Initial Hardware Considerations

  • While I am not a total routing dummy, this is my first "soiree", as it were, with a Linux/BSD based configuration.  In my situation, we have an ISP that provides us with a block of IP addresses (8): ..239.96 - ..239.103.  I am assuming that 2 of these addresses will be used by the ISP (one network and one broadcast), leaving 6 usable IPs.  So far, so good.  As a company we use multiple internet-connectable services in order to operate [mail server(s), web server(s), etc. etc.].  Currently our configuration consists of multiple firewalls/routers connected [via their WAN ports] to a switch that is connected directly to the ISP's equipment.  Each of the firewalls/routers has a connection on its LAN side that connects to the network that the appropriate services are attached to.

    So initially I am asking: am I going to need to have a computer that has 2 NICs for each external IP [a maximum of 12] that I need to forward requests from?  Well, after reading, it seems as if I really do not and may be overcomplicating things (go figure, a network admin overcomplicating things  ::)).  So let me ask, what would any of you do?  What kind of hardware would you purchase and how would you set it all up?  Bear in mind that I am more attuned to SOHO routing [iow, Wizards] than Cisco IOS configurations, so rattling off "redir ne0 etc. etc. etc" essentially makes no sense to me.  In other words, please keep it simple but not too condescending…  ;)



  • There should be no need to run multiple firewall/routers for the scenario you describe (unless you really want to).  A single pfSense box can handle network access for all your various internet services (SMTP, HTTP, etc.) and serve up the required IP addresses using virtual IP addresses and 1:1 NAT mapping.  Mind you, I just browsed your post and may have missed something specific, but the scenario you describe isn't particularly challenging.

    As far as hardware, that will depend largely on how much traffic you intend to be pushing through the system.  I recently did a couple of installs using quad-core servers with 4 GB of memory to handle a pretty saturated 100 Mbit line as a high-availability cluster, and the machines are considered wildly overpowered for the task.
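    To make the "virtual IPs plus 1:1 NAT" idea from the reply above concrete, here is an added example (not code from the original thread and not pfSense's own code) that models what the firewall does with a /29 block. The block 203.0.113.96/29, the gateway address, the internal hosts and the packets are all constructed sample values; the example additionally assumes the ISP's router occupies the first usable address, which is why it reserves that address as well as the network and broadcast addresses before handing out virtual IPs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example block (documentation range, not the poster's real /29).
PUBLIC_BLOCK = "203.0.113.96/29"
# Assumption for this example: the ISP's router uses the first usable address.
ISP_GATEWAY = "203.0.113.97"

# Constructed 1:1 NAT table: public virtual IP -> internal host on the LAN side.
ONE_TO_ONE = {
    "203.0.113.98": "192.168.1.10",  # mail server
    "203.0.113.99": "192.168.1.20",  # web server
}


def usable_public_addresses(block=PUBLIC_BLOCK, gateway=ISP_GATEWAY):
    """Addresses the firewall may claim as virtual IPs: the block minus the
    network address, the broadcast address and the ISP gateway."""
    net = ipaddress.ip_network(block)
    gw = ipaddress.ip_address(gateway)
    return [str(a) for a in net.hosts() if a != gw]


def validate_nat_table(table, block=PUBLIC_BLOCK, gateway=ISP_GATEWAY):
    """Return the public addresses in `table` that must not be used as VIPs
    (network, broadcast, gateway, or outside the block). Empty list means OK."""
    allowed = set(usable_public_addresses(block, gateway))
    return [pub for pub in table if pub not in allowed]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def translate_inbound(pkt, table=ONE_TO_ONE):
    """WAN -> LAN: rewrite the destination from the public VIP to the mapped
    internal host. Unmapped destinations are returned as None (no translation)."""
    if pkt.dst in table:
        return Packet(pkt.src, table[pkt.dst], pkt.dport)
    return None


def translate_outbound(pkt, table=ONE_TO_ONE):
    """LAN -> WAN: rewrite the source from the internal host back to its public
    VIP, so replies leave with the same address the client talked to."""
    reverse = {internal: public for public, internal in table.items()}
    if pkt.src in reverse:
        return Packet(reverse[pkt.src], pkt.dst, pkt.dport)
    return None


if __name__ == "__main__":
    print("usable VIPs:", usable_public_addresses())
    print("table problems:", validate_nat_table(ONE_TO_ONE))
    print(translate_inbound(Packet("198.51.100.5", "203.0.113.99", 443)))
    print(translate_outbound(Packet("192.168.1.20", "198.51.100.5", 443)))
```

The point of the validation step is the one a practitioner checks first when moving from several SOHO boxes to a single firewall: every address in the 1:1 table has to be one the firewall can legitimately answer ARP for on the WAN side, and only the single LAN host behind each mapping becomes reachable from the Internet, so per-service firewall rules still apply to the translated traffic.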

  • First thank you for your response.

    So if I am understanding you correctly, I would really only need two NICs in the pfSense box (one for WAN and one for LAN).  In the software I would add virtual IPs for each of the external IP addresses.  If that is so, what kind of performance can I expect?  (I assume that realistically, unless you are on a huge internet pipe, you will never completely use the bandwidth on a 100 Mbps/1 Gbps NIC.)


  • It all depends on a bunch of different variables, so there is no one-size-fits-all answer to this question.  In the scenario I described, there were multiple interfaces with lots of inter-interface routing happening, something like 50 virtual IP addresses and a ton of complex firewall rules, and those boxes were still way overpowered for the application.  Chances are that you could get away with using an Alix or low end server hardware to do what you need.  The virtual IP addresses won't impact your performance in any noteworthy way.

  • Thanks for your continued assistance.  I'm just trying to visualize the setup.  I'm trying to ensure that we make the best use of our bandwidth without adding any additional delay in the responses to and from us and our clients.

