CPU Recommendations?

[XrayDoc88]

I've been running pfSense for many years on mini PCs.  I'm thinking about upgrading my two home networks to at least 2.5G, and probably 10G.  I think I'm also going to switch to OPNsense.  Both home networks are currently connected with an IPsec site-to-site VPN.  When I upgrade, I plan on switching to wireguard.  Each home network has multiple APs, a NAS and several PCs.  Both homes have 1G fiberoptic WAN connections.  I also plan on creating VLANs on both networks, which I currently  do not have.  I'd like to stay with mini PCs if possible.

What would you consider the minimum CPU to get?  Is the Alder Lake-N150 adequate?  Should I get better?  Thanks!

P.S. I wouldn't mind mini PC suggestions either.  I've looked at the "official" OPNsense options.  I currently have Qotom, but want 10G connections.

[pfry]

I don't have any advice on mini PCs. But in general I would ask: What's your budget, for money, space, power, etc.?

[BrandyWine]

Intel i3. And I have a few N150 devices, some doing work and others rather idle like my opnsense fw, the N150 can do work.
I guess it depends on what type of work your fw will doing.

Is 10G an interface spec, or do you expect 10G worth of data all the time?

[XrayDoc88]

Budget is fluid.  I have to build or buy two mini PCs so I'd like to keep each purchase less than about $700.  The actual price will depend a lot on the current pricing of RAM, which is still ridiculous.  I obviously won't have 10G service from my ISP, but I'd like to upgrade my local networks to 10G.  Do I absolutely need that, no.  But we do stream a lot of movies from our local NAS servers and sometimes across the internet from a remote NAS.  We do have a fair amount of 4K movies to stream.  We're in the PLEX eco system for all of our media.  Plus, I work remotely and want the fastest site-to-site VPN, internet download speeds, etc.

[nero355]

I obviously won't have 10G service from my ISP, but I'd like to upgrade my local networks to 10G.  Do I absolutely need that, no.  But we do stream a lot of movies from our local NAS servers and sometimes across the internet from a remote NAS.  We do have a fair amount of 4K movies to stream.  We're in the PLEX eco system for all of our media.

You don't need 10 Gbps for that : Movies needing more than 120 Mbps are rare AFAIK so in theory you can stream 8 of those via 1 Gbps ;)

I don't see any WAN Connection info :
- Does your ISP perhaps use PPPoE ?
- What will be the WAN bandwidth ?

[XrayDoc88]

Both homes have 1G fiber to the home.  One ISP uses PPPoE.  The other uses DHCP.  I don't really know the bandwidth.  I just want to be future proofed.  I do share my PLEX servers with family members across the internet.  It's quite common for two people in the same house to be streaming at the same time.  I also have one NAS that makes backups across the internet to my second NAS every day of the week.  I also transfer Blu-ray movie rips between NAS boxes across the internet.  I want my site-to-site VPN to function as fast as possible.  Both NAS boxes also get every other day backups from the PCs in my homes.

[meyergru]

The N1x0 would be alright to route and firewall 10 Gbps. For Wireguard, you need CPU acceleration, but AFAIR, under FreeBSD, the optimized Intel libraries are only used under the commercial version of pfSense - and that is a proprietary implementation, see: https://forum.opnsense.org/index.php?topic=38909.0

That implementation is said to be twice as fast as the normal FreeBSD/OPNsense/pfSense CE one. That being said, I doubt that you will reach 10 Gbps speeds with that class of CPU either way. Measurements of WG speed to a local jail on OpnSense showed ~1.3 Gbps on my N100 and even on modern CPUs like an i5-13500 or Ryzen 9 5950X, it will likely hit no more than 8 Gbps.

Also, when you use some kind of fancy intrusion detection, your speeds will decrease as well. Zenarmor is known to to use only one single CPU thread, so even using a high-powered multi-core CPU would come at its limits.

On the other hand, a hefty CPU will come at a much higher cost for 24/7, so I would give up on my plan to be "future-proof" and buy what suits me now.

[XrayDoc88]

Thank you for the long, interesting, but somewhat depressing link to Wireguard problems on OPNsense.  I had no idea there was such a difference between performance on OPNsense and pfSense+.

1. Is there any real hope that the optimized Intel libraries will ever work in OPNsense, or that the speed discrepancy can be eliminated?
2. Do you happen to know if OPNsense Wireguard performance still typically beats IPsec for site-to-site VPN connections?

Thanks!

[meyergru]

1. It seems to be a somewhat hard task and I doubt that Deciso will re-enact the efforts that Netgate has put into it. Maybe Netgate will at some point make their work public, but for the time being, it is a discriminating feature (even from their own CE product).

2. IDK, maybe that would depend on the specific CPU and which algorithm you choose.

[rumshot]

Hey Mate,

Not sure if that would help you, but i've bought a EC-S (silver peak) on ebay, with interfaces 10gb and reused it with opnsense. Im extremelly happy with opnsense and im using my 3 gateways with wireguard for 1 month and no issues.
Im running all kind of plugins, ids/ips, zenarmor, avocado, papaya and i just have 20% of memory used.

Check on ebay and be happy.

ps: regarding opnsense... i never had any regret after installed it. I cant say the same about pfsense.... maybe skin thing, but i hated it.

[XrayDoc88]

Thanks.  I hadn't heard of Silver Peak.  Looking on Ebay, I don't see any mention of 10G ports nor SFP+ ports however.