New Build: 1U rackmount system for PfSense

SSri

I have recently networked the entire house with CAT6. Two UAP AC Pros drive the wifi. The CAT6 cables are terminated at a patch panel in the loft. I am getting a Cisco switch. I have an aging router. I want to replace it with a custom-built PfSense. I want to avoid the Intel Atom range, given the C2000 series risks detected recently.

This is the build so far.

http://

Could you please advise the following?


  • The build.
  • Is there room to reduce the cost further?
  • A suitable 1U rackmount case for the spec.

I have not chosen the fan yet.

Thanks
 
A general comment though... is there a particular reason you're aiming for 1RU, or even rackmount at all? It looks like you're trying to do things "right" and that's an admirable goal, but the only real advantage of rackmount gear is that it allows you to get much more hardware into a limited space, while still being relatively serviceable.

Unless you're literally trying to squeeze this into a room which only fits the gear you have, and nothing else, a normal whitebox build in a standard ATX case is going to make things waaaaay easier in the long run. The extra space you get in a normal build is far more serviceable than most rackmount gear (especially 1RU stuff!), can be cooled without super noisy 40mm fans, and allows far more capacity for upgrade... using normal (and cheap!) off the shelf gear to boot.

I've run cables throughout my house to an OPNsense firewall (similar to PFsense), which has 5 separate networks (actually for good reason... I promise). While I went with a patch panel I decided a cheap shelf with a standard ATX build for the software router was by far the better way to go.
 


Sorry.

PCPartPicker part list / Price breakdown by merchant

CPU: Intel Pentium G4560 3.5GHz Dual-Core Processor (£52.96 @ CCL Computers)
CPU Cooler: Noctua NH-L9x65 33.8 CFM CPU Cooler (£38.99 @ Amazon UK)
Motherboard: ASRock B250M Pro4 Micro ATX LGA1151 Motherboard (£79.57 @ BT Shop)
Memory: Crucial 4GB (1 x 4GB) DDR4-2133 Memory (£27.81 @ Eclipse Computers)
Storage: Samsung 120GB 2.5" Solid State Drive (£59.40 @ Aria PC)
Power Supply: Silverstone 300W 80+ Bronze Certified SFX Power Supply (£50.94 @ CCL Computers)
Optical Drive: Asus BC-12D2HT Blu-Ray/DVD/CD Writer (£58.92 @ Eclipse Computers)
Wired Network Adapter: Intel EXPI9404PTL PCI-Express x4 10/100/1000 Mbps Network Adapter (£148.96 @ Scan.co.uk)
Total: £517.55
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2017-03-28 09:35 BST+0100
 


I agree with all advantages a standard case would bring. I am terminating everything on my loft (there is no loft conversion, which is not possible though) and putting all in a rack. It will therefore be neat and tidy.

I, in fact, looked at this as well, which is not a rack mount.

https://www.amazon.co.uk/Pfsense-Fanless-Barebone-Computer-firewall/dp/B01NCXC44R/ref=sr_1_3?s=computers&ie=UTF8&qid=1490691771&sr=1-3&keywords=q310g4+barebone
 

Those parts look fine, except it's not going to go in a 1U case. 1U is literally 45mm (1.7 inches tall). Both your SFX PSU and that "low profile" cooler are the height of one and a half U all on their own. For the cooler, that's before it's mounted on a motherboard with standoffs.

Plus, you'd need a riser cable for the network card.

I still don't understand why you can't just build a standard ATX or mATX case. Or at least a HTPC case which will have much better compatibility. You can get "rack mount shelves" on the cheap so it's a normal case rested in a 19" rack, if you're wedded to your rack.

Anyway, if you're adamant about rackmount then you at least need to go 2U. Most of those at least allow space for low profile PCIe cards without a riser cable. Get a case with a decent power supply bundled, or standard ATX or SFX support, and drop to the Noctua NH-L9i cooler which should fit (check the case specs to make sure it has 37mm clearance - but a 2U case should). Actually you want a bunch more than 37mm anyway, because the fan needs to pull the air from somewhere other than the metal top of the case. At least that will fit relatively standard hardware.
 


Thanks. I will get the 2U case and get a riser cable, just in case. I will post the revised spec later on. Thanks.




I won't use this word, if I were you. It is rude :)
 

You shouldn't need the riser cable for a 2U case. They have sufficient height for low profile cards. Of course check the specs on the case, but I expect you'd be fine.

Anyway, if you're adamant ......

I won't use this word, if I were you. It is rude :)
I simply used adamant as in "not being persuaded" or "not changing your mind", which I understand is the literal definition. I asked in my first post (and again in my second) why you're so attached to a rack-mount case and unless I've missed something, your only response is "neat and tidy". You can do neat and tidy with any normal case sitting on other components in the rack, or on a shelf, or next to the rack... and you get a more serviceable and flexible build to boot.

Part of the role of people here on the forums, in my opinion at least, is to ask questions and encourage people to re-think their plans to try and ensure people get what they actually want/need in the long run. That's all I'm trying to do in questioning your rack mount approach, especially the hugely difficult and constraining 1U requirement. Obviously you don't need to convince me or justify your decisions to me. It's your money, you can spend it however you like.

In any case (pun intended!), most of my concerns are alleviated by choosing the right 2U case, as most of these take standard ATX PSUs and can fit off-the-shelf coolers like the one I suggested above.
Something like this should serve you well: https://www.scan.co.uk/products/logic-case-2u-rackmount-standard-chassis-6x-35-hdd-bays-2x-525-bays-4x-80mm-fans-2x-front-usb-20-7x-
 


Thanks. Although it was a little unusual to see that comment, I knew you were helping me to choose well. Point taken. :)
You have indeed made me think. I have made some changes, which you will see below. I have dropped the Intel NIC and am trying to source one from eBay. Hope that works. I also have an old Sandisk mSATA (PCIe). Will that work please?

Finally, if I were to go non-rackmount, it needs to be a horizontal unit that can be kept in a bookshelf cupboard. There are so many choices, I am a little lost considering it needs to be as good, in terms of features, as the 2U case that you have recommended.

PCPartPicker part list / Price breakdown by merchant

CPU: Intel Core i3-7100 3.9GHz Dual-Core Processor (£107.76 @ CCL Computers)
CPU Cooler: Noctua NH-L9i 33.8 CFM CPU Cooler (£34.74 @ Ebuyer)
Motherboard: ASRock B250M Pro4 Micro ATX LGA1151 Motherboard (£79.57 @ BT Shop)
Memory: Kingston FURY 8GB (1 x 8GB) DDR4-2400 Memory (£58.00 @ Amazon UK)
Total: £280.07
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2017-03-30 13:04 BST+0100

Case and PSU = £150

https://www.scan.co.uk/products/logic-case-2u-rackmount-standard-chassis-6x-35-hdd-bays-2x-525-bays-4x-80mm-fans-2x-front-usb-20-7x-

https://www.scan.co.uk/products/450w-corsair-sf450-high-performance-80plus-gold-full-modular-sli-crossfire-single-rail-37a-plus12v-e

I have removed the DVD RW/R. I will use the USB 3.0 for loading/installing PfSense.
Storage

I have an unused old mSATA from Sandisk. It is a PCIe. Is this ok, or would you recommend putting in the latest one and keeping this to back up the PfSense or using it for webcache, please?

https://www.amazon.co.uk/SanDisk-SDSA5DK-128G-Harddisk-Laptop-Notebook/dp/B00S0O5QMU

Quad GBit Intel NIC - £70

This is a used one from eBay, which is an Intel i350 Quad GBit. Is this ok please? I hope there won't be any installation issues.

http://www.ebay.co.uk/itm/Intel-i350-1Gb-s-Quad-Port-RNDC-R1XFC-/381060857850?hash=item58b8ff3ffa:g:~YMAAOSwdzVXqf5K

Total is ~£500.00

I know i3-7100 supports AES-NI. Is Intel Quick Assist required for PfSense? Did I miss anything please?

Thanks.
 
PFSense doesn't need much in the way of Hardware unless you're running a network for hundreds of users, or aiming for very high throughput VPN connections. I'm assuming this is for your home network with a couple of users, and maybe ~100mbps Internet connection or less. Is that about right? If so, don't worry about your hardware, it'll be fine!

You can drop the i3 to a Pentium G4560. Much cheaper. You do lose AVX 2.0 instructions, but that's very, very rarely actually an issue. Both processors support AES-NI, which I understand pfsense does utilise for VPN traffic. Anyway, unless you have a particular reason to pay more, get the Pentium G4560 and save yourself some cash.
You don't need QuickAssist again, unless you're trying to push really high bandwidth (like well over 1Gbps - as I understand it) through a VPN tunnel.

Storage is of minimal importance. You don't need a second drive. Just use whatever you have lying around.
Backup and restore is very straightforward and you can just do it through the web interface, much like you can with many off-the-shelf routers.
When you make a config change, just take a second to extract a new backup/config file and store it somewhere safe. If the computer or drive dies, just build a fresh pfsense and load the saved config... done.

My only concern is "mSata". Are you sure it's actually mSATA and not m.2? They're different and not compatible with one another. The mobo you chose has two M.2 slots, but NOT mSATA.
What's the drive make/model specifically?

That NIC you linked is, I believe, a "daughter board" for specific Dell servers which have that module connector. You just need a standard PCIe card.
Also, be aware that many cheap eBay "Intel" NICs are dubiously sourced and I've seen numerous reports of them having much higher failure rates than genuine gear. There are loads floating around on eBay "brand new" that are questionable. Actually second hand gear (as long as it's PCIe and from a reputable seller) is a better choice here, if it's coming from decommissioned servers it should be genuine Intel equipment and much more reliable, despite being second hand.

The 2U case is fine... as long as it fits standard motherboards, coolers and power supplies. On reflection, my issue was really the 1U request, not the rackmount request itself.
Your build is likely to draw a whopping 50W or so, maybe 75W at a stretch, and will probably spend most of its life at around 15-20W... case airflow is just irrelevant for those kinds of loads. It'll be fine in any case that has even a tiny bit of airflow.
So don't be too bothered by the case.
1) does it fit an mATX board?
2) does it have clearance for your CPU cooler?
3) does it fit a standard ATX power supply?
If "yes" to the above, then it'll do the job. Pick one you like or get the rackmount 2U case if that's what you want.
 
Sorry for the delay.



I work from home a lot and I need to route all my work traffic through VPN. I would definitely be putting VPN to route as much traffic as possible. I have 20 clients that access the net. This will be more. My internet speed is 300 down / about 30 up.



You are correct. My old stock is a plain mSata and not M.2. It won't fit.



I have seen reasonably priced HP gigabit cards that are basically Intel cards. I read in an Amazon review that these server cards fit the PCs as well. They cost about £80-£100. I would probably choose one of them, depending on my final choice.

For the Pfsense FW/Router, I have now come to three choices:

Refurbished HP z220 sporting Xeon E3-2270.v2 / E31220.v3 / i7 3770 workstation costing about £250-£300
New build using i3 7100 costing about £600
Netgate 2000 series for PfSense.

The refurbished HP z200 is pretty tempting indeed as I have identified a few pulled from a corporate environment.
 

So you're going to set up your PFSense router at your house as a VPN client to your work network, is that right? That can be done, but it's not super-straightforward as I understand it.
Or is your workstation at home going to act as the VPN client?
What do you mean by "20 clients"? You have 20 people in your house? If not, how are those 20 people connecting to your PFSense Router?
If your PFSense box is regularly going to be pushing 200Mbps + over VPN connections then I can see why you wouldn't want to skimp on the CPU. It's not really about the number of clients, it's about the throughput, because all that data has to be encrypted/decrypted. Having said that, even the G4560 supports AES-NI, which I understand pfsense leverages for much more efficient processing of those workloads.
I don't claim to be an expert on this, so you might be better on a dedicated pfsense forum if you want to find out CPU requirements for a 300Mbps VPN tunnel.
However... if your workstation is acting as the VPN client, then the router is not doing any of the encryption and all the hardware requirements fall back to your workstation (and your work's VPN server).

You are correct. My old stock is a plain mSata and not M.2. It won't fit.
You can get a cheap mSATA to SATA adapter... it's the same protocol, so all the adapter/enclosure does is get pin-compatibility for standard SATA data and power connectors.
Here's an example from a UK store: https://www.scan.co.uk/products/lycom-st-168m-msata-ssd-to-25-sata-drive-converter-with-25-frame

For the Pfsense FW/Router, I have now come to three choices:

Refurbished HP z220 sporting Xeon E3-2270.v2 / E31220.v3 / i7 3770 workstation costing about £250-£300
New build using i3 7100 costing about £600
Netgate 2000 series for PfSense.
I don't know what a Netgate 2000 series is, but either of the other two would do the job, pending confirmation on the VPN requirements.
If you do build your own, I'd drop to the Pentium G4560... still supports AES-NI and you save nearly half the price for a few hundred MHz.
 


PfSense box will also act as a VPN server.



Laptops, PCs, etc.



Yes. I was thinking the same in the last few days.

Thanks very much for your help, which I appreciate very much.