Netgate Discussion Forum
    Trying to get off cheap, not sure the minimal requirements.

    cwesterfield

      My wife's workplace needs a networking update. Details can be found here.

      Many people in the chatroom said that pfsense could easily do what I'm after.
      I have attached the diagram of what I'd like to put in place.

      Here's what I'd like to run on the device:

      • 20M down | 5M up at both locations

      • Monitoring (Nagios?)

      • Some kind of visual for networking stats

      • VLANs

      • VPN P2P for the two sites, routing the sites together as explained in the diagram

      • VPN for outside access to each site

      • Content Blocking (Public networks); this is not certain yet

      • Captive Portal for wifi

      • Snort (IDS for public networks and IPS for WAN networks)

      • HAVP

      • Some sort of directory connection for the captive portal. I'm not yet sure, but I think the circulation server has an LDAP server for logins.

      • Any other features you guys might think would make life easier.

      I need to buy some hardware. I want to keep it as cheap as possible, as it's a very rural library with budget concerns. I understand that the amount of packages will need more than super old leftover hardware. I will need two of whatever I get. Currently the libraries have 12M down | 1M up.

      I'm thinking TP Link switches, and ubiquiti APs. For the pfsense device, I'm not sure the best bang for the buck.

      Would a shuttle build like this be the best choice?
      Item                                          Price     Link
      Shuttle XH61V                                 $184.79   http://goo.gl/mduCpT
      Intel Pentium G2130                           $72.99    http://goo.gl/LIlbo0
      Kingston SSDNow V300 Series SV300S37A/120G    $54.99    http://goo.gl/vSBes
      WD Blue WD3200LPVX 320GB 5400                 $49.99    http://goo.gl/lzgK3w
      Crucial 8GB (2 x 4GB) 204-Pin                 $72.99    http://goo.gl/ZI5pWD
      Total                                         $385.76

      Should I just buy two of these? http://goo.gl/1RCIe8

      On reddit, it was suggested to buy a SuperMicro A1SRi-2758F board. This would be a bit more expensive than the shuttle build, but if it's what I need I can slowly get parts.

      Rack mount is not necessary, currently there are no racks.

      Where's the most bang for my buck that will allow the best experience? What am I not thinking of?
      [Attached image: Plan.jpg, the network diagram referred to above]

      divsys

        Depending on where the gear has to live (mainly how close to people that hate noise) you might want to look at some of the decommissioned Poweredge servers that are flooding ebay, craigslist, etc.

        Pros
          • very cheap, I often find Poweredge 850's or 1425's available for $50 or less (especially if you find someone trying to dump 5 or so): "Make an offer"
          • respectable hardware, often 2.66-3.2GHz dual core, dual processor or both. RAM easily up to 4GB, some models up to 16.
          • reliable, designed to run forever
          • spare parts in abundance
          • often come w/2 1Gb NICs, take PCI-X expansion cards

        Cons
          • They're huge, designed to fit in 4 post 19" racks, although I've had good success mounting them vertically in a wall mounted Right Angle rack.
          • They're noisy, and if the room they're in gets warm, the fans can spool up till it sounds like a jet taking off.
          • They're power hungry for the relative performance they deliver, not really a performance issue for pfSense but it does add to the cost of operation.

        Overall I find them a great choice for many environments, enough so that I keep a few around just as cold spares when something eventually dies.

        Worth a look...

        -jfp

        cwesterfield

          @divsys:

          They're noisy, and if the room they're in gets warm, the fans can spool up till it sounds like a jet taking off.

          In one location the noise is no problem but the size and heat is.
          In the other location, noise is a factor.

          I had been looking on servermonkey as well. I also looked at the refurbed desktops on tigerdirect, but I'm not really sure of the minimum specs for what packages I want.

          divsys

            Realistically 20/5 bandwidth should run on just about anything.

            The only things in your spec sheet that add any requirement beyond a basic 1.5GHz, 1GB RAM system would be the Snort and (perhaps) HAVP.

            For those (especially Snort) the ability to expand RAM would be key, if you can get to 4GB or 8GB in a system, you'll have some breathing room.

            A little faster (2.5GHz-3GHz) CPU will also help, although the dual/quad/etc core processors won't help a heap until we see ver 2.2 of pfSense.

            I just saw another post linking to http://unixsurplus.com/products/rackable-servers?pagesize=40 which has some $99 servers with good specs for your application.

            You might also talk with the Library's IT dept (if there is such a thing) to see if there are any old workstations being changed out. Craigslist is another good source, very often what people consider a "junk" workstation for running Windows 7 is a great platform for pfsense. The bonus being that you often find those old boxes for next to free.

            Just for info, what part of the world are you in?

            -jfp

            stephenw10 (Netgate Administrator)

              I agree with what's been said, your requirements are not particularly demanding so a wide variety of hardware will meet them.

              The Supermicro boards you linked to will definitely do everything you need without breaking a sweat. Better still, those same boards (or similar) are used in the boxes shipped by ESF, so they will be well supported.

              I personally wouldn't use a Kingston SSD. Try to get one that has on-board caps to prevent data corruption if you can.

              The Celestix appliances would probably meet your requirements and you'll get no argument from me against reusing hardware but those Pentium-Ds are notoriously power hungry and inefficient.

              What sort of bandwidth do you need over the VPN? That's likely to be the greatest CPU load if you need 20Mbps.

              Steve

              cwesterfield

                @divsys:

                You might also talk with the Library's IT dept (if there is such a thing) to see if there are any old workstations being changed out. Craigslist is another good source, very often what people consider a "junk" workstation for running Windows 7 is a great platform for pfsense. The bonus being that you often find those old boxes for next to free.

                Just for info, what part of the world are you in?

                I have inherited the role of Library IT dept. :)

                I'm in Rural South Central Kentucky.

                @stephenw10:

                I personally wouldn't use a Kingston SSD. Try to get one that has on-board caps to prevent data corruption if you can.

                The Celestix appliances would probably meet your requirements and you'll get no argument from me against reusing hardware but those Pentium-Ds are notoriously power hungry and inefficient.

                What sort of bandwidth do you need over the VPN? That's likely to be the greatest CPU load if you need 20Mbps.

                Steve

                Would a SSD be supremely beneficial? I meant to put that as an OR choice.

                I'm happy to stick with the shuttle or even spend a bit more, it just lengthens the timeline.

                The P2P VPN is needed for the circulation software and printing between buildings. My guess is 3M would be plenty.

                The personal VPN would be for getting to the camera system and circulation servers for maintenance. Screen sharing/remote desktop would be the biggest role. Not sure how much that uses, but I doubt it would be in the 10M range.

                stephenw10 (Netgate Administrator)

                  An SSD provides three advantages in a pfSense box: less power, less heat and more speed. Since you are considering large appliances, power and heat are probably not a huge issue for you. Drive I/O speed is only really an advantage if you're running Squid with a large cache; otherwise most stuff runs from RAM, so you only see a reduced boot time.
                  To give you some sort of idea an Atom D525 can push around 50Mbps of VPN traffic but that's without Snort or HAVP. I would expect it to meet your specs but I've never tested that particular configuration.

                  Steve

                  Elludium_Q-36

                    @cwesterfield:

                    I have inherited the role of Library IT dept. :)

                    …

                    Screen sharing/remote desktop would be the biggest role. Not sure how much that uses, but I doubt it would be in the 10M range.

                    If by "Screen sharing/remote desktop" you mean a Zero Client/Thin Client model, either:

                    • "multi-seat" where an instructor can control and interact, remotely with students' sessions/desktop environment, for a classroom setting.

                    OR

                    • "Multi-User", where each station can be on its own OS, or switch between multiple Operating Systems, in segregated user-space & storage.

                    Then, I've actually done a good amount of the homework, on that.

                    You, and those controlling the purse strings, should really have a look at the following book, at least chapters one through five.
                    -------------------------------
                    Linux Thin Client Networks Design and Deployment: A quick guide for System Administrators
                    By: David Richards
                    ISBN: 1847192041    ISBN-13: 9781847192042
                    Publisher: Packt Publishing (2007 AUG 20 MON)  http://www.packtpub.com/
                    Paperback | 176 Pages | List Price: $39.99 (USD) | Sales Rank: 1512657
                    Product Dimensions: 9.1 x 7.5 x 0.6 inches

                    http://www.amazon.com/Linux-Client-Networks-Design-Deployment/dp/1847192041
                    https://www.packtpub.com/linux-thin-client-networks-open-source/book
                    ------------------------------------------

                    It illustrates how you really need to go Gigabit.  MAYBE, just MAYBE, you could squeak by with 100M, but it will eventually bite your tail-feathers.  The book recommends going fiber optic.  That usually comes withOUT the low distance limits of cat 5/6/7.  I'd be willing to bet you can find a box/reel of simple fiber pair that's much cheaper than quality ethernet cable, plus it should be easier and simpler to learn to make patch connections.


                    You could do it in stages.  I'd make sure your pfSense box was fiber ready:
                    http://en.wikipedia.org/wiki/Small_form-factor_pluggable_transceiver
                    http://en.wikipedia.org/wiki/QSFP
                    But, for true thin client/zero client systems, you really need available LAN/VPN bandwidth, for the graphics.


                    Lower priced Thin Client / Zero Client devices are now available, about the size of a hockey puck.  But you can repurpose an old PC.
                    http://en.wikipedia.org/wiki/Thin_client#Repurposing_a_PC_as_a_thin_client


                    They did go fully closed source, commercial, but one model to look at is NoMachine's NX implementation.
                    http://en.wikipedia.org/wiki/NX_technology#Clients
                    That article mentions open source alternatives, in the works.


                    If your library needs something "turn key", for the thin/zero client system; there is Userful:
                    http://www.userful.com/public-computing#view1
                    http://en.wikipedia.org/wiki/Userful#Software_Products_and_Zero_Client_Software_Products

                    A book has been published, on the Userful system, compiled mainly from online sourced material:
                    ---------------------------
                    Userful

                    by:
                        Lambert M. Surhone (Editor),
                        Mariam T. Tennoe (Editor),
                        Susan F. Henssonow (Editor).
                        ISBN 10: 6136400669
                        ISBN-13: 9786136400662
                        Publisher: Betascript Publishing  http://betascript-publishing.com/
                        Publication date: 7/8/2011
                        Pages: 120
                        Product dimensions: 0.28 (w) x 6.00 (h) x 9.00 (d)

                    The Barnes & Noble page lists it at $53.36

                    http://www.barnesandnoble.com/w/userful-lambert-m-surhone/1104216871?ean=9786136400662
                    --------------------------------------


                    Also worth mentioning is LTSP, the Linux Terminal Server Project


                    If you have a bunch of old PC/desktops around, you could do a "fat client" system:
                    http://en.wikipedia.org/wiki/Linux_Terminal_Server_Project#Fat_clients
                    It's said to be less of a bandwidth hog, if, for nothing else, by reducing the graphics load on the network.



                    :)

                    Derelict (LAYER 8 Netgate)

                      Hardware choices notwithstanding, I would like to comment on your IP scheme. To me it doesn't make much sense to have 192.168.1,10,30,50 in one location and 192.168.20,40,60 in the other.

                      It would make more sense to have 192.168.1,10,30,50 in one location and 192.168.70,80,90 in another.  That way you could cover all subnets in the other location from both sides with one route (in OpenVPN, IPsec phase 2, etc.)

                      Site 1 could reach everything at site 2 with 192.168.64.0/18 and site 2 could reach everything at site 1 with 192.168.0.0/18

                      Just a thought.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
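Derelict's summarisation point, worked through with Python's ipaddress module as an added example (not from the thread): for each site it widens the first /24 one prefix bit at a time until every subnet fits, then checks whether the two summaries stay disjoint so each can be the single route across the tunnel. With the diagram's interleaved ranges both sites collapse to 192.168.0.0/18 and collide; with 1/10/30/50 against 70/80/90 the tightest covers are 192.168.0.0/18 and 192.168.64.0/19 (the 192.168.64.0/18 in the post is a wider prefix that also covers site 2 and leaves room to add subnets).

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def site_networks(third_octets: Iterable[int]) -> List[Net]:
    """Build one site's /24s from the third octets used in the thread (e.g. 1, 10, 30, 50)."""
    return [ipaddress.ip_network(f"192.168.{o}.0/24") for o in third_octets]


def summary_route(nets: List[Net]) -> Net:
    """Smallest single prefix that contains every subnet of a site."""
    if not nets:
        raise ValueError("a site needs at least one subnet")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # drop one prefix bit: /24 -> /23 -> /22 ...
    return summary


def one_route_per_site(site_a: List[Net], site_b: List[Net]) -> Tuple[Net, Net, bool]:
    """Summaries for both sites, plus whether each can serve as the single VPN route.

    The scheme is clean only if neither summary swallows a subnet of the other site;
    with interleaved ranges the summaries overlap and no single route can work.
    """
    sum_a, sum_b = summary_route(site_a), summary_route(site_b)
    clean = (not any(sum_a.overlaps(n) for n in site_b)
             and not any(sum_b.overlaps(n) for n in site_a))
    return sum_a, sum_b, clean


def route_covers(route: str, nets: List[Net]) -> bool:
    """True when a hand-picked route such as '192.168.64.0/18' contains every subnet."""
    r = ipaddress.ip_network(route)
    return all(n.subnet_of(r) for n in nets)


if __name__ == "__main__":
    site1 = site_networks([1, 10, 30, 50])
    for label, site2 in (("diagram scheme", site_networks([20, 40, 60])),
                         ("proposed scheme", site_networks([70, 80, 90]))):
        s1, s2, clean = one_route_per_site(site1, site2)
        print(f"{label}: site1 -> {s1}, site2 -> {s2}, one route per site: {clean}")
```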
