Netgate Discussion Forum

    Recommended hardware

    Hardware
    12 Posts 4 Posters 7.3k Views
      alexg

      Hello,

      First of all, let me frankly take my hat off to all you developers and community members for the great project.

      Well, to get started quickly on the topic: on Friday we had a chat with a customer who wants us to build him a firewall cluster using pfSense. We are just delighted to see a company asking us to build them a nice home-made firewall appliance.

      We aim to build them a firewall appliance that is flexible and based on Intel hardware. We had thought we would offer them a Fortinet 310B (http://www.fortinet.com/products/fortigate/310B.html) for this, but as we go with pfSense, we need to find a chassis with multiple gigabit ethernet interfaces.

      What supplier/model/brand of chassis would you advise us for a firewall? We need at least 4 GbE ports and we would like to have the option to buy 1 or 2 10 GbE cards if necessary.

      We look forward to your feedback!

      Cheers.

      Alex

        Cry Havok

        There's a link on the pfSense home page about recommended hardware and there is a mountain of posts here.  I'd highly recommend that you review all of those to avoid people having to spend their time repeating advice that's already been given ;)

          kc8apf

          Definitely search the forums as this has been covered numerous times in the past.  Personally, I've found Lanner (http://www.lannerinc.com/) to make some really compelling systems, but they are a bit more expensive than other options.  I have a FW-7520 and it has been a perfect pfSense system for my application.

            Supermule

            I use IBM xSeries 335/345 hardware with dual Xeon and 4 GB RAM.

            You can find it very cheap on eBay and it has gigabit NICs… Very easy to upgrade with multiple NICs, and very stable.

            It can handle very high traffic loads and it runs on two 73 GB SCSI disks in hardware RAID1.

              alexg

              Hello.

              Thank you all for helpful replies.

              Well, I have seen that there are many topics on hardware, that's true. However, I wanted to know what kind of hardware is suitable for large traffic.

              So, the question with hardware: in case of a (D)DoS spoofed SYN packet attack (hping and botnets), what will suffer the most: CPU, RAM or HDD? Also, for the hardware professionals: are SD cards faster than SATA hard drives?

              Thank you again for your help!

                Supermule

                If you want high throughput, do NOT use flash cards… use an HD install.

                CPU, I think, will suffer the most in a DoS attack.

                SATA is the preferred disk, if you do not have SCSI available or SCSI is not an option at all.

                  Cry Havok

                  But, as I've said many times, there's a world of difference between different types of (say) 50 Mb/s traffic.  If it's only to a single remote host and all of maximum packet size then that's completely different than if it's all the smallest possible packet size to thousands of different hosts.  PPS (Packets Per Second) is a far more important factor than mere bytes per second.

                  For a pure firewall, the nature of the hard disk is irrelevant - it won't get hit for anything but logging.  What will matter most is RAM (for the state table) and CPU (to process interrupts) and the quality of your network card.  None of that matters under DDoS conditions however since it's unlikely that anything you do will matter.

                    Supermule

                    And what is the average size of a packet???

                    So the PPS is not an easy figure to measure, because you have to know the exact composition of your network traffic…..

                    And you don't.....

                      Cry Havok

                      You can assume an absolute worst case of (say) 64 byte packets and then divide your TOTAL bandwidth (in bytes/second) by that to get a worst case PPS.  Best case is for 1500 byte packets.  In reality you'll see neither - and no 2 networks are identical so you really, really, need to get an idea of their traffic profile if you want to get something that will perform and not cost you an arm and a leg.

                        Supermule

                        How come they do not include a traffic analyzer in pfSense???

                        One that could log the sizes of the packets going through?? And collect the information, say like a dashboard function.

                          Cry Havok

                          Possibly because it wouldn't help you in specifying your first system ;)

                          It actually has that if you add netflow reporting (such as the pfflowd package).  All you then need is a netflow receiver (flow-tools) and you can generate whatever stats you want.  I suspect darkstat (another package) can do something similar for you.

                            kc8apf
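                          As an added example (not code from the thread, from pfSense or from flow-tools), the following Python script puts the two points above side by side: the worst/best-case PPS bounds Cry Havok derives from a byte rate, and the actual PPS and packet-size profile that can be read off the per-flow counters a netflow receiver such as flow-tools reports. The flow records, the 50 Mb/s figure and the addresses are constructed for the example; the script assumes all records cover one shared time window and, since flow records carry only packet and octet totals per flow, it buckets every packet of a flow at that flow's mean size (a pcap would give exact sizes).

```python
"""Traffic-profile estimate from flow records (constructed sample data).

Added example, not from the forum thread or the pfSense project. It shows
the PPS bounds described in the thread (64-byte worst case, 1500-byte best
case for a given byte rate) next to the actual PPS derived from a few
NetFlow-style flow records, as a receiver like flow-tools would report them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style flow record: counters only, no per-packet sizes."""
    src: str
    dst: str
    packets: int
    octets: int
    duration_s: float


# Constructed sample records (hypothetical RFC 5737 documentation addresses),
# as a flow receiver would summarise them for one 10-second window.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.0.2.10", "198.51.100.5", packets=10_000, octets=14_000_000, duration_s=10.0),  # bulk transfer
    Flow("192.0.2.11", "198.51.100.53", packets=5_000, octets=400_000, duration_s=10.0),     # DNS-sized
    Flow("192.0.2.12", "198.51.100.7", packets=20_000, octets=1_280_000, duration_s=10.0),   # minimum-size packets
    Flow("192.0.2.13", "198.51.100.8", packets=1_000, octets=600_000, duration_s=10.0),      # mid-size
]

SIZE_BUCKETS = (64, 128, 256, 512, 1024, 1518)  # bytes, upper bound of each bucket


def pps_bounds(bits_per_second: float, min_pkt: int = 64, max_pkt: int = 1500) -> Tuple[float, float]:
    """Worst- and best-case packets/second for a byte rate, using the thread's
    rule of thumb: divide bytes/second by the smallest and the largest packet
    size. Ethernet preamble and inter-frame gap are ignored, as in the thread."""
    bytes_per_second = bits_per_second / 8
    return bytes_per_second / min_pkt, bytes_per_second / max_pkt


def traffic_profile(flows: List[Flow]) -> Dict[str, float]:
    """Actual PPS, bit rate, mean packet size and destination count over the window."""
    total_packets = sum(fl.packets for fl in flows)
    total_octets = sum(fl.octets for fl in flows)
    window_s = max(fl.duration_s for fl in flows)  # assumption: records share one window
    return {
        "pps": total_packets / window_s,
        "bps": total_octets * 8 / window_s,
        "mean_packet_bytes": total_octets / total_packets,
        "distinct_destinations": len({fl.dst for fl in flows}),
    }


def packet_size_histogram(flows: List[Flow]) -> Dict[str, int]:
    """Packets per size bucket, keyed by bucket upper bound. A flow record only
    gives a per-flow mean (octets/packets), so every packet of a flow lands in
    the bucket of that mean."""
    hist: Dict[str, int] = {}
    for fl in flows:
        mean = fl.octets / fl.packets
        label = next((f"<={b}" for b in SIZE_BUCKETS if mean <= b), f">{SIZE_BUCKETS[-1]}")
        hist[label] = hist.get(label, 0) + fl.packets
    return hist


def small_packet_share(flows: List[Flow], threshold: int = 128) -> float:
    """Fraction of packets in flows whose mean size is at or below threshold:
    the share that drives interrupt load rather than byte throughput."""
    total = sum(fl.packets for fl in flows)
    small = sum(fl.packets for fl in flows if fl.octets / fl.packets <= threshold)
    return small / total


if __name__ == "__main__":
    worst, best = pps_bounds(50_000_000)  # the thread's 50 Mb/s example
    print(f"50 Mb/s bounds: worst {worst:,.0f} pps (64 B), best {best:,.0f} pps (1500 B)")
    prof = traffic_profile(SAMPLE_FLOWS)
    print(f"sample: {prof['pps']:,.0f} pps at {prof['bps'] / 1e6:.1f} Mb/s, "
          f"mean {prof['mean_packet_bytes']:.0f} B, {prof['distinct_destinations']} destinations")
    print("size histogram:", packet_size_histogram(SAMPLE_FLOWS))
    print(f"small-packet share: {small_packet_share(SAMPLE_FLOWS):.0%}")
```

                          On the constructed sample the bulk-transfer flow carries most of the bytes while the two small-packet flows carry about 69% of the packets, which is the point of the thread: the byte rate alone says little about the interrupt load the firewall will actually see, and the same ratio on real records is what decides between the worst- and best-case PPS bounds.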

                            @Supermule:

                            If you want high throughput, do NOT use flash cards…. Use HD install.

                            CPU, I think, will suffer the most DoS attack.

                            SATA is the preferred disk, if you do not have SCSI available or SCSI is not an option at all.

                            Routing, NAT, firewalling, and shaping don't touch the disk at all.  In fact, you could boot pfSense from the LiveCD and not see a difference past boot time.

                            DoS attacks come in many flavors.  Some of them will be CPU intensive (single host causing an expensive calculation repeatedly) and some will be memory intensive (lots of hosts all doing a single request will cause the state tables to grow wildly).  If in doubt, buy the best CPU/RAM config you can afford and hope for the best.  FWIW, I do high-bandwidth, few connection traffic with a 1GHz Celeron M and 1GB of RAM just fine.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.