Recommended hardware
-
Hello,
First of all, let me frankly take my hat off to all you developers and community members for the great project.
Well, to get started quickly on the topic: on Friday we had a chat with a customer who wants us to build him a firewall cluster using pfSense. We are just delighted to see a company asking us to build them a nice home-made firewall appliance.
We aim to build them a firewall appliance that is flexible and based on Intel hardware. We had thought we would offer them a Fortinet 310B (http://www.fortinet.com/products/fortigate/310B.html) for this, but as we go with pfSense, we need to find a chassis with multiple gigabit ethernet interfaces.
What supplier/model/brand of chassis would you advise us for a firewall? We need at least 4 GbE ports and we would like to have the option to buy one or two 10 GbE cards if necessary.
We look forward to your feedback!
Cheers.
Alex
-
There's a link on the pfSense home page about recommended hardware and there are a mountain of posts here. I'd highly recommend that you review all of those to avoid people having to spend their time repeating advice that's already been given ;)
-
Definitely search the forums as this has been covered numerous times in the past. Personally, I've found Lanner (http://www.lannerinc.com/) to make some really compelling systems, but they are a bit more expensive than other options. I have a FW-7520 and it has been a perfect pfSense system for my application.
-
I use IBM xSeries 335/345 hardware with dual Xeon and 4 GB RAM.
You can find it very cheap on eBay and it has gigabit NICs… Very easy to upgrade with multiple NICs, and very stable.
It can handle very high traffic loads and it runs on two 73 GB SCSI disks in hardware RAID1.
-
Hello.
Thank you all for helpful replies.
Well, I have seen that there are many topics on hardware, that's true. However, I wanted to know what kind of hardware is suitable for large traffic.
So, the question with hardware: in the case of a (D)DoS spoofed SYN packet attack (hping and botnets), what will suffer the most: CPU, RAM or HDD? Also, for the hardware professionals: are SD cards faster than SATA hard drives?
Thank you again for your help!
-
If you want high throughput, do NOT use flash cards… Use an HD install.
CPU, I think, will suffer the most in a DoS attack.
SATA is the preferred disk if you do not have SCSI available or SCSI is not an option at all.
-
But, as I've said many times, there's a world of difference between different types of (say) 50 Mb/s traffic. If it's only to a single remote host and all of maximum packet size then that's completely different than if it's all the smallest possible packet size to thousands of different hosts. PPS (Packets Per Second) is a far more important factor than mere bytes per second.
For a pure firewall, the nature of the hard disk is irrelevant - it won't get hit for anything but logging. What will matter most is RAM (for the state table) and CPU (to process interrupts) and the quality of your network card. None of that matters under DDoS conditions however since it's unlikely that anything you do will matter.
-
And what is the average size of a packet???
So PPS is not an easy figure to measure, because you have to know the exact composition of your network traffic…
And you don't…
-
You can assume an absolute worst case of (say) 64 byte packets and then divide your TOTAL bandwidth (in bytes/second) by that to get a worst case PPS. Best case is for 1500 byte packets. In reality you'll see neither, and no two networks are identical, so you really, really need to get an idea of their traffic profile if you want to get something that will perform and not cost you an arm and a leg.
-
How come they do not include a traffic analyzer in pfSense???
One that could log the sizes of the packets going through?? And collect the information, say like a dashboard function.
-
Possibly because it wouldn't help you in specifying your first system ;)
It actually has that if you add NetFlow reporting (such as the pfflowd package). All you then need is a NetFlow receiver (flow-tools) and you can generate whatever stats you want. I suspect darkstat (another package) can do something similar for you.
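To make the two points above concrete (the worst/best-case PPS bounds from a bandwidth figure, and turning exported flow records into a packet-size profile), here is an added example that is not part of the thread and not pfSense, pfflowd or flow-tools code. The flow records are constructed and use a simplified per-flow layout (start, end, src, dst, proto, packets, bytes); a real NetFlow export carries more fields, so the parsing of the receiver's actual output is assumed to be done elsewhere.

```python
"""Traffic-profile sketch from flow summaries (added example, not project code).

Shows why bytes/second alone says little: the constructed flows below push
roughly 9.4 Mb/s, but the number of packets per second depends entirely on
the packet-size mix, and the worst-case bound for that link rate is ~20x higher.
"""
from collections import Counter, namedtuple

ETHERNET_MIN = 64      # smallest frame: worst case for packets per second
ETHERNET_MAX = 1500    # MTU-sized frame: best case for packets per second

Flow = namedtuple("Flow", "start end src dst proto packets bytes")


def pps_bounds(bandwidth_bps):
    """Worst-case and best-case packets/second for a link rate in bits/second,
    using the 64-byte and 1500-byte bounds discussed in the thread."""
    bytes_per_sec = bandwidth_bps / 8
    return bytes_per_sec / ETHERNET_MIN, bytes_per_sec / ETHERNET_MAX


def size_bucket(avg_packet_size):
    """Coarse buckets for the average packet size of a flow."""
    if avg_packet_size <= 64:
        return "<=64"
    if avg_packet_size <= 512:
        return "65-512"
    return "513-1500"


def profile(flows, window_s):
    """Aggregate a set of flow summaries observed over window_s seconds."""
    total_packets = sum(f.packets for f in flows)
    total_bytes = sum(f.bytes for f in flows)
    packets_by_size = Counter()
    for f in flows:
        packets_by_size[size_bucket(f.bytes / f.packets)] += f.packets
    hosts = {f.src for f in flows} | {f.dst for f in flows}
    return {
        "pps": total_packets / window_s,
        "bps": total_bytes * 8 / window_s,
        "avg_packet_size": total_bytes / total_packets,
        "packets_by_size": dict(packets_by_size),
        "hosts": len(hosts),
    }


# Constructed sample: one bulk transfer, one small-packet stream, and many
# tiny flows from distinct sources (the "thousands of hosts" pattern).
FLOWS = [
    Flow(0, 10, "10.0.0.5", "203.0.113.9", "tcp", 8000, 11_600_000),  # ~1450 B/pkt
    Flow(0, 10, "10.0.0.7", "198.51.100.2", "udp", 500, 80_000),      # 160 B/pkt
]
FLOWS += [
    Flow(0, 10, "192.0.2.%d" % (i + 1), "10.0.0.1", "tcp", 3, 180)    # 60 B/pkt
    for i in range(200)
]


if __name__ == "__main__":
    p = profile(FLOWS, window_s=10)
    worst, best = pps_bounds(p["bps"])
    print("observed: %.0f pps at %.1f Mb/s, avg %.0f B/pkt, %d hosts"
          % (p["pps"], p["bps"] / 1e6, p["avg_packet_size"], p["hosts"]))
    print("packets by size bucket:", p["packets_by_size"])
    print("same bandwidth all-64B: %.0f pps, all-1500B: %.0f pps" % (worst, best))
```

Run it directly and compare the observed PPS with the worst-case figure for the same bandwidth; that gap is the difference the earlier reply describes between "50 Mb/s to one host at full size" and "50 Mb/s of minimum-size packets to thousands of hosts", and it is the number to size CPU and state-table RAM against.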
-
If you want high throughput, do NOT use flash cards… Use an HD install.
CPU, I think, will suffer the most in a DoS attack.
SATA is the preferred disk if you do not have SCSI available or SCSI is not an option at all.
Routing, NAT, firewalling, and shaping don't touch the disk at all. In fact, you could boot pfSense from the LiveCD and not see a difference past boot time.
DoS attacks come in many flavors. Some of them will be CPU intensive (single host causing an expensive calculation repeatedly) and some will be memory intensive (lots of hosts all doing a single request will cause the state tables to grow wildly). If in doubt, buy the best CPU/RAM config you can afford and hope for the best. FWIW, I do high-bandwidth, few-connection traffic with a 1GHz Celeron M and 1GB of RAM just fine.