Soekris 4801 w/lan1641?
-
I am looking at doing the following:
- 2x WAN connections (combined incoming ~2MBps, outgoing ~1.5MBps)
- 2x pfsense utilizing CARP for failover/redundancy
- DMZ (web/mail/ftp servers)
- lan (nat – 30 person company)
If I understand correctly, I'll need at least 5 ports on each pfsense unit (2x wan, 1x carp, 1x lan, 1x dmz) to accomplish my goal.
I like the idea of the 4801 w/lan1641 -- 7 ports, small form factor, low power consumption, etc..etc.. but didn't really find too much benchmark/sizing documentation to let me know if it was adequate for my configuration.
Anyways, any feedback on if this will work for this configuration, recommendations on other options I should look into, etc would be appreciated. Also, if the 4801 is the way to go, is getting it direct from Soekris the best option or are there other retailers where I could pick them up cheaper? Thx..
-
The interface-to-interface traffic of this machine is about 25 mbit/s (I benched a WRAP which has the same cpu/ram). It is sufficient for your wan connections, but dmz to lan is limited this way too, and you have to subtract your used wan bandwidth, so you most likely will end up with about 20 mbit/s if your wans are under load.
Also note that you need 3 static IPs at each WAN for CARP to work.
If you need more throughput between the internal networks you might want to look at appliances like these:
http://www.nexcom.com/product/productlist.jsp?iid=Network%20Security%20Appliance
http://shopping.hacom.net/catalog/product_info.php?cPath=39&products_id=76
I have had some good experience with the Nexcom 1041c (650 MHz Celeron, 4 intel nics, cf-socket onboard)
-
Also note that you need 3 static IPs at each WAN for CARP to work.
I have had some good experience with the Nexcom 1041c (650 MHz Celeron, 4 intel nics, cf-socket onboard)
3 static IPs at the WANs isn't an issue, though: if it does a failover, will the secondary carp box retain the same WAN IP address (for incoming connections), or would this simply pass through pfSense (transparent firewall config) and the servers in the DMZ would answer the requests? I'd assume this would be the case, but the tutorial seemed vague (though the winamp simulation tutorial seemed to indicate it would).
Also, how much are the Nexcom 1041c? From my digging it seems like a $500-$600 box? Seems like it would be cheaper to build a box and add a four port 10/100 nic or similar.. just curious.
-
The CARP IPs can be handed over from one firewall to the other. What happens in the background is that the failover node grabs the MAC address of the CARP IP after the master has died, so nobody in the network will notice that actually another machine took over. Same IP, same MAC. The LAN CARP IP that is used as the gateway will act the same.
The price for the nexcom is right. It has some benefits like serial redirection (you can even access the bios at com1) and a rather short 19" 1U case (many switches are even deeper). I configured a 1U mini ITX system with 4 nics and a VIA C3 1GHz cpu but ended up around the price of the nexcom, at least when using non-crappy hardware. And the nexcom comes completely assembled, even with serial cable. Add RAM, a cf-card or a hdd and you are ready to roll.
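To make the "3 static IPs at each WAN" and the shared-IP/shared-MAC failover described above concrete, here is the address plan for the primary node written as FreeBSD rc.conf(5) entries. This is an added illustration, not configuration from the thread or from pfSense (pfSense sets the same parameters from its GUI); the interface names em0..em3, the VHIDs, the passwords and every address are constructed values (RFC 5737 test networks), chosen only to show the layout. Each WAN carries one real address per node plus one CARP address that moves between the nodes; the CARP address answers from the CARP virtual MAC 00:00:5e:00:01:<vhid>, so the upstream router and switches see the same IP and MAC before and after a failover, which is exactly why the secondary box keeps serving inbound connections.

```conf
# Added illustration (not from the thread): per-WAN address plan for the
# PRIMARY node in FreeBSD rc.conf(5) syntax. Interface names and all
# addresses are constructed test values.
#
# Per WAN: one real address on each node (only this node's is shown) plus
# one shared CARP address bound to a VHID. Inbound traffic and the upstream
# router only ever use the shared address.

# --- WAN1: node address, then the shared CARP address (vhid 1) ---
ifconfig_em0="inet 203.0.113.2/29"
ifconfig_em0_alias0="inet vhid 1 pass wan1-secret advskew 0 alias 203.0.113.1/32"

# --- WAN2: second node address and shared address (vhid 2) ---
ifconfig_em1="inet 198.51.100.2/29"
ifconfig_em1_alias0="inet vhid 2 pass wan2-secret advskew 0 alias 198.51.100.1/32"

# --- LAN: the shared address is the default gateway handed to clients ---
ifconfig_em2="inet 192.168.1.2/24"
ifconfig_em2_alias0="inet vhid 3 pass lan-secret advskew 0 alias 192.168.1.1/32"

# --- dedicated sync link (the "1x carp" port in the original plan) ---
# pfsync replicates the firewall state table so established connections
# survive a failover. It carries no authentication, so it belongs on a
# crossover cable or an isolated VLAN, never on a shared segment.
ifconfig_em3="inet 10.255.255.1/30"
pfsync_enable="YES"
pfsync_syncdev="em3"

# The BACKUP node uses identical vhid/pass/alias lines, its own node
# addresses (203.0.113.3, 198.51.100.3, 192.168.1.3, 10.255.255.2) and a
# higher advskew (for example 100) so the primary wins the election.
#
# In /etc/sysctl.conf on both nodes:
#   net.inet.carp.preempt=1
# so that when one link on the master fails, all of its VHIDs demote
# together and WAN1, WAN2 and LAN move to the backup as a group.
```

Two checks worth running after bringing this up: `ifconfig em0` on each node should show one interface in MASTER and the other in BACKUP state for every VHID (a split, with both MASTER, usually means the CARP advertisements are being filtered on that segment), and `pfctl -s state` on the backup should list the same states as the master, which confirms the sync link is actually carrying pfsync traffic.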