Intel NUC + switch. Is this possible?
-
Hi guys, I´ve been looking for a cheap pfsense box to run my small company network. What I want to accomplish is the following:
set up 6 different VLANs:
VLAN 1: 192.168.10.0/24 - wired to my intel NUC that serves as a apache web server
VLAN 2: 192.168.20.0/24 - wired to my intel NUC that serves as my Asterisk PBX server and IP Phones
VLAN 3: 192.168.30.0/24 - wired to my internal network - no VPN needed
VLAN 4: 192.168.40.0/24 - wired to my axis cameras network
VLAN 5: 192.168.50.0/24 - wired to my WiFi router so my clients can access the internet
VLAN 6: 192.168.60.0/24 - wired to my network - OpenVPN server to connect in the futureI just love intel NUC as they are cost effective and have a pretty small footprint.
I intend to get another intel NUC based on Celeron N2820 2.13 GHz + 4Gb RAM + 32GB HD (total cost on Amazon will be less then $250) to run PfSense in order to get these running.
As the intel NUC have just 1 gigabit NIC I was told to get a 8 port managed switch to connect all my network to as above:
port 1: Apache web server (Vlan 1)
port 2: unmanaged switch (I already have) connected to Asterisk Server + IP Phones (Vlan 2)
port 3: unmanaged switch (I already have) connected to my local network (Vlan 3)
port 4: wired to my Cisco Catalyst 2960C 12-PORT Fe Poe connected to my Axis cameras (Vlan 4)
port 5: wired to my WiFi router (Vlan 5)
port 6: save for the future
port 7: connected to my 50MBit internet provider
port 8: connected to a NUC with PfSense runningMy main idea is to get this PfSense box to control and protect my network, isolate my Asterisk server, Apache server and local networks from each other while sharing the same internet.
In the future I´d like to add a Open VPN server to be able to connect remotely to my network from my home and maybe a second internet provider so I can increase upload/download speeds.PfSense will allow me to do all that, right? Is this setup correct?
I need to get this 8 port switch to connect all of these. Do I need a layer 2 or layer 3 switch? I was told to get a Cisco SG200-08 (arround $85 at amazon). Is this right or do I need a SG300-10 layer 3 switch that will cost me an additional $100 (10ports) ??
I was also told to get a Netgate m1n1wall insted of a intel NUC but it will cost me almost the same ($ 220) but with a way slower processor and a larger power consumption. Am I in the right way over here?
Pls sorry for my broken English…
kind regards
-
You do not need a Layer 3 switch. In fact, depending on how you configure it, that could result in your equipment talking without pfSense isolating everything as you wanted. You want a switch that supports vLANs, that's it. Based on the specs, the SG200 is fine, though I don't have any personal experience with it.
One thing you should note is that by only using a single NIC you are going to limit the throughput between the devices on different networks as everything will need to go through pfSense.
On the m1n1wall, that system will not draw more power than a NUC but it is considerably slower. If you get one of those expect total throughput of about 85Mbit/s.
-
I used to have a Cisco SD2008 switch (not the smart model) and had bad overheating problems with it.
Some ports had random disconnects (like plugging the cable back and forth) and some ports wouldn't connect at more than 100Mbps for certain periods of time. Replugging the cable restored 1Gbps speed for a while. It was rather unreliable - mostly because (I think) it ran pretty hot. Note that I was trying to use most ports at 1G, and one single port at 100M.
I still have a couple of SD208 pieces running, these are only 100M, they work OK, but still tend to warm considerably.I think these small soho Cisco switches are poorly designed in the aspect of cooling. Their chassis is too small and holes are too rare in order for the electronics inside to get a proper ventilation.
-
Hi Jason, thanks for the reply!
One thing you should note is that by only using a single NIC you are going to limit the throughput between the devices on different networks as everything will need to go through pfSense.
even if I get a 2 NIC (or 3 NIC) as Netgate or any other I will get to connect just 1 port of it to my switch and all traffic will need to pass through the other NIC port anyway right? What´s the advantage of that config?
If I understand correctly my setup with a netgate would be:
internet provider connected to first NIC
switch connected to second NICall other devices connected to my switch.
It seems almost the same…. everything will need to route through first NIC....
Am I missing something?
kind regards
-
even if I get a 2 NIC (or 3 NIC) as Netgate or any other I will get to connect just 1 port of it to my switch and all traffic will need to pass through the other NIC port anyway right? What´s the advantage of that config?
If you're only ever going to hook up one NIC for your internal network then it doesn't matter how many NICs your system has.
My point still stands though. If you're using a single NIC with 6 vLAN tags then your MAX throughput will be lower than if you had 6 NICs with 1 vLAN tag each, 3 NICs with 2 tags each, etc. With a single NIC you're limited to 1 Gbit/s in and 1 Gbit/s out aggregated across all vLANs.
-
Would that processor be able to route / filter more than 1Gbps to begin with?
-
How can I measure my routing needs? external connection to the net is just 50Mbits …
-
I just love intel NUC as they are cost effective and have a pretty small footprint.
I intend to get another intel NUC based on Celeron N2820 2.13 GHz + 4Gb RAM + 32GB HD (total cost on Amazon will be less then $250) to run PfSense in order to get these running.
Yes, NUC have a small footprint. It's an intriguing product and I also do believe some (esp. the inexpensive lower-end models) can be cost effective for some tasks. And yes, you should probably be able to make this work. However, I personally believe the NUC is just the wrong device for this job, i.e. as a routing / pfSense machine.
Or, to put it more precisely, $200+ on a NUC seems a lot of money spent on a totally "sub-optimal" tool to me (for this particular use case, mind you).
Just as a heads-up: from what I gathered, the Intel NUC DN2820FYKH uses a Realtek RTL8111G NIC - which I suppose there isn't any support included for in current pfSense builds (though it seems that you can - somehow - compile your own driver and make it work):
https://forum.pfsense.org/index.php?topic=65355.0
-
Or, to put it more precisely, $200+ on a NUC seems a lot of money spent on a totally "sub-optimal" tool to me (for this particular use case, mind you).
what options do you suggest with a small footprint and enough power for less then USD250? PfSesnse store offer a similar product VK-T40E2 Firewall Router Security Appliance
at $449.00!!! Almost the same processor power for twice as much !!! Of course there are Intel NICs and memories but still a lot to pay considering the product differences…kind regards
Gustavo -
I use a NUC (the 4th gen Haswell i5 one) with 16GB ram and a 120GB m-sata drive as my pfSense development station. :-)
I ran a NUC with an i3 in it for a "pfSense box" (booting off USB) for a while (at home). I'm currently using the VK-T40E2, but that's more of a dog-fooding exercise.
-
what options do you suggest with a small footprint and enough power for less then USD250? PfSesnse store offer a similar product VK-T40E2 Firewall Router Security Appliance
at $449.00!!Rebranded PC Engines APU1C.
Alternatively:
http://store.netgate.com/NetgateAPU2.aspxThere might some differences in detail.
Also beware, the linked wall mount bracket is not recommend by manufacturer (for the APU's higher thermal envelope).I know, it's more than $250. But rather closer to it.
-
You really have to define what you're after more closely.
You have only a 50Mbps WAN so, yes, in theory the m1n1wall (ALIX) will pass that no problem. It has ~85Mbps capability. However if you want to run any packages you will soon see a restriction below 50Mbps. More importantly all your inter-VLAN traffic will have to go through the pfSense box and you may well want that to be >50Mbps.Would that processor be able to route / filter more than 1Gbps to begin with?
No I don't believe it could. If you look at the Celeron N2820s single thread performance it's very close to a Pentium-M at 17GHz. I have that chip and it can manage ~650Mbps. The Celeron will be slightly faster since it can offload other processes to other cores. I have to say I'm not sure I can believe that benchmark figure, I expect it to be much faster. ???
Steve
Edit: typo
-
Rebranded PC Engines APU1C.
Alternatively:
http://store.netgate.com/NetgateAPU2.aspxBut these devices also feature Realtek NICs. Are they supported on PfSense?
The 1 GHz Dual Core AMD G Series can handle how much traffic?
-
More importantly all your inter-VLAN traffic will have to go through the pfSense box and you well want that to be >50Mbps.
That's why I wouldn't feel good about having only one NIC, and a Realtek at that. Also, there doesn't seem to be any sensible way of expansion later.
-
Rebranded PC Engines APU1C.
Alternatively:
http://store.netgate.com/NetgateAPU2.aspxBut these devices also feature Realtek NICs. Are they supported on PfSense?
The 1 GHz Dual Core AMD G Series can handle how much traffic?
I think 'rebranded' is a bit strong, but … whatever.
Yes, pfSense supports the Realtek NICs on the APU board(s).
The issue with throughput seems to be limited by the NICs, not the CPU, but as always, YMMV.
-
More importantly all your inter-VLAN traffic will have to go through the pfSense box and you well want that to be >50Mbps.
That's why I wouldn't feel good about having only one NIC, and a Realtek at that.
Huh? If the CPU can't push more than 50mbps to begin with, what do you think you'll gain from having multiple NICs vs. VLANs on a single NIC?
-
More importantly all your inter-VLAN traffic will have to go through the pfSense box and you well want that to be >50Mbps.
That's why I wouldn't feel good about having only one NIC, and a Realtek at that.
Huh? If the CPU can't push more than 50mbps to begin with, what do you think you'll gain from having multiple NICs vs. VLANs on a single NIC?
To differ on this: if you don't need much hocus-pocus between the vlans (traffic shaping, limiting, policy-based routing, extensive acl's, or any other goodie from pfSense) go with a L3 switch, and let that one do the intervlan routing. Way more effective. Then you're less restricted on what to use for pfSense HW?
-
In this case I suppose the better option would be a 4+ port box. Any suggestions with a small size and power requirements gigabit NIC for under USD 300?
Is this product a good offer considering its price target? http://www.amazon.com/gp/product/B00ESMUF7O/ref=olp_product_details?ie=UTF8&me=&seller=
kind regards
-
You could also go for a Layer3 switch, and have routing between VLANs done by it. That will save your NUC from a lot of traffic, it will only handle access between WAN and the VLANs.
-
Huh? If the CPU can't push more than 50mbps to begin with
Why shouldn't it?
Even the (in terms of performance) ancient ALIX' 500MHz Geode can push more than 50mbps.
The Celeron should be capable of multiple times higher throughput.I think shoehorning all traffic through one NIC is definitely not going to help with performance.
Also, I believe there are some practical considerations why a 2- or 3-port device is preferable (management access, dedicated WAN).L3 switch seems a sensible idea as well, if budget allows.
