Build: Hardware sanity check



  • heya,

    I'm considering building a new firewall/router. A month ago I fell in love with FreeNAS, being super satisfied with its performance. The FreeNAS experience proved to be really picky on hardware. That's why I'm posting here prior to 'purchase and yolo'.

    I'm on a 250/100 Mbit LAN connection, using OpenVPN (via Anonine). I wish to have the pfsense box handle all the VPN, rather than each machine behind my PnP low buck router.

    Here is the hardware I've my eyes on currently (not bought yet!).
    The i3-6100 provides AES-NI instructions which, as far as I've understood, will greatly improve encryption performance.
    The other parts are just the 'cheap and recommended' items I've access to locally.

    Intel option
    ASUS H110I PLUS (mITX) or ASUS H110M-A (mATX)
    Intel Core i3 6100 3.7 GHz 3MB (passmark: 5502)
    Corsair 8GB (2x4GB) DDR4 2400Mhz CL Vengeance
    Corsair CX430 430W

    Or the budget version, at roughly half the cost.
    AMD
    ASUS AM1M-A, Socket-AM1 (passmark: 2570)
    Corsair Value S. DDR3 1333MHz 4GB CL9
    AMD Athlon 5350, Socket-AM1

    Any thoughts and suggestions/pointers to newbie reads are greatly appreciated.

    Cheers.



  • Reading up some more, I've come to realize there are some obstacles to 'get right' (as with FreeNAS ;) ) that I'm trying to get my head wrapped around.

    I checked the list of compatible WiFi cards & drivers, this one: https://docs.google.com/spreadsheets/d/11cF4UoNL68Me5ZC6qhjFPmzdW7mib56dBIAKz30Qpug/edit?hl=en#gid=0

    "Most Atheros" cards would be capable of running a hostap, and Atheros generally seems to be the preferred brand.

    Looking around on e-bay, I found this little fellow that seems to fit the bill nicely: PCIe, Atheros AR5B22 300M, and some antennas.

    http://www.ebay.com/itm/Atheros-AR5B22-300M-Wireless-Wifi-Bluetooth-BT-4-0-PCI-E-Card-Desktop-Adapter-/151585800448?hash=item234b37c100:g:7UwAAOSwMmBV1YxD

    Beyond that, I figured it is appropriate to invest in an Intel NIC. At first I was looking at dual ports until realizing the price difference to a quad port was "acceptable".
    I figured the extra ports may come in handy if wanting a separate port to feed a WiFi subnet on a rather stupid external AP.

    This is the card I liked:
    IBM Intel EXPI9404PTL Pro/1000 PT Quad Port Server Adapter PCI-E D72468 39Y6138

    http://www.ebay.com/itm/172137059115?_trksid=p2055119.m1438.l2649&ssPageName=STRK%3AMEBIDX%3AIT

    Please, fill me in with thoughts on this. My guesstimate is that this is rather overkill in every sense, but … the lower end mark, a Sempron 2650, has no AES-NI or real juice to speak of. I'm really open to any suggestions here.

    Please chime in and help reason, newb or pro.



  • Wifi: get an access point or use a wireless router as an access point. Do not use pfsense for wireless.

    Re quad NIC: why do you want 4 ports? Have you got separate networks to route between, or are you trying to use link aggregation, or?

    What I am getting at is: don't use pfsense as a switch. A five port switch is cheaper than a quad port NIC.

    If it were me, I would look at virtualising pfsense and running OpenWrt in a VM for access point functionality (with a passed-through wireless card).



  • Thank you for chiming in Keljian!

    @Keljian:

    Wifi: get an access point or use a wireless router as an access point. Do not use pfsense for wireless.

    Alright.
    Curiosity: Is this due to the amount of problems people are experiencing, or for security reasons, or something else?

    @Keljian:

    Re quad NIC: why do you want 4 ports? Have you got separate networks to route between, or are you trying to use link aggregation, or?
    What I am getting at is: don't use pfsense as a switch. A five port switch is cheaper than a quad port NIC.

    I see your point. It wasn't really my intention to use pfsense as a switch alone; I will definitely have a standalone switch behind it.
    4 ports are probably overkill even for me; a dual port would probably do the trick. I really would like to avoid any internal Realtek cards on the motherboard.
    However, once 2 are utilized for the basics, it could be cool to have enough ports for the flexibility to have different WiFi networks up whose access is limited through pfsense. (This is a far-fetched use case to me though…)
    I would save about the cost of 2 pizzas by not getting this flexibility from the start.

    @Keljian:

    If it were me, I would look at virtualising pfsense and running OpenWrt in a VM for access point functionality (with a passed-through wireless card).

    This is probably a bit over my head; I've no experience with virtualization at all. At the moment, I'm happy to buy standalone machines to pull the duties.

    What about the AMD system spec in the OP? Is this "enough" even for 250mbit and VPN?

    Cheers, Tarran



  • @Tarrandio:

    Thank you for chiming in Keljian!

    Welcome

    @Keljian:

    Wifi: get an access point or use a wireless router as an access point. Do not use pfsense for wireless.

    Alright.
    Curiosity: Is this due to the amount of problems people are experiencing, or for security reasons, or something else?

    Simply - it's not well supported. Features such as 802.11ac are not implemented and chipset support isn't great.

    @Keljian:

    Re quad NIC: why do you want 4 ports? Have you got separate networks to route between, or are you trying to use link aggregation, or?
    What I am getting at is: don't use pfsense as a switch. A five port switch is cheaper than a quad port NIC.

    I see your point. It wasn't really my intention to use pfsense as a switch alone; I will definitely have a standalone switch behind it.
    4 ports are probably overkill even for me; a dual port would probably do the trick. I really would like to avoid any internal Realtek cards on the motherboard.
    However, once 2 are utilized for the basics, it could be cool to have enough ports for the flexibility to have different WiFi networks up whose access is limited through pfsense. (This is a far-fetched use case to me though…)
    I would save about the cost of 2 pizzas by not getting this flexibility from the start.

    Your call - bridging interfaces in pfSense can be done, but you'll introduce latency and CPU load unnecessarily.

    @Keljian:

    If it were me, I would look at virtualising pfsense and running OpenWrt in a VM for access point functionality (with a passed-through wireless card).

    This is probably a bit over my head; I've no experience with virtualization at all. At the moment, I'm happy to buy standalone machines to pull the duties.

    Really, it isn't. It's not rocket science. ESXi is free, and easy to use if you have a windows box (or VM) hanging around.

    What about the AMD system spec in the OP? Is this "enough" even for 250mbit and VPN?

    Cheers, Tarran

    Should do, but I prefer Intel to AMD at the moment. Intel's chips tend to use less power (when on 24/7).

    Practically any setup (short of REALLY low end) will do those speeds. I like to have a bit of headroom.



  • Thanks for comments.
    I've been contemplating around these suggestions and done some further reading on my own.

    I found the J1900 and the rather recent 3150 low power chips to be interesting candidates… really interesting concerning their low power profile. They seem to be able to handle virtually any connection. However, when reading up further on these options, it turns out VPN is a completely different beast. Both of these seem to max out at around 250Mbit. Yet it was not specified what type of traffic was involved, whereas torrents with loads of handles are probably more intensive than single transfers.

    Fun fact, my current 8port Gbit switch was bought in 2006. 10 years down the line, I've no plans to change it. On the other hand, I've probably gone through at least 5 router solutions since.

    Further upgrades beyond the current 250/100mbit connection are not "that far off", which would make it unreasonable to purchase a router machine this advanced with such a limited life span.

    So here is what I've gotten:

    M/B: ASUS H110I PLUS
    • has the dandy 24pin standard ATX and the "p4 contact" 4pin ATX additional CPU power. This matches the cables on the standard PicoPSU!
    • Asus kick-ass fan control from within the BIOS, which allows for way more accurate settings compared to Gigabyte's recent solutions. My hope here is to produce a box that can be completely passive at times!

    CPU: Intel Core i3 6100 3.7 GHz 3MB

    CPU cooler: Cooler Master TX3 EVO
    • attempt to make the box passively cooled for the majority of the time

    RAM: Corsair 8GB (2x4GB) DDR4 2400Mhz CL Vengeance LPX

    Case: Raijintek Metis Red
    • beyond cute little nice case!

    NIC: IBM Intel EXPI9404PTL Pro/1000 PT Quad Port Server Adapter PCI-E D72468 39Y6138
    • I chose 4 ports to not have any regrets.

    PSU: DC 12V 160W Pico ATX switch PSU Car Auto MINI ITX ATX Power Supply 24pin DC-ATX
    • has the appropriate 4pin CPU connector (this is a big watch-out when pairing motherboards with PicoPSUs!)

    Power brick: 12V 10A Charger for Pico ITX PSU LCD Mini ITX Pico 160XT 160-XT AC Power Adapter

    Cheers / Tarran



  • The thing is, an i3 won't consume much more power than the J or Q or whatever Celerons/Pentiums you're talking about for the majority of the time, because you'll be idling. Therefore if price is about the same, it doesn't matter.

    When you floor it, as in pushing a large number of connections over VPN while streaming and doing 5 other things, you're barely going to make the i3 sweat, especially on 250mbit.

    Btw I like ASRock consumer boards because you can guarantee that they support VT-d, where you can't with the other big players. If you have no intention of passing devices through to VMs, it really doesn't matter what brand you go for.

    My dual virtual cores allocated to pfsense barely get stressed on a 100mbit connection, and could easily handle 1gbit if/when I get it.

    Fun fact:
    I moved to pfsense back in 2011 (though I had intended to move earlier). While the hardware I run it on has changed (largely due to me trying to save power by consolidation), I still run pfsense because I have yet to find anything that meets or surpasses it for features/ease of use and power. It just works, and it works well.



  • @Keljian:

    Wifi: get an access point or use a wireless router as an access point. Do not use pfsense for wireless.

    I'd agree with this, and I'd go ahead and recommend Unifi access points.  They have served me very well over the last several years, and are surprisingly cheap.

    @Keljian:

    Re quad NIC: why do you want 4 ports? Have you got separate networks to route between, or are you trying to use link aggregation, or?

    What I am getting at is: don't use pfsense as a switch. A five port switch is cheaper than a quad port NIC.

    Not only that, but bridging separate NIC ports comes with some performance penalties.  A real switch is much better for the purpose of switching.

    Unless you plan on routing to multiple separate networks, I'd stick with a dual port NIC, one WAN and one LAN, plug the LAN end into a switch, and let the switch do what it does best.  Then plug the Wifi access point(s) into the switch as well.



  • @Keljian:

    The thing is, an i3 won't consume much more power than the J or Q or whatever Celerons/Pentiums you're talking about for the majority of the time, because you'll be idling. Therefore if price is about the same, it doesn't matter.

    When you floor it, as in pushing a large number of connections over VPN while streaming and doing 5 other things, you're barely going to make the i3 sweat, especially on 250mbit.

    Yup, I've come to realize this during my recent FreeNAS project. Really interesting. Though there are penalties for having 'juice on tap' to some extent, not that I think they matter in my use case anyway (definitely not in relation to the amount of rotating rust in my closet xP ).

    The idea is really to go enough overkill to not need to look back for 'any foreseeable future'. Which would've been the case on a J1900 or 3150.

    Hardware is mostly shipped, I'm really looking forward to try it out as soon as I possibly can.
    The bummer is - PicoPSU, power brick and the quad NIC are ~5 weeks away due to e-bay shipping time.
    When saving ~600USD compared to sourcing those items locally …it is a no-brainer.

    Regarding mattlach's comment about switching:
    The bulk of the data may be going through the switch and a single port to feed it. My switch is as stupid as can be, no VLAN support or anything alike.
    Just to learn & play around a bit, it'll be fun to have access to surplus ports to set up the network.
    You guys' point is clear - don't use it for switching purposes if there is a switch to be used.

    Hoping to return with some pics n build progress :)

    Cheers / Tarran



  • I personally suggest not throwing hundred dollar bills at this issue when you'd be better off throwing 20 dollar bills. If you go to the products page and look at the system requirements for pfsense, which are nicely broken out by desired Internet speeds, you find that you are overbuilding. The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal those of PCs from 10 years ago. In a nutshell, chasing "industrial grade" hardware is largely wasteful.

    Last thing to add: don't add more hardware than needed, i.e. NIC ports, RAM. They just consume needed resources and serve no purpose at the same time.

    Oh, and pfsense works best with a single WAN, single LAN and a single OPT port. Don't bridge in pfSense because you only make it work harder than it should. Remember, pfsense is designed to be a security appliance, not a router in the sense of an off-the-shelf Netgear or Linksys unit, so don't overcomplicate it and you get the best experience with it. Remember the K.I.S.S. analogy: KEEP IT SIMPLE, STUPID.



  • @jbhowlesr:

    The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal those of PCs from 10 years ago. In a nutshell, chasing "industrial grade" hardware is largely wasteful.

    Thank you for yet another pointer in the same direction. Which is probably true for a regular connection without VPN.
    BUT, according to enthusiast benchmarks, it will not do for high speed VPN solutions.
    Which is my application. Which is why I am aiming for hardware that will last at least a decade.

    To the next guy feeling like having a rant regarding overdoing the hardware part:

    • Grab a banana and smile 8)
              OR
    • Read up a little on the boatloads of stress high speed VPN puts on the CPU.


  • @Tarrandio:

    @jbhowlesr:

    The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal those of PCs from 10 years ago. In a nutshell, chasing "industrial grade" hardware is largely wasteful.

    Thank you for yet another pointer in the same direction. Which is probably true for a regular connection without VPN.
    BUT, according to enthusiast benchmarks, it will not do for high speed VPN solutions.
    Which is my application. Which is why I am aiming for hardware that will last at least a decade.

    To the next guy feeling like having a rant regarding overdoing the hardware part:

    • Grab a banana and smile 8)
              OR
    • Read up a little on the boatloads of stress high speed VPN puts on the CPU.

    Honestly, you'd be better off not using pfsense for a VPN. In the past I turned on a VPN for my media streaming server because a family member wanted to copy some of my content. What I did was set up VPN on that server, since it was running Windows Server 2012, and I made no changes to pfsense and it worked like a charm. Your best bet is to set up something like a Dell PowerEdge server with Windows Server and use it for your VPN. I suggest this because, if you run VPN on Windows Server along with Active Directory, you can control access on multiple levels.

    What everyone is saying is not to apply too many roles to pfsense in a single box. In doing so, it becomes bogged down and overladen. If you are managing a big network, it would seem the right thing to have several boxes in line using pfsense that all have set roles: one for gateway defense, one for secure access, followed by gateway services such as DNS and DHCP.



  • By the way, PicoPSUs are garbage. If you are looking for 10 years of service, look elsewhere for a PSU. I used to mess with them 10 years ago when I was playing with car PCs and I had more issues with them than they were worth. What is sad is they have not changed at all and are still made of the same low quality parts they were then. I used to wonder if they were made by some dude in his garage. I would strongly suggest buying a chassis that allows you to use a normal PSU, that is completely internal, and comes in standard size formats where replacements are readily available.

    A PicoPSU may be an internal PSU, but it still requires an external power brick.



  • @Tarrandio:

    @jbhowlesr:

    The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal those of PCs from 10 years ago. In a nutshell, chasing "industrial grade" hardware is largely wasteful.

    Thank you for yet another pointer in the same direction. Which is probably true for a regular connection without VPN.
    BUT, according to enthusiast benchmarks, it will not do for high speed VPN solutions.
    Which is my application. Which is why I am aiming for hardware that will last at least a decade.

    To the next guy feeling like having a rant regarding overdoing the hardware part:

    • Grab a banana and smile 8)
              OR
    • Read up a little on the boatloads of stress high speed VPN puts on the CPU.

    What type of encryption does VPN use? Do the AES-NI instruction sets in newer CPUs help with this at all? Is AES-NI accelerated encryption implemented by FreeBSD 10 and pfSense?

    I'm kind of in the same boat as you are. My current pfSense router is running virtualized off of two of the 12 older 2.2GHz cores in my dual Xeon L5640 server. It never sees any significant load performing just NAT and firewall duty, but I plan on doing full QoS on my 160Mbps/160Mbps connection, and I understand this can take some horsepower, so I decided to be safe rather than sorry and went with the overkill i5-4570T, a dual core low power (35W TDP) part with a base clock of 2.9GHz and a max turbo of 3.6GHz. It has HT, but that will likely just waste power and go unused by pfSense since it prefers fewer faster cores over more slower ones, so I plan on disabling HT in the BIOS.

    The only downside of this CPU is - IMHO - the lack of ECC.



  • @jbhowlesr:

    By the way, PicoPSUs are garbage. If you are looking for 10 years of service, look elsewhere for a PSU. I used to mess with them 10 years ago when I was playing with car PCs and I had more issues with them than they were worth. What is sad is they have not changed at all and are still made of the same low quality parts they were then. I used to wonder if they were made by some dude in his garage. I would strongly suggest buying a chassis that allows you to use a normal PSU, that is completely internal, and comes in standard size formats where replacements are readily available.

    A PicoPSU may be an internal PSU, but it still requires an external power brick.

    Meh,  I'm OK with not having 10 year viability in cheap hardware.  Before 10 years I'll likely get frustrated with something and go in there and change it anyway.

    The main draw of the PicoPSU to me is the high efficiency at low loads. Most traditional PSUs - even 80plus platinum ones - have good efficiency at about 50% of their rated load, but if you build an efficient system that spends most of its time idling at 10-15W, the efficiency is atrocious. This is where the PicoPSUs shine. If I have to spend another $25 and replace it in 5 years, that's a small price to pay :p

    As long as it doesn't fail spectacularly and destroy hardware when it goes, but I haven't read of anyone having problems like that with them.



  • When I used the VPN, I used pure AES since I installed it on a dual Xeon quad-core PowerEdge 1950.

    The issues I had with PicoPSUs were low quality, which resulted in repetitive failures that sometimes burned up motherboards. They may be efficient, but due to their size they lack protection circuitry.

    This is the difference between them and your platinum desktop PSU. If those fail, your system will not be affected.

    Now, I've been using Corsair platinum PSUs for years and I've got one that has run smoothly for 7 years without issue. I swear by them.