Best choice for new set-up

  • Hey all, been using pfSense for a while now, but on a non-commercial scale, and am ready to move it on up ;D. What I am wondering is, what would be the best setup for the following scenario?

    2 WAN connections of cable (10x2); would like them both active, so I guess the load balance choice would be good. Will have a constant VPN from this branch office back to our corp, so I would think a VPN accelerator would be great, unless it is felt that a NEW P4 dual core with like 512 or 1 GB of RAM would be enough. It seems that we need four network interfaces, and would like a SMALL form factor. Any suggestions of something that would not cost more than 500$ would be great. I don't mind building it out of a regular PC and using an M-ATX board/case combo, but it seems hard to find something that would be able to handle the four NICs plus a VPN accelerator card (if needed)… Thanks!

  • I would build an inexpensive 1U server with a low-end C2D or Pentium Exxxx processor. Maybe something based on the SUPERMICRO MBD-PDSBM-LN2+-O mobo and SUPERMICRO CSE-503-200B chassis with a Pentium E2200 (beware of CPU support with this mobo, it doesn't support the newer cores). Then use a managed GigE switch to handle getting 'extra' NICs like the Procurve 1800-8G. Could be done for just about exactly your target budget of $500 I think.

    Your alternative is to go with something more 'embedded'. I think an ALIX board with a crypto accelerator (vpn1411) could be done for a bit less money, but there are more complications and the setup is trickier, and you're limited to 3x100mbit NICs. I've also never used the crypto accelerators so I don't know what their limitations are. Atom with a crypto card would be something of a middle ground as far as flexibility, but even more limited for network connectivity unless you can get that elusive MSI board.

    I don't think you need a VPN accelerator if your maximum VPN throughput is likely to be 10mbit and you're using a modern CPU. It might be an issue if you were using, say, Atom, but I think even an Atom might be able to keep up with 10mbit of Blowfish or AES128.

  • If you want small with four interfaces, and possible VPN accelerator, and <$500, the Soekris boxes are nice. You could add an Intel PCI GB card if you wanted to expand it. The vpn1411 cards are helpful on the Alix and Soekris boxes, but any modern CPU will be able to run IPSec faster than the card can. Just to pull some rough numbers out, on 1.2 I could do about 8mb 3DES or 15mb AES on a stock Alix. The vpn1411 got it to around 40mb 3DES or AES. A PC-based box with a mobile CPU ran about 50mb 3DES and 85mb AES. YMMV.

