Which Netgate device for school
-
In a few weeks our school will get fibre internet so I may have the chance to upgrade our old router which has pfSense on it. I was looking at the Netgate rackmount options XG-1537, XG-1541 and XG-7100, but I’m not sure which one of them is suited for our needs. We’re a school with 850 students. Normal use is browsing the web and watching (YouTube) videos. Maybe later we will add a Plex server. Do you guys have any suggestions which one is the right one for us? Or just what is the difference between those devices besides their different throughput figures? Thanks for your help.
-
@dualbrot They are all more than capable of supporting the load of 850 users / Gigabit so if cost is a big issue go with the XG-7100.
However, the XG-1537 is probably a better fit as it will scale much higher if you ever start moving beyond 1 Gbe.
Besides, you don’t need the switchports of the XG-7100. Remember to get it with a Raid-kit to make the boot/log drive redundant.
The main difference is a much more powerful CPU in the XG-1537 which allows for more packages/inspection/surveillance/VPN and what not before the device gets exhausted.
-
@keyser Also: A very important difference is that the XG-1537 has an IPMI port that allows for remote access to the pfSense/Appliance Console via a web browser. Much easier than having to access it on-site with a serial port if something has gone wrong and it’s hung/won’t boot.
You can do full remote administration that way regardless of whether pfSense is actually running on the device.
-
@keyser I have several customers that use the XG-1537 specifically because of the built-in IPMI management feature.
They then buy an SG-1100 as a “backdoor” VPN device to allow them to access the IPMI from all over the world regardless if the 1537 is up or down.
-
@keyser said in Which Netgate device for school:
Remember to get it with a Raid-kit to make the boot/log drive redundant
Alternatively, get two devices and set them up in a High Availability config for redundancy. It costs more, but you'll be able to install updates and reboot during school hours.
Since any device can be set as HA (with matching hardware) I think what that page is trying to say is if you get a 1U device with quantity 2 they'll put them both in the same 1U rack space (1 1U rack, both units). They used to sell them that way for prior models; we have one. (might want to double check with Netgate on that before ordering...)
-
@keyser Thank you all for your answers. I'm glad to hear that all the devices are capable, because at some point we will have BYOD in our school. I have a little follow up question. You mean 1 Gbe internally, right? Because our Plex server later will be having QSFP+. I can't really predict how fast devices will be using 10 Gbe in our school or if it would be better to stick with the cheaper option because by that time newer devices will be better.
To the HA argument: Good point, probably I will use our old router with pfSense for a HA setup (and maybe the old DSL connection as well). IPMI is a strong factor for the XG 1537.
-
@dualbrot said in Which Netgate device for school:
use our old router with pfSense for a HA setup
Note the states will only sync if the network interfaces are the same.
-
@dualbrot said in Which Netgate device for school:
@keyser Thank you all for your answers. I'm glad to hear that all the devices are capable, because at some point we will have BYOD in our school. I have a little follow up question. You mean 1 Gbe internally, right? Because our Plex server later will be having QSFP+. I can't really predict how fast devices will be using 10 Gbe in our school or if it would be better to stick with the cheaper option because by that time newer devices will be better.
They all have 10Gbe interfaces and can handle way more than 1Gbe - however, they cannot handle 10Gbe @ wirespeed.
My reference to 1Gbe was merely a guess at your WAN speed once Fiber is installed.
If you want a firewall capable of handling QSFP+ (4x10Gbe) wirespeed traffic you need something orders of magnitude more powerful than pfSense Appliances (and pfSense for that matter).
Also: Are we talking packet inspection or just “simple” firewall’ing? If the latter then look into letting a switch do the routing with an ACL applied on the inside network, and your firewall handle connections to external clients.
To the HA argument: Good point, probably I will use our old router with pfSense for a HA setup (and maybe the old DSL connection as well). IPMI is a strong factor for the XG 1537.
Unless your old box has exactly the same interfaces/drivers for interfaces, that will not work. The only supported HA systems use two identical boxes.
-
@keyser said in Which Netgate device for school:
wirespeed
Ok, for the HA setup, do you mean the exact same number and designation of interfaces or is it about the physical hardware?
-
@dualbrot Per the link I posted in the docs, "States in pfSense are bound to specific operating system Interfaces. For example, if WAN is em0, then a state on WAN would be tied to em0"
-
Thanks for the information!
-
@Diane9K I agree with you, the information was helpful