Netgate Discussion Forum

    Hardware options for new build?

    17 Posts 3 Posters 1.7k Views
    • LPD7

      I did a search for fanless hardware recommendations and found nothing recent, so I figured I would put this out to the group, especially since availability, supplies and pricing are not what they were 2 years ago.

      What I need is a new SOHO build that has sufficient memory, throughput and CPU HP to run PFS as well as pfBlockerNG, a traffic monitoring package like NTOP (or maybe another brand), Squid, VPN (OpenVPN or WireGuard), and some spare muscle left over for future expansion.

      I am running on a legacy x86 that is about 12 years old with 4GB mem and a 2GHz dual core CPU by Intel. So far this setup has been great (except for the fan noise, which at times is soothing) but I am looking for something that is quieter (prefer fanless but not married to the idea...yet) and has more punch.

      I can build something or buy prebuilt but would definitely need the ability to expand if necessary (mem and/or storage), but something I can set up, stash away and not have to worry about until the next upgrade. I have some leftover hardware from prior builds like a WD 500GB 3.5" Blue HDD, an SSD 500GB HDD, so would like to use these up if possible, even if as a second or external drive, but again not married to the idea...yet.

      As for NICs, 3x1Gb interfaces would be the min (1 WAN, 2 LAN) and the likelihood I need more is small, but having redundancy in the case of a failure is always a good idea.

      Now for the topper...I do not want to break the bank. Recalling prior searches for platforms, I seem to remember that $300-400 seemed like the sweet spot, but again not sure what the market is like now or if they would be overkill. Given the requirements I can't help but feel that there may be an option out there that is more affordable, especially since I am not building/buying a high performing desktop.

      All recommendations and advice are welcomed.

      PS.. I do not see the need for this to have WiFi, not sure of any use case where WiFi would be a plus for the firewall, but am open to alternate schools of thought.

      Intelligence is not a substitute for common sense.
      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
      Putting legacy equipment into service and out of landfills.

      • stephenw10 Netgate Administrator

        What's your available WAN bandwidth or future upgrades?

        I assume you need to pass at Gigabit rates between internal interfaces?

        Steve

        • LPD7 @stephenw10

          @stephenw10 Hi, my WAN BW is 300/300 and yes my wired devices such as desktops, switches and APs are Gb.

          Future enhancements are unknown at the moment, trying to achieve current needs (listed in my post) and have some horsepower leftover to expand over time as needed and accommodate updates to PFS and the various packages.

          The device would be specific to PFS so would not be running anything else on it. I have done some searching and am seeing fanless PCs with Celeron, Pentium, dual core, quad core, i3, i5, 4GB, 8GB mem, 64GB, 128GB SSD, etc. and am trying to make a choice to balance cost, needs and equipment types.

          Thanks for your time. Look forward to your input.

          • LPD7 @stephenw10

            @stephenw10 I have been doing some playing this weekend and had Squid, SquidGuard and Lightsquid running, and CPU and mem went through the roof. I think I am not going to find a fanless device to meet needs. I was also thinking of using the box as a log server and using Graylog for reporting, since local logs are lacking in detail. I have set my specs at 2.0 GHz quad core CPU (i3 or i5), 8GB mem and min 256GB SSD. A search of eBay yielded a number of possibilities, but since having AES-NI supported by the processor is a must, I am not sure if buying from eBay or refurbished Amazon will be an option. I started looking at Dell as I bought a Vostro for our security and automation which has been running strong, and a similar box will cost around $550. They also have a Precision 3420 SFF with similar specs, refurbished for $360, but I can't tell if my NIC will fit; they say the 3420 supports half height cards but the NIC specs say it is a low profile card, not sure if it will fit. The FW is running fine (with the above services stopped) so I have time to search, but my goal of having a fanless PC (no noise, small footprint) that can run what I need now and have room for the future seems like it may not be an option.

            • stephenw10 Netgate Administrator

              If you just enable everything in Snort or Squid etc. they can use a lot of RAM, but that doesn't mean they have to. I run a 3100 as my edge here with Snort and pfBlocker; I just choose exactly what I need to block carefully. Currently using ~25% of its 2GB RAM.

              I can't really recommend anything but our own hardware. The 4100 would be fine for those speeds. You could exhaust the 4GB RAM there by just enabling everything in packages though.

              Steve

              • LPD7 @stephenw10

                @stephenw10 I didn't go crazy with loading up on all the bells and whistles. With Squid proxy, above base settings I set up man in the middle, and for SquidGuard I enabled logging, a blacklist with 6 category types set to deny, and clean advertising. I also have pfBlocker running with only a handful of feeds selected; I believe they were the ones that were set by default, as I don't recall adding any since I wanted to do more research before enabling any more.

                My system is a 12yo Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz, 2 CPUs: 1 package(s) x 2 core(s) with 3.2GB mem available. Most of the Netgate gear, if I recall, has quad core CPUs and 4 or 8GB mem and 256GB SSD and larger drives, and I was taking my cue as a starting point from there.

                I have plenty of old parts, boards and such and was thinking, before I pull the trigger on a new system, of seeing what "monster" I can make from what I have on hand, if I can get a performance bump and be able to run with more features.

                This is what I have running at the moment:

                [image]

                This is what I have loaded for PFB:

                [image]

                And here is where my current utilization is at:

                [image]

                Not sure if the above is useful, but if it leads to better performance without dropping $400 to $500 on a new system then that's always a good thing.

                Thanks for the feedback.

                • stephenw10 Netgate Administrator

                  Well it doesn't seem to be having any problems with just those lists loaded in pfBlocker.

                  I would expect to be able to run Squid there as well with mostly default settings.

                  Adding Snort/Suricata to that might be a problem though.

                  Steve

                  • LPD7 @stephenw10

                    @stephenw10 Thanks for taking a look at that. I realized that I need to do this incrementally and with specific purpose, so I will be able to devote more time next month and will probably build a VM for testing purposes. I may still have to look at HW options; if I recall, I think the FW PC is maxed out in RAM (4GB), I need to check on that. Would additional RAM make a difference or is it CPU that is the bottleneck? Since it's running FreeBSD I can't use a system reporting tool to get system information to look up the specs online, gonna have to take it apart. This will be a good time to clean it out and replace a couple of fans.

                    • stephenw10 Netgate Administrator

                      For a 300Mbps WAN I wouldn't expect the CPU to limit throughput unless you loaded up every list and signature you could find. And you would exhaust the RAM trying to do that.

                      Steve

                      • LPD7 @stephenw10

                        @stephenw10 So if I add more RAM (if possible) I should see an improvement in system performance and resource utilization as I restart services?

                        I am not looking to load everything, only those which reduce/eliminate ads, allow me to restrict access to certain sites and provide protection from external threats.

                        Knowing what to load, such as lists and such, is the key; I need to get up to speed on the various options.

                        While on the subject of lists, why have so many Squid proxy blacklists disappeared? I read one guy who used to publish a pretty popular list say that due to the political and social environment he had to stop publishing, and it seems like all of the other lists I could find were also no longer active.

                        Are these lists a good tool to have? Do you know of any good one(s) that are still active?

                        Cleaned out the PC, replaced the CMOS battery so it boots up without my having to press F1, and installed new fans to keep things cool; it sounds like a mini turbine now. I am going to have to unplug one of the fans to bring down the noise, I am sure people can hear it when I am on conf calls. They have helped drop the normal op temp by 2+ degrees C, which is a good thing.

                        PS...Just confirmed that the MB only supports 4GB of mem, so I will have to start loading stuff carefully and see where it settles out. Good thing that I don't have to buy new HW right now; I can wait and see how it works out and wait for a good deal on refurbished or new equipment.

                        • stephenw10 Netgate Administrator

                          If it exhausts the RAM and starts swapping you will see performance tank! So much so that I often just disable SWAP at install. That can prevent crash reports being stored though.
                          So keep an eye on the usage. You'll probably be fine though, 4GB is still quite a lot.

                          Steve

                          • LPD7 @stephenw10

                            @stephenw10 I started the proxy server and have been holding steady at 24%, and load averages are in the 0.9x's. I noticed that Amazon product images were not displaying and Office 365 was having server connectivity issues; I went and disabled man in the middle filtering and the issues resolved. I was under the impression from what I read that this would need to be configured to be able to restrict web sites that use encrypted DNS. I guess now would be a good time to back up the config...again. Thanks for the input.

                            • LPD7

                              The system did a reboot all on its own last night. I have the crash report but don't know enough about the contents to even take a guess at what happened. I shut down the Squid proxy server and so far it has been running stable. I am going to restart the service later to see if it happens again. Would be nice to have some sort of cipher or something to see if the report can shed light onto what happened.

                              • stephenw10 Netgate Administrator

                                You can pm me a link to it if you upload it somewhere if you like.

                                • A Former User

                                  All recommendations and advice are welcomed.

                                  NETGATE 4100 BASE
                                  Would be nice for your setup but does not match the price range.

                                  NETGATE 6100 BASE
                                  Offers more options and is able to run more services, but on the other hand is further away from your price range wish.

                                  But please don't forget that the electric power draw is, in both cases, as low as it can be! And you might also be able to save money over the years, I mean, to get something more back than horsepower.

                                  PC Engines APU4D4
                                  Does not offer as much power as the two Netgate devices, but also uses little electric power and is silent on top! It offers the ability to install an mSATA, WiFi and modem card if needed.

                                  Others may love the option of a procom or Protectli directly from the internet; that may be an option also, but if electric power is also a point to keep an eye on, it is not really the thing for a home installation.

                                  • LPD7 @A Former User

                                    @dobby_ Appreciate the input. I was looking at the Netgate devices but don't have a rack and want to maximize ROI by maybe leveraging for other uses, like a log server or to run everything virtually. I have not yet decided but am leaning towards an i5 processor and 8-16GB mem (depending on planned uses). I have a new Dell for automation and am impressed with the quality and price, so am keeping an eye on deals to see what pops up. I would like fanless due to size, but when all is said and done I can get a mid tower PC with its expansion capabilities for the same cost as a comparable fanless unit. I am testing PFS as a VM and if it works as expected I may use VM for most of my needs, so a PC would almost be a must.

                                    • LPD7 @stephenw10

                                      @stephenw10 Will do, appreciate it. I will get it uploaded and send you the link.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.