High performance hardware

MikeMac 0

We are going to be building up 4 x pfsense servers. These will sit EAST-WEST as we have Palo's on the outside. (Pair at each site)

I would have preferred to have purchased the hardware from netgate but our needs exceed any box currently on offer.

What i am looking for is a recommendation on hardware etc (not whitebox) that would meet our 40gbps firewall throughput requirement

At this stage i am looking at the following;
Dell R450 (we have a contract with dell so its easy to order though open to other vendors)
Intel Xeon Silver 4316 2.3G, 20C/40T, 10.4GT/s, 30M Cache, Turbo, HT (150W) DDR4-2666
16GB x 4 = 64GB
Intel X710-T4L Quad Port 10GbE BASE-T, OCP NIC 3.0
Intel X710-T4L Quad Port 10GbE BASE-T Adapter, PCIe Low Profile
PERC H345 with front load bracket
480GB x 2

My main questions;

How does this look?
Should i go towards Mellanox vs the Intel NICs
Any experience with Perc controllers? seem to be stuck using one of these.
Is there anything you would change?

A Former User

Hello,

should the pfSense firewalls be installed behind the Palo´s?
What services or job exactly the pfSense should do?
I mean something like, squid, pfblockerng, snort,.......

MikeMac 0

@dobby_

Palo's will sit on the gateway side, so Ingress / Egress for external traffic.

The pfSense boxes will seperate security domains (DMZ etc), VLANs etc.
All traffic between VLANs will transverse the pfsense box.

Pretty much expecting to run basic ACL's at this stage

A Former User

@mikemac-0 said in High performance hardware:

Intel Xeon Silver 4316 2.3G, 20C/40T, 10.4GT/s, 30M Cache, Turbo, HT (150W) DDR4-2666

Ok thanks this was not so easily to find out on the first look. I can´t tell you what hardware is making you "happy" or solve your entire "problem", but I would more tending to;

• Install pfSense in one or more VM´s
  Better success for 40 GBit/s cards driver support!
• More looking on CPUs with a ground speed of ~3GHz
  and therefore less Cores/HTs
• 30 M L3 cache is good!
• TurboBoost, Hyperthreading are also good to own here

MikeMac 0

@dobby_
Not an option unfortunately.
We need to physically separate networks for security domains, so dedicating a NIC in our HCI cluster would cause us more problems than benefits.

We have also had a few outages due to the VMware stack, so for firewalls / Load balancers etc we are trying to keep these physical / dedicated.

A Former User

@mikemac-0
HotLava Systems
Be sure that this NICs are supported under pfSense.
They could be an option for your project if you must be
install on bare metall.

q54e3w

@dobby_ x710-T2L working fine here, no reason to suspect quad wouldn’t.

A Former User

@q54e3w Good to know also for me thanks fot sharing this.

q54e3w

Adding some details now I'm at my desktop.

[2.5.2-RELEASE][root@pfsense.local.lan]/root: dmesg | grep 710
ixl0: <Intel(R) Ethernet Controller X710 for 10GBASE-T - 2.3.0-k> mem 0x38bffe000000-0x38bffeffffff,0x38bfff008000-0x38bfff00ffff irq 47 at device 0.0 numa-domain 0 on pci7
ixl1: <Intel(R) Ethernet Controller X710 for 10GBASE-T - 2.3.0-k> mem 0x38bffd000000-0x38bffdffffff,0x38bfff000000-0x38bfff007fff irq 47 at device 0.1 numa-domain 0 on pci7

Syncing up nicely at 2.5gbps to my cable modem, and 10G port to my switch.