Netgate Discussion Forum

    Another new build - spec check please - NOW WITH PICS

    Hardware
    14 Posts 3 Posters 5.3k Views
    • TomHBP

      Hi all,
      I'm new to pfSense - I've done a lot of reading, but as yet, no using.

      I want to build a box to separate every device in my house from my Virgin Media cable modem:

      :SuperHub Cable modem:-----:PFSENSE BOX:-----:Switch, Wifi router etc:

      The primary purpose of the box will be to tunnel everything in the house over OpenVPN (AES-256), but I would also like to use Squid and Snort.

      My current download speed tops out at around 106Mbps, and using an OpenVPN client on my wired PC, I get no appreciable loss of speed.

      Hardware which I already have:
      -Regular spinning HDD
      -HP NC360T Dual intel NIC card (Plan to use one for WAN and one for LAN, and not use motherboard LAN at all)
      -120W Pico PSU.
      -MiniSYS M8 case (modified to accept PCI-E NIC card)

      I'm mainly after advice on what processor/mobo to go with, and how much RAM - I currently plan to use 4GB of 1600MHz - is this enough?
      I'm only considering processors that support AES instructions, and have the lowest TDP possible, as it will run 24/7/365. Initial outlay cost is also a driving factor.

      My current options (Ranked first to last) are:

      1. Biostar A68N-5000 with integrated A4-5000 Quad-core 1.5GHz processor.
        http://www.biostar.com.tw/app/en/mb/introduction.php?S_ID=712

      2. ASRock QC5000-ITX/PH - same processor as above but with M-PCIE slot and more SATA connectors.
        http://www.asrock.com/mb/AMD/QC5000-ITXPH/

      3. ASRock N3150-ITX - using the Intel processor, has a higher clock speed (+ Turbo) and a lower TDP.
        http://www.asrock.com/mb/Intel/N3150-ITX/

      Although the N3150 has a lower TDP and a higher clock (+ Turbo), its AES scores in Geekbench are less than half what the A4-5000 scores.
      From what I have read, OpenVPN on pfSense only runs on a single core, so the better AES scores of the A4 seem to make it a better choice as it will be permanently VPN connected - although if I'm wrong please explain why!
      Geekbench of N3150 - http://browser.primatelabs.com/geekbench3/3222068
      Geekbench of A4-5000 - http://browser.primatelabs.com/geekbench3/1950692

      All advice is appreciated!

      Many thanks,
      Tom.

      • Guest

        In the Q/2016 PC Engines will be launching a brand new APU2B4 Board that comes with the following tech. specs.:

        • AES-NI
        • Intel NICs
        • Quad Core CPU
        • 4 GB ECC RAM
        • 3 miniPCIe Slots

        All together for something around ~250 €, it will be the best compromise between power consuming and saving.
        If you are not from Europe but from the USA, this board would be hitting them all; it is without AES-NI but
        either strong enough to take 1 GBit/s at the WAN port and Snort on top: Jetway NF9HG-2930

        • 4 Intel LAN Ports
        • Quad Core CPU
        • 2 x miniPCIe + SIM slots (mSATA, WiFi & Modem)
        • max. 8 GB RAM
        • mini ITX

        Board ~$220
        RAM ~$30
        mSATA ~$50
        In total ~$300, and you can turn it into a full UTM device using Squid & SquidGuard, Snort and HAVP;
        in my eyes better than all the other home brew options.

        • whosmatt

          The hardware you already have seems on par; the HP NC360T is well supported and is in my own build.  4GB of RAM is plenty; most of it will probably go unused.  I think any of the boards you mentioned would be a good choice.

          As a lark, I connected to my openvpn server from my own LAN using NAT reflection and ran iperf against the openvpn IP on pfsense, with the pfsense box as the server.  On my Sempron 2650 (Kabini, dual 1.45GHz) I got 300+ Mbps and had a little processor room to spare.  It may have been even faster had I not used a virtual machine as the client.

          Ymmv, but you're on the right track.

          Matt

          EDIT: Apparently my test wasn't quite on track. So, I'm testing the old-fashioned way. I have a machine in AWS and I set it up as an openvpn client (I know, not quite the same) and pushed large files to my home network using SCP and CIFS. Both topped out at about 30Mbps, but my connection download is 50Mbps. CPU usage by openvpn on pfSense was around 22% in both cases. If I can extrapolate (and not sure that is valid) then a single Kabini core @ 1.4GHz should be able to push around 120Mbps of OpenVPN.

          • TomHBP

            Bluekobold - thanks, those boards look very interesting, however the clock speed of the processor only appears to be 1GHz, and based on the same AMD Jaguar architecture as the A4-5000 chip, presumably meaning it will be almost exactly 2/3 of the speed too. Also, the kit I'm looking at only comes in at €110 for mobo+process, RAM, NIC, and PicoPSU.

            Whosmatt - thanks for the test results! That seems to be pretty much in line with the research I've done. Thanks for the confirmation - think I will go with the A4!

            I will post results and pics in the new year when I've had a chance to build!

            Many thanks,
            Tom.

            • Guest

              This one could also match really to your installation and your needs.
              Intel Celeron 1037U 8 GB & 2 SFP Slots
              But the price is much higher than you want to go;

              • ~220 € barebone
              • ~80 € shipment

              But this board has all onboard.

              • whosmatt

                @TomHBP:

                Bluekobold - thanks, those boards look very interesting, however the clock speed of the processor only appears to be 1GHz, and based on the same AMD Jaguar architecture as the A4-5000 chip, presumably meaning it will be almost exactly 2/3 of the speed too. Also, the kit I'm looking at only comes in at €110 for mobo+process, RAM, NIC, and PicoPSU.

                Whosmatt - thanks for the test results! That seems to be pretty much in line with the research I've done. Thanks for the confirmation - think I will go with the A4!

                I will post results and pics in the new year when I've had a chance to build!

                Many thanks,
                Tom.

                If you're not set on fanless operation, you might try the AM1 socketed boards, which will provide higher clock speeds and the possibility of a drop-in upgrade for the CPU. Current choices go up to the Athlon 5350 which adds 500+ MHz per core over the A4-5000 and fits in a 25W envelope. I find the small fan on the heatsink not loud at all, especially considering my hardware is located in a cabinet with a Drobo, which is the loudest thing in there.

                • TomHBP

                  The 1037U board does look great for the price, but I can't see what brand the onboard NICs are?
                  Also the 1037U doesn't support AES - something which I think I could do with. There is also no onboard graphics - is this not needed for the initial install of pfSense??

                  I had also looked at the 5350 and an ASUS AM1I-A Mobo to allow me to underclock it (for heat and power management purposes) but the lower power consumption and fanless operation of the A4 swung it for me.

                  I have ordered the A68N-5000 and 4GB of DDR3L RAM… I'll post on how it works out, with pics of course!

                  Thanks for the help!

                  Tom.

                  • TomHBP

                    So… It Lives!!
                    I went with the Biostar A68N-5000 and 4GB of RAM in the end.

                    I have successfully got a working system, that is now tunneling all of my network traffic over OpenVPN!
                    I'm currently using AES-128, as I'm still having a problem getting AES-256 to work - I'm currently waiting on the correct settings from the VPN provider.

                    Having done a few speed tests, I was getting ~108Mbps before the pfSense box was installed, and I'm now getting ~99Mbps through pfSense and OpenVPN.
                    I have a problem enabling the AES instructions (but I think that's for a different post), so just using raw processor power, I see 26-30% CPU utilisation when downloading at 99Mbps - I'm very impressed!

                    Expect many other software related questions over the coming months, but for now, here's some pictures!
                    (Excuse some of my slightly ghetto cable-tie fixes, but you can't see it when the lid's on ;)

                    Sorry - Google Drive's links don't like being inserted as [IMG's] so you will have to click!

                    https://drive.google.com/file/d/0B189OsjA9tPSd2xUR3dFZUlwR2c/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSZWtrYktpRmJDaXc/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSUjNZZ1BUM3JiZ2c/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSMi1vSm1jSUNlRjg/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSNGRhSFVueF85MGs/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSUXJCX2N2Z3BQbWM/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSekZDbnJiajEwM2M/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSNlE0RWRkZFJpTWM/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSVV9JNGJUdXZLWjQ/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSUW1QMFAxejB3azg/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSZ0FYS2d6ZFI0UjA/view?usp=sharing
                    https://drive.google.com/file/d/0B189OsjA9tPSN09LbXN2VFEzdXc/view?usp=sharing

                    • Guest

                      Having done a few speed tests, I was getting ~108Mbps before the pfSense box was installed, and I'm now getting ~99Mbps through pfSense and OpenVPN.

                      You could try out to set up the following;

                      • Enable PowerD (hi adaptive)
                        To get the right CPU frequency and TurboBoost really good working
                      • high up the mbuf size
                        Will not run for you pending on the small amount of RAM

                      • whosmatt

                        As far as crypto hardware acceleration is concerned, I believe you need to go to System > Advanced > Miscellaneous and select AES-NI.  Then, in OpenVPN, select BSD cryptodev engine.

                        Someone correct me if I'm wrong.

                        • whosmatt

                          @TomHBP:

                          Having done a few speed tests, I was getting ~108Mbps before the pfSense box was installed, and I'm now getting ~99Mbps through pfSense and OpenVPN.
                          I have a problem enabling the AES instructions (but I think that's for a different post), so just using raw processor power, I see 26-30% CPU utilisation when downloading at 99Mbps - I'm very impressed!

                          Do you see that CPU usage at the web UI?  What do you see if you get a console going and watch top?  Just curious about what the openvpn process itself is using.

                          Matt

                          • TomHBP

                            Frank - thanks for the advice, I have enabled PowerD on hiadapt and added mbuf as a tunable - currently set to 131072 as in the pfSense docs. Anyone know if this is in bits / bytes or kbits etc??

                            Matt - good that you said that! In my other thread https://forum.pfsense.org/index.php?topic=104096.0 that is exactly what I've done to get AES, so far quite ineffectually!

                            Yes, that was CPU from the UI - it was at 0-1% until I started a download. Even Netflix at 1080 HD doesn't tax the CPU beyond 3-4%.
                            Not sure what you mean by watching top in a console? Please elaborate.

                            Thanks again,
                            Tom.

                            • whosmatt

                              @TomHBP:

                              Not sure what you mean by watching top in a console? Please elaborate.

                              If you have a monitor and keyboard connected to the system, you can use option 8 in the console menu to get a shell. At the shell prompt, type "top" and you'll be able to see a list of processes sorted by CPU usage. Start a transfer and you'll be able to see how much CPU the individual openvpn process is using. IIRC 100% would mean 100% of one core, not of the entire CPU.

                              If no monitor / keyboard, then enable SSH (System > Advanced). I think it may be called Secure Shell in the Web UI. Then use an SSH client like PuTTY to connect to the box using "root" as the user and the same admin password you use for the Web UI. You'll get a console menu like described above.

                              Matt
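
The per-process check described in the post above, as an added example that is not part of the original thread: it pulls the openvpn WCPU figure out of `top`-style output and scales a measured throughput to 100% of one core. The function names and the sample output are constructed for illustration, and the linear scaling is an assumption, not a measured result.

```shell
#!/bin/sh
# Constructed sample resembling FreeBSD top output (not captured from a real box).
sample_top() {
cat <<'EOF'
last pid: 41822;  load averages:  0.42,  0.31,  0.20  up 3+02:11:45
45 processes:  2 running, 43 sleeping

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
23110 root          1  52    0    21M  7112K select  2  12:31  55.00% openvpn
  312 root          1  20    0    98M    24M kqread  0   1:02   1.46% php-fpm
41790 root          1  20    0    13M  3620K CPU1    1   0:00   0.10% top
EOF
}

# Sum WCPU for every process whose command is exactly "openvpn".
# The WCPU column is located from the header row, so the parser does not
# depend on whether the "C" (CPU number) column is present.
openvpn_wcpu() {
  awk '
    col == 0 { for (i = 1; i <= NF; i++) if ($i == "WCPU") col = i; next }
    $NF == "openvpn" { v = $col; sub(/%/, "", v); sum += v }
    END { printf "%.2f\n", sum }
  '
}

# Estimate the throughput at which one core would saturate.
# $1 = throughput observed during the transfer (Mbps)
# $2 = openvpn WCPU in percent, where 100 means one full core
# Assumes CPU cost grows linearly with throughput.
single_core_ceiling_mbps() {
  awk -v m="$1" -v c="$2" 'BEGIN {
    if (c <= 0) { print "n/a"; exit }
    printf "%.0f\n", m * 100 / c
  }'
}

wcpu=$(sample_top | openvpn_wcpu)
echo "openvpn WCPU: ${wcpu}% of one core"
echo "estimated single-core ceiling at 99 Mbps observed: $(single_core_ceiling_mbps 99 "$wcpu") Mbps"
```

On the firewall itself, replace `sample_top` with the output of `top` run in batch mode while a transfer is in progress.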

                              • TomHBP

                                Thanks for the explanation Matt  :)

                                Currently on my Christmas break, but I will test it out and report back in the New Year.

                                Tom.
