Proper NIC, and microSD support?
-
Had you considered just making a pfSense VM?
The 3.1 GHz quad core DL320 does seem a bit like overkill.
I read here somewhere that using pfSense in a VM is a bad idea performance-wise, plus I think physically splitting things up makes it all "better"; it feels more right.
Do you think the 3.4 GHz dual core is a better solution?
-
Ah, 100MBps is a different matter then. :)
I would expect the disk controller to work in some mode, but you may not be able to use all of its RAID features, for example. As you say, that problem goes away if you're booting from SD.
A little extra headroom is always a good thing, but this could be a lot of overkill. You haven't mentioned if you want to run packages (Snort, Squid etc.), but those will significantly increase the hardware requirement if you do. For just plain firewall/NAT the dual core CPU would be more than enough for 1Gbps throughput. In fact a 3.4GHz dual core CPU will probably be faster than a 3.1GHz quad core because the pf process runs as a single thread.
Intel NICs are always preferred, but Broadcom are considered second best and I would have no worries using the on-board NICs if they're supported.
There is some overhead to running virtualized but not too much. There are people here running firewalls at >5Gbps virtualized because currently the drivers under ESXi are able to work with newer 10GbE hardware.
Steve
-
Sorry for the confusion :-(
That is exactly what I mean: currently I will only need very basic NAT'ing, but as soon as I start poking around in there I will learn about other exciting things which may require more resources. I just want to be absolutely certain that I will not have to upgrade the machine anytime soon.
FYI: the quad core has Intel Turbo Boost which goes up to 3.5 GHz.
I just want a good, known, supported 1Gb NIC; that's my only interest.
Obviously I would like a 10Gb network at home, but as far as I know 10G equipment is relatively expensive, so my goal is to utilize the 1G network to its max. Any suggestions regarding a widely supported, not too expensive 1G NIC?
Thanks for your time so far :)
-
If you go with the more powerful machine and then find that even after adding various things you're still only using 10% of its resources, you can always switch to running as a VM and run other VMs on the same hardware.
I've still got sections of 100Mb ethernet here at home (don't think I have any 10base2 left….) and the fastest connection I could get is ~100Mbps if I wanted to pay for it. 10Gb is way way off! ::)
Go with Intel NICs. Pretty much any Gigabit NIC i350 or older should be good. The newer, cheaper i210 is not supported currently. Search the forum to make sure. The Pro/1000 PT is widely used.
Steve
-
What is your WAN speed? 1 Gigabit symmetrical? Or do you mean you want the LAN network to be 1 gigabit or 10 gigabit?
-
OK, I think I'll just buy the quad core version; it's only $800 anyway. I won't use it for VMs though, I have two nice DL380s with better supported hardware and better specs :)
And I think I'll give the PT card a chance and see how it performs; it is an old card after all.
I only have a 30/30 Mb/s connection on the WAN side so that is not a problem; it's only between machines on the LAN that I need high speeds.
Thanks so much for your help,
-
If you are only planning to have a single internal interface, LAN, then the traffic through the box can only ever be 60Mbps total. In that case your hardware will be way way overspecified. You could easily pass that traffic with an Atom.
Since you clearly have a fair collection of hardware and services going on you may well want to segregate your network into, say, servers, clients, VoIP, wifi etc., in which case it would be slightly more justified.
Steve
-
The PT card will do just fine. Right now I'm using it in my PowerEdge 1950, which is currently servicing 1,400 college students; they're pushing it to a steady 400 Mbps and 40,000 PPS without it dropping a packet. I got 960 Mbps out of it for a sustained 5 minutes of testing using iperf before I deployed it in production.
-
Oh, I think I might have overlooked the most obvious problem with this setup.
So if device A was downloading data from server A while device B was downloading data from server B, then the 2 devices would each download at 31.25 MB/s? If so I might have to ask a new question; can I do it here or should I make a new topic?
I honestly don't know how to solve this problem, but couldn't I buy a 1Gb switch which had a single 10Gb port (optical?) which I hook up to my router, and thus up to 5 devices at a time would be able to draw the max 125MB/s?
Or is there some other option?
@vman: Thanks! :)
-
I don't totally understand your question. Where are devices A and B and servers A and B?
If you have only two interfaces in the firewall, WAN and LAN, then traffic between devices in the internal network does not flow through the firewall at all. Only traffic that flows in or out of the WAN goes through the firewall, and with your 30/30 Mbps connection that means the total firewall throughput, in both directions simultaneously, can be 60Mbps.
If you have multiple internal networks separated by multiple interfaces on the firewall then traffic between those networks obviously has to go through the firewall. That traffic could be at Gigabit wirespeed in both directions and you could have many connections between many interfaces so firewall hardware requirements are significantly higher.
So really it depends how many interfaces you're planning to have.
Steve
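The sizing rule Steve describes above (same-interface traffic is switched and never touches the firewall; only traffic crossing interfaces or the WAN is forwarded, and the WAN leg is capped by the link speed in each direction) is easy to get wrong when planning a segmented network. The following is an added example written for this page, not code from the thread or from pfSense; it is a small Python model that classifies each offered flow by the interfaces it crosses and returns an upper bound on the traffic the firewall has to forward. All interface names, link speeds and flows are constructed sample values.

```python
"""Estimate how much traffic actually crosses a two-or-more-interface firewall.

Added example for this forum thread (not pfSense code). The model:
  * a flow whose source and destination sit behind the same interface is
    switched locally and never reaches the firewall;
  * every other flow is forwarded, limited by the slower of the two links;
  * each interface can neither receive nor send more than its link speed.
The returned total is therefore an upper bound on forwarded Mbps, which is
what matters when deciding how much CPU / NIC the box needs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_if: str    # interface the sending host sits behind
    dst_if: str    # interface the receiving host sits behind
    mbps: float    # offered rate, src -> dst


def firewall_load(flows, link_mbps):
    """Return (ingress per interface, egress per interface, total forwarded).

    link_mbps maps interface name -> link speed in Mbps (sample values,
    e.g. {"WAN": 30.0, "LAN": 1000.0}).  Per-interface counters are capped
    at the link speed; the total is the smaller of total ingress and total
    egress so oversubscribing one link does not inflate the estimate.
    """
    ingress = {name: 0.0 for name in link_mbps}
    egress = {name: 0.0 for name in link_mbps}
    for f in flows:
        if f.src_if == f.dst_if:
            continue                      # switched locally, never routed
        # A flow cannot exceed the slower of the two links it crosses.
        effective = min(f.mbps, link_mbps[f.src_if], link_mbps[f.dst_if])
        ingress[f.src_if] += effective    # enters the firewall here
        egress[f.dst_if] += effective     # leaves the firewall here
    for name, speed in link_mbps.items():
        ingress[name] = min(ingress[name], speed)
        egress[name] = min(egress[name], speed)
    total = min(sum(ingress.values()), sum(egress.values()))
    return ingress, egress, total


def wan_only_bound(down_mbps, up_mbps):
    """Ceiling when LAN is the only inner interface: nothing but WAN traffic
    is routed, so the firewall can never carry more than down + up."""
    return down_mbps + up_mbps


if __name__ == "__main__":
    # Scenario 1 (constructed): 30/30 WAN, one LAN.  Two hosts copying a
    # file between themselves at 900 Mbps never touch the firewall.
    links = {"WAN": 30.0, "LAN": 1000.0}
    flows = [
        Flow("LAN", "LAN", 900.0),   # host-to-host on the same switch
        Flow("LAN", "WAN", 200.0),   # upload, capped by the 30 Mbps WAN
        Flow("WAN", "LAN", 200.0),   # download, capped by the 30 Mbps WAN
    ]
    _, _, total = firewall_load(flows, links)
    print(f"single LAN: {total:.0f} Mbps forwarded "
          f"(bound {wan_only_bound(30.0, 30.0):.0f})")

    # Scenario 2 (constructed): servers and clients on separate interfaces,
    # so the same file copy now has to be routed at gigabit speed.
    links = {"WAN": 30.0, "SERVERS": 1000.0, "CLIENTS": 1000.0}
    flows = [
        Flow("SERVERS", "CLIENTS", 900.0),
        Flow("CLIENTS", "SERVERS", 900.0),
    ]
    _, _, total = firewall_load(flows, links)
    print(f"segmented: {total:.0f} Mbps forwarded")
```

The two scenarios in the `__main__` block are the thread's own cases: with WAN plus a single LAN the model never exceeds 60 Mbps however fast the internal hosts talk, while splitting servers and clients onto separate interfaces pushes 1800 Mbps through the same box, which is why the answer to "how big a box" depends on the interface count rather than the switch speed.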