SG-2440 vs SG-4860 for this home setup?



  • I tried searching here and generally at google and found conflicting info. So, I thought I'd ask:

    I don't need the extra ports of the SG-4860, but I don't have a feel for if I'll need the CPU power.

    Home environment:
    WAN

    • 100-200Mbps from my ISP (100MBps now, more in the future)
    • OpenVPN client on the WAN interface, could I achieve 100Mbps?

    LAN

    • Four subnets to segregate things like IoT devices, guest, and regular users.
    • Subnets would be hanging off of a VLAN capable switch.
    • What rate can I expect between subnets? I'm hoping for at least several hundred Mbps. Usually there won't be much traffic between them and definitely not lots of traffic between them all at the same time, but I occasionally want to do large file transfers and it would be nice not to have to wait.

    Other Services taking CPU

    • OpenVPN client, as I said earlier
    • NAT on the WAN interface (if it helps I can move this to my modem), caching DNS, DHCP
    • Basic firewall rules, to keep 3 of 4 subnets connecting only to WAN, while the last subnet can connect to a few of the others.

    I'm hoping with AES-NI (And QuickAssist coming) the OpenVPN client won't use much CPU. I'm not planning on Suricata or Squid. Will the SG-2440 do it? Is there room to grow with it? Where would the CPU on the SG-4860 improve things?

    One last thing, in order to not be a bottleneck, would I need to bond a couple of ports between the switch and the pfSense box?



    • 100-200Mbps from my ISP (100MBps now, more in the future)

    1 GBit/s, 2 or perhaps 3 GBit/s? Then a stronger CPU should be used to handle this.
    A 2 GHz, server-grade CPU is needed to route 1 GBit/s at the WAN; perhaps this will change
    if netmap-fwd comes in version 2.3.

    • OpenVPN client on the WAN interface, could I achieve 100Mbps?

    All VPNs are two-ended things, and if a lame device is working on the other side, who knows.

    I'm hoping with AES-NI (And QuickAssist coming) the OpenVPN client won't use much CPU.

    Like all of us. Then OpenVPN will also get much more benefit from the AES-NI CPU function.

    I'm not planning on Suricata or Squid. Will the SG-2440 do it?

    For your connection speed now and the VPN throughput for sure!

    Is there room to grow with it?

    It all depends on what you want to run, serve and offer to your network.
    Massive VLAN & QoS use would be able to narrow down the entire box, or it runs fine but the
    throughput on the LAN end would not be as high as you perhaps wished or need.

    Where would the CPU on the SG-4860 improve things?

    More cores, more RAM, and more GHz; it's hard to say, but it will be able to route 1 GBit/s at the WAN
    port and also deliver 500+ MBit/s IPsec VPN throughput. So it is a really strong appliance.
    Together with WiFi or mSATA it might be a really long-running firewall.

    One last thing, in order to not be a bottleneck, would I need to bond a couple of ports between the switch and the pfSense box?

    If you are talking about bonding you may mean building a LAG (LACP), and this is only nice to have if many
    users or devices are targeting one other device alone, such as a file server getting hit by many clients!
    In some rare cases this would be nice to have and to realize, but in the most common setups it will
    not be the real solution. If you get a Layer 3 switch that delivers nearly wire speed today
    and routes all the VLANs through, you will be much better sorted, as I see it.



  • Thanks for the reply. So to summarize, it should be possible that the SG-2440 will

    • Handle 100Mbps to/from the WAN with NAT. Maybe more, but not 1Gbps.

    • Handle 50Mbps to/from an OpenVPN connection over the WAN port. I understand the other end could limit me, but I'm getting 50-100Mbps now using an OpenVPN client on my laptop. So I want to be sure the hardware I'm choosing for pfSense isn't a bottleneck at 50Mbps. (I just realized my VPN service will let me use L2TP w/ IPsec!)

    • You say a stronger CPU is required for 1Gbit/s from my ISP; does that mean I couldn't route 1Gbps between VLANs? I'm going to have 3-4, no QoS.

    Regarding pfSense 2.3, I see it was released today! I don't see anything about netmap-fwd, just a "tryforward()" function that gives slightly better forwarding while not disabling IPsec.

    Regarding AES-NI and OpenVPN, I thought this was already working. After reading more, I now understand that there is currently some small benefit from AES-NI instructions, but until an OpenVPN release supports AES-GCM, and that release makes it to a pfSense release, we won't see the full benefit of AES-NI instructions.
    Thanks for setting me straight on the link aggregation. I guess I won't need it.

    I'm really just trying to figure out if the 2440 will do 100Mbps thru NAT to my ISP, 50Mbps with an OpenVPN client on top of that, and how much I can expect between four VLANs.



  • Since you'll be using VLANs, I'd set up link aggregation anyway.  Doesn't mean you have to plug in all the NICs right away, but if you wish to use it in the future it will save you some pain with config.  It won't hurt your performance and may help, depending on your load.

    EDIT: You might be fine with the 2220 actually. Same CPU if I'm reading right. That's what you care about in this scenario. Just LAGG the 2 NICs, set up your VLANs and you'd be just fine.



  • Re CPU: It's not the same CPU in any of them that's the struggle I'm having!
    SG-2220 has the Atom C2338 1.7 GHz with 2 cores.
    SG-2440 has the Atom C2358 1.7 GHz with 2 cores and Quick Assist (not useful yet, fingers crossed for the future).
    SG-4860 has the Atom C2558 2.4 GHz with 4 cores and Quick Assist.

    Re LAG:
    I was wondering about LAG between the switch and the router, just in case more than 1Gbps was going on between VLANs with different connections. Honestly that would be fun, but it's a rare case at best, likely never happen.

    I'm reading https://blog.pfsense.org/?p=1866 now, where he quotes PPS (Packets Per Second) for these systems in an effort to see what best case numbers are.

    EDIT: Changed C2358 spec from 4 core to 2. My bad.



  • @gertty:

    Re CPU: It's not the same CPU in any of them that's the struggle I'm having!
    SG-2220 has the Atom C2338 1.7 GHz with 2 cores.
    SG-2440 has the Atom C2358 1.7 GHz with 4 cores and Quick Assist (not useful yet, fingers crossed for the future).
    SG-4860 has the Atom C2558 2.4 GHz with 4 cores and Quick Assist.

    Re LAG:
    I was wondering about LAG between the switch and the router, just in case more than 1Gbps was going on between VLANs with different connections. Honestly that would be fun, but it's a rare case at best, likely never happen.

    I'm reading https://blog.pfsense.org/?p=1866 now, where he quotes PPS (Packets Per Second) for these systems in an effort to see what best case numbers are.

    Ah, I see the difference now.  The hardware page is wrong, showing the C2358 as dual core.
    https://store.pfsense.org/SG-2440/ 
    My mistake.

    EDIT:  nope.  http://ark.intel.com/products/77978/Intel-Atom-Processor-C2358-1M-Cache-1_70-GHz



  • Yea, I copy-pasta'd that. Just fixed to "2" in my post.

    So according to the "pfSense Digest" I read, the SG-2220 will do 217K packets/sec with the new tryforward() code in pfSense 2.3. Assuming some small packets of maybe 100 bytes, that gives it 174Mbps raw speed. I'm not happy with that, so it's either the 2440 or 4860 for me. Going to the more expensive 4860 gets me higher frequency per core and two more cores. If I end up with anything single-threaded (like the PPPoE problem), having more per-core oomph will be nice.

    Man, I really just want the 4860 CPU with only 4-ports.
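
The packets-per-second reasoning in the post above is worth carrying a little further, because a pps ceiling translates into very different bit rates depending on frame size, and that is exactly what decides whether a given box can fill a 1 GbE link between VLANs. The following is an added example, not code from the forum posters or from pfSense; the only figure taken from the thread is the 217K pps quoted for the SG-2220 with tryforward(), and every other number (frame sizes, the 1 GbE link rate) is a constructed sample value. It also generalizes the post's one calculation to the reverse questions: how many pps a link rate needs, and the smallest average frame size at which a given pps budget can still saturate the link.

```python
"""Relate a router's packet-per-second (pps) forwarding limit to throughput.

Added example for this thread, not pfSense code or the posters' own.
The 217 kpps figure is the one quoted in the thread (its exact test
conditions, e.g. whether firewall rules were loaded, are not stated there);
every other number below is a constructed sample value.
"""
import math

# Bytes the wire spends on each Ethernet frame beyond the frame itself:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20


def _per_frame_bytes(frame_bytes, on_wire):
    return frame_bytes + (WIRE_OVERHEAD_BYTES if on_wire else 0)


def pps_to_mbps(pps, frame_bytes, on_wire=False):
    """Throughput in Mbit/s that `pps` frames of `frame_bytes` each amount to.

    on_wire=False reproduces the thread's "raw" calculation (frame bytes only);
    on_wire=True also counts preamble/SFD/IFG, which is what a link's line
    rate is measured against.
    """
    return pps * _per_frame_bytes(frame_bytes, on_wire) * 8 / 1e6


def pps_required(mbps, frame_bytes, on_wire=False):
    """Forwarding rate needed to fill `mbps` with frames of `frame_bytes`."""
    return math.ceil(mbps * 1e6 / (_per_frame_bytes(frame_bytes, on_wire) * 8))


def saturating_frame_size(pps, link_mbps, on_wire=False):
    """Smallest average frame size at which `pps` forwarding fills `link_mbps`.

    Below this size the router's pps ceiling, not the link, is the bottleneck;
    above it (bulk transfers at MTU-sized frames) the link fills first.
    """
    per_frame = link_mbps * 1e6 / 8 / pps
    return math.ceil(per_frame - (WIRE_OVERHEAD_BYTES if on_wire else 0))


def sizing_table(pps, frame_sizes=(64, 100, 512, 1500)):
    """Mbit/s the pps budget yields at each frame size (uncapped by any link)."""
    return {size: round(pps_to_mbps(pps, size), 1) for size in frame_sizes}


if __name__ == "__main__":
    PPS = 217_000  # SG-2220 tryforward figure quoted in the thread
    for size, mbps in sizing_table(PPS).items():
        print(f"{size:5d}-byte frames: {mbps:8.1f} Mbit/s")
    print("Smallest average frame size at which 217 kpps fills 1 GbE:",
          saturating_frame_size(PPS, 1000), "bytes")
    print("pps needed for 1 GbE of 1500-byte frames:", pps_required(1000, 1500))
    print("pps needed for 1 GbE of 64-byte frames on the wire:",
          pps_required(1000, 64, on_wire=True))
```

The point a practitioner takes from this: the same 217 kpps budget is about 174 Mbit/s at 100-byte frames (the post's figure) but well over 1 Gbit/s at 1500-byte frames, so a large file transfer between VLANs sees the link as the limit, while a flood of small packets (VoIP, DNS, or a scan) hits the pps ceiling long before the link fills. The worst case, 64-byte frames at wire rate on 1 GbE, needs roughly 1.49 Mpps, which is the number to compare against when a vendor quotes pps.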



  • @gertty:

    SG-2440 has the Atom C2358 1.7 Ghz with 42 cores and Quick Assist (not useful yet, fingers crossed for the future)

    I'd buy that!



  • Man, I really just want the 4860 CPU with only 4-ports.

    No, really you want, like us all, the fanless SG-8860 for only the price of the 2440!  ;)

    Single-core usage on PPPoE will not be forever! They are working on it; this is one
    thing they will be able to make all customers and users happy with, for sure!

    To route 1 GBit/s at the WAN interface, a 2 GHz CPU and server-grade hardware will be needed.
    This is written on the pfSense website and these are the minimum requirements.
    pfSense hardware & system requirements



  • @BlueKobold:

    To route 1 GBit/s at the WAN interface, a 2 GHz CPU and server-grade hardware will be needed.
    This is written on the pfSense website and these are the minimum requirements.
    pfSense hardware & system requirements

    I've seen that, but it doesn't tell me whether I can route 1Gbits internally between VLANs with less CPU. My instinct is no, but maybe that number you quoted includes overhead for NAT?



    For routing VLANs internally at wire speed you might get a Layer 3 switch like the following and let it
    do that job with more ease.

    • Cisco SG300 series
    • D-Link DGS1510 series


  • @BlueKobold:

    For routing VLANs internally at wire speed you might get a Layer 3 switch like the following and let it
    do that job with more ease.

    • Cisco SG300 series
    • D-Link DGS1510 series

    Oh, that works? I will have a VLAN capable switch in place. I'm a newbie to VLANs.  I assumed each VLAN had to be on its own subnet, so for my desktop on VLAN2 to reach a box on VLAN3 each would have to talk to their default gateway (the pfsense router).



  • Oh, that works? I will have a VLAN capable switch in place. I'm a newbie to VLANs.

    There are two different sorts of switches. The Layer 2 ones do not route between the VLANs themselves,
    and the router or firewall must do that job. And then there are Layer 3 switches, which can route the
    entire network traffic from each VLAN to the others by themselves without needing the router or firewall.

    I assumed each VLAN had to be on its own subnet, so for my desktop on VLAN2 to reach a box on VLAN3 each would have to talk to their default gateway (the pfsense router).

    Using a Layer 3 switch like the Cisco SG300-10 or SG300-08, each VLAN will have its own IP broadcast net
    and the gateway will be inside its own IP range. The switch itself then routes the traffic between
    all of the VLANs. And usually these switches today are ready to route the entire traffic between the VLANs at
    wire speed, and the firewall will then have more power for other things to do.



  • Thanks so much for the detailed explanation! I may need to return and order a different switch. Glad I understand this now.



  • @gertty:

    Thanks so much for the detailed explanation! I may need to return and order a different switch. Glad I understand this now.

    You might consider that by using a Layer 3 switch you'll be moving your inter-VLAN firewalling to the switch. This is fine, but adds an extra layer of complexity. Another solution that gets around having to route very high throughput workloads through the pfsense box is using multiple network interfaces. Let's say you have a NAS that is serving iSCSI to a machine in VLAN2 and CIFS to a machine in VLAN3. The way to prevent this traffic from having to traverse the firewall is to give the NAS interfaces in both VLANs. Then your traffic never has to traverse the firewall. I work in a medium size business that uses pfsense as both edge and core routers and this is how we get around bottlenecking our routers with workloads that require wirespeed. And best of all, it keeps all the rules in the same place. And remember, you don't need physical network interfaces to do this. That's what VLANs are for. And NIC teaming (LAGG) helps tremendously in this scenario (EDIT: if you do it on the NAS).



  • @whosmatt:

    You might consider that by using a Layer 3 switch you'll be moving your inter-VLAN firewalling to the switch.  This is fine, but adds an extra layer of complexity.

    I prefer to have the local network fully configured on a layer 3 switch with inter-VLAN routing, ACL and DHCP server. Makes it easy to change front-door router/firewall. Besides the router/firewall has more capacity doing WAN and firewall duties.

    I currently use a Linksys LRT224 as router/firewall, but I'm considering replacing the LRT224 with a pfSense firewall.

    ![Oles Home Network.png](/public/imported_attachments/1/Oles Home Network.png)



  • I prefer to have the local network fully configured on a layer 3 switch with inter-VLAN routing, ACL and DHCP server

    That's how I am using that Layer 3 switch too! I love having full LAN connectivity while setting up new things
    at the firewall.

    Makes it easy to change front-door router/firewall. Besides the router/firewall has more capacity doing WAN and firewall duties.

    There are mostly two camps that want it in different directions: one performs the firewall rules on the entire
    LAN and the VLANs, and the other loves to be more free from firewall rules and works with ACLs.

    I currently use a Linksys LRT224 as router/firewall, but I'm considering replacing the LRT224 with a pfSense firewall.

    Actually there are cool devices on the market, from the lower end up to the top, to run pfSense on.
    For your wireless LAN you could also get a benefit from the Captive Portal for guests and the
    RADIUS server for your own devices, to secure that better than now.

    • APU2C4
    • Jetway N2930
    • Supermicro C2x58 (Rangeley)
    • SG-xxx units from Netgate or the pfSense store


    Actually there are cool devices on the market, from the lower end up to the top, to run pfSense on.
    For your wireless LAN you could also get a benefit from the Captive Portal for guests and the
    RADIUS server for your own devices, to secure that better than now.

    • APU2C4
    • Jetway N2930
    • Supermicro C2x58 (Rangeley)
    • SG-xxx units from Netgate or the pfSense store
    • Supermicro Xeon D-15x8 (Broadwell-DE) ;D

    Ole



    • Supermicro Xeon D-15x8 (Broadwell-DE)

    Yep, it's a really amazing platform; it would be a real pfSense bomb.