Advice on Low power Firewall/fileserver powered by Picu+Edac

[Poodle]

Hi ya!

First: Thanks for reading this post!

I'm about to build a Linux Ip tables based firewall and fileserver (probably Devil-Linux) and I could need your input.


My wish list:


1: Really low power: max 100w including:
* 4 Samsung T 400GB hard-drives, (10w on load, each)
* Raid-controler
* and some extra GB-LAN-cards.
This because of that the Picu psu and Edac 110W will be used (see Mikes review). Some headroom would be nice also. I might wait with the raid array tough so don't spend too much time on that, OK?

2: mATX. This is a must, because of lack of space so mATX only guys.

3: Be able to run Linux (evidently). So because of Linux an undervolting bios would be great. But there doesn't seem to be any mATX that have this.

My thoughts.

Both Intel and Amd seem to have good products for this. Intel's new products seems to work better under Linux (compare 945 to Nf6150) and Amd seems to be cheaper. I have a 945GM card that will be available when I'll soon be buying a new DFI or Abit mobo for my main rig E6600 but it seems to be quite hard to get really low power on 775, so I might just sell that card. Smilingcrow has got some nice low power on the 479 but those setups are a little too expensive for a firewall but if the lowest wattage is 479 I might go there.

The Amd 754 seems to be the best chose here if it will behave well under Linux (why wouldn't it?). I heard about the Mobile Semprons. I should get one of those, shoudn't I?

Is the - SMS2800BOX3LB
Stepping: CBBID LBBID
Vcore: 1.25
Thermal Design Power: 25w - a good chose? Is it 90nm?

This 754 mobo mATX with VIA chipset is really easy to get here in Sweden: http://www.msi.com.tw/program/products/ ... hp?UID=690

It's also possible to get the DFI K8M800 which seems to have Vcore control in bios. Maybe it's better with the moblie Sempron?
Please comment on the Vcore ability on the DFI. Will it work or not?

I've got some DDR dimms in laying around so this would be a cheap system.

What do you think?

Thanks
/
Poodle

[bean1975]

Mobile Semprons are indeed a very good choice for a machine like this. There is very little work for the CPU here. Even if you get a board which does not officially support the mobile Sempron you can still be happy, if the BIOS is 'overclocker friendly' in our case 'underclocker friendly' You can set up the CPU in BIOS to some low vcore and speed and leave it so, no need for powernow-k8 support, that's extremely hard to find. You want to look at SPCR's list of boards for which board supports Turion. If you can't find any in Sweden, I suggest buying one on ebay.de or even ebay.com, I know there might be postage and customs / taxes but this never stopped me

[Poodle]

Thanks bean1975!

Do you think I should go for the Dfi? It can undervolt in bios right? Or could anyone recommend a power now mobo?

I'd prefer mATX.

[Poodle]

Ok the Mobile Sempron 25w is ordered for 19$ and 35$ for shipping. This is still less expensive than a normal Sempron here in Sweden.


Cpu sorted. What about the mobo?

[jaganath]

Cpu sorted. What about the mobo?

The DFI manual says it offers Vcore control, but doesn't say how low it will go. The mobile Sempron is probably cool enough not to need much undervolting anyway.

[Poodle]

Cpu sorted. What about the mobo?

The DFI manual says it offers Vcore control, but doesn't say how low it will go. The mobile Sempron is probably cool enough not to need much undervolting anyway.

I take it that you mean both up and down?

[jaganath]

why would you want to overvolt a mobile sempron?

[OmegaEntropy]

You must be in a hurry!

I feel obliged to mention that it is not a good security practice to have your firewall doing anything but firewalling (i.e. it should not be a server too).

Of course it's your network so it is your choice. </soapbox>

Before I can look for a mobo for you, how many ethernet interfaces are you looking for in your final setup? If you want "real" gigabit throughput you'll want the gigabit to be on a PCI-e bus, not a 32bit/33MHz PCI bus.

For example, I'm planning a low power firewall myself, except I'll be running pfsense. My requirements are:
1) 10/100 or GigE for the WAN
2) 2x GigE for my LAN and DMZ -- this allows fast throughput from the LAN to DMZ. Because that path is firewalled you also need enough horsepower to push the packets. This means a CPU with some grunt (which is needed for WAN above about 10Mbit anyway with pfsense which is something of a hog).

The best I've found for this is this announced but not yet available Tyan board: i945 s3095. It'll support a Core, Core Duo or C2D mobile. As you pointed out, more expensive, but it has all the ethernet interfaces built in and has all kinds of expansion as well as an optional CF slot if I want to run pfsense diskless. I point this mobo out not for you to get (obviously) but as an example of what to look for.

If you're looking at RAID and want to be able to break ~ 100MB/s you'll need either 64 bit PCI (not going to find that on a s754 mobo) or PCI-e. Either way it means 1 expansion slot for that card.

Do you need a "real" hardware RAID like 3ware or LSI, etc. or is software RAID (e.g. in Linux or Promise) what you're looking for?

If you want to add GigE ethernet interfaces you have the same problem with expansion. As you know mATX is not exactly an expansion powerhouse. See my question on what final network setup you need as that will drive your solution.

Lastly, Linux support is independent of the socket used. It is more a function of the chipset (VIA, etc.) and any add on chips (SATA, ethernet, firewire, etc.).

Do you know which chipsets and ethernet controllers are best supported in Linux? As I've been looking at pfsense I've only looked at FreeBSD.

[Poodle]

Thanks OmegaEntropy. You know a lot about this stuff that I don't.


I know about the danger though about having both firewall and fileserver as one system and I've actually been considering running two systems: One firewall and one fileserver. I was just being cheap


Are you saying that the firewall must have PCI-e? Will not normal Pci GB lan cards be enough for the Internet sharing? I had no idea that is was so demanding.

Can't I just connect the fileserver system like this. So that the fileserver doesn't have any direct contact with the wan?:


Wan ----->Firewall/router-------->Main Rig-------->Fileserver

[Poodle]

why would you want to overvolt a mobile sempron?

I don't. I just wanted to know if it really undervolts not just overvolt. Sorry for not being clear.

[floffe]

Are you saying that the firewall must have PCI-e? Will not normal Pci GB lan cards be enough for the Internet sharing? I had no idea that is was so demanding.

You won't get gigabit throughput from a PCI card, no. But the odds of you internet connection exceeding 100mbit are pretty low, even though you do live in Sweden

So you only need one gigabit interface, on the LAN side, and if so it'll only be used for the file-serving capabilities.

[OmegaEntropy]

Are you saying that the firewall must have PCI-e? Will not normal Pci GB lan cards be enough for the Internet sharing?

For your internet connection (WAN), a 10/100 will be plenty*. If the only thing the LAN side of the firewall is connected to is your main rig, then a 10/100 will be fine for that too, because all traffic going to the firewall is just going to the internet.

Really the only reason a GigE connection is desirable is:
1) You have a GigE switch and you want all the connections to that switch to be Gig (I have heard this is a "good thing" but I have no data to back it up)
2) You want/need to push more data through the firewall than a 100Mbit connection will give you. The only setup I know of for this is if you have 2 (or more) non-WAN connections on the firewall and they need to talk to each other. A setup with a firewalled LAN and a DMZ would be one such setup.

If, as you described, your network looks like this:

Internet---->Firewall---->Lan

Where there is only one connection to the internet and one to your LAN, then a 10/100 connection on each end will be plenty -- *Assuming your internet connection is <100 Mbit.

If, after reading the above you decide you need Gigabit ethernet, THEN, it is preferable (but not necessary) to have that Gigabit not be constrained to a 32bit/33MHz PCI bus.

I hope I've cleared up the Gigabit thing with the above. Tell me if I have not.

Onward:
How many computers/devices are in your LAN that will need access to the theoretical fileserver? In your drawing you only show one, which is why I ask -- if your "main rig" is the only computer/device needing access to the files, there is likely no need for a separate fileserver and you should build it into the main rig.

In most cases both firewalling and serving files can be done with systems with little horsepower. I currently have a firewall setup like described above (with no DMZ) and it is smoothwall (linux) running on a P75 with 48 MB of RAM and a 2 Gig hard drive. This is more than enough for my 4Mbit internet connection of today (no DMZ to push traffic to, just 2 interfaces, the cable modem on one end and a switch on the other). A $30 Linksys box would meet my traffic needs and consume only ~6Watts!

A Pentium 2 level machine with an appropriate OS is plenty for standard fileserving duties.

The lesson I take from the above 2 paragraphs is that unless ultimate low power and/or reliability are a driving concern, I'd look at used hardware for your needs.

If you did not want specifically to roll your own firewall with linux and wanted something to "just work" then some SOHO firewall box would be the way to go: lower power, more reliable (no hard drive or CPU fan) and gets it done.

See this page for an example of throughput capabilities and power usage:http://www.fractured.org/routers/

If you will post exactly what your needs and wants are for your firewall and fileserver I can be more specific.

I should note that for my wants/needs the following are driving factors:
1) reliability
2) pfsense software capabilities
3) low power
4) Push > 300Mbit from LAN to DMZ
5) Have enough grunt to do >50Mbit on the WAN while doing VPN.
6) Fit on the small custom rack I built for my switches and patch panels

Basically, I want to set up something that will last for 10 years without touching (reliability and horsepower) and that I can play with a bit (pfsense).

My current smoothwall setup works, but being based on P75 era hardware (read:old stuff) it is not the most reliable. I have not measured the power draw, but it it likely in the 25-40 watt range which is very good by today's standards for an entire non-mobile PC, but it is several times what an "appliance" would be.

[Poodle]

Thanks everyone for all the great input!

I really want to do like you Omega and get a firewall that will last and have headroom for 10 years. I've heard of Pfsense and I will look into it and maybe use that instead. As floffe also mentioned we have really fast Internet here and it just gets faster and faster. At the moment I'm on a proper fiber connection giving me 100Mbit, which might increase in bandwidth in the future.

That Tyan board makes sense also when I saw that it has lots of GbE ports which makes it easier. I'm not to sure if it comes with the CF module as it says: "optional". I found it at German e-tailers for around 250€ which is much but as a 10 year investment sounds better. All of them are out of stock though.

I think I will hold though on that Tyan and maybe get an Asus K8V-VM with the new chipset from Via and it has Pci-e and it goes for around $50-60 at e-tailers. Does anyone have undervolt info on this board?

http://www.asus.com/products.aspx?l1=3& ... odelmenu=1

Stay tuned and I will give you a description of my needs when I'm sure what I need and want. Meanwhile: Keep on posting boys and girls.


/
Poodle

I had a Toshiba laptop with a P75 back in the days.

[OmegaEntropy]

Poodle,

First, I want to make sure I'm not accidentally "talking" you into getting something yo do not need. I do not want this to be the firewall equivalent of recommending a 1000W power supply to someone with integrated video

Second, I'm very jealous of your WAN speed!

From a bandwidth standpoint that Asus board looks very good -- because it has integrated graphics that means you have 2 PCI-e slots open to use. It also does NOT have a chipset fan -- that's one less thing to fail.

If you decide to go pfsense, know that realtek is considered not good to bad because it can be flaky under FreeBSD. Intel's NICs are considered the best both because they are trouble free and because they have a good featureset (specifically, they support altq which is needed for traffic shaping). So, on that note, IF you decide to go the pfsense route, you would want either a dual port NIC or two separate ones. I recommend only putting one in a (parallel) PCI slot and the other in the 1x PCI-e slot or go for a dual port in the 16x PCI-e slot.*

Make sure to really read up on pfsense before you decide to go that route (things like the recommended NICs). Another option is just to keep it in mind as a future possibility, but plan for compatible hardware today (which I guess requires the same amount of planning as actually getting it today). The advantage of a board with 2 PCI-e slots is that it keeps your options open for the future as that slot will be around for some time.

*I'm not 100% sure this will work -- it should, but if you go this route best to try something that enables you to return the NIC if the mobo only likes video cards in that 16x slot.

As always, verify the compatability of any on-board chips with the OS you will be running.

Note the Tyan board with the CF slot has a different SKU. Also note I do not think this Tyan board is available in the channel yet.

I look forward to hearing back on confirmation/clarification of your needs and wants, note as it is no longer the weekend I will likely only be able to check back here once per day, likely in the evening US time.

[Poodle]

I've done some of my homework now.

...When it comes to Linux and freeBSD drivers on both the Nforce and Via chipsets are quite pathetic really. I don't not what to believe but it's not good. The situation looks like users with these chipsets are hoping/begging for drivers. They can run the boards in freebsd but the NIC and display is limited.

Linky: http://www.linuxjournal.com/node/1000074

I've never actually owned a Pci-e card other than gfx-card. Could those pci-e ports be used anyway without chipset drivers?

I've also been looking at this board with Nforce and undervolting in bios:
http://www.asrock.com/product/K8NF4G-VSTA.htm


That Tyan looks better and better. It would satisfy much of my needs as it is with two GbE and one FE ports. A dual GbE NIC pci-e adapter costs around $150 anyway so adding another 100$ would give me even more features. Too bad I can't find any decent 479 chips for $19 on ebay. It doesn't seem to have Vcore undervolt in bios either.

If the Amd chipsets would have worked it would be best (cheapest).

[OmegaEntropy]

I've no idea on the chipset driver and expansion slots thing -- always good to have a chipset that "the community" agrees is well supported, which (I think) generally just means has been around for a bit (not bleeding edge) and is popular enough for there to be demand. As I do not recall seeing chipsets on hardware compatability lists (?) perhaps it's not a problem? Sounds like a question for the appropriate *nix forum.

[ob]

Hi ya!

First: Thanks for reading this post!

I'm about to build a Linux Ip tables based firewall and fileserver (probably Devil-Linux) and I could need your input.


My wish list:


1: Really low power: max 100w including:
* 4 Samsung T 400GB hard-drives, (10w on load, each)
* Raid-controler
* and some extra GB-LAN-cards.
This because of that the Picu psu and Edac 110W will be used (see Mikes review). Some headroom would be nice also. I might wait with the raid array tough so don't spend too much time on that, OK?

2: mATX. This is a must, because of lack of space so mATX only guys.

3: Be able to run Linux (evidently). So because of Linux an undervolting bios would be great. But there doesn't seem to be any mATX that have this.

My thoughts.

Both Intel and Amd seem to have good products for this. Intel's new products seems to work better under Linux (compare 945 to Nf6150) and Amd seems to be cheaper. I have a 945GM card that will be available when I'll soon be buying a new DFI or Abit mobo for my main rig E6600 but it seems to be quite hard to get really low power on 775, so I might just sell that card. Smilingcrow has got some nice low power on the 479 but those setups are a little too expensive for a firewall but if the lowest wattage is 479 I might go there.

The Amd 754 seems to be the best chose here if it will behave well under Linux (why wouldn't it?). I heard about the Mobile Semprons. I should get one of those, shoudn't I?

Is the - SMS2800BOX3LB
Stepping: CBBID LBBID
Vcore: 1.25
Thermal Design Power: 25w - a good chose? Is it 90nm?

This 754 mobo mATX with VIA chipset is really easy to get here in Sweden: http://www.msi.com.tw/program/products/ ... hp?UID=690

It's also possible to get the DFI K8M800 which seems to have Vcore control in bios. Maybe it's better with the moblie Sempron?
Please comment on the Vcore ability on the DFI. Will it work or not?

I've got some DDR dimms in laying around so this would be a cheap system.

What do you think?

Thanks
/
Poodle

What case are you going to use?

[elec999]

What about you get a nice matx board, with a mobile amd or a sempron, and undervolt and underclock. My e6 sempron 3400+, does 5x200 at 1.100volts. I can lower it from windows to 0.875.
Thanks

[Poodle]

What about you get a nice matx board, with a mobile amd or a sempron, and undervolt and underclock. My e6 sempron 3400+, does 5x200 at 1.100volts. I can lower it from windows to 0.875.
Thanks

Thanks... but I have to ask if you've actually read the whole thread? I've already got the 25W Sempron as mentioned. It's more a question of mobo (yes it's gonna be uATX). Who said anything about Windows..? It's gonna run *nix and there isn't any program like Crystalcpuid on that platform.

Driver support under freeBSD is a big issue as well and the Amd platform seems to be cripled compared to Intel. This fact might force me to move to Intel. Pci, pci-e bandwidth and sockets are very important also.

If anyone happens to have any info on a uATX 754 board with:

* Low power chipset with IGP that has freeBSD support.
* Plenty of Pci-E sockets.
* Undervolting in bios.

Please post that info!

If you also know what chipset is the cooler of the two: Via K8M890 and Nvidia Nf6100/410 please let me know. As it seems that I've got only two options on socket 754:

Asus K8V-VM (K8M890 which might be the cooler chipset, better BSD support) and the Asrock K8NF4G-VSTA with Nf6100 (has underovolt option in bios + 1 xtra Pci-E 4x socket). See thread for links.

Thanks for reading.

[Poodle]

What case are you going to use?

Not relevant. But if you really want to kow, it's actually gonna be built into an Ikea steel case. So space is an issue, hence the uATX. I guess that I could squeeze in a normal ATX but uAtx would be better.

[kentc]

If you also know what chipset is the cooler of the two: Via K8M890 and Nvidia Nf6100/410 please let me know.

i don't know specifically, but generally via are considered slightly slower and much cooler. i know my 6150/430 is running rather hot. i've felt the need to put a big zalman on my 6150 although the sb isn't that bad.

[Alec Ross]

Not sure if anyone else is familiar with this software, but m0n0wall works on a number of integrated PCs, most of which are fanless.

Some examples

EDIT: Obviously this isn't all that interesting for you, Poodle, but I thought I should throw it out there. Also, frankly, I don't think that underclocking is going to be a big deal. You're running a 25W MAX CPU, and you'll probably have difficulty getting it over 10% usage (My PIII m0n0wall box gets all the way up to 2% or so running network games).

[Poodle]

If you also know what chipset is the cooler of the two: Via K8M890 and Nvidia Nf6100/410 please let me know.

i don't know specifically, but generally via are considered slightly slower and much cooler. i know my 6150/430 is running rather hot. i've felt the need to put a big zalman on my 6150 although the sb isn't that bad.

I know that the 6100 is about 10W cooler than the 6150. I just don't know where the K8M890 fits in. Probably cooler than the 6150, but is it also cooler than the 6100?

The Nf is probably the best performer. I don't really need high Fps and HD playback. I just want it cool and with Pci-E bandwidth. Undervolting would be a nice bonus.

Tack för hjälpen.

[Poodle]

Not sure if anyone else is familiar with this software, but m0n0wall works on a number of integrated PCs, most of which are fanless.

Some examples

EDIT: Obviously this isn't all that interesting for you, Poodle, but I thought I should throw it out there. Also, frankly, I don't think that underclocking is going to be a big deal. You're running a 25W MAX CPU, and you'll probably have difficulty getting it over 10% usage (My PIII m0n0wall box gets all the way up to 2% or so running network games).

I first thought about Ip-tables as it's very light on the CPU (which is really good) as you point out. It's just that Pfsense (which if I'm not mistaken is Monowall based+ freeBSD features) seems to have higher bandwidth headroom (at the cost of higher cpu load and memory useage) and as I don't want to get bottlenecked by the firewall/router, Pfsense might give a more future proof investment (for myself at least, maybe not so much for the environment). The best would be to get hardware that can do both. But I will probably go the Pfsense way. At least that's what I'm leaning at now as I have a high speed WAN that might get faster and I might also throw in a server or two and a/some additional desktop(s).

You could check out www.pfsense.com if you're interested.

Thanks.