My APU2 can’t reach more than 400 Mb/s even with Snort and other services disabled. I tried several pieces of advice but nothing changed. So I guess it’s time to change my APU2 for more powerful hardware. My only rule: it must be fanless (or noiseless) and not a big server rack. Protectli seems promising, but I’m not sure about VPN + Snort enabled. Any idea?
There’s a new generation of Jasper Lake based units with 2.5 Gbit NICs coming out of China which fit your requirements, maybe worth taking a look?
ServeTheHome did some articles on them recently. Performance is excellent and future-proof for quite a while.
Spoiler alert: I bought one of them myself with the N6005 CPU and it has been running flawlessly for over a month now. Looking back I would have chosen the N5105 instead, as the added performance from the N6005 is overkill (I don’t plan on redundant dual 2.5 GbE WAN…).
EDIT: I might just add that passing gigabit with Suricata barely stresses the CPU past 20%.
Have you tried updating the BIOS? I’ve seen an APU2 achieve more than that; most say 600-700 Mbps with pfSense.
Any reason to not use Netgate’s hardware? Quite a few price/size options.
My Protectli Vault with an i3 handles gigabit with Snort without issue, there are i5 and i7 versions of it as well. They are supposed to have a 2.5Gbit variant coming out later this year, as well.
HP makes these small x86 Intel mini computers. Get a Netgear smart managed switch and run it as a router on a stick, i.e. trunk your ports to the pfSense box.
HP EliteDesk 800 G2 Desktop Mini Business PC, Intel Quad-Core i5-6500T up to 3.1 GHz, 16 GB DDR4, 240 GB SSD, VGA, DP, Win 10 Pro 64-bit (Renewed) – Amazon.com
What about VPN? How does that affect the CPU usage?
Would you recommend the N6005 for 2.5 GbE + Suricata, or do you think the N5105 is sufficient? I don’t have 2.5 GbE yet, but want to future-proof.
Yep, already did, but still the same speeds.
None. Actually I am seriously considering the Netgate 4100. It seems to be a pretty good option for my requirements, with fewer complications.
I’ve been waiting on the 2.5 variant. I had a crash recently on my pfSense box and I’m hoping it holds out long enough.
This should be enough for gigabit?
I only use WireGuard, and I cannot see any discernible difference in CPU use with the VPN or without.
I can post an openssl benchmark from the command line if anyone would like it for comparison. It should give a ballpark reference.
I would still say the N6005 is overkill. There might, however, be a case for some obscene rule set in Suricata that might warrant that much CPU performance.
For normal use including Suricata, I have to push at least 500 Mbit before I even see the CPU go beyond the 800 MHz minimum.
As a reference point, the most stressful test I’ve seen on the N6005 was pushing 900 Mbit/s through a WireGuard S2S tunnel, with Suricata (23500 rules active) on the LAN interface as well. CPU usage was 28% in total.
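As an added example (not from the thread or any of its posters): a small POSIX shell helper that turns the summary rows of `openssl speed -evp <cipher>` into whole Mbit/s and compares them with a target line rate, so a benchmark like the one offered above can be read as "does this box have headroom for gigabit WireGuard". The function names, the 1024-byte column as a stand-in for MTU-sized packets, and the single-core assumption are mine; the embedded openssl output is constructed for the demo, not a measurement of any box in this thread.

```shell
#!/bin/sh
# Added example: turn `openssl speed -evp <cipher>` output into a Mbit/s
# ballpark and compare it with a target line rate.
# WireGuard uses ChaCha20-Poly1305; AES-GCM is the usual IPsec/OpenVPN choice.
# Assumptions (not from the thread): the 1024-byte column stands in for
# MTU-sized packets, and one core does the work (openssl speed is
# single-threaded unless you pass -multi <n>).

# Print the summary line for one cipher from full `openssl speed` output on
# stdin. The summary row is "<cipher> v1k v2k v3k v4k v5k v6k" (7 fields);
# the "type ..." header has more fields and never matches a cipher name.
summary_line() {
    awk -v name="$1" 'NF >= 7 && tolower($1) == tolower(name) { print; exit }'
}

# Convert a summary line to whole Mbit/s using the 1024-byte column ($5).
# openssl prints bytes/second divided by 1000 with a trailing "k".
speed_line_to_mbps() {
    printf '%s\n' "$1" | awk '{
        v = $5; sub(/k$/, "", v)
        printf "%d\n", (v * 1000 * 8) / 1000000
    }'
}

# check_cipher <cipher> <target Mbit/s>   (openssl speed output on stdin)
# Exit 0 if the cipher clears the target, 1 if short, 2 if not found.
# Treat a bare pass as marginal: packet overhead, the IDS and the return
# direction of the traffic all eat into this single-core figure.
check_cipher() {
    line=$(summary_line "$1")
    if [ -z "$line" ]; then
        echo "$1: no result in openssl speed output" >&2
        return 2
    fi
    mbps=$(speed_line_to_mbps "$line")
    if [ "$mbps" -ge "$2" ]; then
        echo "$1: ${mbps} Mbit/s (1024-byte blocks) - clears ${2} Mbit/s"
        return 0
    fi
    echo "$1: ${mbps} Mbit/s (1024-byte blocks) - SHORT of ${2} Mbit/s"
    return 1
}

# Constructed sample in the shape openssl 1.1/3.x prints. The numbers are
# made up for the demo, not a measurement of any box discussed above.
SAMPLE=$(cat <<'EOF'
version: 3.0.2
built on: Tue Mar 15 2022
The numbers are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
chacha20-poly1305    90000.00k   210000.00k   400000.00k   450000.00k   470000.00k   472000.00k
aes-256-gcm         300000.00k   800000.00k  1100000.00k  1200000.00k  1250000.00k  1260000.00k
EOF
)

# Demo against the constructed sample: headroom for gigabit WireGuard and
# for a 2.5 GbE IPsec link.
printf '%s\n' "$SAMPLE" | check_cipher chacha20-poly1305 1000
printf '%s\n' "$SAMPLE" | check_cipher aes-256-gcm 2500

# On a real box (about 18 s per cipher; add "-multi 4" to load four cores):
#   openssl speed -evp chacha20-poly1305 2>/dev/null | check_cipher chacha20-poly1305 1000
```

The 1024-byte column is deliberately pessimistic compared with the 8192/16384-byte columns that headline most benchmarks, because VPN traffic arrives in packets, not in 16 KB buffers; if the number only just clears your line rate on one core, expect the IDS and the encapsulation overhead to pull the real tunnel throughput below it.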
Yeah, way more than enough. I suggest a cheap Netgear ProSafe switch that you can program VLANs into.
VLAN 10 - WAN
VLAN 11 - LAN
Make one port the trunk to the router.
One port is your WAN.
Make the rest VLAN 11 and plug whatever you want into it.
Ah nice, thanks for the input. One more quick question: do you have any security concerns with the hardware, or do you think it’s generally fine?
Sounds like you have some experience with different hardware. What do you think about a Celeron J3160 handling gigabit with either Suricata or Snort? I’m also trying to find the right speed/price ratio.
I bought the box as a barebone, so no worries about previous installs and such.
With the hardware itself I do not give it much thought, tbh. I would certainly not expect such a platform to contain hardware-level “spy chips”, considering most enterprises and targets worthy of such an attack vector (i.e. government / state level) would not use a China-based firewall. The hardware itself for such an implementation would be more expensive than the box itself.
For any compromise that is firmware based, normal firewall rulesets and such on pfSense “should” catch it.