Intel hardware for pfsense



  • Hi all. I'm looking to build two firewalls for my production network, and from what I've read, Intel equipment seems to be the way to go. Can anyone recommend a motherboard and NICS? The Intel PRO 100 S Dual Port Server Adapter seem fine for my WAN and OPT connections, and any of the PRO/1000 line seem good for LAN. Can anyone vouch for a motherboard that will support all this?

    Thanks



  • Need more info to suggest anything.

    1. How much bandwidth do you need to push?
    2. What features are you planning to use?


  • Sorry, i didn't get back to you before now.

    Let's see, dual internet connections, approx. 2Mbps each.
    One private WAN link for branch office, 1Mbps

    I'll be using CARP and pfsysnc, IPSEC, NAT, static routing, incoming load balancing, WAN failover.

    I'll need about 6 interfaces: One each for the WANs, one for LAN, one for DMZ, and one for pfsync.

    Can I use VLANS to make this simpler? I'm having some troubling understanding the concept, especially as it relates to VLANS vs subnets.

    Thanks again, cmb. If you're ever in Jamaica, I'll buy you a drink ;D



  • Basically you can think of vlans like real interfaces, they just run on one wire (think of it as a bunch of networkcables running in the same physical one cable). Now think of one switch (a manageable vlan switch) be broken up virtually into several switches with each of these virtual uplinkcables to the pfSense running to a seperate virtual switch. That is what basically happens when using vlans. You could even only have one physical interface at the pfSense for all needed interfaces this way. However, bandwidth needs determine if this makes sense. As your WAN speeds are quite moderate you could get along with such a scenario. However manageable vlan switches are more expensive and it's more complex to setup (as the switch has to be configured correctly as well).



  • Ah, I'm getting it now. What's the impact on security, since they are still in the same physical wire? It's a financial services institution, so I have to make sure. And what about inter-VLAN routing? Can pfsense do this, say as a one-armed router or something similar?

    Thanks for your help.



  • If the switch is configured properly it's usually quite secure (depending on the implementation of the switch). Inter-VLAN routing is no problem at all. You can firewall the VLANs against each other if needed just like if they were real interfaces or setup individual DHCP servers or run a captive portal on one of the segments…they just act like real interfaces once assigned in pfSense.



  • Hmm, that's good stuff. As a networking concept, is a vlan the same as a subnet? I'm watching a Trainsignal video trying to figure it out.



  • Search the forum. Somebody has drawn some networkplans and attached them to a thread showing the same configuration as vlan and how it would looks like when using dedicated equipement for each segment. It was quite easy to understand by looking at those.



  • Will do. So, do you have any hardware recommendations?



  • For the relatively minimal bandwidth you're talking about, and the features you'll use, pretty much anything will suffice. I would go with a 500 MHz processor minimum, for future expandability and to make sure you have plenty of power to spare, since if you're going to use that many NIC's you'll probably use PC hardware of some type rather than embedded hardware. If you use VLAN's for some things, you could probably get by with a WRAP with 3 NIC's.

    You may want to consider a Soekris 4801 with the 4 port add on card, it's the most economical solution you're going to find with that many NIC's and it'll handle the amount of bandwidth you're talking about. It'd be comfortable running a 4801 up to about 15 Mb. 
    http://soekris.com/Pictures/net4801_E7_Open.jpg



  • I see. If in the future, I wanted to use pfsense to route between subnets, at gigabit speed, what should I get, assuming cost is not an option?

    On the VLAN note, I'm wondering how secure pfsense's Inter-VLAN routing mechanism is, especially in a one armed router scenario. I'm reading some whitepapers on this as a type.

    thanks.



  • For gigabit wire speed, you're going to need server class hardware, or something with PCI-e NIC's. You can't firewall gigabit at true wire speed with a 32 bit PCI bus - the bus isn't fast enough. Any new server class machine with dual onboard gig NIC's should be more than adequate for 1 Gb wire speed.

    The router on a stick scenario (as Cisco calls it, and I tend to stick with Cisco's nomenclature) is as secure as your firewall rules and your switch configuration. Never use the default VLAN, and adhere to any security recommendations your switch vendor outlines in their documentation. And of course with your firewall ruleset, be as restrictive as possible.



  • Thanks cmb. i forgot to mention that I'll be running Snort and doing traffic shaping as well. Some of those packages, like ntop, pfstat and iperf look real nice too…



  • Just out of curiosity: If a NIC is inserted, with a duel connector, like to Intel server nic the topicstarter suggested. Will he see two interfaces at the PfSense-GUI he needs to configure? –> How does this work in practice?  ???
    (Give that guy of the Firefox spelling checker a huge icecream, I sure do need it!)



  • Shows up as two interfaces. Just like two separate cards.



  • Yeah, to the OS, a two port card looks no different than two individual NIC's. A four port card looks no diff than four individual NIC's. etc.

    If you want to run Snort, that's one of the (ahem) piggier packages resource-wise, you'll want 512 MB RAM minimum.



  • That's no prob, I wanna equip it with 2 GB.



  • I've done a bit more planning, and now realize that I may want to use pfsense to route and filter between 4 subnets….@ gigabit speed...or faster (using LACP)....while running Snort....and terminating an IPsec tunnel...and doing traffic shaping (esp for SIP)...while load balancing 2 or 3 WANs...and CARP. What will it take?



  • Load balancing essentially breaks several of the useful packages/services, particularly traffic shaping, just an FYI



  • @youngadmin:

    I've done a bit more planning, and now realize that I may want to use pfsense to route and filter between 4 subnets….@ gigabit speed...or faster (using LACP)....while running Snort....and terminating an IPsec tunnel...and doing traffic shaping (esp for SIP)...while load balancing 2 or 3 WANs...and CARP. What will it take?

    This is more than I'd suggest running on any single box.

    I'd split it out into two machines (or two CARP clusters). One for routing and filtering between internal subnets for gigabit. You'll have to run Snort on a different machine most likely, you're not going to be able to route gigabit speeds and have Snort analyze at the same speeds on any hardware. Routing 4+ Gbps is going to require a new server class machine.

    Second, I'd put up another machine or CARP cluster at your perimeter, which could do Snort, load balancing, etc. Not sure how the shaper would work in a multi WAN environment, but I'm guessing not real well.


Log in to reply