Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps
-
Hi to all,
I plan to build a rack chassis to install pfSense, this workstation will be dedicated to route multiple WAN (for redondancy) to x3 LANs.
On WAN side, two connection (three at end) will be used, on for my fiber connection with true 1Gbps, my adsl connexion and after a 4G connexion.
On LAN side, 3x different LAN, each LAN didn't communicate with other LANs, each LAN will be connected to pfSense workstation with SFP+ (10Gbps), pfSense will be the default gateway to each LANs.Usage :
I would to use NAT/Firewall function of pfSense.
Internet traffic will be Web surf, Torrent, IPTV flow, SMTP, FTP, MEGA, Newsgroup, and cam flow on demand to monitor house.Currently, i have one 10Gbit NIC card, Chelsio T520-SO-CR, and plan to buy Chelsio T6225-SO-CR to have 3x 10Gbps interface.
Please tell me if these card are good for the job.About hardware requirement, a nice to have will be low power and high performance, i will use 3U chassis to avoid any PCI format issue and to have silent fan.
What CPU do you suggest me ?
What motherboard do you suggest ? a motherboard with IPMI compliant pfSense will be a nice to have but not mandatory if it's better to add dedicated card.You find picture to see a preview of my network.
Many thanks for your help.
-
Not really sure why you are going for 3 x 10G as your connection out to the internet will never hit 10G.
Wouldn't you be better creating VLANS on the 3850 ( guessing thats where the 10G port connects ) and moving as much of the other stuff over to that switch and associated VLANS & firewall rules on the router.
The other advantage of this would be that you could have multiple SSIDS on the AP's if they support VLANS.
I'd buy another 3850 and stack them if you need more ports or interlink the 2960.
-
I don't have specific meaning with 3x10G, 10G LAN is only for data transfert from workstation to NAS server only... nothing related with Internet.
Create VLAN ID to reduce number of interface is not important, i prefer make 2x VLAN with tagged port without VLAN trunk.
The most important think is to have isolated LAN physicaly if possible ;)Any hardware suggestion/recommandation about this setup ?
Many thanks.
-
I'm not a hardware guy.
It will be way cheaper doing it how I suggested :)
How many devices are on each of the wired subnets?
-
@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:
The most important think is to have isolated LAN physicaly if possible ;)
You can do that with VLANS, don't create a SVI on the 3850.
-
@NogBadTheBad Around 6 to 10 devices on each LAN.
-
Seriously go VLANS and connect everything to the 3850 if you have enough ports, it won't cost you anything.
What speed is the NIC on the NAS?
If you don't create the SVI on the switch pfSense will do the isolation.
Have a look at how I do it, you'd just have a 10 uplink to pfSense.
https://forum.netgate.com/topic/132431/simple-vlan-for-pfsense-unifi-ap-ac-lr
-
All PC and NAS use 10G NIC interface.
i prefer use at least two switch, separate flows on each link is more secure i figure and optimize traffic issue between VLAN.
Other reason is that i plan in a near futur to replace curent C3850 to 12XS-S (full 10G fiber switch), and C2960XR to C3850.
-
@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:
All PC and NAS use 10G NIC interface.
i prefer use at least two switch, separate flows on each link is more secure i figure and optimize traffic issue between VLAN.
Other reason is that i plan in a near futur to replace curent C3850 to 12XS-S (full 10G fiber switch), and C2960XR to C3850.Ah :)
-
uP !
-
Supermicro X11SDV-4C-TP8F motherboard.
But the switch will be able to hardware route at wire speed (10G) between VLAN SVIs. You can add ACLs to limit intra-VLAN traffic.
-
@LeeR said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:
Supermicro X11SDV-4C-TP8F
Does all NIC interface has been supported by pfSense as well ?
What CPU do you suggest with it ?Many thanks for your feedback.
-
Did you even look? The CPU is embedded... If you need more cores look at the X11SDV-8C-TP8F model. The Supermicro spec sheet lists the NIC chipsets which you can verify are supported (they are).
-
I hate to burst your bubble, but you technically don't need 10Gbps links on your firewall, unless in the near future you will be able to get greater than 1Gbps internet connection speeds. Nothing on your 172.16.1/24 and 10.0.1/24 networks will be able to speak at 10Gbps speeds, so therefore you don't need to route thru pfsense anything connected at that speed.
Understand what I'm saying? If your only 10G capable devices are desktop PCs and your NAS box, which I'm assuming are all on the same subnet and switch in your illustration, you don't need ANY 10G connections on your firewall.
Jeff
-
@akuma1x said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:
rst your bubble, but you technically don't need 10Gbps links on your firewall, unless in the near future you will be able to get greater than 1Gbps internet connection speeds. Nothing on your 172.16.1/24 and 10.0.1/24 networks will be able to speak at 10Gbps speeds, so therefore you don't need to route thru pfsense anything connected at that speed.
Understand what I'm saying? If your only 10G capable devices are desktop PCs and your NAS box, which I'm assuming are all on the same subnet and switch in your illustration, you don't need ANY 10G connections on your firewall.
JeffYes it's right, my ISP connection is at 1G, not 10G.
Even if my WAN connexion is 1G, what is the best Motherboard/CPU to handle easyly these connexion bandwidth ?
-
@LeeR said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:
X11SDV-8C-TP8F
What is the best Motherboard/CPU to take into account this bandwidth and wait to see coming ?
-
Elrick, ever used google? I recommend you copy that part number and paste it into a google search. Then reach the specification sheet.
-
@LeeR I didn't notice that this motherboard include CPU !!
D-2146NT has 80w TDP... do you think that it can be possible to have low energy consumming CPU to reach the goal ?
-
You should look for an ATOM based processor then. Here's an example Supermicro kit: https://www.supermicro.com/products/system/Mini-ITX/SYS-E300-9A.cfm
-
@LeeR I'm not sure does it can handle 1Gb traffic.
I have a Dell R230 with Xeon E3-1260lv5, do you think that it can do the job ? It's 1U form.
-
That would be plenty of CPU. Should not have an issue routing between LAN interfaces or pushing Gigabit through the NAT.
-
@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:
@LeeR I'm not sure does it can handle 1Gb traffic.
I'm pretty sure any recent Atom C3XXX series CPU can route traffic at Gigabit speeds.
Some of the higher end/spec'd Atom C2XXX processors can as well. Like the ones in the older SG-4860, the SG-8860, and the XG-2758 1U models. Those processors are at least 3-4 years old already, so I would avoid them if you can.
Jeff
-
@LeeR and @ALL
I hope, due to 1U form i just purchase Chelsio T540-CR (quad 10G PCI card), it answer to my mean to have 3x10Gb SFP+ interface (T520 will provide only two, so i will sale it)
I have 2x1G broadcom NIC interface built-in in R230 but it's not enough, i think also that this brand is not the best choice with pfSense.
It rest me one PCI slot available (low profil bracket) and i would like to purchase 4x1GbE (copper) for the wan side.NIC card Intel i350-T4 seems the only compliant possibility ???
They exist v2 model, better choice i think but i see a lots of discussion related to counterfeit product.
Some person says that some counterfeit are better, some other none... so i'm lost.
Do you have some good/true information about it ?Other possibilities :
-
can be to keep 2x1Gb internal broadcom NIC (for ADSL and 4G connexion) and take a 2x1 Gb or 1x1 Gb NIC card for my fiber connexion.
In fact, i need to be sure that the card chosen will be perfect to handle 1Gbps bandwith at max !! -
can be to keep 2x1Gb internal broadcom NIC (for ADSL and 4G connexion) and use one port from T540-CR with 10GBase-T SFP+ Transceiver module (instead of SFP+), i dunno if this card accept this kind of module ?! So i just send a mail to Chelsio about this.
If someone have compatibility information, i would interested ;)
Many thanks for your help.
EDIT : I purchased a X550-T2, it will be 2x 10GBase-T and Chelsio T540-CR, my R230 will be ready to use with Xeon E31260L v5.
For intel NIC Card, i use the YottaMark* sticker, it is an authentication label. The code on the label allows you to verify the authenticity of your Intel Ethernet Adapter.
Code is entered here > http://verify.yottamark.com
More information here > https://www.intel.com/content/www/us/en/support/articles/000007074/network-and-i-o/ethernet-products.html
I hope that X550-T2 NIC will work properly with pfSense !?
-