pfsense 2.5 May Require Hardware Upgrade

[sfx2000]

It seems like a nice small home built pfsense machine. I guess they are trying to compete with the small commercial router boxes for sale. I am not sure it has AES-NI. What I want is a rack mount machine since I have a rack in the closet. It may burn a few watts more but I don't think I care other than buying a low voltage CPU. It is the way I have been doing it for years. I really like what I have but it does not support AES-NI.

The homebrew 2.0 build that Ars did was based around the Qotom J1900 - which sadly doesn't support AES-NI...

There's been mention over in the pfSense forums on a newer Qotom box that has an broadwell dual-core i5 mobile chip, and some chatter about the newer ApolloLake J3*** chips...

Checking over on the bays of the E (eBay) - there's quite a few 1U ex-server boxes with Sandy Bridge/Ivy Bridge based Xeons that do support AES-NI these days. Mostly HP and Dell stuff, with a smattering of IBM...

I'd just hate to have a 1U screamer in the house - those little fans are pretty loud...

 

[Xentrk]

I'd just hate to have a 1U screamer in the house - those little fans are pretty loud...

Having a screamer in in my house would rule it out for me. I already get screamed at enough as it is by my spouse.

Cooling is a concern for me as it gets hot here in Thailand. But I usually have the air conditioning running when things get too unbearable. My current pfSense box has a built in fan and is slightly noticeable when the room fans or TV are not turned on. I see the 2440 on the pfSense site is fanless. My Roku 4 player, ASUS routers and modem sit atop USB cooling pads which reduces the temps by 20C.

I am very tempted to build a pfSense box just for the experience and hobby aspect of it. I keep telling myself that what I have works and no need to get carried away. And to wait at least a year until we learn more about pfSense 2.5 and see what Netgate does with their product offerings.

 

[coxhaus]

Yes 1u is hard to take. I use 2u and 3u cases in my rack. I strip down my pfsense box down to a slow cpu fan with a big heat sink and the power supply fan. All other fans are disconnected. There is a small laptop hard disk and nothing else running in the box to generate heat. I could use flash now instead of a HD now but I built this 10 years ago and flash was too small back then.

I tried using no cpu fan but I occasionally get thermal shutdowns in the hot Texas summers even with the AC on.

 

[FatherLandDescendant]

I am very tempted to build a pfSense box just for the experience and hobby aspect of it. I keep telling myself that what I have works and no need to get carried away. And to wait at least a year until we learn more about pfSense 2.5 and see what Netgate does with their product offerings.

I've been looking into it. Went looking today for an old cheap PC I could re-purpose, but no luck. All I need is something with 2 RJ45s and I'm set, I have a 16 port TP Link switch in use now, I also have an 8 port LinkSys switch sitting on a shelf. But I don't want to build something that pfSense is going to render obsolete in 6 months to a year

 

[coxhaus]

I am wondering about the SkyLake i3-6100H for pfsense. It is a 35 watt processor. More than 2 cores is probably a waste. I don't think the Xeon version is out. I would need a motherboard with 2 Intel NICs which may be a problem. I may have to jump up to 4 cores to get a server board to get dual NICs.

 

[sfx2000]

I am wondering about the SkyLake i3-6100H for pfsense. It is a 35 watt processor. More than 2 cores is probably a waste. I don't think the Xeon version is out. I would need a motherboard with 2 Intel NICs which may be a problem. I may have to jump up to 4 cores to get a server board to get dual NICs.

More that 2C/4T is most Home/Small Office is going to be overkill...

Dual port i350 cards are actually reasonable these days - checking around the Amazon - around 40 bucks...

Quad port cards from HP/Dell on eBay - watch out for counterfeits, can be found for similar prices...

I like where you're thinking here - mini-ITX board with an adapter like above in a short 1U case - they don't all need to be screamers like most 1U servers...

Find a board that has M2 SATA/NVMe - so no spinning rust drives either, again, keeping heat/noise down.

 

[coxhaus]

More that 2C/4T is most Home/Small Office is going to be overkill...

Dual port i350 cards are actually reasonable these days - checking around the Amazon - around 40 bucks...

Quad port cards from HP/Dell on eBay - watch out for counterfeits, can be found for similar prices...

I like where you're thinking here - mini-ITX board with an adapter like above in a short 1U case - they don't all need to be screamers like most 1U servers...

Find a board that has M2 SATA/NVMe - so no spinning rust drives either, again, keeping heat/noise down.

Will the dual port i350 cards support 4 gig through put? Is the bus big enough for 2 full duplex ports running at the same time?

I always over build. I have been using my current hardware for 10 years and it still works well just missing AES-NI.

My routers only needs one WAN and one LAN. I use my layer 3 switch for all local routing.

Yes if I build again I won't use a hard drive.

 

[occamsrazor]

There's been mention over in the pfSense forums on a newer Qotom box that has an broadwell dual-core i5 mobile chip, and some chatter about the newer ApolloLake J3*** chips...

I guess you are talking about the Qotom Q355G4 model with i5-5250U, I have one and it supports AES-NI.

http://www.qotomchina.com/product/6..._with_4_Ehternet_NIC_LAN_Barebone_System.html

 

[FatherLandDescendant]

I guess you are talking about the Qotom Q355G4 model with i5-5250U, I have one and it supports AES-NI.

From what I've been reading all the i5s do.

 

[sfx2000]

Will the dual port i350 cards support 4 gig through put? Is the bus big enough for 2 full duplex ports running at the same time?

It's a server NIC, and the same chip is used for the 4-port cards...

I used the 2-port cards in our smtp cluster machines, replacing the onboard broadcom NIC's that had bad drivers (forget the brcm part number, but it was supported by the opensource driver in RHEL/Centos, and it would jam up hard) - 8 machines support 20 million users, and the i350 cards performed well..

 

[coxhaus]

There has been a new twist on AES-NI.

https://forum.pfsense.org/index.php?topic=131152.0

I wonder what the impact will be in the future?

 

[sfx2000]

There has been a new twist on AES-NI.

https://forum.pfsense.org/index.php?topic=131152.0

I wonder what the impact will be in the future?

None - follow the thread thru, and it relates to a malware named appropriately enough aes-ni...

There's a cohort of users on the pfsense forums that are pretty unhappy over the decision of requiring AES-NI support...

 

[sfx2000]

It looks like the future pfsense 2.5 is going to require AES-NI in the cpu. My old Xeon does not have AES-NI built-in so I don't know what I am going to do. I will have to decide whether to upgrade hardware or move back to Untangle. We still have probably a couple of years. So people buying hardware now might make a note. You may want to make sure your new hardware has AES-IN built-in to the Intel CPU.

Just as a reminder, pfSense 2.4 on x86 is going to be 64-bit only - which also impacts some 2.3 users on older hardware...

With 2.4, the only 32-bit platform there is ARMv7-A, and both of those supported chips (TI Sitara and Marvell Armada 38x) also support AES there as well in hardware...

Ugh... the price of progress - these moves by the pfSense team make sense, and they have telegraphed their intent for some time ahead of the cut-off so that folks can plan ahead and make some decisions...