Netgate Discussion Forum

    New High End Hardware

      SatireWolf

      As a project for the corporate LAN, we are upgrading our bandwidth substantially and I am building a new appliance to meet the demand.

      Specs are as follows:

      Tyan GT20 5150 1U Rackserver
      (5) 40x40x28mm 1500rpm heavy-duty fans
      Automatic system fan speed control
      (1) ATX 12V, 1U, 350W with PFC
      TYAN Tomcat i7221A (S5151G3NR)
      Intel® E7221 (Copper River) chipset
      (1) Intel P4 631 3.0 GHz 2MB Cache 800MHz FSB HT Enabled Processor
      (2) 1GB PC3200 Unbuffered ECC Modules
      (1) 64-bit/133MHz (3.3V) PCI-X slot
      (2) Gigabit Ethernet ports (Broadcom BCM5721 PCI-E interface, connected to MCH), Support teaming feature & ASF2.0
      (1) 10/100Mb Ethernet port (Intel 82551 controller)
      (1) 3Ware 9550SX PCI-X 133MHz SATA-II 4 Port Raid Controller
      (2) Seagate 7200.9 80GB 16MB Cache Sata-II Drives (OS)
      (2) Seagate 7200.9 300GB 16MB Cache Sata-II Drives (Squid Cache)

      This server is being built to support 5-10Mbit burstable internet access via a fiber uplink to our provider. I currently have it set up on a test network with squid, spamd, clamav, and am trying to get either Viralator or HAVP to work. I'm not sure if setting up spamassassin at this point is worthwhile as I haven't seen anyone with a working setup.

      In any case it will be protecting an aging Exchange server 5.5 (yes yes, but there's apps built on top of it that will take a herculean effort to port to anything else, but it's being done) as well as 50 or so desktops and half a dozen high end engineering workstations.

      The hardware is all supported by FreeBSD 6.1 out of the box, so the system is beautifully simplistic to install.

      I would have built it with an Opteron but I've built 3 Opteron FWs based on Tyan boards and all 3 have failed due to either board or CPU failure (yes AMD Opterons fail after 1-2 years of hard operation in a 60 degree year round temp controlled room with 75k worth of line filtering and UPS supplying the server room). These were m0n0wall beasts that could push 50 percent GigE (due to TCP overhead) without breaking 20 percent CPU utilization.

      In any case if this system makes you drool, let me know :)

      I believe in overbuilding firewalls for the job if you've got the budget. Big iron web application caching speeds up intranet/extranet apps quite a bit. Not to mention caching out every download ever done, saves quite a bit of bandwidth in the long run.

      Any questions or comments are welcome. I'm currently fighting the transparent proxy redirecting via the GUI. I'm tempted to just manually add the rules from the console as I can't seem to get the GUI to do what I want it to, redirecting port 80 to 3128.

      If anyone has experience with this, I would be very grateful. I've been trolling the forums for some time as I'm a m0n0wall old hand, and love the changes the pfSense guys have made to improve the scalability and application feature set of the product.

      Thanks.

        SatireWolf

        Just an update…

        I've got pfSense RC1a running on the box just fine with transparent proxying working (although it took an act of congress to get the script to work correctly), but no QoS. I'm still fighting the packet scheduler not liking the order in which the port forward rule is tossed into the rule set. I'm not sure if there's a way to make them compatible.

        Anyone know of a way to get RC1a to be happy with transparent proxying port 80 and doing QoS? (P.S. I know this is off topic, but nobody replied about this in the addons area either).

        Thanks.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.