pfSense hardware

Joined
Mar 6, 2014
Messages
686
I profoundly disagree with this statement. Parameter firewall is a critical piece of the network infrastructure and I would never deploy used old PCs. That doesn't even make economic sense, as old PCs have significantly higher electric consumption.
....
I would go with an Atom motherboard, 2-4 GB of RAM, a 16GB SSD and Gigabit Intel controllers regardless of your current ISP speed. I have a bunch of such machines (purchased/built for under $250) running OpenBSD in production.
....
It is true that for a home situation anything more than a single core Atom and 256MB of RAM is way overkill.
So what exactly is your advice then?
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Given the number of connections that a minimal C2558 pfsense computer is capable of handling according to the pfsense website, I should have thought that any recent (? ten years) 64bit computer was well capable of handling anything a home network could use without effort. So I would concentrate on relatively low power, reliable components. Something intended for server use like C2558 and a high quality PSU would be overkill, but nice if you could afford it, and, with BSD, you have to be a bit careful about driver availability. So Intel CPU and Intel NICs would be desirable, and check your proposed chipset with the FreeBSD compatibility lists. Something like the Supermicro A1SAM has 4 Intel NICs built in so saves some money though it is relatively large (microATX) and ridiculously expensive.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I profoundly disagree with this statement. Parameter firewall is a critical piece of the network infrastructure and I would never deploy used old PCs.

First off, that's "perimeter", not "parameter," and second off, we're talking a deployment for a home user, where "network infrastructure" typically is "NAT gateway", a switch, and an access point. The home users typically have as a prime requirement the desire to keep costs low. We know. Lots of them come to FreeNAS hoping to repurpose that old desktop, which doesn't work well for FreeNAS, but isn't so bad - at least in some cases - for pfSense.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Given the number of connections that a minimal C2558 pfsense computer is capable of handling according to the pfsense website, I should have thought that any recent (? ten years) 64bit computer was well capable of handling anything a home network could use without effort.

Nearly enough correct, unless you're dredging around at the bottom of the performance curve, like, let's say, Atoms (D525 etc), or have a ridiculously large pipe (gigabit).

So I would concentrate on relatively low power, reliable components. Something intended for server use like C2558 and a high quality PSU would be overkill, but nice if you could afford it, and, with BSD, you have to be a bit careful about driver availability. So Intel CPU and Intel NICs would be desirable, and check your proposed chipset with the FreeBSD compatibility lists. Something like the Supermicro A1SAM has 4 Intel NICs built in so saves some money though it is relatively large (microATX) and ridiculously expensive.

There's a bunch of J1900 based stuff out there that's probably generally suitable for such use. Some good discussion over at

https://forum.pfsense.org/index.php?topic=78955.15

etc.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Given the frequency with which 'home routers' have to be rebooted, I suspect ECC RAM might be quite desirable for a firewall; this may be a non-sequitur, as other causes are possible, but cumulative one bit errors may well have noticeable effects on function.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Given the frequency with which 'home routers' have to be rebooted, I suspect ECC RAM might be quite desirable for a firewall; this may be a non-sequitur, as other causes are possible, but cumulative one bit errors may well have noticeable effects on function.

While I have a strong preference for ECC, and I agree that cumulative one bit errors could be undesirable...

I doubt any consumer-grade gear uses ECC in such a role, and I'll bet that a good chunk of "pro"-grade gear doesn't either. Most of the data on a NAT device is moving through the network and is protected by, for example, TCP checksums, and the network is typically moderately resilient to a bit corruption here or there. Bit corruption in the executable code or internal data structures could result in crashing (maybe of a service, maybe of the box) but the damage is also quite possibly going to be to something relatively irrelevant.

The frequency with which home routers have to be rebooted has a lot more to do with overall code quality than with ECC. Consumer grade devices are designed with the cheapest hardware, and have firmware written by a team of angry coders who've been given half the hardware resources that they'd prefer to have as a bare minimum, writing code under deadline, and who then are often shuffled onto another project once the crapNAT has shipped, so the remaining one poor guy who has been retained to "support" the product gets burnt out and quits, and there's no more updates, or, worse, updates from "contractors" who are brought in to try to "fix" a "critical" problem. The prime concern is getting the crapNAT out the door and onto the shelves, which makes the money, after which point, the user is stuck with the device, and the company has very little incentive to support the device further. So what if it crashes frequently?

When you look at something like pfSense (or, yay, FreeNAS!), the project works the other way around... it is the platform itself that users are buying into, and the platform continues to mature and evolve, developed by the same group of developers. Sure, iXsystems is doing it in order to sell TrueNAS boxes, but that product isn't seen as a "release-and-forget-about-it" product line.

If you look at the experience of the crews releasing software like OpenWRT, you can see that it's possible to release high quality software for networking devices. They're also well aware of the tradeoffs device manufacturers have made, and owners of these devices have figured out how to work around at least some of those.

I hope this gives you some idea of why I don't think ECC is a significant problem for these devices. I certainly think that you can reduce the failure modes and get a more reliable device by using high quality software, and a well designed hardware platform (which can include ECC).
 

Oko

Contributor
Joined
Nov 30, 2013
Messages
132
So what exactly is your advice then?

I personally have a half dozen of these

http://www.ebay.com/itm/Supermicro-...ount-Server-/110686406110?pt=LH_DefaultDomain

in production but they are overkill for home user.

I just saw this on e-bay

http://www.ebay.com/itm/Intel-D2500...805?pt=LH_DefaultDomain_0&hash=item19e55470f5

Make sure it has dual Intel LAN controllers, not crappy Realtek. If you get it significantly cheaper with Realtek or slower LAN, go for it and add a dual Intel PCI NIC. You can find one used for $10 on e-bay.

Add 2GB HDD and 16 GB SSD. You don't even have to use the case. Or you can make some really cute looking case yourself.

OpenBSD people really like this

http://www.pcengines.ch/alix.htm

but they are a little pricey. I like Axiomtek hardware but it is very pricey. Jetway might have something nice and cheap.
 

titan_rw

Guru
Joined
Sep 1, 2012
Messages
586
While I have a strong preference for ECC, and I agree that cumulative one bit errors could be undesirable...

I doubt any consumer-grade gear uses ECC in such a role, and I'll bet that a good chunk of "pro"-grade gear doesn't either.
.............
If you look at the experience of the crews releasing software like OpenWRT, you can see that it's possible to release high quality software for networking devices.

I've got a consumer NAT Gateway: Linksys E4200 running dd-wrt which is 100% completely stable. I think it ran for 600 days last time before I had to reboot it due to changing the UPS it was plugged in to.

Very occasionally I'll have to release / renew my IP via its web interface, but I've never had to reboot it to 'fix' the internet.

I very much doubt it's using ECC RAM. As jgreco says, it's all about the software of such devices. I never ran the official linksys software on it so I can't compare to stock.

At some point I'll replace it with a 'proper' pfsense box. But it's doing its job well for now, and it's dead nuts stable.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
all about the software

Mostly about the software. The hardware sometimes often sucks too, but for some reason they tend to build them well enough that they at least survive the warranty. Things that make you go "hmmmm."
 
Joined
Mar 6, 2014
Messages
686
I do have a Cisco/Linksys EA6500 and there are dd-wrt builds for it. But I doubt it will be able to handle 500Mbit with all the things I would like it to do, with all the devices and including VPN.
 

Wolf666

Dabbler
Joined
Mar 20, 2015
Messages
14
I do have a Cisco/Linksys EA6500 and there are dd-wrt builds for it. But I doubt it will be able to handle 500Mbit with all the things I would like it to do, with all the devices and including VPN.

Definitely not.
From pfSense hardware specification:

101-500 Mbps
Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters. No less than a modern Intel or AMD CPU clocked at 2.0 GHz.

501+ Mbps
Server class hardware with PCI-e network adapters. Multiple cores at > 2.0GHz are required.

It is a matter of throughput.
Ref.: https://www.pfsense.org/hardware/

Hardware specification for pfSense should be kept in consideration with the same attention we all have for FreeNAS.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Mostly about the software. The hardware sometimes often sucks too, but for some reason they tend to build them well enough that they at least survive the warranty. Things that make you go "hmmmm."
My current pfsense testbed/tinkering box is an old firebox x700. Hardware is basically crap (PIII, 256MB SD-RAM, 6x realtek 8139 10/100 NICs, and a Safenet crypto-accelerator), but it does its job remarkably well for passing packets.

Despite all these things and being 10 years old, I feel it is still way better than a new D-Linksys-Gear home flaming-crap-in-a-box. Probably not a good choice though for those younguns who don't know what a serial cable is.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Definitely not.
From pfSense hardware specification:

101-500 Mbps
Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters. No less than a modern Intel or AMD CPU clocked at 2.0 GHz.

501+ Mbps
Server class hardware with PCI-e network adapters. Multiple cores at > 2.0GHz are required.

It is a matter of throughput.
Ref.: https://www.pfsense.org/hardware/

Hardware specification for pfSense should be kept in consideration with the same attention we all have for FreeNAS.

Naw, it's more complicated than that. You can definitely find workloads where you can cram 101-500Mbps through a D525, and you can also find workloads where you melt a "server class" modern box.

The problem is that users like guarantees. Just like I wouldn't suggest less than 32GB for iSCSI (even though it works), the pfSense people want to suggest things that are likely to work for most people. Real world, you can probably make do with less.

I say this as someone who's been routing packets with FreeBSD for 20+ years. Too many variables to make broad generalizations.
 
Joined
Mar 6, 2014
Messages
686
Definitely not.
From pfSense hardware specification:

101-500 Mbps
Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters. No less than a modern Intel or AMD CPU clocked at 2.0 GHz.

501+ Mbps
Server class hardware with PCI-e network adapters. Multiple cores at > 2.0GHz are required.

It is a matter of throughput.
Ref.: https://www.pfsense.org/hardware/

Hardware specification for pfSense should be kept in consideration with the same attention we all have for FreeNAS.
Yeah, I was just replying to the "I have an E4200 and it works" comment. I know it will not do the job for me ;)
 

titan_rw

Guru
Joined
Sep 1, 2012
Messages
586
Yeah, I was just replying to the "I have an E4200 and it works" comment. I know it will not do the job for me ;)

I wasn't claiming anything about the E4200's potential. Throughput wise with dd-wrt it's not great. I max out at about 75 mbit. Which is fine for now because I only have 50 mbit internet. I doubt it would make a very good VPN client / server, but I don't need it for that.

I was stating that it's extremely stable despite the fact that I very much doubt it has ECC memory.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
How about this?

Netgate RCC-DFF 2220 System
nano-ITX Communications Board with
2 core Intel® Atom™ C2338 CPU, 2GB memory and 2 GbE Ethernet Ports
Linux CentOS 7

Available for pre-order. Delivery begins 30 June 2015.

Overview

This cost-optimized nano-ITX edge device based on the dual core Intel Rangeley family C2338 is perfect for OEMs looking for NFV-enabled CPE, security, small cell or other embedded, edge and communication appliances. When it's time for volume deployment, Netgate can supply RCC-DFF in an OEM branded customized solution to fit your specifications.

This is your reliable, low-power production platform of choice for cost-sensitive embedded, edge and communication appliances. The fanless RCC-DFF 2220 dense form factor works as the core for your small cell, wireless, intelligent CPE, VoIP endpoint and security edge device.

RCC-DFF 2220 System Specification
  • 2 core Intel Atom C2338 CPU, 1.7 GHz
  • Compact nano-ITX 120x120mm form factor
  • 2 GB DDR3L Non ECC Memory on board
  • 4GB eMMC flash on board
  • 2x 10/100/1000Base-TX GbE Ethernet Ports (RJ-45)
  • Anodized black enclosure with three SMA/RP-SMA cutouts
  • 1x M.2 connector
  • 1x mPCIe connector with microSIM slot
  • 1x USB 2.0 Host ports
  • 1x Mini-USB Serial Console Port
  • Reset Pushbutton
  • Power/Status LED
  • Front Panel Header
  • 2-pin header for optional RTC Battery
  • 12 VDC Power Input Connector
  • Coreboot boot loader
  • AC/DC Auto-Ranging Switching Power Adapter
  • Fanless operation from 0°C to 65°C ambient temperature.
  • Enclosure size: 5.3" x 5.2" x 1.5"
  • FCC, CE Class B
  • RoHS Compliant
  • Default software load is CentOS 7, with additional packages to support all available cores on this platform.
Power Supply Information
  • Power Supply: External ITE P/S AC/DC 100-240V, 50-60 Hz, 12V 4.16A
  • AC Inlet: IEC320-C14 (3 PIN)
  • Power Cord: NEMA 5-15P to IEC320-C13
  • Ships with US style 3 prong power cord. Easily changed to non-US style by purchasing a IEC320-C13 (3 PIN) compatible power cord (visual example).
Additional Information
  • Netgate Quick Start Guide for CentOS 7 (TBD)
  • Installation Guides are available (here). These installation guides serve as templates for installing other operating systems and application software to be supplied or developed by you. Installation guides exist for:
    • CentOS 7.1
    • Debian 7.8.0
    • FreeBSD 10.1
    • OpenBSD 5.6
    • OPNSense 15.1.9
    • pfSense 2.2.2 (ADI Community Version)
  • This platform specific information may be useful if you are trying to load a different OS on this system:
    • RCC-DFF Platform User Manual R101: User manual for ADI's RCC-DFF Nano-ITX platform based on the Intel C2000 Product Family (PDF)
    • RCC-DFF Quick Start Guide R102: Quick Start Guide for RCC-DFF Nano-ITX platform based on the Intel Atom C2000 Product Family (PDF)
http://store.netgate.com/mobile/ADI/RCC-DFF-2220.aspx


It's based on the Rangeley C2338, hasn't been released yet for some strange reason (nevermind, reason is prob cuz this is in nano-itx), but looks like the PERFECT future-proofed, VPN, pfsense box for the home user and a bit more reasonable on cost.

I wish I could just find the mobo in C2338 or C2358 in mini/nano-itx though.

Edit: oh wait, here we go
http://store.netgate.com/mobile/ADI/RCC-DFF-2220-board.aspx
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Here is what I did. I always wanted to have my own VM lab. So, for approx $300 I got a second TS140 (my first one is FreeNAS), an extra 8GB of memory, and an Intel PRO/1000 Dual Port NIC. Set up Xenserver, with the NIC in hardware passthrough mode to a virtualized pfSense. Perhaps overkill, but this gave me a lab platform for testing FreeNAS via VM and other Linux machines that I play with. And if I ever decide to use more packages on pfSense, I can just allocate more CPU and memory.

Upgrading pfSense is extremely easy, just snapshot VM, install new upgrade. If it doesn't work, revert snapshot.
 

Crotalus

Dabbler
Joined
May 5, 2015
Messages
22
My first post with you guys!

I thought I would try FreeNAS so I signed up for the forum and found this thread. I thought I would add my two cents for what I did for a pfSense build. I had an old Linksys router that was giving me problems; I had to power it down/up daily as the thing would stop working. Comcast said the problem was on my end. MicroCenter was having a great sale the day after Christmas, the prices were good and most items came with rebates. The store was like Black Friday. This is what I did for a home setup.

Motherboard - Gigabyte GA-H97N-WIFI ITX --> I didn't need the WIFI and FreeBSD does not recognize the Intel Dual Band wireless AC model #7260HMW. Also one of the NICs is an Atheros AR8161 GB and it also is not recognized by FreeBSD. The other NIC is an Intel Pro 1000. The Atheros NIC is supported in version 11.0 STABLE. That required getting an Intel NIC add-in card.

Memory - DDR3 4GB 1600

Processor - INTEL Celeron G1840 -- I wanted the G1820 but the price of the G1840, $35.00, was less than the G1820

Storage - SanDisk 64GB SSD --> Overkill, but the price was excellent.

Case - Silverstone ML05 --> Beautiful small case.

PSU - Silverstone SST-ST30SF SFX form Factor --> I have never heard or seen the fan run.

I have CRON, NUT (Battery Backup), pfBlockerNG, squid, and squidGuard installed. I have downloaded a blacklist for squidGuard and am no longer subjected to obnoxious ads. I also use the system as the DHCP server.

I completed the build and brought it online in the middle of January and it has caused no problems of any kind. To date I have never used more than 12% of the CPU. That occurred when somebody was trying to enter every port one at a time for an hour or so and was being blocked. The typical use is 1% to 3%. The core temperature has never gone over 44C. It is using 13% of the memory and 2% of the drive. The unit is in my basement, which is typically cool.

I know that this is overkill but I am as happy as a frog on a lily pad.

Keith
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Wow, yea with that CPU, who needs AES-NI?!? I imagine, even under load it's at idle....lol

Any idea on power usage?
 

Fraoch

Patron
Joined
Aug 14, 2014
Messages
395
I built the following to use as a Sophos UTM but after having troubles getting it working with my router I may turn it to pfSense:

- Supermicro X10SLV-Q - a very nice mini-ITX board with two onboard Intel network interfaces (i217 & i210AT, much like my X10SLM used for FreeNAS)
- Intel Core i3 4370...the consensus was that quad-core was overkill so I went with the fastest dual-core to date. Yes it's massive, massive overkill but it should use the same amount of power at idle as any dual-core Haswell.
- 2 X 4 GB Crucial Ballistix DDR3 SODIMM
- 128 GB Crucial M550 mSATA SSD
- Antec ISK-110 VESA mini-ITX case. It's about the smallest case you can get. It can hang off the back of a monitor with VESA mounts. It comes with a 90 W DC-DC power supply powered by an included laptop-style brick. I believe it's discontinued, unfortunately.
- Noctua NH-L9i low-profile cooler. This just fits the case and is silent even at full speed.

I had my doubts that the 90 W PS would be enough but it works fine.

I got Sophos UTM to install fine on it but had troubles integrating it into my network so I tried pfSense on it. pfSense runs fine but gives indications during install that it does not like the mSATA drive. It will only run off a USB key. I haven't tried the most recent pfSense build or done extensive troubleshooting though.

It should be extremely powerful and doesn't consume a whole lot of power - 10-15 W idle, 65 W peak. The Core i3-4370 should have no problem at all with Snort or just about anything else I can throw at it.
 