Is this good enough? 20Mbps future proof.
-
Hi all,
New to PFSense. First off, WOW! I'm blown away by this software and wondering why more people don't use it! Great job devs, testers, and community members who devote countless hours, brain cells, and funds to work on this. As my knowledge in this expands, I will definitely be a contributing member.
So, on to my setup and questions:
Cisco 2960 24 port switch
DOCSIS 2.0 cable modem
Linksys WRT54G2 rev1.0 router (running DD-WRT) [b/g wifi]
My PFSense firewall is:
Asus EeePC 1005HA (Atom N280)
2GB GSkill DDR2 800 (running at 533) RAM
160GB 5400 RPM Hitachi HDD
Atheros chipset for FastEthernet NIC and WiFi NIC
I plan on running:
- Snort
- HAVP
- Squid
- SquidGuard
- Wireless Access Point (if I can figure out my NIC issue)
- Captive Portal for WiFi
Is this netbook going to have enough oomph for my network (see diagram below) and allow for Verizon FiOS (20Mbs/10Mbs) in the future? Here is a diagram of my network so far:
Sorry if the picture is too big,
Thank you,
Steve
-
I'd connect the pfSense box directly to the Internet connection and move the WRT54G2 behind it. If you connect the LAN side of the WRT54G2 to the inside (LAN) port of pfSense, the WRT54G2 should default to operating in bridge mode. You can change that if you want to, but it will complicate your admin a bit. Turn off DHCP in the WRT54G2, use pfSense to set up static DHCP leases for all your devices (including the WRT54G2) and pick a range for the dynamic leases that is outside the one used for your static leases.
-
Well, that was my original intent, except my firewall only has one NIC. I could rework it a little and throw the Linksys on vlan 200 and have the firewall pull an IP directly from SuddenLink, but I wanted WiFi to be separate from my network until I can fix the WiFi setup in PFSense. This works pretty well, except I found my little EeePC is getting quite warm (57-60 Celsius on avg). May just end up buying a D510 or D525 setup with 2+ NICs.
-
You should be able to get VLAN working on the NIC. Coupled with the Catalyst using VLANs, you can "multiply" the NIC.
-
You'll find the official hardware sizing guide here. You're probably at the bottom end of what I'd suggest for running all those packages - particularly with RAM. You'll need to be fairly aggressive in tuning your Snort install.
-
Yeah, I found out the hard way today. I cannot run Squid and Snort at the same time without severely hampering bandwidth. I've been looking at hardware on eBay and Newegg. I thought it would be cheaper to build it myself, but the sellers recommended on this site really do give a good deal once you consider time spent putting it all together. I've been pondering the idea of VPN and am curious if there is a CPU that naturally does well with it. I was reading up that the newer Intel chips have AES built in (i3 and newer). Would getting an i3-5xx chip really be worth it in the long run? Going from Atom to i3 almost doubles the price for CPU & Mobo. I don't really need VPN though. Having the option would be nice I guess.
Are there any mini-ITX boards out there that support PCI-X (found some cheap intel quad GbE NICs that use this)?
-
The AES-NI extensions are not currently used in FreeBSD and by extension (no pun intended) pfSense. A Core i3 can be more power efficient than the Atom if it is constantly under load since it uses vastly fewer cycles to get the same amount of work done.
My recommendation would be to get the newer AMD Fusion (E350 Zacate) mini-itx boards with an Intel PCI-e PT dual port NIC instead. You can use VLANs with the NIC and your Cisco switch to get more virtual NICs instead of relying on real physical ports.
It is fairly power efficient, faster than the Atom (because the Fusion has out-of-order execution) and features a PCI-e x16 slot (electrically x4).
Examples are:
Asrock E350M1
Asrock E350M1/USB3
Gigabyte GA-E350N-USB3
MSI E350IS-E45 (no USB 3.0)
MSI E350IA-E45 (with USB 3.0)
-
Is there much community experience with PFsense 2.0RC and the new AMD Fusion boards? I would be interested in assembling a router using the GA-E350N-USB3, but am not too keen on the bleeding-edge guinea pig role :-\