pfSense hardware

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
2.5 years and Rangeley/Avoton is still the go-to solution for networking.

So much for Intel's accelerated Atom development.
 

cdgonzalez

Dabbler
Joined
Dec 19, 2014
Messages
21
2.5 years and Rangeley/Avoton is still the go-to solution for networking.

So much for Intel's accelerated Atom development.

And the price has more or less risen on those models over the 2.5 years, it's crazy. I'm not hopeful for reasonable pricing on the Denverton line.
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
My goodness, that's ridonkulous! I'm paying about the same ($60 USD) for 50/5. It's crazy to hear what some people are able to get in some of the smaller countries. The US will always be relatively behind, we just have too much damn space!

Anyways, back to the OP, have you made a decision yet?

I fired away about a month ago and purchased the below for my pfSense build:

Supermicro C2558 Rangeley (2.4 ghz, 4-core, AES-NI and Quickassist enabled, 4 ports)
4gb ECC RAM (Had to go ECC here as non-ECC isn't supported on this board)
30GB mSata w/ 2.5in adapter
80W pico PSU and PS
M350 Mini-ITX Enclosure

Total cost = $380 USD

All parts from Amazon except board (Ebay $250) and RAM (Newegg $40)

A bit pricey for a Router/Firewall I know, but AES-NI was a must as I planned to move my traffic over VPN.

My only other cheaper AES-NI options were:

Netgate RCC-DFF 2220 System (1.7 ghz, dual core, 2 ports, AES-NI only) ($280) *Not yet available, date keeps getting moved back

and

Netgate RCC-VE 2440 System (same as above except 4 ports w/ Quickassist) ($350)

I figured I'd future proof myself a bit more for an extra 30-100 bucks. If you stretch that cost differential over a few years of blazing Routing and uber-Firewalling, then it's worth it IMO.

I turned my old Netgear R7000 running DD-WRT into a WAP and was also able to use it as a managed switch to VLAN my guest/neighbor (we split bill) network.

So far, I've got my OpenVPN running both ways, getting my full 50/5 ISP speeds. I'm also running Snort and experimenting with a few other packages. The highest CPU utilization I've seen so far with everything running full blast is about 15-20%. And from what I understand, pfSense hasn't even implemented AES-NI w/ OpenVPN or anything with Quickassist yet!

So I'm feeling really good about my purchase and that I'll get many years out of this bad boy!
Please help me decide on this.. C2558 Rangeley has 4 cores, and the C2758 has double the cores, up to 8.

Also, there is a huge price difference between the two.

C2758 Rangeley >> $299
C2558 Rangeley >> $234
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
What is your connection speed and what packages, if any, do you plan on running?
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
ISP connection speed is 60-80 mbps. VPN speed varies all the time.

I will use this mainly for VPN/proxy/UTM, and packages (I always want to do something new to experiment in my lab)?

Thanks..
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
2558 will be more than enough for your needs.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Please help me decide on this.. C2558 Rangeley has 4 cores, and the C2758 has double the cores, up to 8.

Also, there is a huge price difference between the two.

C2758 Rangeley >> $299
C2558 Rangeley >> $234

Yea, go for the 4-core. It's more than you'll ever need.

The 8-core is more of an enterprise level router, you won't see any benefit in home use.
 

lmannyr

Contributor
Joined
Oct 11, 2015
Messages
198
How are the pfsense boxes doing? Overkill, just right? Squid, or other packages running too. RAM, CPU, Disk, usage info would be nice too.

Looking to build a pfsense box in the next few weeks and just doing my homework.
 
Joined
Mar 6, 2014
Messages
686
Working fine for me. But due to family matters, I have not done much with it yet, except playing with the usual stuff like the DHCP server, firewall rules, NAT & forwarding. I play with VLANs, and also OpenVPN to connect to my home network. For these tasks, my setup is overkill, but I'm planning to look into pfBlocker / Squid / SquidGuard and also expanding my knowledge of VPN to utilize more functionality on my pfsense box. From what I've seen so far, I'm quite sure this box should have no problem running all that.
 
Joined
Feb 2, 2016
Messages
574
Yes, I'm the dumbass who resurrects a three-year-old thread. I apologize in advance.

Is the C2758 still the go-to for mid-sized pfSense installs with pretty heavy IPsec traffic?

We've been using a repurposed HP ProLiant DL360 G5 with dual Xeon E5345s as our corporate firewall for eight years. It is an absolute beast. Reliable - not even a reboot in four years - but draws massive amounts of power, is starting to show its age and is scheduled for replacement.

Since installed, we've greatly increased the number of branch offices feeding security video to the main office over IPsec, upgraded internet bandwidth from 50 mbps to 300 mbps, quadrupled employees, VLANed everything, gone 10G at the core and added half a dozen OpenVPN road warriors.

The C2758 seems like a solid choice except that it is already four years old, the new Atom C 3xxx processors seem just around the corner and the Supermicro A2SDi-H-TP4F seems especially tasty since it has native 10G.

Thoughts? Recommendations? Something we're missing entirely?

Cheers,
Matt
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
There are also some Xeon-D models with quickassist, but there's so many of them that I can't keep track of model numbers. I expect high-end C3000 Quickassist to be noticeably faster than on Xeon-D.
 
Joined
Feb 2, 2016
Messages
574

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
Right, that part has me a lot more confused than when I first researched this. On their website, they had numbers that very clearly hinted that Quickassist was being used - but it turns out support wasn't implemented yet?
I've spent the last four hours crawling around the internets and am more confused than when I started.
I know the pain...
 
Joined
Feb 2, 2016
Messages
574
clearly hinted that Quickassist was being used - but it turns out support wasn't implemented yet?

Near as I can figure, QuickAssist can be made to work with pfSense if you use specific QuickAssist add-in cards but it does not utilize the built-in QuickAssist functions built into Intel processors. And, even then, it seems experimental. There are different levels/versions of QuickAssist and it seems the cards are more robust and feature-rich than in-processor?

Unless I'm feeling really ambitious Monday morning, I'll probably just flip a coin and pick either the C2758 or the Xeon D-1518. Both are well-supported by pfSense, readily available and capable of pumping a lot more packets than what we have now at a fraction of the power draw. No real bad choice between the two.

In another six months, the Atom C 3xxx platform would probably be the better choice but it doesn't look as though pfSense supports the Intel X553 10G NIC chipset. (The ixgbe driver supports X553 but Denverton changed the ID so ixgbe doesn't recognize the NIC. Might be upstream in FreeBSD now but not in pfSense?)

Cheers,
Matt
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
I'd go with the Xeon D as it's much more powerful than the Atom. Especially if you're going to be doing any VPN stuff as it's mostly single threaded.
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,358
Just a rough finger in the air, I'd go with the Xeon D over the Avoton, purely because Avoton is now ancient, and cursed. And I wouldn't pick the dual-core 1508, I'd pick the quad core for twice the capacity.
 

Zwck

Patron
Joined
Oct 27, 2016
Messages
371
I recently bought on aliexpress an all-in-one pc that works well with my symmetrical 1Gbit internet, this is of course for home purpose not an enterprise solution I suppose. Anyway, here is the spec sheet.
Code:
QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U
Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211
Disk  : 240G Toshiba Sata SSD


Works well with pfsense 2.4 as well as 2.3. You can also check out the pfsense forum https://forum.pfsense.org/index.php?topic=132528.0 about other people who bought the same hardware. For me it serves as my router and my HAproxy is now installed there.

Cheers
 
Joined
Feb 2, 2016
Messages
574
Pulled the trigger on a Supermicro with Xeon D-1518 (quad core, eight threads). It has 10G as well as plenty of 1G ports, looks to be able to move five times the packets of what we have now at a quarter of the power draw. I'll follow up in a couple months when it is in production and we have a feel for how well it does.

Thank you, everyone!

Cheers,
Matt
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Any updates?
 
Joined
Feb 2, 2016
Messages
574
Any updates?

Working like a champ. No (hardware) problems at all (*).

pfSense recognized all the NICs which is always my (probably irrational) concern with embedded 10G ports. We put it online over Thanksgiving weekend and we haven't had a single issue.

Performance has been great but we aren't sure if a single Xeon D-1518 beats the old dual Xeon E5345s in raw performance. We never had CPU-related performance problems before and we don't have them now even with heavy IPsec VPN usage and OpenVPN for our roadies. I don't know what I was expecting but replacing an eight year old system with a fancy new system, well, I was kinda hoping to magically double our VPN throughput. (A guy can dream, right?)

Power saved on the new firewall is nothing short of amazing. I underestimated how much that old beast of a machine was pulling. I'm not sure how but, based on the front panel UPS display, the old server was pulling three or three and a quarter amps. Which is stupid high for a 1U firewall. It guzzled electricity. Even more than I thought when I was considering it for replacement. The new Supermicro 5018D-FN8T firewall sips electricity in comparison. Gained a few minutes of UPS runtime just by swapping out the firewall.

Pardon the delayed response. I should have followed-up in January. Thanks for all the advice and support. I don't care what anyone says about the FreeNAS support forums, y'all are great.

Cheers,
Matt

(* Migrating the configuration from the old firewall to the new firewall wasn't as seamless as I had hoped. Part of that was our fault: we were a version behind on the old firewall and started with the latest version of pfSense on the new firewall. Part of it seems that the more NICs you have, the more trouble the migration will be. Lot of interlinking between NIC names and rules and configurations. When you import the new config, some of the configuration doesn't get associated with the NICs as expected? We might have been better to start the new firewall with the same version as the old firewall and then upgrade on new hardware? Or it could just be we never do this and someone who knew what they were doing would have done it better? In any case, after the configuration was applied, it took three or four hours to tweak the configuration, copy and pasting and two-screen comparing the GUIs to make sure the new firewall worked just like the old firewall. But, not the fault of the hardware. Potentially a strong wetware issue.)
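
An added example, not part of the post above and not pfSense's own tooling: a pre-migration check that reads an exported config backup and lists which logical interfaces (and the firewall rules bound to them) point at NIC names the new hardware does not have. The element names follow the usual pfSense config.xml layout, which is an assumption here; the sample backup and the NIC names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup, not taken from the thread. Element names follow
# the usual pfSense config.xml layout (an assumption of this example).
OLD_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>bce0</if><descr>WAN</descr></wan>
    <lan><if>bce1</if><descr>LAN</descr></lan>
    <opt1><if>bce1.20</if><descr>CAMERAS</descr></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>wan</interface><descr>IPsec in</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><descr>Cameras to NVR</descr></rule>
    <rule><type>block</type><interface>wan,lan</interface><descr>Block bogons</descr></rule>
  </filter>
</pfsense>"""

# Constructed list of NIC names the replacement box reports.
NEW_NICS = {"igb0", "igb1", "ix0", "ix1"}


def migration_report(config_xml, new_nics):
    """Map each logical interface to its port, whether that port's parent NIC
    exists on the new hardware, and the rules that depend on it."""
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    report = {}
    for iface in ([] if interfaces is None else interfaces):
        port = iface.findtext("if", default="")
        parent = port.split(".", 1)[0]  # "bce1.20" is a VLAN on bce1
        rules = [
            rule.findtext("descr", default="(no description)")
            for rule in root.iterfind("filter/rule")
            # a rule may name several interfaces, comma separated
            if iface.tag in (rule.findtext("interface") or "").split(",")
        ]
        report[iface.tag] = {"port": port, "present": parent in new_nics, "rules": rules}
    return report


def needs_reassignment(report):
    """Logical interfaces whose rules would be left without a physical port."""
    return sorted(name for name, info in report.items() if not info["present"])


if __name__ == "__main__":
    for name, info in migration_report(OLD_CONFIG, NEW_NICS).items():
        state = "ok" if info["present"] else "MISSING"
        print(f"{name:5} {info['port']:8} {state:8} {info['rules']}")
```

Every interface flagged MISSING needs its port reassigned before the imported rules apply to the intended network.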
 