Will this hardware run pfSense and support 300 Mbps with IDS/IPS, DNS over TLS and pfBlockerNG
-
I have been SA for years but I have never dug into network security (never needed to) and I am new to pfSense. Please go easy on me.
I have been wanting to implement a whole house FW to protect my server and everything else at home. I was going to buy Netgate's SG-3100 but I have a spare desktop PC lying around that I thought I could put pfSense on.
Before I do, I wanted to make sure it can handle my use-case, specifically maintaining 300+ Mbps. My internet is 200/35 but I might upgrade it soon. I'd actually love to know the max throughput this setup should be able to handle.
- Motherboard: Intel Desktop Board DG33BU
- CPU: Intel Core 2 Duo E7500 @ 2.93 GHz
- Memory: 8 GB DDR2 SDRAM 800 MHz DIMMs
- HD: 640 GB
- Video: EVGA GeForce 210 Passive 1024 MB DDR3 PCI Express 2.0 DVI/HDMI/VGA Graphics Card
- Chipset: Intel G33 Express Chipset, consisting of:
  - Intel 82G33 Graphics and Memory Controller Hub (GMCH)
  - Intel 82801IH I/O Controller Hub (ICH9DH)
- LAN Card: Gigabit LAN subsystem using the Intel 82566DC Gigabit Ethernet Controller
I would, of course, buy one more LAN card so I have one for my cable modem input and one for my existing router output. Not sure which LAN card to get so if there is any advice/recommendation on that please let me know. Or, if the onboard LAN card is no good, I can get two since the MB has 2 conventional PCI slots and 1 PCI Express x1 slot.
At minimum these are the things I know I'll be configuring:
- IDS/IPS with Snort or Suricata (haven't yet figured out which is better) (https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html)
- DNS over TLS (https://www.netgate.com/blog/dns-over-tls-with-pfsense.html)
- pfBlockerNG
So, two questions I am hoping the community can help me with:
- Is my hardware powerful enough to do what I want?
- Are there other packages/configurations folks recommend/advise?
Thanks in advance!
-
The current CPU doesn't support AES-NI though. :(
-
pfSense 2.5 will not require AES-NI in case you missed it: https://forum.netgate.com/post/823904
That hardware will be fine for your 200 Mbps connection. It will pass 1 Gbps, but possibly not with Snort/Suricata; it depends a lot on what ruleset you have loaded and how it is tuned.
You have it already, so try it and see. It will be good experience either way. I would pull that graphics card in favour of the on-board graphics to free resources and reduce heat in the box.
Steve
-
@stephenw10 Thanks. To test it I would need one more LAN card. I want to avoid buying things I don't need. I'm caught between using this desktop, buying an SG-3100, or holding out for Ubiquiti's Dream Machine (https://www.reddit.com/r/Ubiquiti/comments/b0s5ig/unifi_dream_machine_added_to_earlyaccess_store/).
-
Well you could test the throughput with just the two cards you have. Add a third interface once you know it will handle that.
Steve
-
@stephenw10 Two cards? I only have one Ethernet port right now. I have a wifi adapter I can plug into it just to see what the pfSense experience is like and to see if it's too complex/confusing for me. Thanks!
-
Ah, sorry, I thought that board had integrated Ethernet and you had a card in there as well. I assume those are the same thing then.
Using wifi is not going to help your experience! Especially if it's not just an optional interface. Better to use VLANs and a managed switch, or even a USB NIC (which also isn't recommended). But Gigabit Intel NICs are common and cheap; grabbing one of those would be best.
Steve
-
@stephenw10 Agreed. Plan is to install pfSense just to get a feel for the OS/experience. My networking knowledge is not great so if I can't figure it out then I want to know before I buy a new LAN card. I've seen some videos online with screenshots and those screenshots had many terms I don't know so I'm a little worried. Just created the USB installer so I'll see how it goes.