Pfsense hardware help

BigTy

Hello, I'm looking to build a PFS box and need some direction on hardware.

My requirements are as follows:

1. Gigabit throughput
2. Low power consumption
3. Lowest cost possible

Optional
1. DPI

Not using snort or VPN.

Links are very welcome.

Thank you
 
Why not use snort?

Anything low power should be fine. I use an AM1 setup with a dual Intel NIC from eBay.

25 watts max
 
We have a few supermicro a1sri-2758f boards. They can push about 940mbps TCP with NAT (limited by the network interface, not the CPU). We put them together for about $675USD including 1u rack mount case, 8GB DDR3, and a 120GB SSD.
 
I recently just fabricated a pfSense system using the ASRock QC5000-ITX/PH, i350-T2 adapter, 8GB 1600 RAM, SSD. The PSU is fanless, modular, 80 platinum rated, which never gets hot, and neither does the processor (finger on heat sink).

It has been benchmarked (in comments https://www.youtube.com/watch?v=z9AToI-fHeg) to be rated as fast as a C2000 Atom. I actually preferred the AMD processor due to the instruction set support. There are AVX instructions being included that increase PPS which are being implemented for recent architectures. Also the A4-5000 supports Big Endian instruction that increases TCP processing. The only thing that truly makes the 2700 great is the Quick Assist for encrypted traffic, which is very very capable.

https://blog.pfsense.org/?p=1626
Speaking of the next-gen work: Preliminary results from Matt Smith have yielded 2.8Mpps on a c2758, and 14.88Mpps on a 12 core X5680 Xeon box. Note that these are (millions of) packets per second, not (billions of) bits per second, and that 14.88Mpps is “line rate” on a 10G card. This is with reassembly, packet filtering, forwarding and (re)-fragmentation running in a “fast-forwarding” kind of way.

Part of the difference between the two platforms is that the packet filtering code performs an N-tuple search over a set of rules with multiple categories and finds the best match (highest priority) for each category. (Succinctly, it is not ‘pf’, though it is designed to implement something a lot like ‘pf’.) On platforms which support AVX/AVX2, this code runs in vector registers, but the C2758 doesn’t support these, so the code has to run ‘scalar’.

https://blog.pfsense.org/?p=1588
And finally, pfSense will move to use even more advanced encryption techniques for IPsec, TLS and OpenVPN. It should be well-known by now that Netgate and the FreeBSD Foundation co-sponsored a project to enable AES-GCM for IPsec, enabling faster encryption speeds on Intel and AMD processors that support AES-NI instructions. On a pair of fast quad core Xeon systems we can run IPsec at over 2Gbps now. More speed is possible, and I expect the first results showing this to be a port of Intel’s “QuickAssist”. On a C2758, this should provide around 8Gbps of IPsec throughput. Other, more exotic QuickAssist hardware exists to take this throughput to 40Gbps and beyond. Additionally, more speed can be had from better “pipelined” implementations of AES-GCM and AES-CBC on existing and near-future Intel CPUs. In particular, SHA1 and SHA256 can be accelerated via AVX2 instructions, reducing the time required for AH processing in IPsec (and its similar processing in OpenVPN and OpenSSL) on processors that support AVX/AVX2.


The C2000 Atom is still a bit weak in comparison for the cost and also rated for a higher wattage; ~20w compared to ~15w. The AMD cores are a bit "fatter" and have a longer shelf life it seems to me due to instruction support. Not to mention that the cost difference is substantial enough to consider otherwise.

However, the only negative is BSD can take some time to include support for architectures and hardware features. This affected the C2000 system pfSense for a bit. An example for the AMD system, powerd enabled causes a reboot issue that others have had with this board besides me when compared to Intel's supported EIST and it being easily implemented.

I have tried a 2758, and was not impressed due to cost/performance. There is a difference, oddly enough, with the A4-5000. As BSD support continues to progress, I think this hardware would sufficiently perform well and last long enough. Oh, one last thing that was annoying was the need to buy a DB15 cable or the hoops to get video support for DB15. With the system I built I had multiple output types to utilize, and plenty of modern cables for them.

http://www.asrock.com/mb/AMD/QC5000-ITXPH/
 
OpenVPN performance won't happen as it's currently designed, I have no idea why they're trying to imply that.
 
Well, it does say "And finally, pfSense will move to use even more advanced encryption techniques for IPsec, TLS and OpenVPN."

Then there is a bit that seems a bit on "how" by mentioning: "Additionally, more speed can be had from better “pipelined” implementations of AES-GCM and AES-CBC on existing and near-future Intel CPUs. In particular, SHA1 and SHA256 can be accelerated via AVX2 instructions, reducing the time required for AH processing in IPsec (and its similar processing in OpenVPN and OpenSSL) on processors that support AVX/AVX2."

But they have been working on some major improvements for BSD and in tandem with others in the industry. Making me have the tendency to not discredit. OpenVPN's code may not be optimal, but we will see results, if any are better or worse, one day.
 
No, you have too much context swapping between kernel and userland in OpenVPN. IPSec is in kernel which is a completely different story. This has already been attempted in the past...
 
What NIC did you guys pair up with those setups? I would like to stick with a hardware Intel dual or quad low profile card.
 
What NIC did you guys pair up with those setups? I would like to stick with a hardware Intel dual or quad low profile card.

The C2000 systems are all Intel NICs, with sometimes physical ASICs by someone else. That doesn't matter much at all. With my build it was an i350-T2 adapter.

The T2 and T4 are x4 adapters. As long as you have a PCIe 2.x x4 slot, or the integrated amount you want, it should be easy enough.
 
OpenVPN performance won't happen as it's currently designed, I have no idea why they're trying to imply that.

No, you have too much context swapping between kernel and userland in OpenVPN. IPSec is in kernel which is a completely different story. This has already been attempted in the past...


I was doing a little BSD reading and found this. Thought that you, dizzy, may find it interesting since it is mentioned in the What's New for BSD 10:

https://wiki.freebsd.org/WhatsNew/FreeBSD10

Improved AES-NI support

Status: Committed to -CURRENT
Author: John-Mark Gurney
Web: http://svn.freebsd.org/changeset/base/r247012 http://svn.freebsd.org/changeset/base/r247117 http://svn.freebsd.org/changeset/base/r255185 http://svn.freebsd.org/changeset/base/r255187

Support for AES-NI instruction and intrinsics has been added to gcc. The aesni module has been improved to use pipelining when possible. This results in a significant speed up for AES-XTS and AES-CBC decrypt.
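An added check, not from the thread or from pfSense/FreeBSD, for the instruction-set points raised in this post and earlier in the thread (AES-NI for IPsec and the aesni module, AVX/AVX2 for the vector packet-filtering code): it parses FreeBSD boot-message lines for the CPU feature flags and for the modes the aesni driver attached with. The sample lines are constructed, not captured from a real C2758 or A4-5000; on a real box you would feed it `dmesg` output or /var/run/dmesg.boot.

```shell
#!/bin/sh
# Constructed dmesg-style excerpts in the shape FreeBSD prints at boot. The hex
# values and exact flag sets are placeholders, not captured from real hardware.
SAMPLE_ATOM='CPU: Intel(R) Atom(TM) CPU C2758 (constructed sample)
  Features2=0x0<SSE3,SSSE3,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>
aesni0: <AES-CBC,AES-XTS> on motherboard'

SAMPLE_AMD='CPU: AMD A4-5000 APU (constructed sample)
  Features2=0x0<SSE3,SSSE3,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,AVX,F16C>
  Structured Extended Features=0x0<BMI1>
aesni0: <AES-CBC,AES-XTS> on motherboard'

# cpu_has FLAG TEXT: succeeds if FLAG is one token of any <...> feature list.
# Splitting on '<', '>' and ',' keeps AVX from matching AVX2 and vice versa.
cpu_has() {
    printf '%s\n' "$2" | tr '<>,' '\n\n\n' | grep -qx -- "$1"
}

# feature_profile TEXT: one line for the three flags the thread cares about:
# AESNI (hardware AES for IPsec/AES-GCM), AVX and AVX2 (vectorised filtering,
# SHA via AVX2). Prints e.g. "AESNI=yes AVX=no AVX2=no".
feature_profile() {
    out=""
    for flag in AESNI AVX AVX2; do
        if cpu_has "$flag" "$1"; then
            out="$out $flag=yes"
        else
            out="$out $flag=no"
        fi
    done
    printf '%s\n' "${out# }"
}

# aesni_modes TEXT: the cipher modes the aesni(4) driver attached with, or
# "none" if no aesni0 line is present (no hardware AES offload for IPsec).
aesni_modes() {
    modes=$(printf '%s\n' "$1" | sed -n 's/^aesni0: <\([^>]*\)>.*/\1/p')
    if [ -n "$modes" ]; then printf '%s\n' "$modes"; else printf 'none\n'; fi
}

feature_profile "$SAMPLE_ATOM"
aesni_modes "$SAMPLE_ATOM"
feature_profile "$SAMPLE_AMD"
```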
 
I do know, but you need a kernel module for this to be useful... (which OpenVPN isn't)
 