PfSense on Dell R710
-
Hi!
Contemplating becoming a pfSense user.
So an upcoming upgrade to a Wave cable gigabit connection is prompting me to evaluate options for a firewall that can keep up. My current ASA5510 is not up to the task.
My research has led me to either the Ubiquiti USG Pro 4 or pfSense. Although I own Ubiquiti access points and love them, the reviews on the USG pro 4 are mostly either 1 star or 5 which doesn't bode well. At least not for me. :)
At this point I am leaning towards pfSense and installing on a Dell R710. Yes, I realize this is the definition of overkill, but I have a couple from a lot buy sitting around doing nothing so I might as well use one. The machine has dual Xeon X5672 processors, so AES-NI is supported. The machine also has quad Broadcom NICs built in.
I have a TON of reading to do to figure out how to set this up and I've already started delving into it.
Knowing all of that, are there any "gotchas" to look out for with this hardware choice? From what I have read 4GB of RAM should be plenty. What about hard drive speed? Is this critical? The machine has a PERC that supports SATA-III or SAS-III drives. I have a couple of older SATA-II drives laying around that I plan to set up as RAID-1.
Thanks for any advice/feedback!
-
pfSense will install on about any standard PC with 2+ NICS. Storage not important unless you are doing logging galore. Enjoy poring over dump data?
-
pfSense will install on about any standard PC with 2+ NICS. Storage not important unless you are doing logging galore. Enjoy poring over dump data?
Not especially.
Actually, if I am being honest, I prefer to "set it and forget it" as I don't have the time I used to have to tinker with stuff constantly. If I get it set up and get everything working that I want to work, it might be months before I even log in to the thing to take a look at what's been going on. That was one of the strengths of the ASA-5510. A pain to configure, but once it's set up it ran forever.
The only reasoning for the RAID-1 is if the primary HD fails, I have a backup ready to take its place. :)
I guess I was really just concerned about the Broadcom ethernet hardware. I had read that Intel NICs were preferred, but that's not what this machine will have.
Thanks for the feedback. :)
-
It should run like a scalded ape on an R710. Unless you are caching, hard drive speed is pretty much irrelevant. Even if you are caching it is pretty much irrelevant.
I have never had any issues with the broadcom drivers. They seem fine. In fact, a few years ago, pfSense sold some used Dells. Can't remember the model but pretty sure they had bce NICs. Have personal experience running on some old IBM 1Us with zero issues. bce NICs there too.
Nothing wrong with a drive mirror for an install such as this. Though on that hardware you would be a candidate to try leaving the controller in JBOD and running a ZFS mirror if you put 8GB+ into it.
Install it and try it. Don't cost nothin'.
-
Never heard of pfSense requiring constant maintenance, this is matured stuff, and friendlier to work with than I had expected, compared to CLI-only Cisco stuff I used to work with. Go4rit.
-
It should run like a scalded ape on an R710. Unless you are caching, hard drive speed is pretty much irrelevant. Even if you are caching it is pretty much irrelevant.
Excellent! Good to know as the drives I have laying around - while SAS - aren't exactly fast. They were mainly used for file server/media storage duties. Big? yes. Fast? Not so much.
I have never had any issues with the broadcom drivers. They seem fine. In fact, a few years ago, pfSense sold some used Dells. Can't remember the model but pretty sure they had bce NICs. Have personal experience running on some old IBM 1Us with zero issues. bce NICs there too.
Nothing wrong with a drive mirror for an install such as this. Though on that hardware you would be a candidate to try leaving the controller in JBOD and running a ZFS mirror if you put 8GB+ into it.
Install it and try it. Don't cost nothin'.
Good news on the Broadcom hardware.
I am not that familiar with BSD/Linux/Alternative OS so I have quite a bit of a learning curve ahead of me. So please excuse my newbie questions.
I am assuming ZFS refers to the file system / volume manager that runs on these OS? Also assuming it is capable of software raid? Is using ZFS software raid superior to hardware raid? The Dell PERC H700 is a pretty good piece of hardware and fast. 512MB on board cache, etc. Using this controller, if the primary HD fails it will automatically switch to the mirror. Then a replacement drive can be hot-swapped and the controller will automatically mirror the remaining good drive to the replacement.
Edit: Another thought just occurred to me. One of the extra machines I have has a single E5504 processor in it with 6gb of RAM. Very basic server. While these processors do not support AES-NI, do I really need it? The only VPN stuff I will be doing is occasional remote user stuff when I am out and about with my laptop. Otherwise it will basically be used as a UTM device. From what I read though, it looks like AES-NI will be required for future versions of pfSense. Do I understand that correctly?
-
AES-NI is required in future versions indeed. pfSense requires no maintenance except the occasional pain-free security update (just subscribe to the security alerts and you'll get a message when one comes out - not often).
-
Most of the Dell raid controllers will not present the disks unless they are in an array, making them fairly useless for zfs.
You shouldn't have any trouble just creating a mirror with the bios utility and installing on that.
As for AES-NI, I'd guess the processors in a 710 would be modern enough to have it. If not, it's not a showstopper.
-
@johnkeates:
AES-NI is required in future versions indeed. pfSense requires no maintenance except the occasional pain-free security update (just subscribe to the security alerts and you'll get a message when one comes out - not often).
Good deal. That's exactly what I need.
Most of the Dell raid controllers will not present the disks unless they are in an array, making them fairly useless for zfs.
You shouldn't have any trouble just creating a mirror with the bios utility and installing on that.
As for AES-NI, I'd guess the processors in a 710 would be modern enough to have it. If not, it's not a showstopper.
The drives attached to a PERC controller don't need to be assigned to an array in order to be available to the OS. But yes it's simple enough to set up a mirrored array. It has a little speed penalty but since HDD speed is not important for pfSense that doesn't matter. I was actually thinking of using one of the older PERC 6i controllers I have. They can only do up to SATA-II but as stated previously in this thread they should be plenty fast enough.
Speaking of ZFS. When installing pfSense would that be my preferred file system over UFS? I don't know enough about it to make an informed decision on what to use. From what I have read ZFS seems to be more robust and easier to recover from errors? Not sure if I have that right.
The Dell R710 servers have 2 generations. Generation 1 were available in lower spec with E55xx series Xeon processors. These do not support AES-NI. But, the gen 1 machines are capable of supporting all of the X56xx series processors that have TDP of 95w. None of the 6 core 130w TDP X56xx processors were supported unless you have a Gen 2 R710.
Again, thanks for the info! Please keep it coming, I appreciate it.
-
I have an R710, with X5670's in it, which support AES-NI. But I wanted a separate machine for pfSense so I can play with my server and not affect the internet/network. So I opted for a R210 II, it has an Xeon E3-1230 V2, and 8GB RAM. It's a lot smaller and quieter than the R710 (which is very noisy to have in the house), plus the power consumption is much lower. It has dual gigabit NICs, no RAID controller as such so drives are direct to the OS (I'm using Windows Server 2016, running pfSense under Hyper-V). I've only had it about a week but it's an awesome little machine and pretty cheap. I have a 128GB SSD and 1TB HDD in there. pfSense and Cache are on the SSD, I just use the 1TB drive as an additional backup for some stuff.
-
I have an R710, with X5670's in it, which support AES-NI. But I wanted a separate machine for pfSense so I can play with my server and not affect the internet/network. So I opted for a R210 II, it has an Xeon E3-1230 V2, and 8GB RAM. It's a lot smaller and quieter than the R710 (which is very noisy to have in the house), plus the power consumption is much lower. It has dual gigabit NICs, no RAID controller as such so drives are direct to the OS (I'm using Windows Server 2016, running pfSense under Hyper-V). I've only had it about a week but it's an awesome little machine and pretty cheap. I have a 128GB SSD and 1TB HDD in there. pfSense and Cache are on the SSD, I just use the 1TB drive as an additional backup for some stuff.
That sounds like a nice little box….
The idea to use the R710 is simply because I have extras that are currently going unused. My server rack is behind me and to my ears, it's relatively quiet. Besides, it helps drown out the noise of the household. :D
If you think the R710 is loud you should hear the 1950s and 2950s I used to have in the rack. Now THAT was loud! :D
I've decided to use the machine with the X5667s in it.
So basically the hardware specs will look like this:
X5667 x 2
24GB RAM (I can always cut this in half if I need the ram somewhere else since even 12GB is way overkill)
PERC 6i
Seagate 300GB 15K SAS-II drives x 2 (These are overkill too, but it turns out they are the smallest drives I have laying around. Thought I had some slower/smaller drives but I don't)
And all the built in hardware that is included with a R710. BCE embedded NICs x 4, etc.
The only thing I am waiting on to build this machine is hard drive caddies. I am out of them so had to order some from eBay.
Since this machine will be so utterly overpowered for this application, I'm sure pfSense will run effortlessly even at gigabit WAN speeds.
The only thing I am a little unsure about at this point is whether to use ZFS or UFS and I am not sure how to set up a remote VPN for when I am out and about with my laptop and need to access my home network. OpenVPN?
-
The R210 II is definitely a cracking little box, I am very pleased with it!
The R710 isn't too bad I guess, it was a little noisy while I had it inside the house as it was in an enclosed space.
I've heard those old machines are very noisy and power hungry! I was swayed away from them when looking for my first server.
Sounds like a good plan though, it should run very well. I've seen people running gigabit connections on very low power hardware with no issues.
-
The drives attached to a PERC controller don't need to be assigned to an array in order to be available to the OS. But yes it's simple enough to set up a mirrored array. It has a little speed penalty but since HDD speed is not important for pfSense that doesn't matter. I was actually thinking of using one of the older PERC 6i controllers I have. They can only do up to SATA-II but as stated previously in this thread they should be plenty fast enough.
It will still work alright, just set up two RAID0 vdevs and be sure to set them to write through and no read ahead. It's not ideal but you're not running a file server with 20+ drives constantly being abused. I'm not sure if pfSense includes the mfip driver at boot but that will still provide some smart data.
Speaking of ZFS. When installing pfSense would that be my preferred file system over UFS? I don't know enough about it to make an informed decision on what to use. From what I have read ZFS seems to be more robust and easier to recover from errors? Not sure if I have that right.
ZFS all the way. There are so many reasons to use ZFS over the old UFS setup.