The best way to install a small UTM?
We need to prepare a small firewall for a remote office (3-5 users). We would like to use a small box like Alix 2D13. Our problem is the installation of SQUID/SquidGuard. It seems that the temporary filesystems created in memory are too small to be used by this software. What install options should we use? Is it possible to use a 'classic' installation on a flash card? If yes - how can we proceed to install (this box cannot boot from USB)?
Thanks for your advice.
You can run squid/squidguard in the 256MB Alix, just to do content filtering. No caching and no serious amount of logging. But yes, if you also have an OpenVPN site-to-site link back to a main office and… it will get really tight on memory.
I am waiting for the "new" Alix http://forum.pfsense.org/index.php/topic,59555.0.html with lots more memory and SSD. It will be interesting to see what actually comes, when it comes and the cost.
Unfortunately there is no "small UTM" product afaik. To justify the "UTM" title an appliance would need to do AV + proxy + IDS and that requires certain minimum hardware specs (I know there are certain commercial offerings, but they're stretching it).
For very small setups (3-5 users) I'd try to virtualize it, but if it isn't possible and you absolutely positively need to do "UTM"-type filtering of traffic, I'd consider tunneling it via VPN to the main office and do the filtering there.
dhatz & phil.davis, thanks for your answers.
We do not need IDS, but we do need antivirus scanning (ClamAV), IPsec VPN and URL filtering.
If we consider forgetting about local logging and caching - is it still too short on RAM? Can swapping help?
Anyway, I would like to know how to install the 'classic' version of pfSense on this type of hardware…
Can swapping help?
Swapping is the last thing you want to occur on a router appliance …
Internet ---- pfSense ---- Untangle
I've looked at Untangle in the past. Don't love it. Firewall is weak and the free packages are limited. It's the 1st stop before pay/commercial offerings.
In the above diagram it offloads and simplifies your firewall. The less that runs on this device the better. Less overhead, less chance of exploits, fewer chances of misconfiguration that weakens its main purpose, etc.
Seth, the OP was looking for a small 256MB Alix2D13-type appliance for a remote office with 3-5 users.
How can Untangle possibly fit into his usage scenario, when it requires a rather "beefy" server to do pretty much anything beyond simple packet filtering?
Peter2121 - to answer your specific question (Anyway, I would like to know how to install the 'classic' version of pfSense on this type of hardware…) - yes you can install the full version of pfSense on a 2 1/2" hard drive in the Alix board, have a look here:
I have actually got a small laptop drive already prepared to try this on my 2d13 - just need to find the time to experiment further.
This would at least give space for logs and cache - albeit slower than memory. Whether this would allow you to run all the extras you are looking for - I have no idea - someone more qualified / experienced would need to comment.
You haven't said what your WAN bandwidth is but this will also be limited with an Alix especially with those packages running, what is it?
A Soekris net6501 has significantly more power and RAM than the ALIX gear… they have similar small cases for them too.
At the net6501-70 price-point I would be looking at something like SuperMicro SYS-5017C-LF instead. Not saying the Soekris is overpriced, I think it's a decent price-point considering what it is.
In terms of running an embedded system once you overcome the partition size limitation (I have posted previously how to increase them, or use 2.1 RC) you will have problems with the squid blacklists and clamav definitions not persisting between reboots. This is a problem because the code expects a hard drive instead of a RAM drive. It shouldn't be too hard to work around this, however you may instead wish to evaluate an industrial SSD (8 to 32GB should be more than enough) with a full install.
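The persistence problem described in the post above (blacklists and definitions living on a RAM disk that is recreated at boot) can be worked around with a small script that copies the data back from the flash card at boot and saves it again on a schedule. The following is an added example, not code from the thread or from pfSense itself. The directory paths, the md(4) device naming and the sample `mount` output are assumptions; on a real box the script would be hooked to boot (e.g. via the shellcmd package) and to cron for periodic saves.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): keep a data directory
# that lives on a memory disk alive across reboots by mirroring it to a
# persistent location on the flash card.
# Assumed paths - adjust for the package you are persisting.
PERSIST_DIR="${PERSIST_DIR:-/root/persist/squidGuard}"   # on the flash card
RAM_DIR="${RAM_DIR:-/var/db/squidGuard}"                  # on the md(4) disk

# Constructed sample of FreeBSD `mount` output on a nanoBSD-style install
# (device and slice names are made up for the example).
SAMPLE_MOUNT="/dev/ufs/pfsense0 on / (ufs, local, noatime, read-only)
/dev/md0 on /var (ufs, local)
/dev/md1 on /tmp (ufs, local)"

# is_on_ramdisk MOUNT_TEXT PATH
# Exit 0 if the longest mount point that is a prefix of PATH is an md device,
# i.e. the directory will not survive a reboot.
is_on_ramdisk() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $3
            if (index(p, mp) != 1) next                 # not a prefix at all
            rest = substr(p, length(mp) + 1, 1)
            if (mp != "/" && rest != "" && rest != "/") next   # "/va" vs "/var"
            if (length(mp) > best_len) { best_len = length(mp); best_dev = $1 }
        }
        END { exit ((best_dev ~ /^\/dev\/md[0-9]/) ? 0 : 1) }'
}

# sync_dir SRC DST: copy the contents of SRC into DST, creating DST as needed.
# Returns non-zero when SRC is missing so a failed restore is visible.
sync_dir() {
    [ -d "$1" ] || return 1
    mkdir -p "$2" || return 1
    cp -Rp "$1/." "$2/"
}

# Usage: ramdisk-persist.sh restore   (at boot, before the proxy starts)
#        ramdisk-persist.sh save      (from cron, e.g. after blacklist updates)
case "${1:-}" in
    restore)
        if is_on_ramdisk "$(mount)" "$RAM_DIR"; then
            sync_dir "$PERSIST_DIR" "$RAM_DIR" || echo "nothing to restore in $PERSIST_DIR" >&2
        else
            echo "$RAM_DIR is not on a memory disk; nothing to do" >&2
        fi
        ;;
    save)
        sync_dir "$RAM_DIR" "$PERSIST_DIR" || echo "$RAM_DIR missing; nothing saved" >&2
        ;;
esac
```

The `is_on_ramdisk` check matters because the same script can be left in place after moving to a full install on an SSD: once `/var` is a real filesystem the restore step becomes a no-op instead of overwriting live data with stale copies.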
My take so far is that lots of people want to have a form factor similar to a 4 port Netgear router but capabilities that really need serious processing horsepower. I'd bet most people would be more happy with the performance of a cheap micro ATX barebones computer with a real hard drive and a couple of cheap Intel gigabit LAN cards. Scanning and filtering can max out Atom and other embedded processors faster than you can say "I will never see gigabit throughput on this tiny box".
For my use case, it is in remote places in Nepal. Solar powered. A system that takes 12V DC (10-15V as the solar charger comes in and at night when the battery gets low). Willing to give it up to 10W power for 24/7 operation. Speed doesn't matter - in big centres we can now get 1-5Mbps. In these remote places it is 192Kbps and the town phones and internet go via satellite - latency is typically 800-1000ms.
The Alix can handle plenty of speed for home users in the 5-20+Mbps range. It just needs more memory! If I could get Alix2D13 boards with 1GB memory soldered on them (rather than 256MB) I would be very happy, and I suspect it would suit a lot of others for home and small office.
They have you on an energy diet, do they?
These can fill the bill getting you down to about 5W-8W and enough memory and processor for you.
If you were in a building mood.
The Alix can handle plenty of speed for home users in the 5-20+Mbps range. It just needs more memory!
Is that due to running out of swap space at startup? My pfSense runs fine on 256MB RAM and almost always has over 100MB free but I guess you are running nanoBSD pfSense while I'm running the full variant.
I am OK with 256MB for a vanilla install with 2 OpenVPN instances (to/from 2 other offices), sometimes an OpenVPN server for a few road warriors, and the usual set of firewall rules. But if I want to monitor usage (e.g. bandwidthd, gradually the data files get bigger in mem disk and real available memory drops) or try content filtering (Squid+SquidGuard with no cache) or… then things get tight. When OpenVPN instances lose their connections and re-establish there is a high transient memory use (both OpenVPN itself and the various bits of PHP that run in the background responding to the WAN/gateway event...).
If memory use on the dashboard stays around 45-60% all is good. If memory use is already 80%, then the transient events don't always complete properly, and there can be a killed OpenVPN instance, due to "out of swap space" (= "out of real memory").
So yes, 512MB or 1GB memory on the board would remove this issue for only a few dollars. Unfortunately the Alix boards were designed a long time ago when it was more than a few dollars for the memory. And it is not possible to have them do a production run with just more memory. Eventually the "new Alix" will come with everything changed - more CPU, Gb ethernet and more memory. That is nice, but I just want memory now :(
P.S. I might also be able to help out on the solar power issue. I have about 20 years now in that also.
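The 45-60% "all good" versus 80% "transient events fail" bands in the post above are easy to watch for from a shell. The following is an added example, not code from the thread or from pfSense: it derives a dashboard-style memory-use percentage from the FreeBSD `vm.stats.vm` page counters and classifies it. The formula (everything that is not free, inactive or cached counts as used), the counter names on the pfSense release in question, and the sample page counts are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): turn FreeBSD vm.stats
# page counters into a percentage and compare it against the bands described
# above (<=60% ok, 60-80% tight, >=80% expect OpenVPN/PHP transients to fail).
# Assumption: free + inactive + cache pages count as available memory.

# Constructed sample sysctl output for a 256MB box (page counts are made up).
SAMPLE_TIGHT="vm.stats.vm.v_page_count: 62000
vm.stats.vm.v_free_count: 8000
vm.stats.vm.v_inactive_count: 10000
vm.stats.vm.v_cache_count: 2000"

SAMPLE_CRITICAL="vm.stats.vm.v_page_count: 62000
vm.stats.vm.v_free_count: 3000
vm.stats.vm.v_inactive_count: 5000
vm.stats.vm.v_cache_count: 1000"

# mem_used_pct SYSCTL_TEXT -> integer percent of pages that are in use,
# or -1 when the page count is missing from the input.
mem_used_pct() {
    printf '%s\n' "$1" | awk -F':' '
        /v_page_count/     { total = $2 + 0 }
        /v_free_count/     { avail += $2 }
        /v_inactive_count/ { avail += $2 }
        /v_cache_count/    { avail += $2 }
        END {
            if (total <= 0) { print -1; exit }
            printf "%d\n", ((total - avail) * 100) / total
        }'
}

# mem_state SYSCTL_TEXT -> ok | tight | critical | unknown
mem_state() {
    ms_pct=$(mem_used_pct "$1")
    if   [ "$ms_pct" -lt 0 ];  then echo unknown
    elif [ "$ms_pct" -le 60 ]; then echo ok
    elif [ "$ms_pct" -lt 80 ]; then echo tight
    else                            echo critical
    fi
}

# On the box itself: sh memcheck.sh --live   (FreeBSD/pfSense only)
if [ "${1:-}" = "--live" ]; then
    live=$(sysctl vm.stats.vm.v_page_count vm.stats.vm.v_free_count \
                  vm.stats.vm.v_inactive_count vm.stats.vm.v_cache_count)
    echo "memory used: $(mem_used_pct "$live")% ($(mem_state "$live"))"
fi
```

Run from cron, the `critical` state is the point at which to expect the "out of swap space" kills described above, so it is a useful trigger for a syslog line before an OpenVPN instance actually dies.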
What are the specs on that system?
The Alix 2d13 supposedly has a 44pin IDE connector. In theory that should be able to take a DOM such as Transcend TS1GDOM44V-S (see http://www.transcend-info.com/industry/products_details.asp?ModNo=26&Func1No=1) available from http://www.memoryc.com for about US$25. You could use "full install" pfSense, swap to the DOM (which should fix your transient event problem) and recover RAM by writing logs to the DOM. RAM recovery might even remove the need to swap for the transient events.
I have used the 1GB 40pin IDE module in my home pfSense (plugged directly into the motherboard IDE connector) for over 4 years without any problem. Of course, "your mileage may vary."
If you can find deals on thin clients with proper spec, that is an option. I found some that were better priced than the Alix boards I've used. These were also new.
See this post. I have 2 of them with upgraded disks of 4 GB, and run offices which average 5 GB-10GB daily using Squid, Snort, etc.