Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps

Elrick75

I don't have specific meaning with 3x10G, 10G LAN is only for data transfert from workstation to NAS server only... nothing related with Internet.
Create VLAN ID to reduce number of interface is not important, i prefer make 2x VLAN with tagged port without VLAN trunk.
The most important think is to have isolated LAN physicaly if possible ;)

Any hardware suggestion/recommandation about this setup ?

Many thanks.

NogBadTheBad

I'm not a hardware guy.

It will be way cheaper doing it how I suggested :)

How many devices are on each of the wired subnets?

NogBadTheBad

@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

The most important think is to have isolated LAN physicaly if possible ;)

You can do that with VLANS, don't create a SVI on the 3850.

Elrick75

@NogBadTheBad Around 6 to 10 devices on each LAN.

NogBadTheBad

Seriously go VLANS and connect everything to the 3850 if you have enough ports, it won't cost you anything.

What speed is the NIC on the NAS?

If you don't create the SVI on the switch pfSense will do the isolation.

Have a look at how I do it, you'd just have a 10 uplink to pfSense.

https://forum.netgate.com/topic/132431/simple-vlan-for-pfsense-unifi-ap-ac-lr

Elrick75

All PC and NAS use 10G NIC interface.
i prefer use at least two switch, separate flows on each link is more secure i figure and optimize traffic issue between VLAN.
Other reason is that i plan in a near futur to replace curent C3850 to 12XS-S (full 10G fiber switch), and C2960XR to C3850.

NogBadTheBad

@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

All PC and NAS use 10G NIC interface.
i prefer use at least two switch, separate flows on each link is more secure i figure and optimize traffic issue between VLAN.
Other reason is that i plan in a near futur to replace curent C3850 to 12XS-S (full 10G fiber switch), and C2960XR to C3850.

Ah :)

Elrick75

uP !

LeeR

Supermicro X11SDV-4C-TP8F motherboard.

But the switch will be able to hardware route at wire speed (10G) between VLAN SVIs. You can add ACLs to limit intra-VLAN traffic.

Elrick75

@LeeR said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

Supermicro X11SDV-4C-TP8F

Does all NIC interface has been supported by pfSense as well ?
What CPU do you suggest with it ?

Many thanks for your feedback.

LeeR

Did you even look? The CPU is embedded... If you need more cores look at the X11SDV-8C-TP8F model. The Supermicro spec sheet lists the NIC chipsets which you can verify are supported (they are).

akuma1x

I hate to burst your bubble, but you technically don't need 10Gbps links on your firewall, unless in the near future you will be able to get greater than 1Gbps internet connection speeds. Nothing on your 172.16.1/24 and 10.0.1/24 networks will be able to speak at 10Gbps speeds, so therefore you don't need to route thru pfsense anything connected at that speed.

Understand what I'm saying? If your only 10G capable devices are desktop PCs and your NAS box, which I'm assuming are all on the same subnet and switch in your illustration, you don't need ANY 10G connections on your firewall.

Jeff

Elrick75

@akuma1x said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

rst your bubble, but you technically don't need 10Gbps links on your firewall, unless in the near future you will be able to get greater than 1Gbps internet connection speeds. Nothing on your 172.16.1/24 and 10.0.1/24 networks will be able to speak at 10Gbps speeds, so therefore you don't need to route thru pfsense anything connected at that speed.
Understand what I'm saying? If your only 10G capable devices are desktop PCs and your NAS box, which I'm assuming are all on the same subnet and switch in your illustration, you don't need ANY 10G connections on your firewall.
Jeff

Yes it's right, my ISP connection is at 1G, not 10G.
Even if my WAN connexion is 1G, what is the best Motherboard/CPU to handle easyly these connexion bandwidth ?

Elrick75

@LeeR said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

X11SDV-8C-TP8F

What is the best Motherboard/CPU to take into account this bandwidth and wait to see coming ?

LeeR

Elrick, ever used google? I recommend you copy that part number and paste it into a google search. Then reach the specification sheet.

Elrick75

@LeeR I didn't notice that this motherboard include CPU !!
D-2146NT has 80w TDP... do you think that it can be possible to have low energy consumming CPU to reach the goal ?

LeeR

@Elrick75

You should look for an ATOM based processor then. Here's an example Supermicro kit: https://www.supermicro.com/products/system/Mini-ITX/SYS-E300-9A.cfm

Elrick75

@LeeR I'm not sure does it can handle 1Gb traffic.
I have a Dell R230 with Xeon E3-1260lv5, do you think that it can do the job ? It's 1U form.

LeeR

That would be plenty of CPU. Should not have an issue routing between LAN interfaces or pushing Gigabit through the NAT.

akuma1x

@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

@LeeR I'm not sure does it can handle 1Gb traffic.

I'm pretty sure any recent Atom C3XXX series CPU can route traffic at Gigabit speeds.

Some of the higher end/spec'd Atom C2XXX processors can as well. Like the ones in the older SG-4860, the SG-8860, and the XG-2758 1U models. Those processors are at least 3-4 years old already, so I would avoid them if you can.

Jeff