Netgate Discussion Forum

    1u rack mount recommendations

    26 Posts 9 Posters 6.6k Views
    • justsomeone

      WAN bandwidth 50mbit - 100mbit. Yes I would like 1Gbps between internal interfaces. I'm thinking 4 NICs.

      "Bad shit happens to drunk people."

      • stephenw10 Netgate Administrator

        Ok, so to get 1Gbps throughput you will need something like a Celeron G530 or better, not a particularly tough requirement. However that's just for firewall/NAT and just between two interfaces. Adding IDS/IPS (Snort) to that, either simultaneously on WAN traffic or on internal interfaces, will require considerably more horsepower. Do you need IDS on internal interfaces at 1Gbps?

        Steve

        • justsomeone

          Not a particular requirement, but I would like to be able to if possible.

          "Bad shit happens to drunk people."

          • Guest

            http://store.pfsense.org/c2758/

            • justsomeone

              While that looks really promising gonzopancho, it's rather expensive. Just quickly looking at eBay I can get some rather capable hardware for considerably cheaper ($100-$300), I just have to make sure the hardware is compatible and configure it myself.

              "Bad shit happens to drunk people."

              • stephenw10 Netgate Administrator

                Anything that is 1U rack-mount and that price is probably going to be old enough to be compatible.  ;)
                Things to avoid in server hardware might be rare and expensive disk controllers and NICs with fancy features like LAN-bypass. The current pfSense version is built on FreeBSD 8.3 which is a couple of years old now and FreeBSD hardware support generally lags Linux (for example) anyway. Try to avoid anything super new, though the Rangeley Atoms are now supported as Jim mentioned above.
                Probably easier if you suggest a piece of hardware and we advise you on it.

                Steve

                • cwesterfield

                  http://goo.gl/bTgI01

                  You can get away with a server for your budget, you even get a 1 year warranty.

                  Too loud for my needs, but might work out for you.

                  • justsomeone

                    Don't the Dell PowerEdge 1950 G2's have Broadcom NICs? I've heard that there are some issues with Broadcom.

                    "Bad shit happens to drunk people."

                    • mcdonnjd

                      I'm quite happy with my WatchGuard. You can find some good deals on them on eBay.

                      • justsomeone

                        Interesting, haven't really thought of that, nor do I know much about them. What are the advantages/disadvantages of using a firebox over a rack unit? What is involved in getting a firebox configured with pfSense?

                        "Bad shit happens to drunk people."

                        • bennyc

                          @justsomeone:

                          What are the advantages/disadvantages of using a firebox over a rack unit?

                          Advantages? I'll speak for myself in this case… ;)
                          It was free. It's rack mountable. You can run nano on it, so storage is cheap. Power requirements vs Performance is good. Many interfaces. Can do quite some stuff even if you leave the HW in its default config.
                          Disadvantages?
                          It requires some tweaking to get it installed (following instructions), so be prepared for a learning curve.
                          You may want to add memory on the stock models, and possibly swap cpu (depending on your needs). Full install is a challenge if you should want that, hd bays and appropriate connectors are not always present. It's loud (but that's less an issue if you want to put it in a rack).

                          @justsomeone:

                          What is involved in getting a firebox configured with pfSense?

                          Euhm… keep being nice to Steve, he invested heaps of time supporting the community on getting these WatchGuard boxes going with pfSense ;D
                          Other than that, browse through the different threads here (x550, x750, xtm, ...), there is good info to find, and look around for a box...

                          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                          1x PC Engines APU2C4, 1x PC Engines APU1C4

                          • stephenw10 Netgate Administrator

                            The different firebox models require various amounts of tweaking to get pfSense installed. The cheaper and more commonly available X-e boxes will not manage 1Gbps, even after upgrading the CPU. You would need to use an XTM5 to get that and they're not too common, yet.
                            The WatchGuard boxes offer Atom-like performance but with 8 NICs in a nice rack mount box for low cost.

                            See: https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox

                            Steve

                            • cmb

                              @justsomeone:

                              While that looks really promising gonzopancho, it's rather expensive. Just quickly looking at eBay I can get some rather capable hardware for considerably cheaper ($100-$300), I just have to make sure the hardware is compatible and configure it myself.

                              Depends on what your time is worth, and what downtime costs. If it's just a home setup, and you have all kinds of time to mess with it and minimal money, then yeah maybe you're best suited by the eBay route. Lot of old servers that work well, especially Dell and HP used by a lot of folks here, though those boxes are loud, extremely power-hungry, and generate a lot of heat.

                              Where you want a combination of hardware that's known-solid, with a custom config out of the box optimized for the hardware including pulling custom updates specific to that hardware so you always have the most optimal settings, have the assurance of new versions being validated on the hardware before release, and get support included, the platforms we offer are really hard to beat.

                              • cmb

                                @justsomeone:

                                Don't the Dell PowerEdge 1950 G2's have Broadcom NICs? I've heard that there are some issues with Broadcom.

                                They do have Broadcom NICs, as do quite a few of the other Dell models people use. They're very good NICs, solid performance, reliable. The only issue I'm aware of there is in 8.3 base versions (2.1.x releases), they don't support jumbo frames because of a driver issue. That does work in 2.2 though, and isn't an issue in the majority of firewall use cases.

                                • justsomeone

                                  I'd love the known rock-solid hardware with custom updates & support, but from what I see that is a wee bit over my budget.

                                  Right now I'm looking at the Dell 1950 G3's & G2's (2 port), likely with 16 gigs of RAM and an SSD. Then I'm planning on adding a 4 port Intel GB NIC.

                                  "Bad shit happens to drunk people."

                                  • stephenw10 Netgate Administrator

                                    Even running Snort you're unlikely to need 16GB of RAM.

                                    Steve

                                    • BBcan177 Moderator

                                      Hey Steve,

                                      On one of my boxes, I am testing Snort (blocking mode) and Suricata (passive mode) and it's using about 8GB of memory for two interfaces with fully loaded rulesets. Not a typical setup but I am also not using Squid.

                                      btw - I really want to know if that's you in your Avatar! Always been wanting to ask lol…

                                      "Experience is something you don't get until just after you need it."

                                      Website: http://pfBlockerNG.com
                                      Twitter: @BBcan177  #pfBlockerNG
                                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                      • stephenw10 Netgate Administrator

                                        Well I'm sure you could use 16GB, or at least >8GB, if you try but it shouldn't be necessary IMHO. If I were looking at second hand servers I wouldn't be looking for 16GB specifically.

                                        Yes that's me in my avatar.  :)

                                        Steve

                                        • justsomeone

                                          So maybe to be on the safe side bump it up to 24 gigs of ram?

                                          "Bad shit happens to drunk people."

                                          • BBcan177 Moderator

                                            @stephenw10:

                                            Yes that's me in my avatar.  :)

                                            Steve

                                            Nice!

                                            "Experience is something you don't get until just after you need it."

                                            Website: http://pfBlockerNG.com
                                            Twitter: @BBcan177  #pfBlockerNG
                                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.