
Hardware advice for new pfsense router


#1

I’m planning on building a pfsense router and wanted some advice on hardware requirements (this is new territory for me, and in part, I am doing this for the learning experience). The router should be able to: 1) route traffic, firewall, usual stuff, 2) 10Gb network, 3) VPN (potentially with Intel 8960 for quick assist to help with speed for encrypted communication), 4) IDS/IPS with Snort, others, ?

For my hardware requirement I’ve been basing my decision on a LTT video where a Supermicro barebones server was presented for a similar use case, although they would probably have more traffic; mine is for my home. The Supermicro server that I was trying to mimic is (https://www.supermicro.com/products/system/1U/5019/SYS-5019D-FN8TP.cfm). In that regard I was planning on a Xeon Silver 4110 (8C/16T) and Supermicro MB: MBD-X11SPI-TF per a Newegg combo deal: https://www.newegg.com/Product/ComboDealDetails.aspx?ItemList=Combo.3863504). I’d add a Intel 8960 later if I decided I wanted the quick assist feature.

My question is: Is this overkill? On the low end of the spectrum, I’d consider buying a Dell poweredge server T30: https://www.dell.com/en-us/work/shop/cty/pdp/spd/poweredge-t30/pet30_12084_3; which has a Xeon E3-1225 v5 (4C/4T). I don’t want to make this too broad of a question, but if there is an epyc option I should be thinking about, I’d consider that too; but my guess was that I’d be giving up some of the nice Intel features like AES-NI for help with encrypted traffic.

Thanks in advance for any help!


#2

Do you have 10Gb WAN coming into your home??? Or is this going to be an internal-only router in a 10Gb network? Keep in mind that a 10Gb switch behind a 1Gb router will still do 10Gb for LAN to LAN traffic.


#3

The 10Gb is just for the local LAN. The WAN speed is much lower, but I hope it will have 1Gb in the near future given what ISPs are doing.


#4

Would also ask what ISP speed you have and do you really have a use case for VPN to it at those full speeds?


#5

With that said, you don’t need more than a decent clock 4 core with AES on it.


#6

Right, currently I don’t have the WAN speed for a high speed VPN. But 1Gb up & down seems to be on the horizon for major cities so I think it will be a reality in the lifetime of the router.


#7

For a little context too: I did a test with transfer speeds on a local NAS. If I used just the SMB protocol I got 20x the speed of connecting via sshfs. The local NAS has a 4 core 1225 v3 with AES-NI. Not sure if more cores will help this though.


#8

True, but what use case would you need the VPN to run at those speeds? Also remember that the connection you are using remotely is going to affect your VPN speeds. Apart from streaming a Blu-ray rip from Plex to a hotel room, I am saying don’t put a lot of effort into maximum VPN throughput. Also, the processor specs I said above should handle routing at full gigabit. Let the switch do the 10gb handling. Also keep your IDS stuff at a decent security but not overkill headache level.


#9

Great points. However, one of the main use cases I want for the VPN is Plex streaming. Also, I probably should have mentioned this, but the router won’t be behind a separate 10Gb switch. It will also handle the switching (the MB has two 10Gb ports and I plan on adding an Intel NIC with 2 extra ports). Also, I should mention my gaming computers will be directly connected, so if by chance more cores help reduce latency (my guess is not) it would be worth it to me. One more thing I forgot—not sure it matters—I’d like to have 2 of the 10Gb lines from the router go to my NAS and aggregate/team the links (not sure my terminology is correct but my guess is you get the gist). Given these considerations, would you still go with the 4 core?


#10

What on earth do you need two 10gb links for to a NAS?
Redundancy is one thing, but teaming them together is just that thing you throw into a conversation to get the wow factor.
Does this NAS run full blown NVMe storage?

I guess if you have money burning a hole in your pocket then maybe an i7-8700k with 8gb of RAM and a 240gb SSD should suffice for all things needed.
While it would be a cool “hey look what I have for my router,” I just don’t think you need to waste money on something that overkill.
Personally, stick with a 4 core processor and buy a 10gb switch. Let the switch do what it was designed to do and let the router do what it was designed to do.


#11

Really appreciate the comments! Yeah, the aggregated link to the NAS is way over the top; my motivation is more from a learning standpoint. The 10Gb connection is desirable for faster transfer times for moving a ripped movie to the Plex server on the NAS. But in truth, I probably don’t do it that much to justify the cost. But, I wanted to get a good feel for the hardware requirements and make the decision based on that versus taking a stab in the dark on how much CPU power I need to do everything I might want. Again, really appreciate the time and feedback!


#12

You wouldn’t be able to saturate a single 10gb connection on a NAS unless you are doing multiple file transfers at a time or your NAS has SSD arrays. My pfSense has a 35w i3-4130T that supports AES-NI with 8gb RAM, a 60 ssd, and an Intel 1gb NIC. It handles everything that I throw at it and I don’t think I’ve seen it get over 25% cpu utilization unless there was something wrong like a php script stuck in a loop.

I would suggest spending the money on a 10gb switch instead of another add-in card for the router. If the router goes down then your whole network will be out, but if you use a switch then the LAN IP addresses will still be retained by the devices if you have them configured properly, so you’ll still have LAN communication if the router crashes for some reason. My desktop motherboard has 10gb onboard and my FreeNAS box has an Intel 10gb NIC. My largest FreeNAS vdev is a six-drive 7200 rpm 24TB array and I’ve seen max file transfers around 575MB/s. The transfer speeds are always going to be based on the slowest components.

I also use a VPN and the i3 has no problems with either. You don’t need a VPN for streaming from Plex if you have PlexPass. It’s encrypted anyway so I use a firewall rule to route Plex traffic outside the VPN.
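Several replies above boil the CPU question down to "a 4 core with AES-NI". The script below is an added example, not from any poster in this thread: it checks whether the host CPU exposes AES-NI (Linux `/proc/cpuinfo` or the FreeBSD/pfSense boot dmesg) and then benchmarks AES-256-GCM with OpenSSL twice, once normally and once with the AES-NI CPUID bit masked via `OPENSSL_ia32cap`, so you can see the speedup that feature actually buys on a candidate box. It assumes the `openssl` CLI is installed and that the `speed` summary line starts with the cipher name.

```shell
#!/bin/sh
# Added example (not from the thread): check for AES-NI and measure what it
# buys for AES-256-GCM, the cipher OpenVPN/IPsec configs typically use.
# Assumes Linux or FreeBSD/pfSense and the openssl CLI; OPENSSL_ia32cap is
# OpenSSL's documented way to hide CPUID bits (bit 57 = AES-NI).

# Return 0 if the running CPU advertises AES-NI, 1 otherwise.
aesni_present() {
    if [ -r /proc/cpuinfo ]; then                 # Linux
        grep -qw aes /proc/cpuinfo
    elif [ -r /var/run/dmesg.boot ]; then         # FreeBSD / pfSense
        grep -q '^aesni0:' /var/run/dmesg.boot
    else
        return 1
    fi
}

# Extract the 16 KiB-block throughput (last column, kB/s) from an
# `openssl speed` summary line such as:
#   aes-256-gcm  612345.12k  1987654.00k ... 4400000.00k
speed_kbps() {
    printf '%s\n' "$1" | awk '{ sub(/k$/, "", $NF); print $NF }'
}

# Ratio a/b with two decimals, i.e. the speedup of AES-NI over software AES.
ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", a / b }'
}

# Benchmark with AES-NI enabled and then masked off, and print the speedup.
bench_aes_gcm() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    hw=$(openssl speed -evp aes-256-gcm 2>/dev/null | grep '^aes-256-gcm')
    sw=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-256-gcm 2>/dev/null \
         | grep '^aes-256-gcm')
    hw_k=$(speed_kbps "$hw"); sw_k=$(speed_kbps "$sw")
    echo "AES-NI on:  ${hw_k} kB/s (16 KiB blocks)"
    echo "AES-NI off: ${sw_k} kB/s"
    echo "speedup:    $(ratio "$hw_k" "$sw_k")x"
}

# Only run the live checks when invoked as: sh aesni-check.sh run
if [ "${1:-}" = "run" ]; then
    if aesni_present; then echo "CPU reports AES-NI"; else echo "No AES-NI detected"; fi
    bench_aes_gcm
fi
```

On a NIC-bound home router the "AES-NI off" number is the one to compare against your expected WAN speed; if even software AES clears it with headroom, more cores buy you nothing for the VPN.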


#13

I wasn’t aware that 10Gb switches were as relatively cheap as they are (currently I’m looking at the Netgear XS708T - let me know if you have a different suggestion). I looked into that option after both your posts and I’m convinced you’re both right: the 10Gb switch is the better route (pun intended). Thanks again for taking the time to comment; your contribution on this topic led to actual results, not just empty words in the wind.