NIC question for build



  • Hi,
    I'll preface this with me stating I'm new to pfsense and was hesitant to ask this question prematurely.  I'll happily take a direction to a thread for any stupid questions.

    I'm looking to build a pfsense box.  I'm currently running a Netgear R7000 with a 1Gb/250Mb FTTH service.  I'm moving and will no longer have access to that service.

    I work for the ISP I use currently and they can only give me a 30Mb/2Mb VDSL2 line at my new home.  I can also get a 300Mb/20Mb connection from TimeWarner.  I will probably get both, as I'll get the 30Mb service for free…so two services.  I'd expect our buildout to be offering me the 1Gb/250Mb service in 12-24 months though, so building with that in mind.

    I'm not interested in bonding or multi-linking the WAN, I fully understand the issues involved (or I'd "shotgun" a second VDSL line from my employer and at 60Mb or less, it just doesn't seem worth it).  However, I would love to enable fail over support.

    I have an older i5-2500k system with 8Gb of RAM.  I'd probably start with that, as it'll be more than capable of running pfsense.

    Now my question...NIC's.

    I'll need two obviously for the two WAN ports.  I'm also interested in running link aggregation(2) to my LAN.  I have a Cisco SG300-10 switch.  I have a NAS and another file server that are both connected with link aggregation via the switch on the home network.  I know it's not entirely "necessary" to do this...but if I can without huge expense, I'd like to.

    So I need 4 NIC's for this.  Two for WAN, two for LAN.  I've seen some slightly confusing posts about the 4 port Intel boards.  Would the consensus be that I'd be better off grabbing two Dual NIC Intel solutions, as opposed to a single quad NIC?

    Or am I completely overthinking this and any system overhead experienced by doing link agg on a quad NIC board will never show up as an issue for me?



  • As long as the card has enough bandwidth, quad port is fine.
    Some cheaper builds or expansion boards might have quad port with a PCI-E x1, which obviously doesn't have enough bandwidth if all 4 ports are running at full speed. But if you get those proper cards like the Intel i350 quad port, those are PCI-E x4 cards which are definitely able to handle the traffic.

    An i5 is overkill for 1G, too much power consumption for a firewall. You can refer to my build here to see that we can have a much more lightweight device for that.



  • Thanks for the advice!

    I agree that the system will be overkill, but I have it and have no other specific use for it now and would only need to add the NIC's.  I'll start with this, get familiar, see how much benefit pfsense gives me.  I may decide to grab one of the lower power setups down the road, but I'm buying a house right now(first house) so I have plenty of furniture and other costs to absorb.



  • I work for the ISP I use currently and they can only give me a 30Mb/2Mb VDSL2 line at my new home.  I can also get a 300Mb/20Mb connection from TimeWarner.  I will probably get both, as I'll get the 30Mb service for free…so two services.

    30 and 300 MBit/s will not be the real problem, as I see it.

    I'm not interested in bonding or multi-linking the WAN, I fully understand the issues involved (or I'd "shotgun" a second VDSL line from my employer and at 60Mb or less, it just doesn't seem worth it). However, I would love to enable fail over support.

    That would also not be a problem.

    I have an older i5-2500k system with 8Gb of RAM.  I'd probably start with that, as it'll be more than capable of running pfsense.

    Would really be a pfSense bomb, and might run for a very long time for you.

    Now my question…NIC's.

    Go for a refurbished or used Intel i350 or i354 one with four ports, that's it.

    I'll need two obviously for the two WAN ports.  I'm also interested in running link aggregation(2) to my LAN.  I have a Cisco SG300-10 switch.

    Why? For the 300 + 30 MBit/s at the WAN ports that is not necessary, or? The SG300-10 is routing between
    the VLANs or the plain but entire LAN traffic. It's a Layer3 switch, so wire speed will be inside of the LAN
    between the devices there.

    I have a NAS and another file server that are both connected with link aggregation via the switch on the home network.  I know it's not entirely "necessary" to do this…but if I can without huge expense, I'd like to

    For sure you will be able to realize it, but if the SG300 is routing the entire LAN traffic it must not be run
    through the pfSense firewall, or?

    So I need 4 NIC's for this.  Two for WAN, two for LAN.  I've seen some slightly confusing posts about the 4 port Intel boards.  Would the consensus be that I'd be better off grabbing two Dual NIC Intel solutions, as opposed to a single quad NIC?

    Dual port NICs will also match well, like the quad port variant from Intel.

    Or am I completely overthinking this and any system overhead experienced by doing link agg on a quad NIC board will never show up as an issue for me?

    Those things none of us can answer for you; this also depends on the devices and their horsepower.
    Try it out and then report it to us.



  • @tullnd:

    Thanks for the advice!

    I agree that the system will be overkill, but I have it and have no other specific use for it now and would only need to add the NIC's.  I'll start with this, get familiar, see how much benefit pfsense gives me.  I may decide to grab one of the lower power setups down the road, but I'm buying a house right now(first house) so I have plenty of furniture and other costs to absorb.

    Try to think about the power consumption, your i5 has a 95W TDP, while mine is just 7.5W max. I don't know how much you pay for electricity, for me, a 90W difference per hour means running the firewall 1~1.5yrs the extra electricity I pay for = cost of new board



  • @edwardwong:

    @tullnd:

    Thanks for the advice!

    I agree that the system will be overkill, but I have it and have no other specific use for it now and would only need to add the NIC's.  I'll start with this, get familiar, see how much benefit pfsense gives me.  I may decide to grab one of the lower power setups down the road, but I'm buying a house right now(first house) so I have plenty of furniture and other costs to absorb.

    Try to think about the power consumption, your i5 has a 95W TDP, while mine is just 7.5W max. I don't know how much you pay for electricity, for me, a 90W difference per hour means running the firewall 1~1.5yrs the extra electricity I pay for = cost of new board

    I'm totally with you on power consumption.  I need to make sure I'm gonna stick with this setup before I throw much money at it though.  I live in the USA, so electricity is pretty darn cheap here.  It'd take 3-4 years for me to even approach the cost of return on a $300 system, and by then there'd be newer stuff out that's even more efficient.  I'm more concerned with heat, but my new home has a huge basement I can place the system in, so no real concerns about heat/noise, if it's gonna be secured down there.

    I sourced a SuperMicro 8x PCI-E card with 4 GBe ports that was referenced in another thread I found (the same one pfsense recommends) and picked it up off eBay for just $45 shipped (did a "make offer").  So for now, I can use an extra computer with a $45 investment just to get it up and running, figure out what all features I want to use.  If I decide to stay with it, I'll look at buying something dedicated later this year.



  • That would be fine, I live in HK, in summer it can be 100F with high humidity, really not good to put such a "heater" at home (previously I had an old PC which uses 95W TDP CPU at home, I put it in my room and after half a day, my room was 9F higher than other room  :( ), so I have to find a good way to minimize the heat load at home.



  • I live in the USA, so electricity is pretty darn cheap here.

    Be happy about that! You have cheap electric power and 1 GBit/s line rate as internet connection, go with a
    4 core Intel Core i5 @3,xGHz and all is fine for you. 8 GB on top of this and you might be happy also with
    Snort and Squid. A refurbished quad port Intel server grade NIC and you will be fine for a longer time to go.



  • @edwardwong:

    That would be fine, I live in HK, in summer it can be 100F with high humidity, really not good to put such a "heater" at home (previously I had an old PC which uses 95W TDP CPU at home, I put it in my room and after half a day, my room was 9F higher than other room

    95W TDP does not mean it dissipates 95W all the time. You may be surprised to know that most modern processors (post Sandy Bridge) use about 7-10W most of the time.



  • @BlueKobold:

    Go for a refurbished or used Intel i350 or i354 one with four ports, that's it.

    I'm curious.

    What does the i350/i354 have that the significantly easier to find (and cheaper) Intel Pro/1000 PT (82571EB) doesn't, in your opinion?

    I have three 82571 based dual port adapters and one quad port, and they have always worked great, but I wonder if there is something I am missing out on?



  • @mattlach:

    @BlueKobold:

    Go for a refurbished or used Intel i350 or i354 one with four ports, that's it.

    I'm curious.

    What does the i350/i354 have that the significantly easier to find (and cheaper) Intel Pro/1000 PT (82571EB) doesn't, in your opinion?

    I have three 82571 based dual port adapters and one quad port, and they have always worked great, but I wonder if there is something I am missing out on?

    Bigger queues
    SR-IOV
    Lower consumption (5W vs 15W)
    Faster interface
    More of the TCP/IP stack offloaded
    More cache
    On chip QoS

    Off the top of my head



  • What does the i350/i354 have that the significantly easier to find (and cheaper) Intel Pro/1000 PT (82571EB) doesn't, in your opinion?

    There are actual cards, nothing more but also nothing less. You and all others can surely go with any card
    you find useful or cheap enough. At this moment I personally prefer to go and consider the Intel i210 and
    Intel i350 or i354 NICs because they are pretty new, good driver supported in pfSense and cheap to get.
    What more should be there to consider that cards? And I am pretty sure that will not change in the near
    future otherwise if in 2017 or 2018 new Intel NICs will be released and also well driver supported I would
    then recommend them if I am using them or many success stories here in the forum will be up and shown.

    I have three 82571 based dual port adapters and one quad port, and they have always worked great, but I wonder if there is something I am missing out on?

    If you are sorted with cards and you are really impressed by them, go with them how long you want and
    how long they will work. And feel free to suggest them to anybody or all peoples, pfSense users and customers.

    I am a more quality, server grade and/or on newer hardware orientated user, other may see this different
    and love their older but well running hardware and want to go longer with them, and yes only because
    something exist, it must not be changed into newer hardware, but if something new is standing out, I
    would first think of the newer hardware that is well driver supported and running in pfSense or
    any other OS.



  • @BlueKobold:

    What does the i350/i354 have that the significantly easier to find (and cheaper) Intel Pro/1000 PT (82571EB) doesn't, in your opinion?

    There are actual cards, nothing more but also nothing less. You and all others can surely go with any card
    you find useful or cheap enough. At this moment I personally prefer to go and consider the Intel i210 and
    Intel i350 or i354 NICs because they are pretty new, good driver supported in pfSense and cheap to get.
    What more should be there to consider that cards? And I am pretty sure that will not change in the near
    future otherwise if in 2017 or 2018 new Intel NICs will be released and also well driver supported I would
    then recommend them if I am using them or many success stories here in the forum will be up and shown.

    I have three 82571 based dual port adapters and one quad port, and they have always worked great, but I wonder if there is something I am missing out on?

    If you are sorted with cards and you are really impressed by them, go with them how long you want and
    how long they will work. And feel free to suggest them to anybody or all peoples, pfSense users and customers.

    I am a more quality, server grade and/or on newer hardware orientated user, other may see this different
    and love their older but well running hardware and want to go longer with them, and yes only because
    something exist, it must not be changed into newer hardware, but if something new is standing out, I
    would first think of the newer hardware that is well driver supported and running in pfSense or
    any other OS.

    Ah,

    My philosophy is slightly different.  I like using very mature enterprise/server grade hardware, provided it performs well enough.

    It tends to be more stable.

    I'd be interested in newer chipsets like the i350/i354 if they perform better in real world tests though.



  • @edwardwong:

    @tullnd:

    Thanks for the advice!

    I agree that the system will be overkill, but I have it and have no other specific use for it now and would only need to add the NIC's.  I'll start with this, get familiar, see how much benefit pfsense gives me.  I may decide to grab one of the lower power setups down the road, but I'm buying a house right now(first house) so I have plenty of furniture and other costs to absorb.

    Try to think about the power consumption, your i5 has a 95W TDP, while mine is just 7.5W max. I don't know how much you pay for electricity, for me, a 90W difference per hour means running the firewall 1~1.5yrs the extra electricity I pay for = cost of new board

    Idle TDP of my wife's i5 3.5GHz 6MiB cache quad-core Skylake is 4 watts, even though it has a 65 watt TDP. The bigger issue is the entire platform, motherboard, etc. Now it's about 40 watts idle.

    Those C2758 Atom CPUs are wicked awesome. They only became available at retail about 1 month after I built my Haswell i5 firewall.



