Will 533 MHz be enough for OpenVPN and Snort on Home Net?
I'm experimenting with pfSense to teach myself a bit more about networking.
Will my old 533 MHz Celeron box with 512 MB of RAM be able to handle a 35 Mbit connection with OpenVPN (one user) and Snort running? The connection will be running over two Intel gigabit Ethernet cards in the PCI slots.
Depends on the number of snort rules and how much of that 35Mbit/s is taken by OpenVPN.
The OpenVPN will be a road warrior setup of some kind to allow a secure connection from untrusted wifi hotspots back to the LAN to get on the net and access network resources. So I'm guessing no more than a few megabits.
I'll probably start out with the snort default rules enabled, and fine tune it by turning some on and off depending on how many applications it breaks.
You'd be lucky to get 20 Mbit with OpenVPN, and that's without snort running.
Encryption is very CPU-intensive. You can't get more than 20 or so Mbit on an ALIX (500MHz Geode) and that has a built-in crypto accelerator.
If you're running snort, expect that to go even lower.
Should have been more clear.
The OpenVPN is only coming in from an outside location (i.e. I'm in Starbucks connected with my laptop back to my LAN over the OpenVPN for secure access to the net and to access my files). This doesn't need to be super fast, just fast enough for a public WAP (no more than a few Mbit).
When I'm at home running the boxes at full throttle the OpenVPN is not being used. My concern at that point is Snort by itself slowing down the 35 Mbit connection.
In that case, it might be OK, but snort is a pig (pun intended). It hogs RAM and CPU, and that increases a lot when you have many rulesets loaded.
Why are you wanting to run snort? What are you hoping it will alert on or prevent?
The main reason is to tinker with it and learn how it works. ;)
The second more useful reason is that I want it to trip if one of the boxes behind gets some malware and starts sending worms, spam or whatnot back out to the net.
Third reason is that eventually I'm setting up a server behind the FW for testing and demoing websites and maybe a Ventrilo or TeamSpeak server. I want to be aware if one of those services gets compromised.
Well then you'd really need more CPU/RAM. Running in one direction (on LAN to catch things going out) might squeak by with a couple of rulesets, but for servers you'd also have to run another instance on WAN.
Otherwise, you lose either the source IP of the local machine (if run on WAN trying to catch outbound) or the remote attacker (if run on LAN trying to catch inbound).
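As an added illustration of the outbound case in the reply above (example code written for this page, not pfSense's or Snort's own code, and not from the thread): a toy source-NAT plus one stand-in Snort rule shows why a Snort instance on the WAN side cannot name the infected LAN host. All addresses, ports and the "alert on outbound TCP/25" rule are constructed for the example.

```python
"""Toy model of IDS placement relative to outbound NAT (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port


# Constructed addresses for the example home network (assumptions, not real hosts).
LAN_PREFIX = "192.168.1."
WAN_IP = "198.51.100.2"


class OutboundNAT:
    """Minimal source-NAT: rewrites LAN sources to the WAN address and keeps a
    translation table so replies could be mapped back to the inside host."""

    def __init__(self):
        self.table = {}          # (lan_src, sport) -> translated source port
        self.next_port = 40000

    def translate(self, pkt):
        if not pkt.src.startswith(LAN_PREFIX):
            return pkt           # not from the LAN: leave untouched
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=WAN_IP, sport=self.table[key])


def outbound_smtp_rule(pkt):
    """Stand-in for a Snort rule: alert on any outbound connection to TCP/25,
    the kind of traffic a spam-sending infection produces."""
    return pkt.dport == 25


def suspects(packets, interface):
    """Return the source addresses an IDS instance bound to `interface` would
    report. On LAN it sees packets before NAT; on WAN it sees them after NAT."""
    nat = OutboundNAT()
    seen = set()
    for pkt in packets:
        view = pkt if interface == "LAN" else nat.translate(pkt)
        if outbound_smtp_rule(view):
            seen.add(view.src)
    return seen


# Constructed traffic: workstation .50 is sending spam, host .20 is just browsing.
SAMPLE = [
    Packet("192.168.1.50", 51000, "203.0.113.25", 25),
    Packet("192.168.1.50", 51001, "203.0.113.26", 25),
    Packet("192.168.1.20", 52000, "203.0.113.80", 443),
]

if __name__ == "__main__":
    print("LAN instance blames:", suspects(SAMPLE, "LAN"))   # {'192.168.1.50'}
    print("WAN instance blames:", suspects(SAMPLE, "WAN"))   # {'198.51.100.2'}
```

The LAN instance names the actual infected workstation, while the WAN instance only ever sees the firewall's own public address, which is the "you lose the source IP of the local machine" problem described above; the fix is exactly what the reply suggests, a second instance on the LAN side.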
If I shoehorned a 1 GHz PIII into it, would that be enough along with the existing 512 MB of RAM? (They are going for about $5 on eBay.)
The CPU might be, but you'd likely need more RAM. I wouldn't run snort on two interfaces with less than 1 GB, but if you are very frugal with the rulesets you choose, it might work with 512.
What would you recommend as minimum specs to do this, scalable up to, say, 100 Mbit?
I might just turn the Celeron box into a NAS box and get a decent used computer.
Not sure what that would take, but I wouldn't try it with less than ~2 GB of RAM and perhaps a dual-core Atom (330 or D510).
Even then, snort might still be too much if you enable too many rules.
Thanks! Think I have something in mind.