Is this a good appliance for my setup?



  • Hello,
    I am watching an ebay item that has pfSense preinstalled.  The specs indicate it is a 1 GB CF install on an N270 1.6 GHz Atom with 2 GB ram.  It comes with 2 GbE ports and wifi.

    Are these specs strong enough to handle a 20 Mbit connection with HAVP and Snort running?  Can it handle 75 or 150 Mbps up and down?  Below is the appliance I am looking at.  A quick response would be appreciated as they are in limited supply.

    http://www.ebay.com/itm/321627877793



  • i don't think so.

    The 20mbit/s should work without problem 75/150 could be a problem.
    but i don't think that the atom is capable of Snort and HAVP.

    I'm running a Apu 1c4d 2x1GHZ on a 100Mbit Fiber connection without snort Havp etc. and its going up 80% CPU Usage.



  • That was my guess as well, would probably work fine up until ~200-300Mbps or so.  I don't run Snort or HAVP, only Suricata so I don't know what impact HAVP has on CPU usage.

    I estimate that my Core2Duo 3GHz can handle about 1.2Gbps with Suricata running and a modest set of rules (pfBlockerNG).



  • I see.  Ok thanks for the replies.  I couldn't find anything better around that price range so I went ahead with it.  It is replacing an RVS4000 which maxes out at 15 Mbps down with IPS on.  I won't have access to anything higher than 20 Mbps for another couple years but I was just trying to plan ahead.  By that time I can replace it with something better.

    I may just skip HAVP since it is a pain to setup anyways.  I haven't tried Snort yet but I expect similar difficulty.  I might even break the unit apart to add cooling and overclock it, hypothetically of course.

    I am interesting in looking into Suricata.  I'm curious how that stacks against Snort.  I do want at least IPS in this setup.



  • @neo243:

    and its going up 80% CPU Usage.

    Did you enable PowerD (max.)?

    @Evancool
    Snort & HAVP perhaps on top Squid & SquidGuard would be causing more then the Atom 1,6 GHz is able to serve.
    So at this days it would be the best and also future proofed to go with an Intel Atom C2xxx board in my eyes.
    Supermicro is producing C23xx, 25xx and 27xx boards with 2, 4 and 8 core cpu´s and they are sufficient to
    manage all this options and features given by pfSense. Mini ITX cases that will fitting perfect are also in the
    run from Supermicro, if this would be to high pricing you should go by a Jetaway board with 2 core and 3,0
    GHz or narrow down the entire features you will be using.



  • Thanks.  Yes I did study the C2xxx Atoms from Supermicro.  I really wanted a C2758 but was just too expensive.  The lesser supermicros were still in the $300+ range.  My max would be $200 for now.  I do realize the 1.6 atom on the ebay item is only single core but I am hoping the hyperthreading and leaving PowerD off can make up for it a little.



  • @Evancool:

    The lesser supermicros were still in the $300+ range.  My max would be $200 for now.  I do realize the 1.6 atom on the ebay item is only single core but I am hoping the hyperthreading and leaving PowerD off can make up for it a little.

    Don't forget those 'older' atoms are 32-bit only. I think it would be wise to get a platform that runs 64-bit. Maybe you can find a different board based on a C2358 within your budget? I would rather have had a C2758 myself, but when I look at the CPU load with my C2558, it's just not needed for semi-professional use.

    Of course I would really like this board: http://www.supermicro.nl/products/motherboard/Xeon/D/X10SDV-8C-TLN4F.cfm
    As long as I'm not paying for it myself!  :o



  • PowerD off can make up for it a little.

    Please don´t do so, this can be also running in the total other direction as you imagine or expect it!
    Alix APU:

    • ~400 - 450 MBit/s throughout with PowerD off
    • ~680 - 750 MBit/s throughput with PowerD on


  • And which option do you recommend with PowerD?

    • Hidaptive
    • Adaptive
    • Minimum
    • Maximum

    Which option gives the best performance, and which the poorest?



  • @robi

    as I am right informed you will be able to set it up as you or your hardware will be
    need it or you want to save electric power.

    And which option do you recommend with PowerD?

    Even that one that matched your personal needs (this can be differ from user to user)
    or what matches right your hardware, making pfSense runs smooth and liquid!

    pfsense > System > Advanced > Miscellaneous

    • Hidaptive

    PowerD is only using the maximum of the CPU clock frequency

    • Adaptive

    PowerD is using from the minimum to the maximum of the CPU clock frequency

    • Minimum

    PowerD is only using the minimum of the CPU clock frequency

    • Maximum

    PowerD is only using form the minimum to the maximum of the CPU clock frequency (recommended)

    From the pfSense Doc`s:
    To force it to use EST rather than throttling or p4tcc add the following lines to loader.conf.local

    hint.p4tcc.0.disabled=1
    hint.acpi_throttle.0.disabled=1
    

    ACPI throttling and p4tcc do not provide any measurable power saving.

    If I am wrong, please correct me.



  • Read this:
    https://www.ateamsystems.com/tech-blog/increase-freebsd-performance-with-powerd/

    So if these guys are correct you need to enable PowerD if you want to use speedstep and/or turbo boost.



  • I've played around with PowerD on Supermicro A1SRi-2758f. When enabled and set to Hidaptive, preformance decreases dramatically at start. After about 5 to 10 seconds, it wakes up fine.
    So  I have about 80-85Mbit/sec for the first 5 to 10 seconds, which afterwards jumps to the expected gigabit-close value.
    Not good.
    Without PowerD enabled, it runs properly at max throughput.

    That motherboard has so little power usage even when maxed out, that it's simply not worth the trouble of fooling around with jumping CPU speeds.



  • Atom N270 - ancient.  Don't buy it.



  • Supermicro A1SRi-2758f is not based on Atom N270.



  • I just answered the first original question only…


Log in to reply