Another hardware question - please advise

coxhaus

I like lean and mean.  I still see no reason to carry the baggage in pfsense for all the extra ports incase you might use them. Bridging is a slow process in networking. Create an extra VLAN in the L3 switch for what you want to do.  When pfsense fixes drivers for 10GIG ports just switch to 10GIG if you need more.

gjaltemba

@SSri:

<snip>The planned setup :

• Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs
• VM1 PfSense / VPN
• VM2 Suricata / Packet Inspection needs.
• I will set up a separate machine to meet other requirements.
  <snip>(2) I plan to set port mirroring in my Cisco managed switch and use the second VM as a small box for packet inspection / Suricata needs.

Can PI / Suricata be installed / run separately than on the PfSense. I am concerned running packet inspection as a part of PfSense will unnecessarily route all internal traffic through this and reduce the Lan traffic performance.

Thanks,
SSri</snip></snip>

Seeing that there are only 2 vm, personally I would just put both vm in a promiscuous port group and not bother with port mirror.

whosmatt

@SSri:

• Raid 1, partition a small size, say, 25-30GB, to run ESXi 6.5 and use the remaining ~100GB Raid 1 disk to run two VMs

In this day and age ESXi can boot from the same partition you use to store VMs. Gone are the days where the hypervisor needs a separate partition just to boot from.  No need to split it up.

gjaltemba

I seriously doubt that esxi can boot from just one partition without writing a new installer. When I run

esxcli storage core device partition list

There are 6 system partitions and a vmfs5 partition for local storage on one drive.

SSri

Sorry for not replying. I have been away on business.

Thanks every one for valuable advise, which are very helpful.

After a long thought, I have decided to run PfSense FW-Router-VPN on its own. The rest of the requirements starting with Suricata/Packet Inspection to Home Lab clusters will be run on a beefy server via multiple VMs. I will use the port mirror on my switch to inspect packets on the separate server running Suricata/PI as one of the VMs.

I have finalised the following specs for the PfSense-VPN.

PCPartPicker part list / Price breakdown by merchant

CPU: Intel - Core i3-7350K 4.2GHz Dual-Core Processor  (£147.80 @ Alza)
CPU Cooler: CRYORIG - M9i 48.4 CFM CPU Cooler  (£22.99 @ Overclockers.co.uk)
Motherboard: ASRock - Z270M Pro4 Micro ATX LGA1151 Motherboard  (£105.91 @ BT Shop)
Memory: Corsair - Vengeance LPX 8GB (2 x 4GB) DDR4-3000 Memory  (£67.35 @ CCL Computers)
Storage: Sandisk - SSD PLUS 120GB 2.5" Solid State Drive  (£48.80 @ Amazon UK)
Case: Thermaltake - Core V21 MicroATX Mini Tower Case  (£53.99 @ Amazon UK)
Power Supply: Silverstone - Strider Gold 450W 80+ Gold Certified Fully-Modular SFX Power Supply  (£79.47 @ Scan.co.uk)
Total: £526.31
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2017-06-03 18:11 BST+0100

• Intel i350 t-2 or t-4.

I will be ordering the parts next week.

Thanks all.
Cheers

whosmatt

@gjaltemba:

I seriously doubt that esxi can boot from just one partition without writing a new installer. When I run

esxcli storage core device partition list

There are 6 system partitions and a vmfs5 partition for local storage on one drive.

You're right. What I meant to say is that the days of the user having to manually set aside storage for the OS are gone; the installer handles everything now.  No need for a separate array just for the install, etc.

gjaltemba

There was never a requirement for a separate array just a lun. I run esxi 6.5 from a sdcard.

patrick0525

https://plugloadsolutions.com/80PlusPowerSuppliesDetail.aspx?id=26&type=2

Consider a used eBay Dell 80+ gold psu. My psu is the L265EM-00 ATX12V form circa 2011. I got it for $15 USD including shipping. A 10% load for a 500W is 50 watts and may not be realistic for a pfSense firewall that predominantly rests at idle. I chose a 265W psu which is closer to my real world idle state. I also tested it on an old mobo for an hour before plugging it into my kaby lake pfSense mobo.

Currently I idle at 18.4W with a G4650T CPU, nc364t, liteon msata ssd and packages: openvpn,suricata, pfblockerng, squid and squid guard.

SSri

@patrick0525:

Thank you. I will definitely check out a suitable dell psu.

Cheers.

patrick0525

No need to buy an over wattage psu. You may need to buy 24 pin & 12V  extension cable since Dell cables are usually too short and designed for their mobos.

SSri

Thanks for the heads up.

Regards

patrick0525

I just lowered my idle consumption wattage by adjusting the bios settings for the CPU and system fan from standard cooling to silent cooling. Wattage is now 18.1W

SSri

Thanks for all help. Cheers