Currently running pfSense (Intel® Xeon® CPU E5-2609 0 @ 2.40GHz 4 CPUs, 8GB RAM) in ESXi on a Dell R720. I would like to go with a standalone hardware appliance, as having a 2U server running at home is a bit overkill right now. Looking for suggestions. Using pfBlockerNG, Suricata, OpenVPN, etc.
Looking at the following:
Want enough horsepower to be able to do filtering/IDS/IPS etc., with horsepower and throughput to spare.
I bought a Dell Outlet Inspiron 3880 for $250 OTD.
i3-10100 4c8t 3.60GHz w/ 4.3GHz turbo.
4GB of memory. It came with 4, I stuck in an extra 8GB stick for 12 total.
1TB 7200 RPM HDD. I replaced it with a 500GB HGST server grade 7200 RPM drive.
I bought an Intel i350V2T4 network card which fits in its only available PCI slot. It’s Dell’s small form factor, so it has a small footprint.
With defaults + Suricata it pushes my 1000/1000 line just fine. I did add some tunables which helped.
Currently 1G/35Mb. Also do a bunch of BOVPN and OpenVPN for work. Don’t mind paying a bit extra for the speed and performance. Those were the models I have been looking at to replace what I have virtually.
I don’t have anything in the wild running everything you are looking for, but the spec on the 1100 seems to indicate that it will more than cope with the general load; keep in mind that’s without filtering/IDS/IPS (I assume you are thinking Suricata).
I do have a spare 1100 on my desk that I keep thinking I should take home. If I get around to it I’ll post back up here, but it’s been there for 5 months now (just to give you a timescale…)
If you want that kind of horsepower out of that small of a footprint, you are going to pay the tax for it. You are basically wanting a device that can push (1 gig I assume) with everything enabled. Anything in the NUCish form like protectli can easily get around $1,000.00 versus a similar spec’d SFF or mATX for half the price.
I mean the FW6E starts at $700.00 with an i7 8550U (no RAM, HDD, etc.). The i3-10100 outperforms that i7 by miles (nearly 80% in some cases) with only a 40 watt higher max TDP (mere pennies in energy cost). The ability to upgrade is also gone with no PCIe slots, minimal RAM slots, and so forth.
It’s an 8th gen i7 (laptop cpu basically) vs a 10th gen i3.
I have my doubts but no real world experience with the atom processor used in the 5100.
Turns out the solution was, as you suggested, setting Crypto Hardware as: AES-NI CPU-based acceleration.
Now I get close to 900 Mbps in both directions. But interestingly, the C3758 is nearly maxed out (CPU usage at 94%) when it’s on the download side. The i3 is solid, encryption causing the CPU to roll along at 40%.
I’m not going to lie, I’m a huge fanboy of the i3-10100 for routing. For home use, it can do everything as long as you have the RAM to match it. And it even has iGPU support.
If you are considering the SG-5100 then the HP T620 Plus or the T730 thin client with an i340-T4/i350-T4 card could work as well. It would have 2 fewer network ports, but hey, that’s what VLANs are for!
I just bought 2 for $85 each on eBay and added an i340-T4 card and a 32GB M.2 SSD. It has an AMD quad core processor, 2.7GHz base with turbo at 3.6GHz. It came with 4GB RAM but is upgradable up to 16GB (official), and there have been reports that up to 32GB RAM works as well. All in, it came to $126 each. I am going to set up a P2P VPN (IPsec or OpenVPN) and connect my parents’ house with mine. I use OPNsense instead of pfSense though.
Cheap when bought used, comparable to the SG-5100 in terms of cpu + RAM etc. and can handle your connection speed pretty easily. Plus, near silent operation.
I haven’t done any IDS/IPS but since it is similar in configuration to SG-5100, you might be surprised.
I have kind of a corollary question/issue for non-Netgate hardware pfSense users: to what extent do the processor(s) actually inhibit bandwidth throughput? I have been running pfSense/pfBlocker/Suricata on a dual-homed HP thin client with an AMD G-T56N dual core processor running at 1.6 GHz with 4 GB of RAM. (I am not sure if I am actually using these in 64-bit mode, since if I run sysctl -a | grep -i, I can see the following: “kern.sched.cpusetsize: 32”, which leads me to believe I may have missed a BIOS setting and might be running in 32-bit mode, or some compatibility mode that defaults to 32-bit.)

My “problem” is that pfSense running on this hardware seems to be passing no more than about 640 Mbps (of an available 970 Mbps) through the firewall/IDS. This is perplexing to me, since the processors never seem to indicate more than about 30% usage for more than a few seconds, the RAM seems similarly taxed, and as far as I can tell the little firewall/IDS never pages anything to swap. This really isn’t hurting me at the moment, since I have a family of five sitting behind the firewall and no one complaining of slow performance, but I will be moving a production environment of 24 end users behind a pfSense firewall in the next couple of months, and I had planned to install pfSense on an old Optiplex 7010 SFF with 8 GB of RAM and a quad core i5 to do that. I am now wondering if I have enough compute for that environment in the Optiplex, or whether I should bite the bullet and buy a Netgate 3100 to be sure. That has a dual core running at 1.6 GHz as well, but seems to have much better reported firewall throughput than I am getting on non-Netgate hardware.

So my questions are two: how important is the processor speed for this type of application, and how much more optimized is the performance on Netgate-specific hardware?
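For the 32-bit question in the post above, and the AES-NI point raised earlier in the thread: an added check script, not from any of the posters. On FreeBSD (and so pfSense/OPNsense) the reliable indicator of kernel bitness is hw.machine_arch (the same value uname -m prints), which reads amd64 for a 64-bit kernel and i386 for a 32-bit one; kern.sched.cpusetsize is the size in bytes of a cpuset_t and says nothing about 32 vs 64 bit. AES-NI support shows up as AESNI in the CPU feature flags the kernel logs to /var/run/dmesg.boot, and dev.aesni.0.%desc appears once the aesni(4) driver has attached. The function names and the sample sysctl/dmesg text are constructed for the example.

```shell
#!/bin/sh
# Platform sanity checks for a pfSense/FreeBSD firewall: 64-bit kernel, CPU count,
# AES-NI in the CPU, and whether the aesni(4) driver attached.
# Added example for this thread; function names and sample data are constructed.
# Real use:  sysctl -a > /tmp/sysctl.txt && sh check.sh /tmp/sysctl.txt /var/run/dmesg.boot

# Pull one key out of text in `sysctl -a` format ("key: value"), read from stdin.
sysctl_value() {
    awk -v key="$1" 'index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }'
}

# True (0) if hw.machine_arch / uname -m names a 64-bit kernel.
# kern.sched.cpusetsize is sizeof(cpuset_t), not an indicator of 32 vs 64 bit.
is_64bit_arch() {
    case "$1" in
        amd64|arm64|aarch64) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) if the kernel's CPU feature line (dmesg.boot on stdin) lists AESNI.
cpu_has_aesni() {
    grep -Eq 'Features2=.*[<,]AESNI[,>]'
}

# True (0) if the aesni(4) driver attached: FreeBSD then exposes dev.aesni.0.%desc.
aesni_driver_loaded() {
    grep -q '^dev\.aesni\.0\.%desc:'
}

# One-line summary. $1 = file with `sysctl -a` output, $2 = file with dmesg.boot.
platform_summary() {
    arch=$(sysctl_value hw.machine_arch < "$1")
    ncpu=$(sysctl_value hw.ncpu < "$1")
    if is_64bit_arch "$arch"; then bits=64; else bits=32; fi
    if cpu_has_aesni < "$2"; then cpu_aes=yes; else cpu_aes=no; fi
    if aesni_driver_loaded < "$1"; then drv_aes=yes; else drv_aes=no; fi
    printf 'arch=%s bits=%s cpus=%s aesni_cpu=%s aesni_drv=%s\n' \
        "$arch" "$bits" "$ncpu" "$cpu_aes" "$drv_aes"
}

# Constructed sample data, shaped like an amd64 box with AES-NI and the driver loaded
# (flag values are illustrative, not copied from real hardware).
SAMPLE_SYSCTL='kern.ostype: FreeBSD
hw.machine: amd64
hw.machine_arch: amd64
hw.ncpu: 4
kern.sched.cpusetsize: 32
dev.aesni.0.%desc: AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS'

SAMPLE_DMESG='CPU: Intel(R) Core(TM) i3 CPU (3600.00-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX,RDRAND>'

# With two file arguments, report on that box; with none, the functions are just defined.
if [ "$#" -eq 2 ]; then
    platform_summary "$1" "$2"
fi
```

If the summary says bits=32 on an x86 box, the fix is a reinstall with the amd64 image, not a BIOS setting; if aesni_cpu=yes but aesni_drv=no, the CPU can do it and the OS simply has not loaded the driver, which is what the "AES-NI CPU-based acceleration" crypto hardware setting mentioned earlier in the thread turns on.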
As previously mentioned, a Netgate 3100 has less CPU power than an i3 or i5 in general. I’m using an Optiplex 7020 for pfSense with IDS, and it hits the limit of my cable internet at 300 Mbps.
How are you measuring your router throughput? I recommend iperf3; it can reliably saturate even 10G Ethernet.
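To make the iperf3 suggestion concrete: an added example, not part of the thread, showing where to put the two endpoints so every byte crosses the firewall, how to test both directions, and how to reduce iperf3's text summary to a percentage of the nominal line rate. The host names, the line-rate figure and the sample iperf3 output are constructed; the 640 of 970 Mbps figures come from the question earlier in the thread.

```shell
#!/bin/sh
# Measure firewall forwarding throughput with iperf3 and judge it against line rate.
# Added example for this thread; host names, line rate and sample output are constructed.
#
# Topology assumed: iperf3 server on a LAN host behind the firewall, client on the
# WAN side (or on another firewall interface), so the traffic is actually forwarded.
#
#   lan-host$ iperf3 -s
#   wan-host$ iperf3 -c lan-host -t 30 -P 4        # wan-host -> lan-host
#   wan-host$ iperf3 -c lan-host -t 30 -P 4 -R     # -R reverses the direction
#
# -P 4 runs four parallel streams so one stream's TCP window is not the limit;
# test both directions, since IDS/IPS load is not symmetric.

# Print the receiver-side rate in Mbit/s from iperf3's text summary (stdin).
# iperf3 prints one "receiver" line per stream and, with -P, a "[SUM]" line;
# the last "receiver" line is the aggregate, whichever form it takes.
iperf_receiver_mbps() {
    awk '/receiver/ { rate = $(NF-2); unit = $(NF-1) }
         END {
             if (unit == "Kbits/sec") { rate = rate / 1000 } else if (unit == "Gbits/sec") { rate = rate * 1000 }
             printf "%.0f\n", rate
         }'
}

# Percentage of the nominal line rate delivered. $1 = measured Mbit/s, $2 = line rate Mbit/s.
percent_of_line() {
    awk -v m="$1" -v l="$2" 'BEGIN { printf "%.0f\n", 100 * m / l }'
}

# Verdict. A result well below line rate while the CPU sits mostly idle points at
# something other than raw CPU (NIC driver, single-stream window, inline IDS),
# so the next step is to repeat the run with IDS/IPS off and with a single stream.
judge() {
    pct=$(percent_of_line "$1" "$2")
    if [ "$pct" -ge 90 ]; then
        echo "ok: ${1} Mbit/s is ${pct}% of line rate"
    else
        echo "bottleneck: ${1} Mbit/s is only ${pct}% of line rate; re-test with IDS/IPS disabled, then with -P 1"
    fi
}

# Constructed sample of an iperf3 client summary (four streams).
SAMPLE_IPERF='[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec   573 MBytes   160 Mbits/sec    0             sender
[  5]   0.00-30.01  sec   571 MBytes   160 Mbits/sec                  receiver
[SUM]   0.00-30.00  sec  2.24 GBytes   642 Mbits/sec    0             sender
[SUM]   0.00-30.01  sec  2.23 GBytes   640 Mbits/sec                  receiver'

# usage: sh measure.sh <saved-iperf3-output> <line-rate-mbps>
if [ "$#" -eq 2 ]; then
    judge "$(iperf_receiver_mbps < "$1")" "$2"
fi
```

Save the client output with `iperf3 -c lan-host -t 30 -P 4 -R | tee download.txt` and run the script on it with the provider's nominal rate; do the same for the upload run. Measuring from a host on the firewall itself, or between two hosts on the same LAN, tells you about the hosts and the switch, not about forwarding.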