Installation on Intel D2500CC (atom with dual NIC board)
-
You will have a lot more takers if you keep it 1U. Many people will be paying per 'U'.
Something that may be of interest, it's been suggested by several users, would be a 1U 19" enclosure that contained an Atom based board and a 5-8 port vlan capable switch. Not sure how you'd arrange that though.
Steve
-
The goal is to build 3. 1 to replace the via box I have at home (want to be more green on my energy bill) and 2 for work (1 for the office and 1 for the owner's house). Also installing a freenas box at each location. Need some redundancy and offsite backup. Yes, I have some of this in place already, but want to make a transition to FreeBSD (free, at least for the software, and good support).
As far as putting together a fNAS box, unless you need rackmount setups, you might combine the firewall, router, and nas functionality on the same 2500 board in an Antec 300 or 302 case, unless the bandwidth through your firewall isn't going to leave any spare clocks.
I bought a 300 for my firewall/snort/open-vpn/tele application because the 2500 apparently gets quite hot unless it has adequate air space, and the 300 was the cheapest well-made box with elbow room at a useful price. I no longer even consider putting form above function: too much hardware lost to heat through the years.
And the 300 is actually very well made, especially for a low-price box ($50 at Newegg), and supports 3x5.25 drives, 6x3.5, and even a 2.5 bolted directly to the floor. Room for 5x120mm fans toto (a 120 and a 140 come with).
-
Steve, is that as simple as adding more LAN cards? Or adding a completely different board? I did search this and found www.bsdcan.org/2012/schedule/events/330.en.html. Not sure exactly what they are saying. Does pfsense have a package to add an internal switch? I know free switch, but thought this was only for voip phones and PBX.
MMacD, I was looking or I was asking that very question. Can I bundle nas and router/firewall together using FreeBSD (in the FreeBSD forum)? The answer I received was that could be a security issue and not good security/networking practice. I do like the idea of bundling.
I also forgot to mention that the phones are VoIP at the office. My plan is to add an additional nic to handle the VoIP. Someone said why not just do a vlan for the VoIP. Maybe in the future.
-
The answer I received was that could be a security issue and not good security/networking practice.
hmmm…I wonder why that would be. Did they say?
Neither networking nor security is my field (I've been doing human-factors systems architecture since '74), but it seems to me that the whole point of the firewall and snort is to keep the bad guys from tricking their way into the LAN. So if they can reach your disc farm when it's living in the box with the firewall, they can reach it no matter where it is in your LAN since nodes are logical locations rather than physical, and ready access is the whole point of running a LAN rather than a sneakernet. As long as you don't expose the logical location of the farm to the inet, I can't imagine what problem there could be with physical colocation. Perhaps someone will explain.
-
MMacD, I agree w/ you.
Quote from FreeBSD forum:
Hello,
It's a good security practice to separate the file server from the "router/firewall". However, you can achieve easily all of the above using OpenVPN which is flexible and easy to implement, or IPSEC if you feel ready to dive into a less flexible but probably more secure implementation of VPN.
For the backups I'd use rdiff-backup or duplicity (for additional security, if needed). Not sure how they are gonna run with Cygwin under Windows. I'm pretty sure though you can achieve scheduled backups under Windows with rdiff-backup, although a solution like DeltaCopy might seem more suitable for Windows as it runs natively.
I get that what needs to be backed up are windows files that will be channeled through VPN.
What does it mean exactly 'more green' Green like that?
-
The purpose of a firewall is security. Every time you add services to your firewall you open a potential avenue of attack reducing security. The more stuff you are running on your box the more likely it will have exploitable bugs.
There are many threads about this on the forum because, like you, many people want to do it. pfSense was originally devised to take the place of router/firewalls in medium to large networks. It has evolved into a product that fits in many more scenarios including soho where you want to minimise the number of boxes and power usage.
If you want to do this it is recommended to use virtualisation. Run pfSense in a VM and freeNAS (or whatever) in a separate VM.
Steve, is that as simple as adding more LAN cards? Or adding a completely different board? I did search this and found www.bsdcan.org/2012/schedule/events/330.en.html. Not sure exactly what they are saying. Does pfsense have a package to add an internal switch? I know free switch, but thought this was only for voip phones and PBX.
Adding multiple NICs is expensive. If you have only one PCI slot, as many Atom boards do, you have to use a quad port card and that can be very expensive. A cheaper option is to use VLANs and a VLAN capable switch. You can then have as many interfaces as you have ports on the switch. This is how small soho routers work, a switch and a router on one pcb. That's what the package you linked to is for, not useful for us.
I don't know how you would do this, you'd have to add a switch PCB to the enclosure but I don't know where you'd get one. There would be a very small market for this though since it would be cheaper to get a separate rack mount switch and it wouldn't be appropriate in a co-location situation. I only mentioned it
Steve
-
Reading up just now on the hardware requirements for fNAS, I'd say the more important issue is address space and bandwidth. I've read, tho never seen verified (have you?), that a D2500CCx does have more than 32-bit address space implemented on the board, and I know there are some 8GB parts available, but fNAS's requirement of 1GB per TB to get anything like good performance would make me want to experiment before deciding to host both Snort and fNAS on the same board.
-
You can use nas4free instead. I believe that has a lower hardware requirement. There are other similar projects.
Steve
-
Thanks for the replies. I am currently running nas4free, booting from a thumb drive, at home. I think I am going to focus on building my pfsense boxes and setting up VPN.
-
Hi kids, bugs got fixed in latest 2.1-snapshot.
Installed 64bit version on d2500cc flawlessly.
-
Good news! I'm new to FreeBSD/pfsense and ran into this problem right at the start… Since I don't want to wait for 2.1 release nor use an unstable snapshot version, I'll go with the 'install 32bit first and write down the inputs' method first.
Hope it'll install smoothly on my Samsung 830 SSD (64GB) and it'll detect and work with my miniPCIe WLAN Card (Compex WLE200NX).
BTW, I'm using this case: http://mini-case.com/pi37/pd332.html, totally fanless and hopefully ok when running pfsense 24/7…
Cheers,
cibomato
-
I have a similar board, JW Minix Mini HD PC http://www.jwele.com/motherboard_detail.php?1140, with 128GB SSD and 2GB ram. Since I need to set up several VLAN interfaces in the console, I had trouble using the writing down the inputs method. Therefore I use the i386 version instead. Is there any downside to using the i386 version apart from not being able to use more than 4GB RAM?
-
No not really.
There may be some marginal performance increase using 64bit but it's small enough you'd have to setup a test to see it. I've seen people argue both ways on this.
Steve
-
I just picked up a new board. It was listed on ebay as the Intel2500CCE. When I received the board it shows Intel D2500CC. Is there an actual difference between the two?
From what I could find :
The 'E' suffix in the model name (e.g., D2500CCE vs D2500CC) signifies that this product is an Intel Extended Life Product (ELP). ELP products will be available for extended production times (3 years) and are perfect for project use.
So do you think I have the same thing? I don't see anywhere on the board the "E" just D2500CC.
Not sure if I should send it back and find one that has "e" listed.
Any help would be greatly appreciated.
-Neztik
-
I just picked up a new board. It was listed on ebay as the Intel2500CCE. When I received the board it shows Intel D2500CC. Is there an actual difference between the two?
From what I could find :
The 'E' suffix in the model name (e.g., D2500CCE vs D2500CC) signifies that this product is an Intel Extended Life Product (ELP). ELP products will be available for extended production times (3 years) and are perfect for project use.
So do you think I have the same thing? I don't see anywhere on the board the "E" just D2500CC.
Not sure if I should send it back and find one that has "e" listed.
Any help would be greatly appreciated.
-Neztik
I would think that would only matter if you were expecting to order an (or many) exact replacement as new stock through a standard distributor sometime in the next couple years. Those designations often are important for system integrators or manufacturers that need to be able to plan their supply chain for a particular product over the next few years.
Think of it this way, if you were building these as appliances and you needed to make sure each and every one was exactly the same for the planned release of your product, then I'd worry about it.
For a one off, no, probably not assuming it's otherwise identical, hardware wise.
-
Great! Thanks matguy. I can start building my new router this weekend without having to wait. I am currently running an older i386 system. The plan is to install 2.1 AMD64 and use the 2 onboard nics to VLAN tag.
-
Since that board only supports 4GB of RAM anyway, I would probably stick with x86 (32 bit) pfSense. The main reason for going with x64 support is to be able to address more than 4GB of RAM, otherwise x86 may be more supportable for you.
-
Since that board only supports 4GB of RAM anyway.
actually, the board supports at least 8GB ram, despite the claims of Intel:
# uname -rsp;dmesg|grep CPU;dmesg|grep memory
FreeBSD 9.1-RELEASE amd64
CPU: Intel(R) Atom(TM) CPU D2500 @ 1.86GHz (1866.78-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
p4tcc0: <CPU Frequency Thermal Control> on cpu0
p4tcc1: <CPU Frequency Thermal Control> on cpu1
SMP: AP CPU #1 Launched!
real memory = 8589934592 (8192 MB)
avail memory = 8217665536 (7836 MB)
they are probably trying to make it look less attractive than it is…
-
actually, the board supports at least 8GB ram, despite the claims of Intel:
# uname -rsp;dmesg|grep CPU;dmesg|grep memory
FreeBSD 9.1-RELEASE amd64
CPU: Intel(R) Atom(TM) CPU D2500 @ 1.86GHz (1866.78-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
p4tcc0: <CPU Frequency Thermal Control> on cpu0
p4tcc1: <CPU Frequency Thermal Control> on cpu1
SMP: AP CPU #1 Launched!
real memory = 8589934592 (8192 MB)
avail memory = 8217665536 (7836 MB)
Hello t3h0th3r, I am going to use the same board for a new pfsense installation.
As I am going to include Snort, Squid + havp and OpenVPN, I was looking for a board with more than 4GB Ram, but the 2 Intel Nics convinced me :)
Are you running the Intel D2500 or the newer D2500CCE revision?
What Ram do you have installed?
If possible could you provide the serial number for the memory.
Thank you very much!
-
Today I installed the D2500CCE. I selected the Jetway JC110-B case which allows for adding two PCI cards, and has two internal fans. It is not very noisy at this moment. The case comes with a wall mount which is very useful as well. The Intel board fits without moving the fans (which I read somewhere else). The BIOS has a setting for "always on" on power failure which is useful in my case because the firewall will be installed quite remote. I burned "pfSense-memstick-2.0.2-RELEASE-i386-20121207-1630.img" on a memory stick and installed pfsense from the stick on a harddrive. The display output was a little corrupted but good enough for a "simple" installation (I could read most of the words). The monitor isn't needed after the install, so it is good enough to me.
To answer the question above:
- board: Intel D2500CCE
- Memory: Transcend SO-DIMM DDR3 1333 2Gb
Later on I installed Squid proxy. The firewall will be used by a maximum of 75 users and a bandwidth of 60Mbit.
Dirk.