All in one UTM box at home



  • I want to create a UTM box at home including:

    • IPSEC (when one of the family members isn't at home)
    • Transparent Proxy (squid)
    • Web Content Filter (dansguardian)
    • IP filter (as in large list of known malicious IPs)
    • AV (clamav)
    • IDS (Snort)
    • Firewall between LAN segments.
    • Preferably 3-4 Gigabit ports
    • Optional: WLAN with dual band (2,4 & 5 GHz) supporting guest access only allowed on the internet. I guess this is easier to achieve with a separate access point, so not necessary.
    • The WAN link is 70/25 Mbit. But the specs have to include firewall throughput between different LAN segments.
    • 3-4 concurrent users

    Is it possible to achieve this with:

    • Mini-ITX and a fairly small cabinet
    • Low power consumption
    • Low noise (fan is OK)
    • All supported HW

    Any hardware suggestions are appreciated. Especially if you know about any good 4 Gbit NICs, WLAN cards, motherboards or cabinets.
    Low power consumption is more important than HW price since power is more expensive than HW cost where I live.
    I'm not sure if there is a big difference in price between a quad NIC and a dual NIC (more than twice the price?). If so does any supported Mini-ITX have dual NIC onboard?


  • Netgate Administrator

    @daffyq:

    • The WAN link is 70/25 Mbit. But the specs have to include firewall throughput between different LAN segments.

    Those two requirements could be wildly different. What throughput do you expect between LAN segments?

    Generally speaking it is possible though. There are several build examples in the forum of gigabit capable systems in a low noise mini-ITX form factor. E.g.
    http://forum.pfsense.org/index.php/topic,45439.0.html

    Steve



  • @stephenw10:

    @daffyq:

    • The WAN link is 70/25 Mbit. But the specs have to include firewall throughput between different LAN segments.

    Those two requirements could be wildly different. What throughput do you expect between LAN segments?

    Good point. The throughput between LAN segments shouldn't be more than 1-1,5 Gbit.


  • Netgate Administrator

    If you actually need gigabit throughput you will need quite a powerful system such as the one I linked to above. As a comparison a box based on an Atom D525 will top out at around 550Mbps.
    Of course with a more powerful processor comes additional heat and hence noise but with a temperature controlled fan and a well designed case it can be very quiet.

    Steve



  • All those features can be found on the SuperMicro ITX boards with embedded Ivy Bridge CPUs, but they are quite expensive.
    RAM is another issue, I think it must be ECC SoDIMM

    X9SPV-LN4F-3LE



  • @tirsojrp:

    All those features can be found on the SuperMicro ITX boards with embedded Ivy Bridge CPUs, but they are quite expensive.
    RAM is another issue, I think it must be ECC SoDIMM

    X9SPV-LN4F-3LE

    That motherboard looks perfect! It's expensive, but you get integrated CPU, 4 Gigabit ports and IPMI. It might be worth it, depending on the price of the RAM. I just have to figure out if there is someone who sells it in Norway and if I can use non-ECC RAM.

    Edit:
    From the manual, it looks like it doesn't require ECC, even if it supports it:

    The X9SPV Motherboard Series supports up to 16GB of ECC DDR3 1066/1333 MHz, two-way interleaved or non-interleaved SO-DIMM memory

    ECC Support
    Select Enabled to support ECC. The options are Enabled and Disabled.



  • Yeah, it's not a cheap motherboard!

    http://geizhals.de/819352

    Memory isn't too bad, 4 GB stick from Kingston

    http://geizhals.de/848430

    Similar 8 GB stick from Kingston

    http://geizhals.de/848433



  • @tirsojrp:

    All those features can be found on the SuperMicro ITX boards with embedded Ivy Bridge CPUs, […]

    X9SPV-LN4F-3LE

    Any idea what the power consumption will be?

    But on the other hand, the high price is what you pay for the ITX size. If you can go with m-ATX the choice will be bigger and it will be cheaper. Currently I have in mind the Supermicro X9SCM-F board with Intel C204 chipset in combination with the low power Xeon Intel E3-1220L or Intel E3-1260L. By having full VT-d and VT-x support it would be perfect for a low power ESXi or Xen system.



  • @Tubs:

    @tirsojrp:

    All those features can be found on the SuperMicro ITX boards with embedded Ivy Bridge CPUs, […]

    X9SPV-LN4F-3LE

    Any idea what the power consumption will be?

    Shouldn't be bad as it uses a laptop CPU with 25W TDP value. Also has VT-d, AES-NI and all the other goodies you might want. Only 2 cores though.



  • @fragged:

    Shouldn't be bad as it uses a laptop CPU with 25W TDP value. Also has VT-d, AES-NI and all the other goodies you might want. Only 2 cores though.

    But very pricy.

    I used the chance to check the results of some research I did in the past. Intel S1200KP is an ITX server board supporting Xeon E3-12xx and E3-12xx V2. This combination will be cheaper than the embedded version.

    Originally 4 GBit ports were requested. More NICs usually limit your choice. In most cases two Gbit ports and a VLAN capable switch is a good combination.



  • It has a mobile CPU. Not as fast as a desktop processor.

    For your requirements an i3 processor (maybe i5 if you really need the power) on a mini-ITX mobo should be perfect. I had an i5 system up until last month with all the features you have listed. Ensure you have at least 6 to 8GB RAM with a SSD HDD and you should be all set. If you want to go small form factor then you need to go with a decent mini-ITX case rather than the mini-box case as it won't fit your requirement of 3-4 gigabit ports as there is not much space in it to accommodate anything else than the mobo. Go with a Thermaltake Element Q Mini Tower for your UTM.



  • Thank you all for your input! I appreciate it.

    Regarding power consumption: Since all is on board and a mobile processor, I can probably buy a Pico PSU, which will generate less heat inside the case and lower the noise. I just have to read up on the power consumption to size it correctly.

    Regarding switch with VLAN and two NICs: That is a good idea, but at the same time, you will limit the bandwidth on the LAN through the firewall to 1 Gbps. I want to have the NAS on a single segment to secure all my data, which means I get 500 Mbps throughput to it.

    I might save some money by buying a m-ATX, but then I need a bigger case, which lowers the WAF. The server has to be visible. (Next time I buy an apartment, I will make sure I get my own server room and my wife doesn't get as large a closet as she has ;).)

    Regarding the case, I want as clean a design as possible. So the Thermaltake Element Q Mini Tower was a good recommendation, but Lian Li PC-Q16 is what I have in mind. Nothing in front and no colors. It has a cleaner look. If I replace the PSU that comes with the case with a PicoPSU, I will only have one 14 cm fan, so it should be quite silent. The disadvantage is that there is no room for the PCI slot, but I don't think I need it.


  • Netgate Administrator

    @daffyq:

    Next time I buy an apartment, I will make sure I get my own server room and my wife doesn't get as large a closet as she has ;)

    Good luck with that. ;D

    The i7 CPU is more processing power than you need. It seems very expensive. Maybe I'm just cheap!

    Steve



  • @stephenw10:

    The i7 CPU is more processing power than you need. It seems very expensive. Maybe I'm just cheap!

    It's a mobile processor with two cores. I thought that wasn't overkill. Especially with IDS. I had the impression that Snort with a large rule set would require a lot more cpu.


  • Netgate Administrator

    Personally I've found running Snort on a home network to be more trouble than it's worth. It's been a while since I tried it though. I would assume you would only be sniffing traffic on your WAN connection so 70Mbps max. A lesser machine could easily handle that.
    In the build thread I linked to earlier the box was built for a 1000Mbps WAN connection and handled that with ease. Though not with Snort or Squid. That uses a low end Sandy Bridge CPU, Celeron G530. Compare the two CPUs:
    http://ark.intel.com/products/53414 vs http://ark.intel.com/products/65712
    Both are 2 core processors running at ~2.5GHz but the i7 is far superior in almost every way.
    It has double the cache. It supports double the threads. It has 'turbo' up to 3.2GHz. It is built on a 22nm scale. It's way more expensive!
    I can't find any benchmarks for the i7 but I'd bet it's far more powerful than the Celeron.
    The i7-3517UE is a similar CPU but clocked at 1.7GHz. That scores 3817 at cpubenchmark vs 2260 for the G530.

    Steve



  • I will only be sniffing traffic on the WAN, so you are right! It is more than I need. I'll check if I can find any similar motherboards with a smaller CPU. Or else I'll have to convince my wife that we need to invest in a kick ass firewall because of her reckless web browsing! :P



  • After reading through the SSD thread, I'm still thinking of buying a SSD. It seems like my installation will take much space, even with logging turned on, so probably a disk that is 64 or 128 GB.

