The HP T730 Thin Client is a popular pfsense box. In this post, I analyze speeds and power draw of this particular box.
Introduction
With my APU2E4 pfsense router aging and sometimes reaching high CPU usage while running the many services I have, I upgraded to a HP T730 Thin Client + SuperMicro AOC-SGP-I2-P Rev 2.00 Dual Intel NIC (based on the popular Intel i350v2).
Test Setup
I’m mainly conducting a variety of iperf3 speed tests through these boxes and am monitoring current draw via a Kill-a-Watt.
Here’s what the test network looks like:
Devices
- WAN Client 192.168.2.10 (MacBook running iperf3 server)
- WAN Gateway: 192.168.2.1
- LAN Gateway: 192.168.1.1
- LAN Client: 192.168.1.10 (Arch Linux machine running iperf3 client)
- NOTE: I wasn’t consistent with using this IP address but the results were unaffected by this inconsistency
In the initial tests, I left all default services on. In the later tests, I enabled CPU intensive packages such as pfBlockerNG and Suricata.
Constants
There are a few things that are constant through these tests:
- 1Gbps cabling/interfaces
- iperf3 server: MacBook Pro with Thunderbolt to Ethernet NIC
- iperf3 client: Arch Linux Desktop with onboard NIC
- HP T730 Thin Client, 4 GB Memory, 128GB M.2 NVMe, running pfsense 2.6.0, w/ SuperMicro AOC-SGP-I2-P Rev 2.00 Dual Intel NIC
Test Results
Idling
Power Draw OOTB (out of the box) with pfsense running: Draws 18W at idle
Thermals: CPU Temps around 40C at idle
LAN to WAN iperf3, default services running
In this test, I ran the default OOTB pfsense services with others disabled.
Screenshot shows the services running in this test
Screenshot shows the iperf3 performance in this test
iperf3 and power draw results
Upload: 942 Mbits/sec
Download: 939 Mbits/sec
Power Draw during test: 27W
LAN to WAN iperf3, default services + pfBlockerNG running
This test is the same as the last, except pfBlockerNG is also running.
Screenshot shows the services running in this test
Screenshot shows the iperf3 performance in this test
iperf3 and power draw results
Upload: 943 Mbits/sec
Download: 941 Mbits/sec
Power Draw during test: 27W
LAN to WAN iperf3, default services + pfBlockerNG + Suricata (IDS Mode) running
This test is the same as the last, except Suricata (in IDS mode) is also running.
Screenshot shows the services running in this test
Screenshot shows IDS mode on and IPS (Blocking) mode off in Suricata package
Screenshot shows the iperf3 performance in this test
iperf3 and power draw results
Upload: 939 Mbits/sec
Download: 936 Mbits/sec
Power Draw during test: 30W
LAN to WAN iperf3, default services + pfBlockerNG + Suricata (IPS Mode) running
This test is the same as the last, except Suricata is now in Inline IPS mode.
Screenshot shows the services running in this test
Screenshot shows Inline IPS Mode selected
Screenshot shows Hardware Checksum Offloading, Hardware TCP Segmentation Offloading, and Hardware Large Receive Offloading all Disabled under System -> Advanced -> Networking, which are required to be disabled for Inline IPS Mode
Note: I noticed that changes to Suricata IDS/IPS mode didn’t seem to take effect until after a pfsense reboot or restarting the Suricata service on the interface.
Screenshot shows the iperf3 performance in this test
iperf3 and power draw results
Upload: 607 Mbits/sec
Download: 605 Mbits/sec
Power Draw during test: 30W
LAN to WAN iperf3, my services + pfBlockerNG + Suricata (IDS Mode) running
For this test, I loaded the HP T730 pfsense box with the configuration I run on my existing APU2E4 pfsense box to better simulate actual conditions. My existing pfsense config has a relatively large pfBlockerNG blocklist, two OpenVPN instances, and a few other packages running.
At idle with this config, I measured 25W power draw.
Screenshot shows the services running in this test
Screenshot shows the iperf3 performance in this test
iperf3 and power draw results
Upload: 941 Mbits/sec
Download: 939 Mbits/sec
Power Draw during test: 30W
LAN to WAN iperf3, my services + pfBlockerNG + Suricata (IPS Mode) running
This is identical to the last test, except I put Suricata in Inline IPS Mode.
Screenshot shows the services running in this test
Screenshot shows IDS mode on and IPS (Blocking) mode off in Suricata package
Screenshot shows Inline IPS Mode selected
Screenshot shows the iperf3 performance in this test
iperf3 and power draw results
Upload: 560 Mbits/sec
Download: 558 Mbits/sec
Power Draw during test: 30W
Conclusions
Overall, I’m happy with the speeds and power draw from this setup. I’ve yet to benchmark my existing APU2E4 but I think these measurements are pretty good for a potential upgrade from that box. The high count of “retr” or retries (retransmission of TCP packets) in the iperf3 reports from when Suricata IPS was enabled are interesting — I don’t know if this is expected with Suricata in IPS Mode, but the fact that there are ~0 retries with Suricata not in IPS Mode reassure me that the hardware/cabling is probably fine.
Suricata with Inline IPS mode enabled is costing me about 30-40% bandwidth (I presume because of the added CPU load). I don’t yet know how this compares to the APU2E4, but I would venture to guess it’s quite a bit less bandwidth drop that Suricata Inline IPS enabled on that lower powered box.
With ~25W power consumption, I can expect to pay ~ $25/year to power this box, which seems reasonable to me!