Will a dual core Atom be sufficient to run a firewall at home?

[Jeff7181]

I'm thinking about picking up a small form factor box to install a firewall on... either Astaro or Untangle. I'm wondering if a dual core Atom is beefy enough to run firewall software. I have Astaro running in a VM right now and I noticed my throughput drops from 12 Mbps to under 10 Mbps when downloading from Steam with no other devices using the pipe. It's running on a Celeron E3300 with 1 GB of RAM allocated to the VM in VMware ESXi 4.x

Astaro reported 33% CPU usage at that time, but there's no question that it's the firewall that slows it down. When I change the gateway to my router, speed jumps back up to 12 Mbps, flip it over to the firewall and it drops down between 9 and 10.

I'm not sure if it's due to the fact it's running in a VM or if it's due to the processor/platform/NIC just not being able to keep up.

*EDIT* If I got an Atom box, it would be dedicated to the firewall software.

 

[jumpncrash]

I'm pretty sure you'd be more than fine with that kind of setup. I'm running pfsense on a dual P2 with 512mb of ram and I don't get any slowdowns. What's your connection speed?

 

[pitz]

Had no problems running that sort of traffic through an old Pentium-66 back in the 1990s with Linux and ipchains (at the time).

The sort of traffic you're talking about would generate a lot of interrupts, which probably would not be dealt with in a timely fashion especially on that Celeron hardware (especially if you're using old PCI cards...).

Even in terms of embedded platforms, a 200MHz dd-wrt device like a wrt54gl wouldn't have any trouble whatsoever keeping up (they top out at around 50-60mbit/sec). If you need wireless, you might just want to look into something like that..

You are referring to 10-12 megabits per second, right? Not 10-12 megabytesse?

 

[weovpac]

I have used an old laptop Thinkpad T23[P3 1.1GHz with 1G of RAM] with pfSense with no problems. My speeds got better using this setup. Plenty of people use dual core atoms with pfSense. It all depends what you want to do with the firewall. But for the price of a dual core atom setup, you can build something much better with a SB Celeron like a G530[currently using here].

Check out http://www.pfsense.org for more info, search the forums there is plenty of info and help there.

 

[Jeff7181]

I was looking at Atom because of the (lack of) power use. I'd like it to be as low as possible because I intend to use this for years. I have an older P4 desktop, but P4's don't sip power, so the money I'd save by not replacing it would probably be spent in a year or two on electricity.

And yes, 12 megabits per second is what my Internet connection is capable of. However, I'd like something that can handle as much as 50 Mbps. I'd also like something that won't fall on it's face if I were to set up an IPsec VPN connection for work.

I got to looking at the firewall logs and I saw it dropping a lot of packets that belong to the Steam transfers I had running. Maybe that was the cause of the slower speed I was seeing and not necessarily that the VM can't hack it. I haven't figured out why it was dropping the packets yet, but maybe later today I'll have time to look into that.

 

[weovpac]

Yes power usage is important. You can look at my build here:
http://forum.pfsense.org/index.php/topic,44269.0.html

As you can see ~30 watts is good IMHO, of course that depends on you. Using an atom setup will save you maybe ~10 watts. For me the trade off, of power savings to cpu power is not worth it. That SB Celeron can handle pretty much any package you throw at it and more.

Edit: Forgot to mention, if you invest in a pico PSU the power usage can be brought a bit more. But they are costly and again not worth it to me tho.

 

[Jeff7181]

What kind of hard drive did you use?

 

[Magic Carpet]

Yes power usage is important. You can look at my build here:
http://forum.pfsense.org/index.php/topic,44269.0.html

As you can see ~30 watts is good IMHO, of course that depends on you. Using an atom setup will save you maybe ~10 watts. For me the trade off, of power savings to cpu power is not worth it. That SB Celeron can handle pretty much any package you throw at it and more.

30w is good, I am with you here. There is total cost of ownership which must be taking into account as well. Usually, more efficient stuff costs more but doesn't always pay off.

Edit: Forgot to mention, if you invest in a pico PSU the power usage can be brought a bit more. But they are costly and again not worth it to me tho.

I like pico's but... they are rather expensive and the actual power savings aren't that huge, to be frank. Good bragging rights... they are the most efficient under lower loads, though. Something like this is a nice balance between price and efficiency.

 

[weovpac]

What kind of hard drive did you use?

I had an old 80GB 2.5 inch 5400rpm laptop drive laying around.

 

[weovpac]

30w is good, I am with you here. There is total cost of ownership which must be taking into account as well. Usually, more efficient stuff costs more but doesn't always pay off.

My thoughts as well.

I like pico's but... they are rather expensive and the actual power savings aren't that huge, to be frank. Good bragging rights... they are the most efficient under lower loads, though. Something like this is a nice balance between price and efficiency.

That PSU you linked is very similar to the one that came in the SilverStone SG06B.

 

[cmetz]

Jeff7181, seriously consider the Sandy Bridge based Pentium CPU and a H61 chipset motherboard. For about $20-$30 more money and about 5-10W more idle power consumption when tweaked, you get a massively more powerful system.

Or consider swapping around and using the SB box as your ESX box and do some underclocking/tweaking on your Celeron and make it the firewall.

The current Atoms are - in my personal opinion - uninteresting chips in 2012. ARM chips are massively better in platform power consumption while delivering only a modest performance cut, while the low end SB chips offer a massively better performance for only a modest power increase, and all are similar enough in cost. Intel knows this, there are new Atoms on the horizon that should be much better in both performance and power consumption.

 

[wirednuts]

heh, i still use an n270 asus netbook as my main laptop... i think the atoms are a lot faster then what they seem on paper. i rarely miss the extra speed my full desktop gives me, and theres nothing i do on that that i cant do on this netbook besides gaming.

 

[Modelworks]

Don't use a hard drive for a firewall setup, you are wasting power. Instead get a compact flash card and an SATA or IDE adapter for it. Even a 2GB card is enough for pfsense and a home user.

 

[RadiclDreamer]

They will be more than fine, think about it, even the mid-high end ASA 5520 only use a celeron 2ghz. The 5505 uses a 500mhz amd geode

 

[Jeff7181]

Don't use a hard drive for a firewall setup, you are wasting power. Instead get a compact flash card and an SATA or IDE adapter for it. Even a 2GB card is enough for pfsense and a home user.

I don't have any CF cards but I have plenty of SD cards... do they make SD to SATA adapters? I couldn't find any on Newegg and a Google search only turned up a manufacturer in China and I can't find a reseller of the part (SLSA5001) in the US.

 

[Jeff7181]

Or, could I just use something like this maybe? http://www.newegg.com/Product/Produc...82E16820270007

 

[weovpac]

Don't use a hard drive for a firewall setup, you are wasting power. Instead get a compact flash card and an SATA or IDE adapter for it. Even a 2GB card is enough for pfsense and a home user.

This is fine if you don't plan to run Squid package or packages that use a hard drive. But if you do plan to run packages like Squid, then a hard drive is the way to go. Also a laptop hard drive will not use much power.

 

[weovpac]

I don't have any CF cards but I have plenty of SD cards... do they make SD to SATA adapters? I couldn't find any on Newegg and a Google search only turned up a manufacturer in China and I can't find a reseller of the part (SLSA5001) in the US.

This should help, with your SD question:
http://forum.pfsense.org/index.php/topic,44417.0.html

 

[Jeff7181]

This should help, with your SD question:
http://forum.pfsense.org/index.php/topic,44417.0.html

It does, thank you. In that case, I may just use a spare 80 GB 2.5 inch drive I have laying around. Power savings with CF shouldn't be that much compared to a 2.5 inch notebook drive.

 

[ScoobMaster]

Hey - sorry to join this discussion a little late, but I can offer some first hand experience for you. I built a dual core Atom rig specifically to run Astaro security gateway on at home and have been using it for the past 9 months. It has been running flawlessly.

I bought a Foxconn D525 barebones unit from newegg for under $100 (Foxconn SFF R20-D4 Intel Atom D525) and added this low profile ethernet card for my second adapter (StarTech ST100SLP). Pop in 2GB of ram and a hard drive and you are good to go. I bought a 500GB WD SATA drive (ironically it was the cheapest drive I could find at the time back before the flood) and it is WAY overkill as I only use about 15Gb of it. I am going to be pulling it soon to use in a budget gaming rig I am building for my son - I am going to replace it with a 2.5 60GB drive I removed from my PS3 during an upgrade.

I highly recommend Astaro if you don't mind the learning curve. I have been administering an Enterprise install at the K-12 school district where I work for 2 years and was surprised to see that the FREE home license they offer is FULLY functional and includes almost all the features of the Enterprise level. You can set it as basic as you want (web filtering and firewall) or go crazy with custom rules and packet filtering. There is a great community of users that can answer questions at http://www.astaro.org

Back to the hardware - my little Atom rig uses under 35 watts and most of the time I don't notice it is there. With 2Gb of RAM, the Astaro dashboard ususally shows between 1-10% processor utilization and 40-65% on the RAM (the Foxconn board will support 4GB if I feel the need to up it down the road. Another plus of this setup is that Astaro has built-in support for APC USB smart UPS units - simply plug in the USB cable and a UPS battery meter shows up on the Astaro dashboard page. I set the Foxconn bios to startup on recovery from power loss and it gracefully shuts itself down and powers back on automatically during a power loss (just tested - had one two weeks ago!).

The Foxconn model I have is discontinued, but there are similar models still available at "the Egg" - they seem to go on special often too. I can easily recommend the Atom dual-core and Astaro combo for a robust and power friendly home firewall/filter/antivirus solution.

I would be happy to answer any other questions either in this thread or PM.
Good Luck!

 

[Jeff7181]

Good information, thanks. I didn't really look to see if there was the option since I was using an ISO to install Astaro in a VM, but can you install it from a USB flash drive?

 

[ScoobMaster]

I have not tried it (yet), but the question has been asked on the astaro forums and someone claims to have been successful using unetbootin.

http://www.astaro.org/astaro-gatewa...ling-astaro-home-edition-using-usb-flash.html

 

[Geofram]

I wanted to chime in as well, and 2nd the "it works fine" feeling. I have been running Astaro on an Atom machine for several months as well. I'm actually using a 30 GB SSD for the HD in it; I bought it when SSDs were brand new, and it's too small for use in about anything else now, but it works wonders in my router.

That being said, if I was building it today, i'd get a Sandy Bridge celeron instead of the Atom. They are cheap, and power efficient as well; it never hurts to err on the side of extra power.

Something else to keep in mind; use good NICs. I used Untangle at first (instead of Astaro), and the community there was very vocal about how proper workstation/server level NICs were much, much more efficient in this kind of environment than onboard/cheapo NICs were. I've got a couple of Intel ones in my box, and never had any issues.

 

[Jeff7181]

Yeah... I'm torn. On one hand, a little purpose-built Atom machine that uses less than 30 watts would be kinda cool. On the other hand, if I switch ISP's at some point and they provide me with a router that includes the type of control I want, there's not much else the Atom box would be good for where as a SB Celeron setup could be used as a secondary PC, a HTPC, another ESXi host, etc.

I fired up my girlfriend's old PC and just sitting idle it uses 120 watts (Kill A Watts are handy). I'll have to look at my electric bill and find out how much that would cost me over time to see if it's really worth spending $200-250 up front to save money in the long run. If it would take 8-10 years to see the savings then I probably won't bother... I'll just throw a quality $30 Intel NIC in the old PC and stick it in the closet.

*EDIT* Did a rough number crunch and it looks like it would take 1.5 years to break even if I went with the Atom box... 2.5 years if I went with a SB Celeron setup.

 

[Red Squirrel]

I'm running pfsense on a Pentium 3 1U Dell server, and it runs fine. The bandwidth going through it is not crazy as my connection only goes up to 5m/1m but with torrents, there is lot of packets, so that adds extra load. The cpu is usually around 0-5% usage. So yeah, an Atom would be fine.

These are awesome little boxes:

http://www.newegg.ca/Product/Product...82E16816101364

Once the P3 server's hard drive dies (it's SCSI) I will probably get one of those. Some models have an expansion slot, so I'd probably throw in a 2 port Intel nic for separate physical networks.