Hello guys. In my company the old admin used IPCop as a firewall and proxy - MS AD authentication. Now I want to move to pfSense. My boss gave me a nice server machine with 2x Intel Xeon, 12GB RAM and SAS 6x73GB. I will run firewall, proxy with MS AD authentication, IDS, Snort, SquidGuard, OpenVPN for about 15-20 users.
Can anyone suggest what configuration I should use for RAID and HDD partitioning and sizing?
I am thinking about RAID 10. What is your opinion, guys?
I would say it depends on what support your RAID hardware has in pfSense. If it's real RAID hardware that presents a single drive to pfSense then you can do what you like. If it requires drivers etc. then it may be supported, in which case check the capabilities of the driver. If it's not supported then you may be better off disabling any RAID features in your hardware and using a geom mirror (software RAID).
My opinion is that the machines are totally overheaded ;)
Seriously, I have 8GB in our DataCenter cluster and even that isn't needed. Of course, running IDS like Snort and SG will use quite a bit of it, but 12G are massive. As for the HDD, 6x73GB? What will you do with ~200-300GB of HDD space? I'd be more afraid that I have 6 spinning drives in my FW that could possibly go bad. We are running a RAID-1 on 2x240GB SSDs. And I still don't know what I'll do with ~220GB of that space ;)
To be careful, if your controller is a hardware one (real hardware, not those onboard software thingies), then I'd set those 6 drives into a RAID-6 configuration to be safe for a double failure. Did I read correctly that this is a dual CPU machine, or are those 2 machines with one CPU? As for the Xeons, their multi-core potential will not be that important until pfSense goes to 2.2 or higher and migrates to FreeBSD 10.x, as the main part - the filter - isn't able to use multiple cores (if I'm not mistaken). But the other cores are nice for running those other apps like Snort and Squid.
What is your WAN bandwidth? With that hardware it could be pretty much anything available and not have problems.
So guys. Finally. I made RAID10 and used the quick install :) Then I turned the whole machine into a little UTM system with squid3+squidguard, snort, HAVP. Everything runs very well, for now in transparent mode for the proxy server. I successfully tried LDAP authentication and also NT domain authentication. But the problem is there is no single sign-on feature. Even if I log in on a user PC with a user account that is in a group with internet access, IE or Mozilla or Chrome asks me every time for a user and pass.
I read somewhere in the forum about pfSense + samba4 with an option on squid, but the website from where to download the package is not working.
I will appreciate every idea about how to resolve this. The other way I am thinking about is to put 1xLan MS ISA server as a proxy just for authenticating the user - but my reason to migrate to pfSense was to fuckoff MS ISA 2004 pc from my server room :)
With the kind of resources you seem to have, I would recommend two different systems. One dedicated to pfSense - firewall with IPS/IDS and HAVP, and the other would be a Linux machine (Debian or CentOS) dedicated to Squid and SquidGuard. You will have more freedom, which will be necessary to implement single sign-on.
In fact you should have two firewalls for fail safe. One pfsense and other IPTables maybe.
Nahh. I think the IBM server I have is strong enough to have everything on it. Also I don't need HAVP because ClamAV is integrated into Dansguardian already.