Netgate Discussion Forum
    Watchguard XTM510 bandwidth max?

      solignis

      Okay this might end up long winded…

      I bought a new server for myself, I am going to be putting it up in a colo in Michigan. I need a router / firewall to accompany the server for security and port splitting reasons. Basically I will have one drop for the rackspace and I need to make it feed 3 ports. Moving on though.

      Originally I was going to use a Juniper SRX240B switch / router / firewall / thing...

      Mainly that reason was I work with them at work and they were plentiful and cheap on eBay.

      I am now realizing I might have made a bad mistake buying one since Juniper is not allowing me to register the given serial number and other things.

      <catches breath> So... my next idea is to do what I am doing for my home router, I am running pfSense on a PC Engines APU. For my home connection which is a 105mbps / 20mbps Comcast this works great.

      But I need something rackmount for the colo. Hence why I wanted to buy a Juniper SRX 240B (it's the 19" wide version). Now switching gears which finally brings me to the point of topic.

      I am looking at a couple of XTM510s and I needed to know a few things.

      1. What is the max throughput that can be sustained with a port? The colo is going to provide me with 100mbps / 100mbps fast ethernet for my uplink and I need something that can keep up and run that type of a connection.

      2. What strange voodoo has to be done to make the XTM series boxes work with pfSense? Do I need a BIOS flash, extra CF card, special cables, etc.?

      3. What makes the XTM510 differ from the 520 and beyond?

      4. Can the interfaces on the XTM be connected into some kind of a switch fabric like Junipers? (more of a general pfSense question)

      5. What kind of load can the XTM handle as far as demand? Router / Firewall load and is there anything I can do to increase the power of the box?

        stephenw10 Netgate Administrator

        The 1st generation XTM5 (505, 510, 520 and 530) are all identical in hardware terms and use a single core Celeron 440 CPU. You can very easily upgrade that CPU with almost anything that's up to 65W TDP and socket 775. So that's many Core2Duos, some C2Q and even some Xeons.
        Even with the original CPU it will easily manage a 100/100 connection of firewall/NAT.
        It will run pfSense simply by replacing the CF card. Nothing else is required in terms of BIOS flashing, but it is locked down by default, so if you want to tweak anything you would need to flash it.
        Do you mean like stacking switches?

        Have a look through the XTM5 thread and the wiki page if you haven't already.

        Steve

          solignis

          I mean is there a way to make a switch out of the 6 ports that would be LAN designated?

          I'm guessing that would be a bridge interface?

            stephenw10 Netgate Administrator

            Oh Ok. Yes you can do that with, as you say, a bridge interface.
            It's generally accepted wisdom here that it's a bad idea to create a switch out of multiple interfaces. That's because it's usually much cheaper and much faster to use a real switch.
            Do you need filtering between the ports?

            Steve

              solignis

              Not really, what I need is a way to protect my iLO interface from the public-facing internet.

              Then I need ports for my server to get general internet access that is all.

              Having a separate firewall ruleset for the iLO interface would be good.

                stephenw10 Netgate Administrator

                Your iLO interface is in the same subnet as the server NICs? Does it have to be?
                I would put it in a separate subnet on a different interface to isolate it properly and then only allow traffic you need.

                Steve
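
The isolation suggested in the reply above, written out as a pf.conf-style ruleset (pfSense builds its pf ruleset from the rules entered in the GUI). This is an added example, not part of the original thread; the interface names, subnets, the admin source address and the forwarded port 8443 are all assumptions.

```pf
# Constructed example: every interface name and address below is an assumption.
wan_if   = "em0"             # colo uplink
srv_if   = "em1"             # server NICs
ilo_if   = "em2"             # dedicated iLO management interface

srv_net  = "10.10.10.0/24"   # server subnet
ilo_net  = "10.10.20.0/24"   # iLO subnet, separate from the servers
ilo_host = "10.10.20.10"     # the iLO port itself

# Only these sources may reach iLO (198.51.100.0/24 is a documentation range)
table <ilo_admins> const { 198.51.100.25 }

set skip on lo0

# Translation: servers share the uplink address; iLO HTTPS is forwarded
# only when the source is listed in <ilo_admins>
nat on $wan_if inet from $srv_net to any -> ($wan_if)
rdr on $wan_if inet proto tcp from <ilo_admins> to ($wan_if) port 8443 \
    -> $ilo_host port 443

# Default deny, logged
block log all

# Traffic admitted inbound on one interface may leave on another
pass out quick inet all keep state

# WAN: the only inbound service is the forwarded iLO session
pass in quick on $wan_if inet proto tcp from <ilo_admins> \
    to $ilo_host port 443 keep state

# Servers: general internet access, nothing toward the iLO subnet
block in quick on $srv_if inet from any to $ilo_net
pass  in quick on $srv_if inet from $srv_net to any keep state

# iLO: replies ride the existing state, new connections are refused
block in log quick on $ilo_if all
```

With the iLO port on its own interface, a compromised server NIC has no layer-2 path to the management controller, which a bridged "switch" of LAN ports would not guarantee.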

                  solignis

                  Do all of the WatchGuard XTMs come with a Cavium PCI card?

                  Also is it PCIe or PCI. I want to replace it with a Soekris card or something else if I can find one.

                    stephenw10 Netgate Administrator

                    I think so, my 505 did so I assume the models higher up the range do also.
                    It's PCIe BUT the plug-socket arrangement is reversed. The socket is on the card and the motherboard has the 'golden fingers' edge connector which makes it impossible to use without some sort of adapter.

                    Steve

                      solignis

                      Wha?

                      So the connector for the card is backwards? It's not a little "clip" gizmo.

                        stephenw10 Netgate Administrator

                        Nope it's not removable. It's like this:
                        https://forum.pfsense.org/index.php?topic=75417.msg446389#msg446389

                        The card looks like this:

                        Steve

                          solignis

                          Why Watchguard? Why do you do this to us!

                          I still have another idea I am looking into so I can use that port. I cannot really tell in the picture but that kind of looks like an 8x PCIe bus. Confirm?

                            stephenw10 Netgate Administrator

                            Don't blame Watchguard, it's Lanner's board.  :)
                            Yes it's PCIe 8x. You should be able to use it with a gender changer or some type of riser but I've yet to find one. Which is odd because this arrangement seems common on embedded boards.

                            Steve
