Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-07 Thread Michael Schuh
Hi there,

2013/11/7 Thinker Rix thinke...@rocketmail.com

 Hi Michael,


 On 2013-11-06 11:37, Michael Schuh wrote:

 I have several different systems running,
 including an old 3 GHz Intel Pentium D CPU with 2 GBytes ECC memory:
 4 NICs, throughput max (so far): 115 MBytes/s at 20k IRQs (no polling
 enabled, no special tweaking)
 1 NIC is Broadcom, 1 NIC is an Intel Pro/1000 Desktop Adapter, the other two
 NICs are an Intel Pro/1000 Dual Port Server Adapter.
 Memory is a bit short in this system, but it runs fine.


 Thank you for this interesting insight with the Pentium D. As far as I
 can tell, you are getting full gigabit throughput between two interfaces with
 it?! That is exactly what I want to have, too, and I am happy to learn that
 it is possible even with older dual cores.


The 115 MBytes/s is one NIC; the traffic gets split over the other 3 NICs.
Yes, it seems that is the maximum possible.
The data rate is the native data rate (including protocol payload/overhead),
so I do not expect much more. :-)



  Other systems run e.g. with a Core2Duo 2.66 GHz (E7300), another one with a
 Pentium 2.9 GHz (G2020).
 The last one I wouldn't recommend for high throughput and low latency:
 the reaction times and the latency rise fast
 if the throughput rises or if I add some VPN tunnels (AES-256).


 Your comment about the G2020 is interesting, since A) that is the CPU that
 I was planning to go for (due to its ECC support) and B) I can't
 understand why it performs worse than the other CPUs, especially the much
 older Pentium D.
 Here is the comparison: http://ark.intel.com/compare/71070,36463,27518,27517
 Could that performance dip / latency sensitivity be due to its
 https://en.wikipedia.org/wiki/Smart_Cache ? I do not see any other
 difference than that.



Well, I have no clue what the problem is.
I can only say what I could observe.
The observations were made from the internal network, the fastest side,
directly connected.
There is also no need to investigate it further:
the $customer never reaches any bandwidth limits.
So the comparison with the older D-CPU systems doesn't fully fit here.

The E7300 should be slower than the G2020, also due to the different cache
size and memory bandwidth, but isn't.
Both are with normal memory, no ECC.
Connections are fine, all NICs Intel.

Maybe the mainboard.
The system with the G2020 CPU is one out of 3, all with the same behaviour.
Those are $customer-bought systems.
So I guess maybe the IRQ handling, or as ever the sum of everything.


The two older systems with the D-CPU are server boards with ECC memory. I
think this should make them even slower.
Just those two systems have no VPN tunnels, and under full load the D-CPU
is 80% busy,
if you like to compare it to them.




  So I would also recommend the Core i5; the Core i3 IMO comes close to a
 Pentium CPU.

 I myself keep the Celeron CPUs far away from me, except for small embedded
 systems in the lower range.

 Core i7 or Xeon is way too much for my taste and feeling.


 Since I can't go for the i5 with the Supermicro X9/X10 series motherboards
 that I want to buy, I will either go for the Xeon - or buy the Pentium now
 and upgrade to the Xeon later on, if performance should turn out to be not
 enough.



Well, depending on the workload, I would keep an eye on the IRQ rate and
think about polling and maybe raising kern.hz up to 2000.
One can watch this with systat -vmstat 1 at the console,
and the throughput per NIC with systat -ifstat 1.

As others recommended, I would also recommend: throw VIA, Marvell and
Realtek (D-Link, VIA Rhine) chipsets, and also VIA mainboard chipsets, as far
away as you can if it comes to high performance.
I have already had the craziest behaviour with those chipsets, starting from
struggles with autonegotiation up to errors in the chipsets themselves, not
depending on the drivers.


  hth.


 Yes, thank you for your help so far!


:-)



 Regards

 Thinker Rix

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Michael Schuh
I have several different systems running,
including an old 3 GHz Intel Pentium D CPU with 2 GBytes ECC memory:
4 NICs, throughput max (so far): 115 MBytes/s at 20k IRQs (no polling
enabled, no special tweaking)
1 NIC is Broadcom, 1 NIC is an Intel Pro/1000 Desktop Adapter, the other two
NICs are an Intel Pro/1000 Dual Port Server Adapter.
Memory is a bit short in this system, but it runs fine.

Other systems run e.g. with a Core2Duo 2.66 GHz (E7300), another one with a
Pentium 2.9 GHz (G2020).
The last one I wouldn't recommend for high throughput and low latency: the
reaction times and the latency rise fast
if the throughput rises or if I add some VPN tunnels (AES-256).

So I would also recommend the Core i5; the Core i3 IMO comes close to a
Pentium CPU.

I myself keep the Celeron CPUs far away from me, except for small embedded
systems in the lower range.

Core i7 or Xeon is way too much for my taste and feeling.

hth.

= = =  http://michael-schuh.net/  = = =
Project Management - IT Consulting - Professional Services IT
Rev. Michael Schuh <http://dudeism.com/ordcertificate?ordname=Michael+Schuh&orddate=05/20/2012>
Ordained Dudeist Priest <http://dudeism.com/>
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  VAT ID (Ust-ID):  DE251072318  = = =


2013/11/6 Thinker Rix thinke...@rocketmail.com

  Hi Moshe,


 On 2013-11-06 08:35, Moshe Katz wrote:


  Price     Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
  33.69 €   Celeron  1155    2      2        2 MB   2.7 GHz        --
  44.31 €   Pentium  1155    2      2        3 MB   2.9 GHz        --
  93.77 €   Core i3  1155    2      4        3 MB   3.4 GHz        --
  167.25 €  Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz

 The Xeon has hardware support for AES encryption that might speed up VPN
 traffic?

 Which of the CPUs do you advise me to pick?

 Thanks for any feedback,

 best regards

 Thinker Rix


  I don't see a Core i5 on that list.  See if you can get one of those.
  It'll be between the i3 and the Xeon in price, but will have the AES-NI
 instruction set.  (It will also have 4 physical cores instead of the i3's
 dual cores with hyperthreading.)


 Unfortunately the motherboards I plan to buy support only the
 above-mentioned CPUs.
 I have another thread going where I discuss motherboard compatibility with
 pfSense. Should someone report that finally I could also use the other of
 the two boards (the one with the 1150 socket and the C222 chipset), I could
 use different CPUs:
 - Pentium
 - 4th generation Core i3
 - Xeon E3-1200 v3

 In this case I could go for the i3, since it supports AES-NI.

 But I do not expect that the C222 board will be compatible, so I most
 likely will have to stick with the CPUs mentioned above. Which one would
 you pick of those?


   If you look around online, you will find almost universal agreement
 that AES-NI significantly improves VPN speed.  This also means that even if
 you aren't maxing out the VPN's capacity, you will still be saving
 processor cycles for doing the other stuff that the machine needs to do.


 There is this one thing I want to learn:
 AES-NI helps lowering CPU load for encryption/decryption tasks, sure. But
 what happens if the CPU is not under full load? Will there still be an
 advantage then, i.e. because the CPU can perform the de/encryption *faster*
 when having AES-NI support, so that the VPN latency might be reduced, so
 that e.g. VoIP-over-VPN would improve? Or is it the case that there is no
 difference, as long as the CPU is not under full load, because all that
 AES-NI does is allow the CPU to compute with fewer resources?


 Thank you for your time!

 Thinker Rix





Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall

On 6/11/13 7:11 am, Thinker Rix wrote:

Unfortunately the motherboards I plan to buy supports only the
above-mentioned CPUs.
- Pentium
- 4th generation core i3
- Xeon E3-1200 v3


If your board supports a Core i3, it is *very* unlikely that it won't 
also support the i5 of the same generation (i.e. socket 1155, Sandy/Ivy 
Bridge cores) - given that i3 - i5 - i7 is an easy performance 
differentiator for system integrators, who will likely be using the same 
board across their range.


Out of interest, any reason you're not looking at the newer Haswell core 
chips (i.e. socket 1150) - from what I've read their power consumption 
is a fair bit lower than previous Sandy/Ivy Bridge cores?


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Eugen Leitl
On Wed, Nov 06, 2013 at 09:11:08AM +0200, Thinker Rix wrote:

 Unfortunately the motherboards I plan to buy supports only the
 above-mentioned CPUs.

Anyone running pfSense on a HP Microserver G8?

http://b3n.org/installed-xeon-e3-1230v2-in-gen8-hp-microserver/

These have dual Broadcom BCM5717 NICs onboard, but you can stick a dual-port
Intel NIC in there as well.

 I have another thread going where I discuss motherboard compatiblity
 with pfSense. Should someone report, that finally I could also use
 the other of the two boards (the one with the 1150-socket and the
 C222 chipset), I could use different CPUs:
 - Pentium
 - 4th generation core i3
 - Xeon E3-1200 v3
 
 In this case I could go for the i3, since it supports AES-NI.
 
 But I do not expect that the C222 board will be compatible, so I
 most likely will have to stick with the CPUs mentioned above. Which
 one would you pick of those?
 
 If you look around online, you will find almost universal
 agreement that AES-NI significantly improves VPN speed.  This also
 means that even if you aren't maxing out the VPN's capacity, you
 will still be saving processor cycles for doing the other stuff
 that the machine needs to do.
 
 There is this one thing I want to learn:
 AES NI helps lowering CPU load for encryption/decryption tasks,
 sure. But what happens if the CPU is not under full load? Will there
 still be an advantage then, i.e. because the CPU can perform the
 de/encryption *faster* when having AES NI support, so that the VPN
 latency might be reduced, so that e.g. VoIP-over-VPN would improve?
 Or is it the case that there is no difference, as long as the CPU is
 not under full load, because all that AES NI does, is allow the CPU
 to computer with less resources?
 
 Thank you for your time!
 
 Thinker Rix




Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall

On 6/11/13 12:30 pm, Eugen Leitl wrote:

Anyone running pfSense on a HP Microserver G8?


I have - in the past - had it running on a G5 and a G6 if that's any help.

One of our clients is using it on a G7.

lspci on both mine show:
Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10)

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Eugen Leitl
On Wed, Nov 06, 2013 at 04:12:09PM +, Chris Bagnall wrote:
 On 6/11/13 12:30 pm, Eugen Leitl wrote:
 Anyone running pfSense on a HP Microserver G8?
 
 I have - in the past - had it running on a G5 and a G6 if that's any help.
 
 One of our clients is using it on a G7.
 
 lspci on both mine show:
 Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10)

Are these borderline reliable with FreeBSD/pfSense? I've had
some strange behavior with my old Supermicro Atom lately, when
I had to start using the onboard Realteks when my dual-port
Intel NIC started playing yoyo with my cable modem port --
I suspect it's partially fried. The Realteks have been doing it
so far.


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-05 Thread Thinker Rix

On 2013-10-24 19:30, Thinker Rix wrote:
I am planning a new pfSense box and am wondering if the hardware that 
I want to use will be sufficient.


Hardware:

2x Intel PRO/1000 PT Quad Port Gigabit NICs, each directly connected 
via PCIe-8x to the North Bridge of the CPU
4x on-board Realtek 8111C Gigabit NICs, connected via PCIe-4x 
internally to the South Bridge of the CPU, which they share with the 
RAID controller

= 12 NICs total
Motherboard: Consumer Desktop Motherboard
CPU: Intel Core2Duo 2.4 GHz or Core2Quad 2.4 GHz or Core2Quad 2.89 GHz
PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA 
disks RAID5


Config:

I will:
1. be bonding 2 Intel NICs for the DMZ and 2 Intel NICs for the LAN zone
2. have Dual-WAN VDSL (50 Mbps downstream, 10 Mbps upstream each)
3. have 3-4 site-to site VPN connections and 1-2 VPN road warriors via 
the WAN
4. have 1-2 VPN road warriors in my WLAN zone, connected with 450 Mbps 
WLAN-NICs to a 450Mbps WLAN Access Point that is connected with a 
gigabit NIC to a Intel NIC of pfSense

5. have 4-5 VLANs

Requirements:

I want to have:
- full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x 
Gigabit at max)

- full 450Mbps between the WLAN and pfsense
- maximal VPN speed without speed break due to hardware limitations, 
i.e. as near to wire speed as possible


Questions:

1. Would the Core2Duo CPU be sufficient for my requirements or should 
I choose the 2.4 GHz quad-core, the 2.89 GHz quad-core or maybe an even 
more powerful CPU or a totally different setup?
2. Is there any other bottleneck that will prevent my performance 
requirements?
3. When bonding the NICs, I was planning to use a port on each of the 
PCIe cards so to have a little bit of redundancy should an expansion 
card fail. Will there be significant performance losses due to this 
spread over 2 expansion cards, so that it would be much better to bond 
two NICs that live on the same expansion card and forget about the 
additional redundancy?


Hi all!

I will finally go for brand new hardware for this pfSense box. Given the 
above-mentioned requirements, which of the following CPUs would you 
advise me to buy:


Price     Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
33.69 €   Celeron  1155    2      2        2 MB   2.7 GHz        --
44.31 €   Pentium  1155    2      2        3 MB   2.9 GHz        --
93.77 €   Core i3  1155    2      4        3 MB   3.4 GHz        --
167.25 €  Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz

The Xeon has hardware support for AES encryption that might speed up VPN 
traffic?


Which of the CPUs do you advise me to pick?

Thanks for any feedback,
best regards

Thinker Rix



Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-05 Thread Moshe Katz
On Wed, Nov 6, 2013 at 1:20 AM, Thinker Rix thinke...@rocketmail.com wrote:

 Hi all!

 I will finally go for brand new hardware for this pfSense box. Given the
 above-mentioned requirements, which of the following CPUs would you advise
 me to buy:

 Price     Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
 33.69 €   Celeron  1155    2      2        2 MB   2.7 GHz        --
 44.31 €   Pentium  1155    2      2        3 MB   2.9 GHz        --
 93.77 €   Core i3  1155    2      4        3 MB   3.4 GHz        --
 167.25 €  Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz

 The Xeon has hardware support for AES encryption that might speed up VPN
 traffic?

 Which of the CPUs do you advise me to pick?

 Thanks for any feedback,

 best regards

 Thinker Rix


I don't see a Core i5 on that list.  See if you can get one of those.
 It'll be between the i3 and the Xeon in price, but will have the AES-NI
instruction set.  (It will also have 4 physical cores instead of the i3's
dual cores with hyperthreading.)  If you look around online, you will find
almost universal agreement that AES-NI significantly improves VPN speed.
 This also means that even if you aren't maxing out the VPN's capacity, you
will still be saving processor cycles for doing the other stuff that the
machine needs to do.

Whatever you do, stay* very far away* from the Celeron.  Performance will
likely be terrible.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-05 Thread Thinker Rix

Hi Moshe,

On 2013-11-06 08:35, Moshe Katz wrote:


Price       Name     Socket  Cores  Threads  Cache  Clock default  Clock Turbo
33.69 EUR   Celeron  1155    2      2        2 MB   2.7 GHz        --
44.31 EUR   Pentium  1155    2      2        3 MB   2.9 GHz        --
93.77 EUR   Core i3  1155    2      4        3 MB   3.4 GHz        --
167.25 EUR  Xeon     1155    4      4        8 MB   3.1 GHz        3.5 GHz

The Xeon has hardware support for AES encryption that might speed
up VPN traffic?

Which of the CPUs do you advise me to pick?

Thanks for any feedback,

best regards

Thinker Rix


I don't see a Core i5 on that list.  See if you can get one of those. 
 It'll be between the i3 and the Xeon in price, but will have the 
AES-NI instruction set.  (It will also have 4 physical cores instead 
of the i3's dual cores with hyperthreading.)


Unfortunately the motherboards I plan to buy support only the 
above-mentioned CPUs.
I have another thread going where I discuss motherboard compatibility 
with pfSense. Should someone report that finally I could also use the 
other of the two boards (the one with the 1150 socket and the C222 
chipset), I could use different CPUs:

- Pentium
- 4th generation core i3
- Xeon E3-1200 v3

In this case I could go for the i3, since it supports AES-NI.

But I do not expect that the C222 board will be compatible, so I most 
likely will have to stick with the CPUs mentioned above. Which one would 
you pick of those?


If you look around online, you will find almost universal agreement 
that AES-NI significantly improves VPN speed.  This also means that 
even if you aren't maxing out the VPN's capacity, you will still be 
saving processor cycles for doing the other stuff that the machine 
needs to do.


There is this one thing I want to learn:
AES-NI helps lowering CPU load for encryption/decryption tasks, sure. 
But what happens if the CPU is not under full load? Will there still be 
an advantage then, i.e. because the CPU can perform the de/encryption 
*faster* when having AES-NI support, so that the VPN latency might be 
reduced, so that e.g. VoIP-over-VPN would improve? Or is it the case 
that there is no difference, as long as the CPU is not under full load, 
because all that AES-NI does is allow the CPU to compute with fewer 
resources?


Thank you for your time!

Thinker Rix
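The question in the message above (does AES-NI only lower CPU load, or does it also shorten each encryption and so the VPN's latency?) is one you can measure rather than argue. What follows is an added example, not code from this thread, from pfSense or from OpenSSL: it runs `openssl speed` twice on 16-byte blocks, once normally and once with the AES-NI capability masked off through OpenSSL's `OPENSSL_ia32cap` environment variable, and converts the reported throughput into nanoseconds per AES block. A packet is encrypted block by block on one core, so the per-block time is the per-packet cost, and it drops with AES-NI whether or not the CPU is otherwise busy. The cipher (aes-256-cbc), the one-second run length and the 16-byte block size are choices made here; the mask value `~0x200000000000000` clears the AES-NI bit in OpenSSL's capability vector, and the CPU-flag check looks at `/proc/cpuinfo` on Linux and at the `Features2` line of `/var/run/dmesg.boot` on FreeBSD (which is what pfSense runs).

```python
#!/usr/bin/env python3
"""Measure AES-256-CBC cost per block with and without AES-NI via `openssl speed`.

Added example for the list thread; not pfSense code. Assumes an `openssl`
binary on PATH whose `speed` command accepts -evp, -seconds and -bytes
(OpenSSL 1.1.0 and later).
"""
import os
import re
import subprocess
import sys

CIPHER = "aes-256-cbc"      # assumption: the cipher your VPN is configured for
BLOCK_BYTES = 16            # one AES block, the smallest size openssl speed reports
# OPENSSL_ia32cap bit 57 (CPUID.1:ECX bit 25) is AES-NI; a leading "~" clears bits.
NO_AESNI_MASK = "~0x200000000000000"


def have_aesni_flag():
    """True/False if the OS exposes the CPU flag, None if neither file is readable.

    Linux lists 'aes' on the flags line of /proc/cpuinfo; FreeBSD (and so
    pfSense) prints AESNI in the Features2 line of the boot messages.
    """
    checks = (("/proc/cpuinfo", r"^flags\s*:.*\baes\b"),
              ("/var/run/dmesg.boot", r"Features2=.*\bAESNI\b"))
    for path, pattern in checks:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return re.search(pattern, fh.read(), re.M) is not None
        except OSError:
            continue
    return None


def parse_speed_kbps(output, cipher=CIPHER):
    """Return the first throughput column (1000s of bytes/s) from `openssl speed` output.

    The result line looks like 'aes-256-cbc     585489.41k' (OpenSSL 1.1) or
    'AES-256-CBC     585489.41k' (OpenSSL 3.x); header and 'Doing ...' lines are skipped.
    """
    pattern = re.compile(r"^%s\s+([0-9.]+)k" % re.escape(cipher), re.I | re.M)
    match = pattern.search(output)
    if not match:
        raise ValueError("no result line for %s in openssl speed output" % cipher)
    return float(match.group(1))


def per_block_ns(kbps, block_bytes=BLOCK_BYTES):
    """Convert throughput in 1000s of bytes per second into nanoseconds per block."""
    return block_bytes * 1e9 / (kbps * 1000.0)


def run_speed(disable_aesni, seconds=1):
    """Run `openssl speed` on BLOCK_BYTES-sized blocks and return throughput in kB/s."""
    env = dict(os.environ)
    if disable_aesni:
        env["OPENSSL_ia32cap"] = NO_AESNI_MASK   # only affects this OpenSSL process
    cmd = ["openssl", "speed", "-evp", CIPHER,
           "-seconds", str(seconds), "-bytes", str(BLOCK_BYTES)]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return parse_speed_kbps(proc.stdout)


def main():
    print("CPU advertises AES-NI:", have_aesni_flag())
    with_ni = run_speed(disable_aesni=False)
    without_ni = run_speed(disable_aesni=True)
    for label, kbps in (("AES-NI on ", with_ni), ("AES-NI off", without_ni)):
        print("%s: %10.1f kB/s  %7.1f ns per %d-byte block"
              % (label, kbps, per_block_ns(kbps), BLOCK_BYTES))
    # The same ratio applies to throughput and to per-block latency.
    print("per-block latency ratio off/on: %.2fx" % (with_ni / without_ni))


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 aesni_latency.py` on the candidate box. One caveat when reading the numbers for a pfSense deployment: the mask only reaches OpenSSL in userland, so the comparison is exact for OpenVPN (which encrypts in userland with OpenSSL) but says nothing about the kernel IPsec path, which uses the aesni(4) driver and has to be checked with that module loaded or unloaded instead.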


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Eugen Leitl
On Thu, Oct 24, 2013 at 07:18:28PM -0500, Jim Thompson wrote:

 The topic has wandered away from pfSense. 

It is rather interesting though, so please don't kill that
thread just yet.


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Rainer Duffner
On Fri, 25 Oct 2013 10:08:14 +0200,
Eugen Leitl eu...@leitl.org wrote:

 On Thu, Oct 24, 2013 at 07:18:28PM -0500, Jim Thompson wrote:
 
  The topic has wandered away from pfSense. 
 
 It is rather interesting though, so please don't kill that
 thread just yet.


Indeed.
I'd like to add that AFAIK, for pure firewalling, single-thread
performance is most important as pf(4) is not yet multi-threaded.
FreeBSD 10 seems to change that, but it will be some time before it
shows up in a production pfSense image, I guess ;-)


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Matthias May



I will use a 802.11n router with 3 antennas that is able to operate
simultaneously in the 2,4 GHz and 5 GHz band, so it advertises up to
900Mbps (i.e. 450 Mbps in the 2,4 + 450 Mbps in the 5 GHz band) - I do
not know if it is able to use 80 MHz channels, but I read at wikipedia
that this is only available for the new 802.11ac generation and not for
the 11n that I own. Is that correct?


I suppose theoretically with 3 radios in the 2.4Ghz spectrum and 3 in 
the 5Ghz spectrum (so 6 radios total) you could potentially push 
higher speeds (possibly ~160Mbps total across both spectra).



Could I tweak an 11n to use 80 MHz channels, e.g. by using an
alternative firmware on the router such as dd-wrt?


I think with 3 radios, you could potentially use 60 MHz across 3 
channels, though you will need to be very careful (especially at 5 GHz) 
to make sure the frequencies you're using are legal - the 5 GHz 
spectrum is complicated - bands A B and C have different regulations 
and allowable power levels.



Not responding to all explanations here, there do seem to be some 
misunderstandings:

With .11n you either use HT20 or HT40 (20 MHz or 40 MHz wide channel).
You don't have multiple radios per card. You have multiple RF chains 
which each can carry their own spatial stream.
The number of antennas most often (but not necessarily) correlates with 
the number of RF chains you have internally.
You can have one spatial stream per chain. However multiple spatial 
streams only work if you are in an environment where reflections exist.
-- in a long-distance point-to-point link without reflections you can 
have only a single spatial stream, limiting the bandwidth to 150 Mbps 
(MCS7, SGI and HT40).
The additional antennas there only help the signal integrity (google 
Space-Time Block Code).
For a list of what bandwidth is to be expected with which settings see: 
http://mcsindex.com/
The claimed 450 Mbps of WLAN usually refers to MCS23 -- 3 spatial 
streams each with SGI and HT40.


So you have per radio (referring to a single WLAN card):
one center frequency (be it 2.4 or 5 GHz band)
multiple MCS indices which change with an algorithm (google wireless 
minstrel).
multiple bandwidths: 20 MHz or 40 MHz (with 11ac 80 MHz) which change with 
minstrel too


Depending on the link quality, the MCS index, the bandwidth and the guard 
interval change, controlled by minstrel.
The 450 Mbit are only possible when both sides (client and AP) have a 3x3 
radio (3 receive chains, 3 transmit chains), there are enough 
reflections around for the spatial streams to be differentiated, and the 
signal strength of each stream is high enough that it can be decoded 
correctly (consumer market devices usually require a signal greater than 
-60 dBm).
If one side has only a 1x1 radio (usually the client), then you will be 
limited to 72.2/150 Mbps at MCS7.
I have yet to see a consumer-market device (besides the APs) actually 
containing a 3x3 radio (sometimes 2x2).


So yes there are quite many things which can limit your bandwidth to 
only 50-80Mbps, but they usually aren't a limitation of the 
hardware/software, but simply of a misunderstanding what is actually 
required to achieve higher bandwidths.

It's usually not the AP which is the problem, but the client.

Some real-world advice (which you probably already know):
Use two radios: one 2.4Ghz, one 5Ghz,
Use a frequency no-one uses if possible, allow HT40, allow SGI.
Minstrel will scale down to HT20 and no SGI when required.
There really isn't much more you can do other than using better hardware 
which costs remarkably more.


Regards
Matthias May

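The rates quoted in the message above (65/72.2/135/150 Mbps for MCS7, 450 Mbps for MCS23, and the drop to MCS7 when one side has a single chain) follow arithmetically from the 802.11n HT PHY parameters: 52 data subcarriers per 20 MHz channel and 108 per 40 MHz channel, a 3.2 µs OFDM symbol plus a 0.8 µs long or 0.4 µs short guard interval, one spatial stream per chain, and a modulation/coding pair fixed by the MCS index modulo 8. The calculator below is an added example, not code from the list or from mcsindex.com; it covers the equal-modulation MCS indices 0 to 31 (MCS 32 and the unequal-modulation indices 33 to 76 are left out) and assumes, as Matthias May states, that a link negotiates down to the smaller chain count of the two sides.

```python
#!/usr/bin/env python3
"""802.11n (HT) PHY data rate from MCS index, channel width and guard interval.

Added example for the list thread, not code from the list or from pfSense.
Parameters are those of the IEEE 802.11n HT PHY: 52 data subcarriers at
20 MHz, 108 at 40 MHz, 3.2 us symbol plus 0.8 us (long) or 0.4 us (short) GI.
"""
from fractions import Fraction

# MCS index mod 8 selects modulation and coding: (bits per subcarrier, coding rate)
_MOD_CODE = [
    (1, Fraction(1, 2)),  # MCS 0: BPSK 1/2
    (2, Fraction(1, 2)),  # MCS 1: QPSK 1/2
    (2, Fraction(3, 4)),  # MCS 2: QPSK 3/4
    (4, Fraction(1, 2)),  # MCS 3: 16-QAM 1/2
    (4, Fraction(3, 4)),  # MCS 4: 16-QAM 3/4
    (6, Fraction(2, 3)),  # MCS 5: 64-QAM 2/3
    (6, Fraction(3, 4)),  # MCS 6: 64-QAM 3/4
    (6, Fraction(5, 6)),  # MCS 7: 64-QAM 5/6
]
_DATA_SUBCARRIERS = {20: 52, 40: 108}                     # per channel width in MHz
_SYMBOL_US = Fraction(32, 10)                              # OFDM symbol without GI
_GI_US = {False: Fraction(8, 10), True: Fraction(4, 10)}   # long GI / short GI


def spatial_streams(mcs):
    """Number of spatial streams an equal-modulation MCS index uses."""
    return mcs // 8 + 1


def ht_rate_mbps(mcs, width_mhz=20, short_gi=False):
    """PHY rate in Mbit/s for equal-modulation HT MCS 0..31, rounded to 0.1."""
    if not 0 <= mcs <= 31:
        raise ValueError("equal-modulation HT MCS indices run 0..31")
    if width_mhz not in _DATA_SUBCARRIERS:
        raise ValueError("802.11n supports 20 or 40 MHz channels only")
    bits, code_rate = _MOD_CODE[mcs % 8]
    data_bits_per_symbol = (spatial_streams(mcs) * bits * code_rate
                            * _DATA_SUBCARRIERS[width_mhz])
    symbol_us = _SYMBOL_US + _GI_US[short_gi]
    # bits per microsecond == Mbit/s; Fractions keep 72.222... exact until rounding
    return round(float(data_bits_per_symbol / symbol_us), 1)


def best_mcs(ap_chains, client_chains):
    """Highest MCS both ends can run: min(chains) streams at 64-QAM 5/6."""
    n_ss = min(ap_chains, client_chains, 4)
    return 8 * (n_ss - 1) + 7


def link_rate_mbps(ap_chains, client_chains, width_mhz=40, short_gi=True):
    """Best-case link rate, limited by the side with fewer RF chains."""
    return ht_rate_mbps(best_mcs(ap_chains, client_chains), width_mhz, short_gi)


def mcs_table(width_mhz, short_gi):
    """Rows of (mcs, streams, Mbit/s), i.e. one column of the mcsindex.com table."""
    return [(m, spatial_streams(m), ht_rate_mbps(m, width_mhz, short_gi))
            for m in range(32)]


if __name__ == "__main__":
    for ap, client in ((3, 3), (3, 2), (3, 1)):
        print("AP %dx%d, client %dx%d, HT40 short GI: %5.1f Mbps (MCS%d)"
              % (ap, ap, client, client, link_rate_mbps(ap, client),
                 best_mcs(ap, client)))
    print("MCS7 HT20: %.1f long GI, %.1f short GI Mbps"
          % (ht_rate_mbps(7), ht_rate_mbps(7, 20, True)))
```

The numbers are PHY rates, which is what the "450 Mbps" on the box means; usable TCP throughput sits well below them because of preamble, ACKs, contention and rate fallback under minstrel, so the calculator is best read as an upper bound for a given client/AP pairing.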


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Thinker Rix

Hello Matthias,

Thank you for your time!

On 2013-10-25 12:45, Matthias May wrote:



I will use a 802.11n router with 3 antennas that is able to operate
simultaneously in the 2,4 GHz and 5 GHz band, so it advertises up to
900Mbps (i.e. 450 Mbps in the 2,4 + 450 Mbps in the 5 GHz band) - I do
not know if it is able to use 80 MHz channels, but I read at wikipedia
that this is only available for the new 802.11ac generation and not for
the 11n that I own. Is that correct?


I suppose theoretically with 3 radios in the 2.4Ghz spectrum and 3 in 
the 5Ghz spectrum (so 6 radios total) you could potentially push 
higher speeds (possibly ~160Mbps total across both spectra).



Could I tweak an 11n to use 80 MHz channels, e.g. by using an
alternative firmware on the router such as dd-wrt?


I think with 3 radios, you could potentially use 60 MHz across 3 
channels, though you will need to be very careful (especially at 
5 GHz) to make sure the frequencies you're using are legal - the 5 GHz 
spectrum is complicated - bands A B and C have different regulations 
and allowable power levels.



Not responding to all explanations here, there do seem to be some 
misunderstandings:

With .11n you either use HT20 or HT40 (20 MHz or 40 MHz wide channel).


Ok, that confirms what I read on wikipedia: 80 MHz comes with 802.11ac 
only.


You don't have multiple radios per card. You have multiple RF-chains 
which each can carry their own spatial stream.
The number of antennas most often (but not necessarily) correlate with 
the number of RF-chains you have internally.


Yes, as far as I know, each RF-chain of N-draft is 150 Mbps, so a 
router/AP that is advertised as 450Mbps and that comes with 3 antennas, 
should have 3 RF-chains, isn't it?
In contrast to that I have seen some routers with 3 antennas but only 
300Mbps, so they seem to have only 2 RF-chains but for some reason come 
with 3 antennas.



You can have one spatial stream per chain.


What exactly is a spatial stream and how do I initiate it?

However multiple spatial streams only work if you are in an 
environment where reflections exist.


.. such as a WLAN inside a normal building, right?

-- in a long-distance point-to-point link without reflections you can 
have only a single spatial stream, limiting the bandwidth to 150Mbps 
(MCS7, SGI and HT40).
The additional Antennas there only help the signal integrity (google 
Space-Time-Block-Code).
For a list of what bandwidth is to be expected with which settings 
see: http://mcsindex.com/
The claimed 450Mbps of WLAN usually refers to MCS23 -- 3 spatial 
streams each with SGI and HT40.


I do not understand this section and the table at mcsindex.com, since my 
knowledge of WLAN seems to be too limited. Could you give me some 
kick-off help to understand what and how I need to set my AP/router so 
to achieve the highest bandwidth possible (i.e. as close to the 
advertised 450 Mbps per band as possible)?



So you have per radio (referring to a single WLAN card):
one center frequency (be it 2.4 or 5 GHz band)
multiple MCS indices which change with an algorithm (google wireless 
minstrel).
multiple bandwidths: 20 MHz or 40 MHz (with 11ac 80 MHz) which change 
with minstrel too


Depending on the link quality, the MCS index, the bandwidth and the 
guard interval change, controlled by minstrel.


Ok, I will experiment with minstrel!

The 450Mbit are only possible when both sides (client and AP) have a 
3x3 radio (3 receive chains, 3 transmit chains),


I will be using such clients so I guess I comply with those requirements...

... there are enough reflections around for the spatial streams to be 
differentiated,


... the WLAN will be inside a normal office building with solid brick 
walls and drywalls; is that what is needed to get those reflections, or 
am I misunderstanding something? ...


.. the signal strength of each stream is high enough that it can be 
decoded correctly (consumer market devices usually require a signal 
greater than -60dBm.)


... the AP will be located in a closed room at the center of the floor 
of the building that I want to provide with WLAN. The clients will be 
arranged circularly around the AP in distances of 3-15 meters each, with 
an average of approx 5 meters.


Do you think that this setup will be able to approximate the 450 Mbps or 
will I need to take additional measures?


If one side has only a 1x1 radio (usually the client), then you will 
be limited to 72.2/150Mbps at MCS7.
I have yet to see a consumer-market device (besides the APs) actually 
containing a 3x3 radio (sometimes 2x2).


How about:
http://www.tp-link.com/us/products/details/?model=TL-WDN4800
http://www.intel.com/content/www/us/en/wireless-products/ultimate-n-wifi-link-5300-brief.html
Aren't those such 3x3 radio interfaces that you meant?



So yes there are quite many things which can limit your bandwidth to 
only 50-80Mbps, but they usually aren't a limitation of the 
hardware/software, but simply of a misunderstanding what 

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Matthias May

On 25/10/13 13:56, Thinker Rix wrote:


You don't have multiple radios per card. You have multiple RF-chains 
which each can carry their own spatial stream.
The number of antennas most often (but not necessarily) correlate 
with the number of RF-chains you have internally.


Yes, as far as I know, each RF-chain of N-draft is 150 Mbps, so a 
router/AP that is advertised as 450Mbps and that comes with 3 
antennas, should have 3 RF-chains, isn't it?
In contrast to that I have seen some routers with 3 antennas but only 
300Mbps, so they seem to have only 2 RF-chains but for some reason 
come with 3 antennas.

Yes.
Some manufacturers use a 2x2 radio and delay the signal of the 3rd 
antenna slightly (and feed the delayed signal to the second input). In 
complex reflecting environments this might improve the signal quality.





You can have one spatial stream per chain.


What exactly is a spatial stream and how do I initiate it?

http://en.wikipedia.org/wiki/Spatial_multiplexing
http://en.wikipedia.org/wiki/Transfer_function
You calculate the transfer function of the space the signal traverses 
and multiply the inverse function with the received signal.
Since different spatial streams take different physical paths you get 
different transfer functions and thus can calculate multiple distinct 
signals out of the received signal in the timedomain.




However multiple spatial streams only work if you are in an 
environment where reflections exist.


.. such as a WLAN inside a normal building, right?

Yes.



-- in a long-distance point-to-point link without reflections you 
can have only a single spatial stream, limiting the bandwidth to 
150Mbps (MCS7, SGI and HT40).
The additional Antennas there only help the signal integrity (google 
Space-Time-Block-Code).
For a list of what bandwidth is to be expected with which settings 
see: http://mcsindex.com/
The claimed 450Mbps of WLAN usually refers to MCS23 -- 3 spatial 
streams each with SGI and HT40.


I do not understand this section and the table at mscindex.com, since 
my knowledge of WLAN seems to be too limited. Could you give me some 
kick-off help to understand what and how I need to set my AP/router so 
to achieve the highest bandwidth possible (i.e. as close to the 
advertised 450 Mbps per band, as possible)?

This really depends on the router you are using.
Most consumer-grade routers don't allow you to adjust these values.
If you have one where you can change this stuff:
The MCS index is usually what you can influence.
MCS 0-7 define a single spatial stream.
MCS 8-15 define two spatial streams.
etc...
If you want reliable connections it often makes sense to fix the MCS 
index and not allow it to be changed by minstrel.





So you have per radio (referring to a single WLAN-card):
one center-frequency (be it 2.4 or 5 GHz band)
multiple MCS-indices which change with an algorithm (google wireless 
minstrel).
multiple bandwidths: 20 MHz or 40 MHz (with 11ac 80 MHz) which change 
with minstrel too


Depending on the link quality the MCS index, the bandwidth and the 
guard interval change controlled by minstrel.


Ok, I will experiment with minstrel!

If you are interested in some background:
These are good starting points:
http://ecs.victoria.ac.nz/foswiki/pub/Courses/NWEN403_2013T1/LectureSchedule/Minstrel_slides.pdf
https://internetnz.net.nz/system/files/pages/2013/icc_13_final.pdf



The 450Mbit are only possible when both sides (client and AP) have a 
3x3 radio (3 receive chains, 3 transmit chains),


I will be using such clients so I guess I comply with that 
requirements...


... there are enough reflections around for the spatial streams to be 
differentiated,


... the WLAN will be inside a normal office building with solid brick 
walls and drywalls; is that what is needed to get those reflections, 
or am I misunderstanding something? ...

Yes, as long as stuff is around you get reflections.



.. the signal strength of each stream is high enough that it can be 
decoded correctly (consumer market devices usually require a signal 
greater than -60dBm.)


... the AP will be located in a closed room at the center of the floor 
of the building that I want to provide with WLAN. The clients will be 
arranged circularly around the AP in distances of 3-15 meters each, 
with an average of approx 5 meters.


Do you think that this setup will be able to approximate the 450 Mbps 
or will I need to take additional measures?
To calculate the distance you always start at an attenuation of 20dB and 
for 2.4 GHz a distance of about 12cm, for 5 GHz about 6cm.

Double the distance, add 6dB to the attenuation. So:
25cm: 26 / 32
50cm: 32 / 38
1m: 38 / 44
2m: 44 / 50
4m: 50 / 56
8m: 56 / 62.
So already at 8m you go over the physically possible range to achieve 
the highest MCS indices.
Add some more dBi to the link budget from the txpower of the transmitter 
(above i calculated with txpower of 0 dBm) and the antennas, but at 
higher speeds you will not get more than around 
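
The MCS arithmetic behind the mcsindex.com table and the 6 dB-per-doubling 
distance rule used above, worked through in Python 3 (standard library only). 
This is an added example, not code from the thread or from pfSense. Two 
assumptions: the rule's reference distances are rounded to 12.5 cm (2.4 GHz) 
and 6.25 cm (5 GHz) so that the table above is reproduced exactly, and 
ht_rate_mbps covers only the equal-modulation HT MCS indices 0-31, which is 
all the thread talks about.

```python
from fractions import Fraction
import math

# Per-stream modulation for MCS 0-7; MCS 8-15, 16-23 and 24-31 repeat the
# same sequence with 2, 3 and 4 spatial streams.
# Tuple: (coded bits per subcarrier per symbol, coding rate)
_MODULATION = [
    (1, Fraction(1, 2)),  # MCS 0  BPSK    1/2
    (2, Fraction(1, 2)),  # MCS 1  QPSK    1/2
    (2, Fraction(3, 4)),  # MCS 2  QPSK    3/4
    (4, Fraction(1, 2)),  # MCS 3  16-QAM  1/2
    (4, Fraction(3, 4)),  # MCS 4  16-QAM  3/4
    (6, Fraction(2, 3)),  # MCS 5  64-QAM  2/3
    (6, Fraction(3, 4)),  # MCS 6  64-QAM  3/4
    (6, Fraction(5, 6)),  # MCS 7  64-QAM  5/6
]
_DATA_SUBCARRIERS = {20: 52, 40: 108}                       # HT20, HT40
_SYMBOL_US = {False: Fraction(4), True: Fraction(36, 10)}   # long GI 4.0 us, short GI 3.6 us


def ht_rate_mbps(mcs, bandwidth_mhz=20, short_gi=False):
    """PHY data rate in Mbit/s of an 802.11n equal-modulation MCS (0-31)."""
    if not 0 <= mcs <= 31:
        raise ValueError("equal-modulation HT MCS indices are 0-31")
    streams = mcs // 8 + 1
    bits, coding_rate = _MODULATION[mcs % 8]
    bits_per_symbol = streams * bits * coding_rate * _DATA_SUBCARRIERS[bandwidth_mhz]
    return float(bits_per_symbol / _SYMBOL_US[short_gi])


# Rule of thumb from the thread: about 20 dB at a reference distance of
# roughly 12 cm (2.4 GHz) or 6 cm (5 GHz), then +6 dB per doubling of the
# distance (the free-space 1/d^2 law). Reference distances rounded to
# 12.5 cm / 6.25 cm (assumption) so the thread's table comes out exactly.
_REF_DISTANCE_M = {2.4: 0.125, 5.0: 0.0625}


def path_loss_db(distance_m, band_ghz=2.4):
    """Attenuation in dB: 20 dB at the reference distance, +6 dB per doubling."""
    ref = _REF_DISTANCE_M[band_ghz]
    if distance_m < ref:
        raise ValueError("rule of thumb only applies beyond the reference distance")
    return 20.0 + 6.0 * math.log2(distance_m / ref)


def rssi_dbm(distance_m, band_ghz=2.4, tx_power_dbm=0.0, antenna_gain_dbi=0.0):
    """Received level = tx power + antenna gain - path loss.
    Defaults reproduce the thread's 0 dBm, 0 dBi budget."""
    return tx_power_dbm + antenna_gain_dbi - path_loss_db(distance_m, band_ghz)


def link_ok(distance_m, band_ghz=2.4, tx_power_dbm=0.0, antenna_gain_dbi=0.0,
            floor_dbm=-60.0):
    """True if the received level clears the -60 dBm floor the thread cites
    for consumer devices to decode the highest MCS indices."""
    return rssi_dbm(distance_m, band_ghz, tx_power_dbm, antenna_gain_dbi) >= floor_dbm


if __name__ == "__main__":
    for mcs in (7, 15, 23):
        print(f"MCS{mcs:<3} HT20/LGI {ht_rate_mbps(mcs):6.1f}"
              f"  HT40/SGI {ht_rate_mbps(mcs, 40, True):6.1f} Mbit/s")
    for d in (0.25, 0.5, 1, 2, 4, 8):
        print(f"{d:>5} m  loss {path_loss_db(d, 2.4):.0f} / {path_loss_db(d, 5.0):.0f} dB"
              f"  5 GHz usable at 0 dBm: {link_ok(d, 5.0)}")
```

With the defaults this prints the same 26/32 ... 56/62 column pairs as the 
table above, 150 Mbit/s for MCS7 and 450 Mbit/s for MCS23 at HT40/SGI, and 
shows the 5 GHz link dropping below -60 dBm at 8 m unless tx power or antenna 
gain is added to the budget.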

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall

On 24/10/13 5:30 pm, Thinker Rix wrote:

I want to have:
- full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x
Gigabit at max)


Would have thought you'd be fine here.


- full 450Mbps between the WLAN and pfsense


Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps 
out of your WLAN. Not a pfSense limitation, just a reality of WLAN 
claimed radio speeds. I generally expect to see ~55-65Mbps out of 2x2 
radios, so ~80Mbps out of 3x3 is probably realistic.


Unless you're in a really isolated area, using an 80 MHz channel (which 
is what you'd need for 450Mbps radio speed) will slaughter spectrum 
availability for your neighbours. Short of really needing that speed, 
try to stick with 20 MHz channels where possible. And if you're in a very 
congested WiFi area, you may even get better speeds out of 20 MHz (much 
easier to find one free 20 MHz channel than a free 80 MHz channel).



- maximal VPN speed without speed break due to hardware limitations,
i.e. as near to wire speed as possible


Depends on your choice of crypto algorithm and whether you can do it in 
hardware.



1. Would the Core2Duo CPU be sufficient for my requirements or should I
choose the 2,4 GHz Quad-core, the 2,89 GHz-Quad-core or maybe an even
more powerful CPU or totally different setup?


When I was deploying a Quagga-based BGP setup in a datacentre a couple 
of years ago, the general consensus was that cores are more important 
than raw clock speed - so 4x2.4 GHz is better than 2x3.4 GHz - at least 
when using multiple interfaces. This was, however, with Linux hosts. One 
of the nice things about those Intel server cards is the ability to lock 
NIC affinity to CPUs/cores, so you can effectively task a core to one or 
more NIC ports.


Hopefully others will chime in as to whether the same is true with 
FreeBSD - I seem to recall there were SMP/multi-core efficiency issues 
with earlier FreeBSD versions - hopefully those have been ironed out by now.



2. Is there any other bottle neck that will prevent my performance
requirements?


Bonding is not a guarantee of doubled speeds. In my experience, bonding 
2 gigabit NICs will generally yield around 1.2-1.4Gbps raw throughput. 
You are very unlikely to get 2Gbps. Bonding is more about redundancy 
(failover) than throughput at this level. If you really need 1Gbps, 
you're going to have to consider 10GE kit.



3. When bonding the NICs, I was planning to use a port on each of the
PCIe cards so to have a little bit of redundancy should an expansion
card fail. Will there be significant performance losses due to this
spread over 2 expansion cards, so that it would be much better to bond
two NICs that live on the same expansion card and forget about the
additional redundancy?


No, I agree that bonding 2 ports on separate cards is the best option.

You're already thinking redundancy with the multiple NIC considerations, 
but in my experience, NICs don't really fail that often - at least not 
compared to fans, power supplies and other PC components. Consider 
whether a 2x pfSense cluster in CARP might be more to your needs if 
redundancy/failover is a critical requirement.


Looking at your hardware again, you've specced 12 NICs, but from what I 
can see from your config, you only need 8 (2 VDSL ports, 2 bonded ports 
for LAN, 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN).



4x on-board Realtek 8111C Gigabit NICs


Personally I'd spec a board that has Intel or Broadcom NICs - the 
Realtek ones are just rubbish by comparison. There are no shortage of 
boards with 2 Intel NICs on them these days. look at some of the 
Intel-manufactured boards rather than third parties - they nearly always 
have Intel NICs. A few years back I used lots of DG965RY boards (Intel 
NIC, onboard video, so ideal for server environments).



PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA
disks RAID5


Given pfSense uses 1GB of space, why? A little SSD on the chipset's native 
SATA controller should be fine (see above, use CARP for redundancy).


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Jim Thompson

On Oct 24, 2013, at 12:02 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

 On 24/10/13 5:30 pm, Thinker Rix wrote:
 I want to have:
 - full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x
 Gigabit at max)
 
 Would have thought you'd be fine here.
 
 - full 450Mbps between the WLAN and pfsense
 
 Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps out of 
 your WLAN. Not a pfSense limitation, just a reality of WLAN claimed radio 
 speeds. I generally expect to see ~55-65Mbps out of 2x2 radios, so ~80Mbps 
 out of 3x3 is probably realistic.

depends on your RF environment and channel orthogonality. 
 
 Unless you're in a really isolated area, using an 80Mhz channel (which is 
 what you'd need for 450Mbps radio speed) will slaughter spectrum availability 
 for your neighbours. Short of really needing that speed, try to stick with 
 20Mhz channels where possible. And if you're in a very congested WiFi area, 
 you may even get better speeds out of 20Mhz (much easier to find one free 
 20Mhz channel than a free 80Mhz channel).
 
 - maximal VPN speed without speed break due to hardware limitations,
 i.e. as near to wire speed as possible
 
 Depends on your choice of crypto algorithm and whether you can do it in 
 hardware.

I’d recommend for a CPU that supports AES-NI, even if the FreeBSD support for 
same turns out to be lagging.

‘wire speed’ would need to be defined.   I do know of boxes that will run at 
25Gbps.

As the guy at the hot rod shop told me 30 years ago, “Speed costs money son.  
How fast do you want to go?”

 1. Would the Core2Duo CPU be sufficient for my requirements or should I
 choose the 2,4 GHz Quad-core, the 2,89 GHz-Quad-core or maybe an even
 more powerful CPU or totally different setup?
 
 When I was deploying a Quagga-based BGP setup in a datacentre a couple of 
 years ago, the general consensus was that cores are more important than raw 
 clock speed - so 4x2.4 GHz is better than 2x3.4 GHz - at least when using 
 multiple interfaces.

That’s not what I’d have guessed.

If your application load is single-threaded (or a single process), then clock 
speed will win every time.
If your application (load) can be broken down into pieces that execute in 
parallel, then cores will be a win.

You’ve not specified the problem well enough to discuss.

An AS with internal BGP (iBGP) must have all of its iBGP peers connect to each 
other in a full mesh (where everyone speaks to everyone directly). This 
full-mesh configuration requires that each router maintain a session to every 
other router. In large networks, this number of sessions may degrade 
performance of routers, due to either a lack of memory, or too much CPU process 
requirements.   There will also need to be some serious consideration on the 
reliability of the network, and its constituent part(s).   

If those wireless links are for exterior paths, and not simply 802.11 LANs, 
then you’re in for a huge amount of trouble, as wireless isn’t reliable.  At 
all.

 This was, however, with Linux hosts. One of the nice things about those Intel 
 server cards is the ability to lock NIC affinity to CPUs/cores, so you can 
 effectively task a core to one or more NIC ports.

But that would require completely re-architecting the application(s).

 
 Hopefully others will chime in as to whether the same is true with FreeBSD - 
 I seem to recall there were SMP/multi-core efficiency issues with earlier 
 FreeBSD versions - hopefully those have been ironed out by now.
 
 2. Is there any other bottle neck that will prevent my performance
 requirements?
 
 Bonding is not a guarantee of doubled speeds. In my experience, bonding 2 
 gigabit NICs will generally yield around 1.2-1.4Gbps raw throughput. You are 
 very unlikely to get 2Gbps. Bonding is more about redundancy (failover) than 
 throughput at this level. If you really need 1Gbps, you're going to have to 
 consider 10GE kit.
 
 3. When bonding the NICs, I was planning to use a port on each of the
 PCIe cards so to have a little bit of redundancy should an expansion
 card fail. Will there be significant performance losses due to this
 spread over 2 expansion cards, so that it would be much better to bond
 two NICs that live on the same expansion card and forget about the
 additional redundancy?
 
 No, I agree that bonding 2 ports on separate cards is the best option.
 
 You're already thinking redundancy with the multiple NIC considerations, but 
 in my experience, NICs don't really fail that often - at least not compared 
 to fans, power supplies and other PC components. Consider whether a 2x 
 pfSense cluster in CARP might be more to your needs if redundancy/failover is 
 a critical requirement.
 
 Looking at your hardware again, you've specced 12 NICs, but from what I can 
 see from your config, you only need 8 (2 VDSL ports, 2 bonded ports for LAN, 
 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN).
 
 4x on-board Realtek 8111C Gigabit NICs
 
 Personally 

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Adam Thompson

On 13-10-24 12:49 PM, Jim Thompson wrote:
If those wireless links are for exterior paths, and not simply 802.11 
LANs, then you’re in for a huge amount of trouble, as wireless isn’t 
reliable.  At all.


I have to disagree, at least partially.  In the wireless world, 
reliability costs!


Wireless reliability also depends heavily on the specific environment 
you're running it in, and the quality of link engineering that went into 
each installation.
Also making a big difference is whether it's point-to-point (dedicated) 
or point-to-multipoint (typical for WISPs), or multipoint-to-multipoint 
(omnidirectional broadcast, i.e. mesh).


I have a 68' tower in my back yard anchored into 80 cubic feet of 
concrete with fairly cheap Ubiquiti 2.4 GHz gear up top, running 
point-to-point using directional (closed parabolic dish) antennas at 
both ends (2' my end, 3' far end).
With this setup, I have yet to experience any (non-self-inflicted) 
outages.  I do notice that available channel throughput varies from 
~18Mbps to ~30Mbps depending on RF and atmospheric conditions, although 
latency stays low at around 1msec.
If I upgraded to a better-quality unit, or switched to licensed 
spectrum, I could probably eliminate the variability and increase speed 
simultaneously.  I'm told to expect intermittent service in the case of 
a whiteout (blizzard), which hasn't happened yet.


Within the Ubiquiti line, the AirFiber apparently would get me to 
~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still 
using unlicensed spectrum, using the built-in directional antennas.


Of course, my personal link is only 6.8km long - not exactly a 
worst-case scenario.


I also used Dragonwave (5GHz, licensed) equipment mounted on cell towers 
to cover ~500,000 square kilometers at speeds of up to 800Mbps on links 
of up to 60km, and the only failures or outages we had on a regular 
basis were power-related.  (Yes, some of the radios failed over time.  
Cisco switches failed about four times as often, in the hostile and 
lightning-prone environment we were running in.) We did experience some 
link flapping during a severe ice storm, because the ice was forming on 
some of the dishes faster than the RF power and/or heater could melt 
it.  Turns out even Dragonwave radios can't transmit or receive very 
well through solid water :-).


Rough rule of thumb boils down to:

1. If you aren't spending at least $5000 per link, then wireless 
will be noticeably unreliable.


2. Point-to-point (dedicated) is always more reliable than 
point-to-multipoint (shared).


3. WiFi (802.11) equipment pretty much always sucks.


If you're spending enough money, wireless can be made more reliable than 
copper or fiber (but not necessarily faster).  We weren't spending quite 
that much money, but our Dragonwave radio links were still 99.99+% 
reliable as a rule.


Dragonwave and Alvarion(?) radios are considered to be the cream of the 
crop; telcos regularly use them for backhaul in areas where it's too 
expensive or difficult to trench cable.  I do not have personal 
experience with Alvarion, but I can unreservedly recommend Dragonwave.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Moshe Katz
On Thu, Oct 24, 2013 at 1:02 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

 On 24/10/13 5:30 pm, Thinker Rix wrote:


 1. Would the Core2Duo CPU be sufficient for my requirements or should I
 choose the 2,4 GHz Quad-core, the 2,89 GHz-Quad-core or maybe an even
 more powerful CPU or totally different setup?


 When I was deploying a Quagga-based BGP setup in a datacentre a couple of
 years ago, the general consensus was that cores are more important than raw
 clock speed - so 4x2.4 GHz is better than 2x3.4 GHz - at least when using
 multiple interfaces. This was, however, with Linux hosts. One of the nice
 things about those Intel server cards is the ability to lock NIC affinity
 to CPUs/cores, so you can effectively task a core to one or more NIC ports.


If it's true that the number of cores is so important, why not an AMD
FX-series (Bulldozer or Piledriver) 8-core chip?  The Bulldozer chips are
particularly inexpensive right now (possibly even cheaper than a Core 2
Duo/Quad - unless you already happen to have one lying around), and this
sounds like a case where they should be more than adequate for your needs.
 They include the AES instruction set AES-NI, which might make a
significant difference for your VPN traffic (depending on what encryption
algorithm you choose and if the binaries were compiled with AES-NI support).

This doesn't *exactly* help, but there's a thread from February 2012 on the
FreeBSD forums showing that a quad-core Xeon will easily route 800 Mbps
(100Mpps) with very low load averages.  See
http://forums.freebsd.org/showpost.php?s=5cf37ee89e50d395317ec0d0555378d5p=167391postcount=6
for details.  Since you want to do VPN, you'll likely need a lot more power for
the encryption stuff, but I would think that the processing power required
for the routing itself should scale somewhat linearly.


 Hopefully others will chime in as to whether the same is true with FreeBSD
 - I seem to recall there were SMP/multi-core efficiency issues with earlier
 FreeBSD versions - hopefully those have been ironed out by now.


This may help, from the FreeBSD release notes:

 Symmetric multi-processor (SMP) systems are generally supported by
 FreeBSD, although in some cases, BIOS or motherboard bugs may generate some
 problems. Perusal of the archives of the FreeBSD symmetric
 multiprocessing mailing list
 (http://lists.freebsd.org/mailman/listinfo/freebsd-smp) may
 yield some clues.




 4x on-board Realtek 8111C Gigabit NICs


 Personally I'd spec a board that has Intel or Broadcom NICs - the Realtek
 ones are just rubbish by comparison. There are no shortage of boards with 2
 Intel NICs on them these days. look at some of the Intel-manufactured
 boards rather than third parties - they nearly always have Intel NICs. A
 few years back I used lots of DG965RY boards (Intel NIC, onboard video, so
 ideal for server environments).


I'm going to second this one - stay away from Realtek NICs for real work
(though if you go with AMD as I mentioned above, you'll likely be Broadcom
onboard, not Intel, and you will have a hard time finding AMD boards with
more than two onboard NICs).

I hope that helps (at least a little).

Moshe


--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Thinker Rix

Hi Chris,

thank you for your time!

On 2013-10-24 20:02, Chris Bagnall wrote:

- full 450Mbps between the WLAN and pfsense

Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps 
out of your WLAN. Not a pfSense limitation, just a reality of WLAN 
claimed radio speeds. I generally expect to see ~55-65Mbps out of 2x2 
radios, so ~80Mbps out of 3x3 is probably realistic.




Ok, I see. Does this change with a router that has a Gigabit-NIC to 
connect with pfSense, or isn't that the bottle neck?


Unless you're in a really isolated area, using an 80 MHz channel (which 
is what you'd need for 450Mbps radio speed) will slaughter spectrum 
availability for your neighbours. Short of really needing that speed, 
try to stick with 20 MHz channels where possible. And if you're in a 
very congested WiFi area, you may even get better speeds out of 20 MHz 
(much easier to find one free 20 MHz channel than a free 80 MHz channel).


I will use a 802.11n router with 3 antennas that is able to operate 
simultaneously in the 2,4 GHz and 5 GHz band, so it advertises up to 
900Mbps (i.e. 450 Mbps in the 2,4 + 450 Mbps in the 5 GHz band) - I do 
not know if it is able to use 80 MHz channels, but I read at wikipedia 
that this is only available for the new 802.11ac generation and not for 
the 11n that I own. Is that correct?
Could I tweak an 11n to use 80 MHz channels, e.g. by using an 
alternative firmware on the router such as dd-wrt?
The premises that the router will be installed are indeed quite remote 
and when I did a brief check with a mobile device, it did not detect any 
WLANs at all.





- maximal VPN speed without speed break due to hardware limitations,
i.e. as near to wire speed as possible


Depends on your choice of crypto algorithm and whether you can do it 
in hardware.


The CPU/Motherboard combination available (see above) unfortunately does 
not support any hardware encryption CPU-commands, so it will be done 
entirely software based. I was thinking about AES - although the book of 
Christopher and Jim says that Blowfish and CAST would be better choices 
for non-hardware accelerated cryptography - due to the fact that I am 
more familiar with it and do not know much (Blowfish) or anything (CAST) 
about the others. Do you have any advice on this one?





1. Would the Core2Duo CPU be sufficient for my requirements or should I
choose the 2,4 GHz Quad-core, the 2,89 GHz-Quad-core or maybe an even
more powerful CPU or totally different setup?


When I was deploying a Quagga-based BGP setup in a datacentre a couple 
of years ago, the general consensus was that cores are more important 
than raw clock speed - so 4x2.4 GHz is better than 2x3.4 GHz - at least 
when using multiple interfaces. This was, however, with Linux hosts. 
One of the nice things about those Intel server cards is the ability 
to lock NIC affinity to CPUs/cores, so you can effectively task a core 
to one or more NIC ports.


Hopefully others will chime in as to whether the same is true with 
FreeBSD - I seem to recall there were SMP/multi-core efficiency issues 
with earlier FreeBSD versions - hopefully those have been ironed out 
by now.




Ok, but which of the 3 CPUs that I have at my disposal would you chose 
so to meet my requirements?



2. Is there any other bottle neck that will prevent my performance
requirements?


Bonding is not a guarantee of doubled speeds. In my experience, 
bonding 2 gigabit NICs will generally yield around 1.2-1.4Gbps raw 
throughput. You are very unlikely to get 2Gbps. Bonding is more about 
redundancy (failover) than throughput at this level. If you really 
need 1Gbps, you're going to have to consider 10GE kit.


10Gbps unfortunately is totally out of financial scope for this project 
- and I guess it would be an overkill, too. I have to stick with the 
hardware listed above.
The reason I was thinking about bonding is to add an additional 
channel between LAN - DMZ.

Let me explain what traffic is expected:

WAN - DMZ:
- Access to a Webserver in the DMZ
- Access to a FTP-Server in the DMZ with a lot of bulk traffic, 
transferring very big files for very long time and possibly with 
concurrent users (i.e. using all the 2x 10Mbps upload bandwidth for many 
hours permanently; saying that: is FTP via dual WAN possible in the mean 
time or is there still the restriction of using only one uplink?!)

- A VoIP PBX that routes up to 5 concurrent phonecalls between WAN and LAN

LAN - DMZ:
- Many times per day a lot of bulk FTP traffic initiated by clients in 
the LAN who are connected with gigabit NICs.


I want to work with VLANs and QoS so that the normal traffic and VoIP 
traffic will be prioritized as much as possible above the bulk FTP 
traffic, but my idea was that I might increase chances of not jamming 
the line for normal web browsing or get VoIP latency problems by adding 
a second channel in the bond between DMZ and LAN.


So to summarize: What I want to achieve is to be able to copy files from 

Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall

On 25/10/13 12:02 am, Thinker Rix wrote:

Ok, I see. Does this change with a router that has a Gigabit-NIC to
connect with pfSense, or isn't that the bottle neck?


I've never encountered even a 100Mbps NIC being a wireless bottleneck at 
2.4 GHz. The limitation is effective throughput through the wireless 
radios. Granted, you can get well over 100Mbps using licensed 
frequencies, but in the unlicensed 2.4 and 5 GHz spectrum you are 
unlikely to get 100Mbps (you might just manage it in a rural area with 
no other nearby spectrum users).



I will use a 802.11n router with 3 antennas that is able to operate
simultaneously in the 2,4 GHz and 5 GHz band, so it advertises up to
900Mbps (i.e. 450 Mbps in the 2,4 + 450 Mbps in the 5 GHz band) - I do
not know if it is able to use 80 MHz channels, but I read at wikipedia
that this is only available for the new 802.11ac generation and not for
the 11n that I own. Is that correct?


I suppose theoretically with 3 radios in the 2.4 GHz spectrum and 3 in 
the 5 GHz spectrum (so 6 radios total) you could potentially push higher 
speeds (possibly ~160Mbps total across both spectra).



Could I tweak an 11n to use 80 MHz channels, e.g. by using an
alternative firmware on the router such as dd-wrt?


I think with 3 radios, you could potentially use 60 MHz across 3 
channels, though you will need to be very careful (especially at 5 GHz) 
to make sure the frequencies you're using are legal - the 5 GHz spectrum 
is complicated - bands A B and C have different regulations and 
allowable power levels.



Ok, but which of the 3 CPUs that I have at my disposal would you chose
so to meet my requirements?


Well, if you've all 3 at your disposal and nothing else to do with them, 
then go with the fastest (2.93 GHz quad-core). It is, however, probably 
overkill (not that that's always a bad thing).



is FTP via dual WAN possible in the mean
time or is there still the restriction of using only one uplink


You should be able to use both, though assuming your 2 VDSLs have 
separate external IPs, you'll need to perform something like DNS load 
balancing on the A/ records to ensure external connections are 
spread amongst both connections.



So my question is: Ok, 2x Gigabit != 2 Gigabit. But do you think that it
will yet help to contribute to my objective to add a second channel to a
bond so that there will be 2x Gigabit = 1 Gigabit for the user
transferring bulk traffic plus additional 0,2-0,4 Gigabit for additional
VoIP, browsing, etc., or is it senseless to do that this way?


QoS often falls down because the speed of the connection you want to 
perform QoS over fluctuates (often *DSL WAN links). On a link where you 
can guarantee the speed will be constant, this probably isn't an issue. 
I'd probably perform QoS at the switch level (up-priority your VoIP 
VLAN, for example): this takes load away from pfSense and gives the 
switch something to do.


Taking a step back for a moment, it looks like your biggest limitation 
is going to be your upstream WAN bandwidth long before your LAN/DMZ 
bandwidth becomes an issue.



PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA
disks RAID5

Is pfSense immune against sudden power losses, system crashes, media
surface failures, e.g. because it has read-only file systems or
something similar, so that adding RAID, parity, BBU, etc. is never
needed?


No, disk failure is a risk in any system.

However, I am pointing out that there's little point in spending large 
sums on redundant disks, NICs, etc. when you're relying on a consumer 
desktop motherboard as a single point of failure. Much better to spec 2 
lower cost systems and run them in CARP (or even warm spare, if you 
aren't comfortable with CARP yet).



As I have a RAID controller and
disks on stock I could use them without any cost


If they're going to cost you nothing, then I'd go with a pair in RAID1 
(not RAID0). RAID5 is pointless in this context: P(array failure) with 3 
disks in RAID5 is no better than a pair in RAID1.


Kind regards,

Chris
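
Why a two-port bond lands "somewhere between one and two gigabit" rather 
than a flat 2 Gbit/s, and why the single bulk FTP transfer discussed in 
both messages above will never go faster than one member link: an added 
example in Python 3, not code from the thread, pfSense or FreeBSD. LACP 
bonds (lagg(4) on FreeBSD, and the switch on the other end) pin each flow 
to one member port by hashing packet headers so the flow's packets stay 
in order; the SHA-256 hash here is a stand-in for the real per-port hash, 
and the 10.0.0.x / 10.0.1.x addresses and rates are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP/UDP conversation and the rate it would like to send (Mbit/s)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    demand_mbps: int


def select_port(flow, nports):
    """Member-port choice for a flow: hash the 5-tuple, take it modulo the
    number of ports. Every packet of one flow hashes alike, so the whole
    flow rides one member link. SHA-256 stands in for the real lagg/switch
    hash (assumption); only the per-flow pinning matters for the point."""
    key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}|{flow.src_port}|{flow.dst_port}"
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % nports


def achievable_mbps(flows, nports=2, link_mbps=1000):
    """Return (offered, delivered) load per member port in Mbit/s.
    A port carries at most link_mbps, so one flow can never get more than
    one link's worth, however many ports the bond has; only many distinct
    flows can spread across the members."""
    offered = [0] * nports
    for f in flows:
        offered[select_port(f, nports)] += f.demand_mbps
    delivered = [min(o, link_mbps) for o in offered]
    return offered, delivered


if __name__ == "__main__":
    # Constructed traffic (addresses assumed): one bulk FTP data transfer
    # from a LAN client to the DMZ FTP server that would push 1.5 Gbit/s ...
    bulk = [Flow("10.0.0.20", "10.0.1.10", 6, 51000, 20, 1500)]
    # ... and 200 ordinary flows (browsing, VoIP) of 5 Mbit/s from 50 clients.
    small = [Flow(f"10.0.0.{20 + i % 50}", "10.0.1.10", 6, 40000 + i, 80, 5)
             for i in range(200)]
    for label, flows in (("one bulk transfer", bulk),
                         ("200 small flows", small),
                         ("both together", bulk + small)):
        offered, delivered = achievable_mbps(flows)
        print(f"{label:18} offered {offered}  delivered {delivered}"
              f"  total {sum(delivered)} Mbit/s")
```

The bulk transfer is always delivered at 1000 Mbit/s no matter what it 
offers, while the 200 small flows get their full 1000 Mbit/s spread over 
both ports. That is also the argument for Chris's suggestion of doing the 
VoIP/browsing prioritisation on the switch: the second link helps the many 
small flows get out of the way of the one big one, not the big one itself.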


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall

On 24/10/13 7:31 pm, Adam Thompson wrote:

If I upgraded to a better-quality unit, or switched to licensed
spectrum, I could probably eliminate the variability and increase speed
simultaneously.


Indeed, we have Ubiquiti kit running point to point links in the 5 GHz 
unlicensed spectrum (band C) over around 18km which deliver ~65Mbps 
throughput. I think our distance record is just shy of 68km.



Within the Ubiquity line, the AirFiber apparently would get me to
~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still
using unlicensed spectrum, using the built-in directional antennas.


Do check the 24 GHz spectrum rules carefully in your jurisdiction - 
certainly here in the UK the 24 GHz unlicensed spectrum is limited, and 
only allows fairly low power without a licence.



I do not have personal
experience with Alvarion, but I can unreservedly recommend Dragonwave.


I'd add Motorola Orthogon kit to that list, based on some offshore 
experience with it a few years ago.


Kind regards,

Chris


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Jim Thompson
The topic has wandered away from pfSense. 

-- Jim

 On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc wrote:
 
 On 24/10/13 7:31 pm, Adam Thompson wrote:
 If I upgraded to a better-quality unit, or switched to licensed
 spectrum, I could probably eliminate the variability and increase speed
 simultaneously.
 
 Indeed, we have Ubiquiti kit running point to point links in the 5 GHz 
 unlicensed spectrum (band C) over around 18km which deliver ~65Mbps 
 throughput. I think our distance record is just shy of 68km.
 
 Within the Ubiquity line, the AirFiber apparently would get me to
 ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still
 using unlicensed spectrum, using the built-in directional antennas.
 
 Do check the 24 GHz spectrum rules carefully in your jurisdiction - certainly 
 here in the UK the 24 GHz unlicensed spectrum is limited, and only allows 
 fairly low power without a licence.
 
 I do not have personal
 experience with Alvarion, but I can unreservedly recommend Dragonwave.
 
 I'd add Motorola Orthogon kit to that list, based on some offshore experience 
 with it a few years ago.
 
 Kind regards,
 
 Chris


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Espen Johansen
What else is new with thinker as op.
On 25 Oct 2013 02:18, Jim Thompson j...@netgate.com wrote:

 The topic has wandered away from pfSense.

 -- Jim

  On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc
 wrote:
 
  On 24/10/13 7:31 pm, Adam Thompson wrote:
  If I upgraded to a better-quality unit, or switched to licensed
  spectrum, I could probably eliminate the variability and increase speed
  simultaneously.
 
  Indeed, we have Ubiquiti kit running point to point links in the 5 GHz
 unlicensed spectrum (band C) over around 18km which deliver ~65Mbps
 throughput. I think our distance record is just shy of 68km.
 
  Within the Ubiquity line, the AirFiber apparently would get me to
  ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still
  using unlicensed spectrum, using the built-in directional antennas.
 
  Do check the 24 GHz spectrum rules carefully in your jurisdiction -
 certainly here in the UK the 24 GHz unlicensed spectrum is limited, and only
 allows fairly low power without a licence.
 
  I do not have personal
  experience with Alvarion, but I can unreservedly recommend Dragonwave.
 
  I'd add Motorola Orthogon kit to that list, based on some offshore
 experience with it a few years ago.
 
  Kind regards,
 
  Chris