Hardware purchase advice.
-
Ok.
You will be able to do that with an Atom based box. Go for 4GB since RAM is cheap. Since you only need two interfaces you can get a board/box with them built in. For example: http://www.mini-box.com/Intel-D2500CCE-Mini-ITX-Motherboard.
That shouldn't even sweat at 4Mbps.
There are a number of alternative free UTM OSes that perhaps offer a more complete set of UTM features. You may want to consider those. ClearOS, Zentyal, IPFire etc.
I recommend pfSense though. ;)
Steve
-
So when hardware firewall manufacturers list specifications of their devices on their websites, and state the throughput provided by their boxes for various functions like Stateful, VPN, IPS, etc., and the figures are usually something between 80 to 500 Mbps (I've been looking at the lower-end models), is this throughput for the LAN side of the box, or the WAN side?
-
I'd also like to know if my following network plan is correct, or whether it needs modifications. Based on this, I need to determine if I need just two NICs, or should I plan for adding in more NICs in the future (both, in terms of the motherboard I buy, and the enclosure).
Once we move to the office and add client computers, I may need to allow different stuff through the firewall based on the internet usage of employees. For this, I will need to configure different firewall settings for different usages.
One, for the servers, where we only allow traffic on TCP Port 80, and those ports strictly required for the VPN. Everything else needs to be blocked.
Second, we'll need to be a bit more lax for the client computers, and may even allow stuff like bittorrent traffic.
Again, I believe it is possible to configure different sets of rules on the pfSense firewall for different networks connecting to it. But correct me if I am wrong.
So the best option for us would be to create two different networks with two different subnets for the two purposes.
And it would look like this -
Server 1 \
Server 2  \__ Switch 1 (192.168.1.0) __
Server 3  /                            \
Server 4 /                              \__ Firewall (with different set of rules for each subnet) and Router __ Internet
Client 1 \                              /
Client 2  \__ Switch 2 (192.168.2.0) __/
Client 3  /
Client 4 /
Is this network design sound?
If it is, I'll need to make sure I can add in more NICs on the hardware in future.
Also, do I need Gigabit NICs on the pfSense machine, or can I make do with 10/100, since the WAN interface is only likely to be a few megabits per second at max?
-
Yes, that looks good. Yes you can have separate firewall rules on each interface.
However with that configuration any traffic from your clients to your servers has to go through the pfSense box. Using an Atom it will be limited to ~500Mbps maximum, less if you are running services like Snort and Squid. That may or may not be an issue for you.
You might consider using VLANs and a managed switch rather than adding NICs to get more interfaces.
Steve
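As an added illustration (not posted in this thread and not generated by pfSense), here is the per-interface policy described above, written as the pf rules pfSense's web GUI would end up installing: servers reachable only on TCP 80 plus the VPN, clients allowed anything except direct access to the server subnet. Interface names, the web server address, the VPN subnet and the choice of OpenVPN on UDP 1194 are assumptions.

```pf
# Assumed interface names: em0 = WAN, em1 = server switch, em2 = client switch
wan_if  = "em0"
srv_if  = "em1"
cli_if  = "em2"
vpn_if  = "ovpns1"          # assumed: OpenVPN terminating on the pfSense box
srv_net = "192.168.1.0/24"  # Switch 1, from the diagram
cli_net = "192.168.2.0/24"  # Switch 2, from the diagram
vpn_net = "10.8.0.0/24"     # assumed tunnel subnet for remote users
webserver = "192.168.1.10"  # assumed address of the web server
vpn_port  = "1194"          # assumed: OpenVPN on UDP 1194

set skip on lo0

# Hide both subnets behind the WAN address
nat on $wan_if from { $srv_net, $cli_net } to any -> ($wan_if)
# Publish only the web server's port 80 to the Internet
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $webserver port 80

# Default deny on every interface; each interface then gets its own pass rules
block log all
antispoof for { $srv_if, $cli_if }

# WAN: the forwarded web traffic and the VPN endpoint, nothing else
pass in on $wan_if proto tcp from any to $webserver port 80 flags S/SA keep state
pass in on $wan_if proto udp from any to ($wan_if) port $vpn_port keep state

# Server subnet: the servers only answer connections opened by others
# (stateful replies are allowed), they never initiate anything themselves
block in log on $srv_if all

# Client subnet: port 80 on the web server is fine, the rest of the server
# subnet is off limits, everything else (including bittorrent) is allowed
pass in quick on $cli_if proto tcp from $cli_net to $webserver port 80 keep state
block in quick log on $cli_if from $cli_net to $srv_net
pass in on $cli_if from $cli_net to any keep state

# VPN users are the only ones who may log in to the servers directly
pass in on $vpn_if from $vpn_net to $srv_net keep state
```

Load with `pfctl -nf` first to syntax-check; in pf, non-quick rules are last-match, so the `quick` keyword is what makes the client-to-server block win over the general client pass rule below it.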
-
"However with that configuration any traffic from your clients to your servers has to go through the pfSense box."
Yeah, that's the idea. With this bunch of servers, we're only allowing access to them through the webserver and the corporate intranet. We'll treat them as remotely logged in users over VPN. Nobody is allowed to communicate directly with any of those boxes except for a locally logged on administrator.
"You might consider using VLANs and a managed switch rather than adding NICs to get more interfaces."
Nah. It's a good idea, but managed switches cost a bomb, whereas more NICs won't. But I'll keep this in mind for future expansions for when we do have the budget.
I just checked with my local vendors, and it seems they don't have any Atom or Mini-ATX based systems available in the market at the moment. They had a Gigabyte GA-E350N and a Zotac 880G-ITX WIFI a couple of weeks back in the market, but they're all out of stock right now.
I don't want to order over the net, because I'm located in India, and then warranty and servicing becomes a problem.
Plus for me the final cost of putting together any Mini-ATX system or in-built cpu-motherboard system comes to around the same as the target hardware I have in mind.
My target hardware (listed below) is pretty cheap at the moment, and at the same time packs a powerful punch.
Gigabyte GA-78LMT-USB3
AMD Athlon II X2 270
Transcend DDR3 1033 MHz RAM 2GB x 2
(on-board contains only one ethernet port, and I'm yet undecided on which external card to purchase that will be supported with drivers in pfSense. need a two-port gigabit card, need advice on model to buy.)
Also, could someone tell me if the motherboard I listed above is supported in pfSense 2.0.3? Does it have drivers?
Because I have the same configuration on another machine right now, and I tried booting the test environment from a pfSense LiveCD, and it kept getting stuck at the 'WAN Interface selection' screen. I'm guessing this could just have been because of lack of presence of two ethernet interfaces as recommended, but I just want to be sure before buying the board.
-
Even with a single NIC, you should be able to get through the initial bootup and config, making a "one-armed router".
On newer hardware models you should try pfSense 2.1 as it is based on FreeBSD 8.3 and will have drivers for some newer things. You should be able to try that easily on your "other machine" and confirm if it finds a NIC to use.
-
Where can I find 2.1 to download? I just checked the Versions and the Downloads pages on the main website, and they still list only 2.0.3.
Also, is 2.1 a stable release or a beta?
-
"Where can I find 2.1 to download? I just checked the Versions and the Downloads pages on the main website, and they still list only 2.0.3.
Also, is 2.1 a stable release or a beta?"
http://snapshots.pfsense.org/
It is BETA but it has been running on a lot of systems for a while now (I have 9 systems running it). If it works on your hardware and 2.0.3 does not, then it has to be better ;)
-
I can't say for sure but that board has a Realtek NIC and it's probably an RTL8111E. The more recent revisions of that chip are not supported by the drivers in pfSense 2.0.X but are by 2.1 as Phil suggested.
Steve
-
Let me try out 2.1 then and report back. Thanks for the help, guys.
-
"Hi,
I plan to assemble a new machine to run pfSense on. I need some advice as to how much horsepower I will need for my specific requirement."
Would be very much surprised if you'd need more than 0.15 horsepower.
-
Ha! :)
-
Hello everyone,
So based on recommendations in the thread above, I tried downloading the beta 2.1 version. This file in particular - pfSense-LiveCD-2.1-RC0-amd64-20130624-0404.iso.gz
I burnt it onto a disc, then loaded it onto my target hardware - (Gigabyte GA-78LMT-USB3, AMD Athlon II X2 270, Transcend DDR3 1033 MHz RAM 2GB x 3). This machine currently serves as my production Web Server, and VPN Server, and is not live currently, but is still under development. But the hardware combination listed above is the cheapest I can get in my city's market at the moment, and is also cheaper compared to some mini-ATX boards and enclosures available. (Which means it will be pretty cost-effective for me if I can manage to run FreeBSD 8.1/pfSense 2.1 on this configuration.)
Please also note that this machine has just one ethernet port - a realtek gigabit port.
Please also note that my server boxes are located in a particular area/enclosure with wiring and everything fixed, so it's not easy to move the boxes around. All of these server boxes are connected via a trendnet USB KVM switch to my workstation computer's console. (which means it's going to be very difficult for me to disconnect all the wires, re-route them, and then reconnect the target pfSense server to the monitor, keyboard and mouse directly, even for testing; forget about doing it permanently.)
So I added a DVD drive to this machine temporarily, and loaded the pfSense disc into it.
Tried booting from CD into the boot-from-cd-test version of pfSense. It got stuck again on the WAN Interface Selection setting. Which probably means my ethernet port still isn't supported with drivers.
Tried booting from CD into safe mode and single user mode, but it kept getting stuck at a screen (don't remember what it said since it was yesterday and I forgot to write it down, but it looked like some usb device was not loading, and it said some IRQ could not be assigned. I had a nagging suspicion at that time that it could have had something to do with the fact that the console is not directly connected, but is connected via the KVM). I tried loading both safe mode and single user mode, but it kept giving the same result each time. I rebooted the machine using Alt-Control-Delete, or hard reboot after each try.
Then I brought out an old IDE hard drive I have lying around, disconnected my machine's current hard drive, and connected the old hdd to it.
Then I booted from the CD again, and this time installed pfSense to the test hdd. The installation worked fine. Then it rebooted, and as it was booting, it got back to the familiar screen asking for WAN Interface Selection, and the auto-detection still wasn't working.
Frustrated, I got out a very old Dlink 10/100 single port ethernet card I have, which was surprisingly still in working condition. (It must be about 8-10 years old. 8 at the very least.) Plugged it in.
Tried booting directly from the CD again. This time at the WAN Interface Selection, it was able to detect the card, and I managed to type it in, and the booting process proceeded.
I don't remember what happened here, but for some reason it must not have proceeded further, so I decided to try re-installing to the hard drive.
So I rebooted, and selected the installation option. After the installation, it rebooted, and finally got to the screen where it asks you what you want to do, and lists out some 20 options. After a bit of searching, I figured that the pfSense installation is live by this point, and to access the GUI, I need to type in 192.168.1.1 in a browser from another machine on the network. (That particular IP is free, and has not been assigned to any other machine in the network.) So I went over and did that. But the page never loaded. So I flipped back to the pfSense machine, and I note that it has rebooted by itself while I was gone, and is now showing me a screen that says 'root mount error'. It showed something I could type in to fix it, and I tried to type it in, but this time, the machine had just frozen, and was not accepting any keyboard commands. Not even Alt-Control-Delete. I had to hard-reboot.
Now totally at a loss, I tried repeating a few times, either re-installing or booting live from CD. But it kept giving the same results. After a few tries however, the machine stopped working altogether. Meaning, the machine used to boot, POST and give the beep, and then shut down.
Now this is new hardware only a couple of months old, and has so far been running perfectly for its intended role (VPN and Web Server under development and testing), so I know there's nothing wrong with the hardware, but something either in the pfSense installation, or my old test hardware is causing this problem. I immediately disconnected the only two pieces of hardware that I knew were capable of causing this problem - the 8+ year old LAN Card and HDD, and tried booting again, hoping to somehow boot pfSense from live CD, but the problem kept persisting. Machine used to POST and die out.
Anyway, at this point, I panicked, and I didn't want to risk losing that important machine, so I didn't try any further tests to see if I could install/run/test pfSense on that, or any of my other machines. I don't have any other spare hardware I could test this on (the two pieces of spares I do have, are listed above, and are both ancient relics), and I can't afford to try any more experiments on running machines, because if they go bad because of this, it means days of lost work while I run around getting warranty servicing on the parts that go bad.
Anyway, can anyone tell me if the issue I described above is a known issue, and if so, how to fix it?
-
I suggest you disable USB3 in the BIOS (if possible). Older versions of FreeBSD sometimes have problems with "newer" hardware. It is now almost 2 years since release of FreeBSD 8.3 used in pfSense 2.1.
I suspect you are very unlikely to do any damage to your hardware in your attempts to install and run pfSense BUT your hardware might lock up attempting to deal with hardware the device drivers don't adequately know how to "tickle". In my experience a cold power cycle (disconnect box from power for 20 seconds or more to allow capacitors to discharge then restart) clears those lockups.
-
I tried the cold power cycle, but it didn't really help. Problem persisted.
In the end, I had to disconnect everything from the motherboard, and then reconnect them all back, and put back that machine's native disc drives (instead of the test ones), and it got back to working condition.
I'm planning to buy a new ethernet card today, and am gonna test booting into LiveCD again using my 2.0.3 disc, after disabling the on-board ethernet port. I'll try disabling the USB3 as well, as you suggested.
-
Okay, my hardware vendor says he has an Intel PRO/1000 MT 2 port card available. Intel website says it's based on the 82546 chipset.
Is this card supported on 2.0.3?
Edit: Alright, thank god, it's supported. I just checked the hardware compatibility list on the main website.
-
What NIC is on that board? I'm surprised it's not seen by 2.1.
Steve
-
I believe some clarification is in order.
I will admit that at first I was daunted by all the command line messages, and did all my testing the other day with my brain half-shut. So I didn't understand what was going on, and mistook a few things to be errors.
Since I had also posted the previous message one day AFTER I had experienced those problems, my memory was a bit hazy, and I must have jumbled up the chronological sequence of events that took place.
I did some more testing with the LiveCD today, and began to understand how things work.
So I finally figured out how to use the WAN Interface Selection prompt, and the LAN Interface Selection prompt that follows it. What I thought was the machine getting stuck on an error, turned out to simply be a prompt asking me to type in the device ID for the WAN and LAN interfaces, based on the list of device ids displayed above.
As it turns out, the realtek ethernet port on my Gigabyte motherboard is not detected at all by 2.0.3, but is detected by 2.1.
I also posted earlier that 2.1 didn't work on my older workstation either. That is not correct. I tried again today, and got both 2.0.3 and 2.1 to run fine on my workstation. Since I do have two on-board ethernet ports on this machine, and both versions detected both ports fine, getting it to work was a cinch.
Then I tried both versions on my target hardware (the web server), and 2.0.3 got stuck because it didn't detect the onboard ethernet port (and I wasn't going to risk putting in the old LAN Card again), and 2.1 detected it alright, and I was able to get it to run with just the WAN port configured.
2.1, however, had a problem with my Toshiba 500 GB hdd on the web server machine, and wouldn't move past the "BIOS drive C: is " screen right after booting from CD begins. I don't know the model of the hdd, but it was purchased a couple of months ago, and is most likely recent. Surprisingly, 2.0.3 did not have any issues with this.
(Before I started any testing today, I did disable USB3 first thing on the machine, as per Bob's suggestion. So I don't know if this could have been one of the causes of the issues I faced three days ago.)
In my last post, I also reported two other errors I faced that day, but was unable to describe them in detail.
Well, one of them was the 'root mount error', and it could have been due to the older hdd attached. I didn't do any installations today (because I have no more spare hdds to try it out with), only LiveCD testing, so I didn't run into this again today.
(But as mentioned above, 2.1 did fail to proceed even getting to the Menu Screen when my new hdd was connected to the machine. But if I can get 2.0.3 to work on my target hardware after I buy the 2-port ethernet card, I guess I can ditch the 2.1 idea for the time being till a stable release is released.)
The second issue I reported was when I said something about seeing an IRQ not assigned related message and it being to do with my KVM switch. I was able to reproduce it today, and wrote down what it said. And I need some clarification on this from the experts.
This 'issue' happens when the entire thing has booted into pfSense, and the software is up and running. If at that point, I use my KVM switch to flip over to another machine (to open a browser window to log into pfSense), I noticed that every time I flipped out of the pfSense machine into another machine using the KVM switch's buttons, it used to refresh the screen, and do what appeared to be reload the list of devices attached to port. The text on the screen came to an end at this paragraph -
ums1: 3 buttons and [XYZ] coordinates ID=1
ugen1.5: <no brand="">at usbus1
ukbd1: <keyboard>on usbus1
kbd3 at ukbd1
uhid0: <mouse>on usbus1
device_attach: uhid0 attach returned 12Now I didn't know what this was the other day, and I assumed the machine had restarted, was rebooting, and that it was getting 'stuck' on this screen during the rebooting process. Also, hitting Alt+Control+Delete to force the machine to restart didn't seem to have any effect, so it was normal for me to assume the machine had frozen. (I can attest it had genuinely frozen during the root mount error issue the other day).
Today I encountered this again, and was wondering what to do when I accidentally hit Enter, and it proceeded a few lines and brought me back to the 'select what you want to do with pfSense' screen. So I assumed this was okay.
I had someone hit the buttons on the KVM switch back and forth a few times to switch between this machine and another, while I went over to a laptop plugged into the network, and tried to continue pfSense operations in the browser, and it didn't seem to be affected by this 'refreshing of devices'. But I just want a confirmation that this behavior is expected and normal, and that I am not to worry over this. Because, like I said before, the KVM switch is an essential part of my setup, and I can't ditch it. If pfSense doesn't work with the KVM switch, then I can't use pfSense.
I'm just looking for some assurance that this won't be an issue with the operations of pfSense.
I still don't know what caused the machine to die out after POSTing the other day, but it could have been due to the older hardware attached that day for testing, because I didn't see it repeated today. I just steered clear of those two pieces for today (they're already in the garbage bin).
-
"The text on the screen came to an end at this paragraph -
ums1: 3 buttons and [XYZ] coordinates ID=1
ugen1.5: <no brand> at usbus1
ukbd1: <keyboard> on usbus1
kbd3 at ukbd1
uhid0: <mouse> on usbus1
device_attach: uhid0 attach returned 12"
I guess it is FreeBSD reporting disconnect of USB mouse and keyboard as you switch the KVM FROM pfSense and then (shown here) connect of USB keyboard and mouse as you switch the KVM TO pfSense and so shouldn't be cause for alarm.
The "device_attach: uhid0 attach returned 12" could be an indicator of trouble if you wanted to use the mouse.
Probably a more reliable test of the system freezing would be: Do the keyboard indicators Num Lock or Caps Lock (if present) change state if the corresponding key is pressed? No => frozen system.
Thanks for the extensive documentation of your adventure.
-
"The device_attach: uhid0 attach returned 12 could be an indicator of trouble if you wanted to use the mouse.
Probably a more reliable test of the system freezing would be: Do the keyboard indicators Num Lock or Caps Lock (if present) change state if the corresponding key is pressed? No => frozen system."
No, but I just discovered that hitting the Num Lock key toggles the KVM Switch buttons instead. :D
Anyway, mouse being unusable is hardly a concern, given that pfSense doesn't allow you to use a mouse anyway at the command prompt.
So I guess we're okay.
Now, we'll find out tomorrow if my entire target hardware is cut out for 2.0.3, after I get the ethernet card and put it on that machine. If yes, we can safely close this thread, and I'll go out and buy a new machine with the same specs.