    Just a firewall, in hardware.

    33 Posts 8 Posters 6.1k Views
    kroberts

      @P3R,

      I'm still looking at options for hardware, and using some of your recommendations as starting points.

      My outer firewall will probably be Linux.  It's something I know, and I can compile a kernel with almost all the features removed and throw together an insanely small flash card image with nothing on it which is unnecessary.  I can script the install to a flash card, and software updates would be swapping out the flash card.

      This way there won't even be any support for features I don't want, and no way to instigate a connection from that box inward.

      @Pylor,

      I posted all that because it seems you don't understand it, or maybe it's just the nature of vulnerabilities.  You don't anticipate where a future bug or vulnerability might be.  If you knew where to look, someone could just pay more attention to that bit of code and everything would be cool.

      Anything which is designed by a human can and probably does have faults.  Our minds are not all-encompassing, and if a scenario comes up we hadn't thought of, then it's extremely possible that our hardware or software is lacking.

      I really don't think the "small target" theory holds much water.  If nothing else, attackers are interested in a new place to attack from, even if my computers don't hold any data they're interested in.  And you can't anticipate the reasoning for what a black hat does either.  The NSA is looking for intelligence it can use for fulfillment of its mission, and probably people who work there have a few of their own personal interests as well, who knows?  Some guys want your money, some guys want your identity, some guys want to break anything they can touch, and some guys are after information of a different sort.

      The universe we don't know is much bigger than the one we know.  I intend to do what I can about the things I know, and account for as much that I don't know as I'm able.

      P3R

        @kroberts,

        Since you already have the knowledge, the Linux approach is perfect. If you search this forum you will find many suggestions of non-expensive hardware that should be adequate even for high speeds if necessary, considering the fairly simple task your outer firewall will have.

        Pylor

          OP, it sounds like you know what you want, so I apologize for derailing this topic with conjecture.  I'm curious as to what you plan to run on this appliance; in your first post you mention you want logging in case there's "something fishy" going on.  Does that include packet filtering on the gigabit internet connection?  It sounds like you'll need something ITX-sized at least if you plan on being prepared for 10Gb; do you have any size preferences or sound preferences?

          I'm not good at picking out appliance-like devices, but it may help some other people offer suggestions.

          kroberts

            I have a very specific idea of what I want to do, but I'm terrible at picking hardware.  Which is why I started this thread.

            The 10gbps nic isn't actually planned, but it would be nice to have something that could handle it.  Thinking about it now, I should remove that as a requirement because I think it automatically bumps me up in price beyond any reasonable over-sizing of a gigabit connection.

            I would prefer ecc-capable hardware though, which I don't think I added to my original spec.

            Logging:  My intent is a read-only boot for the outside firewall.  Perhaps even dhcp-boot, and maintain the image on a server inside.  Logging would necessarily be abbreviated so it can fit inside of a gigabit line.  I guess that could technically be a reason for a third nic.

            Guest
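The outer-box design kroberts sketches above (a stripped Linux image that must never start a connection inward, plus a possible third NIC reserved for shipping abbreviated logs to a collector) maps onto an nftables ruleset like the one below. This is an added example, not configuration posted in the thread; the interface names wan0, lan0 and log0 and the collector address 10.99.0.10 are assumptions. The point of the output chain is that the firewall's own traffic is dropped by default: it may answer flows that already exist, send syslog on the dedicated log interface, and nothing else, so a compromised outer box cannot open a new flow toward the inner network even if an attacker has a shell on it.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed interfaces and addresses:
#   wan0  upstream / Internet
#   lan0  toward the inner pfSense box
#   log0  dedicated log segment, collector at 10.99.0.10
flush ruleset

define WAN     = "wan0"
define LAN     = "lan0"
define LOG     = "log0"
define LOGHOST = 10.99.0.10

table inet outer_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # ICMP/ICMPv6 so PMTU discovery and neighbour discovery keep working
        meta l4proto { icmp, ipv6-icmp } accept
        # DHCP offers/acks for the box's own WAN lease; no SSH, no web UI:
        # the image is read-only and updated by swapping the media
        iifname $WAN udp sport 67 udp dport 68 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Only the inner network may open new flows, and only toward the Internet
        iifname $LAN oifname $WAN ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # The one flow this box may start: abbreviated syslog to the collector,
        # and only on the dedicated log NIC
        oifname $LOG ip daddr $LOGHOST udp dport 514 accept
        # DHCP client requests (WAN lease, or netboot of the image over log0)
        oifname { $WAN, $LOG } udp sport 68 udp dport 67 accept
        # Anything the firewall itself tries to start toward the inner network
        # is logged and dropped; this is the "no way to instigate a connection
        # inward" property stated in the post
        oifname $LAN ct state new log prefix "fw-originated-inward " drop
    }
}
```

Load it with nft -f and review with nft list ruleset. Two caveats for the stripped-kernel approach: the established,related matches need nf_conntrack compiled in or loadable, and DHCP clients that use raw packet sockets bypass the output hook entirely, so the DHCP output rule only matters for clients that use ordinary UDP sockets.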

              @kroberts:

              I have a very specific idea of what I want to do, but I'm terrible at picking hardware.  Which is why I started this thread.

              The 10gbps nic isn't actually planned, but it would be nice to have something that could handle it.  Thinking about it now, I should remove that as a requirement because I think it automatically bumps me up in price beyond any reasonable over-sizing of a gigabit connection.

              I would prefer ecc-capable hardware though, which I don't think I added to my original spec.

              Logging:  My intent is a read-only boot for the outside firewall.  Perhaps even dhcp-boot, and maintain the image on a server inside.  Logging would necessarily be abbreviated so it can fit inside of a gigabit line.  I guess that could technically be a reason for a third nic.

              Read-only booting can be done using a CD-R, or a USB stick with a hardware write-protect switch. Configuration needs to be somewhere though, maybe on a separate writable storage device? Using network booting or server-served images isn't going to help you security-wise if the server were compromised. If you want to protect yourself from local hardware access hacks, network booting only helps if your image server cannot be compromised the same way the router can be.

              Regarding hardware: would a X10SLV-Q and a Xeon E3 v3 (use a Dynatron K199 cooler) not fit the bill? There is no iKVM on that board, but other than that it gets pretty much everything done and can be mounted in a 1U high case (be it an actual rack case or a wallmounted or desktop case). It's about 500 euros to setup here, not sure what the prices would be at your location.

              Pylor
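The split the Guest describes above, a read-only boot image with the configuration on a separate writable device, leaves exactly one writable thing an attacker with local access could alter. The following added example (not code from the thread) shows the boot-time checks such an image would run: confirm the root filesystem really is mounted read-only, then verify the writable configuration directory against a sha256 manifest. The manifest is assumed to be generated on the trusted inner server and shipped inside the read-only image, so the writable partition cannot alter it; the paths /config and /etc/config.manifest, and the file names used in the constructed test data, are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: boot-time checks for a firewall image
# that boots read-only and keeps its configuration on a separate writable
# partition. Assumed layout: root on read-only media, /config writable, and a
# sha256 manifest produced on the trusted inner server and shipped inside the
# read-only image. Needs only POSIX sh, awk, find, cmp and sha256sum
# (coreutils or busybox).

# mount_is_readonly MOUNTPOINT [MOUNTS_TABLE]
# Returns 0 if MOUNTPOINT is listed in the mounts table (default /proc/mounts)
# with the "ro" option, 1 otherwise. The table is a parameter so the check can
# be exercised against a constructed table.
mount_is_readonly() {
    mp="$1"
    table="${2:-/proc/mounts}"
    # /proc/mounts columns: device mountpoint fstype options dump pass
    awk -v mp="$mp" '
        $2 == mp { seen = 1; n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1 }
        END { exit !(seen && ro) }' "$table"
}

# make_config_manifest CONFIG_DIR
# Prints "sha256  ./relative/path" for every regular file, sorted by path.
# Run this on the trusted server when producing a new image.
make_config_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# verify_config_manifest CONFIG_DIR MANIFEST
# Returns 0 only if every listed file is present with the listed hash AND no
# unlisted files exist in CONFIG_DIR: a dropped-in extra file (say, a second
# rules file that a script globs in) is as suspicious as a modified one.
verify_config_manifest() {
    cfg="$1"
    manifest="$2"
    # sha256sum -c runs after cd into the config dir, so the manifest path
    # must be absolute
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac

    # 1. Listed files: -c fails on any hash mismatch or missing file.
    ( cd "$cfg" && sha256sum -c "$manifest" >/dev/null 2>&1 ) || return 1

    # 2. Unlisted files: the sorted path lists must be identical.
    listed=$(mktemp) || return 1
    present=$(mktemp) || return 1
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$cfg" && find . -type f ) | LC_ALL=C sort > "$present"
    cmp -s "$listed" "$present"
    rc=$?
    rm -f "$listed" "$present"
    return $rc
}

# Boot-time use (assumed paths). Only runs when the script is executed under
# this name, not when the functions are sourced by something else.
if [ "${0##*/}" = "fwcheck.sh" ]; then
    mount_is_readonly / || { echo "root filesystem is not read-only" >&2; exit 1; }
    verify_config_manifest /config /etc/config.manifest \
        || { echo "/config does not match the shipped manifest" >&2; exit 1; }
fi
```

A failed check should refuse to bring up the interfaces rather than just log, since the log collector is reached through configuration that has just failed verification. Rotating a new configuration means producing a new manifest on the inner server and re-imaging the read-only media, which is the same workflow kroberts already planned for software updates.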

                Is there a price range/region for what you're looking for?  Maybe power considerations?  I know you have an Atom board for your virtualization box, which leads me to think you'd want something similar in power draw to that box.

                I will say that if you want something relatively solid but lightweight processing-wise, you could use a TS-140, which sells for cheap on Amazon.  They come with the lowest-end i3 there is (4130) and 4GB of ECC 1600MHz memory, which fits your original specs.  It also has 3x PCI Express expansion slots, 2 of which could easily support a modern NIC card.  I will say that the BIOS is a bit "meh" on it though.  With an old gigabit CT card I had lying around it booted fine and fast.  With the Intel 82571GB dual-port card I grabbed off of eBay it would hang at the BIOS screen for a minute and a half before reluctantly booting.  It did work fine once booted; I just think it has some sort of code in the BIOS that looks for vendor information.  It also could have been due to the UEFI booting, but I didn't test non-UEFI.

                Mine idles at 30 watts from the wall with an SSD and an AMD 270x video card in it.  I re-purposed it as an HTPC with a backup copy of my pfSense.  They also have lots of USB3 ports, so you could get a write-protect-switch USB3 drive and use that.

                If you were looking for something more appliance like, the netgate store looks like it has some really neat light-weight/powered appliances that could suit your purpose.  They have devices that run off of the SD cards like what you originally mentioned.  They'd use less power, take up less space, and also in general be more appliance-y.

                kroberts

                  For price point, I guess I would be looking for "cheaper."  Meaning, cheaper than some sort of QuickAssist-enabled hardware.  Netgate has a RCC-VE-2440 appliance for $350 USD, I guess if the alternative were more than $250 I would have to think hard before going with the 2440.  It's non-ecc which is a drag but it's already set up, which kinda makes up for it.

                  Size, I was thinking about 1u or an appliance.  Power, I would hope for something less than my c2758 draws.

                  I guess a reiteration of specs based on what I think now:

                  • Cheaper than QuickAssist hardware

                  • 1u or possibly desktop, 1u preferred

                  • Probably going to be Linux

                  • Prefer Intel

                  • 2x Intel gigabit nics

                  • Ability to boot from dhcp or usb/msata

                  • Start with 4g ecc, would like ability for more

                  • PCIe-v3x8 would be nice, but not required.

                  • Capable of easily handling gigabit routing and firewall duties.

                  • Heavy lifting passed through to pfSense VM image (snort, VPN, etc)

                  Keljian

                    If (quote) "all the heavy lifting is going to be done by the Pfsense vm"

                    My advice would be to look at secondhand Haswell grade processors (i3, et al)

                    That said the aforementioned Amazon buy looks to be very cheap/worthwhile for this task.

                    I would go for an i3 over an atom because it has avx2, and that allows some serious speed with dpdk…

                    Guest

                      Hi folks,

                      There are often two camps when someone talks about running pfSense in VMs: the one camp loves it
                      and considers it, the other hates it and doesn't want to run it in production networks.

                      @kroberts
                      Did you perhaps think about installing OpenBSD and letting pfSense run in a jail?
                      Could be a solution, as I see it.

                      > Intel CPU

                      Intel Xeon E3, Xeon E5 or the new D-1500. It would be great for us to know at first
                      what exactly this pfSense appliance should do, to come closer to the point and suggest
                      something to you. Tasks? Users? Throughput?

                      > Intel nics – 2 of them.  I wouldn't mind more being present but don't
                      > intend to use them right now.

                      Tyan S5530
                      ASRock D-1500 platform
                      Supermicro D-1500 platform

                      > 4g RAM, preferably can max at 8

                      Using ECC RAM can be good because the VPN keys are generated in RAM.
                      Alix APU 1C4 - little dog
                      Soekris net6801 (Q4/2015) - small bear
                      Lanner FW-8895 - great beast

                      > Use embedded image, log to another box.

                      In some cases this is good for security, but then you could install, as recommended,
                      pfSense on one "normal" box and the Squid, Snort, logging and AV tasks on another one.

                      > At least one 8-lane pcie-v3 slot to handle a 10gbps nic just in case my scenario changes.

                      HotLava Systems multiport NICs: high port density and a lot of power, by using original
                      Intel chipsets, can save money and PCIe slots, as I see it.

                      > Cheaper than QuickAssist hardware

                      OK, at this point I want us both to think about what you really want and/or what you
                      really need! The word "cheap" together with 10 GBit/s is clearly a misconception of
                      yours! 10 GBit/s is not cheap and will not be cheap. On the back side of pfSense, I mean
                      the connection to a DMZ or LAN switch, it will perhaps work, but 10 GBit/s on the front
                      side, the WAN side I mean, is a different matter entirely, and neither is cheap!

                      pfSense is still open source, but that does not mean it can handle everything on
                      35 € hardware.

                      > 1u or possibly desktop, 1u preferred
                      > Probably going to be Linux

                      As a Squid proxy with AV, SquidGuard, Snort and logging, OK, Linux would be great for that
                      too, perhaps ClearOS or CentOS based. But this is not related to the pfSense hardware you
                      are asking about here.

                      How urgent is VPN encryption in your scenario?
                      For how many people do you have to set up this box?
                      What kind of traffic, and how much, is running through this box?

                      Is a smaller box for pfSense and a bigger one behind it as a Squid, Snort, AV and
                      logging proxy better for you?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.