Would this server work great for a pfsense firewall?

Eddles

Would a Dell PowerEdge R610 server with dual Xeon E5620s & 8GB RAM work great for pfsense on a gigabit internet connection, please? I believe the Xeon E5620 has AES-NI capabilities. I'm a bit concerned about the power consumption of such a server, however. Many thanks.

bingo600

@eddles

I'd expect tThat server is "wildly overspec'ed", for a "home" 1Gbit box. I haven't checked the network cards in it, make sure they're supported. Usually Intel netcards is good.

My Qotom (Mobile Core-i5) w. 4 x Intel netcards , can do 1Gbit wo problems. Guess it uses 8..20W , depending on load.

My guess is your server would be noisy & power hungry.
And be idling 90% most of the time.

/Bingo

Eddles

@bingo600 thanks for this. Does that stand even if I use IDS/IPS?

Would this NUC with dual NICs be a better option, would it be able to deal with gigabit fibre Internet with IDS/IPS? Many thanks again!

stephenw10

That's almost certainly a better choice unless you need something rackmount.
Again though it depends on the NICs used.

Steve

bingo600

@eddles said in Would this server work great for a pfsense firewall?:

@bingo600 thanks for this. Does that stand even if I use IDS/IPS?

Would this NUC with dual NICs be a better option, would it be able to deal with gigabit fibre Internet with IDS/IPS? Many thanks again!

I would go for a unit with at least 3 Gbit Intel NIC's.
Or a unit that can take a 4-port Intel 340/350 NIC Card.
Watch out for fake cards from china, better to buy a used (pulled server card).

It could be a "Mini server" (my choice would be a Mini-ITX) , with room for an intel 4-port card.

A Dual (Less power) / Quad Core i3/i5/i7 with 2.4+ Ghz and 8GB Ram is adequate.
Disk : depends a bit (32GB min), but with Intrusion detect , i'd go for 128 or 256 GB SSD.

Remember a super small cabinet ==> High fan pitch
Large fan(s) ==> less noise

Chose cpu power according to usage (snort/suricata), i can't help there (Make sure CPU is 64bit and can do AES-NI).

Example of units w, built in netcards (Fanless)
https://www.ebay.co.uk/itm/133643463675
https://www.ebay.co.uk/itm/133877899545
https://www.aliexpress.com/item/1005002747355032.html
https://www.aliexpress.com/item/32920921042.html

I'd also consider the Netgate 5100 or the new 6100 , if they can deliver.

Think i read the Dell T310/T320 tower isn't loud , and mega powerhungry , maybe investigate.

/Bingo

Eddles

@bingo600 Thank you for your reply! I was hoping for a rackmount solution, as I already have a rackmount server. It's in the garage, so noise, heat & space isn't a problem. My issue is that I can't really find anything that has a significantly lower power consumption than a Dell PowerEdge R200.

You say 2 NICs aren't enough - I should have at least 3, why? I'm curious.

I'm a bit wary of Chinese made computers, especially when they're run 24/7 and are a fairly important part of the network, which is why I'm looking at more well established manufacturers.

Thanks for your time!

Patch

@eddles said in Would this server work great for a pfsense firewall?:

You say 2 NICs aren't enough - I should have at least 3, why? I'm curious

To consistently saturate a 1G WAN you may need more that a 1G LAN bandwidth.

Also you may benefit from more than on LAN interface but that depends on the details of your network architecture.

stephenw10

Having 3 NICs available gives you far more choice in your network setup. You can add a separate subnet for a DMZ for example. Or add a 2nd WAN. Or create a LAGG to a switch and run VLANs over it.

bingo600

@eddles

Re: 3+ interfaces
As mentioned above

With 2 interfaces and more than 2 "inside lan/vlan"
IF-1 : Wan
IF-2 : Inside Lan(s)

Depending on your Lan/Vlan structure , every packet traversing from Inside Lan1 to Inside Lan2
would pass IF2 , to be routed.
Now you have shared your IF2 BW with 2 lans.

Might not be an issue for "normal use" , but heavy Xfer's would (might) saturate IF2.
Then again if you're just planning on one IF to connect to the switches , you would have same issue.

You could try with 2 , but make sure you can put more in.

But by all means go for a PizzaServer

Dell 210/211 does not seem that "Overspec'ed"

Supermicro has nice rewiews (Watch out for Atom CPU ... Intel bug)
https://www.ebay.co.uk/itm/154747206773

I'd still make sure to get a 4 x Intel 340/350 card in it , and min. 8G Ram

/Bingo

bingo600

@eddles

Maybe ??

https://www.ebay.com/itm/185168618080

https://forum.netgate.com/topic/124734/watchguard-firebox-m400-m500/399

stephenw10

If you're going to go that route you should install it yourself so you know how to do it if at some point in the future you need to re-install. You are paying someone else to do the fun bit there.

Also that seller is violating our trade mark doing explicitly what is not allowed. It is not a 'pfSense firewall':
https://docs.netgate.com/pfsense/en/latest/general/sell-pfsense.html#using-the-pfsense-name-and-logo

Steve

bingo600

@stephenw10
Couldn't he just "reinstall it" , i'd never trust an externally installed vers anyway.

I specifically showed that box , due to the i3 + 8G Ram

Seems like he should have left out the word firewall

/Bingo

stephenw10

Yeah, anyone buying anything like that should absolutely re-install pfSense themselves. It's probably a (relatively) clean install but you should always assume it isn't.

That particular seller has violated a number of things but IANAL so I'll not comment on specifics

Steve