Big build hardware suggestions

  • I am looking to build a firewall with pfSense for a larger network. The network will consist of approx. 650 users in a residential setting. I have 100 Mbps up and down. I have tried pfSense on a smaller testing scale and I am clueless about the hardware requirements. I will run Snort to throttle specific traffic. I have a $3k budget and I know I can do this much cheaper, but I would like any suggestions you may have! Thank you in advance for your comments!

  • In such a situation, you have to give more details.

    E.g., do you need to isolate users? If this is similar to a serviced apartment complex, then each apartment must be isolated from the others. You will also need VLAN-capable switches with enough ports to serve all the apartment units.

    Does your budget include this switch cost, or is it purely for the firewall/router only?

    Aside from Snort, will you also be running other services like Squid? Depending on what you need to block or throttle, Snort may not be your best bet. Limiters with source/destination masks may actually be better for you to give an equal/fair share amongst the users.
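    To illustrate the limiter idea from the post above, here is an added example that is not part of the original thread and not pfSense's own code: a small POSIX shell function that emits FreeBSD dummynet rules, in ipfw syntax, for sharing a 100 Mbit/s link fairly among the hosts of one tenant subnet. The WAN interface name em0, the tenant range 10.0.0.0/16 and the pipe/queue numbers are assumptions. pfSense drives the same dummynet pipes and queues from its Limiters page through pf rather than through ipfw commands, so the output is meant to show how the mask works, not to be pasted into a pfSense box.

```shell
#!/bin/sh
# Added example (not from the original thread): generate FreeBSD dummynet
# rules in ipfw syntax that split one link fairly among all hosts of a
# tenant subnet.  Assumed names: WAN interface em0, tenants in 10.0.0.0/16.
#
# The distinction that matters for "fair share":
#   - a mask on the *pipe* creates one pipe per address, each with the full
#     bandwidth, i.e. a per-host cap rather than a shared link;
#   - a mask on a *queue* attached to a single pipe creates one WF2Q+ queue
#     per address, so the pipe's bandwidth is divided equally among the
#     hosts that are active at any given moment.

gen_limiter_rules() {
    wan_if=$1        # e.g. em0
    lan_net=$2       # e.g. 10.0.0.0/16
    bw_mbit=$3       # link rate in Mbit/s

    # One pipe per direction, sized to the physical link.
    echo "ipfw pipe 1 config bw ${bw_mbit}Mbit/s"
    echo "ipfw pipe 2 config bw ${bw_mbit}Mbit/s"

    # Child queues with a /32 mask: one dynamic queue per tenant address.
    # Upload (leaving via WAN) is keyed on the source address, download
    # (entering via WAN) on the destination address.  Equal weights give
    # every active host the same share of the parent pipe.
    echo "ipfw queue 1 config pipe 1 weight 1 mask src-ip 0xffffffff"
    echo "ipfw queue 2 config pipe 2 weight 1 mask dst-ip 0xffffffff"

    # Classify tenant traffic into the two queues.
    echo "ipfw add 100 queue 1 ip from ${lan_net} to any out xmit ${wan_if}"
    echo "ipfw add 110 queue 2 ip from any to ${lan_net} in recv ${wan_if}"
}

# Usage: print the rule set for a 100 Mbit/s link.
gen_limiter_rules em0 10.0.0.0/16 100
```

    Swapping the `mask` from the queue lines onto the pipe lines would turn the fair share into a 100 Mbit/s per-host cap, which is the behaviour you get when the mask is set on the limiter itself rather than on a child queue.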

  • I'm not sure it can be "much cheaper" than $3k to offer Snort-filtered Internet service at 100 Mbps up/down to 650 users on a 24/7 basis.

    For that many users you'll probably want to have two pfSense devices in a master/slave configuration.

  • Thank you for your responses. Yes, I will be serving VLANs from the firewall, and I already have quite a few Cisco 2960s serving the current VLANs per unit. I just need the firewall to filter by protocol and possibly host a splash page.

  • Regardless of budget, can you possibly help with the hardware configuration? How much RAM, and what type of processor(s)?

  • Go with a 3rd-generation Intel i5. 16 GB of RAM should be well ahead of a good start; typically 8-12 GB of RAM would be a decent start, but since you mention 650 users and running Snort on it, I recommend 16 GB. The i5 should very easily handle 100 Mbps of routing. It can handle 1 Gbps of routing.

    Don't think about going with an Atom or Celeron processor for this kind of setup, as there will be a lot of routing between the WAN and 650 LAN users, and the i5 can handle it smoothly. Internal LAN communications don't take much CPU and are handled by the switch.

    Add a compatible quad-port Intel gigabit PCIe NIC (if there is one; I am not sure) OR just add two Intel dual-port gigabit PCIe NICs, and you should have a good, robust UTM. Do the same for a backup and you should be all set.

    I have a 2U setup: 2.0.1-RELEASE 64-bit, Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz and 8 GB RAM. It runs the services below with no issues:

    Asterisk Services pkg v 0.1
    HAVP antivirus Network Management 0.91_1 pkg v1.01
    Lightsquid Network Report 1.8.2 pkg v.2.32
    pfBlocker Firewall 1.0.2
    RRD Summary System 1.1
    snort Security pkg v. 2.5.1
    squid Network 2.7.9 pkg v.4.3.1
    squidGuard Network Management 1.3_1 pkg v.1.9.1
