Replacing the guts of my pfSense appliance

Xentrk

Here are some pics of my pfSense appliance. The Atom D525 CPU does not support AES-NI which is a requirement for the soon to be released pfSense 2.5. The other reason I want AES-NI is to improve OpenVPN performance. The box measures 11 3/4 inches x 8 inches. The case is good. I will need to replace the motherboard and I need more disk space. Current BIOS is American Megatrends Inc. If you have any recommendations, please let me know.

upload_2018-2-7_8-24-46.png


upload_2018-2-7_8-25-40.png
 
Your signature mentions that you have a SG-2440 but you explain in this thread that your SG-2440 does not match the specs listed by Netgate and indeed yours looks nothing like that device. It would be very difficult to try to guess what parts might fit inside of that box. You should probably just get an entirely new device and sell that one.
 
You are correct about the specs not matching. What happened is I purchased it from an official pfSense reseller in Thailand. Something must have got lost in translation and I ended up with different specs.
 
I spent some time yesterday researching desktop network appliances. When researching the CPUs inside the appliances, I came across this benchmark study.

https://www.servethehome.com/intel-atom-c3338-benchmarks-why-denverton-is-so-sweet/

Interesting metrics when it comes to OpenSSL performance. I can now see why the Intel Atom D525 was such a poor performer when it came to VPN performance.

What I am seeing from this study is that the OpenSSL performance of the older C2758 appears to be superior to that of the C3000 series. The C2758 also offers the Integrated Intel® QuickAssist Technology. This feature provides security and compression acceleration capabilities used to improve performance and efficiency across the data center. The C3000 series does not have this feature.

Support for QuickAssist is in the works for pfSense but I can't find any firm dates: https://www.servethehome.com/quickassist-driver-freebsd-pfsupport-coming/

Netgate is using the C2558 in the SG-4860 https://www.netgate.com/solutions/pfsense/sg-4860.html.

My takeaway from the benchmark study is that the older Intel Atom C2758, launched in 2013, has better OpenSSL performance than the newer C3338. Am I missing something here?

If this is so, why am I seeing new appliances using the C3000 series rather than the C2758? Perhaps to save power? The site of Aaeon, which is an Asus partner, has some examples.

http://www.aaeon.com/en/c/desktop-network-security-appliance/
 
Is the Netgate appliance better in terms of performance than the ClearBox (ClearOS) box, if someone has experienced both?
 
The C2758 also offers the Integrated Intel® QuickAssist Technology.

The challenge with QAT on the C2000 series is that it is a bit of a one-off, and Intel has moved forward with both the add-in boards and the follow-on chips - and the drivers are unique to the C2000 series, and newer stuff is not being back-ported at Intel...

That being said, the C2000 series are decent performers on a per-watt basis...

The Netgate/ADI boards do not have the LPC issue that some of the other C2000 series boards do, as they do not have the LPC in use - ADI did issue a BIOS update to disable the suspect GPIO pin, so the errata is not an issue for them.
 
what will Netgate use for a new CPU in the SG-4860...
 
I was wondering the same. During my recent search for Desktop Network Appliances, I see other companies are now using the Intel 3000 series CPUs, while Netgate is still using the older 2758.
 
We are getting there: the XG-7100 1U pfSense security gateway appliance is out and it has a quad-core Intel Atom C3558 CPU. It's a great start. Pre-Orders

We love pfsense and support the project.
we just need an updated CPU for the SG-4860


Thank You,
 
Thanks for update.

Last night, I requested quotes on two Desktop Network Appliances that use the C3000 series CPU

Lanner NCA-1510
FWS-2360

I would like to see a comparison of the C2758 and the C3558. But this is the best I can find.
upload_2018-2-24_9-20-17.png
 
lol I was looking at the same ones

Here is one comparison: Intel Atom C2758 vs C3558
This looks good: Intel Atom C2758 vs C3955

And the Review from STH: Intel Atom C3558
Is it your understanding that the C3558 will have better OpenSSL performance than the C2758? From the graph in my prior post, it definitely is for the C2558.

Found AES-NI OpenSSL study at https://calomel.org/aesni_ssl_performance.html. I ran some numbers on my build:

upload_2018-2-24_13-11-39.png


AES-128-GCM is definitely the go-to cipher to use for speed and performance.
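
A way to check the two things this post turns on, whether a CPU advertises AES-NI and how much it changes AES-128-GCM throughput, as an added example that is not part of the original post. The helper names, file names and sample figures are constructed for illustration; the `openssl speed` runs that produce real input are shown in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# has_aesni FILE: succeed if saved CPU feature text advertises AES-NI.
# FreeBSD/pfSense lists "AESNI" in the Features2 line of /var/run/dmesg.boot;
# Linux lists "aes" in the flags line of /proc/cpuinfo.
has_aesni() {
    grep -Eq '[<,]AESNI[,>]|^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$1"
}

# evp_rate FILE CIPHER: print the rate (1000s of bytes/s) for the largest
# block size in saved `openssl speed -evp CIPHER` output.
evp_rate() {
    awk -v c="$2" '$1 == c { v = $NF; sub(/k$/, "", v); print v; found = 1; exit }
                   END { exit !found }' "$1"
}

# aesni_speedup HW_FILE SW_FILE CIPHER: hardware/software throughput ratio.
# The two files come from running, on the box under test:
#   openssl speed -elapsed -evp aes-128-gcm > hw.txt
#   OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-gcm > sw.txt
# (the mask hides the AES-NI and PCLMULQDQ bits from OpenSSL on x86).
aesni_speedup() {
    hw=$(evp_rate "$1" "$3") || return 1
    sw=$(evp_rate "$2" "$3") || return 1
    awk -v h="$hw" -v s="$sw" 'BEGIN { printf "%.1f\n", h / s }'
}

# Constructed inputs so the script runs offline; these are not measurements.
tmp=$(mktemp -d)
printf '%s\n' '  Features2=0x1<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,RDRAND>' > "$tmp/cpu_new.txt"
printf '%s\n' '  Features2=0x2<SSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>' > "$tmp/cpu_old.txt"
cat > "$tmp/hw.txt" <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     100000.00k   200000.00k   300000.00k   400000.00k   450000.00k   460000.00k
EOF
cat > "$tmp/sw.txt" <<'EOF'
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm      20000.00k    30000.00k    40000.00k    45000.00k    46000.00k    46000.00k
EOF

for f in cpu_new cpu_old; do
    if has_aesni "$tmp/$f.txt"; then echo "$f: AES-NI present"; else echo "$f: no AES-NI"; fi
done
echo "aes-128-gcm speedup with AES-NI: $(aesni_speedup "$tmp/hw.txt" "$tmp/sw.txt" aes-128-gcm)x"
```

On a live box, point `has_aesni` at `/var/run/dmesg.boot` (pfSense/FreeBSD) or `/proc/cpuinfo` (Linux) instead of the sample files.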
 
I just built a 1U pfSense box using a Supermicro A1SRM 2858 motherboard that I picked up used off of evilbay. Probably a little overkill with 8 cores and 16Gb of RAM. But, it's been working flawlessly.
 
Nice board - make sure it has the rework in place for the C2xxx series LPC hardware bug - SuperMicro has been pretty good about fixing them once failed, and new stock should have the engineering change already in place.
 
@sfx2000, The Lanner NCA-1510 comes in four models:
  1. NCA-1510A C3558, 6x GbE RJ45 w/ 1 Pair of Gen3 Bypass, 8G EMMC Onboard
  2. NCA-1510B C3558, 4x GbE RJ45 w/ 1 Pair of Gen3 Bypass & 2x GbE SFP w/ LED or GbE RJ45 Intel i210 (By SKU) , 8G EMMC Onboard
  3. NCA-1510C C3308, 4x GbE RJ45 w/o Bypass, 8G EMMC Onboard
  4. NCA-1510D C3758, 6x GbE RJ45 w/ 1 Pair of Gen3 Bypass, 8G EMMC Onboard
Trying to determine the trade-off between the models' CPUs and ports. My primary goal is to maximize OpenVPN performance. So, the NCA-1510D wins that category followed by the A and B versions. I don't need all of the ETH ports. I will flash with pfSense. One port will be designated as WAN and the other as LAN. The LAN port will connect to a switch. Inbound connection is fiber 200 Mbps. I will use ISP modem/router in bridge mode as a GPON terminal and leave the routing to the appliance, like I do today. I connect the ISP modem/router to the appliance with CAT7 ETH cable. I do not see a need for the SFP ports. I do not have a use case to step up to a NAS that supports SFP. I have heard nothing but good reviews on the Intel i210 NICs. Should I get the B model so I can take advantage of their architecture? Will it really matter in my situation? Thanks in advance for the help.
 



    • NCA-1510C C3308, 4x GbE RJ45 w/o Bypass, 8G EMMC Onboard
    • NCA-1510A C3558, 6x GbE RJ45 w/ 1 Pair of Gen3 Bypass, 8G EMMC Onboard
Either would be a good choice - the 3558 is clocked a bit higher, which is better for OpenVPN, and gives you a bit of room to grow.

I wouldn't worry about the SFP model, as the connectivity there is still 1Gb, not 10
 


Curious why option 4 that uses the C3758 did not make the recommendation? Trade off of power costs and performance? Thread and core count start at 4 on the C3308, followed by 6 on the C3558 and 8 on the C3758. Since OpenVPN is single core threaded, are the extra cores any benefit for my goals to optimize VPN performance? Watts are 9, 16 and 25 respectively. So the C3308 and C3558 will have lower power costs than the C3758. According to this blog, C3758 may be overkill for a VPN gateway and says the C3558 is a great choice...

https://www.servethehome.com/intel-atom-c3558-linux-benchmarks-and-review/

...There are many firewalls, VPN gateways and 4-8 bay NAS units that simply do not need more HSIO or cores. For those numerous applications, the Intel Atom C3558 is a great chip.

The OpenVPN performance I have with the i5 CPU when compared to the AC88U is night and day. Hoping the newer C series will give me an even bigger bump. And this appliance will take up less space than my custom PC build and hopefully be a little quieter.
 
Curious why option 4 that uses the C3758 did not make the recommendation? Trade off of power costs and performance?

Exactly - and cost of the chip itself...

Consider that many of the Netgate 2440's are more than sufficient to run 300 bed hotels and small enterprises with pfSense, and that's a dual-core chip.
 
Everything now is at least dual core; I think the highest clock rate and low power would be more important than the number of cores in smaller applications.
 
