Best Hardware for Gateway/VLAN Router/Firewall/VPN
-
Hi All,
I am building a pfSense box which needs to have the following features:
- Internet gateway (100Mbps fibre to the home connection)
- Firewall (potentially with Snort and IPS)
- Intra-VLAN router
- DHCP server for each VLAN
- Inbound VPN server
It will need at least 5 Gigabit Ethernet ports. One will connect to the WAN, and the other (4?) will be bound (via LACP), set as a trunk, and connected to my managed switch so that 802.1q traffic can flow along the trunk to be routed by pfSense.
Not having run pfSense before, can someone advise regarding the best hardware specifications for this setup? I am most interested in motherboard and CPU.
My main concern is about CPU, since it seems that this box will be fairly CPU intensive (with intra-VLAN routing, Snort, etc).
I asked in another thread (http://forum.pfsense.org/index.php/topic,67331.0.html) about the best quad NIC to use, to avoid the CPU being taxied with interrupts all the time. It seems like the Intel ones are much of a muchness. I would also need at least one NIC on the motherboard (although would be happy with dual NICs, if available) and would be interested in the best motherboard for the job.
As an alternative, I am looking at the Netgate FW-7541- would that be powerful enough for my purposes, given the Atom 1.8 Ghz processor, or would it be better to build my own box with an i3 or i5 instead?
Thanks in advance for any help!
-
A 1.8GHz Atom won't be able to route anywhere near 4gb/s, so I'm not sure what you think the 4-way LACP would buy you in that case. In fact, I'm not sure even a fairly beefy CPU would get you that kind of routed throughput, but maybe somebody with more experience can chime in.
-
Is there a reason why you don't do 802.1q on your switch?
-
Is there a reason why you don't do 802.1q on your switch?
I am running 802.1q tagging on the switch, but there needs to be a router involved to route the traffic between the different VLANs.
-
A 1.8GHz Atom won't be able to route anywhere near 4gb/s, so I'm not sure what you think the 4-way LACP would buy you in that case. In fact, I'm not sure even a fairly beefy CPU would get you that kind of routed throughput, but maybe somebody with more experience can chime in.
(a) Trying to maximise throughput, as I assume that having a larger pipe between the router and switch will at least allow me to maximise the flow (even if it is not at the maximum capacity).
(b) Redundancy.
-
Well, that Atom you mentioned won't even let you saturate a single gigabit link (routed), so at least in that case LACP will probably hurt more than it helps from a performance perspective (distributing traffic = extra work to do for the pfSense host). Also, keep in mind that even in the ideal case, LACP will only increase your aggregate throughput across a set of concurrent flows; your maximum throughput for any single flow is still going to be limited to 1gpbs. That said, if you have the ports to spare, might as well I suppose.
-
^That exactly. I would think anything more than two links in LACP is going to slow things down with no advantage to you. Consider that the connections are between the same two pieces of hardware. Both of those are a single point of failure. Are your cables routed in a particularly vulnerable location?
If you need to route quicker then consider stepping up to a low end Celeron. Such a system can be built for the same cost as an Atom and can often draw around the same power.Steve
-
Hi All,
Thanks for the advice. Would an i5 or i7 be a better option, if I really wanted to try and get routing throughput happening faster?
-
Better than an Atom? Certainly. Better than, say, a G1620? Not necessarily. That will route >1Gbps, run Snort at 100Mbps and OpenVPN at 100Mbps. Maybe not at the same time though.
I would suggest you better define your requirements.An i7 is almost certainly overkill though.
Steve
-
I haven't seen the info on the number of users and network devices on the network. For 10-15 users even an i3 will fly. All depends on how much data will be routed by the number of connections … basically more the users/network devices utilizing the network more is the CPU power required to route the data.
-
Did you mean "[…] required to filter the data"? I don't see how the number of connections would matter for routing (which happens on a packet-by-packet basis anyway) at all. (Tho your point obviously stands, since pfSense will filter the traffic that's routed between LANs.)
-
Yeah I'm with razzfazz on this. It's true that in general a larger network with more users is going to require a more powerful firewall/router and you could average out the bandwidth requirements to a per user number. However if we assume that you want a cpu that can, at the very least, saturate the upstream connection the determining factor is the available bandwidth. You could argue in packets per second at very high speeds. You need to have enough ram to hold the firewall states for each connection though. Approximately 1K per state IIRC.
Of course as soon as you introduce Snort your requirement go way up. ;)Steve
-
Instead of beefing your pfsense to deal with inter-VLAN routing (I assume intra was a typo), why not use a L3 switch. Unless you need firewalls between the VLANs that might be a better and cheaper option.
L3 switches do switching at layer 3 by preserving the source and destination mac and preserving the TTL value of the IP header of the 1st routed packet, so the first packet is routed using normal routing lookup, but after that all packet are switched.
I don't know how pfsense does the routing. Now a days routers do fast switching and can route at wire speed just like L3-switches. Don't know if pfsense does that.
-
Layer 3 switches are not cheap. ;)
I guess it depends on the size of the network/number or users but often the whole point of having VLANs is to filter the traffic between them.You recommend a resonably priced layer3 switch?
Steve
-
I see now that mapdirection already have a switch so I guess that's out of the question. Dell will sell you a 24 port for $1800. I can't recommend it as I have never used one. I've only worked with Cisco and to some degree HP. I don't know what anyone of those cost. Upwards of $4k for the Cisco ones I would think. I thought you could get an 8 port gigabit L3. I guess I was wrong. .
mapdirections feature list didn't include inter-vlan firewalling. If it did an L3 switch wouldn't be much use.
mapdirection: You write home connection. Is this for home, business or pleasure? There isn't much to go on when it comes to solid recommendations here.
-
Mmm, those both fall into the category 'not cheap' for me. ;)
I guess it's relative.Steve
-
I know. I thought you could get an 8 port gigabit L3 and that pfsense was more cpu hungry. I guess I was wrong. Sadly and thank goodness. :)
-
You don't need a full L3 switch. L2.5 should have l3 static routing
you could grab an 8 or 16 port hp 1910. there are probably dell/cisco/whatever equivalents, but I'm not familiar with the model numbers offhandI grabbed a used 16-port 1910 with it's full lifetime warranty for 85$ CAD. it just didn't come with anything, I had to build my own console cable. also the fan is painfully annoying for an apartment, so I disabled it. the price for a used switch is probably cheaper than beefing up pfsense to handle that kind of throughput
-
mapdirections feature list didn't include inter-vlan firewalling. If it did an L3 switch wouldn't be much use.
mapdirection: You write home connection. Is this for home, business or pleasure? There isn't much to go on when it comes to solid recommendations here.
Hi All,
Thanks for the continued discussion and apologies about my absence over the past few days.
In response to the queries that have arisen, I would like to implement inter-vlan firewalling (or at least rules preventing traffic from crossing across some VLANs). For example, I need a VLAN for guest wireless access but that should only have access to outbound internet (WAN) and not be able to route to any other VLANs, to keep those VLANs secure from friends and relatives who may connect their virus infected computers to my guest wireless!
This is for my home network so there's not going to be a huge number of users or devices.
I'm happy to spend the money to get a decent build for the pfSense box, so that it can maximise throughput and also implement things such as inbound VPN and potentially Snort. It's just a matter of what's the best specs.
Thanks!
-
I would build something based on a socket 1155 CPU and use a low end model, such as the G1620. It will almost certainly be sufficient for your needs in a home system but if in the future you want more power you have a huge number of upgrade options.
If you really want to use LACP then don't use more than 2 connections. Personally I don't think you will gain much. Whatever redundancy advantage there is will be outweighed by many other single points of failure.Steve
