Netgate Discussion Forum
    Intel hardware for pfsense

    • youngadmin

      Hi all. I'm looking to build two firewalls for my production network, and from what I've read, Intel equipment seems to be the way to go. Can anyone recommend a motherboard and NICs? The Intel PRO 100 S Dual Port Server Adapter seems fine for my WAN and OPT connections, and any of the PRO/1000 line seems good for LAN. Can anyone vouch for a motherboard that will support all this?

      Thanks

      • cmb

        Need more info to suggest anything.

        1. How much bandwidth do you need to push?
        2. What features are you planning to use?
        • youngadmin

          Sorry, I didn't get back to you before now.

          Let's see, dual internet connections, approx. 2Mbps each.
          One private WAN link for branch office, 1Mbps

          I'll be using CARP and pfsync, IPsec, NAT, static routing, incoming load balancing, WAN failover.

          I'll need about 6 interfaces: One each for the WANs, one for LAN, one for DMZ, and one for pfsync.

          Can I use VLANs to make this simpler? I'm having some trouble understanding the concept, especially as it relates to VLANs vs. subnets.

          Thanks again, cmb. If you're ever in Jamaica, I'll buy you a drink ;D

          • hoba

            Basically you can think of VLANs like real interfaces, they just run on one wire (think of it as a bunch of network cables running inside the same single physical cable). Now think of one switch (a manageable VLAN switch) being broken up virtually into several switches, with each of these virtual uplink cables to the pfSense running to a separate virtual switch. That is what basically happens when using VLANs. You could even have only one physical interface at the pfSense for all needed interfaces this way. However, bandwidth needs determine if this makes sense. As your WAN speeds are quite moderate you could get along with such a scenario. However, manageable VLAN switches are more expensive and it's more complex to set up (as the switch has to be configured correctly as well).

            • youngadmin

              Ah, I'm getting it now. What's the impact on security, since they are still in the same physical wire? It's a financial services institution, so I have to make sure. And what about inter-VLAN routing? Can pfsense do this, say as a one-armed router or something similar?

              Thanks for your help.

              • hoba

                If the switch is configured properly it's usually quite secure (depending on the implementation of the switch). Inter-VLAN routing is no problem at all. You can firewall the VLANs against each other if needed, just as if they were real interfaces, or set up individual DHCP servers or run a captive portal on one of the segments…they just act like real interfaces once assigned in pfSense.

                • youngadmin

                  Hmm, that's good stuff. As a networking concept, is a vlan the same as a subnet? I'm watching a Trainsignal video trying to figure it out.

                  • hoba

                    Search the forum. Somebody has drawn some network plans and attached them to a thread showing the same configuration as VLANs and how it would look when using dedicated equipment for each segment. It was quite easy to understand by looking at those.

                    • youngadmin

                      Will do. So, do you have any hardware recommendations?

                      • cmb

                        For the relatively minimal bandwidth you're talking about, and the features you'll use, pretty much anything will suffice. I would go with a 500 MHz processor minimum, for future expandability and to make sure you have plenty of power to spare, since if you're going to use that many NICs you'll probably use PC hardware of some type rather than embedded hardware. If you use VLANs for some things, you could probably get by with a WRAP with 3 NICs.

                        You may want to consider a Soekris 4801 with the 4 port add-on card; it's the most economical solution you're going to find with that many NICs and it'll handle the amount of bandwidth you're talking about. I'd be comfortable running a 4801 up to about 15 Mb.
                        http://soekris.com/Pictures/net4801_E7_Open.jpg

                        • youngadmin

                          I see. If in the future, I wanted to use pfsense to route between subnets, at gigabit speed, what should I get, assuming cost is not an option?

                          On the VLAN note, I'm wondering how secure pfsense's inter-VLAN routing mechanism is, especially in a one-armed router scenario. I'm reading some whitepapers on this as I type.

                          thanks.

                          • cmb

                            For gigabit wire speed, you're going to need server class hardware, or something with PCI-e NICs. You can't firewall gigabit at true wire speed with a 32 bit PCI bus - the bus isn't fast enough. Any new server class machine with dual onboard gig NICs should be more than adequate for 1 Gb wire speed.

                            The router on a stick scenario (as Cisco calls it, and I tend to stick with Cisco's nomenclature) is as secure as your firewall rules and your switch configuration. Never use the default VLAN, and adhere to any security recommendations your switch vendor outlines in their documentation. And of course with your firewall ruleset, be as restrictive as possible.

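The two points made above, hoba's picture of several logical links sharing one physical wire and cmb's advice to keep traffic off the default VLAN, can be seen in the frames themselves. What follows is an added example, not code from this thread or from pfSense: a small Python parser for 802.1Q-tagged Ethernet frames that maps each frame to the interface pfSense would present it on and audits a capture for frames riding the native or default VLAN. The MAC addresses, VLAN IDs, the `em0`/`vlan10`-style interface assignment and the sample frames are all constructed for illustration.

```python
"""Added example (not from the forum thread or from pfSense): parse
802.1Q-tagged Ethernet frames to show how one physical wire carries several
VLANs that pfSense treats as separate interfaces, and audit a capture for
frames that land on the default VLAN. MAC addresses, VLAN IDs, interface
names and the sample frames are all constructed for illustration."""
import struct
from collections import Counter

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (QinQ outer tag)
NATIVE_VID = 1        # the default VLAN on most switches

# Constructed pfSense-style assignment: VLAN ID -> child interface on parent em0.
PARENT_IF = "em0"
VLAN_IFACES = {10: "vlan10", 20: "vlan20", 30: "vlan30"}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, the list of VLAN tags (outer first)
    and the payload EtherType. Untagged frames yield an empty tag list."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        # TCI layout: 3-bit priority, 1-bit drop-eligible, 12-bit VLAN ID
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Construct a frame with zero or more 802.1Q tags (used for sample data)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def logical_interface(parsed: dict) -> str:
    """Name the interface pfSense would see this frame on: the VLAN child
    interface for its outer tag, or the parent itself for untagged frames."""
    if not parsed["tags"]:
        return PARENT_IF
    vid = parsed["tags"][0]["vid"]
    return VLAN_IFACES.get(vid, f"unassigned-vlan{vid}")


def audit_capture(frames) -> dict:
    """Bucket frames by logical interface and flag what should not be there on
    a segregated wire: untagged traffic, VLAN 1, IDs never assigned in pfSense,
    and stacked tags (this example demultiplexes on the outer tag only)."""
    per_iface = Counter()
    warnings = []
    for i, frame in enumerate(frames):
        parsed = parse_frame(frame)
        iface = logical_interface(parsed)
        per_iface[iface] += 1
        if not parsed["tags"]:
            warnings.append(f"frame {i}: untagged, rides the native VLAN on {PARENT_IF}")
        elif parsed["tags"][0]["vid"] == NATIVE_VID:
            warnings.append(f"frame {i}: tagged with default VLAN {NATIVE_VID}")
        elif iface.startswith("unassigned"):
            warnings.append(f"frame {i}: VLAN {parsed['tags'][0]['vid']} not assigned in pfSense")
        if len(parsed["tags"]) > 1:
            warnings.append(f"frame {i}: {len(parsed['tags'])} stacked tags present")
    return {"per_interface": dict(per_iface), "warnings": warnings}


# Constructed sample capture: one wire (em0) carrying several segments.
MAC_FW = bytes.fromhex("020000000001")
MAC_HOST = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(MAC_FW, MAC_HOST, [10], 0x0800, b"lan payload"),
    build_frame(MAC_FW, MAC_HOST, [20], 0x0800, b"dmz payload"),
    build_frame(MAC_FW, MAC_HOST, [20], 0x0806, b"arp on dmz"),
    build_frame(MAC_FW, MAC_HOST, [], 0x0800, b"untagged"),
    build_frame(MAC_FW, MAC_HOST, [1], 0x0800, b"default vlan"),
    build_frame(MAC_FW, MAC_HOST, [40], 0x0800, b"unassigned"),
]

if __name__ == "__main__":
    report = audit_capture(SAMPLE_FRAMES)
    for iface, n in sorted(report["per_interface"].items()):
        print(f"{iface}: {n} frame(s)")
    for w in report["warnings"]:
        print("warning:", w)
```

Running the file prints one line per logical interface and a warning for each of the three problem frames in the constructed capture. The point of the audit is the same one cmb makes: the wire is only as segregated as the switch configuration and the firewall rules that sit on top of it, so anything arriving untagged or on VLAN 1 is worth explaining before the ruleset is trusted.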
                            • youngadmin

                              Thanks cmb. I forgot to mention that I'll be running Snort and doing traffic shaping as well. Some of those packages, like ntop, pfstat and iperf, look real nice too…

                              • Snailer

                                Just out of curiosity: if a NIC is inserted with a dual connector, like the Intel server NIC the topic starter suggested, will he see two interfaces in the pfSense GUI that he needs to configure? -> How does this work in practice? ???
                                (Give that guy of the Firefox spelling checker a huge ice cream, I sure do need it!)

                                • dotdash

                                  Shows up as two interfaces. Just like two separate cards.

                                  • cmb

                                    Yeah, to the OS, a two port card looks no different than two individual NICs. A four port card looks no diff than four individual NICs, etc.

                                    If you want to run Snort, that's one of the (ahem) piggier packages resource-wise, you'll want 512 MB RAM minimum.

                                    • youngadmin

                                      That's no prob, I wanna equip it with 2 GB.

                                      • youngadmin

                                        I've done a bit more planning, and now realize that I may want to use pfsense to route and filter between 4 subnets….@ gigabit speed...or faster (using LACP)....while running Snort....and terminating an IPsec tunnel...and doing traffic shaping (esp for SIP)...while load balancing 2 or 3 WANs...and CARP. What will it take?

                                        • Justinw

                                          Load balancing essentially breaks several of the useful packages/services, particularly traffic shaping, just an FYI

                                          • cmb

                                            @youngadmin:

                                            I've done a bit more planning, and now realize that I may want to use pfsense to route and filter between 4 subnets….@ gigabit speed...or faster (using LACP)....while running Snort....and terminating an IPsec tunnel...and doing traffic shaping (esp for SIP)...while load balancing 2 or 3 WANs...and CARP. What will it take?

                                            This is more than I'd suggest running on any single box.

                                            I'd split it out into two machines (or two CARP clusters). One for routing and filtering between internal subnets for gigabit. You'll have to run Snort on a different machine most likely, you're not going to be able to route gigabit speeds and have Snort analyze at the same speeds on any hardware. Routing 4+ Gbps is going to require a new server class machine.

                                            Second, I'd put up another machine or CARP cluster at your perimeter, which could do Snort, load balancing, etc. Not sure how the shaper would work in a multi WAN environment, but I'm guessing not real well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.