Watchguard Firebox performance



  • Hi,

    I've tried reading through some of the watchguard posts…. :o some are very long anyway wondering if anyone could help me.

    Trying to determine whether I should go down this path and if it is going to work for me. Apart from these I was looking at Supermicro 1U cases with the Atom CPU.

    The plan is for 2 x firebox in a load balance sync.

    Throughput around 500GB per month, it will need to run Squid and squidguard, ntop usage and a few graphing addons, snort etc etc.

    Will they handle it or should i look for something else?



  • I would say get one of the Firebox X E series, and you shouldn't have a problem.

    I have the X1250e and have throughput of approx 10 gig a day and it is fine.

    I don't run squid/snort but I have in the past and the CPU usage was quite high but it didn't overload it, but for approx £5 you can stick a 1.7GHz Celeron in there which should easily cope, or I believe you can go even higher processor-wise if you wish.



  • Thanks, I've read somewhere that all Fireboxes are the same from 500 up to 1100's? It's just the licensing that changes, Watchguard of course?

    I'll plan on putting the biggest CPU and most RAM in these too, figure they are still much cheaper than a new machine.

    Not 100% on how the load balancing will work but i could run a VM with a 3rd pfsense for the squid.



  • Yeah, the ranges are the same hardware:

    X500 X700 X1000 are all the same hardware
    X550e X750e X1250e are all the same hardware

    I would steer clear of the X500, X700, X1000 as they have the rubbish Realtek NICs; the newer e-series boxes have Broadcoms IIRC.

    So pick up a X550e, X750e or X1250e



  • Great, thanks for that, that's going to make things harder, they are like rocking horse shit over here :(

    Will have to search overseas ebay.



  • :( there are usually loads on the UK ebay



  • got one for $1000 and another for $9999 australian ebay  :o decisions decisions.

    Thanks i'll have a look on the UK site and hope someone will post to me.



  • Blimey!! I paid about £200 GBP for mine!


  • Netgate Administrator

    @network1:

    got one for $1000 and another for $9999 australian ebay  :o decisions decisions.

    What!  :o I paid £40 each for mine and one of those was an X5500-E originally far more expensive.
    The value of the Firebox units is entirely in the software licensing, if it comes with a years subscription it's going to be valuable.

    They're Marvell NICs in the X-e boxes and two different types. There is currently a driver problem with the additional 4 NICs found on the X750e and higher boxes that can cause lockups. The other four work perfectly and the driver problem will almost certainly be fixed by the move to FreeBSD 9 for the upcoming pfSense 2.1.

    Steve



  • Sorry, yes, Steve is correct, they are Marvell, which aren't great but a lot better than the Realteks!



  • @stephenw10:

    @network1:

    got one for $1000 and another for $9999 australian ebay  :o decisions decisions.

    What!  :o I paid £40 each for mine and one of those was an X5500-E originally far more expensive.
    The value of the Firebox units is entirely in the software licensing, if it comes with a years subscription it's going to be valuable.

    They're Marvell NICs in the X-e boxes and two different types. There is currently a driver problem with the additional 4 NICs found on the X750e and higher boxes that can cause lockups. The other four work perfectly and the driver problem will almost certainly be fixed by the move to FreeBSD 9 for the upcoming pfSense 2.1.

    Steve

    So I should be after the X5500-E is what you are saying? How's this one http://www.ebay.com.au/itm/WATCHGUARD-FIREBOX-X5500E-FIREWALL-W-3YR-UTM-BUNDLE-NEW-/170536869134?pt=AU_Networking&hash=item27b4ca1d0e

    Geez feel like finding me a few for $40 or f?

    I did have a X500 but i had to let go of it…. by let go i mean holding it in two hands and bridging the power supply with the lid open while it was running, the electric shock threw it out of my arms  :D ::) Anyway that was a while ago i haven't touched one since.



  • I forgot to mention there will be about 10-20 IPSEC VPN tunnels hanging off these too.



  • The X5500 is the Firebox Peak; they are better because they have Intel NICs IIRC, but they are expensive. The X550e, X750e, X1250e should be fine for you.



  • thanks for your help, i'll see if i can't find one.



  • Steve is right, with the Watchguards the cost is in the software/licences. You are best off trying to find an X550e or X750e without any subscriptions as it will be a lot cheaper.

    Quite often they come up pulled working from environments but without any subscriptions or even the passwords, they are the ones you want :)


  • Netgate Administrator

    @network1:

    the electric shock threw it out of my arms

    Well that doesn't sound like fun!

    Like their previous range Watchguard released the X-e boxes in two groups, X-Core-E and X-Peak-E. The two look identical from the outside and use the same motherboard. The peak units have a faster CPU, 2GHz Pentium-M vs 1.3GHz Celeron, more ram and VPN accelerator card.
    Almost none of that is any advantage for pfSense! The VPN card isn't supported, RAM can be had for pennies on Ebay and the CPU (at least under 2.0) doesn't throttle correctly so it runs hot.

    The X-Peak-e boxes are not worth buying for pfSense. Stick to the X-core-e boxes. You can add ram if you find it's not enough, any old DDR2 sticks will work, and swap out the CPU.

    The VPN performance is not great TBH. See my test results here.
    What is your connection speed?

    Steve



  • Steve I thought the Peak had intel nics?


  • Netgate Administrator

    The previous generation X-Peak (no E) had 9 all Intel NICs and a 2.8GHz Pentium 4 CPU. Not as fast as the E box and uses more power. They are incredibly rare it seems. I have one, it's great!  ;D

    Steve



  • Ahhh ok, I will stop looking out for a cheap one on ebay then if the newer peaks are the same mobo etc as the cores :D


  • Netgate Administrator

    Yep, don't bother. I only bought one because it was really cheap, it had a dead CF card which wasn't a problem for me. I was hoping the VPN card might be interesting but I think it's proprietary. When I connect it I just get an interrupt flood and it's not seen by the OS. It is quoted as supporting 600Mbps VPN throughput though, which would be nice.

    Steve



  • How do the cf cards go, wouldn't the logs hammer these?

    These will be in a datacentre.

    Are these a better option with an extra nic, newer hardware should be faster.
    http://www.supermicro.com/products/system/1U/5015/SYS-5015A-EHF-D525.cfm


  • Netgate Administrator

    The NanoBSD images are specially setup for embedded systems on flash drives. They don't log to the CF card and mount the card RO with noatime. They only write to the card when you change the config.
    I don't know why the Watchguard CF card had failed. It could have been corrupted during a software upgrade or a power failure; I didn't spend much time looking into it.

    Actually the performance of the Atom is surprisingly similar to the Pentium-M. See some nice results from a D510, here. It will be slightly faster.
    Although it's dual core a lot of the firewalling components do not multi thread.

    Steve



  • The problem with systems like that is by the time you have added a decent quad NIC they get expensive. If you can pick up a Watchguard for a decent price you can't really beat it.



  • Would i need a quad nic? i think i'll go with the supermicro's can get for $300. Come with Dual GB onboard will put in another 2 x gb card.
    This should let me run load balancing with 3 nics, or any other reasons i should put a 4 port in it? giving a total of 6 NICs?

    Will be buying 2. can put 4GB ram in them too.


  • Netgate Administrator

    No reason.  ;)
    It's just that most of the Watchguard boxes have 6 or 8 NICs so to do a fair comparison you have to add that cost.
    If you need more interfaces, for multiwan or more internal subnets, it's usually easier to do it with VLANs and a managed switch.

    Steve





  • OK thoughts on this unit please, would it be supported

    Remove HTTP….. ftp://ftp.arbor.com.tw/pub/datasheet/network_communication_appliances/MBX-1736A.pdf

    Works with the following CPU
    Core 2 Duo Processor E4300 - 1.80GHz / FSB-800 / 2M cache
    Pentium Processor E2160       - 1.80GHz / FSB-800 / 1M cache
    Pentium 4 Processor 651         - 3.40GHz / FSB-800 / 2M cache
    Celeron Processor 440             - 2.00GHz / FSB-800 / 512K cache

    Takes a CF card, 6 nics, and its red.

    Again what would be the pick of the CPU's for performance and utilisation.


  • Netgate Administrator

    @network1:

    and its red.

    Nice.  :D

    Looks expensive. And rare!
    I'd go with the Core2Duo. You can pick those up second hand for next to nothing so why not.

    Steve



  • how do the core2's go with firewall though? will it only use half the cpu etc.

    I'm waiting on price but they look good so far.

    Should be a pretty quick machine, would smoke the firebox performance wise.


  • Netgate Administrator

    pfSense uses a multiprocessor kernel; it will run just fine on a Core2Duo.
    However, you're right that you won't get double the performance since a lot of the firewall processes don't multi-thread.
    Yep, it would smoke any of the Fireboxes you've talked about. You'd have to step up to the XTM5 series (which is very similar) but they are the current model so you pay a huge premium.

    Steve



  • Well about $1000 for those boxes…. I'm undecided but may just get one yet.

    maybe i'll get a firebox as a secondary

    Is there any use getting one with the LCM screen? what would pfsense display


  • Netgate Administrator

    If the display is supported by LCDproc then it's very easy to get it running with a variety of display options via the lcdproc package. You can write your own lcdproc client if you want alternative information or use one someone else has written.

    $1000 is cheaper than I thought it would be.

    Steve



  • Well went to order…. they are discontinued  :'(

    They can be made to order, however there is a min order of 100.

    So are there 98 others interested? or maybe someone willing to lend $98,000  ::)

    Such a shame, these looked like the best units I could find so far and reasonably priced.



  • @network1:

    Well went to order…. they are discontinued  :'(

    They can be made to order, however there is a min order of 100.

    So are there 98 others interested? or maybe someone willing to lend $98,000  ::)

    Such a shame, these looked like the best units I could find so far and reasonably priced.

    Did you ever find anything else remotely similar to this?  I got my hopes up on page 2 and now I see it's discontinued.  This was perfect for what I was looking for. :(



  • @doofoo:

    @network1:

    Well went to order…. they are discontinued  :'(

    They can be made to order, however there is a min order of 100.

    So are there 98 others interested? or maybe someone willing to lend $98,000  ::)

    Such a shame, these looked like the best units I could find so far and reasonably priced.

    Did you ever find anything else remotely similar to this?  I got my hopes up on page 2 and now I see it's discontinued.  This was perfect for what I was looking for. :(

    Yes, however decided on using IBM servers after all this.

    This place are the ones that made the boxes for arbor… they will still make them for you too.

    http://www.evoc.com/products/Network-Application-Platform/list.aspx

