good in a business environment 50-100 users?

Started by apollumi, March 27, 2017, 05:04:57 PM

I am curious how the stability is, particularly in a business VM environment, and what kind of CPU utilization can be expected using the majority of features and heavy traffic on a 1 or 2 gig internet connection. Right now in my lab I am not pumping enough traffic to see if suricata and multiple IPSEC L2L VPN tunnels will bring it to its knees, so I am asking for input. The environment I would end up running this in is a VMware (ESXi 6.5 free) VM using a vlan tagged virtual machine port group on a four port etherchannel trunk (port group, trunk, whatever) with 4 vm interfaces dedicated to a particular role (Outside, Inside, Server, Wireless).

My background has been Cisco ASA VPN/Firewall, Cisco and HP switches and routers, Websense/Cymphonix web filtering, etc. Equipment that ran for years without a reboot while under load and worked very admirably. Multiple tools that accomplished very similar tasks but at a much, much higher cost.

For my use it is ok if it hangs up once a month or so. It just can't do it every day or multiple times a day, god forbid. I know that depends on things like hardware, environment, clean power, etc. but I am hopeful.

Thank you for any input.

I do not know about VPN. I can tell you an opteron 6386 will handle 1gig without problem at 1gig speed. An i7 4770k will also handle it with 1 core, no problem. I do not know how many VPNs it can handle at 1 gig.

How I wanted to use it is with AMD Ryzen 1700 (65w) processors, 64 gig ram, esxi 6.5, 1 or 2 four port nic cards. The OPNsense vm would exist along with freepbx among other appliances.

Throughput doesn't have to be perfect just not abysmal. I was most interested in OPNsense due to the look of the interface to be honest. I've been into computers and doing IT for a long long time. It's like a car IMO. People will buy a shitty car as long as it looks nice and works mostly well. You could have the most stable car ever built but if it looks bad then sales probably will not be good.

OPNsense has a good look to it. Clean and simple. If it can perform pretty well in day to day operations it is my choice over pfsense and sophos UTM software.

March 28, 2017, 03:01:40 AM #3 Last Edit: March 28, 2017, 08:32:19 AM by rgo
I do not run anything that is dual os or hypervisor, as some people call it, or as you are referencing as ESXi, unless the box has over 40+ cores above 2.5 ghz and has over 100gig of ram. Systems above that I have found to have benefits to running dual os. I run over 100+ systems and have been doing so for over 20 years now. If the system is under that level of resources, you do not get any benefits of VM / Dual OS and you actually lose resources!

I have not tested opnsense under dual os yet. My guess is it should have no problem doing what you are after with a dual os setup. From what I saw of the Ryzen 1700, when I saw it in Austin at the AMD office, it is an okay processor. Their arm line coming out is better in my opinion. Will the 1700 do it? I do not know, but my gut would say yes, it should with dual os.

5ghz for opnsense + 4ghz for your VPN load = 9 ghz, so call it an even 10 ghz total compute you need just in operations of code. Then times it by 2 for dual os, so you are looking at 20 ghz in total compute for all operations of code.

https://www.amd.com/en/products/cpu/amd-ryzen-7-1700x

Real compute is 30 to 31 ghz compute on the ryzen 1700. So you are right near the max of what it can do by the numbers, a little over or under depending on how you want to look at it, around 70%. You have not put in the OS overhead if it is more than double...1 for 1 on the dual os side... or your VoIP stuff if it would not fit into the 10 ghz where opnsense is allotted...so you would be pushing the limits in my opinion...You will be at the max of what the cpu can do or over what the cpu can do.

I found systems work best when load is kept to under 1/2 of what the system can do. The extra 50% allows for unknown events like cpu issues or memory or io issues. So I do not allow anyone to run systems over 50% of their calc ability. Just my hard rule I make everyone follow in my company.

March 31, 2017, 11:14:36 AM #4 Last Edit: March 31, 2017, 11:22:02 AM by apollumi
Thank you for your response.

Quote from: rgo on March 28, 2017, 03:01:40 AM
I do not run anything that is dual os or hypervisor, as some people call it, or as you are referencing as ESXi, unless the box has over 40+ cores above 2.5 ghz and has over 100gig of ram. Systems above that I have found to have benefits to running dual os. I run over 100+ systems and have been doing so for over 20 years now. If the system is under that level of resources, you do not get any benefits of VM / Dual OS and you actually lose resources!

I have not tested opnsense under dual os yet. My guess is it should have no problem doing what you are after with a dual os setup. From what I saw of the Ryzen 1700, when I saw it in Austin at the AMD office, it is an okay processor. Their arm line coming out is better in my opinion. Will the 1700 do it? I do not know, but my gut would say yes, it should with dual os.

Currently ESXi and Ryzen is a pink screen of death, and I plan on running it as the free version. I'd imagine this will be fixed in the future. I'm thinking it will be enough to work. If not, I can just tune the resource pools.

Austin, TX? It's where I live.

Quote
5ghz for opnsense + 4ghz for your VPN load = 9 ghz, so call it an even 10 ghz total compute you need just in operations of code. Then times it by 2 for dual os, so you are looking at 20 ghz in total compute for all operations of code.

https://www.amd.com/en/products/cpu/amd-ryzen-7-1700x

Real compute is 30 to 31 ghz compute on the ryzen 1700. So you are right near the max of what it can do by the numbers, a little over or under depending on how you want to look at it, around 70%. You have not put in the OS overhead if it is more than double...1 for 1 on the dual os side... or your VoIP stuff if it would not fit into the 10 ghz where opnsense is allotted...so you would be pushing the limits in my opinion...You will be at the max of what the cpu can do or over what the cpu can do.

I found systems work best when load is kept to under 1/2 of what the system can do. The extra 50% allows for unknown events like cpu issues or memory or io issues. So I do not allow anyone to run systems over 50% of their calc ability. Just my hard rule I make everyone follow in my company.

Thanks for the input. Yeah, running it at full tilt isn't smart. Just like you don't want your storage having no room to breathe.

I was hoping somebody would tell me it is as stable as the Rock of Gibraltar, or something like that. Thinking I could use these "appliances" at a branch or small office in conjunction with Cisco ASA devices at a main office, possibly. Really like the Cisco ASA devices. Occasional flubbed software release aside, that is.

AMD Ryzen are not on the VMware HCL (yet?) http://www.vmware.com/resources/compatibility/search.php

FWIW, many people run VMs quite happily on things as small as Intel NUCs with quad cores and 32GB of RAM. Horses for courses.

Bart...

Quote from: rgo on March 28, 2017, 03:01:40 AM
I do not run anything that is dual os or hypervisor, as some people call it, or as you are referencing as ESXi, unless the box has over 40+ cores above 2.5 ghz and has over 100gig of ram. Systems above that I have found to have benefits to running dual os. I run over 100+ systems and have been doing so for over 20 years now. If the system is under that level of resources, you do not get any benefits of VM / Dual OS and you actually lose resources!

I have not tested opnsense under dual os yet. My guess is it should have no problem doing what you are after with a dual os setup. From what I saw of the Ryzen 1700, when I saw it in Austin at the AMD office, it is an okay processor. Their arm line coming out is better in my opinion. Will the 1700 do it? I do not know, but my gut would say yes, it should with dual os.

5ghz for opnsense + 4ghz for your VPN load = 9 ghz, so call it an even 10 ghz total compute you need just in operations of code. Then times it by 2 for dual os, so you are looking at 20 ghz in total compute for all operations of code.

https://www.amd.com/en/products/cpu/amd-ryzen-7-1700x

Real compute is 30 to 31 ghz compute on the ryzen 1700. So you are right near the max of what it can do by the numbers, a little over or under depending on how you want to look at it, around 70%. You have not put in the OS overhead if it is more than double...1 for 1 on the dual os side... or your VoIP stuff if it would not fit into the 10 ghz where opnsense is allotted...so you would be pushing the limits in my opinion...You will be at the max of what the cpu can do or over what the cpu can do.

I found systems work best when load is kept to under 1/2 of what the system can do. The extra 50% allows for unknown events like cpu issues or memory or io issues. So I do not allow anyone to run systems over 50% of their calc ability. Just my hard rule I make everyone follow in my company.

Sorry, I don't normally do this, but this whole post is essentially wrong. Don't pay it much attention in your decision making process...

March 31, 2017, 10:28:51 PM #7 Last Edit: March 31, 2017, 10:55:07 PM by ky41083
Quote from: apollumi on March 28, 2017, 01:15:39 AM
How I wanted to use it is with AMD Ryzen 1700 (65w) processors, 64 gig ram, esxi 6.5, 1 or 2 four port nic cards. The OPNsense vm would exist along with freepbx among other appliances.

Throughput doesn't have to be perfect just not abysmal. I was most interested in OPNsense due to the look of the interface to be honest. I've been into computers and doing IT for a long long time. It's like a car IMO. People will buy a shitty car as long as it looks nice and works mostly well. You could have the most stable car ever built but if it looks bad then sales probably will not be good.

OPNsense has a good look to it. Clean and simple. If it can perform pretty well in day to day operations it is my choice over pfsense and sophos UTM software.

Ryzen is not well supported yet on hypervisors. ESXi simply doesn't, and KVM (all Linux actually) needs to be at kernel 4.10 or higher until the Ryzen bits are stable enough to be backported.

OPNsense should perform extremely well and stably using VirtIO devices on KVM, or PV devices on ESXi. Full 1Gb routing does not need a lot of power; anything you can buy new today should do this on top of running other OSes, assuming enough RAM.

It should be more stable than pfSense, and faster than SUTM, if you've run them. It is definitely more bug free than pfSense. And routing performance (as they both use FreeBSD and pf) should be similar.

If using a CPU that accelerates VPN encryption (AES-NI for example), even VM'd, you should easily see 1-2Gb wire speeds without maxing out any physical cores, or even needing more than 2 (more than 1 core mostly to prevent process blocking) assigned to the OPNsense VM.

Quote from: ky41083 on March 31, 2017, 10:28:51 PM
Ryzen is not well supported yet on hypervisors. ESXi simply doesn't, and KVM (all Linux actually) needs to be at kernel 4.10 or higher until the Ryzen bits are stable enough to be backported.

No problem, Arch Linux has 4.10.6 ;)
Quote from: ky41083 on March 31, 2017, 11:09:05 PM
No Proxmox on Arch though  ;)

Just use plain libvirt - I know that it works well on Arch Linux

April 03, 2017, 02:00:42 PM #12 Last Edit: April 03, 2017, 02:04:02 PM by apollumi
Thank you for the continued responses.

Yep, Ryzen is still a pink screen of death on vmware. I'd bet it gets fixed by the time I need it. If not, I'll just consider the Intel product since Ryzen is forcing a price drop on them. I'm stuck on VMware because the "consciousness" of people can identify with vmware readily and many people know it. I really like the ESXi hypervisor also. Just have to wait for VMware to provide support and spend a couple months "poring" over the forums looking for a hint of disaster and putting it through the paces myself. After 30 plus years of IT I value stability much more than shiny and fast. Same as I do my women these days. :P

I don't mind doing Proxmox, but it is an unknown to me. And I do like known quantities. I've seen VMware keep on trucking; it has many, many businesses dependent on it and a lot of development dollars. It has never let me down. And then there is existing infrastructure. Most places may already have vsphere in place and could just add it to their license, etc.

Once again, thanks for the replies. I'm going to invest more time in learning OPNsense. Time to try out the web filtering.