Best Hardware for Gateway/VLAN Router/Firewall/VPN
-
Instead of beefing your pfsense to deal with inter-VLAN routing (I assume intra was a typo), why not use a L3 switch. Unless you need firewalls between the VLANs that might be a better and cheaper option.
L3 switches do switching at layer 3 by preserving the source and destination mac and preserving the TTL value of the IP header of the 1st routed packet, so the first packet is routed using normal routing lookup, but after that all packet are switched.
I don't know how pfsense does the routing. Now a days routers do fast switching and can route at wire speed just like L3-switches. Don't know if pfsense does that.
-
Layer 3 switches are not cheap. ;)
I guess it depends on the size of the network/number or users but often the whole point of having VLANs is to filter the traffic between them.You recommend a resonably priced layer3 switch?
Steve
-
I see now that mapdirection already have a switch so I guess that's out of the question. Dell will sell you a 24 port for $1800. I can't recommend it as I have never used one. I've only worked with Cisco and to some degree HP. I don't know what anyone of those cost. Upwards of $4k for the Cisco ones I would think. I thought you could get an 8 port gigabit L3. I guess I was wrong. .
mapdirections feature list didn't include inter-vlan firewalling. If it did an L3 switch wouldn't be much use.
mapdirection: You write home connection. Is this for home, business or pleasure? There isn't much to go on when it comes to solid recommendations here.
-
Mmm, those both fall into the category 'not cheap' for me. ;)
I guess it's relative.Steve
-
I know. I thought you could get an 8 port gigabit L3 and that pfsense was more cpu hungry. I guess I was wrong. Sadly and thank goodness. :)
-
You don't need a full L3 switch. L2.5 should have l3 static routing
you could grab an 8 or 16 port hp 1910. there are probably dell/cisco/whatever equivalents, but I'm not familiar with the model numbers offhandI grabbed a used 16-port 1910 with it's full lifetime warranty for 85$ CAD. it just didn't come with anything, I had to build my own console cable. also the fan is painfully annoying for an apartment, so I disabled it. the price for a used switch is probably cheaper than beefing up pfsense to handle that kind of throughput
-
mapdirections feature list didn't include inter-vlan firewalling. If it did an L3 switch wouldn't be much use.
mapdirection: You write home connection. Is this for home, business or pleasure? There isn't much to go on when it comes to solid recommendations here.
Hi All,
Thanks for the continued discussion and apologies about my absence over the past few days.
In response to the queries that have arisen, I would like to implement inter-vlan firewalling (or at least rules preventing traffic from crossing across some VLANs). For example, I need a VLAN for guest wireless access but that should only have access to outbound internet (WAN) and not be able to route to any other VLANs, to keep those VLANs secure from friends and relatives who may connect their virus infected computers to my guest wireless!
This is for my home network so there's not going to be a huge number of users or devices.
I'm happy to spend the money to get a decent build for the pfSense box, so that it can maximise throughput and also implement things such as inbound VPN and potentially Snort. It's just a matter of what's the best specs.
Thanks!
-
I would build something based on a socket 1155 CPU and use a low end model, such as the G1620. It will almost certainly be sufficient for your needs in a home system but if in the future you want more power you have a huge number of upgrade options.
If you really want to use LACP then don't use more than 2 connections. Personally I don't think you will gain much. Whatever redundancy advantage there is will be outweighed by many other single points of failure.Steve
-
I would build something based on a socket 1155 CPU and use a low end model, such as the G1620. It will almost certainly be sufficient for your needs in a home system but if in the future you want more power you have a huge number of upgrade options.
If you really want to use LACP then don't use more than 2 connections. Personally I don't think you will gain much. Whatever redundancy advantage there is will be outweighed by many other single points of failure.Steve
Thanks for your advice. What do you think about RAM requirements and also motherboards? In particular, I am concerned about choosing the correct NIC to ensure the box doesn't get flooded with interrupts (I have read on the pfSense doco that Intel is generally good, but RealTek is not good is this regard). Assuming that the motherboard has an on-board NIC then I would probably use that for the WAN connection but will also need a PCIe NIC card to uplink to the switch - I would welcome suggestions on that too.
-
RAM is cheap, get lots. ;)
If you're planning to run Snort then 2GB or more would probably be recommended. The standard pfSense install doesn't require much, it will run in 256MB.NIC manufacturer in approximate order of preference are (IMHO):
Intel
Broadcom
Everything else
RealtekNewer Realtek NICs are a lot better though. A lot of people won't touch them after being burned by their older 10/100 NICs
I can't recommend a multiport NIC personally.Steve
-
RAM is cheap, get lots. ;)
If you're planning to run Snort then 2GB or more would probably be recommended. The standard pfSense install doesn't require much, it will run in 256MB.NIC manufacturer in approximate order of preference are (IMHO):
Intel
Broadcom
Everything else
RealtekNewer Realtek NICs are a lot better though. A lot of people won't touch them after being burned by their older 10/100 NICs
I can't recommend a multiport NIC personally.Steve
Thanks Steve, good advice. I'll probably end up going for one of the PCIe Intel NICs on the FreeBSD HCL, if there's no material difference between them all…
