Hardware vendor recommendations?
I've looked around this forum, the HCL, the guides on correct hardware for usage, and spoken to a couple of online retailers about pfSense and hardware, and I have some questions:
It seems everybody universally hates Realtek chipsets and favours Intel.
I've seen some people say the nForce2 chipset is particularly poor on PCI performance.
SOHO users regard the ALIX/WRAP boards, and admins of larger networks find them lacking.
What do people think about VIA or Marvell chipsets?
Personally I will be looking to set up a machine to provide QoS, bandwidth throttling, subnet segregation and proxy caching (with the Squid add-on) for up to 10 clients on a 17/2.5Mb ADSL2+ connection, which I believe pfSense can support.
So I have the choice of buying an ALIX (2C3) setup which will fit nicely in a 1U 19" rackmount (important for my needs), reusing older machines, mainly 2~2.8GHz AMD Socket A systems (mostly with the poorly recommended nForce2 and Realtek chipsets, unfortunately, but some VIA or Marvell LAN cards), or investing in a new machine. Is it best to put up the cash, or will the less popular hardware suffice?
Any recommendations are appreciated, thanks in advance.
Edit: in case it helps, I will be connecting to the ISP with a Netgear DG834G ADSL router. I would consider using an ADSL modem on the pfSense box, but apparently there are no ADSL2+ PCI modems.
At the moment I am testing pfSense on a virtual machine with 3 USB 10/100 NICs. Performance-wise it is as painful as you may expect (I can copy a 300MB file in 170 minutes), but the features and ease of use are very impressive.
If you've got spare hardware, I'd be tempted to use that and see what your results are. pfSense is easy to move from machine to machine especially if you are able to disconnect the storage from one machine and connect it to the new machine.
I looked around at the various options, with a strong preference for a rack mount system. ALIX didn't have the power I needed, and the mini-ITX solutions tended to be compromised somewhere, especially on the amount of RAM available (important if you want to use Snort).
I settled on a Dell PowerEdge R200 - which is a reasonably inexpensive 1U rack mount server. It doesn't have the enterprise level redundancy of a higher end PowerEdge - there's no hot swap hard disks, hot swap fans and redundant power supplies, which you can get in the more expensive R300 and 1950 III, but at a rather higher price. Nevertheless, the R200 is a solid machine.
The R200 is all Intel including an ICH9 chipset, and a single Xeon dual core or quad core processor. The exception is the NICs, which are two Broadcom gigabit controllers. These NICs are well supported in FreeBSD - they don't quite have the well deserved following of the Intel gigabit parts, but they don't have the hassles of Realtek NICs.
About the only annoying thing with the R200 is that Dell's BIOS doesn't support the AHCI mode of the built in SATA controllers. This means that you can't use their RAID functionality; if you want RAID 1, Dell want to sell you a SAS 6/iR card. I haven't got one of those cards in my R200, but I'm thinking of upgrading it to one before going into full production. At the moment, pending sorting out the UPS for this machine, I'm running pfSense on it using the LiveCD and a USB memory key for the configuration.
I got my R200 at a very good price from my account manager as part of a much larger order. Still, you could do worse than take a look at the Dell web site for your country, even if it's just to get a comparison point for further investigation.
If you do buy an R200, you'll need to use the build of pfSense 1.2-RELEASE based on FreeBSD 6.3 which can be found here. The 'true' 1.2-RELEASE is based on FreeBSD 6.2, which doesn't support the ICH9 SATA controllers. pfSense 1.2.1 is on the way, which will be based around FreeBSD 6.3.
Thanks for the reply.
You mentioned the ALIX boards weren't powerful enough for your needs; can I ask what they are? I'm trying to gauge what mine will be right now.
Sorry I wasn't very specific in my first post; I was originally just going to ask if people preferred, say, Broadcom over VIA, 3Com over Marvell, etc.
Some other considerations I had are for low-power, silent/quiet machines. I did take a look at the R200; it is impressive, but I can imagine the noise it makes would be unbearable! I will be less than a few feet away from whatever I end up using.
A silent and low-power rackmount system, or an ATX box that I can tweak for power consumption and have options regarding quiet cooling, I think are my best options. The ALIX is small and neat; if it is powerful enough for me it would be perfect. Otherwise recycling an older machine and throwing in some rev. 1 Netgear FA311s (NS DP83815 via chipset - not sure how they compare?) would avoid any further expense.
I've actually just re-read the hardware recommendations on the main site; I missed the bit that says 'most' features are not concerns for hardware choices. Based on that I could probably get away with even the lowest spec.
People have achieved wirespeed with their ALIX boards (100 Mbps) with something like 10 rules (no VPN).
Actually, the PowerEdge R200 is a quiet box - surprisingly so. I have mine sat in my office at the moment, waiting for the server rack to be installed in its final location. It makes much less noise than the cooling fans in the 24 port L2 managed gigabit switch that's with it. The R200 has a small power supply fan, also a couple of blowers at the CPU end of the motherboard which seem to be temperature sensing. Some R200's have a fan on the expansion card bay, but this is only fitted when necessary (according to the hardware manual, the expansion card fan must be fitted when a SAS controller with external ports is fitted).
My intention is to use Snort - an ALIX board doesn't have enough RAM for Snort (I'm expecting to need most if not all of the 2GB currently in the box - it can be expanded to 8GB) and possibly not enough processor power. As there's much noisier kit going in the rack when deployed, including a PowerEdge 2950 III, the R200 was an obvious choice at the price I paid for it. When I began to price up a rack mount Mini-ITX based setup, I got very near to the price of the R200 without having the power of the R200.
All but the Intel-processor Mini-ITX boards tend to cut off at 1GB of RAM. If you're going to use a Core 2 Duo based Mini-ITX setup (Intel Atom is some way from release) you're going to need active cooling of the processor, and sorting out the necessary airflow in a 1U rack mount case might not be easy. The parts for a Core 2 Duo based setup got very close to what I paid for the R200.
I'd take the R200 as a comparison point for what can be done if you want an Intel processor, Intel chipset and Broadcom NICs. Dell have solved all the cooling and rack mount installation problems for you. If your rack is a telco / switching type rack, the R200 is too deep anyway; you really need a four post server rack for an R200.
For firewalling, traffic shaping and a bit of modest VPN usage, an ALIX board is probably sufficient - as Klug says, people have got wirespeed performance out of them. The VIA chipsets and NICs used aren't bad. If it wasn't for wanting to run Snort, and the relatively expensive rack mount chassis, I would have gone for an ALIX 2C3. I may still put an ALIX 2C3 in my rack as a backup firewall using CARP (obviously, the backup system would have to run without Snort - but it would only be there as a failover).
With Mini-ITX, the biggest shame is the cheap NICs used on many boards. Liantec make Mini-ITX boards with Intel Gigabit NICs, though these boards seem to be seen for sale less commonly than Jetway and similar boards.
It would probably help if you set out the requirements you have for your pfSense machine in terms of traffic speed on each interface, any information you can give about what sort of traffic it is and your traffic shaping requirements, any VPN requirements you have and any packages that you wish to use.
VPN will be handled by a domain server I have, so that isn't an issue. I would need a 'private' and 'public' interface, as well as the WAN.
The public link will be segregated from the private. At the moment I have an ADSL modem router to which the public connect, which also links to another router that serves the private network. By subnetting, the public LAN cannot see the private simply because it doesn't know where to route to, so a very simple but very cheap approach.
The public LAN will probably never have more than 3-4 clients with minimal traffic. At the moment it only has 2, which I will limit to say 4Mb/512Kb down/up when traffic shaping is possible. The private network will not be limited at all, and hardly ever tops 10Mb/1.5Mb.
Web caching will ideally be done on both interfaces, but if it's not possible then on the private only. I have other questions about caching performance and the limits of the ALIX board, as it only has a single CF interface as far as I can tell, but I will do some research before I start on that.
I don't really intend to use any traffic analysis like Snort, but will use SNMP (again possibly questions on that after I do the decent thing and use the search feature first).
Thanks for the replies so far, and David_W, cheers for the details on the other kit. I think though silent, not just quiet, is one of the top priorities, so it seems if it can do what I need the ALIX system is my best bet.
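The three-interface layout and the 4Mb/512Kb cap on the public LAN described in the post above, written out as a pf ruleset with ALTQ. This is an added example for illustration, not text from the original thread and not the ruleset pfSense's GUI generates; the interface names vr0/vr1/vr2, the 192.168.1.0/24 and 192.168.2.0/24 subnets and the 2500Kb WAN ceiling are assumptions. It enforces the public/private separation with an explicit block rule (and keeps the public LAN away from the firewall itself apart from DNS) rather than relying on the public subnet merely having no route to the private one:

```pf
# Added example pf.conf fragment. Interface names, subnets and the WAN
# upstream figure are assumptions, not taken from the original post.
ext_if   = "vr0"             # WAN, toward the DG834G
priv_if  = "vr1"             # private LAN, unlimited
pub_if   = "vr2"             # public LAN, capped at 4Mb down / 512Kb up
priv_net = "192.168.1.0/24"
pub_net  = "192.168.2.0/24"
wan_up   = "2500Kb"          # assumed ADSL2+ upstream ceiling

set skip on lo0
scrub in all

# Downstream cap: everything the firewall sends toward public clients shares
# a 4Mb pipe. It is the only queue on that interface, so it is the default.
altq on $pub_if cbq bandwidth 4Mb queue { pub_down }
queue pub_down bandwidth 4Mb cbq(default)

# Upstream: carve 512Kb of the WAN ceiling out for the public LAN and let the
# private LAN borrow whatever is idle. Child bandwidths sum to the parent.
altq on $ext_if cbq bandwidth $wan_up queue { priv_up, pub_up }
queue priv_up bandwidth 1988Kb cbq(default borrow)
queue pub_up  bandwidth 512Kb  cbq

# NAT both inside networks out of the WAN address.
nat on $ext_if from { $priv_net, $pub_net } to any -> ($ext_if)

# Default deny; everything below is an explicit exception.
block log all

# Segregation: public LAN may not reach the private LAN at all, and may reach
# the firewall only for DNS. 'quick' stops evaluation at the first match.
block in quick on $pub_if from $pub_net to $priv_net
pass  in quick on $pub_if inet proto { tcp, udp } from $pub_net to ($pub_if) port 53 keep state
block in quick on $pub_if from $pub_net to ($pub_if)

# Public clients may reach the Internet. The state created here carries the
# pub_up queue, which pf applies when the packet later leaves $ext_if.
pass in on $pub_if from $pub_net to any keep state queue pub_up

# Private LAN is unrestricted, including toward the public LAN.
pass in on $priv_if from $priv_net to any keep state

# Firewall-originated traffic; replies to the states above match by state.
pass out on $ext_if  keep state
pass out on $priv_if keep state
pass out on $pub_if  keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -vs queue` afterwards to confirm pub_up and pub_down are seeing traffic. Note that DHCP for the public LAN is not covered here (DHCP discovers come from 0.0.0.0, not $pub_net), so a rule for UDP 67/68 would need adding if the firewall is the DHCP server on that segment.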
Well, I've been running pfSense on a 700MHz/386MB test box and it's been solid as a rock. Any questions about caching speed seem irrelevant after I found out the board only supports UDMA33 anyway. I would just use it as it is, but the power draw is still a bit high for my liking.
Apparently the ALIX 2C3 board does have a 44-pin IDE connector (the first revision didn't, so a lot of the images you find online suggest the CF socket is the only way to provide storage), so I think I'll be going for one of those with a HDD for the full install.
Thanks again for all the help.
SOHO users regard the ALIX/WRAP boards, and admins of larger networks find them lacking
Depends on how you define "larger networks". :) If you're doing NAT, firewalling, a little VPN, and don't consistently need more than 75 Mb of Internet throughput or 10 Mb of VPN throughput, and have fewer than 500 machines you'll be fine with an ALIX.