pfsense on old Athlon questions

Discussion in 'Networking & Security' started by Outlaw85, Oct 15, 2019.

  1. Outlaw85

    Outlaw85 Gawd

    Feb 7, 2012
    Because it's a small form factor, I'd like to throw it in my cabinet I recently cleaned out. I'm hoping it's still up to the challenge. If it's not, I'll have to wait til the new job starts paying to get something better.

    Shuttle case
    Athlon x2 5600+
    4GB DDR2 800
    320GB HDD
    4x 1GB NIC
    1x Linksys-G card

    Internet- Spectrum 200Mb/10Mb

    I would like to be able to get the full throughput and possibly VPN to mess around with.

    My understanding for wiring is:
    Modem -> pfSense In /pfSense Out -> Router In /Router Out -> Switch
  2. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Jun 13, 2003
    Can certainly try it, but the age of the CPU is likely to inhibit performance -- it's missing hardware acceleration for newer instructions for stuff like encryption, for example, and is likely behind enough for SIMD.

    At the same time, you're not asking much of it so it might be 'just enough', so I will say that it's worth trying. Good luck!
    N4CR and Outlaw85 like this.
  3. Outlaw85

    Outlaw85 Gawd

    Feb 7, 2012
    I do have a system with a Phenom 9500 that it looks like the shuttle (SN78SH7) supports. It's at least a quad core but it seems it's more than just core/thread count that matters here.

    I also have an Acer Aspire XC-630G with a dead board. Looks like I could get a XC-704 board on fleabay for about 40-60 bucks with a J3060 CPU. Seems like it may be a little light on resources? Am I just beating a dead horse with this and just wait to get an i3/5 system for 'future proofing' if I up the internet package? They do offer up to 1Gb. Ideally, I'll put it into a 1u space for the cabinet.

    I do have a Q9300/matx or Q9450/atx combo I would just need to get a case for.
    Last edited: Oct 16, 2019
    N4CR likes this.
  4. bman212121

    bman212121 [H]ard|Gawd

    Aug 18, 2011
    An X2 should easily have enough power to run full gig speeds in both directions in the default configuration. You don't need much power to switch network traffic, and that processor is likely 10x as powerful as most little soho appliances are.

    As for VPN, the encryption does use some processing power, but if you're planning on using VPN into your network, you can only get up to 10mbps throughput. That really isn't much traffic, and you should have no problems reaching the performance you need. Yes, that processor lacks AES-NI, which if you were trying to get 100mbps+ VPN throughput would be important, but you aren't at this time.

    An i3 is easily fast enough to be throwing around 10gbps connections. If you look at their official hardware they sell, they rate a lowly quad core atom processor to be fast enough for medium to large businesses with gigabit or 10 gigabit connections. Definitely overkill for just about any home user.

    As for how to hook it up, PFSense is a router / firewall. So:

    Modem -> PFSense -> switch

    No need to even use your older router unless you want to continue using it for wireless. If you do want to do that, you would need to first turn off DHCP on that device, and make sure its LAN IP is outside of the DHCP scope that your PFSense box is handing out. Once that's done, then you would plug a cable from say your switch into another LAN port on the old router, leaving the WAN port unplugged. This allows wireless clients to use the old router as a wireless bridge, but still have PFSense running the show.
    Red Falcon, Sulphademus and Outlaw85 like this.
  5. Outlaw85

    Outlaw85 Gawd

    Feb 7, 2012
    Thank you for all the info.
    -Even at the full 1Gbs offered, it's not symmetrical. So no worries about ever pushing that out through it in the near future. I think their best is 30-50Mb out.
    -VPN would be mostly to mess around and learn on. I've thought about paying for the VPN services to "hide in the shadows" lol but would most like to learn from a business"y" side too. So, I guess I could/would like to hit 200 if possible, but very much not a requirement right now.
    -Excellent point on the i3. Maybe if I can find a cheap combo in the fs/t section, if for nothing else, to save power.

    Sorry, it was bad wording on my part but that makes sense. It's an Apple AirPort router and I'll need it for the wireless for now, the family would kill me. Any reason I can't/shouldn't let the router run DHCP?

    I did find out that you can't disable DHCP on the AirPort router but was able to "trick" it by assigning the range to 2 IPs and then reserving them. pfSense is currently offering DHCP.

    Everything appears to be working but it was weird. I must have changed too much before testing so I reset back to default and went through the setup wizard.

    I was able to speed test:
    236.00Mb down
    11.73Mb up

    During test:
    CPU- 14% peak
    Mem- 7% seems to just be what it consumes. No test running, just typing this... 7%.
    Last edited: Oct 18, 2019
    Red Falcon and IdiotInCharge like this.
  6. Dead Parrot

    Dead Parrot 2[H]4U

    Mar 4, 2013
    Might look for one of the Raspberry Pi type boards for your future router. The one often overlooked issue with the "Just throw an old PC at it" solutions is the power usage. A device with a 100 watt usage can use $70+ per year at an ~ 8 cent per kw cost if run 24/7/365. I get the issue of use what you have now if money is short. Just don't forget it once it is in the cabinet or at some point you may start to wonder why your electric bill stays stubbornly high.
    Outlaw85 and ThreeDee like this.
  7. OFaceSIG

    OFaceSIG 2[H]4U

    Aug 31, 2009
    The only thing you'll miss without AES-NI is hardware crypto acceleration. Everything else will be just fine on that dual core. Netgate has a table on their website how much perf you need for how much speed. Hell, they have an ARM based appliance the size of a raspberry that runs up to 500Mbps no issues.

    My own pfsense build is currently an old, used, Ivy Bridge T low wattage (35W tdp) chip that runs everything just fine. The AES-NI is only used when I VPN home from public hotspots or my job's wifi. Which is a fantastic feature by the way.
    Red Falcon and Outlaw85 like this.
  8. ThreeDee

    ThreeDee [H]ardForum Junkie

    Sep 5, 2001
    I used to run an older computer for my firewall .. used to run a lot of Smoothwall setups for a school for troubled teens I used to work at and it carried over into my overly complicated home network to fart around on/with .. but power bill was too much (especially now that I run a FreeNAS server 24/7 w/Plex) so I picked up an Edgerouter X-SFP and use a free OpenDNS account with some category blocking..etc. I tried different distros and what not and I had fun .. but if you are paying for your own power usage .. using older hardware will cost you more in the long run. :(
    Spectrum 400/20
    speed tested 420/21
    Outlaw85 likes this.
  9. Burner27

    Burner27 [H]ardness Supreme

    Oct 23, 2000
    I'm using a pfsense box that has an I3-7100 CPU, 8GB ram, & 120GB SSD. It idles at 24w and peaks at 39w. Modern hardware for the win!
  10. Outlaw85

    Outlaw85 Gawd

    Feb 7, 2012
    100% agree. Low power is usually not in the vocabulary around here lol. I was running 2xDL380s and an MSA for a while. Running the shuttle wasn't a big deal but now, with the help of a new job (hopefully), I'll be able to get some newer stuff like the Raspberry or at least an I3.. something with power down mode. Do you have a recommendation or just look at what the pre-builts are coming with and go from there?

    I definitely need to do more homework before buying but even bumping the power down to a max of 35w would be cutting the power draw by 2/3's. I would like to do the same with VPN, at least to play around.

    Thanks, never heard of Smoothwall. Something to look at. And for the other stuff. I hear ya, I was doing the same with the above setup running xpenology/plex on esxi.

    Thanks for a build list. Doesn't look too expensive building that out from ebay. Might need to dig a little in the fs/t here though first.

    Thanks everyone! It's much appreciated.
    OFaceSIG likes this.
  11. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Jun 13, 2003
    The fanless versions of these available on Amazon seem pretty effective; it's definitely more than enough CPU to push some packets through rules, filters, and encrypted tunnels as needed.
  12. Private_Ops

    Private_Ops [H]ard|Gawd

    Jun 4, 2007
    Missing on AES is the only downfall I see, so if you don't need that then give it a shot, power usage would be the only other concern.

    Modern hardware has come a long way in idle or low usage states.

    Reminds me, I used to run smoothwall on a Pentium 1 with 128mb of ram, an old gateway 2000. That was back in my high school years on DSL. Miss those days.
    Last edited: Oct 25, 2019
    Red Falcon likes this.
  13. acascianelli

    acascianelli [H]ardness Supreme

    Feb 25, 2004
    That system will handle that internet connection just fine. Your problems will be power consumption and the lack of AES acceleration on the chip for VPN. Although, I'd bet doing the AES in software will still be fast enough.

    I'm running a 250/10 Comcast connection with one of these:

    Runs about 8-10W and had a MUCH slower CPU than an old Athlon X2 5600. Only advantage mine has is that AES acceleration is built into the CPU.

    As for the wiring:

    Modem > pfSense (WAN port) > pfsense (LAN port) > Switch.
    Outlaw85 likes this.
  14. Shikami

    Shikami Gawd

    Apr 5, 2010
    CPUs supporting some modern instructions and architecture would net you an input/output that would, obviously, be better for multiple reasons. You will get some capable I/O with the Athlon X2, but you will seriously start to hit a plateau with multiple users and higher bandwidth available. There are other reasons for a more modern architecture besides supporting instructions, there is also cache design, and memory supported speeds; networking is very memory intensive. So, from wire, to bus, to memory, to cache, to register you want to build up a router. Like using particular and modern NICs (q.v. i350-T2). This has excellent RSS for multicore (or socket) processor(s), supports virtualization features (which gives you many options such as NAS, pi-Hole, and router in one) and its performance is excellent. Having DDR3-1600 or DDR4-2133 will net you some networking speed-especially DDR4. CPUs that have decent size L2, or L2/L3 will help. Along with instructions such as BMI (Big endian support for TCP/IP), SSEx, AES, and AVX will get you some better typical packet flow throughput, and a more acceptable VPN performance.

    What you have will do 200/10. No reason to spend and give you time to learn the preferred firewall, unless there are good opportunities like I had for my router build many years ago. I wanted low power, fan-less, excellent 1Gb performance and close to with NAT, no effect with user load. So there were some parts on sale and with rebates, and decided to invest with these: ASRock QC5000-ITX/PH (note: wanted integrated PCIe interface to NIC for less latency), 8GB DDR3-1600, i350-T2, 120GB SSD, 400w plat rated PSU, Cooler Master mini-ITX chassis. I feel that with AMD hardware you will net more for the dollar investment. More supporting instructions, and virtualization support-plus no mitigation performance hits. One day I will get a 3rd gen APU and DDR4 memory to replace for something better when the time is right. Would prefer a similar embedded low wattage like the A4-5000, which is basically the same processor that is used with the XBOne and PS4 ( A4-5000.html), that it would replace. Over the years I couldn't have been happier.

    Make sure that the wireless AP/router is placed in AP mode and doesn't provide any routing/DHCP/etc. Just use it as a L2 switch and AP. And also, configure pfSense for DNS over TLS.
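
Whether a given box has AES-NI, the point several replies above turn on for VPN throughput, can be read from the CPU feature lines FreeBSD (and therefore pfSense) prints at boot. The script below is an added example, not part of any post in this thread; the function names and both sample boot-message excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this CPU advertise AES-NI? Parses the CPU feature lines
# that FreeBSD (and so pfSense) prints at boot and keeps in /var/run/dmesg.boot.

# Constructed samples in that boot-message format (not captured from a real host).
SAMPLE_NO_AESNI='CPU: constructed sample, older dual core
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x2001<SSE3,CX16>
  AMD Features=0xea500800<SYSCALL,NX,MMX+,FFXSR,RDTSCP,LM,3DNow!+,3DNow!>'
SAMPLE_AESNI='CPU: constructed sample, newer low-power chip
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x7fbae3ff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'

# cpu_flags TEXT: print every flag from the "...Features...=0x...<A,B,C>" lines,
# one flag per line, so later checks match whole flag names only.
cpu_flags() {
    printf '%s\n' "$1" |
        sed -n 's/^.*Features[0-9]*=0x[0-9a-f]*<\(.*\)>.*$/\1/p' |
        tr ',' '\n'
}

# has_aesni TEXT: succeed only if a flag is exactly "AESNI"
# (a substring hit inside another flag name does not count).
has_aesni() {
    cpu_flags "$1" | grep -qx 'AESNI'
}

# aes_report TEXT: one-line summary for the operator.
aes_report() {
    if has_aesni "$1"; then
        echo "AES-NI present: AES can run in hardware"
    else
        echo "AES-NI absent: AES runs in software; measure with: openssl speed -evp aes-128-gcm"
    fi
}

# On a real pfSense/FreeBSD shell, report for the running machine.
BOOTLOG=/var/run/dmesg.boot
if [ -r "$BOOTLOG" ]; then
    aes_report "$(cat "$BOOTLOG")"
fi
```

Without AES-NI, the `openssl speed` figure for the VPN's cipher gives an upper bound on single-core software AES throughput to compare against the link speed.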