Another hardware question - please advise
-
Having weighed the options of all in one vs isolated VMs for Pfsense, etc. I have decided the following configuration. Please have a look and advise if they all look fine. Views and recommendations, as usual, are welcome.
The planned setup :
- Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs
- VM1 PfSense / VPN
- VM2 Suricata / Packet Inspection needs.
- I will set up a separate machine to meet other requirements.
PCPartPicker part list / Price breakdown by merchant
CPU: Intel - Core i7-7700K 4.2GHz Quad-Core Processor (£299.94 @ Aria PC)
CPU Cooler: NZXT - Kraken X62 Liquid CPU Cooler (£149.99 @ Novatech)
Motherboard: ASRock - Z270M Pro4 Micro ATX LGA1151 Motherboard (£105.91 @ BT Shop)
Memory: Corsair - Vengeance LPX 16GB (2 x 8GB) DDR4-3000 Memory (£123.56 @ More Computers)
Storage: ADATA - Ultimate SU800 128GB 2.5" Solid State Drive (£52.17 @ Ebuyer)
Storage: ADATA - Ultimate SU800 128GB 2.5" Solid State Drive (£52.17 @ Ebuyer)
Case: Corsair - Air 540 ATX Mid Tower Case (£124.05 @ Ebuyer)
Power Supply: EVGA - SuperNOVA G3 (EU) 550W 80+ Gold Certified Fully-Modular ATX Power Supply (£78.24 @ Aria PC)
Total: £986.03
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2017-05-29 15:10 BST+0100
Questions:
(1) Should I choose the Intel I350-T4 (£41) or the X540-T2 (~£100)?
http://www.ebay.co.uk/itm/Genuine-Intel-Quad-Port-Server-Ethernet-Adapter-I350-T4-PCI-Express-I350T4BLK-/302320524446?hash=item4663b51c9e:g:p1gAAOSwX61ZHVV8
or
http://www.ebay.co.uk/itm/Intel-X540-T2-10G-Dual-RJ45-Ports-PCI-Express-Ethernet-Converged-Network-Adapter-/131945268901
(2) I plan to set port mirroring in my Cisco managed switch and use the second VM as a small box for packet inspection / Suricata needs.
Can PI / Suricata be installed / run separately from pfSense? I am concerned that running packet inspection as a part of pfSense will unnecessarily route all internal traffic through it and reduce LAN traffic performance.
Thanks,
SSri
-
I run a lot of the hardware you are looking at in my home. I have a Cisco SG300-28 switch running in L3 mode connected to a pfSense box running on an old Xeon 5148 CPU with an Intel server motherboard with 2 built-in GIG NICs. I have a 300/20 cable connection and I get about 360 to 370 speed using the DSLReports speedtest. I have the router set up on a separate VLAN so no local devices can slow down the router. My pfSense box is a simple setup with 1 WAN port and 1 LAN port because the layer 3 switch handles all local VLAN traffic. My CPU never goes above 3% as the L3 switch is doing most of the heavy lifting.
What I don't do any more is run VPN as I am retired and have been for a number of years. I am facing the upcoming AES-NI requirement for pfSense 2.5. So old hardware may have its limits.
I believe the L3 switch is the best way to handle local VLANs. I am not sure why you need 4 ports for pfsense as 2 should do it using an L3 switch.
-
> I believe the L3 switch is the best way to handle local VLANs. I am not sure why you need 4 ports for pfsense as 2 should do it using an L3 switch.
Thank you Coxhaus. I agree. That's what I plan to do here as well.
In any case,
> I am not sure why you need 4 ports for pfsense as 2 should do it using an L3 switch.
Fair point. I have 350/20 at the moment. I understand from my ISP engineers that they are internally testing a gigabit service. So, there is no real need for more than a couple of I350 ports. Nevertheless, I might take a couple of IoT devices off the switch and plug them directly into the pfSense router ports. Not sure if this is a sensible approach. But the price difference is just a few to 10 pounds. So, I may as well throw in the 4-port card.
I am indeed tempted to grab the 10 gig dual-port cards. I reckon I will buy that for another machine that I plan to build and deploy multiple VMs on for a media server, NAS and home data science lab.
:)
-
I like lean and mean. I still see no reason to carry the baggage in pfSense for all the extra ports in case you might use them. Bridging is a slow process in networking. Create an extra VLAN in the L3 switch for what you want to do. When pfSense fixes drivers for 10GIG ports just switch to 10GIG if you need more.
-
> The planned setup :
> - Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs
> - VM1 PfSense / VPN
> - VM2 Suricata / Packet Inspection needs.
> - I will set up a separate machine to meet other requirements.
> (2) I plan to set port mirroring in my Cisco managed switch and use the second VM as a small box for packet inspection / Suricata needs.
> Can PI / Suricata be installed / run separately than on the PfSense. I am concerned running packet inspection as a part of PfSense will unnecessarily route all internal traffic through this and reduce the Lan traffic performance.
> Thanks,
> SSri
Seeing that there are only 2 VMs, personally I would just put both VMs in a promiscuous port group and not bother with port mirroring.
-
> - Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs
In this day and age ESXi can boot from the same partition you use to store VMs. Gone are the days where the hypervisor needs a separate partition just to boot from. No need to split it up.
-
I seriously doubt that esxi can boot from just one partition without writing a new installer. When I run
esxcli storage core device partition list
There are 6 system partitions and a vmfs5 partition for local storage on one drive.
-
Sorry for not replying. I have been away on business.
Thanks everyone for the valuable advice, which is very helpful.
After a long thought, I have decided to run PfSense FW-Router-VPN on its own. The rest of the requirements starting with Suricata/Packet Inspection to Home Lab clusters will be run on a beefy server via multiple VMs. I will use the port mirror on my switch to inspect packets on the separate server running Suricata/PI as one of the VMs.
I have finalised the following specs for the PfSense-VPN.
PCPartPicker part list / Price breakdown by merchant
CPU: Intel - Core i3-7350K 4.2GHz Dual-Core Processor (£147.80 @ Alza)
CPU Cooler: CRYORIG - M9i 48.4 CFM CPU Cooler (£22.99 @ Overclockers.co.uk)
Motherboard: ASRock - Z270M Pro4 Micro ATX LGA1151 Motherboard (£105.91 @ BT Shop)
Memory: Corsair - Vengeance LPX 8GB (2 x 4GB) DDR4-3000 Memory (£67.35 @ CCL Computers)
Storage: Sandisk - SSD PLUS 120GB 2.5" Solid State Drive (£48.80 @ Amazon UK)
Case: Thermaltake - Core V21 MicroATX Mini Tower Case (£53.99 @ Amazon UK)
Power Supply: Silverstone - Strider Gold 450W 80+ Gold Certified Fully-Modular SFX Power Supply (£79.47 @ Scan.co.uk)
Total: £526.31
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2017-06-03 18:11 BST+0100
- Intel I350-T2 or -T4.
I will be ordering the parts next week.
Thanks all.
Cheers
-
> I seriously doubt that esxi can boot from just one partition without writing a new installer. When I run
> esxcli storage core device partition list
> There are 6 system partitions and a vmfs5 partition for local storage on one drive.
You're right. What I meant to say is that the days of the user having to manually set aside storage for the OS are gone; the installer handles everything now. No need for a separate array just for the install, etc.
-
There was never a requirement for a separate array, just a LUN. I run ESXi 6.5 from an SD card.
-
https://plugloadsolutions.com/80PlusPowerSuppliesDetail.aspx?id=26&type=2
Consider a used eBay Dell 80+ gold psu. My psu is the L265EM-00 ATX12V form circa 2011. I got it for $15 USD including shipping. A 10% load for a 500W is 50 watts and may not be realistic for a pfSense firewall that predominantly rests at idle. I chose a 265W psu which is closer to my real world idle state. I also tested it on an old mobo for an hour before plugging it into my kaby lake pfSense mobo.
Currently I idle at 18.4W with a G4650T CPU, NC364T, Lite-On mSATA SSD and packages: openvpn, suricata, pfblockerng, squid and squidguard.
-
No need to buy an over wattage psu. You may need to buy 24 pin & 12V extension cable since Dell cables are usually too short and designed for their mobos.
-
Thanks for the heads up.
Regards
-
I just lowered my idle consumption wattage by adjusting the BIOS settings for the CPU and system fan from standard cooling to silent cooling. Wattage is now 18.1W.
-
Thanks for all help. Cheers