Hardware purchase advice.
-
Hi,
I plan to assemble a new machine to run pfSense on. I need some advice as to how much horsepower I will need for my specific requirement.

I have a server network of about 4 servers for our company that needs to be protected with an external perimeter firewall. Currently the servers are located at my home office, and the only things they are running that will connect to the outside world are a web server, and VPN. We have a handful of field staff that will be connecting to the servers via VPN and accessing the intranet website. Since currently it's just a bunch of servers sitting by themselves, there isn't going to be any internet access from the internal network to the outside, except for the traffic back and forth from the web server.

Eventually though, the entire setup could be moved over to a dedicated office, and then we're likely to have a few client computers also added into the mix. Then we'd most likely have some internet traffic to also consider, when our employees try to access the net from the internal network. Also, we need to factor in eventual expansion of the business right now, wherein we could have more branch offices connecting to our servers, and more field staff, all of which would put an added strain on the VPN connectivity. So the hardware we select for the firewall has to be scalable for when our loads increase.

I need to run the following things on this machine -
pfSense (as an external perimeter firewall, and as our WAN router)
Snort (for the Network Intrusion Prevention System) (I've been led to believe this software can be installed alongside on the same physical hardware as pfSense, possibly over the pfSense installation. Is this true?)

I need advice on whether I can run Untangle (or equivalent free software that can run on the same physical machine as pfSense) on the same machine as a Unified Threat Management tool. Once we have client computers on the internal network, we'd certainly need to add stuff like proxy servers, spam filters, content filters, ad blockers, anti-virus, anti-spyware, anti-phishing, etc. - the works.
Considering all of the stuff I need to run, and the eventual bandwidth/throughput I'd need, is it advisable to purchase and assemble an embedded machine like the Alix platform, or should I go with higher specs?
How much clock speed will I need on the CPU, how much RAM would I need, and how much disc space would be required? Once I have an idea on these figures, I'd be able to take a better decision on which hardware out there would fit my needs.

We're gonna be starting with a 2 mbps cable internet connection, and it may be bumped up to 4 mbps in the future.
The internal network runs on gigabit ethernet.
-
You have some requirements that are at each end of the spectrum.
A 4Mbps WAN connection can be easily handled by even the lowest powered box. The Alix, which is about the least powerful box that can run pfSense, will firewall/NAT ~85Mbps.
You can add Snort as a package to pfSense but it requires quite a lot of RAM. The Alix has only 256MB. Whilst it's technically possible to run Snort on it I wouldn't recommend it. Probably ~2GB is preferred. The Alix boxes also usually run from a CF card and that makes it more difficult to run snort.
Is your VPN terminating at your internal server or on the pfSense box? That obviously makes a significant difference to the hardware requirement.
You can't run Untangle on the same machine as pfSense, both are a complete OS. You could run both virtualised. You can add packages to pfSense to get many of those UTM functions: Snort, Squid, Squidguard, HAVP etc.
Will you require any filtering between internal interfaces? Will that need to be at Gigabit speed?
Steve
-
Hi Steve,
I must admit I'm not well-versed with networking concepts, so I'll try to address your questions to the best of my knowledge.

I'll ditch the Alix plan if Snort requires more RAM. I would have ended up spending the same amount of money in putting together the embedded system as with a conventional PC based system.
"Is your VPN terminating at your internal server or on the pfSense box? That obviously makes a significant difference to the hardware requirement."
There is a server inside the network that has been reserved exclusively for VPN connections. Our entire network runs on Windows Server 2008 R2, and we'll only be authenticating users via our Windows Domain Controller, so it makes sense for us to use a Windows box for handling VPN.

The software packages sound like a better idea. Besides, Untangle is paid software, and we don't have the money for that. Would these packages need additional processing power and memory in addition to the 2 gigs you recommend above for pfSense+Snort?
"Will you require any filtering between internal interfaces? Will that need to be at Gigabit speed?"
We do plan to leave on Windows Firewall on each of the individual machines as an internal firewall though.
Also, I doubt that I'll need to route all my internal network communication through the pfSense box. It's only going to be the gateway device to the internet.
Server 1
Server 2 \ __ Switch ___ Firewall and Router ___ Internet
Server 3 /
Server 4 /
-
Ok.
You will be able to do that with an Atom based box. Go for 4GB since RAM is cheap. Since you only need two interfaces you can get a board/box with them built in. For example: http://www.mini-box.com/Intel-D2500CCE-Mini-ITX-Motherboard.
That shouldn't even sweat at 4Mbps.

There are a number of alternative free UTM OSes that perhaps offer a more complete set of UTM features. You may want to consider those. ClearOS, Zentyal, IPFire etc.
I recommend pfSense though. ;)
Steve
-
So when hardware firewall manufacturers list specifications of their devices on their websites, and state the throughput provided by their boxes for various functions like Stateful, VPN, IPS, etc., and the figures are usually something between 80 to 500 mbps (I've been looking at the lower-end models), is this throughput for the LAN side of the box, or the WAN side?
-
I'd also like to know if my following network plan is correct, or whether it needs modifications. Based on this, I need to determine if I need just two NICs, or should I plan for adding in more NICs in the future (both, in terms of the motherboard I buy, and the enclosure).
Once we move to the office and add client computers, I may need to allow different stuff through the firewall based on the internet usage of employees. For this, I will need to configure different firewall settings for different usages.
One, for the servers, where we only allow traffic on TCP Port 80, and those ports strictly required for the VPN. Everything else needs to be blocked.
Second, we'll need to be a bit more lax for the client computers, and may even allow stuff like bittorrent traffic.
Again, I believe it is possible to configure different sets of rules on the pfSense firewall for different networks connecting to it. But correct me if I am wrong.

So the best option for us would be to create two different networks with two different subnets for the two purposes.
And it would look like this -

Server 1
Server 2 \ __ Switch 1 (192.168.1.0)
Server 3 /
Server 4 / \ ___
_____Firewall (with different set of rules for each subnet) and Router __ Internet
Client 1 \ /
Client 2 \ __ Switch 2 (192.168.2.0) /
Client 3 /
Client 4 /

Is this network design sound?
If it is, I'll need to make sure I can add in more NICs on the hardware in future.

Also, do I need Gigabit NICs on the pfSense machine, or can I make do with 10/100, since the WAN interface is only likely to be a few megabits per second at max?
-
Yes, that looks good. Yes you can have separate firewall rules on each interface.
However with that configuration any traffic from your clients to your servers has to go through the pfSense box. Using an Atom it will be limited to ~500Mbps maximum, less if you are running services like Snort and Squid. That may or may not be an issue for you.

You might consider using VLANs and a managed switch rather than adding NICs to get more interfaces.
Steve
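The per-interface policy discussed above (servers reachable only on TCP 80 and the VPN ports, clients allowed out freely), written as an added pf.conf example; this is not from the thread and not pfSense's own generated configuration (pfSense builds its rules from the GUI, but the packet filter underneath is pf, and the nat/rdr syntax below is the one used by the FreeBSD 8.x pf that pfSense 2.0/2.1 runs on). Interface names, addresses and the VPN protocol are assumptions: em0 is WAN, em1 the server subnet, em2 the client subnet, and the Windows VPN server is assumed to use L2TP/IPsec (UDP 500/4500 plus ESP).

```pf
# Added example, not pfSense's generated ruleset. Interface names, addresses
# and VPN ports are assumptions chosen for illustration.
wan_if  = "em0"
srv_if  = "em1"             # 192.168.1.0/24, the servers
cli_if  = "em2"             # 192.168.2.0/24, the client computers
srv_net = "192.168.1.0/24"
cli_net = "192.168.2.0/24"
web_srv = "192.168.1.10"    # assumed address of the web server
vpn_srv = "192.168.1.11"    # assumed address of the Windows VPN server
vpn_udp = "{ 500, 4500 }"   # assumed L2TP/IPsec; PPTP would need tcp 1723 + proto gre

set skip on lo0
scrub in all

# Outbound NAT for both internal subnets behind the single WAN address
nat on $wan_if from { $srv_net, $cli_net } to any -> ($wan_if)

# Port forwards: only the web server and the VPN server are reachable from outside
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_srv
rdr on $wan_if proto udp from any to ($wan_if) port $vpn_udp -> $vpn_srv

# Default deny on every interface; the "pass quick" rules below are the whole allow list
block log all
antispoof quick for $srv_if
antispoof quick for $cli_if

# WAN inbound: rdr has already rewritten the destination, so filter on the internal address
pass in quick on $wan_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in quick on $wan_if proto udp from any to $vpn_srv port $vpn_udp keep state
pass in quick on $wan_if proto esp from any to $vpn_srv keep state

# Client subnet: may reach the servers only the way an outside user does
# (web and VPN); everything else to the server subnet is blocked, Internet is open
pass in quick on $cli_if proto tcp from $cli_net to $web_srv port 80 flags S/SA keep state
pass in quick on $cli_if proto udp from $cli_net to $vpn_srv port $vpn_udp keep state
pass in quick on $cli_if proto esp from $cli_net to $vpn_srv keep state
block log quick on $cli_if from $cli_net to $srv_net
pass in quick on $cli_if from $cli_net to any keep state

# Server subnet: nothing originates here. Replies to the sessions admitted above
# are matched by their state entries, so no "pass in on $srv_if" rule exists at all.

# Locally generated traffic and anything already admitted by state may leave
pass out quick on { $wan_if, $srv_if, $cli_if } keep state
```

Because the only rules on em1 are the block-all and antispoof, a server that is compromised cannot open sessions to the clients or the Internet, which is the check worth repeating after any rule change.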
-
"However with that configuration any traffic from your clients to your servers has to go through the pfSense box."
Yeah, that's the idea. With this bunch of servers, we're only allowing access to them through the webserver and the corporate intranet. We'll treat them as remotely logged in users over VPN. Nobody is allowed to communicate directly with any of those boxes except for a locally logged on administrator.

"You might consider using VLANs and a managed switch rather than adding NICs to get more interfaces."
Nah. It's a good idea, but managed switches cost a bomb, whereas more NICs won't. But I'll keep this in mind for future expansions for when we do have the budget.

I just checked with my local vendors, and it seems they don't have any Atom or Mini-ATX based systems available in the market at the moment. They had a Gigabyte GA-E350N and a Zotac 880G-ITX WIFI a couple of weeks back in the market, but they're all out of stock right now.
I don't want to order over the net, because I'm located in India, and then warranty and servicing becomes a problem.
Plus for me the final cost of putting together any Mini-ATX system or in-built cpu-motherboard system comes to around the same as the target hardware I have in mind.
My target hardware (listed below) is pretty cheap at the moment, and at the same time packs a powerful punch.
Gigabyte GA-78LMT-USB3
AMD Athlon II X2 270
Transcend DDR3 1033 MHz RAM 2GB x 2
(on-board contains only one ethernet port, and I'm yet undecided on which external card to purchase that will be supported with drivers in pfSense. need a two-port gigabit card, need advice on model to buy.)

Also, could someone tell me if the motherboard I listed above is supported in pfSense 2.0.3? Does it have drivers?
Because I have the same configuration on another machine right now, and I tried booting the test environment from a pfSense LiveCD, and it kept getting stuck at the 'WAN Interface selection' screen. I'm guessing this could just have been because of lack of presence of two ethernet interfaces as recommended, but I just want to be sure before buying the board.
-
Even with a single NIC, you should be able to get through the initial bootup and config, making a "one-armed router".
On newer hardware models you should try pfSense 2.1 as it is based on FreeBSD 8.3 and will have drivers for some newer things. You should be able to try that easily on your "other machine" and confirm if it finds a NIC to use.
-
Where can I find 2.1 to download? I just checked the Versions and the Downloads pages on the main website, and they still list only 2.0.3.
Also, is 2.1 a stable release or a beta?
-
"Where can I find 2.1 to download? I just checked the Versions and the Downloads pages on the main website, and they still list only 2.0.3.
Also, is 2.1 a stable release or a beta?"
http://snapshots.pfsense.org/
It is BETA but it has been running on a lot of systems for a while now (I have 9 systems running it). If it works on your hardware and 2.0.3 does not, then it has to be better ;)
-
I can't say for sure but that board has a Realtek NIC and it's probably an RTL8111E. The more recent revisions of that chip are not supported by the drivers in pfSense 2.0.X but are by 2.1 as Phil suggested.
Steve
-
Let me try out 2.1 then and report back. Thanks for the help, guys.
-
Hi,
"I plan to assemble a new machine to run pfSense on. I need some advice as to how much horsepower I will need for my specific requirement."
Would be very much surprised if you'd need more than 0.15 horsepower.
-
Ha! :)
-
Hello everyone,
So based on recommendations in the thread above, I tried downloading the beta 2.1 version. This file in particular - pfSense-LiveCD-2.1-RC0-amd64-20130624-0404.iso.gz
I burnt it onto a disc, then loaded it onto my target hardware - (Gigabyte GA-78LMT-USB3, AMD Athlon II X2 270, Transcend DDR3 1033 MHz RAM 2GB x 3). This machine currently serves as my production Web Server, and VPN Server, and is not live currently, but is still under development. But the hardware combination listed above is the cheapest I can get in my city's market at the moment, and is also cheaper compared to some mini-ATX boards and enclosures available. (Which means it will be pretty cost-effective for me if I can manage to run FreeBSD 8.1/pfSense 2.1 on this configuration.)
Please also note that this machine has just one ethernet port - a realtek gigabit port.
Please also note that my server boxes are located in a particular area/enclosure with wiring and everything fixed, so it's not easy to move the boxes around. All of these server boxes are connected via a trendnet USB KVM switch to my workstation computer's console. (which means it's going to be very difficult for me to disconnect all the wires, re-route them, and then reconnect the target pfSense server to the monitor, keyboard and mouse directly, even for testing; forget about doing it permanently.)

So I added a DVD drive to this machine temporarily, and loaded the pfSense disc into it.
Tried booting from CD into the boot-from-cd-test version of pfSense. It got stuck again on the WAN Interface Selection setting. Which probably means my ethernet port still isn't supported with drivers.
Tried booting from CD into safe mode and single user mode, but it kept getting stuck at a screen (don't remember what it said since it was yesterday and I forgot to write it down, but it looked like some usb device was not loading, and it said some IRQ could not be assigned. I had a nagging suspicion at that time that it could have had something to do with the fact that the console is not directly connected, but is connected via the KVM). I tried loading both safe mode and single user mode, but it kept giving the same result each time. I rebooted the machine using Alt-Control-Delete, or hard reboot after each try.
Then I brought out an old IDE hard drive I have lying around, disconnected my machine's current hard drive, and connected the old hdd to it.
Then I booted from the CD again, and this time installed pfSense to the test hdd. The installation worked fine. Then it rebooted, and as it was booting, it got back to the familiar screen asking for WAN Interface Selection, and the auto-detection still wasn't working.
Frustrated, I got out a very old Dlink 10/100 single port ethernet card I have, which was surprisingly still in working condition. (It must be about 8-10 years old. 8 at the very least.) Plugged it in.
Tried booting directly from the CD again. This time at the WAN Interface Selection, it was able to detect the card, and I managed to type it in, and the booting process proceeded.
I don't remember what happened here, but for some reason it must not have proceeded further, so I decided to try re-installing to the hard drive.
So I rebooted, and selected the installation option. After the installation, it rebooted, and finally got to the screen where it asks you what you want to do, and lists out some 20 options. After a bit of searching, I figured that the pfSense installation is live by this point, and to access the GUI, I need to type in 192.168.1.1 in a browser from another machine on the network. (That particular IP is free, and has not been assigned to any other machine in the network.) So I went over and did that. But the page never loaded. So I flipped back to the pfSense machine, and I note that it has rebooted by itself while I was gone, and is now showing me a screen that says 'root mount error'. It showed something I could type in to fix it, and I tried to type it in, but this time, the machine had just frozen, and was not accepting any keyboard commands. Not even Alt-Control-Delete. I had to hard-reboot.
Now totally at a loss, I tried randomly repeating for a few times either re-installing, or booting live from CD. But it kept giving the same results. After a few tries however, the machine stopped working altogether. Meaning, the machine used to boot, POST and give the beep, and then shut down.
Now this is new hardware only a couple of months old, and has so far been running perfectly for its intended role (VPN and Web Server under development and testing), so I know there's nothing wrong with the hardware, but something either in the pfSense installation, or my old test hardware is causing this problem. I immediately disconnected the only two pieces of hardware that I knew were capable of causing this problem - the 8+ year old LAN Card and HDD, and tried booting again, hoping to somehow boot pfSense from live CD, but the problem kept persisting. Machine used to POST and die out.

Anyway, at this point, I panicked, and I didn't want to risk losing that important machine, so I didn't try any further tests to see if I could install/run/test pfSense on that, or any of my other machines. I don't have any other spare hardware I could test this on (the two pieces of spares I do have, are listed above, and are both ancient relics), and I can't afford to try any more experiments on running machines, because if they go bad because of this, it means days of lost work while I run around getting warranty servicing on the parts that go bad.
Anyway, can anyone tell me if the issue I described above is a known issue, and if so, how to fix it?
-
I suggest you disable USB3 in the BIOS (if possible). Older versions of FreeBSD sometimes have problems with "newer" hardware. It is now almost 2 years since release of FreeBSD 8.3 used in pfSense 2.1.
I suspect you are very unlikely to do any damage to your hardware in your attempts to install and run pfSense BUT your hardware might lock up attempting to deal with hardware the device drivers don't adequately know how to "tickle". In my experience a cold power cycle (disconnect box from power for 20 seconds or more to allow capacitors to discharge then restart) clears those lockups.
-
I tried the cold power cycle, but it didn't really help. Problem persisted.
In the end, I had to disconnect everything from the motherboard, and then reconnect them all back, and put back that machine's native disc drives (instead of the test ones), and it got back to working condition.

I'm planning to buy a new ethernet card today, and am gonna test booting into LiveCD again using my 2.0.3 disc, after disabling the on-board ethernet port. I'll try disabling the USB3 as well, as you suggested.
-
Okay, my hardware vendor says he has an Intel PRO/1000 MT 2 port card available. Intel website says it's based on the 82546 chipset.
Is this card supported on 2.0.3?

Edit: Alright, thank god, it's supported. I just checked the hardware compatibility list on the main website.
-
What NIC is on that board? I'm surprised it's not seen by 2.1.
Steve