Messages

Hi all,
I'll be getting 10Gbit wan soon so will be looking at upgrading my current Qotom i5 (which has worked well!). I've been on these forums before discussing options, including Epyc embedded etc.

I've got one specific question regarding Dell Optiplex SFF, as these seem a popular choice. They actually have two PCIe slots, one x16 and one x4. From what I can tell this is unusual, as many consumer/business PCs only have 1x16 for graphics and then x1 slots for other stuff. I am planning to put a Chelsio 10Gb SFP+ in one slot and Intel i350-T4 in the other, so I need both slots.

Does anyone know if this would work, or if the Dell is hardwired to assume that the x16 card is a GPU? I've seen some reports like that for earlier versions.

Qotom with i5-5250U (1.6GHz, 4 cores) here and no problem saturating 1Gb WAN with Suricata and a bunch of rules enabled. CPU load is around 50% when I max out, where Suricata represents most of it.

Do you run other VMs on it, or just OpnSense?

So I've been looking at the AMD Epyc embedded for a while, considering one of the SuperMicro M11SDV motherboards with its 4 on-board Intel NICs. In truth the humble 3101 would probably do me fine (domestic use, 1Gb fiber wan, Suricata, VPN) but it bothers me that the embedded series are still 1st generation Epyc when the regular series are now on 3rd, with large performance and efficiency gains. And prices for the M11SDV haven't even adjusted, they are the same as when they were released a few years back.

I don't see much if any information online on whether a refresh is expected. Any thoughts or clues from anyone on this forum?

Otherwise I'll probably bite the bullet and get desktop hardware and in that case a quiet business PC with intel CPU and PCIe quad NIC. However I prefer server hardware if poss... for IPMI if nothing else.

For what it's worth, I'm the author of that other thread you linked to in the opening post and I never to this day have managed to get this to work... other than by hacking a cron job to force clearing states. I've never seen the states flush automatically when a rule expires neither do I know how do debug it. But according to these last comments, maybe there's hope... ;-)

Hi, thanks for your reply. No more clues but also hasn't happened for a while. Maybe it's random, maybe it's related to which configure is changed. I agree it's a bit unnerving.

Hi guys,
My OPNSense has started to freeze up completely on any config change I make through the GUI. I am not sure what has changed other than I installed the node exporter plugin.

The symptom is a stalled GUI and complete system freeze; it doesn't even respond to ping.

Log file around the time shows

Code Select Expand

[...]
2021-01-24T21:33:01 opnsense[53206] /usr/local/etc/rc.linkup: DEVD Ethernet attached event for lan
2021-01-24T21:33:01 kernel igb1: link state changed to UP
2021-01-24T21:32:58 kernel pflog0: promiscuous mode enabled
2021-01-24T21:32:58 kernel pflog0: promiscuous mode disabled
2021-01-24T21:32:57 opnsense[63288] /usr/local/etc/rc.linkup: DEVD Ethernet detached event for lan
2021-01-24T21:32:57 kernel igb1: link state changed to DOWN
2021-01-24T21:32:55 configctl[1695] event @ 1611520374.79 exec: system event config_changed
2021-01-24T21:32:55 configctl[1695] event @ 1611520374.79 msg: Jan 24 21:32:54 xxx.yyy.org.uk config[79201]: config-event: new_config /conf/backup/config-1611520374.7843.xml

I.e. it enter some re-initialization of all network interfaces after my config change? In any case it seems to render OPNsense dead and unresponsive afterwards. On a soft reset (using hardware reset button) it shuts down ok and when it come back up it has taken my config change and works as normal again.

Edit: should have said I am running 20.7.8 and upgraded recently. I saw the same behaviour on 20.7.7 just before I upgraded. Also, I notice now the freeze doesn't always happen. I am not sure yet what the pattern is though.

Where should I start to troubleshoot...?

Thermaltake Core V1 looks solid but it's massive. Cooler Master Elite 110 looks really good I think. 120 or 140mm fan at front and optional 2x 80mm on the side. That must be enough for the passive heatsink on the AMD CPU, and can get quality fans to taste and budget to keep the noise down.

Been looking at that too and looks ideal in many way. What puts me off is the many reports on the internet of that case being very loud (small but high rpm fans). Never seen or heard one myself though.

Personally I've boiled it down to either one of those Supermicro AMD embedded but in a non-Supermicro (quiet) case mini itx case - or a small form factor business PC with PCIe nic added.

Haven't pulled the trigger on either yet though.

I did purchase one of the amd 3101 EPYC processors with the supermicro mini itx motherboard. GREAT firewall.

Good to hear. What case have you got it in?

Actually your linked item card has title "Dell Intel PRO/1000 VT Quad Port Server Adapter LP PCI-E with Both BR". I would read "Both BR" as both brackets ie full height and shorter. So you may be in luck.

I don't know about that particular card. If you look at the listings on Amazon you'll see quite a few cards with pictures of both full height and low profile brackets in the listing. I guess you could check eBay as well.

Yes, I should have said - you need at least the SFF (small form factor) Optiplex, the Micro ones have no PCIe expansion slots... Also the PCIe is half-height (as opposed to full-height). Many network cards come with both full-height and low profile brackets. You may want to check that too.

Where are you based? Personally I'm a big fan of SuperMicro but they can be more or less difficult to buy depending on where you are. It's enterprise level stuff so (almost always?) comes with IPMI which is useful. Many of their motherboards have 2 or 4 NICs built-in so you wouldn't have to mess around with separate network card.

Is noise a concern? If so you may want to go small form factor PC instead. The Dell Optiplex business PCs seem popular and are built to run 24x7 for years and years. You would have to add one or two PCI-e NICs to taste. Also popular on this forum is the Qotom boxes. They are fanless so completely silent. Best bought directly from AliExpress.

All depends on your needs including your WAN speed. The gen 10 i3 would be insanely fast in the context of a (home?) firewall for 15 clients and you would saturate at least gigabit WAN with IDS very easily. I've got an older gen 5 i5 laptop chip and it saturates gigabit WAN with Suricata IDS at about 50% CPU load.

Very interesting, thanks. Do you know if they would be impacted in the same way or not to the (FreeBSD 12.1) problems mentioned above?