hardware suggestions (again i know)
-
The XG-7100 or the XG-7100 1U.. if you plan on going to 10ge..
-
Seconded what John said...you'll have fun with this puppy!
-
Anyone would have fun with that! I would go with the desktop version for my home setup.. But I have not been able to tax my 4860 as of yet.. So it would be just overkill - but yeah it would be nice to have! ;)
If I was seriously considering going to 10ge, other than my wishful thinking I would for sure go with the 7100..
-
Hello guys :) thank you for your replies.
A portuguese IT supplier told me one thing I though weird. They told me that till 3 simultaneous remote connections I could go with SG-3100 with no problem even if I need OpenVPN, at full throttle like I said, pfBlockerNG, etc.
I think I'll have serious trouble if I go that way, not to mention I cannot upgrade the SG-3100 appliance. Am I right?
I know this is a Netgate forum but since people talk freely here about other hardware besides Netgate may I ask: any DIY hardware suggestions?
Netgate appeals to me as a proved solution. DIY appeals to me because of the flexibility, easy to upgrade and escalate.
Thanks in advance
-
While others might talk about it - I just stay stick with what works! There is one thing if you have some hardware laying about you can leverage. But going to buy something for work... Go with actual appliance.. 3100 while sure it can prob push gig.. Not going to be able to do 10ge if that is on near future roadmap for you.
-
I understand your point perfectly but having options to choose from is always a good thing, I think
-
@thething If it's for a business, I would recommend Netgate appliances just because it comes with support...maybe the SG4860 for the future requirements. I can share my DIY, which is in my signature. I am an Apple person and already had hardware setup with the future in mind. So I used a 2011 Apple mini server with thunderbolt2 enclosure that I can easily add a 10Gbe later.
-
Well pretty much anything will work with pfsense.. Just get good nics, and you should be fine.. Problem is boxes like that like to suck a lot of juice.. So while you might save a bit of $ up front - you will loose it all just creating heat while the thing sits idle.
Electricity in Portugal is pretty expensive is not... So something that uses minimal would be best. Not some best of a PC sucking 100watts idle ;)
Isn't your electric like 3rd highest cost in all of the EU?
-
If something goes wrong with Netgate hardware how will I solve it?
Since Netgate does not have any representation in Portugal my downtime would be just huge, no?
Isn't it possible to get a diy appliance done without it sucking too much juice?
ok good NICs (the best 4 port), like?
sorry about all this questions but I'm no an IT guy and questions arise. ohh and the "client" is my wife's accounting office, so you see my problem ;) :) -
@thething said in hardware suggestions (again i know):
I'm no an IT guy
That's the problem recommending DIY although being one is unnecessary as long as you're at least computer literate. For the peace of mind, I would go with Netgate...you could always get SG-4860 and SG-3100 as a backup...that way, you're not too far from the nearest Netgate Europe support center should one goes down. The two appliances would be about the same cost as the XG-7100IU or pretty close.
-
Why would an accounting office need 10ge? Just curious.. Must be some really large spreadsheets ;)
How many people in this office?
-
@NollipfSense I'm literate enough to understand I'll be probably be in trouble with 3 simultaneous remote OpenVPN (AES256 encrypted) connections (and I need 6), pfBlockerNG, Suricata, Squid, SquidGuard and so on with the SG-3100 even when the IT guy is telling me it will be ok. I do not "buy" it. and they want me to pay 470 plus VAT for the 3100.
I even doubt the 4860 can do it at full speed without a glitch. They both lack processing power specially if we put pfBlockerNG running. Internet reports about this issue are abundant. Besides I hate underpowered hardware causing me trouble oe slowing things down.
@johnpoz it probably doesn't.
-
@thething said in hardware suggestions (again i know):
Besides I hate underpowered hardware causing me trouble oe slowing things down.
And what are you using now? ;)
-
@thething said in hardware suggestions (again i know):
I'm literate enough to understand I'll be probably be in trouble with 3 simultaneous remote OpenVPN (AES256 encrypted) connections (and I need 6)
Good...honestly, I believe the Netgate XG-7100IU in this case would be the best five-year business investment in terms of a robust hardware that comes with support. You can modify what you currently have, like upgrade processor and memory, to use as a backup. A DIY, I am a little bias on using Apple Mac Mini because of the lovely form factor...a used 2012 Mac Mini quad core i7 16GB RAM about $550/eBay in the U.S. Coupled with a used thunderbolt two PCI enclosure and a quad port i350 NIC for around $200. Power consumption with the Mac Mini is not much...I run two Mac Mini servers 24/7/365. Adding the 10gbe NIC would be easy as removing the i350 later.
-
@thething said in hardware suggestions (again i know):
They both lack processing power specially if we put pfBlockerNG running.
Not sure why you think that is going to be process intensive - other than parsing through the lists, which is done every now and then when they update - it doesn't do anything after that..
You can do lots of openvpn vpns connections - its just not going to be at wire speed.
-
What exactly do you mean by 'full speed' here?
The SG-3100 will pass at or close to 1Gbps if it's just clients behind it downloading.
But if you want, say, 1Gbps OpenVPN that's a whole new level of processing required. More than even the XG-7100 will provide.
The total number of VPN remote users is not that important it's the total encrypted bandwidth that counts.
Steve
-
@stephenw10 I mean as close as possible to 1Gbps OpenVPN
-
@NollipfSense thank you so much for your suggestions
-
Then you need as much CPU power as possible. OpenVPN is single threaded, you likely won't get 1Gbps with any single connection unless you have a very fast device but you probably will with several connections at ~200Mbps each.
The 3100 will pass ~125Mbps OpenVPN total so not even close for what you're trying.You might consider using mobile IPSec instead if you really need that encrypted throughput.
Steve
-
Doubt they "need" it ;) this is an accounting company - how freaking big could the spreadsheets be ;)
Good luck getting wire speed with ipsec even.. You do understand all vpn's add overhead, so its not actually possible to get wirespeed. Even if you take the extra compute out of the equation, you are inside a tunnel - so there will be some downgrade..
If your connection is server bandwidth is X, and your slower client speed is Y.. Then your vpn speed will be Y - Z, where Z is the overhead in compute and tunnel hit.
Do all your remote users have gig? Its pointless to worry about vpn throughput when your user is coming in on some slow connection.. The client is amost always going to be the slower connection.
