    Netgate Discussion Forum
    [Many Pics] My new silent firewall build

    Hardware
    • E
      edwardwong last edited by

      This is the one I built last month, altogether < US$250.

      The board is a Jetway NF9HG-2930 with a quad-core Silvermont N2930 CPU, typical TDP 4.5W & max. 7.5W; in my build there is no fan inside at all.
      1x mini PCI-E + 1x mSATA (shared with one of the SATA2 ports) is definitely enough for most applications. (If you want LAN bypass, there is the NF9HB-2930 for you.) Of course the most important thing on this board: 4 x Intel i210-AT GbE LAN ports.

      In my attached BIOS screen capture you can see that there is console redirection support as well.

      I used the M350 case bought from Amazon, this case has a removable front cover which allows you to hide 2 USB sticks inside, so I don't need those micro size USB memory for my firewall. I had thought about Silverstone PT-13 but the horizontal pci-e x1 slot is an obstacle, if you are willing to cut a hole on the case then this is actually a very good looking case.

      I live in Hong Kong so you know…..it can be very hot sometimes; during my test the room temperature was 20 degrees Celsius and the CPU temp around 40, so I would say this board will not overheat at all.

      I did an iperf test for WAN-LAN throughput (with a Macbook Retina + Thunderbolt GbE as client & a Macbook Pro 2010 + onboard GbE on the WAN side); 940Mbps was achieved easily with CPU loading ~30% (which is slightly more than 1 core's loading), and when I performed a bi-directional test it averaged 790Mbps (it fluctuates as you see, but CPU loading is usually < 60%). I guess the Macbook ethernet is having problems under high stress.

      I actually had one more build last year: I bought one of those Intel 1037U + 6 x Intel LAN small firewall appliances from China; single-direction 940Mbps NAT throughput is also possible there (bidirectional might be a problem since it is at 50-55% CPU usage for a single direction already).
      • E
        edwardwong last edited by

        Forgot to mention, I did OpenSSL test (by the internal testing command) with AES-256-CBC encryption algorithm, it's showing about 120-140Mbps, for a CPU without AES-NI, I can't complain too much about it.

        My home has 1G/1G fiber link so this platform suits me well, now I also added suricata into my new appliance.

        If someone wants better stuff but doesn't want to pay too much for something like the Supermicro C2x58 Rangeley CPU platform, you can consider the Supermicro X11SBA-LN4F ITX board; this board uses the Intel N3700 CPU, which supports the AES-NI instructions, good for those who want better encryption speed.
        • ?
          Guest last edited by

          If someone wants better stuff but doesn't want to pay too much for something like the Supermicro C2x58 Rangeley CPU platform, you can consider the Supermicro X11SBA-LN4F ITX board; this board uses the Intel N3700 CPU, which supports the AES-NI instructions, good for those who want better encryption speed.

          Please note there are some known issues with this board that have been discussed here in the forum for quite a long time. Link

          It is also available as a fully bare-bone system from Supermicro that really looks awesome!
          Super Micro Supermicro SuperServer E200-9B Server SYS-E200-9B

          Otherwise thank you and +1 from me for the picture-rich thread about that board and the measuring you have done. 940 Mbit/s + the overhead + the NAT and firewall rules workload and you've really got 1 GBit/s, please don't forget this! And each installed package and running service is also "eating" some CPU power and slows down the entire pfSense box a little bit.

          Edward, how much RAM did you put in that box?
          Did you enable PowerD (hi adaptive or adaptive)?
          If you are using an mSATA you should enable TRIM support on that machine too.
          With 8 GB RAM you could try raising the mbuf size on that machine to 1000000.

          Forgot to mention, I did OpenSSL test (by the internal testing command) with AES-256-CBC encryption algorithm, it's showing about 120-140Mbps, for a CPU without AES-NI, I can't complain too much about it.

          That's not so much, but also enough to upload photos and other things from outside with ease.
          • E
            edwardwong last edited by

            @BlueKobold:

            If someone wants better stuff but doesn't want to pay too much for something like the Supermicro C2x58 Rangeley CPU platform, you can consider the Supermicro X11SBA-LN4F ITX board; this board uses the Intel N3700 CPU, which supports the AES-NI instructions, good for those who want better encryption speed.

            Please note there are some known issues with this board that have been discussed here in the forum for quite a long time. Link

            It is also available as a fully bare-bone system from Supermicro that really looks awesome!
            Super Micro Supermicro SuperServer E200-9B Server SYS-E200-9B

            Otherwise thank you and +1 from me for the picture-rich thread about that board and the measuring you have done. 940 Mbit/s + the overhead + the NAT and firewall rules workload and you've really got 1 GBit/s, please don't forget this! And each installed package and running service is also "eating" some CPU power and slows down the entire pfSense box a little bit.

            Edward, how much RAM did you put in that box?
            Did you enable PowerD (hi adaptive or adaptive)?
            If you are using an mSATA you should enable TRIM support on that machine too.
            With 8 GB RAM you could try raising the mbuf size on that machine to 1000000.

            Forgot to mention, I did OpenSSL test (by the internal testing command) with AES-256-CBC encryption algorithm, it's showing about 120-140Mbps, for a CPU without AES-NI, I can't complain too much about it.

            That's not so much, but also enough to upload photos and other things from outside with ease.

            wow…..the X11SBA-LN4F discussion is long, I need some time to digest it  :P
            For my system, I installed 4GB x 1 DDR3L. A bit stupid at the very beginning: I was trying to use my old laptop memory but the board wouldn't even POST! Then I asked and got a notice from the seller that this board accepts ONLY DDR3L SODIMM, not normal 1.5V SODIMM, so I bought a 4GB DDR3L SODIMM, leaving one slot blank for the future. This board supports 8GB max, but to be honest I believe 4GB is already more than enough for me.

            During my test I disabled PowerD, but in real-world use I've enabled "hi adaptive"; I tried "adaptive" and it didn't look like it was reacting fast enough, so I chose the former. But during the first day of use, to confirm there would be no heat load issue, I disabled PowerD and everything looked good.

            mbuf is already set to 1M, and from my tests you can see that NAT never eats > 60%, so I do have plenty of remaining CPU power for other packages.
            • ?
              Guest last edited by

              mbuf already being set to 1M, and from my tests you can see that NAT never eats > 60% so I do have plenty of remaining cpu power for other packages.

              If you are using PPPoE only one single CPU core is in use; if this is changed one day, it will run more smoothly, as I see it. PowerD is also there so that the CPU frequency is not frozen and only some MHz are used instead of the highest available frequency when that is all that is needed.
              • E
                edwardwong last edited by

                @BlueKobold:

                mbuf already being set to 1M, and from my tests you can see that NAT never eats > 60% so I do have plenty of remaining cpu power for other packages.

                If you are using PPPoE only one single CPU core is in use; if this is changed one day, it will run more smoothly, as I see it. PowerD is also there so that the CPU frequency is not frozen and only some MHz are used instead of the highest available frequency when that is all that is needed.

                In Hong Kong, unless people live in a very remote area or a building with very old infrastructure, most of our broadband uses FTTH/FTTB with fiber/CAT5 to the home; the last time I used PPPoE was about 6 years ago (FTTH for that building was built after I'd used PPPoE for a few months)  8)
                For commercial use, other than for backup purposes, no one is using PPPoE anymore.
                • ?
                  Guest last edited by

                  For commercial use, other than for backup purposes, no one is using PPPoE anymore.

                  Cool! Then you will get away from that single-core usage and all cores can be used to work on that WAN interface.
                  • E
                    edwardwong last edited by

                    @BlueKobold:

                    For commercial, other than those for backup purposes, no one is using PPPoE anymore.

                    Cool! Then you will get away from that single-core usage and all cores can be used to work on that WAN interface.

                    Yep, but with the fast development of the internet in the country, most people are using 300-1000Mbps broadband, and thus we are always chasing faster hardware for firewalls/routers :)
                    • E
                      edwardwong last edited by

                      BTW I'm still using a 4GB USB stick running as nanobsd, thinking about re-using the old 16GB PCI-E SSD from an Asus EEEPC for a full install.
                      I'm actually wondering, why can't we use HAVP + Proxy with nanobsd, with more memory as cache?
                      • E
                        Engineer last edited by

                        @edwardwong,

                        Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours.  Can you give the syntax (assuming it's built into pfSense / FreeBSD)?

                        Just curious as to how the two boards stack up with AES-NI and without.
                        • E
                          edwardwong last edited by

                          @Engineer:

                          @edwardwong,

                          Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours.  Can you give the syntax (assuming it's built into pfSense / FreeBSD)?

                          Just curious as to how the two boards stack up with AES-NI and without.

                          I did the test with reference to this document:
                          https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

                          Of course this is not an accurate test; the most accurate one would be done with 2 clients, but I don't have time so I'm using this as a simple reference.
                          • E
                            Engineer last edited by

                            @edwardwong:

                            @Engineer:

                            @edwardwong,

                            Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours.  Can you give the syntax (assuming it's built into pfSense / FreeBSD)?

                            Just curious as to how the two boards stack up with AES-NI and without.

                            I did the test with reference to this document:
                            https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

                            Of course this is not an accurate test; the most accurate one would be done with 2 clients, but I don't have time so I'm using this as a simple reference.

                            Here's what I came up with (modified to 256 from the 128 command since you stated 256)….

                            $ openssl speed -evp aes-256-cbc -engine cryptodev
                            engine "cryptodev" set.
                            Doing aes-256-cbc for 3s on 16 size blocks: 947833 aes-256-cbc's in 0.32s
                            Doing aes-256-cbc for 3s on 64 size blocks: 945487 aes-256-cbc's in 0.36s
                            Doing aes-256-cbc for 3s on 256 size blocks: 772576 aes-256-cbc's in 0.21s
                            Doing aes-256-cbc for 3s on 1024 size blocks: 457823 aes-256-cbc's in 0.20s
                            Doing aes-256-cbc for 3s on 8192 size blocks: 91829 aes-256-cbc's in 0.03s
                            OpenSSL 1.0.1l-freebsd 15 Jan 2015
                            built on: date not available
                            options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                            compiler: clang
                            The 'numbers' are in 1000s of bytes per second processed.
                            type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                            aes-256-cbc      47345.41k  168378.90k  937621.12k  2307991.39k 24072421.38k

                            • E
                              edwardwong last edited by

                              Yeah….the AES-NI contributes a lot; can you run it again without the crypto engine? I would like to compare. From some other online examples, AES-NI speeds things up about 5-10x.
                              • E
                                Engineer last edited by

                                @edwardwong:

                                Yeah….the AES-NI contributes a lot; can you run it again without the crypto engine? I would like to compare. From some other online examples, AES-NI speeds things up about 5-10x.

                                Something is wrong.  The numbers are as good or better.  Do I need to turn off AES-NI in the settings menu?

                                Edit:  Turned off AES-NI in the Advanced menu but no difference (I didn't reboot; I like my current 98 days of uptime).  Anyone have thoughts on why there's no change?

                                $ openssl speed -evp aes-256-cbc
                                Doing aes-256-cbc for 3s on 16 size blocks: 949961 aes-256-cbc's in 0.38s
                                Doing aes-256-cbc for 3s on 64 size blocks: 968692 aes-256-cbc's in 0.25s
                                Doing aes-256-cbc for 3s on 256 size blocks: 793691 aes-256-cbc's in 0.31s
                                Doing aes-256-cbc for 3s on 1024 size blocks: 456773 aes-256-cbc's in 0.19s
                                Doing aes-256-cbc for 3s on 8192 size blocks: 91937 aes-256-cbc's in 0.05s
                                OpenSSL 1.0.1l-freebsd 15 Jan 2015
                                built on: date not available
                                options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                                compiler: clang
                                The 'numbers' are in 1000s of bytes per second processed.
                                type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                                aes-256-cbc      40531.67k  247985.15k  650191.67k  2494589.61k 16067155.29k

                                • E
                                  edwardwong last edited by

                                  Try not to use the -evp option; it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, so you can actually add "-multi 4" as an option to run 4 encryptions together.
                                  But that's quite interesting, because I own a higher-end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is a problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.
                                  • E
                                    Engineer last edited by

                                    $ openssl speed aes-256-cbc
                                    Doing aes-256 cbc for 3s on 16 size blocks: 5467107 aes-256 cbc's in 3.00s
                                    Doing aes-256 cbc for 3s on 64 size blocks: 1562852 aes-256 cbc's in 3.00s
                                    Doing aes-256 cbc for 3s on 256 size blocks: 403469 aes-256 cbc's in 3.00s
                                    Doing aes-256 cbc for 3s on 1024 size blocks: 254859 aes-256 cbc's in 3.00s
                                    Doing aes-256 cbc for 3s on 8192 size blocks: 32236 aes-256 cbc's in 3.00s
                                    OpenSSL 1.0.1l-freebsd 15 Jan 2015
                                    built on: date not available
                                    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                                    compiler: clang
                                    The 'numbers' are in 1000s of bytes per second processed.
                                    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                                    aes-256 cbc      29157.90k    33340.84k    34429.35k    86991.87k    88025.77k

                                    With -multi 4 added on hardware (slower than single thread??)….

                                    $ openssl speed -multi 4 -evp aes-256-cbc -engine cryptodev
                                    engine "cryptodev" set.
                                    Forked child 0
                                    Forked child 1
                                    +DT:aes-256-cbc:3:16
                                    Forked child 2
                                    +DT:aes-256-cbc:3:16
                                    +DT:aes-256-cbc:3:16
                                    +DT:aes-256-cbc:3:16
                                    +R:836144:aes-256-cbc:3.000000
                                    +R:824538:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:64
                                    +DT:aes-256-cbc:3:64
                                    +R:857528:aes-256-cbc:3.000000
                                    +R:863606:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:64
                                    +DT:aes-256-cbc:3:64
                                    +R:811091:aes-256-cbc:3.000000
                                    +R:787191:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:256
                                    +DT:aes-256-cbc:3:256
                                    +R:838909:aes-256-cbc:3.000000
                                    +R:814793:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:256
                                    +DT:aes-256-cbc:3:256
                                    +R:657543:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:1024
                                    +R:671720:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:1024
                                    +R:682625:aes-256-cbc:3.000000
                                    +R:679516:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:1024
                                    +DT:aes-256-cbc:3:1024
                                    +R:420495:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:8192
                                    +R:418550:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:8192
                                    +R:426774:aes-256-cbc:3.000000
                                    +R:430329:aes-256-cbc:3.000000
                                    +DT:aes-256-cbc:3:8192
                                    +DT:aes-256-cbc:3:8192
                                    +R:91002:aes-256-cbc:3.000000
                                    +R:90558:aes-256-cbc:3.000000
                                    +R:90635:aes-256-cbc:3.000000
                                    +R:90792:aes-256-cbc:3.000000
                                    Forked child 3
                                    Got: +H:16:64:256:1024:8192 from 0
                                    Got: +F:22:aes-256-cbc:4397536.00:16793408.00:56110336.00:142865066.67:248496128.00 from 0
                                    Got: +H:16:64:256:1024:8192 from 1
                                    Got: +F:22:aes-256-cbc:4459434.67:17303274.67:57320106.67:143528960.00:247283712.00 from 1
                                    Got: +H:16:64:256:1024:8192 from 2
                                    Got: +F:22:aes-256-cbc:4573482.67:17382250.67:57985365.33:145672192.00:247493973.33 from 2
                                    Got: +H:16:64:256:1024:8192 from 3
                                    Got: +F:22:aes-256-cbc:4605898.67:17896725.33:58250666.67:146885632.00:247922688.00 from 3
                                    OpenSSL 1.0.1l-freebsd 15 Jan 2015
                                    built on: date not available
                                    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                                    compiler: clang
                                    evp              18036.35k    69375.66k  229666.47k  578951.85k  991196.50k

                                    • E
                                      edwardwong last edited by

                                      Try adding "-elapsed" when you use the hardware engine; according to the OpenSSL documentation this will perform better when using a hardware crypto method.

                                      But yeah, you can see the difference with/without AES-NI already  8)
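The numbers in the runs above are worth a second look. `openssl speed` divides the operation count by the CPU user time it measured inside its own process; when the work is done by the cryptodev engine that time is a fraction of a second (the "in 0.32s" and "in 0.03s" lines) and the derived rate balloons, which is exactly what `-elapsed` fixes by dividing by wall-clock time instead. The Python below is an added example, not code from this thread or from the pfSense project: it parses the "Doing ... blocks" lines of `openssl speed` output (the sample lines are copied from the runs quoted above), recomputes throughput both ways, flags runs whose measured CPU time is far below the requested duration, and computes the AES-NI speed-up against the plain software run at 8192-byte blocks. The function names and the 0.5 suspect-ratio threshold are my own choices.

```python
import re

# Constructed sample input: two 'Doing ...' lines copied from each of the runs
# quoted earlier in this thread (N3700 board, OpenSSL 1.0.1l). The cryptodev
# run reports fractions of a second of CPU time although it ran for 3s.
SAMPLE_CRYPTODEV = """\
engine "cryptodev" set.
Doing aes-256-cbc for 3s on 16 size blocks: 947833 aes-256-cbc's in 0.32s
Doing aes-256-cbc for 3s on 8192 size blocks: 91829 aes-256-cbc's in 0.03s
"""
SAMPLE_SOFTWARE = """\
Doing aes-256 cbc for 3s on 16 size blocks: 5467107 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 32236 aes-256 cbc's in 3.00s
"""

# Matches: Doing <cipher> for <n>s on <block> size blocks: <ops> <cipher>'s in <t>s
DOING_RE = re.compile(
    r"^Doing (?P<cipher>.+?) for (?P<dur>\d+)s on (?P<block>\d+) size blocks: "
    r"(?P<ops>\d+) .+? in (?P<secs>[\d.]+)s$"
)


def parse_speed_output(text):
    """Return one dict per 'Doing ...' line; every other line is ignored."""
    records = []
    for line in text.splitlines():
        m = DOING_RE.match(line.strip())
        if m:
            records.append({
                "cipher": m["cipher"],
                "duration": int(m["dur"]),   # requested run time per block size
                "block": int(m["block"]),
                "ops": int(m["ops"]),
                "secs": float(m["secs"]),    # CPU user time openssl measured
            })
    return records


def throughput(rec, use_elapsed=False):
    """Bytes per second. The default mirrors openssl: ops*block / measured CPU
    time. use_elapsed=True divides by the requested duration, as '-elapsed' does."""
    secs = rec["duration"] if use_elapsed else rec["secs"]
    return rec["ops"] * rec["block"] / secs


def is_timing_suspect(rec, ratio=0.5):
    """CPU time far below the requested duration means the work ran outside the
    process (kernel/driver), so dividing by CPU time overstates the rate."""
    return rec["secs"] < ratio * rec["duration"]


def summarize(text, use_elapsed=False):
    """Map block size -> (Mbit/s rounded to 0.1, timing-suspect flag)."""
    out = {}
    for rec in parse_speed_output(text):
        mbps = throughput(rec, use_elapsed) * 8 / 1e6
        out[rec["block"]] = (round(mbps, 1), is_timing_suspect(rec))
    return out


def speedup(text_accel, text_plain, block=8192):
    """Accelerated/plain ratio at one block size, both on wall-clock time."""
    accel = summarize(text_accel, use_elapsed=True)[block][0]
    plain = summarize(text_plain, use_elapsed=True)[block][0]
    return round(accel / plain, 2)


if __name__ == "__main__":
    for name, text in (("cryptodev", SAMPLE_CRYPTODEV), ("software", SAMPLE_SOFTWARE)):
        print(name, "as reported:", summarize(text))
        print(name, "wall-clock: ", summarize(text, use_elapsed=True))
    print("AES-NI speed-up at 8192-byte blocks: %.2fx"
          % speedup(SAMPLE_CRYPTODEV, SAMPLE_SOFTWARE))
```

Run against the thread's own figures, the plain run at 8192 bytes comes out at about 704 Mbit/s (the 88025.77k openssl printed, times 8), while the cryptodev run recomputed on wall-clock time is about 2006 Mbit/s rather than the 24 GB/s the "in 0.03s" divisor suggests, so the honest speed-up from AES-NI here is closer to 3x than to the headline number.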
                                      • K
                                        Keljian last edited by

                                        I don't understand why you are testing without it; in the "real world" you are never likely to be using the same chip without AES-NI.
                                        • E
                                          Engineer last edited by

                                          @Keljian:

                                          I don't understand why you are testing without it; in the "real world" you are never likely to be using the same chip without AES-NI.

                                          I would assume just to see how much extra throughput is gained via AES-NI vs. without.
                                          • K
                                            Keljian last edited by

                                            @Engineer:

                                            @Keljian:

                                            I don't understand why you are testing without it; in the "real world" you are never likely to be using the same chip without AES-NI.

                                            I would assume just to see how much extra throughput is gained via AES-NI vs. without.

                                            Yes, but I don't see when you would be without it if you had a processor that supports it. Seems counterintuitive.
                                            • L
                                              Limbi last edited by

                                              @edwardwong:

                                              Try not to use the -evp option; it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, so you can actually add "-multi 4" as an option to run 4 encryptions together.
                                              But that's quite interesting, because I own a higher-end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is a problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                                              Where should I put "-multi 4" to run 4 encryptions together?
                                              Thank you

                                              Ciao
                                              • E
                                                edwardwong last edited by

                                                @Limbi:

                                                @edwardwong:

                                                Try not to use the -evp option; it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, so you can actually add "-multi 4" as an option to run 4 encryptions together.
                                                But that's quite interesting, because I own a higher-end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is a problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                                                Where should I put "-multi 4" to run 4 encryptions together?
                                                Thank you

                                                Ciao

                                                Read the posts above, the answer is already there.
                                                • L
                                                  Limbi last edited by

                                                  @edwardwong:

                                                  @Limbi:

                                                  @edwardwong:

                                                  Try not to use the -evp option; it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, so you can actually add "-multi 4" as an option to run 4 encryptions together.
                                                  But that's quite interesting, because I own a higher-end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is a problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                                                  Where should I put "-multi 4" to run 4 encryptions together?
                                                  Thank you

                                                  Ciao

                                                  Read the posts above, the answer is already there.

                                                  I read that, but I'm a newbie and I don't know which file to edit.