I just started a job at a school here in Germany (so apologies in advance if I translate something wrong). One of my first tasks was to get a so-called “Time for Kids School Router” (I attached a picture of its insides), which is a (rackmounted) router / filter customised for use in schools, running again, because it had some problems with the HDD and it is constantly running at 58 °C CPU temperature on idle. I was planning to replace the HDD with a NAS SSD. It was purchased in 2014, so its components are a bit old too. It has an Intel Atom D525 (2 cores at 1.8 GHz), 2 GB of DDR2 RAM (upgradable to 4 GB) and a total of 4 Gigabit network ports at the back.
I was wondering whether this performance is still suitable for a school router in 2020. I remembered that you can build your own router with pfSense. So my questions are the following:
Can I do the same things with a DIY pfSense router (filtering, logging, etc.) as with this old system?
Are the components of this old machine enough for our use, or what would be suitable specs for a DIY school router if I were to build one now? We have plenty of space in our network cabinet, so it can surely take up to 4U.
Does it make any difference if I put a 10 Gig NIC in a DIY router?
For context: our school has 700+ students and 6 iPad “boxes” with 15-16 iPads each for use in classrooms (web searching, watching tutorial videos on YouTube, …). WLAN APs are installed in the buildings (mostly Ubiquiti AP AC Lite). Students are not allowed to log in to the WLAN with their own devices; only teachers (50+) have the password for the WLAN, so they can use it with their own devices. We have 2 buildings (both with classrooms; the router is connected to a DSL modem in the main building) which are connected with several fibre optic cables, and the cabling in the walls is Cat. 7. It is also planned that we will get fibre optic internet this fall.
There might be some sort of half-truth there when you consider that some of these people might be working from home via VPN. In that case AES-NI would be a very nice thing to have for that kind of overhead, but it might still struggle if you had a lot of users trying to use it.
This is easily solved with a dedicated VPN appliance behind the firewall, of course, which I would assume the OP might be using in the form of RRAS on Windows Server.
The CPU in a pfSense box isn’t anything special; this is completely, 100% true. But to get any sort of real speed in there, you pretty much need a dedicated ASIC or FPGA chip. A general-purpose CPU will not be nearly fast enough to do packet filtering at 1 Gbps for more than a few connections at a time. Chances are your $50 home consumer gigabit router will be faster than a Ryzen 5 3600 at this specific task.
The Ryzen 3600 is a good CPU, don’t get me wrong; it’s just that it is not very good at switching packets compared to ASICs, just like it is not very good at pushing pixels to your screen.
Routing 1 Gbps of ~1500-byte packets on a 5 W Celeron J3455 with NAT and roughly 20 firewall rules, with a Realtek chip on one side and an el cheapo USB 3 gigabit adapter on the other side, leaves about 85% of my CPU idle. (This is a horrible CPU for a lot of use cases, btw… I needed a small x86 router back when I lived in an apartment and had no space for a small rack.)
In this case we’re not talking about 20-year-old Geode CPUs that Cisco chooses to use in its not-yet-EOL Cisco ASA 5505, or the anemic Avoton CPUs you’d find as the main CPUs running the OS in your (not-so-)modern big-name vendor switches, whose sole purpose in life is to twiddle a few registers of ASICs (which, btw, is what Netgate pfSense boxes use).
10 Gbps is very much on the low end of what modern CPUs do in software (assuming you don’t have horribly buggy drivers or network stack, which is why I prefer Linux to pfSense and pfSense users swear by Intel NICs).
Grab the latest Debian minimal image and a pair of 40 Gbps QSFP+ NICs and DAC cables off of eBay and hook them up to a pair of “gaming machines” to give them a spin. You’ll be pleasantly surprised (or possibly freaked out, if you work in low-end corporate IT where you pay tons of cash for big router company contracts).
Yeah, but how much traffic are you really routing? Or, to put it another way, how often is that line saturated?
This is exponential growth we’re talking about. Your setup is fine for a SOHO or household operation, not for hundreds of concurrent users that need filtering and traffic shaping of dozens of ongoing connections all the time.
Please, do yourself a favor and read up on network processing units (NPUs), because what you just said is pretty much the equivalent of “Of course the integrated graphics of an Ivy Bridge processor is capable of delivering 144 Hz 4K gaming!”
Incidentally, this point is pretty moot if you put in a slightly more expensive 4-NIC network card with built in switch core, like this one.
About a gigabit of mostly 1500-byte packets. It can do that whenever; it does that every time I move data between my Samba server and my Windows box (sitting on different VLANs).
I’m not suggesting that weak J3455, but was giving it as an example of a super weak CPU that can probably deal with a gig of casual browsing, YouTubing and torrenting without looking inside the packets too closely; clock for clock, an old Sandy Bridge might be faster.
Again, I’m not dismissing fancy programmable network cards either; they’re invaluable at high speeds, but they’re not cost-effective and they’re a pain to use, probably not worth it for small volumes under 40 Gbps IMHO. Definitely not under 10 Gbps.
You obviously did not understand the question. I own a $10 switch that can do the exact same thing and cost a whole lot less. It’s not a matter of how much throughput you have, but how different each packet is.
Any potato can route a single one-gig 2-terabyte file transfer these days. But the OP mentioned this:
I read that as “minimum 60 simultaneous users, up to 175-200 total users”. So your CPU will need to keep track of the state of 400-500 active connections at any one time, with peaks of 2000 active connections.
I could be wrong here, because I haven’t been experimenting with this in like five years, but last I checked the throughput of CPU-bound firewall routing bottlenecked at around 80 simultaneous connections on a quad-core, and the growth was exponential, meaning you required twice the CPU power for 10 more connections, quadruple for 20, and so on. Maybe it could handle 160 filtered channels today, but even then, your QoS will suffer.
Dedicated hardware NIC cards have a lot more parallel channels and use some early filtering tricks and white/blacklists to quickly identify ongoing sessions, which is how they manage to run packets so fast.
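The posts above argue about how many states (400-500, peaks of 2000) a school pfSense box would actually have to track. Rather than guessing, you can measure it: pfSense keeps every tracked connection in the pf state table, and `pfctl -ss` dumps it one state per line. The script below is an added example written for this thread, not code from pfSense or from anyone in the discussion. It parses that dump, counts states per protocol, per pf state name and per internal (pre-NAT) LAN host, and flags hosts that hold too many states or too many never-answered ones, which is also a cheap way to spot a device torrenting or scanning from inside the network. The sample dump, the `em0`/`em1` interface names, the 10.0.0.0/24 LAN, the WAN address 203.0.113.5 and the line layout the regex assumes (`<if> <proto> <src> [(pre-NAT src)] -> <dst> [(pre-NAT dst)] <state>`) are all constructed assumptions; check them against your own `pfctl -ss` output before relying on the counts.

```python
"""Summarise a pf state table dump (`pfctl -ss`) per internal host.

Added example for the forum thread; not pfSense code.
On a pfSense/FreeBSD box:  pfctl -ss | python3 pf_states.py
With no piped input the constructed SAMPLE below is used instead.
"""
import re
import sys
from collections import Counter

# Constructed sample in the assumed `pfctl -ss` layout:
#   <if> <proto> <src>:port [(pre-NAT src)] -> <dst>:port [(pre-NAT dst)] <state>
# 203.0.113.5 is the (assumed) WAN address, 10.0.0.0/24 the LAN.
SAMPLE = """\
em1 tcp 203.0.113.5:51234 (10.0.0.21:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.5:51235 (10.0.0.21:51235) -> 142.250.74.46:443       ESTABLISHED:ESTABLISHED
em1 udp 203.0.113.5:40001 (10.0.0.22:40001) -> 9.9.9.9:53       MULTIPLE:SINGLE
em1 tcp 203.0.113.5:51300 (10.0.0.22:51300) -> 198.51.100.7:80       TIME_WAIT:TIME_WAIT
em0 tcp 10.0.0.23:55000 -> 10.0.0.1:443       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.5:52001 (10.0.0.24:52001) -> 203.0.113.90:6881       SYN_SENT:CLOSED
em1 tcp 203.0.113.5:52002 (10.0.0.24:52002) -> 203.0.113.91:6881       SYN_SENT:CLOSED
em1 tcp 203.0.113.5:52003 (10.0.0.24:52003) -> 203.0.113.92:6881       SYN_SENT:CLOSED
em1 udp 203.0.113.5:52004 (10.0.0.24:52004) -> 203.0.113.93:6881       SINGLE:NO_TRAFFIC
em1 udp 203.0.113.5:52005 (10.0.0.24:52005) -> 203.0.113.94:6881       SINGLE:NO_TRAFFIC
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)(?:\s+\((?P<src_orig>\S+)\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<dst>\S+)(?:\s+\((?P<dst_orig>\S+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)

# pf state pairs where the far side never answered (unanswered SYN, one-way UDP).
HALF_OPEN = {"SYN_SENT:CLOSED", "SINGLE:NO_TRAFFIC"}


def strip_port(endpoint):
    """Drop the port: pf prints IPv4 as a.b.c.d:port and IPv6 as addr[port]."""
    if "[" in endpoint:
        return endpoint.split("[", 1)[0]
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Parse `pfctl -ss` output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # The parenthesised pre-NAT address, when present, is the real LAN host.
        d["host"] = strip_port(d["src_orig"] or d["src"])
        entries.append(d)
    return entries


def summarize(entries):
    """Totals per protocol, per pf state name and per internal host."""
    return {
        "total": len(entries),
        "by_proto": Counter(e["proto"] for e in entries),
        "by_state": Counter(e["state"] for e in entries),
        "per_host": Counter(e["host"] for e in entries),
    }


def suspicious_hosts(entries, max_states=200, max_half_open=3):
    """Hosts holding more states, or more unanswered states, than the thresholds."""
    total, half_open = Counter(), Counter()
    for e in entries:
        total[e["host"]] += 1
        if e["state"] in HALF_OPEN:
            half_open[e["host"]] += 1
    flagged = {}
    for host in total:
        reasons = []
        if total[host] > max_states:
            reasons.append(f"{total[host]} states")
        if half_open[host] > max_half_open:
            reasons.append(f"{half_open[host]} half-open")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_states(text)
    s = summarize(entries)
    print(f"{s['total']} states; by protocol: {dict(s['by_proto'])}")
    print("by pf state:", dict(s["by_state"]))
    for host, n in s["per_host"].most_common(10):
        print(f"{host:>16}  {n}")
    for host, why in suspicious_hosts(entries).items():
        print(f"FLAG {host}: {', '.join(why)}")
```

Run it a few times during a busy lesson and the `total` line tells you the real state count the firewall carries, which is the number the sizing argument above actually hinges on. The thresholds in `suspicious_hosts` are starting points, not tuned values: a normal browsing client on a modern site holds a few dozen states, so a single host at several hundred, or with many half-open states, is worth a look.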