PfSense with 1 NIC + managed switch = ?
-
@pf2.0nyc:
That laptop + switch idea is a disaster waiting to happen. It'll be more headache than its worth in my opinion.
For reference…
I have been using a Dell Optiplex GX520 to run the latest x86-RELEASE since 1.2.3-RELEASE without hiccup or issue. Yes they use a bit more power but in reality it probably isn't much more than your laptop + switch... You are probably going to use a switch regardless so the power consumption differential is between the laptop and the PC. My business partner and I have a small company with a few employees and I host two 25-u racks in my basement behind this setup. The family also uses the wifi and internet bandwidth as well. I have a second machine on cold standby but not in HA Failover.Specs:
Either 3.0 or 3.2ghz Pentium 4 single core CPU (With HT)
2.0GB of RAM
80GB WD Raptor HDD (came OEM with the machine)
1x Broadcom 57xx Gigabit Ethernet on motherboard (for LAN + VLANs)Add-in cards: (All PCI)
2x Intel Pro 1000 GT NICs (for WAN1 and WAN2)
1x Cisco/Aironet AIR-PI21AG-A-K9 a/b/g Wireless adapterThe machine has a fairly small footprint and gives me everything I need to run squid + snort + two SSID's and five VLAN's.
I've spent far too much time on this post but for further reference I went on eBay and priced it all out...
++Optiplex GX520 (desktop, not to be confused with the Mini-Tower form factor) machine: $40 shipped (there are active buy-it-now listings for $39.99 + free shipping)
++Wireless adapter: $15 shipped
++Intel Pro 1000 GT NIC: Less than $15 shipped, some go for as low as $6. (priced below at $30 for two)$85 (or less) shipped to your door
You could use the Small Form Factor chassis (two Low Profile PCI slots vs. two full-height and one LP in the Desktop chassis) and look for one without a floppy or CD/DVD drive (less power consumption and cheaper). Those look like they can be had on eBay for closer to $20 shipped so if you get a good deal on the PCI cards you could reasonably pull it off for <$50 shipped. You would then have a proper setup AND trust me, it would be money well spent in the long run compared to the headaches of a laptop + switch. You will probably spend more than $50 mucking around with those Express Card/USB >> Ethernet adapters than buying what I listed above.
Also, it was unclear as to whether or not you own the Cisco SG300 switch currently or not. You can get a Dell PowerConnect 2816 switch on eBay for closer to $75. Dell's management GUI is a bit of a PITA and in my opinion the Dell is inferior to the Cisco you listed... but to my knowledge that switch does support trunking (something I assume you will want for your ESXi host --2700 series DOES NOT support trunking).
All in, for the same or less cost of the Cisco SG300 switch and the adapters you may end up with... you could have a much better setup.
Good Luck!
However not everybody lives in NA…
I do adore the idea of using an old desktop but I do not have one nor can I easily get one cheap. Well if I spend some time looking around I can find one cheap, but that probably will not be a good looking case, and the power consumption on old desktop PC is always a concern...in short, it is too much randomness.
And I have the laptop already, it is going to retire anyway, so why would I bother to buy another piece of equipment which is likely to die in another 2 or 3 years, makes more noise, takes more place and consumes more power? Plus the time spent online hunting for a good deal...
Anyway, thanks for the advice and I am considering buying an adapter for my laptop to have one more NIC. Probably will use a USB3.0->RJ45 adapter and connect that one to modem. Even though I do not have USB3.0 on my laptop, USB2.0 should be fast enough just for the internet connection(no affordable 1Gbps intgernet here lol). Then the native RJ45 will be connected to the switch...hmm sounds like a plan.
As for the switch, I choose to go with Cisco because they are sort of the standard in networking world and I want to get hands on such a switch in real life.
-
Hairpinning with a switch is better than USB NICs.
-
Hairpinning with a switch is better than USB NICs.
The reason being?
I never played with a USB NIC before…
-
usb nics pretty much blow, and its a OLD laptop you ay - so highly doubt usb 3 ;)
Why can you not leverage your esxi box?? Would make it cleaner, would make it less power, etc.. You can get a dual or quad nic for it cheap..
While I love my sg300, keep in mind it is not the typical enterprise ios that runs on their enterprise line - this ios is different. While many of the commands are the same - there are differences to be sure.
-
USB NICs, under FreeBSD at least, are unpredictable. A quick look through the forum will show the many, many threads with people having problems with USB. I would choose a router-on-a-stick setup over USB.
There are people running both types of setup without any issues.There are several reasons not to use a router-on-a-stick configuration:
If you're completely unfamiliar with VLANs then setting it up may prove frustrating depending on what switch you use.
The bandwidth through pfSense will be reduced as all your traffic has to travel in both directions along a single ethernet connection. However if your WAN connection is relatively low speed and the connection to the switch is gigabit this is unlikely to be a restriction.
There's a security risk. If your switch should forget its settings for some reason you could end up with the WAN connected directly to the LAN. This is a pretty minimal risk in my opinion, i've never seen of heard of it happening, but you need to consider it yourself.There are much cheaper switches you can use.
Steve
-
usb nics pretty much blow, and its a OLD laptop you ay - so highly doubt usb 3 ;)
As I said, I do not have USB3.0 but USB2.0 should be enough for WAN. Then the native GbE connection can be used to route intranet traffic.
Why can you not leverage your esxi box??
Because I want to run pfSense in a separate box.
it is not the typical enterprise ios that runs on their enterprise line - this ios is different. While many of the commands are the same
Hmm that could be a deal breaker. Will keep it in mind.
-
USB NICs, under FreeBSD at least, are unpredictable. A quick look through the forum will show the many, many threads with people having problems with USB. I would choose a router-on-a-stick setup over USB.
There are people running both types of setup without any issues.There are several reasons not to use a router-on-a-stick configuration:
If you're completely unfamiliar with VLANs then setting it up may prove frustrating depending on what switch you use.
The bandwidth through pfSense will be reduced as all your traffic has to travel in both directions along a single ethernet connection. However if your WAN connection is relatively low speed and the connection to the switch is gigabit this is unlikely to be a restriction.
There's a security risk. If your switch should forget its settings for some reason you could end up with the WAN connected directly to the LAN. This is a pretty minimal risk in my opinion, i've never seen of heard of it happening, but you need to consider it yourself.There are much cheaper switches you can use.
Steve
Is it a compatibility issue or something?
I am still considering which switch to buy and watching for good deals.
-
Is what a compatibility thing? USB?
-
Yes, its a compatibility thing. Drivers.
BSD and Linux doesn't work well with manufacturers who change chipsets like people change underwear.
And even when you get lucky, its still USB, so still not great compared to everything else.
-
we've build a pfsense on a old desktop ( HP sf5000 or something) only one nic.
in our case we were able to install the free version of ESXi on the desktop and installed Pfsense as an vm.
connected the NIC to a managed switch (HP procurve 1810-24g)
added 3 vlans
vlan 4 ( WAN)
vlan 10 (LAN) ip 192.168.17.254
vlan 20 (OPT1) ip 10.0.10.254connected a switch port to hour modem and untagged it vlan4
the desktop connected to the switch port, tagged vlan 4, 10 and 20other switch ports untagged vlan 10 or vlan 20
all works fine using 2 different dhcp scopes on vlan 10 and 20
hope this helps.
-
Exactly.
-
we've build a pfsense on a old desktop ( HP sf5000 or something) only one nic.
in our case we were able to install the free version of ESXi on the desktop and installed Pfsense as an vm.
connected the NIC to a managed switch (HP procurve 1810-24g)
added 3 vlans
vlan 4 ( WAN)
vlan 10 (LAN) ip 192.168.17.254
vlan 20 (OPT1) ip 10.0.10.254connected a switch port to hour modem and untagged it vlan4
the desktop connected to the switch port, tagged vlan 4, 10 and 20other switch ports untagged vlan 10 or vlan 20
all works fine using 2 different dhcp scopes on vlan 10 and 20
hope this helps.
I am still not quite clear about how the router talks to the modem via a switch, just put them in the same VLAN and things just magically work?
-
Yes. ;)
There's nothing special about the modem-router connection it's standard ethernet.
Steve
