Hardware recommendation?



  • I was originally bidding on a Watchguard Firebox X1250e on eBay. I ended up loosing the auction and now I am reevaluating my options for a firewall. The original reason I was going for this firewall in particular was because it had gigabit interfaces and was newer than the x500 - x1000 series firewalls.

    So I thought I would turn to the forums here for some recommendations on other options.

    What I need is a device that can handle a few people (No more than 10) connecting with a VPN (OpenVPN).

    The firewall will be on the perimeter of my Lab Rack which consists of 3 servers (2 VMware, 1 Unused at the moment).

    My network is wired up with gigabit from all interfaces except my current firewall which is an old Sonicwall Pro2040. The sonicwall uses 10/100 interfaces.

    Pretty much my question is if anyone can give my recommendations for a box to run pfSense.

    I want something that is 1U rackmount and has enough power to run a basic firewall but with possibility of running a UTM later on.

    Any ideas? I am starting to think the watchguard box(es) would not be the route to go. Am I wrong?


  • Netgate Administrator

    The X1250e boxes almost always go for more than I would want to pay on Ebay because they have a much higher licensing value. The X750e is identical in hardware terms but restricted by Watchguard's licence, not a problem for pfSense. The X550e has only 4 NICs but if that's all you need that's not a problem.

    In terms of their suitability it depends on how you are using it.
    You say 10 VPN connections, is that simultaneously? What bandwidth is each connection likely to use?
    Most importantly what is your WAN connection speed? Also do you firewall between internal subnets and what bandwidth do you need there? If you need to have wirespeed at Gigabit connections then those Watchguard boxes probably won't cut it.  ;)

    Steve



  • Uh, at any given time there might be more like 3 people simultaneously but as many as 10.

    The bandwidth that each of the connections I am not really sure, I would be the main usage of the VPN. I would mostly use SSH, small amount of SCP, VMware vSphere client, and HTTP for my HP iLO interfaces.

    My WAN connection currently is 10 mbps/2 mbps, but I want the box to handle more bandwidth as an investment.

    As far as firewalling, I don't have many subnets. I have 2 subnets currently but I want to consolidate to 1 and use VLANs on my switch. My firewalling is very basic mostly WAN rules, maybe a few LAN rules.

    I use gigabit wirespeed for my LAN because of VMware but my current firewall is 10/100 and it seems to run "okay".

    At the moment what I mainly need from my pfSense box is DHCP, NTP(server), Firewall and OpenVPN. But I am looking for something that can handle more in case I decide to add more function later like Spam filtering.


  • Netgate Administrator

    I ran some tests on my X750e you may have read the results already. It had a replacement CPU in it, a pentium-M at 1.5GHz.
    It acheived around 50Mbps VPN traffic: http://forum.pfsense.org/index.php/topic,20095.msg166634.html#msg166634
    and could potentially do ~650Mbps between interfaces.

    That would be plenty to max out your WAN connection with VPN traffic but it would restrict your internal traffic between your LAN and, say, a DMZ.

    Steve



  • Yeah that would be as much as I would use.

    So one of the questions I am wondering now is whether I need gigabit interfaces on the firewall.

    The other thing I am wondering is whether a single core is really enough. Based on what you are saying I am thinking I might want to invest in a dual core platform for extra headroom. Plus there are only a few e series fireboxes on ebay and they are just out of my budget which is around $100 to $120.



  • What about a firebox peak x5500e? Would that be enough power?

    What are the specs of the peak e series boxes?

    Update

    I also found an x550e just now.


  • Netgate Administrator

    The peak-e series are almost identical to the core-e series. They have the same motherboard and chassis and hence the same NICs. The differences are they have a faster CPU, 2GHz Pentium-M vs 1.3GHz Celeron-M, more ram 1GB vs 512MB and they have a additional crypto accelerator card with big impressive looking chips on it! Those things are worth almost precisely nothing if you're running pfSense.  ;) The extra ram is useful but memory is dirt cheap these days anyway. The CPU is 533MHz FSB and isn't correctly supported by the est(4) driver so you can take advantage of speedstep. The crypto card is not supported (no surprise there) but worse than that it throws continuous errors if you leave it in.
    On top of all that they cost a small fortune when new and people are reluctant to sell them for a realistic price.
    I have several of these boxes and haven't paid more than £50 and that was the X5500e which probably wasn't worth it.  ::)

    More recently there have been some XTM5 boxes on ebay (in the UK) which sold very cheaply. They are still current though so have real value.

    Steve

    Edit: I just had a look on Ebay.com and people seem to be asking for crazy money, $1000 for an x750e.  :o



  • When you mean the crypto card you are NOT talking about the Nitrox right?

    The reason I ask is I  just made an offer on an X550e and won it on accident so unless I back out I am stuck with it. I would make the upgrades to it. But it would fit my needs as refered to above right? And thinking about it now, the number of VPNs is more like 4 MAX rather than 10.


  • Netgate Administrator

    The x550e should be fine especially if you swap out the cpu.
    The peak-e had an additional and far more powerful encryption accelerator card that I know almost nothing about despite having one right here.

    Steve



  • Will the board in the x????-e boxes take the fastest Pentium M in Dothan series or is it limited to the SL7SM 2.0ghz chip?


  • Netgate Administrator

    I've not tried anything faster than the 2GHz CPU that comes in the peak-e. I believe one user tried a 2.1GHz CPU, you'd have to search for that. There is a huge premium to be paid for the fastest Pentium-M chips, those <2GHz are far cheaper but almost as powerful and I mean FAR cheaper. I think I paid £3 for the 1.7GHz chip I'm running now.
    The problem is this. The bios code in the box does not correctly pass CPU frequency and voltage information via ACPI to the OS. When the est(4) was written, presumably who ever was writing it also has this problem, it had included within it frequency vs voltage values hard-coded for the Pentium-M. However information is only included for those chips with a 400MHz FSB perhaps because they were released first. I've yet to find a way of telling est what values to use at run time. Thus if you want to take advantage of speedstep, save some Watts and keep the CPU cooler you need a 400MHz FSB chip:
    http://en.wikipedia.org/wiki/List_of_Intel_Pentium_M_microprocessors#.22Dothan.22_.2890_nm.29

    Steve



  • I am guessing there is no chance of est(4) getting an overhaul? Maybe is FreeBSD 9?

    Yeah I see what you mean, I can grab a 2ghz chip for around $15 but the 2.1ghz+ are up in the $50 - $60.


  • Netgate Administrator

    It would be more likely that an overhaul of est(4) would actually remove the hardcoded values. They only seem to be there as work around for a bad bios coding. The way this is supposed to work is the bios passes infomation to the OS via ACPI. The bios should contain the information for all the CPUs it supports.
    The other possibility would be to add the values to the module yourself and recompile it. This probably isn't that difficult but would require some time studying the code. I had thought about doing that myself a few times but the performance increase just isn't worth it IMHO.  ;)

    Steve


Locked