NEED ADVICE: Planning to run pfsense on a real s**t server



  • I am working for a startup company; the budget is very limited.

    Here is the thing: we are building a server rack with a 10G fiber connection, and the firewall is the biggest headache, because as far as I know I should go with a Cisco Firepower 4110 (I used Cisco a lot before), while it's way too expensive (> $60k).

    What I am looking for are:
    1. 10 Gbps firewall throughput
    2. powerful enough to drop tons of packets in a short time (we got a DNS amplification attack a while ago)
    3. Port forwarding only, no NAT or VPN or DHCP…

    And my hardware list is:
    CPU: E5-1650 v4, 6 cores @ 3.6 GHz
    Barebone: Supermicro 5028R-WR
    RAM: 64 GB DDR4-2400 ECC
    NIC: Intel X710-DA2

    The plan is, I will build a server running pfSense first; once we start making money on it, or at least see signs of getting revenue, we will go get a Firepower 4110 and convert this server into a database/file server (that's why I cannot get an XG1541: lack of HD slots).

    Does that sound crazy to you?



  • 1. 10 Gbps firewall throughput
    Then a Linux-based router distro might be better than pfSense, no? Or perhaps OpenBSD or FreeBSD would also sound good to me.

    2. powerful enough to drop tons of packets in a short time (we got a DNS amplification attack a while ago)
    Then you should be getting a security option at the ISP or datacentre site and not try to stop it with pfSense.

    3. Port forwarding only, no NAT or VPN or DHCP…
    NAT is a process of pf (packet filter) at a later stage, so if it is turned off you may be better off using other stuff such as
    native BSD- or Linux-based routers. It's not a must, but it would be my first choice here.

    OpenBSD as a router
    FreeBSD as a Router

    Or, as said, anything based on Linux that comes with better support and might be running a little bit more agile
    to push real 10 GBit/s.
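The "routing only, port forwarding without outbound NAT" setup this reply talks about, written out as an added example (not from this thread, and not pfSense's generated ruleset) in native OpenBSD pf.conf syntax, which is the kind of box the reply points to. The interface names, the internal server address and the rate-limit numbers are assumptions. The overload table only catches individual TCP clients that open connections too fast on this box; as the reply says, volumetric DNS amplification has to be absorbed upstream at the ISP or datacentre, not here.

```conf
# Constructed example: minimal OpenBSD pf.conf for a routing-only edge box.
# Interface names, addresses and limits below are assumptions, not from the thread.
ext_if  = "ix0"          # 10G uplink (assumed name)
int_if  = "ix1"          # 10G LAN side (assumed name)
web_srv = "10.0.0.10"    # internal host receiving the port forward (assumed)

# Sources that exceed the connection-rate limit below land here and are dropped.
table <abusers> persist

set skip on lo
set block-policy drop

# Default deny; everything allowed is listed explicitly.
block all

# Drop already-flagged sources first, before any state lookup or rewrite.
block in quick on $ext_if from <abusers>

# Port forward (destination rewrite only) for HTTPS to the internal server.
# There is deliberately no nat-to rule: internal hosts keep routable addresses,
# so pf does plain filtering plus this one rdr and no outbound translation.
pass in on $ext_if proto tcp to ($ext_if) port 443 rdr-to $web_srv \
    keep state (max-src-conn-rate 50/10, overload <abusers> flush global)

# Routed traffic between the LAN side and the uplink.
pass in on $int_if
pass out on $ext_if
```

Parse it without loading with `pfctl -nf /etc/pf.conf`; a stuck source can be released with `pfctl -t abusers -T delete <address>`.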


  • Netgate Administrator

    @powerrc:

    3. Port forwarding only, no NAT

    Do you mean routing only?

    Doesn't seem that crazy. I would expect to get close to 10G, depending on packet size of course.

    Blocking a DoS attack at the firewall is the wrong end of the connection though, I agree.

    Steve



  • You won't get anywhere near 10GbE with firewalling enabled.



  • @heper:

    You won't get anywhere near 10GbE with firewalling enabled.

    NAT is processed later in pf, and so if NAT or the entire pf is turned off he is only able to use flat routing, so @stephenw10
    could perhaps be right about the 10 GBit/s with routing.