Hardware Advice

[t10009]

I am looking into buying some hardware to run Opnsense but I am not sure exactly which specs I will need.

The internet connection is 1000/500 and I want to be able to be able to utilize the full speed of my connection
or as close to it as possible.

I will use the usual basic features such as NAT, firewall and IDS which I know will impact perfomance.
I have done some research but I am unable to see how much processing power or memory I will need.

The only other thing I want is to keep power consumption as low as possible.

Budget isnt a concern right now I am looking more at performance but I know it wont be cheap.

Can anyone give me some assistance?

[mimugmail]

You should really reconsider if you need IDS.
i5 and 8GB and good Intel NIC should be fine with IDS. If IPS I'm a bit unsure, perhaps a better XEON, but I cant imagine why IPS is really needed

[t10009]

Thanks for the reply.

I ended up building a box with the an Intel i3-8100, 8gb RAM and Intel 1gb NICs.

Opnsense had appalling performance without IDS turned on.
Without IDS I was getting 640mb down and 400mb up.

With IDS turned on I was only getting 290mb down and 300mb up.

This was with stock settings. The same box running FreeBSD 11 is able to perform without a problem.

Linux based firewalls such as IPFire and Untangle give me pretty much 1gb down and 500mb up

For now I will stick with Untangle. There isn’t really any compelling reason for me to see what is wrong with Opnsense.

[mimugmail]

IDS or IPS? IDS shouldnt take bandwidth with Intel and good CPU

[t10009]

Both IDS and IPS.

Even with both turned off the performance isn’t great.

If I had more spare time I would look into it further as I like Opnsense as a product.
But for now I will use Untangle and install Opnsense again to figure out what is going when I have enough free time.

The Intel cards are both Intel EXPI9301CTBLK.

They aren’t the greatest NICs but they should be up to the task.

[mimugmail]

This is a desktop adapter? Why dont you try I210?

[t10009]

They are marketed asa “desktop” adaptor but considering I can easily get 1gb throughput through them with other firewall solutions I don’t see the point in replacing them.

I searched the model number quickly on google and it seems there are a few people using them successfully on pfsense.

[mimugmail]

Must be something eith irq or your testing, I can achieve nearly 10Gbit with similar hardware

[t10009]

The tests were all run the same way on the same hardware.

Untangle
IPFire
Sophos XG
FreeBSD 11.2 (basic PF firewall)

They all performed just fine without any strain on the hardware.
Untangle and Sophos XG easily outperformed Opnsense even with IDS/IPS enabled.
Opnsense as a basic firewall was still slower.

The hardware itself is fine and is overkill for what I need it for.
IRQ problems are very rare on modern hardware so it’s not that.

I would say it would have alot to do with Linux currently having superior SMP.

Given that most of these solutions use utilise many of the same opensource technologies there isn’t really a compelling reason to switch between them if what you currently use is working fine. Of course that will change depending on your requirements.

[mimugmail]

You sadly said nothing about how you tested it.

https://www.routerperformance.net/routers/nexcom-nsa/thomas-krenn-ri1102d/

[t10009]

The usual ways.

Fast.com
Speedtest.net
and iperf

Opnsense performed the worst by far.

[mimugmail]

Single stream or multi stream?

[t10009]

I’m not too sure about fast.com but the rest were multi stream.

[mimugmail]

single stream is known to be low .. on GB you only get 600mbit, same similar on 10G .. but multi stream is always wire speed. You should test in LAN/LAB, not via internet. My observation was that public iperf servers are variing from test to test.

[t10009]

Iperf was done via LAN and internet.

Considering the majaority of the traffic will be over the WAN I care more about how it will perform via the internet.