Choosing hardware for PFSense



  • Hi,

    I would like to upgrade my network with PFSense Firewall and IDS/IPS solution. I'm thinking of buying one of the following hardware components:

    I would like to know your opinion on the matter. I need the following:

    • Snort IDS/IPS/Firewall
    • VPN
    • VLAN Trunk (if this is even possible without a switch)
    • Minimum Power consumption
    • Storage component for logs, statistics
    • 1Gbps

    My current best bet would be PFW201 (www.tranquilnet.com), but it's rather pricey: around 700$ for international shipping and 160GB of hard drive.

    I would also like to know whether you're recommending to have VPN at a firewall/pfsense level or later on in some virtual machine specifically allocated just for VPN.

    Can you suggest the best hardware I can buy for my needs? I need this for my own home network running 10-20 virtual machines (servers) that need to be accessible from the outside. I would like to introduce PFSense for security reasons.

    Thank you



  • An Atom N270 isn't going to be able to do anywhere near 1Gbit/s with Snort/VPN. How much bandwidth do you actually have?



  • Hi,

    My bandwidth to the internet is 10Mbps download and 2Mbps upload. But there will be an ESXi connected to the PFSense router which needs 1Gbps, because virtual machines need to talk to each other as fast as possible (because a file system is on NAS).

    But Atom has 1.6GHz processor speed, isn't that enough for what I need? Anyway, can you suggest a product, which is capable of doing what I need in real time: my preference is low power consumption.

    Thank you



  • Could you put together a diagram of what your network would look like?

    If your ESXi server isn't stressed you could possibly virtualize pfSense too and save the cost of a machine just to run pfSense. Maybe have to buy a NIC or two though.



  • Hi,

    Yes, I've uploaded the picture here: http://postimg.org/image/6y7m16y79/

    As you can see the first element is a Wireless Linksys WRTGL router used for my wireless clients … but I want them separated from the ESXi virtual machines, which is why I thought I would introduce a PFSense machine, which would be used for Firewall/IDS/IPS.

    If you have a suggestion how I can set up my network like this: http://postimg.org/image/k5m36qfef/ I would greatly appreciate it. This would save me some money.

    Thank you



  • @eleanor:

    Hi,

    My bandwidth to the internet is 10Mbps download and 2Mbps upload. But there will be an ESXi connected to the PFSense router which needs 1Gbps, because virtual machines need to talk to each other as fast as possible (because a file system is on NAS).

    But Atom has 1.6GHz processor speed, isn't that enough for what I need? Anyway, can you suggest a product, which is capable of doing what I need in real time: my preference is low power consumption.

    Thank you

    A single core Atom is fine for 10/2 Internet access with Snort. It is NOT fine for analysing 1Gbit/s LAN traffic.  If you want to have snort running internally on your network then you're going to need more power.

    The second drawing you proposed is the "correct" one. Run pfSense at the edge, have an access point hanging off of one port, have your VMs on another port, set them as separate networks and filter the traffic as needed.

