Netgate Discussion Forum

    Enterprise Solution

    General pfSense Questions
heper

I run multiple pfSense machines in some schools.

One of them being a high school with around 200 desktop computers.

- There is a remote-access OpenVPN for staff.
- There is a WiFi captive portal linked to Active Directory, providing students with free WiFi using their AD login (around 60 simultaneous WiFi users at any given time).
- There is also a Squid with around 1 GB of RAM for caching.
- We have no layer-3-capable switches, so the pfSense handles all inter-VLAN routing.
It runs in a VM on ESXi 5 on a Dell R310 system with a 2.2 GHz quad-core Xeon, 8 GB RAM and a quad-port Intel adapter.
The host machine has some other VMs running without too much load (some network monitoring, a LAMP stack for development purposes, etc.).

The CPU usage (measured in the ESXi console) rarely goes over 25% (this when pushing 1 Gbit from one VLAN to another).

If you want more performance with less hardware then you should run it bare metal instead of virtualized.

Klaws

The nice thing about pfSense is that it runs on standard PC hardware. You can try it out with an "old piece of junk" (just plug in another NIC, or whatever number you think you'll need) - or even your current PC, using the Live CD. Preconfigure it, then swap the network cables from your 425.

For a 100 Mbit line, I use an Atom D2500CC with Intel GbE NICs. With 2 GB of RAM it can handle lots of concurrent connections… I think the default state table size for this amount of RAM is 197000, but it can be increased (with the default setting, total memory usage is at 10%, I think).

I do not know which IPsec/PPTP throughput the D2500CC will achieve - for me, the limit is the 10 Mbit connection on the other side; CPU load appears to be insignificant at this speed.

There might of course be other requirements on your side which result in increased hardware demands. Do you, for example, need Layer 7 filtering?

dhatz

You don't give many details, but pfSense does offer similar functionality to Astaro (and quite a bit more in certain areas). Where pfSense lags compared to most commercial "UTM" offerings is that the latter typically offer integrated content-filter / antivirus functionality.

Have a look at the following presentations about PF scaling (note: for OpenBSD):
http://www.openbsd.org/papers/lca2011-dlg.pdf by David Gwynne (pf firewalls used at the University of Queensland, AU)
http://www.alba.st/docs/bakeca_ddos.pdf

meatwad819

@Nachtfalke:

Probably you have found the sizing guide on the pfSense page:
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

It will probably tell you what CPU is needed and how much RAM the firewall state table will consume.
Using any VPN solution will increase the need for a faster CPU.

I am sorry that I cannot give you any hints on such an environment, but perhaps it will give you a point to start to find the correct hardware.
People here are often using ALIX boards to accomplish their needs.

            Thanks for the information! I did see the table, and I believe anything we put it on that we have currently should be able to handle the load. We'd probably look to purchase a brand new server to house this anyways. Again, thanks for the info!

@heper:

I run multiple pfSense machines in some schools. … If you want more performance with less hardware then you should run it bare metal instead of virtualized.

I think we'd be looking at a bare-metal installation to help with the performance. Does your unit do Layer 7 filtering for your sites? Or anything UTM, for that matter?

@Klaws:

The nice thing about pfSense is that it runs on standard PC hardware. … Do you, for example, need Layer 7 filtering?

We'd probably want Layer 7 filtering, though I'm actually not sure if we have it on the current Astaro setup. It would really depend on whether it's currently in our Astaro firewall or not. If it's not, we'd probably look into it, but wouldn't find it necessary if it came to it. Do you use it? If so, how well does it work?

@dhatz:

You don't give many details, but pfSense does offer similar functionality to Astaro (and quite a bit more in certain areas). … Have a look at the following presentations about PF scaling (note: for OpenBSD) …

Sorry about that! I just don't wanna get in 'trouble' for saying something I shouldn't, I suppose, not that I think any of the information I really would say is 'confidential.' We do have about 3,000 users on the campus split amongst faculty, staff, students, and 'special cases.' I think that there would never be more than 700 people on at any given time, and that's still quite the overestimation in regards to what I believe is actually used. I'm not sure if you have the time, but could you give a brief description of the comparison that a corporate product like Astaro's UTM would have against pfSense? Thank you for the links as well! I shall be looking at them as soon as I get the chance.

asterix

Ensure your wireless APs are not the bottleneck. Maybe they are part of the problem. I would recommend you do some analysis on the wireless end of your network.

For 700+ concurrent users I presume you are looking for IDS, Squid, etc. Go for a Xeon processor with 16-24 GB RAM to start with.

meatwad819

@asterix:

Ensure your wireless APs are not the bottleneck. … Go for a Xeon processor with 16-24 GB RAM to start with.

We'd probably be looking at dual Xeons with 24 GB of RAM being the low end of what we would actually purchase, so it's good to hear that it 'should' work for us with those specs. Do you have any suggestions for how to analyze the wireless portion as you have suggested? I ask because, unfortunately, the wireless solution for this campus is that we have a bunch of WAPs around the campus that are not really connected to each other in any way; they're just sort of there and giving wireless over their own VLAN. We're looking for a better enterprise solution, possibly one completely on our ISP's end that they would take care of, but again money has been the deciding factor here.

heper

No, no Layer 7.

What do you want to do with Layer 7? I gave up trying to block certain apps with Layer 7; students will find a way to get past it (setting up VPN tunnels / paid proxies / …).
What I do is set a fixed bandwidth per user for my student WiFi, so it won't slow down everything else that really matters.

On the devices we manage ourselves, we restrict the machines themselves and don't try to find a way to do the same with Layer 7 filtering.

deltalord

@meatwad819:

We'd probably be looking at dual Xeons with 24 GB of RAM…

I'm sorry, I gotta go, but I've seen a Turkish admin here on the forum handling 7500 students with a comparable server.

asterix

You need to deploy Cisco Aironet 1140 or 1240 series APs. You will get them cheap on eBay. You can control them centrally through a WLAN controller and run reports on their activity.

Add in a managed switch for multiple VLANs and provide separate VLANs for students and faculty. This way you can monitor the network activity and control network bandwidth where needed.

Klaws

I agree with asterix. While the Aironet APs are not the most admin-friendly on the market (I vaguely remember issues with setting up roaming correctly), they work reliably. Unlike the "Linksys by Cisco" AP stuff, which reliably fails.

Concerning Layer 7 filtering: it increases CPU usage, but does little to increase security. I prefer not to use it, but your bosses might have a different point of view. If management decides that they want Layer 7 filtering, your hardware requirements will rise by an order of magnitude.

In my opinion, overly restrictive firewalls will only teach better "hacking skills". Especially in a school/university environment, where information about circumvention of restrictions is communicated very efficiently (among the users, not towards the administration).

Virus scanners on the firewall don't make sense if users are allowed to bring their own hardware into the network. If there has to be traffic between the guest WiFi network and the "production network", you should concentrate your efforts on this interface. However, this access path doesn't really need to be more hack-proof than from the public internet.

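Klaws's last point above (treat the guest WiFi to production boundary like the Internet edge) and heper's earlier point (cap what each student client can consume instead of chasing Layer 7 signatures) both come down to the ruleset on the guest VLAN interface. The following is an added example, not code from this thread or from pfSense itself: a minimal FreeBSD pf ruleset in the pfSense-era syntax (not OpenBSD's) for a student WiFi VLAN. Interface names (em0, em1, em1.20), the VLAN ID, the guest prefix and the per-client state cap are assumptions for the example. heper's per-user bandwidth limit is a pfSense limiter (dummynet), which is configured separately and is not expressed in pf filter rules, so it is not shown here.

```pf
# Added example (not from the thread): guest/student WiFi VLAN isolation.
# Assumed interfaces and prefixes; adjust to the real topology.
ext_if    = "em0"             # WAN
lan_if    = "em1"             # staff / production LAN
guest_if  = "em1.20"          # student WiFi, VLAN 20 tagged on the same trunk
guest_net = "172.16.20.0/22"  # room for ~1000 clients

# Every private range the guest VLAN must never reach. 'const' stops the
# table being changed at runtime with pfctl -t.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

set skip on lo0
scrub in all

# Guest traffic leaves through the WAN with source NAT (nat comes before
# filter rules in FreeBSD pf).
nat on $ext_if inet from $guest_net to any -> ($ext_if)

# Default deny, logged, so anything not listed below shows up in pflog.
block log all

# 1. Guest clients may talk to the firewall itself only for DHCP and DNS.
#    DHCP discovers come from 0.0.0.0, hence "from any" on the DHCP rule.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67 keep state
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net to ($guest_if) port 53 keep state

# 2. Anything else headed for a private range, including the firewall's other
#    addresses and the production LAN, is dropped and logged.
block in log quick on $guest_if from any to <private>

# 3. The rest goes to the Internet. source-track plus max-src-states stops a
#    single client (a P2P box, a scanner, a malware-infected laptop) from
#    filling the state table that the whole campus shares; tune the number
#    against the state table size you configured.
pass in on $guest_if inet from $guest_net to any keep state \
    (source-track rule, max-src-states 500)

# The production LAN must not originate traffic into the guest VLAN either,
# so the boundary is symmetric; its normal outbound rule follows.
block in quick on $lan_if from any to $guest_net
pass in on $lan_if inet from $lan_if:network to any keep state
```

Check the syntax with `pfctl -nf <file>` before loading it with `pfctl -f`, and watch `pfctl -s states` (or `pfctl -s info` for the state-table counters) on a busy school day to see how far the chosen per-client cap sits below the global limit discussed earlier in the thread. On a pfSense box the same rules are entered through the web GUI rather than a hand-written pf.conf, but the generated ruleset follows the same structure.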
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.