Pfsense Box - Hardware Selection

SiliconSwitch (Limp Gawd; joined Feb 6, 2006; 233 messages)
I am planning a build that can theoretically handle 1Gbit/s VPN encryption/decryption. The goal was to get a CPU with AES-NI, iGPU, good single thread performance (OpenVPN is only single threaded), perhaps some extra cores for Wireguard use in the future. A Mobo with dual Intel NICs (for pfSense) and for the entire build to draw as little power as possible and be as quiet as possible. This is what I have come up with:

| Part | Description | Price |
|---|---|---|
| CPU | Intel Pentium G5420 --> High single core speed and AES-NI | $50 |
| Mobo | Asrock H370M-itx/ac --> Dual Intel NICs | $100 |
| RAM | 8GB DDR4-2400 G.Skill Ripjaw V | $30 |
| Storage | WD Green 240GB M2 SSD | $40 |
| PSU | Seasonic SGX-500 --> Silent under 150W, SFX form factor | $100 |
| Case | Silverstone ML05 --> Small footprint, horizontal design | $40 |
| TOTAL | | ~$360 |

I had considered going with an i3-9100 however I don't think the extra 2 cores will be of much use for my application, due to the single threaded nature of OpenVPN. The G5420 has a high enough clock speed to give it decent single core performance, and it has AES-NI. This Mobo also seems to be one of the only viable dual Intel NIC mini-itx options out there.

What do you all think? Will this be able to handle 1Gbit/s? Any suggestions?
 
If you're not planning on using the available IPS modules (Suricata and Snort), that seems perfect. If you do want to use IPS, might be worth grabbing the extra cores!
 
When is Suricata or Snort needed? This is my first pfsense build so I am still learning this stuff.

I don't plan on forwarding any ports to/from the outside (no SSH from outside), however I guess ports 80/443 will still need to be open for HTTP/S traffic? Would I need Suricata then?
 
> When is Suricata or Snort needed? This is my first pfsense build so I am still learning this stuff.
>
> I don't plan on forwarding any ports to/from the outside (no SSH from outside), however I guess ports 80/443 will still need to be open for HTTP/S traffic? Would I need Suricata then?

I believe pfSense is an implicit allow out, and an implicit deny in.

So you should not have to create allow rules to permit 80 and 443 traffic out.

For home, if you don't plan on allowing any inbound traffic from the internet, not a lot of purpose in enabling IPS engines if you're not permitting traffic in. This is not the case in businesses, though.
 
> For home, if you don't plan on allowing any inbound traffic from the internet, not a lot of purpose in enabling IPS engines if you're not permitting traffic in. This is not the case in businesses, though.
I've viewed it as a 'curious' extra layer of protection. I agree that if there is no internal 'serving' going on that it shouldn't be much of an issue, it's more that an IPS can be used to scan traffic going out to indicate if there's something going on inside the network. Of course the utility is limited due to the use of TLS and the difficulty of inspecting that traffic as well as the impacts to sites and services that the OP may need.
 
> I've viewed it as a 'curious' extra layer of protection. I agree that if there is no internal 'serving' going on that it shouldn't be much of an issue, it's more that an IPS can be used to scan traffic going out to indicate if there's something going on inside the network. Of course the utility is limited due to the use of TLS and the difficulty of inspecting that traffic as well as the impacts to sites and services that the OP may need.

Bingo!
 
Main reason I mention IPS is that it's usually the reason to run PFSense; everything else can be performed with less hassle using dedicated hardware. I was surprised to see it omitted from the OP, as basically anything today can run PFSense as just a router, firewall, and VPN concentrator given how fast basic CPUs are and that AES-NI (or equivalents) are included pretty universally.
 
> Main reason I mention IPS is that it's usually the reason to run PFSense; everything else can be performed with less hassle using dedicated hardware. I was surprised to see it omitted from the OP, as basically anything today can run PFSense as just a router, firewall, and VPN concentrator given how fast basic CPUs are and that AES-NI (or equivalents) are included pretty universally.

The main reason I decided to build my own box is due to OpenVPN. I have a gigabit connection and I would like to try and achieve somewhere close to gigabit speeds over OpenVPN. This will require good single thread performance which I was unable to find in most of the single board computer solutions (APU2, Qotom, Odroid etc.). Even the high end Qotom boards with an i5-5200U will be much slower than the G5420 in single thread. If you can point me to another solution which beats the G5420 in single thread for less than $360, I would be delighted!
 
Try Wireguard instead?
OpenVPN is notoriously inefficient...

I will certainly be giving it a try, especially now that it is getting more adoption from VPN providers. I figured if I build a box that can hit my speeds on OpenVPN, as inefficient as it may be, then I will be able to do it with wireguard easily. If the goal was wireguard only, I would definitely have considered some of the lower clocked quad core CPUs.

My only concern now is if the G5420 will be able to handle the VPN + Suricata if I choose to run it. My feeling is that for my use case it will be sufficient, but you have certainly got me considering an i3-9100F...
 
I think your list is a good choice. The CPU says it supports ECC which is nice too. You can go crazy on extra cores with higher TDP as you mentioned, but I believe you hit the sweet spot. Personally I would go with something under 35W TDP, but I don't have your needs.

That CPU single-thread Passmark score is 2370. https://www.cpubenchmark.net/cpu.php?cpu=Intel+Pentium+Gold+G5420+@+3.80GHz&id=3471

If you're into more research, check out the single-thread Passmark values from others on the pfSense forums who post their OpenVPN throughput. Do the math and extrapolate from there. I did something similar when picking my Plex server hardware to handle my streaming re-encoding needs.

One last tidbit....FreeBSD can be a bit behind Windows, so make sure everything is supported.
 
Personally I doubt you will hit 1gbps with OpenVPN on any CPU unless you use extremely low and insecure settings. You will probably want to run a VPN that offers greater performance.

If you plan to use a VPN not for its normal use but instead to connect to a VPN provider for anonymity, then you will be limited by the speeds they can give you through their saturated servers and you probably shouldn't even care about what CPU you get since the performance will be low no matter what.
 
> I think your list is a good choice. The CPU says it supports ECC which is nice too. You can go crazy on extra cores with higher TDP as you mentioned, but I believe you hit the sweet spot. Personally I would go with something under 35W TDP, but I don't have your needs.
>
> That CPU single-thread Passmark score is 2370. https://www.cpubenchmark.net/cpu.php?cpu=Intel+Pentium+Gold+G5420+@+3.80GHz&id=3471
>
> If you're into more research, check out the single-thread Passmark values from others on the pfSense forums who post their OpenVPN throughput. Do the math and extrapolate from there. I did something similar when picking my Plex server hardware to handle my streaming re-encoding needs.
>
> One last tidbit....FreeBSD can be a bit behind Windows, so make sure everything is supported.

That is essentially what I did, I used the following single thread value list:

https://www.cpubenchmark.net/cpu_value_available.html#single-thread

I got the G5420 for the price of a G5400 which pretty much makes it the best single thread value you can buy. The i3-9100F is probably the optimal processor since it is better in single thread and gets you two extra cores for only $20 more or so. Being this is my first experience with pfsense I wanted an iGPU, but for more experienced users I think the 9100F would be the best choice.
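The "do the math and extrapolate" suggestion above, as an added example that is not code from this thread, from pfSense or from OpenVPN: the script parses the output of `openssl speed -evp aes-256-gcm` (run on the candidate box) into a raw cipher ceiling, and scales a reference OpenVPN measurement by Passmark single-thread score, since OpenVPN is bound to one core. The sample openssl output and the reference pair (score 2000, 500 Mbit/s) are constructed placeholders to be replaced with a real forum data point; 2370 is the G5420 single-thread score quoted in the thread.

```python
"""Added example (not the thread's or pfSense's code): two quick sanity
checks for "can this CPU push 1 Gbit/s through a VPN".
(a) parse `openssl speed -evp aes-256-gcm` output into a raw cipher ceiling;
(b) scale an OpenVPN throughput measured on a CPU with a known Passmark
    single-thread score to another score (OpenVPN is single-threaded).
All numbers below are constructed placeholders, not measurements."""
import re
import subprocess

# Constructed sample of `openssl speed -evp aes-256-gcm` output (illustrative
# values, not measured on a G5420). Real output has the same layout.
SAMPLE_OPENSSL_SPEED = """\
Doing AES-256-GCM for 3s on 16 size blocks: 84000000 AES-256-GCM's in 3.00s
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM     450000.00k  1200000.00k  2000000.00k  2500000.00k  3300000.00k  3350000.00k
"""


def parse_openssl_speed(output, cipher="aes-256-gcm"):
    """Return {block_size_bytes: bytes_per_second} from the cipher's result
    row. `openssl speed` reports "1000s of bytes per second" with a 'k'
    suffix, hence the * 1000. Cipher name matching is case-insensitive
    because OpenSSL versions differ in how they print it."""
    lines = output.splitlines()
    header = next(line for line in lines if line.startswith("type"))
    sizes = [int(s) for s in re.findall(r"(\d+) bytes", header)]
    row = next(line for line in lines
               if line.lower().startswith(cipher.lower() + " "))
    values = [float(v.rstrip("k")) * 1000 for v in row.split()[1:]]
    if len(values) != len(sizes):
        raise ValueError("unexpected openssl speed layout")
    return dict(zip(sizes, values))


def cipher_ceiling_gbps(output, cipher="aes-256-gcm", packet_bytes=1400):
    """Raw cipher throughput in Gbit/s at the benchmark block size closest
    to a VPN packet payload. This is an upper bound only: packet handling,
    tun/tap copies and OpenVPN's single thread all land well below it."""
    table = parse_openssl_speed(output, cipher)
    size = min(table, key=lambda s: abs(s - packet_bytes))
    return table[size] * 8 / 1e9


def extrapolate_mbps(ref_score, ref_mbps, target_score):
    """Scale a throughput measured on one CPU to another by Passmark
    single-thread score, which assumes the VPN is bound by one core."""
    return ref_mbps * target_score / ref_score


def assess(target_mbps, speed_output, ref_score, ref_mbps, target_score):
    """Combine both checks: the cipher ceiling says whether AES itself could
    ever be the limit; the extrapolation estimates what OpenVPN actually gets."""
    ceiling = cipher_ceiling_gbps(speed_output) * 1000  # Gbit/s -> Mbit/s
    estimate = extrapolate_mbps(ref_score, ref_mbps, target_score)
    return {
        "cipher_ceiling_mbps": ceiling,
        "extrapolated_mbps": estimate,
        "cipher_ok": ceiling >= target_mbps,
        "extrapolation_ok": estimate >= target_mbps,
    }


if __name__ == "__main__":
    try:  # use the real box's numbers when openssl is available
        out = subprocess.run(["openssl", "speed", "-evp", "aes-256-gcm"],
                             capture_output=True, text=True, timeout=120).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = SAMPLE_OPENSSL_SPEED
    # ref_score/ref_mbps are constructed placeholders: substitute a forum
    # data point (single-thread score, reported OpenVPN Mbit/s).
    print(assess(1000, out, ref_score=2000, ref_mbps=500, target_score=2370))
```

With the constructed numbers the cipher ceiling comes out far above 1 Gbit/s while the score-scaled OpenVPN estimate does not, which is the point of running both: on an AES-NI CPU the cipher is rarely the bottleneck, the per-packet work on a single core is, so the reference measurement matters more than the openssl figure.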
 
> Being this is my first experience with pfsense I wanted an iGPU, but for more experienced users I think the 9100F would be the best choice.
Owning a 9100F... you still want the iGPU. I wouldn't buy a CPU without one, and I regret the 9100F. It was initially in my wife's desktop with a discrete GPU in a planned build, but when it was clear that she could actually use a few more cores, I repurposed the CPU, and then realized that I had to burn a GPU on that system.
 