Netgate Discussion Forum
    Help seeking to use pfsense in front of a server farm in a colo

    Hardware
    6 Posts 4 Posters 2.3k Views
    • rFUz72l38v2k

      Dear all, I've been thinking of getting an eBay server with dual-socket Xeon 56xx and around 72GB RAM; they have dual-port Intel® 82576 GbE on-board, to act as the hardware firewall and load balancer (and DHCP) for a web service.

      Do you think they will do the job?

      I will also need a switch since I'll be connecting a number of rack servers to it. Is there any recommendation on switches, or will any old dumb gigabit switch do? I don't believe I need a smart switch since all the features they would provide presumably can be done using the pfSense box, though I don't know any better as I'm a total newbie to servers, colos and pfSense ;D.

      Latency is a consideration factor for both the hardware and switching, and it's important that the firewall be able to handle the full gigabit without any issue, including potential DDoS attack scenarios. I'm also looking to run a large list of permanent IP bans (a number of countries' IP ranges), and possibly Snort (not sure yet, but it should be able to handle it if needed) on the box.

      Any help, advice, recommendations would be gratefully received.

      • tirsojrp

        Do you mean 72GB HDD?

        I don't think that an "old dumb" gigabit switch is what you need. You might need features like LACP/VLANs and if latency is that important you really need a good switch.

        Also be aware that pfSense core components won't benefit from that many CPUs.

        • rFUz72l38v2k

          72GB RAM :).

          I'm really quite confused on the switching front, and it doesn't help I'm new to all these networking features and terminology. But I don't have the budget to spend on a switch that will cost over 500 USD. I don't need VLAN or LACP, not for quite a while :), by then I might have the budget to get some Cisco Nexus switches but that will have to remain a dream for now.

          So if anybody knows a plain-old Gbit switch suitable for racks that is super reliable with good latency (and is within budget), that'd be great (unless there are other reasons I shouldn't use a dumb switch?).

          On the comment on the pfSense core, it doesn't seem like I have to worry: http://forum.pfsense.org/index.php?topic=26244.0

          • stephenw10 (Netgate Administrator)

            You do not need 72GB of RAM. ;)
            You are probably going to have 8 cores, and you probably won't use them either.
            I would be surprised if you managed to use 8GB. With a server of that spec you could run pfSense as a VM and use the spare CPU cycles and RAM for something else.

            You can use an unmanaged switch, but it limits your options quite severely; you don't know what tweaking you might have to do in the future once you're up and running.

            You will have no problems passing 1Gbps through that box, but trying to run Snort at that speed is a different matter. It will require careful setup and tweaking. Not my area of expertise though. There have been a number of threads about this recently.

            Steve

            • mhab12

              We have an old Dell PowerEdge 1750 with a 3 GHz processor and 2GB RAM in front of our equipment that we have at a colo. We also have a Cisco 2960 switch. It does the trick just fine and is able to push nearly 90 Mbps over VPN across our 100 Mbps link at about 20% CPU usage. Unless you are really going to be running a lot of other services (i.e. Snort) or pushing huge VPN bandwidth, I would cut back on the server budget and bump your switch budget instead. Having a switch fail at a colo is a pain, to say the least.

              • rFUz72l38v2k

                Makes sense, but to be honest, not sure if you guys have seen the prices lately; there are a lot of HQ rack servers out there for cheap. I'll probably stick with the processors and get a smaller 32GB RAM version per your advice (I know it's probably still overkill); you can easily get one of these for a couple of hundred bucks.

                Besides, I'll probably run some sort of IPS, and since everybody's saying it's gonna use up a lot of CPU, I guess I'd rather be safe than sorry.

                For the switches I guess the Cisco 2960 looks good. Might try that myself, and prices are OK. Though I have to ask, how come you're not able to get 100 Mbps over a 100 Mbps link if your server is under-utilized? What's the bottleneck holding it back?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.