I’ve decided I want to do a custom build and thinking through the CPU selection. Obviously there are a plethora of choices but I have primarily been focused on finding something that is about 35W output or less, has a minimum of 4 cores, onboard graphics and supports AES-NI. The motherboard will have Intel ethernet ports and minimum 2 PCI x16 slots so that I can add a QAT card and NIC as appropriate.
It seems the 6-core chips offer a better bang for the buck and the AMD chips offer that same bang but with higher clock speeds. Assuming you can find the GE chips, which is hard.
This raises the following two questions:
Does pfSense respond best to more cores or more clock speed? For instance, would an 8-core i7-11700T provide better performance than the 6-core i3-12100T, i5-12400T or Ryzen 5-5600GE?
I know NIC’s need to be Intel, but do I need to be concerned with compatibility issues if I would lean towards the AMD chips & motherboards?
I’m using a Dell Optiplex 9020 SFF at home and in my office. Both are configured with the i5-4570 | 32GB RAM | 500GB SSD. I’ve never came close to hitting the 50% mark on system utilization, my office has a few servers running several services, 3 wireless networks and roughly 15 endpoints. My office has several site-to-site VPN’s connected at any given time, and a few wireguard sessions.
Personally I would stick with what is known to be working, stable and extremely functional which is Intel. Or just buy a netgate device and not worry about anything.
Thank you @ZebraOverlords. And I agree that Intel is likely the tried & true way.
What kind of line speed are you getting from your ISP and are you able to maintain that speed? I suspect VPN will slow down. What kind of speeds are you getting on those? Really interested to hear feedback on the Wireguard VPN portion as most items are reported as OpenVPN or IPSEC.
Lastly, what kind of packages are you running? I’m looking at Suricata, pfBlockerNG, Squid, SquidGuard and LiteSquid. I would be looking at probably 6-8 different VLAN’s with various rules to direct traffic but trying not to go overboard on rules.
I get fiber from my ISP, 1000Mbps is the speed I’m paying for after everything I can get 600Mbps down with 150Mbps up most of the time.
As for packages I have [acme, bandwidthd, bind, freeradious, nmap, openvpn, wireguard, syslog]
I’m running 2 pi-hole servers on both setups, roughly 6 VLAN’s on the home network and 11 at my office. I’ve got what some might call some pretty tight rules with segregation and what not.
Further into office: 3 Server 2019 Servers, 2 FreeBSD and 2 Ubuntu all of which are running on a 3 host xcp-ng & xen orchestra HA setup. Some of the services are email server, phone system, crm, wazuh, etc.
@ZebraOverlords that’s a fairly significant drop in line speed vs actual throughput. What do you think is causing the reduction in throughput? My first thoughts are more hardware would help get you there, but you indicated you are maxing out around 50% CPU usage which doesn’t make sense to me.
Perhaps I just don’t understand how pfSense works well enough.
Also, not sure how this affects pfSense but apparently Gen 11 and 12 CPU’s are having issues, or were as of Feb 2022. I’m trying to do more research but going with older proven hardware or Netgate hardware is likely safer.
Probably the NIC in my MBP, my office is in the far corner of the building. Don’t hook up an Ethernet cable as I don’t care for dongle life all the time. I’m sure I could test other devices and it would be better…I’m using WiFi 6 LR’s so no reason for a hardware limitation either from this or the pfsense box.
Ahhh. Wireless makes a difference. To get 1gb you will need to be on the wire. I’d think 600-ish on Wi-Fi 6 is about normal. Might get a little better if you had the ideal setup in regards to range, etc. I am a little confused why your upload suffers @ 150 if your ISP offers symmetrical speeds up & down.
Funny what I consider suffering now, lol. I just got symmetrical fiber about a year ago. The year before I was on cable with 1gb down and 35mb up.
You are a handful of the few that I’ve heard say this. Usually most folks thinks it’s overpriced. However when you look at compatibility, 10gb ports, low power consumption, etc then I don’t think it’s as bad as some proclaim. The 6100 would fit me fine for the most part. I was just trying to be greedy and push 1gb on VPN. In reality the tested 500mb speeds would be sufficient.
I understand this, and anything where speed matters is hardwired. Anything else I could really care less lol compared to speeds I was getting 5 years ago and god forbid 10 years ago this is still amazing.
These are the limitations of the business plan surprisingly. We had another fiber company move in and another in the next year or so. I’m sure plans will be better structured with some good ol fashioned competition in the are.
I don’t care about price if it’s backed by stability, performance and support. I own a business and support other businesses. I could care less about the price and I can say the same for my clients as none have complained.
Moving on to your other comment.
I’ve been more than pleased with the UniFi equipment being under my pfsense firewall, everything communicates properly and I haven’t had any issues. I’ve always self hosted the controllers on a debian box, and or Ubuntu server.
Hope my previous comments didn’t come across the wrong way. You seem well versed and smarter than me in regards to networking.
I also remember speeds from 5-10 years ago and we have came so far. We too operate a small business and I’m less worried about cost as I am reliability. Thankfully we have a pretty great fiber ISP. We also have a cable ISP option that offers 1gb down and 50mb up but word is they are horrendous. We moved here about a year ago and I immediately jumped on fiber because of symmetrical speeds then learned of their superior reputation with the local community. So I don’t have any experience with the cable ISP but at least have a backup option if things go awry.
In regards to the controller, I toyed with the idea of self hosting. We just aren’t quite there yet. We are just now transitioning to pfSense + Unifi so the “easy button” controller seemed better for now. Later we plan to expand and I expect we will also self host.
Self hosting just gives you more control of your data, all the data is stored on something you manage. You can have a controller on basically anything. Windows, Linux, etc. Windows is probably the easiest to host on for most and you can use either OpenJDK or Jave, personally I use OpenJDK. You can use any distro really, some are more difficult than others but Ubiquiti provides good documentation, and while I don’t recommend copy/paste text from the internet you can find some good guides that do just that. Show you how to install the controller, offering a text box to copy with the correct commands.
They are more or less the same outside of one is hosted through hardware you purchased and the other is hosted on something you configure. I run all of mine on VM’s, it’s nice since even with a huge UnIFi infrastructure it’s still a low resource thing.
