SG-2220 / 2440 purchase questions



  • Hello all.

    I'm trying to determine which product will be optimal for my usage.  I have looked at building rather than buying, where I know I can get more 'horse power', but the new hardware in the store looks appealing, albeit above the cash I currently have budgeted - more saving is required.

    Here's the use case:

    Home connection for two telecommuters using VPN on their clients (Windows)
    5 iPads pounding the crap out of Netflix and FaceTime
    Console gaming system
    2 PCs playing video games
    3 Macs mundanely surfing.
    Plex server serving local and transcoding remotely.
    Current connection speed is 100/10, however Fiber is currently rolling out in the area, and I expect to upgrade soon.

    Services currently on my hacked together from spare parts PC are:

    Squid3
    Squidguard  (all 'bad things' are rerouted to puppies and kittens)
    Squid AV
    Snort

    So the questions boil down to these:

    1. Which device is recommended for my application?  2220 or 2440?  I assume 2440 because of the ability to add extra storage for Squid, but I'll let the experts chime in.

    2.  Purchasing from pfSense direct offers two support calls - Does it also include access to the 2.1 book that comes with Gold?    While I am not clear on its content, my hope is it includes some 'recipes' for setting up and tuning configurations.  Most of what I've done has been based on Google-fu and forum reading, and I'm sure the book will cover topics not found easily in search.

    3.  Will the AES-NI of these devices help VPN clients on the network, or is it just for pfSense-based VPN?  Same question applies to the future implementation of QAT.

    4.  Futureproofing is top of mind for me, as I expect line speeds to increase from my provider.  I've spent a good part of the past two weeks reading about the SuperMicro 8-core builds, which the general consensus is it's massive overkill for my needs, but my concern is when I do get gigabit and want to run all these services - will I need to upgrade again, or would these devices keep me in firewall/content filtering bliss for years to come?



  • Just answering some questions as I'm not aware of gigabit WAN capabilities on those devices (especially with packages).

    @TheSpatulaOfLove:

    2.  Purchasing from pfSense direct offers two support calls - Does it also include access to the 2.1 book that comes with Gold?    While I am not clear on its content, my hope is it includes some 'recipes' for setting up and tuning configurations.  Most of what I've done has been based on Google-fu and forum reading, and I'm sure the book will cover topics not found easily in search.

    Yes, the book is included.

    @TheSpatulaOfLove:

    3.  Will the AES-NI of these devices help VPN clients on the network, or is it just for pfSense-based VPN?  Same question applies to the future implementation of QAT.

    It only helps when the VPN endpoint is on the pfSense, not when you are using VPN from a client behind.



  • 1. Which device is recommended for my application? 2220 or 2440? I assume 2440 because of the ability to add extra storage for Squid, but I'll let the experts chime in.

    Building a full UTM device for ~14 users, with VPN & gaming on top and an Internet connection
    climbing up to 1 GBit/s in the future, is not really the point, but more how much throughput you
    will get out after passing all these things!?

    So if I were in your situation I would rather deal with the SG-4860 or SG-8860, or alternatively:

    • Netgate RCC-VE 8860 (budget hint)
    • self made SuperMicro C2758
    • self made Xeon E31225v3
    • self made Xeon D-1518 or D-1528

    2.  Purchasing from pfSense direct offers two support calls - Does it also include access to the 2.1 book that comes with Gold?    While I am not clear on its content, my hope is it includes some 'recipes' for setting up and tuning configurations.  Most of what I've done has been based on Google-fu and forum reading, and I'm sure the book will cover topics not found easily in search.

    You will get the most out of the pfSense Docs, because they are maintained and a book gets outdated fast

    • The 2.1 book is available to get hands on
    • The older book will also be nice for digging out information about pfSense
    • Also nice to have and to get much out of: this Squid performance tuning

    3.  Will the AES-NI of these devices help VPN clients on the network, or is it just for pfSense-based VPN?  Same question applies to the future implementation of QAT.

    • Just for pfSense based VPN with best results using IPSec (AES-GCM)
    • Intel QuickAssist is actually not present in the pfSense code or activated, but could be a real gain.

    4.  Futureproofing is top of mind for me, as I expect line speeds to increase from my provider.

    Routing the 1 GBit/s will not be so far away; at the moment the PPPoE part is only single-threaded, but not
    forever, and they are working on this, I am pretty sure, because many people are getting 1.000 MBit/s or
    plain 1 GBit/s at the moment.

    I've spent a good part of the past two weeks reading about the SuperMicro 8-core builds, which the general consensus is it's massive overkill for my needs,

    I am not really sure about what we are talking here now, but let me explain it backwards for you.
    Please go and Google-fu for UTM devices and their price if they are able to deliver 1 GBit/s after
    passing the following tasks;

    • NAT
    • firewall rules
    • Snort (IDS/IPS)
    • http proxy (squid)
    • AV Scan (ClamAV)

    And then we should talk once more about what is overkill or right sorted to handle this for;

    • 14 users (like a small or SMB company)
    • Gaming, VPN, streaming, QoS, VLANs (perhaps)
    • firewall, Proxy, IDS, AV scan (full UTM) tasks

    And then, with perhaps 1 GBit/s routing at the WAN port on top, it would not really be overkill to go with an
    8-core Intel Atom SoC in my eyes. Others might see it differently.

    but my concern is when I do get gigabit and want to run all these services - will I need to upgrade again,

    No, you don't have to do this, but if only 200 MBit/s - 500 MBit/s of throughput is there then, you
    must live with this.

    or would these devices keep me in firewall/content filtering bliss for years to come?

    Could be or not, this is not so easy to answer, because the development team is working really hard
    on the pfSense code!!! It could be that you would be better off going with an Intel Xeon E3-1225v3 or, and
    this is the part no one could answer for you today;

    • netmap and DPDK will be speeding up the entire routing process massively
    • real CPU multicore usage, also on the PPPoE WAN part, will be jumping in
    • Intel QuickAssist will be enabled to speed up OpenVPN & other VPN connections
    • AVX/AVX2 registers will be used for some other parts to act faster or stronger
    • Other unknown things are occurring and pushing the entire system based on their capabilities

    Again, if I were in your situation I would really think about it once or twice and then decide to go
    with something that is really nice, power saving, but strong enough to handle all this load and tasks!
    My favorite would be a SG-8860, Netgate RCC-VE 8860, Supermicro C2758 or a self made Intel Xeon
    E3-1225v3 system that is able to handle all of your wishes and fits your needs. To be future proof
    I would suggest going with AES-NI and Intel QuickAssist, or on top ready for DPDK enabled software.

