Thinking about using a firebox, some questions
-
Hi! i'm thinking about using a firebox with pfsense at home.
Today i've a internet connection with Down: 100mbps and Up: 10mbps.
But i've possibiblity to use 4 ip-addresses so i can loadbalance them and get about Down: 100mbps and Up: 50mbps.I was thinking of buying a Firebox x550e but that one only has 4 interfaces, so my thought was do you think its possible to setup a vlan and that would work? or should i go for the x750e instead?
My other question was, should i go with the x550e,x750e,x1250e instead of x700, x1000 series? (I've heard that they have the realtek nics which isnt so good?)
//BR
Patrik -
The four interfaces on the X550e are Gigabit Marvel NICs so you should get reasonable bandwidth for VLAN use. They are PCI NICs however and all on the same BUS so the total bandwidth is limited.
The extra four interfaces in the X750e and X1250e are PCI-E so you get better throughput. However they are supported by the msk(4) driver which has a bug in the FreeBSD 8.1 version that pfSense 2.x is built on. The bug causes the interface to lock up requiring manual intervention of some kind when pushed. I have not had one lock up when connected at 100Mbps. This bug has been fixed and pfSense 2.1 which will be based on FreeBSD 9 will contain that fix. Though it is unproven.
The X-e boxes are easily upgradable and swapping out the Celeron for a Pentium-m makes a big difference in both processing power and power consumption which are both better.
The X500, X700 etc boxes are Pentium 3 era and, as you say, have Realtek NICs which can cause problems. Particularly it seems they don't like packet fragmentation and using a nicer upstream switch can help.
Any of the boxes should be able to handle 100/50 NAT and firewalling.
Steve
-
Thanks for your answer! so probably i would manage with a x500 or x700 but its a little better to go with the x550e since its newer hardware? Which CPU socket do they have?
and what about the noise, do you think they sound much?
is there any possibility to change the fan/heatsink to one with less noise.Should i look on ebay to get one or where is the best place to find a x550e?
//BR
Patrik -
They are socket 479, pretty much any Celeron-M or Pentium-M will fit. The standard CPU is a 1.3GHz Celeron. Everything I have fitted has worked but I've had best results with the 400MHz FSB Pentium-M chips. These are fully supported by the version of powerd that ships with pfSense 2.0.X so you get full advantage of Speedstep with it's reduced heat and power consumption.
The fans that are fitted are loud but the good news is that they are software controllable and I wrote a little program to do it. http://forum.pfsense.org/index.php/topic,32013.0.html
The cooling that Watchguard provide is sufficient for running the box at maximum power in a hot rack. I, and others, have found that running the fans at <20% speed is fine in normal conditions.I realise that the thread for these boxes is now getting into 'too long didn't read' size. However it's worth reading through it to familiarise yourself with it. Specifically you need to know that you will have to alter a bios setting to get the box to boot and to do that you need to either make a keyboard connector and use a PCI-e graphics card or flash the bios with a modified version (which is what I did).
Ebay is your best bet. It's worth waiting and watching for a while if you can, the price these boxes go for varies a LOT! I paid £30-40 for my boxes but they are regularly for sale for £1000+. ::)
There's every reason to think the X750e and X1250e will be a great box when pfSense 2.1 arrives and until then you still have four usable interfaces.
Steve
-
Ok nice :) yeah i'm reading that thread right now, saw that you had contributed pretty much to it.
I'll guess i'll keep my eyes open for a x750e then :) if you find one please send me a pm :) I live in sweden but will be happily pay the shipping cost.The only thing that conserns me is that the x550e/x750e, etc seems to be pretty deep(size) when comparing to the x700 for example.
-
It is deeper. 35cm vs 25cm. Still not very deep by rack mount server standards, it would probably fit in wall mount switch cabinet. Of course then you are reducing the ventilation…
Steve
-
Ok! maybe i can hang it on the wall or something, (its going to be in my wardrobe) :)
Will post pictures later when the project begins. Need to find a box first :) -
The four interfaces on the X550e are Gigabit Marvel NICs so you should get reasonable bandwidth for VLAN use. They are PCI NICs however and all on the same BUS so the total bandwidth is limited.
The extra four interfaces in the X750e and X1250e are PCI-E so you get better throughput. However they are supported by the msk(4) driver which has a bug in the FreeBSD 8.1 version that pfSense 2.x is built on. The bug causes the interface to lock up requiring manual intervention of some kind when pushed. I have not had one lock up when connected at 100Mbps. This bug has been fixed and pfSense 2.1 which will be based on FreeBSD 9 will contain that fix. Though it is unproven.
The X-e boxes are easily upgradable and swapping out the Celeron for a Pentium-m makes a big difference in both processing power and power consumption which are both better.
The X500, X700 etc boxes are Pentium 3 era and, as you say, have Realtek NICs which can cause problems. Particularly it seems they don't like packet fragmentation and using a nicer upstream switch can help.
Any of the boxes should be able to handle 100/50 NAT and firewalling.
Steve
'
Hi again Steve!
and happy new year!
One more question, would a x500 be able to handle 100/50 NAT, firewalling and loadbalancing?
Can't find any x750e @ a good price, and i found out that i cant use vlan's since my internet provider haven't enabled it so i would need 4ports+
//BR
Patrik -
It should handle 100/50 firewall and NAT no problems. I have to admit I've never actually done any throughput testing on an X-Core personally but I an see no reason why it wouldn't. You will, of course, be limited to 100Mbps as it only has 10/100 NICs.
So you will have 4 WANs?
It should be fine as long as you don't have trouble with the Realtek NICs. :-
Some users have no problems. Others have problems!Happy New Year!
Steve
-
It should handle 100/50 firewall and NAT no problems. I have to admit I've never actually done any throughput testing on an X-Core personally but I an see no reason why it wouldn't. You will, of course, be limited to 100Mbps as it only has 10/100 NICs.
So you will have 4 WANs?
It should be fine as long as you don't have trouble with the Realtek NICs. :-
Some users have no problems. Others have problems!Happy New Year!
Steve
Ok! yeah i need 4 WANs enable:d with loadbalancing, dont know if loadbalancing is very cpu demanding?
Or would it be a neather solution for me the build a pfsense box on a itx motherboard or maybe a thin client with pci-e slot?
The problem is that i dont think i have the physically room for a x550e/x750e series… -
Outbound load balancing is not very CPU intensive it should not cause a problem.
It depends on how cheaply you can get a Firebox. If it is very cheap then you should try it. Bare in mind however that if you have trouble with the Realtek NICs you may have to try something else.If you decide not to go that route I would use a small 8 port VLAN capable switch, a Netgear GS108T for example, and a low power miniITX board. That will allow you to have up to 7 separate interfaces at the switch. E.g. 4 WANs and 3 LANs. Your ISP will not see the VLANs so that is not an issue.
Steve
-
Outbound load balancing is not very CPU intensive it should not cause a problem.
It depends on how cheaply you can get a Firebox. If it is very cheap then you should try it. Bare in mind however that if you have trouble with the Realtek NICs you may have to try something else.If you decide not to go that route I would use a small 8 port VLAN capable switch, a Netgear GS108T for example, and a low power miniITX board. That will allow you to have up to 7 separate interfaces at the switch. E.g. 4 WANs and 3 LANs. Your ISP will not see the VLANs so that is not an issue.
Steve
True! was at first unsure how VLAN work but if I've got it right now, i can use one NIC to "simlulate" like there was 4 nics in the computer? giving me access to more networks?. So if i got a x550e and there wasn't enough ports then i could buy a vlan switch and put it infront of it? to get vlans working?
//BR
Patrik -
Yes you could do that. The number of interfaces you can have is limited only by the number of ports on the switch. However all the traffic has to travel along the 'trunk' connection back to the pfSense box so that can also be a limitation. Not a problem with gigabit NICs though.
Steve
-
Yes you could do that. The number of interfaces you can have is limited only by the number of ports on the switch.
Not even limited to that really, you can have multiple vlans per port so long as whatever else you're talking to can trunk as well :-)
-
Just bought 2x firebox x5500e peak for $200 think it was kinda resonable price?
-
Considering you could have paid $6674 for one that seems very reasonable! :D
I had few problems with the X5500e I have. The CPU is not recognised by the est(4) driver so powerd doesn't work. You may have to swap it out. The VPN card is not supported but whilst it was in the box it caused huge interrupt load. You should remove it.
Steve
-
Considering you could have paid $6674 for one that seems very reasonable! :D
I had few problems with the X5500e I have. The CPU is not recognised by the est(4) driver so powerd doesn't work. You may have to swap it out. The VPN card is not supported but whilst it was in the box it caused huge interrupt load. You should remove it.
Steve
Haha true :)
But just changing the cpu should make it work?
My biggest concern right now is that i may be to big for my "server closet" :) -
Considering you could have paid $6674 for one that seems very reasonable! :D
I had few problems with the X5500e I have. The CPU is not recognised by the est(4) driver so powerd doesn't work. You may have to swap it out. The VPN card is not supported but whilst it was in the box it caused huge interrupt load. You should remove it.
Steve
Ok! some questions steve, hope you have the time.
#In my opionion it should be better to use a compact flash 4gb instead of a 2,5" drive, since i'm guessing the HDD would be using more power?
#Do you think i should flash my bios? if you do, with what version?
#When installing to a CF card how to i reach the configuration of pfsense?//BR
Patrik -
It will work with the 2GHz cpu that is fitted as standard to the X-Peak-e.
However you won't be able to turn on powerd which means it will run hotter and you won't be able to slow the fans as much and hence it will be louder.
Replacement CPUs that will work (any Pentium-M with a 400MHz FSB) are very cheap.I am using a CF card, it's an easier option. The only reason to go for a hard disk is if you need a specific package that needs the storage space.
You need to access the bios because a bug in the bios code stops the box booting from anything larger than 256MB. To work around it you need to set the IDE channel to manual and CHS and then set the heads to 2.
You can do this either by getting a PCI-E graphics card and some sort of adapter to make it fit the slot and making up a keyboard connector to go on the header. Alternatively you an flash the bios with the modified version that enables serial port access to the bios. Probably easier! ;)
All the boxes I've seen or spoken to others about had the same buggy bios labeled either 2005/12/21 or X017. If you had anything different it would be great.The NanoBSD install to a CF card uses the serial port for it's console so you need a null modem cable and a computer with a serial port. You'll need this for the initial install and setup but after that it's all web based.
Steve
-
It will work with the 2GHz cpu that is fitted as standard to the X-Peak-e.
However you won't be able to turn on powerd which means it will run hotter and you won't be able to slow the fans as much and hence it will be louder.
Replacement CPUs that will work (any Pentium-M with a 400MHz FSB) are very cheap.I am using a CF card, it's an easier option. The only reason to go for a hard disk is if you need a specific package that needs the storage space.
You need to access the bios because a bug in the bios code stops the box booting from anything larger than 256MB. To work around it you need to set the IDE channel to manual and CHS and then set the heads to 2.
You can do this either by getting a PCI-E graphics card and some sort of adapter to make it fit the slot and making up a keyboard connector to go on the header. Alternatively you an flash the bios with the modified version that enables serial port access to the bios. Probably easier! ;)
All the boxes I've seen or spoken to others about had the same buggy bios labeled either 2005/12/21 or X017. If you had anything different it would be great.The NanoBSD install to a CF card uses the serial port for it's console so you need a null modem cable and a computer with a serial port. You'll need this for the initial install and setup but after that it's all web based.
Steve
Ok thank you! so if i find a cf with 256mb of space then i could use that without making changes to the bios? (with the nano bsd?)
I guess the best solution is to flash the bios then :) but where do i find it? and to access the bios i do with the nullmodem cable right? is this still buggy? or will it be pretty easy to change the settings?Btw is it possible to use a serial to usb adaptor?
//BR
Patrik -
The minimum CF card size is 512MB for the NanoBSD images so you need to access the bios.
Instructions for doing that are here.Yes you can use a USB serial adapter. Make you know it is working before you start or it's easy to get confused. Connect up your serial cable/usb adapter/terminal program and boot the Watchguard OS. You should see the boot up at 115200 8N1.
Steve
-
The minimum CF card size is 512MB for the NanoBSD images so you need to access the bios.
Instructions for doing that are here.Yes you can use a USB serial adapter. Make you know it is working before you start or it's easy to get confused. Connect up your serial cable/usb adapter/terminal program and boot the Watchguard OS. You should see the boot up at 115200 8N1.
Steve
Ok cool!
So the things i need before starting is:#Firebox (doh!)
#Nullmodem cable
#cf card with 16mb+ (maximum 256mb)
#cf card for the OS (4gb) -
Yes.
You can use the CF card that comes in it if you don't want the Watchguard OS (or back it up first).
There is almost no point in using a 4GB over a 2GB card and there is absolutely no point in using a super fast card. pfSense won't use UDMA and it only reduces boot time slightly anyway.Steve
-
I just received a message from the post office that finally they have arrived.
Just came up with a question.
Do i need to flash the bios or just enable these things? (for larger cf cards).If i understand everything right i need a nullmodem cable to access the bios? and a cf card 512mb+ to use with pfsense.
Do i need anything else?
//BR
Patrik -
Recently some other users have had great trouble getting a 512MB card to boot. It seems that at least some 512MB cards will not boot with the bios set either at 'auto' or heads=2 so to be safe get a card at least 1GB. I have personally used 2GB and 4GB cards with no problems.
Steve
-
Recently some other users have had great trouble getting a 512MB card to boot. It seems that at least some 512MB cards will not boot with the bios set either at 'auto' or heads=2 so to be safe get a card at least 1GB. I have personally used 2GB and 4GB cards with no problems.
Steve
Ok! then i'll buy a 1-2gb card.
But i dont need to flash the bios or? Can you tell me the steps in short… :)
//BR
Patrik -
Yes you will need to flash the bios.
To do that you need the serial cable (and usb adapter if you need it) and a very small CF card. You can use the card from the box if you don't want to keep it.
Instructions to do it are here.Steve
-
Haven't picked it up from the post office yet, but i found a Intel T5500 SL9U4 (Core2duo 1,66ghz 667bus) do you think it will work in the firebox?
//BR
Patrik -
-
No it won't. We are still talking about the x5500e?
Only Pentium-M and equiavalent Celerons will work. Of those only 400MHz FSB are supported by the est driver giving the best power savings.Steve
Ok! i see, i also have a Pentium M 750 1,86ghz but since its a 533 bus it won't work with the eist driver either i guess?
-
Hi! just picked the fireboxes up from the post and i just opened one of them up.
And the motherboard doesnt look like yours, i think it look exactly the same as the x750e but this one has one more card with ports.
But when i boot it up it says x5500e.Here are some pcitures: https://picasaweb.google.com/108726448953608241540
What do you think i should do with flashing etc.?
//BR
Patrik -
LOL I think I've may have been a little confused reading all these threads.
The x5500e and the x6000e is not the same hardware (which i thought)
Will i be able to use the other four interfaces or should i wait for pfsense 2.1? (I think you told me earlier that people had some problems with them because of a bug in freebsd).
-
Looks exactly the same as the X5500e I have here. It's an early model (I think) as it has all the headers populated which is nice. :)
The X6000 (no e) is an X-Peak model which is different.
Write the bios flashing CF card and get the bios info. It will almost certainly be the same as mine (all have been so far).
The bug for the further 4 interfaces exists in 2.0.1 as it's still built on FreeBSD 8.1. That said I have run it with no problems, it only ever showed up for me when I was testing the throughput. I've never had a problem with it when connected to 100TX device.
There are some early builds of 2.1 (now based on FreeBSD 8.3) available if you do have problems. Though these are snapshots for testing only, here: http://iserv.nl/files/pfsense/releng83/
Steve
-
Looks exactly the same as the X5500e I have here. It's an early model (I think) as it has all the headers populated which is nice. :)
The X6000 (no e) is an X-Peak model which is different.
Write the bios flashing CF card and get the bios info. It will almost certainly be the same as mine (all have been so far).
The bug for the further 4 interfaces exists in 2.0.1 as it's still built on FreeBSD 8.1. That said I have run it with no problems, it only ever showed up for me when I was testing the throughput. I've never had a problem with it when connected to 100TX device.
There are some early builds of 2.1 (now based on FreeBSD 8.3) available if you do have problems. Though these are snapshots for testing only, here: http://iserv.nl/files/pfsense/releng83/
Steve
Now i've flashed the bios and everything just the intall left.
I cant get it to boot my Kingston 4gb cf card (elite pro 133x)
Which image should i use?
And can you check my uploaded file if my settings are correct.
//BR
Patrik
-
Try the 2.0.1 image first. I use:
pfSense-2.0.1-RELEASE-1g-i386-nanobsd.img.gz
This works fine on a 4GB card (and takes a lot less time to write!)Remember that the bios appears at 115200 baud but the serial output from pfSense is at 9600 so you have to change your serial terminal settings.
I have no idea what the settings for your card should be, the card geometry is defined by the manufacturer. However if you first auto detected it and then set it to manual changing only the heads to 2 it should work.
Steve
-
Lol My bad :) i had it connected at 115200 :) then that was the problem since I saw the LEDs goinging crazy :) will try it tomorrow! Your help is very much appreciated.
Nite!
BR
Patrik -
They are socket 479, pretty much any Celeron-M or Pentium-M will fit. The standard CPU is a 1.3GHz Celeron. Everything I have fitted has worked but I've had best results with the 400MHz FSB Pentium-M chips. These are fully supported by the version of powerd that ships with pfSense 2.0.X so you get full advantage of Speedstep with it's reduced heat and power consumption.
Hi,
can both be used: sl8ba or sl6n5. Bothe are Pentium M 1,7 GHz…. with 400 MHZ FSB and 479 socket.
Matthias
-
Yes.
If you have the choice go for the SL8BA, it's a Dothan core which runs cooler and twice the amount of on board cache.In case you didn't realise you have to set the jumpers (both sets) on the motherboard to select between Banias or Dothan.
Steve
-
Yes.
If you have the choice go for the SL8BA, it's a Dothan core which runs cooler and twice the amount of on board cache.In case you didn't realise you have to set the jumpers (both sets) on the motherboard to select between Banias or Dothan.
Steve
I assume that this is discribed here in the forum, isn't it? You mean the jumpers an the side of the cpu socket?
OK, found the trhead. But what do you mean with "both sets"?
-
There are two sets of (actually DIP switches) on the board. Both have to be set if you put a Dothan CPU in the box. One set is next to the CPU socket and the other is in the centre of the motherboard.
Steve