Looking for advice on building a low power 1u or 2u pfsense box
-
well after searching the web non-stop it looks like i found what I was looking for, it's a somewhat expensive board, but if you consider the price of adding the nics it starts to even out.
Quanmax Industrial KEMX-4030 Core 2 Duo Mini-ITX Mainboard
http://www.logicsupply.com/products/kemx_4030
Sucks that it's out of stock at the moment.
3 onboard intel nics, and supports the mobile version of the core 2 duo. I found a similar msi board, but it supports the older Merom core and not the newer 45 nm Penryn core which has less power usage. It appears the Nehalem core is scheduled out in a mobile version (called Clarksfield) Q3 this year. One report I read says it will supposedly have 30% less power usage than the Penryn, though another report i read say it will be 30% faster clock for clock. Guess it all depends how you spin it.
Though I'm sure the Clarksfield will cost an arm and a leg when it's released, which doesn't make it a viable option, that and I want something soon. I also still wonder if an atom would meet my needs, though the more i think about it the more i doubt it. Especially since i use QOS, bit torrent, and tor somewhat heavily.Power usage is a huge concern for me. I'd rather spend an extra 100$ now to save $5 a month and make it up over the long run, but there's a limit to that too. I had one system that once i turned it off I saw the monthly electric bill drop by just over $50 (nas box with 12x200gb hard drives, 2 x 750gb, 3x400gb, that could all be replaced with like 3 x 2tb drives now)… I shut down my desktop and switched to using a laptop as my main system and the monthly electric bill dropped another $20.
-
As you have already discovered, one of the problems with the readily available mini-ITX boards is getting enough quality LAN ports. One way around that is to use a VLAN capable switch as a "port multiplier". For example, the HP/Procurve 1700-8G is one of the cheapest VLAN capable switches I have been able to find in Australia. It has a single GigE port and 7 10/100 ports. Connect the GigE port on the switch to a GigE port on a mini-ITX board and you can effectively have up to 7 "10/100" interfaces instead of the GigE interface. In practice it would probably be sufficient to have two virtual interfaces on the pfSense system: one for the WAN interface and one for LAN and switch between your in-home systems rather than route.
If you want to get a bit more switch throughput you could go to the Procurve 1800-8G (8 GigE ports).
Oh, and if your ISP provides a 100/15 link (presumablely 100Mbps download, 15Mbps upoad) you can probably still use a 10/100 link (either 10Mpbs each direction OR 100Mbps each direction) to your "modem" and still get full bandwidth. Its not clear to me why this change in itself would necessitate "going to gigabit".
-
http://www.lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/FW-7872
I've got one of these on the way (should be here in two weeks or so). It's got more than enough power, even with a Celeron, and comes with nice Intel Gig-E NICs. They're not cheap though at close to $800 w/o a CPU or RAM.
I'm going to be testing this out as a replacement for my current Atom systems at work (I've got two in a single 1U case that run CARP for failover, plus a cold spare) because I'm not sure that the Atom + Realtek NICs will be able to handle the increase in bandwidth I'm planning (4xT1+3.0/768 DSL to DS3 + 20/2 Cable).
-
Why not go virtual with PF-Sense on a Free Citrix XenServer. Build a box big enough to handle serveral different servers and functions. I have 4 virtual machines running in 6 GB of ram with 5 phyisical adapters in the box. Plenty of power, and reall saves on the utility bill.
RC
-
As you have already discovered, one of the problems with the readily available mini-ITX boards is getting enough quality LAN ports. One way around that is to use a VLAN capable switch as a "port multiplier". For example, the HP/Procurve 1700-8G is one of the cheapest VLAN capable switches I have been able to find in Australia. It has a single GigE port and 7 10/100 ports. Connect the GigE port on the switch to a GigE port on a mini-ITX board and you can effectively have up to 7 "10/100" interfaces instead of the GigE interface. In practice it would probably be sufficient to have two virtual interfaces on the pfSense system: one for the WAN interface and one for LAN and switch between your in-home systems rather than route.
If you want to get a bit more switch throughput you could go to the Procurve 1800-8G (8 GigE ports).
Oh, and if your ISP provides a 100/15 link (presumablely 100Mbps download, 15Mbps upoad) you can probably still use a 10/100 link (either 10Mpbs each direction OR 100Mbps each direction) to your "modem" and still get full bandwidth. Its not clear to me why this change in itself would necessitate "going to gigabit".
After doing some research that vlan capable switch seems like a good idea, it's one i'm looking into now, thanks. As far as needing gigabit, to my understanding, i'll be more likely to be able to fully utilize the 100mbit line using gigE, that way i know my nic isn't the bottle neck but rather the circuit.
-
http://www.lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/FW-7872
I've got one of these on the way (should be here in two weeks or so). It's got more than enough power, even with a Celeron, and comes with nice Intel Gig-E NICs. They're not cheap though at close to $800 w/o a CPU or RAM.
I'm going to be testing this out as a replacement for my current Atom systems at work (I've got two in a single 1U case that run CARP for failover, plus a cold spare) because I'm not sure that the Atom + Realtek NICs will be able to handle the increase in bandwidth I'm planning (4xT1+3.0/768 DSL to DS3 + 20/2 Cable).
That thing looks pretty slick thanks for the linky, though you're right it's definitely not cheap. Say 300 for a board I was looking at, plus 300 for a 1u case = 600. It can definitely be done cheaper than that, I'm just using prices for some of the more expensive components I've come across to justify that as not being too outrageous.
-
Why not go virtual with PF-Sense on a Free Citrix XenServer. Build a box big enough to handle serveral different servers and functions. I have 4 virtual machines running in 6 GB of ram with 5 phyisical adapters in the box. Plenty of power, and reall saves on the utility bill.
RC
I've thought about virtualization, but I dunno something about doing it on a router kinda rubs me the wrong way from a perceived security standpoint, I'm sure it's actually fine, but the physical layer of separation causes me to raise an eyebrow.
-
I need mentoring in setting up a firewall for a small business that has a single server with exchange server.
I need a cheap solution that will frovide firewalling etc.I need someone to recommend a solution that will meet these requirements.
I need to know how I can easily configure this firewall to configure ports.
I have experience in netwrking and installed windows firewall solutions in the past.
Due to the cost of this it is not a feasable option.
For a solution manually built "from scratch" I would install a Ubuntu Server 6.06 LTS (Dapper), and add:
OpenSSH server for remote administration,
FireHOL for easy configuration of a firewall through text files,
DenyHosts for increasing the security of the SSH server.
Of course it would be good to add other security software such as chkrootkit, clamav, etc.Many solutions are possible but I am trying to keep you within Ubuntu or Debian, instead of directing you to other BSD systems. Right now I do not have time available for describing the installation and configuration details, but I would encourage you to look at the Ubuntu wiki.
.Ubuntu is not the best solution for a firewall appliance, and saying it is will be an exercise in aggravation.Dear Brazen, When you write that Ubuntu is an "exercise in aggravation" I cannot understand why you use a negative expression for a good, stable and flexible Debian server.
I hope that we are not being too dogmatic here but the choice of Ubuntu for a firewall would allow a easy and smooth evolution into a gateway up to a desired level of complexity for the business enterprise in question. OK, I confess that I am not being completely neutral in this issue since my heart is closer to Linux, Debian, and Ubuntu, but far from the fierce fights at the the BSD space.
A pragmatic and safe solution could be to buy a simple box that costs around $50, consumes less than 30W of power and furthermore cannot be hacked with conventional methods. An even add OpenWRT to it.
Please tell us later how pfsense performs, I am curious!
The Ubuntu server is a "Swiss Army Knife", a base or set of tools suitable for building and experimenting with solutions on a wide range of systems, including gateways. But not necessarily the most optimal solution for just one particular case. This statement would also fit Debian and BSD systems as well, but they are not so easy to used compared to Ubuntu.I completely agree with you Brazen that it is not good to recommend only one tool for a job. It is better to point at a toolbox and help people to develop the best solution for that case. Given all the complications and limitations on time, resources, skills, pre- and post-conditions, etc.
Anyway, here is a question:
Veloce, Does pfsense works out of the box?PS: Just for the record, have you tried Ubuntu 6.06 LTS with FireHOL? I personally like it as a basic Firewall on any server. It is much more intuitive to configure than IPtables and allows administration exclusively through ssh, for increased security.
-
As far as needing gigabit, to my understanding, i'll be more likely to be able to fully utilize the 100mbit line using gigE, that way i know my nic isn't the bottle neck but rather the circuit.
Good 100mbit gear can come very close to the theoretical maximum performance. It's not difficult to get 95+mbit TCP throughput with decent 100mbit NICs. Besides, your CPE probably has a 100mbit NIC in it anyway, so you're going to link at 100mbit. The GigE NICs add some features that can reduce CPU load a bit (like segmentation and checksum offload), but it's certainly not necessary for performance in the 100mbit range.
In my experience the Atom 230 is capable of about 300mbit throughput with the junky Realtek 8111 that comes on the Intel-branded board. My own home setup consists of this board (Intel BOXD945GCLF) with a low-profile Intel PCI GigE NIC, the Realtek disabled in a cheap HTPC-style case. I use a Dell fully managed switch and VLANs to create 4 virtual interfaces in pfSense. I'm sure you could use a similar configuration with a PCI riser in a 1U or 2U case. I haven't done any serious performance testing, but it can do well over 100mbit.
I find the VLAN configuration is very convenient and makes it trivial to segment your network for security at a very fine-grained level. With tagging you can even put each VM on its own network, for example. If you go this route you might want to consider upgrading your whole network to managed switches, the HP gear is fairly inexpensive and excellent.
-
Virtualization allows you to assign phyisical interfaces to virtual machines. That creates seperation. Now you can assign for example the LAN inteface of the firewall to the lan interface of your internal server. It works great because you never fully utilze the full potential of the nic.
RC -
http://www.lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/FW-7872
I've got one of these on the way (should be here in two weeks or so). It's got more than enough power, even with a Celeron, and comes with nice Intel Gig-E NICs. They're not cheap though at close to $800 w/o a CPU or RAM.
I'm going to be testing this out as a replacement for my current Atom systems at work (I've got two in a single 1U case that run CARP for failover, plus a cold spare) because I'm not sure that the Atom + Realtek NICs will be able to handle the increase in bandwidth I'm planning (4xT1+3.0/768 DSL to DS3 + 20/2 Cable).
As an update, I installed one of these to replace my master system about an hour ago. Seems to be running OK. The DS3 SRD is tomorrow morning so we'll see how it goes. I've still got one of the older Atom systems with the Realtek NICs as the slave so I'll probably fail it over at some point to see if I was right about the Atom not hacking it.
-
Does anyone have an idea of how much power the Lannerinc box takes? Or better yet, one of the Atom based boxes? (Like using a Kill-a-watt?)
Does anyone have throughput numbers for those too? 'Just trying to make an informed decision. :)
-
Atom info:
http://forum.pfsense.org/index.php/topic,14050.msg77639.html#msg77639As to the Lanner box I bought, I never tested the power consumption, though I'd expect that it's in the mid-to-high 30s at idle because of the Intel vs Realtek NICs, the IPMI port I'm not using, the (probably) less efficient PSU, and the Celeron 440 & 4GB of RAM I installed. Under load I'd expect it to jump into to the 40s, if not the low 50s if you really throttle it.
EDIT #1: Forgot to mention throughput. The Atom boxes I have will do about 240Mbit/s TCP with iperf (I believe this is NIC restricted, not CPU) but real-world performance is significantly lower as I was unable to get more than 50Mbit/s through them using two boxes with a cross-over cable and FTP. IPSec performance between them is 10-15Mbit/s. I haven't tested the Lanner + Celeron 440 but I'd expect it to do a lot better, probably on the order of 400 Mbit/s through the firewall and 40-50Mbit/s through IPSec, if not more. The system supports a Mobile C2D so with one of those it would absolutely scream.
EDIT #2: Oh, and these are a lot cheaper if you don't need the rackmount kit. Figure on taking around $200 off the price I mentioned earlier.
-
I have a Lanner FW-7520 which is a bit different (not rack-mountable, different processor, different chipset, etc). For my home network, I have an 802.11n AP running 3 VLANs (one for each SSID) and a separate wired gigabit segment. There are some fairly complex firewall rules setup on each of the wireless VLANs and a minimal set on the wired side. With that, I can pull 300Mbps from a machine connected to the wired side to a laptop on one of the SSIDs. I've done that numerous times when copying files via FTP or SFTP. Given that I have nearly zero CPU usage when doing those transfers, I expect IPsec would hold up nicely. Being a home network though, I haven't tested it.
-
Hi, I'm a bit of an eccentric nut. I'm a 'home user' with a full height rack in his basement. All my telco is properly terminated in the rack, along with a half dozen rack mount systems, a 16 port switch (i have cat5e drops in most rooms of the house), all with meticulous wire management.
Wait a second - how do you tease all of us other eccentric nuts with a description of your in-house telco room like that without posting any pics? :P
About your search for decent, inexpensive, low power 1U hardware for pfSense, looks like the other guys have it covered. It's not easy to find 1U systems that fit all those criteria.
-
I can pull 300Mbps from a machine connected to the wired side to a laptop on one of the SSIDs. I've done that numerous times when copying files via FTP or SFTP. Given that I have nearly zero CPU usage when doing those transfers, I expect IPsec would hold up nicely.
How'd you do that? I have FW-7520 also….
-
I can pull 300Mbps from a machine connected to the wired side to a laptop on one of the SSIDs. I've done that numerous times when copying files via FTP or SFTP. Given that I have nearly zero CPU usage when doing those transfers, I expect IPsec would hold up nicely.
How'd you do that? I have FW-7520 also….
It very much depends on the capabilities of the Wireless AP and the Wireless-N adapter on the notebook.
-
I can pull 300Mbps from a machine connected to the wired side to a laptop on one of the SSIDs. I've done that numerous times when copying files via FTP or SFTP. Given that I have nearly zero CPU usage when doing those transfers, I expect IPsec would hold up nicely.
How'd you do that? I have FW-7520 also….
My exact setup is the FW-7520 using only the 4 gigabit ports. One of the ports connects to a Netgear PortSafe 16-port gigabit switch which then connects to a Mac Pro. Another port connects to a D-Link DAP-2590 AP. A MacBook Pro is the sole device on the wireless network.
The AP is serving three SSIDs that map to 3 VLANs. The SSID/VLAN I've used when testing bandwidth is running WPA2 and is bridged to the wired network. I have no traffic shaping turned on and the firewall rules for this particular scenario are fairly lightweight. I don't expect that the lack of rules or shaping is key, just that I haven't measured the bandwidth on the other SSIDs.
-
Someone asked about power consumption. I use the Via Nano which is a bit more power hungry than the Atom. But the Nano has the padlock encryption acceleration engine in hardware.
But 30 to 40 watts depending on load.
Via Nano 1.6ghz
2gb ram
5400 rpm drive
intel pci-e dual gigabit card. -
Someone asked about power consumption. I use the Via Nano which is a bit more power hungry than the Atom. But the Nano has the padlock encryption acceleration engine in hardware.
But 30 to 40 watts depending on load.
Via Nano 1.6ghz
2gb ram
5400 rpm drive
intel pci-e dual gigabit card.Are you using the VB8001? I'm considering switching over to the VB8001 and already have the Intel PT Dual-port adapter.