Hardware for small business



  • I would like some advice on the hardware for a pfSense firewall for a small business (16 computers wired & wireless + mobile phones + extra people on the network occasionally)

    We have Virgin media business internet with 150Mbps download.

    Will the list below be okay with squid/squidguard/snort + antivirus running?

    I have looked at the pre-built units, but they are either out of stock or more expensive than my build.
    Building it seems more fun and future proof  :)

    What are some things I should know when setting up pfSense?

    Also can you confirm that I have the setup right:

    1. Virgin Media Super Hub as modem into the pfSense build.
    2. Ethernet from pfSense into the switch.
    3. Computers + AP into the switch.

    PCPartPicker part list / Price breakdown by merchant

    CPU: Intel - Pentium G4560 3.5GHz Dual-Core Processor  (£46.79 @ Aria PC)
    Motherboard: ASRock - H270M-ITX/ac Mini ITX LGA1151 Motherboard  (£112.99 @ Amazon UK)
    Memory: Crucial - 8GB (1 x 8GB) DDR4-2400 Memory  (£60.17 @ Amazon UK)
    Storage: Corsair - Force LS 60GB 2.5" Solid State Drive  (£37.97 @ Amazon UK)
    Case: CiT - MTX-005B Mini ITX Tower Case w/300W Power Supply  (£35.59 @ Amazon UK)
    Other: Ubiquiti Networks UAP-AC-LITE WLAN Access Point  (£69.00 @ Amazon UK)
    Other: Multi Cable SLIM FLAT 2m Cat6 RJ45 Ethernet Network Patch Lan cable - Multi Coloured "5 Pack" - 2 meter + 15 Cable ties  (£8.39)
    Total: £370.90
    Prices include shipping, taxes, and discounts when available
    Generated by PCPartPicker 2018-03-12 21:41 GMT+0000



  • I'd add a Ubiquiti Cloud Key and a managed switch that supports 802.1Q.

    You'll be able to create multiple VLANs and have normal users and guest wi-fi off the same access point; the guest wi-fi subnet could be set up to have internet access only.

    Will you actually save much bandwidth installing Squid? As most of the traffic will be HTTPS, you'd need to do a man in the middle.

    Just to give you an idea what you can do with 802.1q :-

    https://forum.pfsense.org/index.php?topic=142930.msg779126#msg779126
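    The "guest wi-fi gets internet only" policy from the post above, written out as a plain FreeBSD pf ruleset so the rule ordering is visible. This is an added illustration, not from the original thread and not the ruleset pfSense itself generates (pfSense builds its own pf.conf from GUI rules, and the same policy would be entered as rules on the guest VLAN interface). The interface name igb1, VLAN ID 20, and the 192.168.20.0/24 guest subnet are assumptions:

    ```pf
    # Assumed names: igb1 is the LAN port trunked to the 802.1Q switch,
    # igb1.20 is the VLAN 20 sub-interface carrying the guest SSID.
    guest_if  = "igb1.20"
    guest_net = "192.168.20.0/24"

    # Everything that is "inside": the LAN, other VLANs, and the firewall itself.
    table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    # "quick" gives first-match semantics (pf is last-match by default), so
    # the order below is what enforces the policy.

    # Guests need DHCP from the firewall. DHCPDISCOVER comes from 0.0.0.0, so
    # do not restrict the source to $guest_net here.
    pass in quick on $guest_if inet proto udp from any port 68 to any port 67

    # Guests may query the firewall's own resolver, nothing else on it.
    pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port 53

    # Deny (and log) anything else that stays in private address space: that
    # covers the office LAN, the management VLAN, and the firewall's other
    # addresses. This line must come BEFORE the catch-all pass below.
    block in log quick on $guest_if from $guest_net to <rfc1918>

    # What remains is internet-bound; allow it. State tracking lets the
    # replies back in without an explicit rule.
    pass in quick on $guest_if from $guest_net to any keep state
    ```

    If the block line is placed after the pass-any line, or without `quick`, the pass rule wins and guests can reach the LAN; that ordering mistake is the usual way a "guest" VLAN silently becomes a normal one. Anything that lives on a public IP (cloud services) is reachable from the guest VLAN by design; the rule only isolates on-premises networks.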



  • CPU: TDP 54 W
    That thing burns 54 Watts with only two (physical) cores. Nice heating and not really the top pick in 2018.


  • LAYER 8 Netgate

    I would get an SG-3100 or SG-4860.

    I would also reevaluate whether you want to do antivirus on the firewall. If your users are not encrypting their traffic you should be encouraging them to do so (which renders AV on the firewall next-to-useless). Squid/Squidguard/peek-splice or pfblocker/dnsbl can give you some control/logging of sites visited.
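    The peek/splice option mentioned above, shown as a squid.conf fragment beside the full man-in-the-middle ("bump") alternative, so the trade-off is concrete. This is an added example, not part of the original thread or of the pfSense Squid package's defaults; the LAN address, port and certificate path are assumptions, and Squid 4 option names (`tls-cert=`) are assumed:

    ```squid
    # Transparent HTTPS interception on the LAN interface (assumed address/port).
    # The CA cert is only actually used by clients if "bump" is selected below.
    https_port 192.168.1.1:3129 intercept ssl-bump \
        tls-cert=/usr/local/etc/squid/ca.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    acl step1 at_step SslBump1

    # Step 1: peek at the TLS ClientHello to learn the SNI / destination host
    # without altering the handshake.
    ssl_bump peek step1

    # Option A (peek and splice): pass the session through untouched.
    # Squid and SquidGuard see only the hostname, so you get per-site
    # logging/blocking, but no URL paths, no caching, and the AV module
    # never sees the payload. No CA has to be installed on clients.
    ssl_bump splice all

    # Option B (true man in the middle): replace the line above with
    #   ssl_bump bump all
    # Squid then terminates TLS and re-encrypts with a cert minted from
    # ca.pem. Full URL filtering, caching and AV work, but every device
    # must trust ca.pem (otherwise every HTTPS site shows a cert error),
    # certificate-pinned apps break, and the firewall now holds a CA key
    # that can impersonate any site on the LAN.
    ```

    For an office with occasional outside visitors' phones, option B also means those devices get certificate warnings until the CA is pushed to them, which is one more reason the thread's advice to drop AV on the firewall and keep per-site visibility (splice, or pfBlockerNG DNSBL) is the lower-risk choice.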



  • @NogBadTheBad:

    I'd add a Ubiquiti Cloud Key and a managed switch that supports 802.1Q.

    You'll be able to create multiple VLANs and have normal users and guest wi-fi off the same access point; the guest wi-fi subnet could be set up to have internet access only.

    Will you actually save much bandwidth installing Squid? As most of the traffic will be HTTPS, you'd need to do a man in the middle.

    Just to give you an idea what you can do with 802.1q :-

    https://forum.pfsense.org/index.php?topic=142930.msg779126#msg779126

    The reason there isn't a switch is because we already have one.

    I'm not sure we need guest wi-fi either, tbh. This is a small business, so I don't think it's necessary.



  • "extra people on network occasionally" – that's what made me mention guest wi-fi.



  • @jahonix:

    CPU: TDP 54 W
    That thing burns 54 Watts with only two (physical) cores. Nice heating and not really the top pick in 2018.

    That doesn't bother me that much as there is a tight budget for this.

    I guess at some point we could always upgrade to a G4560T which only has a TDP of 35 W.



  • @NogBadTheBad:

    "extra people on network occasionally" – that's what made me mention guest wi-fi.

    These would be people we trust, so I think for now it's fine if they are on the same network.

    I guess at some point we could add a guest network, but I think its an unnecessary expense at this point.


  • LAYER 8 Netgate

    A tight budget should consider the long-term cost of the power bill (firewalls generally run 24x7) vs the up-front cost of the hardware.



  • @johnkeates:

    If you're going to get one for business use, get a single vendor source. Check Netgate, or if you are not afraid of Asian vendors, Qotom and Minisys.
    Other options are business desktop PCs, small servers and perhaps used pre-existing rack-mounted network gear that had some other software on it (but you'd luck out on the hardware support right away).

    I agree that a Netgate one would be good for business use and I will present that as an option to management.

    We have 2 internet connections, so we may end up using both a custom solution and a Netgate one.


  • LAYER 8 Netgate

    pfSense can wrangle two internet connections on one node.



  • @Derelict:

    A tight budget should consider the long-term cost of the power bill (firewalls generally run 24x7) vs the up-front cost of the hardware.

    I will update the list with the G4560T, but by tight budget I meant only for this project.

    You know how it is with management that think of this as an afterthought  :)


  • LAYER 8 Netgate

    I have generally found that management likes when suggestions are made that cost them less money over, say, three to five years.



  • @Derelict:

    pfSense can wrangle two internet connections on one node.

    I'm aware of this  :) , but the connections are on opposite sides of the building (because of course they are).

    We have our main Virgin Media connection, which I intend to use my build for, and we have a backup slow Sky broadband connection, which we will probably end up using a Netgate system with.



  • @Derelict:

    I have generally found that management likes when suggestions are made that cost them less money over, say, three to five years.

    Noted! :)


  • LAYER 8 Netgate

    Nothing some ethernet can't fix.

    If you have two routers you have to overcome the inevitable asymmetric routing issues.

    But it sounds like you know exactly what you need to do. I'm out.



  • @oxhey:

    but the connections are on opposite sides of the building

    And that's an excuse for what? Not running a single system with WAN failover/load-balancing, or for being lazy and not pulling a cable (copper or fiber)?



  • @jahonix:

    @oxhey:

    but the connections are on opposite sides of the building

    And that's an excuse for what? Not running a single system with WAN failover/load-balancing, or for being lazy and not pulling a cable (copper or fiber)?

    It's really no excuse, but I'd rather not over-complicate this.

    I don't want to be making holes in walls to pass cables through.

    I think one pfSense box per connection is fine.



  • @oxhey:

    @jahonix:

    CPU: TDP 54 W
    That thing burns 54 Watts with only two (physical) cores. Nice heating and not really the top pick in 2018.

    That doesn't bother me that much as there is a tight budget for this.

    I guess at some point we could always upgrade to a G4560T which only has a TDP of 35 W.

    The TDP is irrelevant unless you're building something that's cooling constrained. All the TDP number means is "you need to be able to dissipate this much heat". It does not mean "it uses this much power all the time" even though some people act like it does. At idle both CPUs will draw about the same (close to nothing). The main difference is that you pay more for a T series CPU that's throttled to prevent it from getting too hot. What does this mean? If you need more CPU when you're under load, the non-T can give it to you and the T can't. Don't get the T series, you don't need it.



  • @VAMike:

    @oxhey:

    @jahonix:

    CPU: TDP 54 W
    That thing burns 54 Watts with only two (physical) cores. Nice heating and not really the top pick in 2018.

    That doesn't bother me that much as there is a tight budget for this.

    I guess at some point we could always upgrade to a G4560T which only has a TDP of 35 W.

    The TDP is irrelevant unless you're building something that's cooling constrained. All the TDP number means is "you need to be able to dissipate this much heat". It does not mean "it uses this much power all the time" even though some people act like it does. At idle both CPUs will draw about the same (close to nothing). The main difference is that you pay more for a T series CPU that's throttled to prevent it from getting too hot. What does this mean? If you need more CPU when you're under load, the non-T can give it to you and the T can't. Don't get the T series, you don't need it.

    I agree  :)

