Not a good x86 device? (Realtek NICs), Power Packed Little Dynamite?

That is not my experience at all. I've had no problems handling a gigabit/sec with both J1900 and 1037U devices. The J1900 was, last I checked, 1,877 aggregate, 524 single-core Passmark. The 1037U, 1,743 aggregate and 951 single-core Passmark.

Is that with SQM, encrypted DNS, VLAN and VPN at the same time?

VPN is a different story, and it depends on getting AES-NI working or not, which requires the hardware and software compiled for it. Otherwise, yes, gigabit shaping with VLAN etc. is very doable with a J1900 or better.

I'd highly recommend you get a Pentium (G4XXX, G5XXX) or i3-class CPU based system if you're going to get something new. Don't bother with the legacy J1*** or 1037U stuff unless it's dirt cheap. There's no need to get the quad stuff, it's not going to help your cause unless you're going to run a huge squid cache or whatever.

https://www.newegg.com/Product/Product.aspx?Item=N82E16856102213 + https://www.amazon.com/Apple-Thunderbolt-Gigabit-Ethernet-MD463LL/dp/B011K4RKFW?crid=2I2AFJ2J7GCEF + https://www.newegg.com/Product/Product.aspx?Item=N82E16820156148 (or 8Gb) + a USB-stick

That'll give you Intel and Broadcom NICs, all the new fancy CPU instructions and whatnot.

How's the connectivity and latency on the Thunderbolt NICs?

EDIT: so this ZBOX has Intel NICs for about the same price. Also like 15 W under peak sustained load or something like that. I also may have found a third option. I also see those NUCs get sold in user groups used for cheap sometimes too.

Agreed -- there are newer options for ITX boards that provide greater performance at a comparable price point. Those older boards are just what I have had running here successfully for several years.

USB 3 / Thunderbolt is faster than GigE and a quality NIC shouldn't introduce any significant latency.

Thunderbolt is essentially PCIe so much better than USB or similar.

...and apparently the new NUCs use TB3, which uses another connector... :-/


What about the Fitlet2?

It has 2 Intel GigE NICs, quad core, low power.

Just to chime in here, we have at least 10 customers running on CI327s with LEDE/OpenWRT installed and have never had an issue with the Realtek NICs. That said, the older firmware/driver for them did cause things to crash, but it's been 2-3 years since that seems to have been fixed. We don't have anyone doing higher than 50/50 right now so can't speak to actual performance on VPN/etc but others have already covered that. If you are future proofing, the CI329 is finally starting to hit availability and might be a nice incremental upgrade for almost the same price...

There are other x86 options available for sure, but for us the key point was price point and product availability; Zotac is a long-standing brand and is stocked locally here by a number of suppliers, so if we ever need a spare unit they are easily attainable.

So long as there are still no problems with Realtek at 900+ Mbps I think this would say it all. Realtek may have improved enough that it's not an issue anymore, and I know the CI327 has been good for me as a media box and to let my kids play Minecraft and things. If I could find it the CI329 would be my first choice, but it seems like they're not widespread yet, so I'd look into the 327. I agree totally about the availability issue. Lots of fly-by-night Chinese importers are out there, but Zotac is available consistently via major sources, like Amazon, Newegg, Frys etc., and the prices are very good.

EDIT: testing between my kid's CI327 and my desktop I can use iperf3 to transfer ~920 Mbps consistently without issue.

Despite being announced in the spring there was obviously some kind of manufacturing or logistics delay on the 329s, as we have just seen them starting to show up at suppliers in the last week or two. I would expect, because the models are so close, that before long the 327 will be dropped and directly replaced by the 329. Zotac was offering $20-$30 rebates on the 327 in October so I suspect they are trying to help retailers clear them out to make room for the newer units. That's just my guess though, I'm in no way associated with Zotac to know for sure.

The CI329 would likely choke at 900 Mbps, especially with stuff like SQM, encrypted DNS and VPN all stacked on. It benchmarks lower than the AMD chip listed in the servethehome article linked a few posts above. It benchmarks lower by a significant amount, almost half; this is saying something: if a chip almost twice as powerful chokes (roughly speaking; benchmarks are not an end-all-be-all), so would this.

That's not to say the CI329 wouldn't be good (as commenters have stated above, requirements aren't as high as I think, but no comments on stacking multiple features or enabling VPN/IDS), but I'd consider an i5 future proof. Additionally, the ZBOX linked above with Realtek NICs still has complaints from this year and last of NIC drivers crashing and hanging at semi-regular intervals with pfSense/OPNsense. Could it be a NIC with an older firmware?

Encrypted DNS is going to be roundoff error. I can't imagine you are going to make more than 100 DNS requests a second continuously, and that'd be maybe 1.2 Mbps.

VPN is its own thing. There are two issues, one is processor power on your end, and the other is processor power on your VPN provider's end. Even if your computer can handle say 600Mbps of VPN, it's unlikely your provider is willing to dedicate that kind of resources to you, so they'll probably limit you to something like 100Mbps.

As far as shaping goes, I know the CI329 is substantially faster than the J1900 and the J1900 can do a gigabit shaping, particularly on a bonded dual NIC setup. The CI329 has dual NICs, so I'd definitely bond them and use different VLANs for WAN and LAN (you'll need a smart switch).

In all likelihood the CI329 will do everything you realistically are going to want it to do at a gigabit + several hundred megabits of VPN.

Note also that pfSense/OPNsense is an entirely different operating system, so the performance of the drivers there is totally unrelated to the Linux performance. Also I suspect the shaping code on pfSense is very, very different as well.


Shaping on pfSense is broken or I'd be on the pfSense forums. Right now, as pointed out by one of the bufferbloat.net guys, the fq_codel or whatever SQM pfSense uses has a NAT bug/issue atm. This also factors in for me as well: LEDE may not be my end-all-be-all. However, $ is also a big factor. Right now most of the suggestions are similarly-ish priced. The only kicker is the NIC dongle for the NUC is a pita with my very limited space.

However, your points really help out. The only question I have is: would you still bother bonding with Intel NICs? Even at 200 Mbps service?

EDIT: so is the CI329 confirmed Realtek?

I would but for other reasons. The bond will also give you redundancy, which means if you have a cable issue or whatever you wouldn't lose your connection. Whereas without the bond, if you lose a cable on NIC 1 it's either going to completely kill WAN or completely kill LAN. So the bond is useful for both speed reasons and reliability reasons.


I would "bother" with either Intel or Broadcom, I've seen too much funky stuff with Realtek NICs to consider them reliable...


How bad would an Intel Core i3-3220 do? It has NO AES or AES-NI. Would a VPN tunnel between 2 of my own networks (at 200 Mbps and 1 Gig) murder the routing performance?

EDIT: I assume a Ryzen or AMD Athlon 200GE wouldn't do too badly?

Without hardware crypto acceleration, getting anywhere close to 1 Gbps of VPN throughput is unlikely.


Might be doable with WireGuard?

Getting AES-NI is more important than getting a Ryzen or etc. J3160 and J4050 or whatever recent Celeron processors with 4 cores and AES-NI should do very well for routing, SQM, VPN at certainly 200 Mbps and maybe up to 1G (WireGuard on those processors might handle a Gig? I don't know).
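The two open questions in this thread (does the i3-3220 lack AES-NI, and does WireGuard care) can be settled on the box itself. The script below is an added example, not from any poster: it checks the `flags` line of a cpuinfo file for the crypto-relevant CPU features and, when run with `--live`, benchmarks AES-256-GCM (what OpenVPN/IPsec typically use) against ChaCha20-Poly1305 (WireGuard's cipher, which does not use AES-NI at all) with `openssl speed`. The sample cpuinfo is constructed to resemble an i3-3220 and is not captured output.

```shell
#!/bin/sh
# Added example: report crypto-relevant CPU flags and optionally benchmark
# the two cipher families a router VPN will use. Assumes a Linux /proc/cpuinfo
# layout and an OpenSSL 1.1+ binary; nothing here is from the thread's posters.

# Return 0 when FLAG appears in the first "flags" line of the cpuinfo file.
cpu_has_flag() {
    cpuinfo="$1"; flag="$2"
    grep '^flags' "$cpuinfo" | head -n 1 | tr ' ' '\n' | grep -qx "$flag"
}

# Print yes/no for each flag that matters for VPN crypto throughput:
# aes (AES-NI), pclmulqdq (GCM's GHASH), avx2 (ChaCha20/Poly1305 SIMD paths).
crypto_flags_report() {
    cpuinfo="$1"
    for f in aes pclmulqdq sse4_2 avx2; do
        if cpu_has_flag "$cpuinfo" "$f"; then echo "$f: yes"; else echo "$f: no"; fi
    done
}

# Benchmark both ciphers on this machine; figures are per core, single thread.
bench_live() {
    crypto_flags_report /proc/cpuinfo
    if command -v openssl >/dev/null 2>&1; then
        openssl speed -elapsed -seconds 3 -evp aes-256-gcm 2>/dev/null | tail -n 2
        openssl speed -elapsed -seconds 3 -evp chacha20-poly1305 2>/dev/null | tail -n 2
    fi
}

# Constructed sample in the style of an i3-3220: SSE4.2 and AVX, no AES-NI.
SAMPLE_CPUINFO=$(mktemp)
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor	: 0
model name	: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
flags		: fpu vme sse sse2 ssse3 sse4_1 sse4_2 popcnt avx
EOF

echo "== constructed sample (i3-3220 style) =="
crypto_flags_report "$SAMPLE_CPUINFO"
rm -f "$SAMPLE_CPUINFO"

# Only touch the real machine when asked, so the sample run stays offline.
if [ "${1:-}" = "--live" ] && [ -r /proc/cpuinfo ]; then
    echo "== this machine =="
    bench_live
fi
```

On a CPU without the `aes` flag the AES-256-GCM row will typically be several times slower than the ChaCha20-Poly1305 row, which is the practical basis for the "maybe with WireGuard" reply above.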