PfSense or other Firewall for growing company with 10Gbps internet connection?
-
@shaw222 If you compare specs to say the 1541 that will give you a starting point.
https://shop.netgate.com/collections/rack-appliances
OpenVPN uses a single core. Don’t expect 10 Gbps speed. Note the 1541 shows IPSec “IMIX Traffic: 1.77 Gbps.” How active are the 125 connections?
10gbps fiber or copper?
TNSR doesn’t have IDS or OpenVPN but has IPSec.
-
@shaw222 said in PfSense or other Firewall for growing company with 10Gbps internet connection?:
I intend to buy pfsense plus and pay for the netgate support if I choose to deploy the pfsense solution.
Maybe you should contact support to help you with picking the hardware as well.
-
@steveits said in PfSense or other Firewall for growing company with 10Gbps internet connection?:
https://shop.netgate.com/collections/rack-appliances
Thanks Steve. If TNSR doesn't support OpenVPN, how do I get the VPN connections?
Also, how can I implement an IDS/IPS solution with this?
I will send you the typical bandwidth usage by VPN clients by end of business today.
-
@heper I will, thanks
-
@shaw222 “throw hardware at it” seems overly simplistic but the requirements are really high for pfSense. Can you somehow offload the VPN to an internal server or second router instead of the primary router? Switch to IPSec?
@stephenw10 may have suggestions.
-
Yeah, to get a real 10Gbps throughput in pfSense requires serious hardware, and if you need to run Snort/Suricata and ntopng at those rates then you're looking at close to the fastest you can get.
Offloading the OpenVPN connection is certainly something I would consider for a connection that size. It would at least make it a lot more flexible.
-
@steveits said in PfSense or other Firewall for growing company with 10Gbps internet connection?:
Can you somehow offload the VPN to an internal server or second router instead of the primary router? Switch to IPSec?
Hi Steve - I haven't done this. Can you point me to a link on how to do it? So if I am to guess, the primary firewall will allow the VPN traffic and direct it to a secondary firewall which will do the authentication and management (thereby freeing the overhead from the primary firewall?)
-
@stephenw10 said in PfSense or other Firewall for growing company with 10Gbps internet connection?:
Yeah to get a real 10Gbps throughput in pfSense requires serious hardware and if you need to Snort/Suricata and ntopng at those rates then you're looking at close to the fastest you can get.
Off loading the OpenVPN connection is certainly something I would consider for a connection that size. It would at least make it a lot more flexible.
Hi Stephenw10 - Can I run snort/suricata on a secondary machine? How do I go about doing that? Also, how can I make the primary firewall High Availability? (by adding similar hardware and having it on standby?)
-
As an IDS you could. In fact we had a write up of using TNSR to mirror traffic to Snort:
https://github.com/Netgate/TNSR_IDS
But that would only be for analysing, not for blocking.
pfSense supports HA: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#high-availability
-
@shaw222 I don’t have a link but forward the ports to your VPN server running on your LAN. I was just brainstorming.
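The "forward the ports to a VPN server on the LAN" idea above, written out as the raw pf rules it amounts to. This is an added example, not code from the thread, from pfSense or from Netgate; pfSense builds its ruleset from the GUI (Firewall > NAT > Port Forward, System > Routing > Static Routes), and the interface names, addresses, tunnel network and port below are assumptions.

```pf
# Added example (not from the thread): pf rules to hand OpenVPN off from the
# edge firewall to a dedicated VPN server, so the firewall's single-threaded
# OpenVPN process is no longer in the 10 Gbps path.
# All names and addresses are assumed values for illustration.
ext_if  = "ix0"            # WAN interface (assumed)
lan_if  = "ix1"            # LAN interface (assumed)
vpn_if  = "ix2"            # dedicated interface the VPN server sits on (assumed)
lan_net = "10.10.0.0/24"   # internal LAN (assumed)
vpn_srv = "10.30.0.5"      # OpenVPN server on $vpn_if (assumed)
vpn_net = "10.20.0.0/24"   # tunnel network that server hands to clients (assumed)

# 1. Redirect inbound OpenVPN (UDP 1194 assumed) arriving at the WAN address
#    to the internal server. "rdr pass" both translates and allows the packet,
#    so no separate inbound filter rule is needed for this leg.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port 1194 -> $vpn_srv port 1194

# 2. The firewall must know that $vpn_net lives behind $vpn_srv, otherwise
#    replies to VPN clients go to the default gateway. In raw FreeBSD this is
#       route add -net 10.20.0.0/24 10.30.0.5
#    (in pfSense: a gateway on $vpn_if plus a static route for $vpn_net).

# 3. Only decrypted client traffic crosses the firewall now; allow it in
#    both directions and keep state so replies are matched.
pass in on $vpn_if inet from $vpn_net to $lan_net keep state
pass in on $lan_if inet from $lan_net to $vpn_net keep state

# 4. Do not let VPN clients reach the firewall itself or the WAN by accident;
#    anything not matched above falls through to the default block.
block in quick on $vpn_if inet from $vpn_net to ($ext_if)
```

The VPN server is deliberately placed on its own interface rather than on the LAN segment: if it shared the LAN with the hosts it serves, the first packet of each flow would go server-to-host directly while the host's reply (destined for the tunnel network it has no route for) would come back through the firewall, and pf would drop that reply as out-of-state. A dedicated interface keeps both directions of every flow through the firewall, so the stateful rules work and the VPN server can still be inspected by Snort/Suricata like any other internal segment. The firewall still forwards the decrypted client traffic, but plain stateful forwarding is far cheaper than doing the OpenVPN crypto on one core.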