Intel hardware for pfSense
-
I see. If, in the future, I wanted to use pfSense to route between subnets at gigabit speed, what should I get, assuming cost is not an option?
On the VLAN note, I'm wondering how secure pfSense's inter-VLAN routing mechanism is, especially in a one-armed router scenario. I'm reading some whitepapers on this as I type.
Thanks.
-
For gigabit wire speed, you're going to need server-class hardware, or something with PCI-e NICs. You can't firewall gigabit at true wire speed with a 32-bit PCI bus; the bus isn't fast enough. Any new server-class machine with dual onboard gigabit NICs should be more than adequate for 1 Gb wire speed.
The router on a stick scenario (as Cisco calls it, and I tend to stick with Cisco's nomenclature) is as secure as your firewall rules and your switch configuration. Never use the default VLAN, and adhere to any security recommendations your switch vendor outlines in their documentation. And of course with your firewall ruleset, be as restrictive as possible.
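A back-of-the-envelope check of the PCI-bus claim above, as an added example (written for this edit, not code from the thread or from the pfSense project). It models what a practitioner actually has to count: every forwarded packet is DMA'd from the ingress NIC into RAM and then from RAM out to the egress NIC, so it crosses the expansion bus twice, and on conventional PCI every card shares one half-duplex bus. The bus figures are nominal peaks; the 80% sustained-efficiency threshold is an assumption.

```python
"""Bus-bandwidth sanity check for a software router/firewall (added example)."""
from dataclasses import dataclass

GBIT = 1_000_000_000  # bits per second
GBE = 1 * GBIT        # one Gigabit Ethernet port, per direction


@dataclass(frozen=True)
class Bus:
    name: str
    bps: int       # peak raw bit rate: total for a shared PCI bus, per direction for PCIe
    shared: bool   # True: one half-duplex bus shared by every card plugged into it


def pci(width_bits: int, mhz: float) -> Bus:
    """Conventional parallel PCI, e.g. pci(32, 33.33) -> ~1.07 Gbit/s total for the whole bus."""
    return Bus(f"PCI {width_bits}-bit/{mhz:g} MHz", int(width_bits * mhz * 1_000_000), shared=True)


def pcie(lanes: int, gen: int = 1) -> Bus:
    """PCI Express link; gen1 is 2.5 GT/s per lane with 8b/10b coding, i.e. 2.0 Gbit/s payload
    per lane per direction, and every slot has its own point-to-point full-duplex link."""
    gtps = {1: 2_500_000_000, 2: 5_000_000_000}[gen]
    return Bus(f"PCIe x{lanes} gen{gen}", lanes * gtps * 8 // 10, shared=False)


def bus_utilization(bus: Bus, ports: int, link_bps: int = GBE) -> float:
    """Fraction of bus capacity needed when `ports` NICs on this bus all run at line rate
    in both directions (the worst case for a router). A value above 1.0 is impossible."""
    if bus.shared:
        # rx of every port crosses the bus once (NIC->RAM), tx of every port crosses it
        # once (RAM->NIC), and all of it competes for the single shared bus.
        demand = ports * link_bps * 2
    else:
        # Point-to-point, full duplex: inbound DMA writes and outbound DMA reads travel in
        # opposite lane directions, so only the per-direction sum matters.
        demand = ports * link_bps
    return demand / bus.bps


def line_rate_possible(bus: Bus, ports: int, link_bps: int = GBE, efficiency: float = 0.8) -> bool:
    """Assume (hypothetically) the bus sustains `efficiency` of its raw peak after arbitration
    and protocol overhead, and ask whether the line-rate demand fits under that ceiling."""
    return bus_utilization(bus, ports, link_bps) <= efficiency


if __name__ == "__main__":
    for bus, ports in [(pci(32, 33.33), 2), (pci(64, 133), 2), (pcie(1), 2), (pcie(4), 2)]:
        u = bus_utilization(bus, ports)
        verdict = "ok" if line_rate_possible(bus, ports) else "not at wire speed"
        print(f"{bus.name:22} {ports} x GbE full duplex needs {u:5.2f} of bus peak -> {verdict}")
```

Two gigabit ports on a 32-bit/33 MHz PCI bus ask for roughly 3.75 times what the bus can move at all; even a single port running one direction only is at about 94% of the raw peak, which is why the post says it cannot be done. A dual-port card on a single PCIe gen1 lane is exactly at 100% of the per-direction budget, so the x4 slots Intel server NICs ship with are not decorative.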
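A minimal pf ruleset illustrating the router-on-a-stick advice above: default deny between VLANs, no traffic accepted on the untagged (default) VLAN, and anti-spoofing so a host in one VLAN cannot claim an address from another. This is an added example, not pfSense's generated configuration; the interface names (em0 as the trunk, vlan10/vlan20/vlan30 as the tagged children) and the roles assigned to each VLAN are assumptions.

```pf
# Added example, not pfSense's generated rules. Assumed layout (one-armed router):
#   em0     trunk to the switch, carrying only 802.1Q-tagged frames
#   vlan10  users, vlan20 servers, vlan30 management, each created with e.g.
#           ifconfig vlan10 create vlan 10 vlandev em0
trunk   = "em0"
users   = "vlan10"
servers = "vlan20"
mgmt    = "vlan30"

set skip on lo0
set block-policy drop
scrub in all

# Default deny for everything entering the firewall; every allow below is explicit.
block in log all

# Frames that arrive on the parent interface are untagged, i.e. the native/default VLAN.
# This design never uses it, so anything showing up there is a misconfiguration or an attack.
block in log quick on $trunk all

# A host in one VLAN must not forge a source address belonging to another VLAN.
antispoof log quick for { $users $servers $mgmt }

# users -> servers: HTTPS only; state lets the replies back without a second rule.
pass in quick on $users proto tcp from $users:network to $servers:network port 443 keep state

# Any VLAN may use the firewall's own resolver.
pass in quick on { $users $servers $mgmt } proto udp from any to self port 53 keep state

# Only management may reach the firewall's SSH and web GUI.
pass in quick on $mgmt proto tcp from $mgmt:network to self port { 22 443 } keep state

# Nothing else crosses between VLANs; in particular servers cannot initiate to users.
```

Two caveats that belong with this design: the firewall rules only hold if the switch port facing the firewall is configured as a pure trunk with the default VLAN pruned and no native VLAN mapped onto it, since a frame the switch delivers untagged lands on em0 and is dropped by the second rule rather than being routed. And because every inter-VLAN packet enters and leaves on the same physical link, aggregate inter-VLAN throughput is capped by the trunk speed before the CPU becomes the limit.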
-
Thanks cmb. I forgot to mention that I'll be running Snort and doing traffic shaping as well. Some of those packages, like ntop, pfstat and iperf, look real nice too…
-
Just out of curiosity: if a NIC with a dual connector is inserted, like the Intel server NIC the topic starter suggested, will he see two interfaces in the pfSense GUI that he needs to configure? How does this work in practice?
(Give the guy who made the Firefox spelling checker a huge ice cream, I sure do need it!)
-
Shows up as two interfaces. Just like two separate cards.
-
Yeah, to the OS, a two-port card looks no different than two individual NICs. A four-port card looks no different than four individual NICs, etc.
If you want to run Snort, that's one of the (ahem) piggier packages resource-wise; you'll want 512 MB RAM minimum.
-
That's no problem, I want to equip it with 2 GB.
-
I've done a bit more planning, and now realize that I may want to use pfSense to route and filter between 4 subnets... at gigabit speed... or faster (using LACP)... while running Snort... and terminating an IPsec tunnel... and doing traffic shaping (especially for SIP)... while load balancing 2 or 3 WANs... and CARP. What will it take?
-
Load balancing essentially breaks several of the useful packages/services, particularly traffic shaping, just an FYI.
-
I've done a bit more planning, and now realize that I may want to use pfSense to route and filter between 4 subnets... at gigabit speed... or faster (using LACP)... while running Snort... and terminating an IPsec tunnel... and doing traffic shaping (especially for SIP)... while load balancing 2 or 3 WANs... and CARP. What will it take?
This is more than I'd suggest running on any single box.
I'd split it out into two machines (or two CARP clusters). One for routing and filtering between internal subnets at gigabit. You'll most likely have to run Snort on a different machine; you're not going to be able to route at gigabit speeds and have Snort analyze at the same speeds on any hardware. Routing 4+ Gbps is going to require a new server-class machine.
Second, I'd put up another machine or CARP cluster at your perimeter, which could do Snort, load balancing, etc. Not sure how the shaper would work in a multi-WAN environment, but I'm guessing not real well.