Need help with sizing home office network with complications.
-
OK so to get some things out of the way:
First, if the 7551 is actually the best fit for something I need to do then I'm certainly game for it. This is for my work, and by the time I build a box and install pfSense on it it's going to be that much anyway. The only reason I would choose to build is if building gets me something I need but that box does not have. If I build I will no doubt need to get a support service separately since I really have no idea how this all works.
pfSense does deep packet inspection and intrusion detection/prevention? Does the 7551 fit that bill? I certainly want that in the mix and forgot to put it in. I'm having a hard time believing that a single appliance can do all this at several hundred mbps. Does somebody have benchmarks for the 7551? Interested in benchmarks with and without VPN duties, and with intrusion detection/prevention.
Yes, I'm super paranoid. One decent firewall between my public-facing and normal home stuff is fine, but I need more for the data I'm bound to protect.
I guess I could start out with one device and see how it goes.
I browsed Intel chips yesterday; it seems I can get an i5 or E3 quad core for not much more than an i3. Processing power matters greatly here, right? And memory, and good NICs? I would much rather have extra ability and not need it than not enough ability and want it.
Speaking of nics, I have a 4-way 4-lane PCIe Realtek card still in the box. Another one just like it shows up like this in Linux:
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 02)
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 02)
05:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 02)
06:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 02)
Is there a real need for the Intel NICs? Or is it preference from the poster?
I also have a 1st generation i7 sitting around with 12 GB RAM, but it doesn't have AES hardware acceleration. And it uses a lot of power.
OK, let's get back on target here. What actually needs to be at the front door? I think:
- Firewall
- Deep packet inspection/intrusion detection & prevention
- Logging
- 6to4
- NAT
Things I need, but could be on the second router:
- OpenVPN
- VLAN support
- Multifactor authentication (don't really know how to do this, probably part of VPN?)
For the moment I won't be getting more than 200 mbps for a while, so I might try just the one box until I get it set up and then split duties later.
-
OK, let's start by answering the last question first.
1. Yes. One pfSense box with adequate ports and adequate grunt will be able to handle all of this.
2. Feature needs
OK let's get back on target here. What actually needs to be at the front door? I think:
- Firewall
- Deep packet inspection/intrusion detection & prevention
- Logging
- 6to4
- NAT
- OpenVPN
- VLAN support
- Multifactor authentication (don't really know how to do this, probably part of VPN?)
Firewall, logging, 6to4, NAT, VLAN support, OpenVPN and multifactor authentication (captive portal) are part of the default install of pfSense.
Deep packet inspection/IDS etc duties are provided by Suricata or Snort packages, or both.
Keep in mind there is a learning curve with this stuff. - This is why I recommended a subscription, as there is a manual that comes with it.
3. Hardware needs
Intel NICs are significantly better supported than the competitors' and generally are faster. They also allow offloading of some of the network processing required, which relieves the processor, unlike the Realtek series. I personally wouldn't run Realtek NICs on core infrastructure unless I had to.
VPN, Snort and suricata are going to be the things that hit memory and processor, the rest is relatively benign.
You need about 1 gig for Suricata (on a medium sized ruleset) and about 2 gigs of ram for snort on the same ruleset, allow 1 extra gig of ram for each interface you want these on (typically you only have it on your WAN or upstream port)
Processor-wise is a bit trickier, as the 7551 has QuickAssist, which is custom hardware for running Snort-type packages. That said, broadly speaking every i3+ from the last 3 generations of Intel processors will be able to handle Snort and Suricata running at the same time with plenty of throughput. More is better, naturally.
AES-NI speeds up AES-128 and AES-256 in OpenVPN. There is a list of processors with AES-NI support here: http://ark.intel.com/search/advanced/?s=t&AESTech=true but it is lengthy; you are better off using the Wikipedia entry on it here: http://en.wikipedia.org/wiki/AES_instruction_set
Based on that your i7 (westmere) does actually have AES-NI
If you have AES-NI and choose to use it, you can expect immense throughput for VPN, in the order of 5-10gbps per core.
If you are building, priority-wise I would go NIC, memory, processor.
NIC - the i350 is my choice; it's a solid performer and supports everything under the sun, while consuming little power. You need 1 port for each network, and one for uplink/WAN. You can get the i350-T4 (4 ports) from eBay for $100-150 used.
Memory - you need about 4 GB; more is gravy. I run 6 and barely touch it (15%) but I don't run Snort or captive portal; even if I did run Snort I guess I'd only hit about 25-35%.
Processor - you need AES-NI, but you don't need an i7 to do it. If the budget allows, go with a new-ish i5, but an i3 should still be more than capable.
-
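Added example, not part of the thread: a shell script that settles the AES-NI question above on the actual hardware rather than from a processor list, and then measures what the instructions buy bulk AES, which is the work an OpenVPN or IPsec tunnel does per packet. It assumes a Linux host with /proc/cpuinfo and the openssl command-line tool (1.0.1 or later, since only the -evp path uses AES-NI); the OPENSSL_ia32cap mask is the value OpenSSL's own documentation gives for disabling AES-NI and PCLMULQDQ, the script name is assumed, and the cpuinfo lines mentioned in comments are constructed samples, not output from anyone's machine.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a host CPU exposes AES-NI
# and measure what it buys bulk AES encryption. Assumes Linux (/proc/cpuinfo)
# and the openssl command-line tool; CPUINFO may be pointed at a saved copy.
CPUINFO="${CPUINFO:-/proc/cpuinfo}"

# cpu_model: the first "model name" line, for the report.
cpu_model() {
    sed -n 's/^model name[[:space:]]*: //p' "$CPUINFO" | head -n 1
}

# cpu_has_aesni: succeed if the CPU flags list "aes", the AES-NI feature bit.
# A Nehalem part such as the i7-920 lists sse4_2 but no "aes"; Westmere and
# later parts list both (constructed samples of such lines are used in tests).
cpu_has_aesni() {
    grep '^flags' "$CPUINFO" | head -n 1 | tr ' ' '\n' | grep -qx 'aes'
}

# aes_speed_kbps <evp-cipher>: openssl's 8 KiB-block throughput (thousands of
# bytes/s) for the cipher, first with hardware AES allowed and then with the
# AES-NI (bit 57) and PCLMULQDQ (bit 33) capability bits masked out through
# OPENSSL_ia32cap, so both numbers come from the same machine and build.
# Prints "with without"; "n/a" if openssl is missing or does not know the cipher.
aes_speed_kbps() {
    with=$(openssl speed -evp "$1" 2>/dev/null | awk -v c="$1" '$1 == c {print $NF}')
    without=$(OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp "$1" 2>/dev/null \
              | awk -v c="$1" '$1 == c {print $NF}')
    echo "${with:-n/a} ${without:-n/a}"
}

# report: human-readable summary; the benchmark only runs when the flag is present.
report() {
    echo "CPU: $(cpu_model)"
    if cpu_has_aesni; then
        echo "AES-NI: present"
        for c in aes-128-cbc aes-256-cbc aes-128-gcm; do
            set -- $(aes_speed_kbps "$c")
            echo "$c: $1 kB/s with AES-NI, $2 kB/s without"
        done
    else
        echo "AES-NI: absent (tunnel crypto will run in software)"
    fi
}

# Usage (assumed file name): sh aesni-check.sh report
if [ "${1:-}" = "report" ]; then
    report
fi
```

The two openssl runs per cipher take a few minutes, because `speed` tests six block sizes each. The 8 KiB column approximates bulk transfer; tunnel packets are nearer the 1024-byte column, and there the per-packet cost of the tunnel itself (copying, framing, the single OpenVPN thread) matters at least as much as the cipher, so treat the result as a ceiling on VPN throughput rather than a prediction of it.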
Keljian,
You're being incredibly helpful. I hear you, I'm just trying to work toward some compromise between what I have in mind and what you have in mind.
Everyone insists I only need one box, but I'm trying for defense in depth. Do you think it doesn't make that much difference? One bigger box would certainly be cheaper than two smaller ones.
My free i7 box does not have AES. It's this one: http://ark.intel.com/products/37147/Intel-Core-i7-920-Processor-8M-Cache-2_66-GHz-4_80-GTs-Intel-QPI
So going with the single-router idea, I'm coming up a port short of what I had in mind. If those NICs can be had for $100 (I checked, there are several) then two of them is no big deal for me. A QuickAssist adapter, on the other hand, is a completely different deal. An Intel QuickAssist 8950 adapter is for sale at exactly one place I found, for $958.66. On the other hand, it will evidently do just about every cipher I've ever heard of and promises 50gbps while doing it. There's supposedly an 8920 out there somewhere but as far as I can tell nobody sells it.
-
Thanks happy to help!
Ok you do not need a quick assist card.
You will not need to push 50gbps. I mean, 10gbps+ NICs exist but you will not be pushing that over VPN. At most you will push 2gbps, 1 up and 1 down.
Now that that's sorted, if you want to support higher levels of encryption than AES-256, then I question what you are doing and wonder whether file-based encryption as well as VPN encryption might be better… That said, my answer would be to throw brute force at it, so an i7-4790 or even an i7-5xxx 6 core would not be unreasonable. The latter would require a graphics card though, as it doesn't have one integrated.
You only need one box. A second is only needed if you need redundancy.
-
Sorry it's been so long for a reply. Life intrudes, need to continue even while researching.
I've been questioning a lot of what we do and how we do it. We definitely need a high security firewall and vpn, and the 7551 is definitely in the top 5 possibilities.
Unfortunately I don't think I can accelerate things in the places we most need the acceleration. A hosted db server, for example, especially a VM, is not going to have access to AES-NI or any of that. We don't generally control that provisioning in any case.
Ideally, we would have acceleration on the remote server hardware which could zip and encrypt the file before sending it. Zipping alone often takes 3 hours or more. If we had one giant VM host I could see putting a QuickAssist card in that and then making it available to all the VMs, if that were possible. It would certainly be cost effective in that scenario, especially considering the hours we've spent waiting for a file to finish zipping before pulling it off the remote server. But that's not really possible here, since we have several remote sites and no control over the hardware.
Even so, if there were built-in hardware acceleration for any of this process, even a zip that takes advantage of some hardware compression, that would help a lot.
Is it feasible with a 7551 to have a site-to-site vpn which not only has encryption but compression as well?
Just for clarity, QuickAssist hardware would allow rapid encryption even with some command-line tool like gpg, right?
In my personal case, I still see an attraction for a second firewall which could easily be cheaper hardware or even a VM. For the purposes of this discussion I don't need to talk about it. I've set up quite a few Linux firewalls before, and this one would be pretty simple.
Thanks again.
-
Again I'll resort to points, due to time constraints:
1. I don't know enough about QuickAssist in Linux et al. to help you. I do know there are gzip cards that can compress stuff on the fly when attached to networks; I don't know if they will work for pfSense. I do know that QuickAssist on the 7551 and C2758 platforms will be supported (if it is not already) by pfSense.
2. While you can't change the hardware of the target systems, you may be able to change the software… If zipping is taking that long to do, it might be worthwhile looking into recompiling a half-decent open source zip program from source using the Intel compiler (which is about $600 from memory). You could save half of that time if it is compiled specifically for the platforms you are running on.
There is a 30 day trial you could do to experiment with this option.
$600 may save you hours if not days of transfers if this is a critical sticking point. A cheaper option if you're on Linux is to use GCC with some platform-specific flags; while this is not optimal it may net you a 25% speed gain (or more). All of this would require testing.
3. Remember that OpenVPN includes LZO compression if enabled - so it might help with the data, depending on what it is and how it is packed. This may mean that you are better off sending uncompressed files across the VPN, to be compressed on the fly by the tunnel. You might lose out on compression ratio, but you would get time back by sending across the tunnel immediately.
There is also the next system up from the 7551 - http://store.netgate.com/Firewall/C2758.aspx - Just FYI.
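Added example, not from the thread and not OpenVPN or pfSense code: a Python script that puts numbers on point 3 above, whether to zip first or to send the file raw and let the tunnel compress on the fly. OpenVPN compresses every packet on its own, so its compressor never sees more than one packet payload at a time, while a zip of the whole file sees all of it. Everything below is assumed rather than taken from the page: zlib stands in for LZO (LZO is not in the standard library; the absolute ratios differ, the comparison does not), PACKET_PAYLOAD of 1400 bytes approximates the tunnel's per-packet payload, the 0.99 cut-off for "incompressible" is a chosen threshold, and both sample payloads are constructed.

```python
"""Added example (not from the thread, not OpenVPN code): does it pay to zip a
file before sending it through the tunnel, or to send it raw and let the
tunnel's per-packet compression work on it?  OpenVPN compresses each packet
independently, so the compressor's window is one packet payload; a zip of
the whole file gets the whole file.  Assumptions: zlib stands in for LZO,
PACKET_PAYLOAD approximates the tunnel payload, both samples are constructed."""
import random
import zlib

PACKET_PAYLOAD = 1400   # assumed bytes of payload per tunnel packet
LEVEL = 6               # zlib level used for both measurements


def per_packet_wire_bytes(data: bytes, payload: int = PACKET_PAYLOAD) -> int:
    """Bytes on the wire when each packet is compressed on its own. Like
    OpenVPN's comp-lzo framing, a packet that does not shrink is sent raw,
    and every packet carries a one-byte compression flag."""
    total = 0
    for off in range(0, len(data), payload):
        chunk = data[off:off + payload]
        packed = zlib.compress(chunk, LEVEL)
        total += 1 + min(len(chunk), len(packed))
    return total


def whole_file_wire_bytes(data: bytes) -> int:
    """Bytes on the wire when the file is compressed once before transfer."""
    return len(zlib.compress(data, LEVEL))


def ratio(data: bytes, wire_fn) -> float:
    """Wire bytes divided by original bytes (1.0 means no gain at all)."""
    return wire_fn(data) / len(data)


def summarize(data: bytes) -> dict:
    """Both ratios plus the penalty for compressing per packet instead of per
    file. 'incompressible' (assumed cut-off: whole-file ratio >= 0.99) means
    neither method helps and tunnel compression is pure per-packet overhead."""
    tunnel = ratio(data, per_packet_wire_bytes)
    whole = ratio(data, whole_file_wire_bytes)
    return {
        "tunnel": tunnel,
        "whole": whole,
        "penalty": tunnel / whole,
        "verdict": "incompressible" if whole >= 0.99 else "compressible",
    }


_rng = random.Random(2015)   # fixed seed so the constructed samples are stable


def _constructed_log(lines: int = 2000) -> bytes:
    """Constructed sample: repetitive database log text, the sort of file the
    thread talks about pulling off a remote server."""
    out = []
    for _ in range(lines):
        out.append(
            "2015-03-%02d 10:%02d:%02d db01 postgres[%d]: LOG: duration: %d ms "
            "statement: SELECT id, total FROM orders WHERE customer_id = %d\n"
            % (_rng.randint(1, 28), _rng.randint(0, 59), _rng.randint(0, 59),
               _rng.randint(1000, 9999), _rng.randint(1, 5000),
               _rng.randint(1, 99999)))
    return "".join(out).encode()


def _constructed_opaque(n: int = 200_000) -> bytes:
    """Constructed sample: random bytes standing in for a file that is already
    zipped or gpg-encrypted, which no compressor can shrink."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


LOG_TEXT = _constructed_log()
OPAQUE = _constructed_opaque()

if __name__ == "__main__":
    for name, data in (("log text", LOG_TEXT), ("zipped/encrypted", OPAQUE)):
        s = summarize(data)
        print("%-17s %7d bytes  tunnel %.3f  whole-file %.3f  penalty %.2fx  %s"
              % (name, len(data), s["tunnel"], s["whole"], s["penalty"], s["verdict"]))
```

For the log text the per-packet figure lands above the whole-file figure (the penalty key is that ratio), which is the compression you give up for not waiting on zip; for the opaque sample neither method helps and tunnel compression costs a flag byte per packet, so files that are already zipped or gpg-encrypted should cross a tunnel with compression off. One caveat that postdates this thread: OpenVPN's documentation now deprecates comp-lzo, because compressing attacker-influenced plaintext together with secrets inside the tunnel leaks the secrets through packet sizes (the VORACLE attack), so if tunnel compression is used at all it belongs on a site-to-site link carrying only your own bulk transfers.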
-
I did some googling and found this:
https://01.org/packet-processing/intel-quickassist-technology-drivers-and-patches
I suggest some more research is in order for the command-line stuff you were talking about.
QuickAssist in the 7551 and the other pfSense box, the C2758, is capable of 50gbps throughput with the right hardware hooked up; this will utterly obliterate the fastest i7-4790 in crypto, once it is finished and baked into pfSense. No timeline on that though.
The thing that may stop that from happening for OpenVPN is that it is single-threaded, which I am guessing is the reason IPsec is being given priority at the moment for high-performance VPN support in pfSense.
-
Gonzo posted these results for IPSec on the 7551
https://forum.pfsense.org/index.php?topic=81862.0
I'm seeing between 729mbps and 891mbps throughput in the below.
At a guess I would think openvpn would be the same ballpark…(and this is without quick assist!)
-
OK thanks guys, I have some thinking to do.
I've found some motherboards based on the chips in these routers; they have QuickAssist and everything. Doing some checking on that end.
Thanks.
-
I just bought one of these:
http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm
Reviewed here:
http://www.servethehome.com/Server-detail/supermicro-a1srm-ln7f-2758-review-awesome/
I bought 16 GB ECC registered memory and an OCZ Vector 150 240 GB SSD. Nobody had mSATA that I liked.
My intent is to put Gentoo 64-bit hardened on the bare metal as a minimal KVM host, and use PCI passthrough to one or more router VMs. One will be pfSense at least as a trial, and if I get serious about it I will probably pay support.
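Added example, not from the thread: a shell script for the KVM-host plan above, passing physical NIC ports to a router VM with VFIO and checking IOMMU group isolation first. It assumes a Linux host booted with intel_iommu=on, the vfio-pci module loaded, and the standard sysfs layout; the PCI addresses are the sysfs form of the lspci lines earlier in the thread, and the script name and the place the libvirt fragment goes are assumptions. The sysfs tree it is tested against is a constructed copy, not a real host.

```shell
#!/bin/sh
# Added example, not from the thread: hand physical NIC ports on a Linux KVM
# host to a router VM with VFIO, refusing if their IOMMU group is not isolated.
# Assumes a kernel booted with intel_iommu=on, the vfio-pci module loaded, and
# sysfs at /sys; SYSFS may be pointed at a copy for testing. PCI addresses are
# in sysfs form, e.g. 0000:03:00.0 for the 03:00.0 that lspci prints.
SYSFS="${SYSFS:-/sys}"

# iommu_group_members <addr>: every device in the IOMMU group of <addr>.
# VFIO moves a group as a unit, so a NIC that shares its group with, say, the
# host's SATA controller cannot be passed through on its own.
iommu_group_members() {
    dir="$SYSFS/bus/pci/devices/$1/iommu_group/devices"
    if [ ! -d "$dir" ]; then
        echo "no IOMMU group for $1 (IOMMU off in firmware or kernel cmdline?)" >&2
        return 1
    fi
    ls "$dir"
}

# iommu_group_isolated <addr>...: succeed only if the group of the first device
# contains nothing beyond the devices listed, all of which go to the VM.
# Multi-port cards without ACS usually put every port in one group, which is
# fine as long as all of those ports are given to the same VM.
iommu_group_isolated() {
    members=$(iommu_group_members "$1") || return 1
    for member in $members; do
        found=0
        for wanted in "$@"; do
            [ "$member" = "$wanted" ] && found=1
        done
        if [ "$found" -ne 1 ]; then
            echo "group of $1 also contains $member; refusing" >&2
            return 1
        fi
    done
}

# bind_to_vfio <addr>: detach the host driver (r8169 for the Realtek card in the
# thread, igb for an i350) and rebind to vfio-pci through driver_override, so a
# later module load or hotplug event never gives the port back to the host.
bind_to_vfio() {
    dev="$SYSFS/bus/pci/devices/$1"
    if [ -e "$dev/driver" ]; then
        echo "$1" > "$dev/driver/unbind"
    fi
    echo vfio-pci > "$dev/driver_override"
    echo "$1" > "$SYSFS/bus/pci/drivers_probe"
}

# hostdev_xml <addr>: libvirt <hostdev> element for the VM definition.
# managed="no" because the binding is done here and meant to be permanent.
hostdev_xml() {
    addr="$1"
    domain="${addr%%:*}"; rest="${addr#*:}"
    bus="${rest%%:*}";    rest="${rest#*:}"
    slot="${rest%%.*}";   func="${rest#*.}"
    printf '<hostdev mode="subsystem" type="pci" managed="no">\n'
    printf '  <source><address domain="0x%s" bus="0x%s" slot="0x%s" function="0x%s"/></source>\n' \
        "$domain" "$bus" "$slot" "$func"
    printf '</hostdev>\n'
}

# Usage (assumed file name): sh passthrough.sh prepare 0000:03:00.0 0000:04:00.0
# Checks the group, rebinds each port, and prints the XML to paste into
# `virsh edit <vm>` under <devices>.
if [ "${1:-}" = "prepare" ]; then
    shift
    iommu_group_isolated "$@" || exit 1
    for addr in "$@"; do bind_to_vfio "$addr"; done
    for addr in "$@"; do hostdev_xml "$addr"; done
fi
```

The isolation check is the part worth running before committing to the design: if the four-port Realtek card's ports share a group with something the host needs, they cannot go to the VM without that device going too. driver_override together with managed="no" keeps the WAN port bound to vfio-pci even while the router VM is down, so the hardened host never has a driver attached to the untrusted side; with managed="yes" libvirt would hand the port back to the host driver on every VM shutdown.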