Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps

Elrick75

Hi to all,

I plan to build a rack chassis to install pfSense, this workstation will be dedicated to route multiple WAN (for redondancy) to x3 LANs.

On WAN side, two connection (three at end) will be used, on for my fiber connection with true 1Gbps, my adsl connexion and after a 4G connexion.
On LAN side, 3x different LAN, each LAN didn't communicate with other LANs, each LAN will be connected to pfSense workstation with SFP+ (10Gbps), pfSense will be the default gateway to each LANs.

Usage :
I would to use NAT/Firewall function of pfSense.
Internet traffic will be Web surf, Torrent, IPTV flow, SMTP, FTP, MEGA, Newsgroup, and cam flow on demand to monitor house.

Currently, i have one 10Gbit NIC card, Chelsio T520-SO-CR, and plan to buy Chelsio T6225-SO-CR to have 3x 10Gbps interface.
Please tell me if these card are good for the job.

About hardware requirement, a nice to have will be low power and high performance, i will use 3U chassis to avoid any PCI format issue and to have silent fan.
What CPU do you suggest me ?
What motherboard do you suggest ? a motherboard with IPMI compliant pfSense will be a nice to have but not mandatory if it's better to add dedicated card.

You find picture to see a preview of my network.

Many thanks for your help.

NogBadTheBad

Not really sure why you are going for 3 x 10G as your connection out to the internet will never hit 10G.

Wouldn't you be better creating VLANS on the 3850 ( guessing thats where the 10G port connects ) and moving as much of the other stuff over to that switch and associated VLANS & firewall rules on the router.

The other advantage of this would be that you could have multiple SSIDS on the AP's if they support VLANS.

I'd buy another 3850 and stack them if you need more ports or interlink the 2960.

Elrick75

I don't have specific meaning with 3x10G, 10G LAN is only for data transfert from workstation to NAS server only... nothing related with Internet.
Create VLAN ID to reduce number of interface is not important, i prefer make 2x VLAN with tagged port without VLAN trunk.
The most important think is to have isolated LAN physicaly if possible ;)

Any hardware suggestion/recommandation about this setup ?

Many thanks.

NogBadTheBad

I'm not a hardware guy.

It will be way cheaper doing it how I suggested :)

How many devices are on each of the wired subnets?

NogBadTheBad

@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

The most important think is to have isolated LAN physicaly if possible ;)

You can do that with VLANS, don't create a SVI on the 3850.

Elrick75

@NogBadTheBad Around 6 to 10 devices on each LAN.

NogBadTheBad

Seriously go VLANS and connect everything to the 3850 if you have enough ports, it won't cost you anything.

What speed is the NIC on the NAS?

If you don't create the SVI on the switch pfSense will do the isolation.

Have a look at how I do it, you'd just have a 10 uplink to pfSense.

https://forum.netgate.com/topic/132431/simple-vlan-for-pfsense-unifi-ap-ac-lr

Elrick75

All PC and NAS use 10G NIC interface.
i prefer use at least two switch, separate flows on each link is more secure i figure and optimize traffic issue between VLAN.
Other reason is that i plan in a near futur to replace curent C3850 to 12XS-S (full 10G fiber switch), and C2960XR to C3850.

NogBadTheBad

@Elrick75 said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

All PC and NAS use 10G NIC interface.
i prefer use at least two switch, separate flows on each link is more secure i figure and optimize traffic issue between VLAN.
Other reason is that i plan in a near futur to replace curent C3850 to 12XS-S (full 10G fiber switch), and C2960XR to C3850.

Ah :)

Elrick75

uP !

LeeR

Supermicro X11SDV-4C-TP8F motherboard.

But the switch will be able to hardware route at wire speed (10G) between VLAN SVIs. You can add ACLs to limit intra-VLAN traffic.

Elrick75

@LeeR said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

Supermicro X11SDV-4C-TP8F

Does all NIC interface has been supported by pfSense as well ?
What CPU do you suggest with it ?

Many thanks for your feedback.

LeeR

Did you even look? The CPU is embedded... If you need more cores look at the X11SDV-8C-TP8F model. The Supermicro spec sheet lists the NIC chipsets which you can verify are supported (they are).

akuma1x

I hate to burst your bubble, but you technically don't need 10Gbps links on your firewall, unless in the near future you will be able to get greater than 1Gbps internet connection speeds. Nothing on your 172.16.1/24 and 10.0.1/24 networks will be able to speak at 10Gbps speeds, so therefore you don't need to route thru pfsense anything connected at that speed.

Understand what I'm saying? If your only 10G capable devices are desktop PCs and your NAS box, which I'm assuming are all on the same subnet and switch in your illustration, you don't need ANY 10G connections on your firewall.

Jeff

Elrick75

@akuma1x said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

rst your bubble, but you technically don't need 10Gbps links on your firewall, unless in the near future you will be able to get greater than 1Gbps internet connection speeds. Nothing on your 172.16.1/24 and 10.0.1/24 networks will be able to speak at 10Gbps speeds, so therefore you don't need to route thru pfsense anything connected at that speed.
Understand what I'm saying? If your only 10G capable devices are desktop PCs and your NAS box, which I'm assuming are all on the same subnet and switch in your illustration, you don't need ANY 10G connections on your firewall.
Jeff

Yes it's right, my ISP connection is at 1G, not 10G.
Even if my WAN connexion is 1G, what is the best Motherboard/CPU to handle easyly these connexion bandwidth ?

Elrick75

@LeeR said in Hardware recommandation to create pfSense 3U rack chassis | Multiple WAN 1Gbps | 3x LANs 10Gbps:

X11SDV-8C-TP8F

What is the best Motherboard/CPU to take into account this bandwidth and wait to see coming ?

LeeR

Elrick, ever used google? I recommend you copy that part number and paste it into a google search. Then reach the specification sheet.

Elrick75

@LeeR I didn't notice that this motherboard include CPU !!
D-2146NT has 80w TDP... do you think that it can be possible to have low energy consumming CPU to reach the goal ?

LeeR

@Elrick75

You should look for an ATOM based processor then. Here's an example Supermicro kit: https://www.supermicro.com/products/system/Mini-ITX/SYS-E300-9A.cfm

Elrick75

@LeeR I'm not sure does it can handle 1Gb traffic.
I have a Dell R230 with Xeon E3-1260lv5, do you think that it can do the job ? It's 1U form.