PfSense as ethernet router? versus cisco sg-300….
-
Hi,
I'm currently using a cisco-sg-300 in layer-3 mode. It is very fast but not the best solution for my internal firewalling.
I'd like to use the cisco as a layer-2 switch und I'd like to do my pfSense box the internal subnet routing (much smoother firewalling in pfSense).Would a Atom D525 be sufficient to da gigabit routing?
Have a look at my current layer-2 und layer-3 layout at those links:
http://www.köller.de/pics/layer3.png
http://www.köller.de/pics/layer2.pngthe pfsense box is in subnet 10.1.5.0 aka vlan5 and just doing the outbound traffic…It has 2 NICs...I would just add another dual gigabit card to it...
So the new topology would be:
10.1.2.0 (Servers)---------------> pfSense
10.1.3.0 (cabled clients) ---------------> pfSense
10.1.4.0 (wifi) ---------------------------> pfSensepfSense should do the routing and firewalling; the cisco sg-300 would go to layer-2 mode and host some vans tagged and untagged...
I'd like to abandon the cisco as a router not only because of it's crappy rule setting but also because it doesn't do IPv6 routing, that my ISP will enable soon in native mode...Sure I could use the pfSense for internal ip6 routing and the cisco do the ip4 routing, but I don't want to service two systems...
I hope someone can help me.
Marcus
-
Would a Atom D525 be sufficient to da gigabit routing?
No. ;)
You will get something like ~550Mbps with a D525.
Instead you should use one of the low end Sandybridge CPUs which are similarly priced and only consume slightly more power. E.g.:
http://forum.pfsense.org/index.php/topic,45439.0.htmlSteve
-
But you should ask yourself if it is neccessary that there is an avarage of gigabit bandwidth used or if gigabit is only a peak. But the CPU is to low for that - you are additionally using a proxy and VPN which need CPU power.
-
Thanks for the fast replies.
I think I'll stay with my current setup and use the cisco for ip4 routing…I need the gigabit speed to access my file servers in 10.1.2.0/24 in a proper way.
I'll just add another NIC to my pfsense and let it do the ip6 traffic....
