Build: Hardware sanity check
-
The thing is, an i3 won't consume much more power than the J or Q or whatever Celerons/Pentiums you're talking about for the majority of the time, because you'll be idling. Therefore if price is about the same, it doesn't matter.
When you floor it, as in are pushing a large number of connections, over VPN, while streaming, and doing 5 other things you're barely going to make the i3 sweat, especially on 250mbit.
Btw I like Asrock consumer boards because you can guarantee that they support vt-d, where you can't with the other big players. If you have no intention of passing devices through to VMs it really doesn't matter what brand you go for.
My dual virtual cores allocated to pfsense barely get stressed on a 100mbit connection, and could easily handle 1gbit if/when I get it.
Fun fact:
I moved to pfsense back in 2011 (though I had intended to move earlier). While the hardware I run it on has changed (largely due to me trying to save power by consolidation), I still run pfsense because I have yet to find anything that meets or surpasses it for features/ease of use and power. It just works, and it works well.
Wifi: get an access point or use a wireless router as an access point. Do not use pfsense for wireless
I'd agree with this, and I'd go ahead and recommend Unifi access points. They have served me very well over the last several years, and are surprisingly cheap.
Re quad Nic: why do you want 4 ports? Have you got separate networks to route between or are you trying to use link aggregation or ?
What I am getting at is: don't use pfsense as a switch. A five port switch is cheaper than a quad port Nic
Not only that, but bridging separate NIC ports comes with some performance penalties. A real switch is much better for the purpose of switching.
Unless you plan on routing to multiple separate networks, I'd stick with a dual port NIC, one WAN and one LAN, plug the LAN end into a switch, and let the switch do what it does best. Then plug the Wifi access point(s) into the switch as well.
-
The thing is, an i3 won't consume much more power than the J or Q or whatever Celerons/Pentiums you're talking about for the majority of the time, because you'll be idling. Therefore if price is about the same, it doesn't matter.
When you floor it, as in are pushing a large number of connections, over VPN, while streaming, and doing 5 other things you're barely going to make the i3 sweat, especially on 250mbit.
Yup, I've come to realize this during my recent FreeNAS project. Really interesting. Tho there are penalties for having 'juice on tap' to some extent, not that I think they matter in my use case anyways (definitely not in relation to the amount of rotating rust in my closet xP )
The idea is really to go enough overkill to not need to look back for 'any foreseeable future'. Which - would've been the case on a J1900 or 3150.
Hardware is mostly shipped, I'm really looking forward to try it out as soon as I possibly can.
The bummer is - PicoPSU, powerbrick and the quad NIC are ~5 weeks away due to e-bay shipping time.
When saving ~600USD compared to sourcing those items locally …it is a no-brainer.
Regarding mattlach's comment about switching:
The bulk of the data may be going through the switch and a single port to feed it. My switch is as stupid as can be, no VLAN support or anything alike.
Just to learn & play around a bit, it'll be fun to have access to surplus ports to set up the network.
You guys' point is clear - don't use it for switching purposes if there is a switch to be used.
Hoping to return with some pics n build progress :)
Cheers / Tarran
-
I personally suggest not throwing hundred dollar bills at this issue when you'd be better off throwing 20 dollar bills. If you go to the products page and look at the system requirements for pfsense, which are nicely broken out by desired Internet speeds, you find that you are overbuilding. The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal that of PC's from 10 years ago. In a nutshell chasing "industrial grade" hardware is largely wasteful.
Last thing to add, don't add more hardware than needed, i.e. NIC ports, RAM. They just consume needed resources and serve no purpose at the same time.
Oh and pfsense works best with a single WAN, single LAN and a single OPT port. Don't bridge in pfSense because you only make it work harder than it should. Remember, pfsense is designed to be a security appliance, not a router in the sense of an off the shelf Netgear or Linksys unit, so don't overcomplicate it and you get the best experience with it. Remember the K.I.S.S. analogy. KEEP IT SIMPLE STUPID.
-
The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal that of PC's from 10 years ago. In a nutshell chasing "industrial grade" hardware is largely wasteful.
Thank you for, yet another pointer in the same direction. Which is probably true to a regular connection without VPN.
BUT, according to enthusiast benchmarks - will not do for high speed VPN solutions.
Which is my application. Which is why I am aiming for hardware that will last at least a decade.
To next guy feeling like having a rant regarding overdoing the hardware part:
- Grab a anana and smile 8)
OR - Read up a little on the boatloads of stress high speed VPN takes out on cpu.
- Grab a anana and smile 8)
-
The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal that of PC's from 10 years ago. In a nutshell chasing "industrial grade" hardware is largely wasteful.
Thank you for, yet another pointer in the same direction. Which is probably true to a regular connection without VPN.
BUT, according to enthusiast benchmarks - will not do for high speed VPN solutions.
Which is my application. Which is why I am aiming for hardware that will last at least a decade.
To next guy feeling like having a rant regarding overdoing the hardware part:
- Grab a anana and smile 8)
OR - Read up a little on the boatloads of stress high speed VPN takes out on cpu.
Honestly, you'd be better off not using pfsense for a VPN. In the past I turned on a VPN for my media streaming server because a family member wanted to copy some of my content. What I did was set up VPN on that server since it was running Windows Server 2012 and I made no changes to pfsense and it worked like a charm. Your best bet is to set up something like a Dell PowerEdge server with Windows Server and use it for your VPN. I suggest this because, if you run VPN on Windows Server along with Active Directory, you can control access on multiple levels.
What everyone is saying is not to apply too many roles to pfsense in a single box. In doing so, it becomes bogged and over laden. If you are managing a big network, it would seem the right thing to have several boxes in line using pfsense that all have set roles; one for gateway defense, one for secure access followed by gateway services such as DNS and DHCP.
- Grab a anana and smile 8)
-
By the way PicoPSU are garbage. If you are looking for 10 years of service look elsewhere for a PSU. I used to mess with them 10 years ago when I was playing with CAR PC's and I had more issues with them than they were worth. What is sad is they have not changed at all and are still made of the same low quality parts they were then. I used to wonder if they were made by some dude in his garage. I would strongly suggest buying a chassis that allows you to use a normal PSU, that is completely internal, and comes in standard size formats where replacements are readily available.
PicoPSU may be an internal PSU, but it still requires an external PSU brick.
-
The requirements are not high-end and anything above that should be considered unnecessary. The actual system requirements of pfsense equal that of PC's from 10 years ago. In a nutshell chasing "industrial grade" hardware is largely wasteful.
Thank you for, yet another pointer in the same direction. Which is probably true to a regular connection without VPN.
BUT, according to enthusiast benchmarks - will not do for high speed VPN solutions.
Which is my application. Which is why I am aiming for hardware that will last at least a decade.
To next guy feeling like having a rant regarding overdoing the hardware part:
- Grab a anana and smile 8)
OR - Read up a little on the boatloads of stress high speed VPN takes out on cpu.
What type of encryption does VPN use? Do the AES-NI instruction sets in newer CPU's help with this at all? Is AES-NI accelerated encryption implemented by FreeBSD 10 and pfSense?
I'm kind of in the same boat as you are. My current pfSense router is running virtualized off of two of my 12 older 2.2GHz cores in my Dual Xeon L5640 server. It never sees any significant load performing just NAT and firewall duty, but I plan on doing full QoS on my 160Mbps/160Mbps connection, and I understand this can take some horsepower, so I decided to be safe rather than sorry, and went with the overkill i5-4570T, a dual core low power (35W TDP) with a base clock of 2.9GHz and a max turbo of 3.6GHz. It has HT, but that will likely just waste power, and go unused by pfSense since it prefers fewer faster cores over more slower ones, so I plan on disabling the HT in the BIOS.
The only downside of this CPU is - IMHO - the lack of ECC.
- Grab a anana and smile 8)
-
By the way PicoPSU are garbage. If you are looking for 10 years of service look elsewhere for a PSU. I used to mess with them 10 years ago when I was playing with CAR PC's and I had more issues with them than they were worth. What is sad is they have not changed at all and are still made of the same low quality parts they were then. I used to wonder if they were made by some dude in his garage. I would strongly suggest buying a chassis that allows you to use a normal PSU, that is completely internal, and comes in standard size formats where replacements are readily available.
PicoPSU may be an internal PSU, but it still requires an external PSU brick.
Meh, I'm OK with not having 10 year viability in cheap hardware. Before 10 years I'll likely get frustrated with something and go in there and change it anyway.
The main draw of the PicoPSU to me is the high efficiency at low loads. Most traditional PSU's - even 80plus platinum ones - have good efficiency at about 50% of their rated load, but if you build an efficient system that spends most of its time idling at 10-15W the efficiency is atrocious. This is where the PicoPSU's shine. If I have to spend another $25 and replace it in 5 years, that's a small price to pay :p
As long as it doesn't fail spectacularly and destroy hardware when it goes, but I haven't read of anyone having problems like that with them.
-
When I used the VPN, I used pure AES since I installed on a dual Xeon quad core PowerEdge 1950.
The issues I had with PicoPSU's were low quality which resulted in repetitive failure that sometimes burned up motherboards. They may be efficient but due to their size, they lack protection circuitry.
This is the difference between them and your platinum desktop PSU. If they fail, your system will not be affected.
Now, I've been using Corsair platinum PSU's for years and I've got one that has run smoothly for 7 years without issue. I swear by them.