
Is there anything 1 level above pfSense?


I'm trying to get Lenovo to sell me a desktop system without an OS, but it doesn't seem possible. :)

I do have a quote for a ThinkCentre M920q (1L 'Tiny' desktop) with an i7-9700T processor and the Intel I350-T4 Quad Port Gigabit Ethernet Card for $930 including taxes (about 50% savings).

I'll see if I can configure anything like you're suggesting @Maverick009, thank you.

@Trip are you seeing any obvious pitfalls in the path I'm taking? Do you think a full-size Tower or a SFF tower would be a better option instead of the 'Tiny' I'm looking at now?

If going for just a home firewall I can guarantee you it’s gonna be wasted buying a powerful 6-8 core CPU if you are paying more so I hope it’s for a combo. You can probably even ask the actual OPNSense and pfSense devs on their forums for appliance sizing/specs and they’d probably say the same, having seen past interactions on forums and Reddit.

Unless you’re doing some enterprise grade stuff it’s going to be way overpowered. This is my experience with my own EPYC 3251 which has pfSense on ESXi along with some VMs. FYI the SuperMicro and Asrock use ASPEED AST2500 BMCs and actually do have video ports I just don’t find the need to as I can connect to the BMC web interface/KVM via my laptop from anywhere in the house via the IPMI port. Not a necessity obviously but a nice perk.

Also EPYC and Intel embedded in general moves slower architecture wise this is normal. This doesn’t mean they’re losing support in fact Asrock even expanded the EPYC 3K line with a newer 3451 mATX model, these things get supported for a long while. Also not sure one would need to worry about upgrading a CPU on a firewall, by that time the entire platform may have been replaced by something newer and cheaper and more power efficient and anyway many years down the line, I mean it’s not a gaming PC or something.

Also realize most of internal LAN work would be handled by a switch like transfers between devices.

You could do what ddaenen1 did and get a used system like with Xeon E series and save the money. After all this isn’t a gaming PC it’s a firewall. It’s still gonna last a very long time without breaking a sweat. I didn’t mention used much earlier as you seemed against it when you said no eBay. Also take a look at ServeTheHome forums a lot of more experienced people there unlike me.
 
I'm trying to get Lenovo to sell me a desktop system without an OS, but it doesn't seem possible. :)

I do have a quote for a ThinkCentre M920q (1L 'Tiny' desktop) with an i7-9700T processor and the Intel I350-T4 Quad Port Gigabit Ethernet Card for $930 including taxes (about 50% savings).

I'll see if I can configure anything like you're suggesting @Maverick009, thank you.

@Trip are you seeing any obvious pitfalls in the path I'm taking? Do you think a full-size Tower or a SFF tower would be a better option instead of the 'Tiny' I'm looking at now?


Unless you are doing some serious serving of Networking like a LAN party, or powering as a combo Firewall/NAS/Virtual Server, the i7-9700T would be overkill. That is why I did not mention higher than the Ryzen APU 4600G 6C/12T processor, as it is more than 4 cores but not completely overkill and even more expensive than what I suggested with less and a locked BIOS by an OEM.

I would cut back on that type of CPU unless you absolutely need it and invest in the NICs and I/O. Even the 6C/12T could do some decent NAS and has better I/O and I could see that i7-9700T being even more underutilized.
 
This is my current setup:

1.) Netgear CAX80 Modem with 2.5 Gbe port

2.) SuperMicro Short Depth 1U Rear IO Chassis with an M11SDV AMD EPYC 3251 Board, 2666 MHz 16 GB ECC Registered DIMMs, 2x Crucial MX100 256GB SSDs in Raid 1Z mirror (pfSense), Samsung 970 Pro (for other VMs), Intel X710-T2L adapter and 3x Nidec 8500 RPM Fans (@1,500 RPM normally).

3.) Zyxel XS1930-10 Multigig switch. Fan on this was pretty loud and RPM would dive up and down but worked with Zyxel and they released a new firmware within a week or two of reporting so it’s pretty quiet now.

4.) Netgear RAX120 router in AP mode.

5.) Netgear ReadyNAS 524X: Intel Pentium D-1508, 4 GB ECC RAM and 2x 7200 RPM Toshiba Drives in RAID 1. Has a 10Gbe and 1Gbe port.


My NAS is actually the most audible thing, not loud but annoying hum from the fan while ironically 1U server is barely audible as mentioned unless at full load from test VMs when it’s at like 30-35 decibels at most even then.

Maverick and L&LD mind posting yours? Might be nice to see different setups.
 

Nothing to see here yet. Just 2x RT-AX86U's connected to an ONT. :)
 
In regards to noise I also wanted to add be careful what switch you get if going multigig/10Gbe. The new QNAP 10 port I’ve heard is pretty quiet and is $299.
 
I am going through a semi-rapid upgrade of my equipment, but currently in place from top to bottom

Gaming/NAS Multimedia Windows 2019 Server with an AMD Ryzen 2700 on a Gigabyte Aorus X470 Motherboard with 16GB Corsair Vengeance Pro RGB memory, 240GB Samsung 960 EVO M.2 SSD and a 10G Ethernet and 1G Ethernet connection (I am planning to add 2 sets of 3x 10-12TB Seagate Ironwolf drives with a 240-512GB SSD drive for caching to start out. The Silverstone case can house at least 10-12 hard drives and I will have at least 6 soon.)

Asus ROG GT-AX11000 802.11AX Wireless Router in AP mode, 4TB SATA drive housed in an external USB 3.0 case connected to the server, HDHomerun Prime 3

TP-Link T1600G-28TS managed - 24 x 10/100/1000 + 4 x combo Gigabit SFP Switch

OpnSense 20.7.7 Firewall Server currently with Intel Core 2 Quad 2.4Ghz 4C/8T CPU, Gigabyte 775 socket Motherboard and 4GB Corsair DDR3 Dual Channel Dominator memory 10/100/1000 Realtek onboard Ethernet, with Intel I350-T4 Quad Port Gigabit card and Syba Realtek RTL8125 Dual Port 2.5G cards installed, 240GB Kingston SATA SSD (Plan is to upgrade hardware to at least a Ryzen 5 4600G 6C/12T APU, 16GB DDR4, on possibly the ASUS B550 TUF MATX Motherboard)

Netgear CM1200 Multigig Modem (looking at possibly upgrading to the new CM2000)

Makeshift HP Laptop converted to Ubuntu Server with 1TB SATA drive
 

Considering how well @avtella, @Maverick009 and @ddaenen1 are guiding you in regards to right-sizing and picking a good match for a board, CPU and NICs, I think you're in pretty good hands there.

If I could add one item, I would say don't let form-factor constrict your buying decisions too much. Even the conception that "rack mount" #U may not work for you. Using PlinkUSA and ServerCase.co.uk as examples, there are plenty of 2U, 3U and 4U cases out there, many with nice, short, sub-20" depths, which can even be run desktop/floor-standing, and will accommodate wider, quieter fans, plus even things like dual power supplies and, with many coming with 5.25 bays, things like IcyDock HDD/SSD storage caddies (they are AWESOME!), should you want to hyper-converge your build and make it a NAS, etc.

Even though this thread got a bit hijacked, I do like the direction it's gone in! :)
 
<snip>don't let form-factor constrict your buying decisions too much... <snip> ...things like IcyDock HDD/SSD storage caddies (they are AWESOME!)...<snip>

Good point - Never let the form-factor tail, wag the application dog...

and ECC ram is always your friend, eventually...

also, +5000 for just about anything IcyDock makes - been using them since they became available in the u.s... all upside...
 
Small update here and a question.

First: Just the facts

The 4 port I350 adaptor is $500 here.

The QNAP QHORA-301W AX3600 Wi-Fi 6 Dual-Port 10GbE SD-WAN Router is $500 here.

Anything I can find locally, refurbished, and worth buying is $500 (plus the cost of the Intel NICs above).

Anything I can order online with the Intel NICs above is over $900 and when I'm done with it, closer to $1,200 to make it useful to me (RAM and SSD).


Secondly:
I am really liking the QNAP offering here to handle the routing aspects of my ISP connection. With Dual 10GbE and 5GbE/2.5GbE compatibility, I should not have to upgrade this router for many years until the ISP speeds catch up or surpass it. From everything I've read, it is also very stable and reliable too.

Not to mention silent (no fans). 2x 10GbE Ports that are also downwards compatible 5/2.5/1/.100/.010 GbE speeds. With 4 extra 1GbE Ports too.

I have seen the review that states how 'simple' the interface is. But this is acceptable to me if it just keeps routing fast.

I am a QNAP user for many years and really like the value their products add. All these hi-speed ports (and configurable as I need them) along with a very reasonable price makes this a tempting offer.


Question:
Forgetting the vast options pfSense, OpnSense and other DIY firewalls may offer, (which honestly, I don't care too much about), will the hardware specs the QNAP offer, provide me with a faster routing connection/experience to my 1Gbps ISP? i.e. more than my current RT-AX86U does?

I know how responsive an i7 with 16GB RAM and pfSense felt like (before it would degrade within hours), will the Qhora offer that level of immediacy, all the time?
 
Hey there’s nothing wrong going with the likes of the QNAP vs a DIY firewall. Go with what you’re more comfortable with. I’d imagine it would get OpenWRT support eventually being as it is a QCA chipset. Netgear/Asus/QNAP are all usually pretty decent these days about getting security fixes in decent intervals, putting aside stability bugs of course. As for will it be faster than your current model, I doubt it will be a noticeable amount, especially on WiFi with the internal antenna layout. Dual Multigig would be nice allowing you to utilize your AX86U (AP mode) to its full potential for both WAN and LAN use if you have NAS connected to the other multigig port.

There’s also cheaper DIY options like on Newegg OpenBox/refurbished small Acer/Lenovo PCs with i3 9th Gen Quad Core CPUs and 8GB RAM for ~$360 with PCIE expansion available or like this if new:

I would definitely not burn $500 for the i350-T4. That’s multigig price territory X710-T4/X710-T4L as I mentioned earlier. I’d consider what ddaenen1 and I said about getting a used/server pull NIC. Dual port X550-T2s can be had as low as $150 (used) (Quad port doesn’t exist outside of custom board implements), X710-T2L new is ~$300. Intel has an upcoming V710 5Gbe model coming probably this year.

Realtek while you can get away with newer self compiled drivers, they can generally still have much higher CPU usage than equivalent Intel parts in my experience, like 8% vs 15-20% under similar load test in one comparison I saw a few months back, I’ll try to find a link. And checksum offloads are recommended off on RTK cards as it’s usually broken in them unlike Intel and Chelsio, so it’s another thing on the CPU but with current gen CPU performance not too big a deal.
 
@L&LD - With all due respect, I would try to move on from your previous edge case in regards to pfSense's "responsiveness". Again, I would respectfully suggest it was more than likely an underlying hardware issue, and/or mis-configuration, and/or the fault of a separate discrete component, which may have been responsible for the overall experience. Additionally, there are simply too many pfSense installs running production networks, all with appropriately low latency, to imply that it has a baseline fault in that regard. If that were the case, you'd see way more about it on the places with more authoritative knowledge (reddit/r/networking, /r/sysadmin, Netgate's own forums, etc.). It's water under the bridge at this point, but I would urge you to stay more neutral about it, or any firewall OS, in and of itself, as a possible tool.

Moving on, the QHora-301W looks OK at best. For starters, it's a brand-new product, with a brand-new OS, released by a company whose core competency is network storage, not routing, switching or firewall. But let's say they knocked all that out of the park -- rock-solid stable, etc. Looking at the box itself, from what I can tell, it's Qualcomm ARM-based, so in order to make anywhere close to full use of those 10Gb and multi-gig NICs, it better have one hell of an offload schema, because there's no way it would be able to drive that much traffic via the CPU alone... As to whether how much it can actually handle would be good enough for you, that is mostly speculative at this point, at least until more benchmarks are released by the masses...

I think you may be best served by creating your own thread on exactly what you're looking for, viewed from a "what does done look like?" perspective, and work backwards from there, rather than trying to buffet would-be solutions and/or setups against pfSense in this thread. Again, pfSense's legitimacy here is less so in question, than your or anyone else's interpretation of what they may need or want. Those are two completely different things.
 
Small update here and a question.

First: Just the facts

The 4 port I350 adaptor is $500 here.

The QNAP QHORA-301W AX3600 Wi-Fi 6 Dual-Port 10GbE SD-WAN Router is $500 here.

Anything I can find locally, refurbished, and worth buying is $500 (plus the cost of the Intel NICs above).

Anything I can order online with the Intel NICs above is over $900 and when I'm done with it, closer to $1,200 to make it useful to me (RAM and SSD).


Secondly:
I am really liking the QNAP offering here to handle the routing aspects of my ISP connection. With Dual 10GbE and 5GbE/2.5GbE compatibility, I should not have to upgrade this router for many years until the ISP speeds catch up or surpass it. From everything I've read, it is also very stable and reliable too.

Not to mention silent (no fans). 2x 10GbE Ports that are also downwards compatible 5/2.5/1/.100/.010 GbE speeds. With 4 extra 1GbE Ports too.

I have seen the review that states how 'simple' the interface is. But this is acceptable to me if it just keeps routing fast.

I am a QNAP user for many years and really like the value their products add. All these hi-speed ports (and configurable as I need them) along with a very reasonable price makes this a tempting offer.


Question:
Forgetting the vast options pfSense, OpnSense and other DIY firewalls may offer, (which honestly, I don't care too much about), will the hardware specs the QNAP offer, provide me with a faster routing connection/experience to my 1Gbps ISP? i.e. more than my current RT-AX86U does?

I know how responsive an i7 with 16GB RAM and pfSense felt like (before it would degrade within hours), will the Qhora offer that level of immediacy, all the time?

The I350 4-port Gigabit NIC should not be anywhere near $500. It would be between $90-150 at most.

The QNAP equipment is quite good from what I know but I have never personally used them.

If you are looking to replace the RT-AX88U to gain faster 1Gbps performance, then I would not recommend it if doing basic to moderate connections to it as it is more than enough.

Now if you plan doing a lot more and doing heavy NAS with multiple devices, Gaming, and or looking for advanced features then I would recommend something like PfSense/Opnsense. Honestly an i7 processor is not needed. A powerful 4C/8T CPU or recommended at least a 6C/12T CPU is plenty to feed the beast. 16GB can go either way since it's cheap enough and reason I plan on skipping right to it when I do my upgrades.

It may be easier if we knew what you were needing it for or running on it, to really point you in the right direction.
 
I have noticed something after using OpnSense for a little while now... It has no QOS/Traffic Shaper Wizard... Loving the stability and that it supports my Realtek RTL8125 Dual 2.5G card, but QOS manually looks like it will be a very much needed and missed easy setup feature, that my AX11000 router could do and be set up within 2 mins. I guess I will have to play with that some as before I left the AX11000 to handle Smart QOS, where it would automatically make adjustments on the fly based on needs priority. I think that will be one of the few easy tasks I will miss.
 
@avtella, @Trip, @Maverick009, very much appreciate your input.

Understood about creating a new thread (I will do that after further research on what was already provided above).

The prices seem 'stable' here as I've reported them, for the Intel NICs. Unfortunately!

As I don't want to use what I have laying around this time, Lenovo is the best bet for a (to me) $500 NIC and a $350 processor and a Windows 10 license too (Lenovo states they don't sell computers without one) for less than I can buy those myself separately (and they include the case, ram, power supply, fans, assembly, and a warranty too).

I am actively looking for a local 'SuperMicro/Enterprise' used parts supplier that I can trust that offers the prices indicated in this thread! :)

Just want to clear a couple of points up with regards to pfSense.
  • I am not (or ever, I think) questioning what performance benefits pfSense brings.
  • I was questioning though what hardware requirements/compatibility it required.
  • The link below is (I believe) my first post on this forum here about my inability to get pfSense to run optimally for me.
  • https://www.snbforums.com/threads/pfsense-computer-bulid.61903/post-552783
  • Again, it doesn't seem to be a pfSense issue in and of itself, on the right hardware.
  • It may have been that particular build with my particular hardware in my specific network at the time.
Again, I appreciate all the input here. Insights that would have cost me a lot of time and money to find out for myself (if I ever could, before running out of one or the other!).
 
So just wanted to post a link here to a post I put up recently as I have switched back to Pfsense and explain some of the reasoning. Good read and may help anyone else thinking of switching or running into same issues.

 
So just wanted to post a link here to a post I put up recently as I have switched back to Pfsense and explain some of the reasoning.<snip>

yep - that was a good read... insightful for consideration of the two forks, hardware dependencies and freebsd...
 
@L&LD The unit you are looking at may be good, but I worry more about the Intel Core i3 CPU in it, as we are now seeing some of the Broadcom/ARM based 4-6 core CPUs match or beat that processor in performance on the mid highend to top highend home routers.

So this concern relates to the "performance for the price" of the Core i3 CPU or the actual ability of the i3 to do the task?

If truly looking for modularity, and starting out but with future expandability that requires minimum effort, I provided a list of a build I plan going with my firewall upgrade and the price is not really that different, but with a significant uplift in performance out of the box.

AMD Ryzen 5 4650G 6C/12T APU with Radeon Graphics (Save $100 and go to the last gen 3100G 4C/8T APU)
16GB Corsair Vengeance LPX Dual-Channel Memory
ASUS B550M TUF mATX motherboard with built-in 2.5G LAN
240GB Kingston NVME M.2 SSD
Intel based I350-T4 Quad 1GB Ethernet Card
500W EVGA Power Supply
Rackmount Case

Price: $855 ($755 with Ryzen 3100G)

Packs a lot more power and punch for very little difference in price (especially when you take long term effect into account) and it will give you everything you really want and still be significantly cheaper than what you were originally looking at. You can also add the X550-T2/T4 out of the gate if want to, but with what you currently have you do not need that out of the gate and can always add it later.

Edit: The I350-T4 is a good start with 4x 1GB ports, and you can invest in a Smart Switch (I have a TP-Link T1600G-28TS) and link at least 1 port or 2 ports in LAGG config and from that you will have a decent amount of ports to plug all your devices into including your access point.

Edit 2: SuperMicro boards can also be good as @avtella mentioned, but I have noticed that some of their boards are specially designed to only go into certain cases they design or partnered with someone on and why I have not gone that route entirely.

Seems a lot more powerful than commercial firewall offerings. Is that just to future proof the unit?
 
To give this question a sensible answer it's probably worth discussing the various objectives.

If pure routing performance is the desired improvement, then learning to incorporate Layer 3 switches within your network design and appropriate VLAN/subnet configuration is going to be important.

This is because L3 switches allow traffic between VLANs at wire-speed, which becomes important for larger networks where shared resources (for example servers) may need to be readily accessible by multiple subnets. Likewise, in an MPLS or VPLS scenario, NAT (and inherently the network 'edge') may be occurring remotely also.

If security is the desired improvement then people tend to prefer to work with vendors that have rapid commercially-maintained security threat intelligence and firmware updates.

Examples of heavy-hitting vendors in this category include Cisco, Check Point, Forcepoint, Palo Alto, etc.

Typically network edge scanning will provide web content filtering and malware scanning although in many cases these can be replicable with endpoint protections.

However, network edge appliances start to come into their own for protection mechanisms such as IPS intrusion prevention and (a comparatively newer concept) network threat analytics.

What is important to consider is that for some use cases - and I expect especially in light of COVID - some networks are becoming far less perimeter centric.

Endpoints can be integrated in to network fabrics (with associated security) without these responsibilities falling to the network edge. Especially useful for mobile endpoints and remote workers.

Examples of this include iBoss, ZScaler, Wandera, and Cisco Umbrella SIG. The first three are an emergent category of ZTNA solution (Zero Trust Network Access) where clients can be granted access to network resources without being a) on or b) directly connected to - the actual network. All four are designed to fully tunnel client traffic to a remote/cloud 'edge'.

So to answer your question about what is 'one above' pfsense (apologies I've probably strayed 2-3 above here but oh well):

1. Improve your understanding of network edge intrusion prevention, malware scanning, web content filtering. I believe some or all of this can be achieved with pfsense without big bux.

2. Understand that for business - uptime, security and updates are the main considerations. They'll pay for a large, tested, commercial vendor that offers those readily.

3. Definitely familiarise yourself with layer 3 switches as in certain scenarios they can be invaluable. I once saved the bacon of a $100m turnover company with a $200 Cisco SG300 switch to bridge two MPLS/VPLS networks together. You can get an SG300 cheaply on eBay to tinker with this concept.

4. Look at the pros/cons of security and connectivity mechanisms that aren't actually vested in the network edge. Even APs are now directly connecting to security solutions which is great for guest WiFi etc. But definitely read up on ZTNA and client gateway solutions. Although they'll be out of your reach for testing. ZScaler probably won't even talk to you unless you have 1000 endpoints and a large bank account :0)

I hope this advice finds you well, and best of luck with your journey.
 
So this concern relates to the "performance for the price" of the Core i3 CPU or the actual ability of the i3 to do the task?



Seems a lot more powerful than commercial firewall offerings. Is that just to future proof the unit?

There are actually commercial firewall systems more powerful than that. Most Commercial systems use either a complete high-end ARM solution and may get that from the likes of HP/CISCO/Etc. for also the support. The other option when not completely using proprietary equipment, would be to use a box powered by Intel/AMD Xeon/Epyc for the CPU, and the hardware in most cases may already be integrated or have a little room for expandability, based on the use case scenario and environment it is driving. The purchase for businesses both in medium/large to commercial are done in a point to not only drive what they plan on having connected now, but also be able to handle usually 2-4 times that capacity and may even be purchased in pairs, that way it makes expanding much easier too.

For Home use, a Core i3 can still be considered underpowered, especially since Intel even reserves some Business/Pro features and HT only for the i5/i7 series, and even then may be on the high-end side. It took a competitive AMD to get them to start trickling that down into the lower price points. Also as most low-end routers prebuilt are shipping with 4 cores, they are built with no expandability in mind, and start with someone that may have maybe only 2-8 devices connected but also not running at the same time, and scale to 6+ cores on the higher end of things.

If building something as simple but also as sophisticated as a Pfsense or Opnsense router and you are going the complete DIY route, then I recommend going no less than a 6C/12T CPU with at least 4GB RAM (8GB or 16GB may be the better option due to cheap enough pricing). That CPU power, gives enough room to scale with needs and does not require further CPU upgrades down the road for quite a while. The AMD Ryzen/Pro 4000 series or soon 5000 series APU, gives you a very powerful CPU that can handle multiple multigig connections at once and due to it being an APU, you save a PCIe slot for a high-end NIC in that network box. Also the APU price/performance per watt is substantially better than the Intel offerings making it an ideal fit and when you combine it with the fact that the AM4 socket is the same socket after multiple CPU launches and Intel has changed their socket with nearly each new CPU launch, you also have to factor in a cost of ownership and upgradability into that.

If doing a custom build even for a network box, you have to take those considerations and factor them into total cost of ownership, expandability, and performance.
 
Not a bad idea building using an APU like @Maverick009 said, with modularity for wider array of upgrades.

@aps just remember when buying parts however it also really depends on your use case, for example even OPNSense’s highest end appliance is a Quadcore. Not saying don’t get better hardware with more cores, but make sure you’re getting what you need based on your usage/requirements or it’s more money, only for little to no gain in real use.

Additionally I’d also suggest getting a dedicated switch for multigig LAN work as the ASIC chips in the switches are designed for that kind of work unlike the x86 or ARM CPUs in the firewalls where they’d just be wasting CPU cycles doing that work through bridging with significantly higher latency especially at higher speeds and more ports in use and at times even likely unable to even reach 5-10Gbps depending on how many ports are in use and what other work is competing for CPU cycles like VPN etc. Some firewalls/router appliances do have switches built in ie like your home router.

I personally have multigig Zyxel XS1930-10 switch handling all my multigig and standard LAN devices. For my use case for example, the firewall CPU has no real effect on my 10Gbe LAN work/transfers unless it's across VLANS as the switch is handling all of it, my firewall CPU cores are rarely ever above 5-10% and that too when I had Suricata or OpenVPN running. Importantly your internet connection will likely actually be your biggest bottleneck rather than a Quad Core i3 or AMD APU.
 