Small footprint box

covex · Apr 29, 2007, 7:25 PM

hey guys! could somebody recomend a small footprint box that can hold 50-100 ipsec (3des/md5) tunnels and 30 stations on the lan side. my inet connection is 4077/1451 kbps but can be upgraded in the future to something slightly faster. currently i have pfsense running on an ugly p4 box but would like to have something compact and looking like network appliance (no audio jacks or other unnessesary staff sticking out LOL)
here is one i'm loking at currently http://www.axiomtek.com/Download/Spec/na-806b.pdf
but it has celeron inside and all i see here is c7 or p4 people talking about.
ps. rackmounted is not an option. i got no racks here. ;D

hoba · Apr 29, 2007, 8:43 PM

Check our recommended vendors: http://pfsense.org/index.php?id=40
Some offer smal desktop appliances, just what you are looking for.

covex · Apr 29, 2007, 9:23 PM

what about celerons? are they up to the task at all?

hoba · Apr 29, 2007, 9:43 PM

It is a question of how much bandwidth you need to push and which encryption you have to handle. For you WAN-bandwidth it should be able to handle the encryption on the fly. However 50-100 tunnels on that bandwidth sounds a bit keen imo. Depends on traffic needs however.

covex · Apr 29, 2007, 9:55 PM

right now the whole setup been used for tech support access to remote pc's via pcanywhere-like soft, access to internal website over the vpn and file transfer. there are plans to add access to a sql server from remote sites in the nearest future.
what puzzles me is that i have netgear fvx538 device with intel ixp425 533mhg cpu/16mb flash/32mb ram and they claiming that it can run 200 vpn tunnels. it has cavium nitrox on board though.

hoba · Apr 29, 2007, 10:26 PM

The via C3/C7 have support for hardware encryption inside the CPU (padlock) but afaik we don't have it enabled currently. The last time we tested it (which was a long time ago) it didn't work, that's why we disabled it.

covex · Apr 29, 2007, 11:00 PM

what about pentium m. is it any good?

hoba · Apr 29, 2007, 11:07 PM

The question is always "good for what". You can't say that in general. I don't see any cpu (celeron, pentium-m, c3, c7,…) having problems with the specs that you mention unless you run from something with very low megahertz (like a wrap or a soekris).

covex · Apr 30, 2007, 12:40 AM

:)
ok, lets put it this way. how far celeron/pentium m with 1gb memory and some intel nics can go as a strictly vpn appliance?
for example, netgear tells me that ixp425/32mb ram will run 200 tunnels with 60 mbps 3des throughput, or linksys on samsung arm/have_no_idea_how_much_memory device befvp41 will run 50 tunnels with 700kbps.

cmb · Apr 30, 2007, 12:56 AM

We have decent test environments thanks to the vendors on our recommended vendors page, but we don't have the huge resources that Netgear has for setting up a test environment to simulate 200 tunnels and 60 Mb throughput, etc.

My educated guess would be 500 MHz with 256 MB RAM will handle 50-100 IPsec tunnels and your 4/1.5 Mb Internet connection with no problem. Bandwidth would be the primary concern for hardware sizing, and 4/1.5 is so little that pretty much any CPU over 300-400 MHz should be fine, just a matter of having enough RAM for that many tunnels and even 128 MB may be adequate for that.

covex · Apr 30, 2007, 5:07 AM

well… as some girls say "size doesn't matter" ;D
even with it's huge resourses netgear can't come up with a decent firmware for it's business-class router and yours is working right out of the box.

covex · May 1, 2007, 4:39 AM

i've found what i was looking for! :)
http://www.portwell.com/products/detail.asp?CUSTCHAR1=NAD-2081
but i has marvell nics on board and i can't find them in the list of supported hardware. are they not supported at all?
and also is cavium supported by pfsense?

Cry Havok · May 1, 2007, 8:50 AM

It looks like the sk driver has supported that chip since FreeBSD 5.3, so pfSense should be fine. That said, the official FreeBSD documentation doesn't reflect this, just some CVS logs and mailing list postings…

covex · May 8, 2007, 5:53 PM

i tried to google "marvell 88e8001 pfsense" and all posts there say that it's not working. can't find anything about freebsd.

covex · May 29, 2007, 4:42 AM

dear experts…
between these two boxes
http://advantech.com/products/Model_Detail.asp?model_id=1-23A32I&BU=NCG&PD=

http://portwell.com/products/detail.asp?CUSTCHAR1=NAD-2081

which one would you pick...

cmb · May 29, 2007, 11:12 PM

I believe that Marvell chipset is the same one Scott has in one of his firewalls at work and hasn't had good luck with. The other box doesn't even list what NIC chipset is used at all, that I see.

Given that, my answer would be "neither", unless you can figure out what NIC chipset that other one uses.

covex · May 30, 2007, 2:34 AM

_One 10/100 Intel 82562 FE port for management
Gigabit Ethernet Four 10/100/1000 Mbps GbE ports

FWA-700 GbE Controller 4 x Marvell 8053_

or

_FWA-710 4 x Intel 82573

LAN Bypass Two segment on GbE ports_

dotdash · May 31, 2007, 3:15 AM

I think your best bet of those would be the FWA-710. Intel GB NICs FTW.

kapara · Jun 9, 2007, 1:19 AM

Did you end up buying the FWA-710? Looks interesting. Did you get pricing on the unit? Would be interested to know.

Thanks

covex · Jun 10, 2007, 1:31 AM

no… couldn't get through to sales rep there so i got myself nad-2081 http://portwell.com/products/detail.asp?CUSTCHAR1=NAD-2081
nice unit. even though cmb was warning me about marvell chips it works fine. all 4 interfaces were recognized right out of the box.