Status of Realtek NIC support and the importance of AES-NI?
-
After a long sojourn over to OpenWRT and a brief experiment with a EdgeRouter Lite I'm looking to come back to PFsense which I've not really used since version 1.x.
What I'm after is something that is small, low power and fanless, and not hugely expensive. The SG-2220 looks interesting, but doesn't appear to be sold in Europe making hardware support a little tricky. Supermicro is another option, but they are quite pricey. So I'm looking at stuff from Aliexpress which falls into the territory of "if it breaks, it's cheap enough to throw away".
What I would like to know is the status of support for Realtek NIC's like the RTL8111 and RTL8168, and how well they work for a typical SOHO setup. I know Intel is better, but I'm not going to be doing hugely intensive routing.
Also, other than accelerating AES VPN's, would AES-NI be useful for anything?
My ideal setup would be a Braswell ITX board with a i340 T4 card, but I can't seem to find a Braswell ITX with a x4 slot yet.
-
AES-NI is useful for accelerating any task where AES used and the appropriate code has AES support. As you note, AES-NI is only really useful for AES VPNs on pfSense.
My understanding is that Realtek NICs mostly work well enough, though they are not as robust as Intel NICs nor do they have all the offload capabilities of Intel NICs. There are many people using small embedded boards with Realtek NICs successfully.
Given that you appear to be looking for new hardware, it may be worth looking around for boards with Intel NICs - they do exist. One option is PC Engines apu2 series, but, before buying one of those I would look around in the forums. My impression is that there are still some BIOS issues and stability issues with pfSense running on apu2 at the moment. This is not terribly surprising, as apu2 is still a fairly new product. apu2c boards seem to be a respin of apu2b that incorporates the apu2b wire fixes into the PCB.
Edit to add: You might find it worthwhile to read the apu2 thread.
Make sure that whatever you buy has 64 bit support, and that you install the amd64 versions of pfSense. The i386 version of pfSense is likely to disappear in the future, possibly following the last 2.3 release.
If you are starting fresh with pfSense, it might be in your interests to go straight to 2.3. 2.3 is still a beta version, with the resulting potential for some instability, but the base code is now pretty stable and there are numerous issues with 2.2.x that are fixed in 2.3.
The main drawback of 2.3 at present is that package support is not as mature as 2.3. Some packages are unavailable for 2.3, whilst others do not have a fully functional GUI.
-
I have looked at the APU2, as I own an ALIX 2D3 which is still running without issue. I would use this for PFsense (in the short term) but the GUI is too slow to be used. It's currently running Halon Security Router without issue.
The main reason I'm not as tempted by the APU2 is the CPU might not be enough for Snort, based on what I've seen so far. So I think I would be better placed to wait until the recently announced Braswell desktop CPU's make their way into ITX boards with dual Intel NIC's.
How is the J1900 for PFsense? I've seen a number of fanless ITX boards with 4-6 Intel NIC's for about £100 on Aliexpress.
-
Seems like you can buy a sg-2220 at https://shop.voleatech.de/
After a long sojourn over to OpenWRT and a brief experiment with a EdgeRouter Lite I'm looking to come back to PFsense which I've not really used since version 1.x.
What I'm after is something that is small, low power and fanless, and not hugely expensive. The SG-2220 looks interesting, but doesn't appear to be sold in Europe making hardware support a little tricky. Supermicro is another option, but they are quite pricey. So I'm looking at stuff from Aliexpress which falls into the territory of "if it breaks, it's cheap enough to throw away".
What I would like to know is the status of support for Realtek NIC's like the RTL8111 and RTL8168, and how well they work for a typical SOHO setup. I know Intel is better, but I'm not going to be doing hugely intensive routing.
Also, other than accelerating AES VPN's, would AES-NI be useful for anything?
My ideal setup would be a Braswell ITX board with a i340 T4 card, but I can't seem to find a Braswell ITX with a x4 slot yet.
-
It's over $400 in the EU, which puts it into the range of a C2758 ITX system. It's a nice system but at that price other options look more cost effective for SOHO.
-
My understanding is that Realtek NICs mostly work well enough, though they are not as robust as Intel NICs nor do they have all the offload capabilities of Intel NICs. There are many people using small embedded boards with Realtek NICs successfully.
My experience is that the difference is mostly CPU load at a given level of throughput. The difference is negligible IMO unless you're trying to realize close to the full theoretical throughput. For a SOHO environment with less than a symmetrical 1Gbps connection, you'll probably be fine.
-
Status of Realtek NIC support and the importance of AES-NI?
Realtek NICs are also supported likes the Intel or Broadwell ones, but often the Intel ones
are coming with a better driver support and are often giving more throughput like the
cheaper RT NICs but the Intel NICs are often a little bit higher in the price.The SG-2220 looks interesting, but doesn't appear to be sold in Europe making hardware support a little tricky. Supermicro is another option, but they are quite pricey. So I'm looking at stuff from Aliexpress which falls into the territory of "if it breaks, it's cheap enough to throw away".
Hm, you are asking for something from Alixexpress and then you ask also for a SG-xxxx unit from
the pfSense store? This are two really different worlds in my eyes, but the Sg-xx unit is more reliable
for you and more future proof in my eyes. They can be bought at the following stores here in Europe:- Volatech (Germany)
- Varia-store (Germany)
- Amica (U.K.)
- viatitude (France)
A full list of all resellers in Europe you will be able to see here under choosing "Europe" as your area.
Partner & Reseller listWhat I would like to know is the status of support for Realtek NIC's like the RTL8111 and RTL8168, and how well they work for a typical SOHO setup. I know Intel is better, but I'm not going to be doing hugely intensive routing.
If you are able to get your hands on a device with Intel NICs I would suggest it, if not and the Realtek
chip sets are on the supported list (FreeBSD) you also can go with them with ease.Also, other than accelerating AES VPN's, would AES-NI be useful for anything?
It would be only used for VPN, nothing else, and then at this time only IPSec over AES-GCM will be
getting a benefit or profit from AES-NI, but then something around x4 or x5 speeding up the entire
throughput. So in an ideal case the throughput increases from 100 MBit/s to 450 MBIt/s - 500 MBit/s
which is in my eyes really cool!My ideal setup would be a Braswell ITX board with a i340 T4 card, but I can't seem to find a Braswell ITX with a x4 slot yet.
Did you ever thought about a Intel Atom C2x58 (Rangeley) based board? It will be able to get in three
different versions and it is really powerful. Also the new APU2 board will be a really good choice, perhaps
not really in this moment because the board is in the Beta stadium (B) and not in the consumer or distributor
stadium (C or D in the name of the board), but with 4 CPU cores, AES-NI and Intel NICs it will be really fine
for pfSense and enough for a home set up.I have looked at the APU2, as I own an ALIX 2D3 which is still running without issue. I would use this for PFsense (in the short term) but the GUI is too slow to be used. It's currently running Halon Security Router without issue.
The APU2 is coming for nearly the same price or for a little bit more, but it comes on top sorted with;
- AES-NI support
- Quad core CPU
- 4 GB ECC RAM
- Intel NICs
The main reason I'm not as tempted by the APU2 is the CPU might not be enough for Snort, based on what I've seen so far. So I think I would be better placed to wait until the recently announced Braswell desktop CPU's make their way into ITX boards with dual Intel NIC's.
It all depends on the Internet connection speed or the needed throughput, it will be able to run snort and
pfBlocker-NG without any issue, but the throughput you get then out is the point in my eyes.How is the J1900 for PFsense? I've seen a number of fanless ITX boards with 4-6 Intel NIC's for about £100 on Aliexpress.
Again, you get what you pay for! And Alixexpress is not well known for quality parts, but more for cheap parts.
Here are two well known things that would be matching your criteria and will fitting your needs for sure, but
not cheap as cheap can sell! The Intel J1900 is from 2013 and the N2930 is the follower from 2014.
IntelN2930:- Best Board in my eyes
It can be used together with normal mini ITX and thin mini ITX cases and the PSU will be sticked directly
on the board nothing else is needed
Intel J1900: - Axiomtek NA342
- Axiomtek NA342R
It's over $400 in the EU, which puts it into the range of a C2758 ITX system. It's a nice system but at that price other options look more cost effective for SOHO.
A C2758 Supermicro Board is at ~399 € here
- RAM
- Case
- PSU
- SSD
You might be fast running into the ~600 € - 700 € and a Jetway board and spare parts is only landing
at ~400 € in total here in Germany. - N2930 ~200 €
- case 50 €
- RAM 80 €
- mSATA 60 €