc:

    @cptsmidge:

    I have been wondering exactly the same thing, although with CenturyLink.

    I have CenturyLink 1G fiber and for reference the next step down (SG-2440, c2358) doesn't cut it. I have the unbranded version of that same hardware and am topping out around 550Mbps (see https://forum.pfsense.org/index.php?topic=93968.0). The SG-4860 with the upgraded c2558 might have enough oomph to pull off 1G throughput.

    Good to know.

    At this point, I'm going to give the SG-4860 a try and hope that it can support 1G/1G.  I'll report back my findings after getting the box and testing it.

    Are you able to get 1g/1g through the 4860 comfortably? I have ATT Gigapower and Google Fiber coming shortly here and need to start looking to upgrade my firewall. I currently have a 2440 and have read that you can probably only get about 600mb through it. No snort or packages here



  • Are you able to get 1g/1g through the 4860 comfortably? I have ATT Gigapower and Google Fiber coming shortly here and need to start looking to upgrade my firewall. I currently have a 2440 and have read that you can probably only get about 600mb through it. No snort or packages here

    This also depends on how you will be measuring this throughput: with iperf from machine to machine through the SG-2440 or SG-4860, or by checking a speed test website!

    Normally an Intel Core i3 or Core i5 (the biggest ones) will surely be able to push a full 1 Gbit/s through the WAN port, but all the things, services, installed packages and activated functions also slow down the entire pfSense box and, on top of that, the throughput!

    An Intel Celeron G3260T @ 3.2 GHz will also be able to push a 1 Gbit/s line if money is tight!
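One way to make the iperf-versus-speedtest point above measurable, as an added example that is not part of this thread: run iperf3 once LAN-to-WAN and once with `-R` through the firewall under test, save both runs with `--json`, and let a small script decide whether the path holds the 1G/1G target and whether a shortfall is even attributable to the firewall. The 90% threshold and 85% CPU ceiling are assumptions chosen here; the sample results are constructed, with the download run pegged near the ~550 Mbps the SG-2440 owner reported.

```python
"""Judge two iperf3 --json runs taken through a firewall under test.

Key paths (end.sum_sent, end.sum_received, end.cpu_utilization_percent)
follow iperf3's JSON layout; the two result blobs are constructed samples.
"""
import json

# Constructed sample: LAN -> WAN run, near line rate.
UPLOAD_JSON = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 9.62e8, "retransmits": 12},
    "sum_received": {"bits_per_second": 9.58e8},
    "cpu_utilization_percent": {"host_total": 18.0, "remote_total": 22.0},
}})

# Constructed sample: WAN -> LAN run (iperf3 -R), stuck around 550 Mbps
# while both test endpoints are nearly idle.
DOWNLOAD_JSON = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 5.53e8, "retransmits": 340},
    "sum_received": {"bits_per_second": 5.51e8},
    "cpu_utilization_percent": {"host_total": 9.0, "remote_total": 11.0},
}})

TARGET_BPS = 1e9        # the 1G/1G service being asked about
TOLERANCE = 0.90        # assumption: TCP/IPv4 at 1500 MTU tops out near 94% of 1GbE
CPU_CEILING = 85.0      # assumption: above this an endpoint, not the firewall, is suspect


def summarize(raw_json):
    """Reduce one iperf3 JSON result to the three numbers that matter here."""
    end = json.loads(raw_json)["end"]
    cpu = end["cpu_utilization_percent"]
    return {
        "goodput_mbps": round(end["sum_received"]["bits_per_second"] / 1e6, 1),
        "retransmits": end["sum_sent"].get("retransmits", 0),
        "endpoint_cpu_max": max(cpu["host_total"], cpu["remote_total"]),
    }


def verdict(summary, target_bps=TARGET_BPS):
    """Pass if goodput clears the target; otherwise say whether the firewall is to blame."""
    if summary["goodput_mbps"] * 1e6 >= target_bps * TOLERANCE:
        return "pass"
    if summary["endpoint_cpu_max"] >= CPU_CEILING:
        return "inconclusive: test endpoint is CPU-bound, rerun with faster hosts"
    return "fail: firewall path is the bottleneck"


def evaluate(upload_raw, download_raw):
    """Both directions must pass for a 1G/1G verdict."""
    return {"upload": verdict(summarize(upload_raw)),
            "download": verdict(summarize(download_raw))}


if __name__ == "__main__":
    print(evaluate(UPLOAD_JSON, DOWNLOAD_JSON))
```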

