Netgate Discussion Forum

hardware suggestions (again i know)

Hardware | 31 Posts 4 Posters 2.1k Views
NollipfSense @thething (last edited by NollipfSense)

      @thething said in hardware suggestions (again i know):

I'm literate enough to understand I'll probably be in trouble with 3 simultaneous remote OpenVPN (AES256 encrypted) connections (and I need 6)

Good...honestly, I believe the Netgate XG-7100IU in this case would be the best five-year business investment in terms of robust hardware that comes with support. You can modify what you currently have, like upgrading the processor and memory, to use as a backup. For a DIY, I am a little biased toward using an Apple Mac Mini because of the lovely form factor...a used 2012 Mac Mini quad-core i7 16GB RAM is about $550 on eBay in the U.S. Couple it with a used Thunderbolt 2 PCI enclosure and a quad-port i350 NIC for around $200. Power consumption with the Mac Mini is not much...I run two Mac Mini servers 24/7/365. Adding a 10GbE NIC later would be as easy as removing the i350.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.


johnpoz LAYER 8 Global Moderator @thething

        @thething said in hardware suggestions (again i know):

They both lack processing power, especially if we put pfBlockerNG running.

        Not sure why you think that is going to be process intensive - other than parsing through the lists, which is done every now and then when they update - it doesn't do anything after that..

You can do lots of OpenVPN connections - it's just not going to be at wire speed.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11


stephenw10 Netgate Administrator

          What exactly do you mean by 'full speed' here?

          The SG-3100 will pass at or close to 1Gbps if it's just clients behind it downloading.

          But if you want, say, 1Gbps OpenVPN that's a whole new level of processing required. More than even the XG-7100 will provide.

          The total number of VPN remote users is not that important it's the total encrypted bandwidth that counts.

          Steve


thething @stephenw10

            @stephenw10 I mean as close as possible to 1Gbps OpenVPN


thething @NollipfSense

              @NollipfSense thank you so much for your suggestions


stephenw10 Netgate Administrator

                Then you need as much CPU power as possible. OpenVPN is single threaded, you likely won't get 1Gbps with any single connection unless you have a very fast device but you probably will with several connections at ~200Mbps each.
                The 3100 will pass ~125Mbps OpenVPN total so not even close for what you're trying.

                You might consider using mobile IPSec instead if you really need that encrypted throughput.

                Steve


johnpoz LAYER 8 Global Moderator

                  Doubt they "need" it ;) this is an accounting company - how freaking big could the spreadsheets be ;)

Good luck getting wire speed with IPsec even.. You do understand all VPNs add overhead, so it's not actually possible to get wire speed. Even if you take the extra compute out of the equation, you are inside a tunnel - so there will be some downgrade..

If your server connection bandwidth is X, and your slower client speed is Y.. Then your VPN speed will be Y - Z, where Z is the overhead in compute and tunnel hit.

Do all your remote users have gig? It's pointless to worry about VPN throughput when your user is coming in on some slow connection.. The client is almost always going to be the slower connection.

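The two rules of thumb the moderators give above (a tunnel can never beat the client's own link, OpenVPN is single threaded so one tunnel also has a per-process ceiling, and every tunnel shares the gateway's total encrypted throughput, minus overhead) can be turned into a small capacity check. The model below is an added example, not code from this thread, from Netgate or from pfSense; the ~125 Mbps SG-3100 total and the ~200 Mbps per-connection figure are the numbers stephenw10 quotes, the six users and their 500 Mbps / 1 Gbps links are taken from thething's posts, and the 10% overhead fraction and the 1 Gbps aggregate of the "bigger box" are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed planning model (example only): each tunnel is limited by the
# client's own link, then by the single-threaded per-tunnel ceiling, and all
# tunnels share the gateway's aggregate encrypted throughput.  A flat overhead
# fraction stands in for the "Z" (compute plus tunnel encapsulation) above.


@dataclass(frozen=True)
class RemoteUser:
    name: str
    link_mbps: float          # the remote user's own internet link


@dataclass(frozen=True)
class Gateway:
    name: str
    wan_mbps: float           # office WAN link
    total_vpn_mbps: float     # measured aggregate encrypted throughput of the box
    per_tunnel_mbps: float    # ceiling for one tunnel (single-threaded OpenVPN)


def plan_vpn(gateway, users, overhead_fraction=0.10):
    """Return ({user: (effective_mbps, limiting_factor)}, aggregate_mbps)."""
    usable = 1.0 - overhead_fraction
    demands = {}
    for user in users:
        cap, why = user.link_mbps, "client link"
        if gateway.per_tunnel_mbps < cap:
            cap, why = gateway.per_tunnel_mbps, "single-thread tunnel ceiling"
        demands[user.name] = (cap * usable, why)

    pool = min(gateway.wan_mbps, gateway.total_vpn_mbps) * usable
    total_demand = sum(mbps for mbps, _ in demands.values())
    if total_demand <= pool:
        return demands, total_demand

    # Tunnels contend for the shared pool: assume fair proportional sharing.
    scale = pool / total_demand
    shared = ("gateway crypto capacity"
              if gateway.total_vpn_mbps <= gateway.wan_mbps else "office WAN link")
    return {name: (mbps * scale, shared) for name, (mbps, _) in demands.items()}, pool


def has_headroom(gateway, users, target_aggregate_mbps, overhead_fraction=0.10):
    """True if the gateway can carry the target aggregate for these users."""
    _, aggregate = plan_vpn(gateway, users, overhead_fraction)
    return aggregate >= target_aggregate_mbps


# Constructed sample: six remote users, four on 500 Mbps links, two on 1 Gbps.
USERS = [RemoteUser(f"user{i}", 500) for i in range(1, 5)] + [
    RemoteUser("user5", 1000), RemoteUser("user6", 1000)]

# ~125 Mbps total OpenVPN is the figure quoted for the SG-3100 in this thread;
# the per-tunnel value reuses it because one process carries every tunnel.
SG3100_LIKE = Gateway("SG-3100-like", wan_mbps=1000,
                      total_vpn_mbps=125, per_tunnel_mbps=125)

# Hypothetical bigger box: ~200 Mbps per tunnel (the estimate above for a fast
# device) and an ASSUMED 1 Gbps aggregate, a placeholder rather than a spec.
BIG_BOX = Gateway("hypothetical-1G-box", wan_mbps=1000,
                  total_vpn_mbps=1000, per_tunnel_mbps=200)

if __name__ == "__main__":
    for gw in (SG3100_LIKE, BIG_BOX):
        per_user, aggregate = plan_vpn(gw, USERS)
        print(f"{gw.name}: aggregate {aggregate:.0f} Mbps, "
              f"headroom for 500 Mbps: {has_headroom(gw, USERS, 500)}")
        for name, (mbps, why) in per_user.items():
            print(f"  {name}: {mbps:.1f} Mbps, limited by {why}")
```

Run as-is it shows the point both posters make: on the SG-3100-like box the six users share roughly 112 Mbps between them regardless of their own fast links, while the hypothetical larger box delivers about 150 Mbps per user, and a user on a slow link is limited by that link long before the gateway matters.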
thething @johnpoz

@johnpoz accounting in Portugal is not done in spreadsheets. It uses dedicated certified software. You have a lot of them to choose from, but when you choose some of the best you'll need speed, trust me.
Every remote user has at least 500Mbps connections; some have 1G. The upgrade is under way since everybody had 200Mbps and it was tedious to work and complicated to meet the mountain of deadlines that this country's ridiculous legislation imposes.
You are right about one thing: we don't need 1Gbps today, but we want to be able to plan ahead, be ready to upgrade and come close when we might need it. And when it is needed, which will not be so far away, I don't want to be stuck with underpowered, overpriced, non-upgradable hardware.

                    If someone can help and drop some suggestions, links, etc, it would be great.

                    If not, thank you anyway :)


thething @stephenw10

                      @stephenw10 thank you for your input. I’m learning with it


johnpoz LAYER 8 Global Moderator (last edited by johnpoz)

Access to dedicated software that moves numbers would be less overhead than moving spreadsheets... I think you're misunderstanding how things work over the internet.. And how much bandwidth is required to manipulate numbers..

Unless you were moving large FILES... bandwidth is not your issue.. Manipulation of numbers is not bandwidth intensive.. Remote desktop to some machine in the office that manipulates the numbers, again not bandwidth heavy... What is heavy is when you are moving large files.. Say a graphics company, or video editing company..

                        I am having a hard time understanding why an accounting company would need large speed vpn..

                        Users saying they are not getting X while they move a file from their machine to the file server at work, and their internet speed is X is not a work related problem... They will never see X, no matter how big of a BOX you put in for your vpn..

                        The recommendation for any WORK setup would be an appliance from a company you can get support from... I would also suggest a support contract... The sg3100 would prob be your best bet.. If you need to go to 10ge at some future date down the road and not say in the next year then you upgrade then!

Throwing together some DIY PC to run as your firewall/vpn is not how you do business... Might be fine for home - but this is a company that needs shit to work... Then buy something that works, and has support and the ability to call someone on the phone 24x7.. And not have to wait 10 hours on hold, waiting for bob to figure out how to delete a file.. and needs help.

NollipfSense @thething

                          @thething said in hardware suggestions (again i know):

                          @NollipfSense thank you so much for your suggestions

A cheaper alternative to the Mac Mini is the Intel NUC...a small form factor that has a Thunderbolt interface to use the Thunderbolt PCI enclosure for your future upgrade. You can find new ones with an i7 processor and DDR4 RAM (max 32GB) on Amazon for under $500 in the U.S...anticipate you might find it on Amazon-Europe for $700-800.

NollipfSense @johnpoz (last edited by NollipfSense)

                            @johnpoz I get the feeling that the accounting firm is doing outsourcing work with companies in Europe and connecting via VPN...that way the ledger and books stay at the companies...that's why VPN speed is critical despite the overhead.

johnpoz LAYER 8 Global Moderator

How would that be OpenVPN? If they are doing business with another company that would normally be IPsec site to site. If it's their clients in the office doing VPN to somewhere else then the router's VPN capabilities have nothing to do with it.

So you have road warriors logging in to do what exactly?

                              If he wants advice - he really needs to break down the actual use cases vs saying they are going to 10ge... For why - to spend money? Why do they even need gig, how much data are they moving for business?

NollipfSense @johnpoz

                                @johnpoz I said that with hope he'll give us more use case info to help us sell him on the XG-7100IU puppy!

johnpoz LAYER 8 Global Moderator

I would really have a hard time suggesting any "company" go with anything other than an appliance - all that is in question is which one for the specific use.

                                  Sure you could do fortinet, juniper, cisco, palo, there are plenty of companies to choose from - but you will be hard pressed to do what you can do on a small budget that pfsense appliance can do.

unifi is another company at the smb/enterprise break-over point.. So there are choices for sure - build it yourself is a ma and pop shop with 1-2 employees selling hotdogs on weekends sort of company.. If you're saying your internet connection is key to the business.. Then I say put in cisco - nobody ever gets fired for buying cisco ;) It's going to cost you 10X more and do less..

If you want to run pfsense, then run pfsense - if you're going to do it for a business.. I have to say an appliance is really the only way... Any DIY thing, while it might rock and work great - when it fails, who is there to blame but the guy that built it ;) If the appliance fails - it's Netgate's fault ;)

stephenw10 Netgate Administrator

                                    If it's business critical, and it sounds like it definitely is, then at least consider getting two of whatever you get and running them in HA to minimise downtime.

                                    Steve


johnpoz LAYER 8 Global Moderator

Exactly... Even if you don't put them in HA - have one on the shelf as a spare.. And a support contract would be a given.. It's a minor cost of doing business when your edge device becomes critical to the business.

                                      There is play, and there is non critical where you might do a build your own box sort of thing to save a few bucks. But when it comes to mission critical to the business.. Put in an appliance, have back up plan, have support.. Its cost of doing business.

Example: we have multiple appliances on non-SLA connections for guests and play internet for users in the locations. I don't have a support contract - partly because I have been running pfsense for 10+ years and I'm pretty sure I could handle anything that might happen ;) And also, if it was down for a few days it wouldn't affect the business.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.