Netgate Discussion Forum
    Hardware for gbit wan?

      kejianshi

      Serious people on main subnet - All unix/linux/bsd variants.  That's one interface.  I hold the admin passwords.

      Play Time kiddy crap and windows junk all segregated to another interface.  Let it get hacked.  It's a certainty. I really don't care.  I have to wipe those computers every 6 months or year anyway.

      Visitors on third interface/subnet.  Who knows what those yahoos get up to either. And who cares?

      All of them are fire-walled from each other.  No two subnets can communicate.

      Only the interface/subnet running unix-like OSs with zero games and standard packages can access the pfSense interface.

      I don't need Snort.  I like segregation better.

      If I was admin for an office environment full of windows computers where the idiot users had admin privileges and kept pressing the "OK - Install" button every time they got a pop-up or were burning through all the office bandwidth with P2P, youtube vids, facetime or skyping their GFs, then I'd need snort. Snort is expensive because hardware is expensive.

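The three-segment layout described in the post above, written as a raw FreeBSD pf ruleset. This is an added example, not part of the original post and not rules generated by pfSense (which builds its ruleset from the GUI); the interface names, subnets and management ports are assumptions.

```pf
# Constructed example: interface names, subnets and ports are assumptions.
wan_if      = "em0"
trusted_if  = "em1"            # unix/linux/bsd hosts, may manage the firewall
play_if     = "em2"            # games and Windows machines
guest_if    = "em3"            # visitors
lan_ifs     = "{ em1, em2, em3 }"

trusted_net = "192.168.10.0/24"
play_net    = "192.168.20.0/24"
guest_net   = "192.168.30.0/24"
admin_ports = "{ 22, 443 }"    # SSH and web GUI

table <internal> const { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 }

set skip on lo0

# Translation rules must precede filter rules in FreeBSD pf.
nat on $wan_if from <internal> to any -> ($wan_if)

# Default deny, logged so cross-segment attempts show up in pflog.
block log all

# Management is reachable only from the trusted segment, on its own interface.
pass in quick on $trusted_if proto tcp from $trusted_net to ($trusted_if) port $admin_ports

# Every segment may use the firewall as its DNS resolver.
pass in quick on $lan_ifs proto { tcp, udp } from any to self port 53

# No segment may reach another segment or any other service on the firewall.
block in log quick on $lan_ifs from any to <internal>
block in log quick on $lan_ifs from any to self

# Whatever is left is internet-bound; accept it only from the subnet that
# belongs on that interface, so a spoofed source address is dropped.
pass in on $trusted_if from $trusted_net to any
pass in on $play_if    from $play_net    to any
pass in on $guest_if   from $guest_net   to any
pass out on $wan_if
```

Because the two `block ... quick` rules sit after the management and DNS passes, a host on the play or guest segment gets DNS and internet access only; connections to the GUI, SSH or any address in another segment are dropped and logged.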
        asterix

        Ha! .. You therefore have a domain and you control all user privileges :).. the admin is the idiot in my network to leave something on for dumb users to install. I lock down everything.

        My network is segregated into 5 subnets: LAN, VoIP, Video, HVAC, Servers. No guests… don't want anyone accessing my network.. they can use their smartphones.. hehe

        Signing out from this thread.. as it's going in a different "Snort" direction ;) The OP has enough info to decide on what he needs to get.

          shms

          Thanks for all the answers guys. To sum up, an i3 with a fairly low TDP value along with a compatible motherboard and some Intel NICs will handle pfSense with gbit WAN in/out just fine if it doesn't have the Snort package installed?

            kejianshi

            Yeah - Since it's going to be your internet we are talking about, I'd try to find a mobo with all solid capacitors and a good solid power supply.  Gigabyte makes boards like that and so does Asrock and others.  If you keep the CPU power requirements low you can get a very reliable power supply in lower watt rating so less $$$.  My reasoning is that by the time you need to upgrade, the hardware people are throwing away will be more powerful than the expensive stuff you would buy today.  Do pay attention to the type of slots on the board.  If it has built in video that's good.  It's better to have your NIC cards in PCIe slots than PCI.  An empty PCIe x16 video slot can take a cheap 2 port x4 NIC card.  Your semi-useless PCIe 1x slots are great for cheap 1 port NIC cards.  If they are all Intel, you should be safe.

              asterix

              @shms:

              Thanks for all the answers guys. To sum up, an i3 with a fairly low TDP value along with a compatible motherboard and some Intel NICs will handle pfSense with gbit WAN in/out just fine if it doesn't have the Snort package installed?

              It is just perfect.. I have used an i3 with Snort, Squid, Dans(clamd) and pfBlocker. No hiccups.. runs smoothly. It has enough power for even more resource hungry packages.

                kejianshi

                Yeah - I finally saw my dual core Athlon home router go above 5%.  Maxed out to 100%  :(
                Of course, I had to open 2 terminals and run two separate threads of openssl benchmarks to get there… :P

                  fragged

                  On the topic of Snort performance, 100/10 Mbps line topped to max with torrent traffic hits full usage on the core running Snort on my G630T (2.3 GHz), meaning that I'm pushing the CPU to its max performance with Snort. I haven't tested it with a 1 Gbps link on the WAN side so I can't say where the absolute max is with Snort on that CPU.

                  Even a faster CPU will cap out at 200-500 Mbps range per Snort monitor (Source: http://mikelococo.com/2011/08/snort-capacity-planning/). Meaning that for a 1 Gbps link you will have to somehow divide the traffic into 3-4 streams and have 4 or more cores to handle the load.

                  But then again, there's no need to run Snort on your home network.

                    shms

                    So autumn is around the corner and I'm gonna start ordering stuff, is it safest to go with z77 or maybe even z67? Or is pfSense definitely compatible with z87?

                      Doktor Jones

                      I might suggest avoiding z87 if it's LGA1150; according to a post in my thread (whereupon I had hastily purchased hardware to replace failing equipment),

                      All Haswell boards with intel nics come with i21x, this is still not supported in 2.1.
                      Ivy/Sandy bridge boards with intel will have either 82574L, 82579V and/or 82579LM which will work.

                      If you were intending to use the onboard NIC anyways… if you planned on slapping some PCIe NICs in there, then knock yourself out. pfSense 2.1 booted just fine on a z87/LGA1150 board for me, it just wouldn't detect the onboard NIC (which I required).

                        shms

                        I have an Intel quad NIC I am planning to use but I would like to use the built-in NICs as well :/
