New firewall, what do you think?
-
Hi!
I have to build a new firewall for a head office (small company, +- 40 users in head office). It will have to act as gateway for the head office, give VPN service to some employees and two site-to-site VPNs to remote FortiGates.
Connection:
Head office: 2x 100Mb/50Mb optical fiber (failover)
Remote offices: 2x 10Mb/5Mb optical fiber (failover)
At the moment I am choosing hardware, and I would like to ask your opinion about this.
Motherboard Jetway NF9H-525 Quad-LAN with INTEL Atom D525
(http://www.jetway.com.tw/jw/ipcboard_view.asp?productid=995&proname=NF9H-525)
Disk mSATA 16GB
2GB RAM
Possible extra NICs or VPN accelerator(?) with PCI-e
My main concern in all this is to have good throughput over VPN, at least 50Mb, for near-future branch updates.
Do you think this hardware is a good choice?
Thank you very much
-
You need better hardware. At least an Ivy Bridge Pentium or better and server-grade NICs.
-
That Atom will give ~50Mbps of OpenVPN at best. That's without doing anything else at the same time! I'd say you're going to need something more powerful. Any Sandy Bridge or better CPU should suffice, and I also recommend getting Intel NICs if you can, just to avoid unnecessary problems. There are many people using those Realtek NICs without issue, but not all. ;)
With modern CPUs there is little point bothering with VPN accelerators. It is almost always far more cost effective to just get a faster processor. The only time that might not apply is with very high bandwidth VPN requirements (perhaps >600Mbps, a guess) where you can't do it with raw CPU power. pfSense probably doesn't support specialist hardware like that anyway.
Steve
-
Thanks both for replying.
Definitely I will look at more advanced hardware…
I have been searching but I have not found anything on how to estimate this kind of thing, for example VPN throughput, based on the processor. Could you explain a bit more how that Atom will give ~50Mbps? Or give a link where I can read something about it.
Thank you very much
-
Your head office is not important to me. That's just simple WAN > LAN routing/firewalling and not processor intensive.
I've pulled that much bandwidth through a weak DD-WRT on an E2000. For your pfSense, that's light work.
I think your bottleneck will be here: 2x 10Mb/5Mb (that's all the OpenVPN you have to worry about)
So, with that maximum bandwidth in mind for VPN, your hardware is far more than enough.
If you plan to run snort or some other CPU intensive thing that may change.
In my opinion, your hardware stated is more than adequate.
-
Thanks kejianshi for your reply.
Just now each branch office has, as you say, a 2x 10/5 Mb connection in failover mode. So yes, traffic at the moment through the VPN tunnels will be less than that, 20Mb at most. But probably in a year it will be upgraded to 50/10 or similar, and it's important that the new box can offer enough throughput; 90Mb would be enough. I don't want to change the firewall for a long time xD.
The hardware I posted is valued at +-270€ ($360) and, above all, I don't want pfSense if it is more expensive than, for example, a Zyxel ZyWALL usb200 (a choice I have), and if I have to buy a Sandy Bridge like an i3/i5/i7 that would be so-so.
-
pfSense developer Databeestje did a nice write up of testing an Atom D510 here: http://forum.pfsense.org/index.php/topic,27780.0.html
The D525 is faster so you may get 65-70Mbps. Your highest load scenario where both your remote sites are downloading at 10Mbps is well within that capability but might leave you wanting with other services on your 100Mbps connection. That would be exaggerated if you choose to load balance your two connections.
It's hard to know quite how this would scale, since the limit on the VPN bandwidth might be a single core of the multicore CPU. That might leave more than enough CPU/cores to route the remaining bandwidth.
Either way it definitely rules out running Squid or Snort, and will leave you short if you upgrade your WAN bandwidth any time in the future.
Steve
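Added example, not from any poster in this thread: a small Python model of the sizing argument made above, that tunnel traffic is bounded by what one CPU core can encrypt, and that demand is the sum of the branch links that can be active at once (one circuit in failover, both when load balanced). The capacity figures are the thread's own estimates (Atom D525 ~65-70 Mbps of OpenVPN), not benchmarks, and the Link/vpn_demand_mbps/headroom names are my own.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """A site's WAN: `count` identical circuits, failover unless load_balanced."""
    down_mbps: float
    up_mbps: float
    count: int = 1
    load_balanced: bool = False

    def usable(self) -> tuple[float, float]:
        # Failover keeps one circuit active; load balancing adds them up.
        n = self.count if self.load_balanced else 1
        return self.down_mbps * n, self.up_mbps * n


def vpn_demand_mbps(head: Link, branches: list[Link]) -> float:
    """Worst-case tunnel traffic the head-office box must encrypt/decrypt.

    Branches pulling data: capped by the branches' combined download rate and
    by the head office upload rate.  Branches pushing data: capped by their
    combined upload rate and the head office download rate.  Both directions
    cost CPU, so the two are summed.
    """
    head_down, head_up = head.usable()
    branch_pull = sum(b.usable()[0] for b in branches)
    branch_push = sum(b.usable()[1] for b in branches)
    return min(branch_pull, head_up) + min(branch_push, head_down)


def headroom(capacity_mbps: float, demand_mbps: float) -> float:
    """Fraction of the crypto ceiling left unused; negative means oversubscribed."""
    return (capacity_mbps - demand_mbps) / capacity_mbps


# Figures from the thread (constructed scenario, conservative D525 estimate).
ATOM_D525_OPENVPN_MBPS = 65.0
head_office = Link(100, 50, count=2)             # 2x 100/50, failover
branches_now = [Link(10, 5, count=2)] * 2        # 2x 10/5 per branch, failover
branches_later = [Link(50, 10, count=2)] * 2     # the hoped-for 50/10 upgrade

if __name__ == "__main__":
    for label, branches in (("now", branches_now), ("after upgrade", branches_later)):
        demand = vpn_demand_mbps(head_office, branches)
        print(f"{label}: demand {demand:.0f} Mbps, "
              f"headroom {headroom(ATOM_D525_OPENVPN_MBPS, demand):+.0%}")
```

Running it reproduces the thread's conclusion: today's branch links need about 30 Mbps of tunnel capacity, while the 50/10 upgrade pushes demand to the Atom's ceiling, and load balancing the head office circuits pushes it further still.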
-
There are plenty of example Sandy Bridge builds which don't have to cost that much. For example ~$300: http://forum.pfsense.org/index.php/topic,44269.0.html
Steve
-
I also have no idea where this will be. On a rack or on a shelf. Sitting on a table or floor?
If it doesn't need to fit in a 1U rack, I might even consider taking an obsolete quad-core desktop with 4+ GB of RAM and a couple of dirt cheap PCIe gigabit Intel NIC cards and building it that way. Repurposed old hardware like that costs almost nothing and is very fast for your purposes and reliable.
-
Thanks for your replies, it will be inside a rack but not necessarily in a rack chassis, I prefer a small box for this.
So, after some searching, what about this?
ASUS P8H61-I
Celeron G1610
4GB RAM DDR3
M350 case
SSD 16GB or other
Intel dual NIC
This is more or less 280€ +- $370, almost the same as my first approach lol
Thank you very much
-
I'd get a core i5…
For heavy VPN use and a little future proofing, I like the idea of having the AES routines on chip and the extra threads available at about the same power requirement. Since you are beefing up on your original spec, may as well do it up well.
-
Having an AES-NI capable CPU is nice and would be great for high bandwidth VPN, but it's overkill here. The great thing about boards like that is the range of CPUs they support. The Celeron is just about the lowest performing processor that fits, so if you need more at some later date you have a wide range of upgrade options, which will probably all be cheaper by then. :)
That said I notice the support page for that particular board only lists Sandy Bridge CPUs, not the G1610: http://www.asus.com/Motherboards/P8H61I/#support_CPU
Steve
-
> Thanks for your replies, it will be inside a rack but not necessarily in a rack chassis, I prefer a small box for this.
> So, after some searching, what about this?
> ASUS P8H61-I
> Celeron G1610
> 4GB RAM DDR3
> M350 case
> SSD 16GB or other
> Intel dual NIC

How are you planning to fit a dual NIC in that case+mobo combination?
-
Not to worry… That CPU will make a great E-Bay item. haha
Then an i5 that fits the socket....
-
http://support.asus.com/cpusupport/detail.aspx?SLanguage=en&p=1&m=P8H61-I%20R2.0&cpu=Intel%20Celeron%20G1610%20%282.6GHz,55W,L3:2MB,2C,rev.P0%29&pcb=ALL&sincebios=0804&memo=
Maybe just a BIOS update if the mobo revision is correct.
-
I chose it because I found mobo + CPU + RAM on eBay as a bundle pack xd
http://www.ebay.de/itm/ASUS-P8H61-I-mini-ITX-Intel-Celeron-G1610-2x-2-6GHz-4GB-RAM-DDR3-/310674841980?pt=Komponentenbundles&hash=item4855a9e17c
Yes, the motherboard is version 2.0.
An i5 would be great, as well as a Xeon E5, but the thing here is to do more (or the same) for less money, so those CPUs are not an option. Thanks for the suggestion.
Then do you think this build would handle the load well (50 users, firewall, Internet gateway, VPN road warriors, VPN to remote offices, high throughput, no Snort)?
Thank you very much
-
Without Snort or Squid that board/CPU will handle >1Gbps so, yes, I'd say it will be fine.
Steve