1u rack mount recommendations



  • I'm looking to upgrade my pfsense installation to a 1u rackmount server, and have been looking on ebay in the price range of $0-$250. I've tried looking at Dell Power Edge, Lenovo, and HP boxes.

    I host a WAP, use IDS/IPS, and will be setting up NAS (on a separate box). I would also like the box to have plenty of speed capability.

    What are everyone's recommendations?


  • Netgate Administrator

    Better defined specs please.  :)
    What will your WAN bandwidth be? You want 1Gbps between internal interfaces? How many NICs do you need?

    Steve



  • WAN bandwidth 50mbit - 100mbit. Yes I would like 1Gbps between internal interfaces. I'm thinking 4 NICs.


  • Netgate Administrator

    Ok, so to get 1Gbps throughput you will need something like a Celeron G530 or better, not a particularly tough requirement. However that's just for firewall/NAT and just between two interfaces. Adding IDS/IPS (Snort) to that, either simultaneously on WAN traffic or on internal interfaces, will require considerably more horsepower. Do you need IDS on internal interfaces at 1Gbps?

    Steve



  • not a particular requirement, but I would like to be able if possible.





  • while that looks really promising gonzopancho, it's rather expensive. Just quickly looking at eBay I can get some rather capable hardware for considerably cheaper ($100-$300), I just have to make sure the hardware is compatible and configure it myself.


  • Netgate Administrator

    Anything that is 1U rack-mount and that price is probably going to be old enough to be compatible.  ;)
    Things to avoid in server hardware might be rare and expensive disk controllers and NICs with fancy features like LAN-bypass. The current pfSense version is built on FreeBSD 8.3 which is a couple of years old now and FreeBSD hardware support generally lags Linux (for example) anyway. Try to avoid anything super new, though the Rangeley Atoms are now supported as Jim mentioned above.
    Probably easier if you suggest a piece of hardware and we advise you on it.

    Steve



  • http://goo.gl/bTgI01

    You can get away with a server for your budget, you even get a 1 year warranty.

    Too loud for my needs, but might work out for you.



  • Don't the Dell PowerEdge 1950 G2's have Broadcom NIC's? I've heard that there are some issues with Broadcom.



  • I'm quite happy with my WatchGuard. You can find some good deals on them on eBay.



  • Interesting, haven't really thought of that, nor do I know much about them. What are the advantages/disadvantages of using a firebox over a rack unit? What is involved in getting a firebox configured with pfSense?



  • @justsomeone:

    What are the advantages/disadvantages of using a firebox over a rack unit?

    Advantages? I'll speak for myself in this case… ;)
    It was free. It's rack mountable. You can run nano on it, so storage is cheap. Power requirements vs Performance is good. Many interfaces. Can do quite some stuff even if you leave the HW in its default config.
    Disadvantages?
    It requires some tweaking to get it installed (following instructions), so be prepared for a learning curve.
    You may want to add memory on the stock models, and possibly swap cpu (depending on your needs). Full install is a challenge if you should want that, hd bays and appropriate connectors are not always present. It's loud (but that's less an issue if you want to put it in a rack).

    @justsomeone:

    What is involved in getting a firebox configured with pfSense?

    Euhm… keep being nice to Steve, he invested heaps of time supporting the community on getting these watchguard boxes going with pfSense ;D
    Other than that, browse through the different threads here (x550, x750, xtm, ...), there is good info to find, and look around for a box...


  • Netgate Administrator

    The different firebox models require various amounts of tweaking to get pfSense installed. The cheaper and more commonly available X-e boxes will not manage 1Gbps, even after upgrading the CPU. You would need to use an XTM5 to get that and they're not too common, yet.
    The Watchguard boxes offer Atom-like performance but with 8 NICs in a nice rack mount box for low cost.

    See: https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox

    Steve



  • @justsomeone:

    while that looks really promising gonzopancho, it's rather expensive. Just quickly looking at eBay I can get some rather capable hardware for considerably cheaper ($100-$300), I just have to make sure the hardware is compatible and configure it myself.

    Depends on what your time is worth, and what downtime costs. If it's just a home setup, and you have all kinds of time to mess with it and minimal money, then yeah maybe you're best suited by the ebay route. Lot of old servers that work well, especially Dell and HP used by a lot of folks here, though those boxes are loud, extremely power-hungry, and generate a lot of heat.

    Where you want a combination of hardware that's known-solid, with a custom config out of the box optimized for the hardware including pulling custom updates specific to that hardware so you always have the most optimal settings, have the assurance of new versions being validated on the hardware before release, and get support included, the platforms we offer are really hard to beat.



  • @justsomeone:

    Don't the Dell PowerEdge 1950 G2's have Broadcom NIC's? I've heard that there are some issues with Broadcom.

    They do have Broadcom NICs, as do quite a few of the other Dell models people use. They're very good NICs, solid performance, reliable. The only issue I'm aware of there is in 8.3 base versions (2.1.x releases), they don't support jumbo frames because of a driver issue. That does work in 2.2 though, and isn't an issue in the majority of firewall use cases.



  • I'd love the known rock-solid hardware with custom updates & support, but from what I see that is a wee bit over my budget.

    Right now I'm looking at the Dell 1950 G3's & G2's (2 port), likely with 16 gigs of RAM and an SSD. Then I'm planning on adding a 4 port Intel GB NIC.


  • Netgate Administrator

    Even running Snort you're unlikely to need 16GB of ram.

    Steve


  • Moderator

    Hey Steve,

    On one of my boxes, I am testing Snort (blocking mode) and Suricata (passive mode) and it's using about 8GB of memory for two interfaces with fully loaded rulesets. Not a typical setup but I am also not using Squid.

    btw - I really want to know if that's you in your Avatar! Always been wanting to ask lol…


  • Netgate Administrator

    Well I'm sure you could use 16GB, or at least >8GB, if you try but it shouldn't be necessary IMHO. If I were looking at second hand servers I wouldn't be looking for 16GB specifically.

    Yes that's me in my avatar.  :)

    Steve



  • So maybe to be on the safe side bump it up to 24 gigs of ram?


  • Moderator

    @stephenw10:

    Yes that's me in my avatar.  :)

    Steve

    Nice!



  • @stephenw10:

    The different firebox models require various amounts of tweaking to get pfSense installed. The cheaper and more commonly available X-e boxes will not manage 1Gbps, even after upgrading the CPU.

    Hi Steve, Steve here.

    For some time now, and with your help, I have been running WG X550e Fireboxes with pfSense 2.1.5 for my company offices and for my datacenter firewall. We run an MPLS VPN so all our company Internet traffic goes out the datacenter firewall.

    Yesterday, we upgraded our datacenter connection to 40mbps but the speed on this side of the Firebox is 38mbps down and 35 up.

    Can you elaborate a bit on your comment about the X-e boxes not reaching 1Gbps? Is there any reason to think I am losing throughput within the X550e I am using in the datacenter?

    The FB in the datacenter has been upgraded to 2GB memory and the SL7EP chip. My LAN connection on the datacenter FB connects to an Allied Telesis x600 Gigabit router and my test laptop was connected to that.

    Any input is greatly appreciated.
    Steve



  • @justsomeone:

    So maybe to be on the safe side bump it up to 24 gigs of ram?

    Board
    19" dual rack case
    8 GB RAM
    SSD 120 GB
    Intel Quad Port server adapter
    custom holes in the front brackets
    All in all for ~$350 to realize


  • Netgate Administrator

    Hi Steve,
    Those X-e boxes won't reach 1Gbps throughput due to the CPU. If you fit the 2GHz Pentium-M they will hit wire speed or at least some other limit, likely the NICs. I get 5-600Mbps through mine with the 1.7GHz CPU, of course it varies greatly by what traffic you are sending, packet size etc!
    There are some test values shown here: http://www.copyerror.com/2012/10/27/watchguard-firebox-core-x550ex750ex1250e/4/

    Steve



  • @stephenw10:

    I get 5-600Mbps through mine with the 1.7GHz CPU, of course it varies greatly by what traffic you are sending, packet size etc!

    Tom's test results don't appear to claim that kind of speed with that chip as he is using the SL7SM. Are you getting that performance out of the on-board ports or the expansion ports?

    Steve, what firmware are you using? I upgraded some of my boxes from 2.0.3 to 2.1.5 and I'm wondering if the 2.1.5 drivers fully support the hardware.

    I am considering upgrading to 2.2.5. Do you think it's worth it?

    I am using WG pfSense routers for all my offices and for our datacenter gw. Should I be looking at other hardware that will run pfSense? Is what I have good enough for a commercial website(s) NAT gateway as well as a VPN portal?

