Which hardware for Site-To-Site VPN



  • Hello to everyone. I need to build some pfSense box to run a site-to-site IPsec VPN from our branch to the main datacenter. In the offices we have a maximum 100/50 Mbps connection, in the datacenter 500/500. I need to build only the box for the branch offices. I don't want to spend a lot of money, so, which hardware should I buy?

    Thank you!



  • I don't want to spend a lot of money, so,

    What is your budget directly? $100, $200 or how much?

    which hardware should I buy?

    What is the connection speed in the branch office?
    Which kind of IPSec end is there at the Datacenter side? Also a pfSense firewall?

    Would you perhaps go better with an extra VPN server in the DMZ using the SoftEtherVPN Server?
    More throughput and more power for cheap.



  • @BlueKobold:

    I don't want to spend a lot of money, so,

    What is your budget directly? $100, $200 or how much?

    which hardware should I buy?

    What is the connection speed in the branch office?
    Which kind of IPSec end is there at the Datacenter side? Also a pfSense firewall?

    Would you perhaps go better with an extra VPN server in the DMZ using the SoftEtherVPN Server?
    More throughput and more power for cheap.

    Hello.
    The connection speed in the branch offices is 100 Megabit/s download and 10 Megabit/s upload.
    Yes, at the datacenter there is another pfSense firewall.

    I actually don't have a budget, but if I can spend around €400 per machine it would be perfect.

    I don't want to add an extra server so if possible I want to do everything with pfSense.



  • Datacenter 500/500
    Branch Office 100/10
    Offices 100/50

    I actually don't have a budget, but if I can spend around €400 per machine it would be perfect.

    Sorry, but owing to my poor English language skills, I am a little bit confused now.

    I was thinking you want to build only one "machine" for one branch office with 100/10 MBit/s.
    And that hardware will be used to connect to the Datacenter 500/500 via IPSec VPN, is this right?

    And what is then with the offices with 100/50 MBit/s??
    Do they need also new hardware? Are they also connected to the Datacenter?
    Or only Branch Office to Datacenter?

    There are some solutions you could go by.

    Please have a look at the SG-xxxx units available directly from the pfSense store or
    their partners all over the world. But related to the $400 bucks there will be only
    the solution from SG-2220 and SG-2440 units.

    So there is also other hardware to choose for this action.

    ~$250
    Intel Celeron G3260 @3,3GHz dual core
    mini ITX Board with Intel I210 or i217 NICs
    Used Intel Quad Port PT NIC
    mini ITX case & PSU
    8 GB RAM

    ~$300 - $400
    Jetway NF9HG-2930 Intel Celeron Quad Core Fanless PC w/ 4X Intel LAN, 2GB, M350

    ~$400 - $500
    Supermicro A1SRI-2758F-O
    Supermicro-CSE-101I mini ITX case
    M350 mini ITX case

    • 2 x 4 GB ECC RAM & SATA-DOM or SSD

    ~$500 +
    Supermicro Barebone on basis of the C2758

    • 2 x 4 GB ECC RAM & SATA-DOM or SSD

    ~$500 - $700
    Intel Xeon E3-1231v3 @ 3,4GHz 4 Core CPU
    Gigabyte GA-6LILS
    2 x 8 GB DDR3 1866 MHz ECC RAM & SSD
    1U rack mount case

    At this point you should perhaps then also have a closer look at the SG-4860 or SG-8860 units from the
    pfSense store, that would be arriving ready to go and together with a mSATA drive. They will do the job
    also really good and with maximum throughput.

    I don't want to add an extra server so if possible I want to do everything with pfSense.

    This might be, but if you offload the entire VPN task from the pfSense firewall, the firewall itself
    will speed up, and the VPN also might be speeding up.

    A refurbished and cheap HP Proliant Microserver with a Dual Core Intel Xeon or Intel Celeron and
    8 GB ECC RAM CentOS & SoftEtherVPN would be a good VPN Server solution.



  • @BlueKobold:

    Sorry, but owing to my poor English language skills, I am a little bit confused now.

    Don't worry, I'm Italian and my English isn't so good so your confusion maybe is also my fault.

    @BlueKobold:

    I was thinking you want to build only one "machine" for one branch office with 100/10 MBit/s.
    And that hardware will be used to connect to the Datacenter 500/500 via IPSec VPN, is this right?

    And what is then with the offices with 100/50 MBit/s??
    Do they need also new hardware? Are they also connected to the Datacenter?
    Or only Branch Office to Datacenter?

    We have different offices with different internet connections: at the moment the maximum speed we can achieve is 100/10, but in some offices we have 1/1 Mbit/s, in another 50/10 (100/50 was my mistake, here in the South of Italy we can't have that speed >:( ). All the offices must be connected to a server hosted in an OVH datacenter with a 500/500 internet connection. The server firewall is also run by a pfSense machine (in a virtual environment).

    My idea was to build "standard" machines with the same hardware for all the offices and use pfSense to connect them with the datacenter via an IPsec VPN.

    @BlueKobold:

    There are some solutions you could go by.

    Please have a look at the SG-xxxx units available directly from the pfSense store or
    their partners all over the world. But related to the $400 bucks there will be only
    the solution from SG-2220 and SG-2440 units.

    So there is also other hardware to choose for this action.

    ~$250
    Intel Celeron G3260 @3,3GHz dual core
    mini ITX Board with Intel I210 or i217 NICs
    Used Intel Quad Port PT NIC
    mini ITX case & PSU
    8 GB RAM

    ~$300 - $400
    Jetway NF9HG-2930 Intel Celeron Quad Core Fanless PC w/ 4X Intel LAN, 2GB, M350

    ~$400 - $500
    Supermicro A1SRI-2758F-O
    Supermicro-CSE-101I mini ITX case
    M350 mini ITX case

    • 2 x 4 GB ECC RAM & SATA-DOM or SSD

    ~$500 +
    Supermicro Barebone on basis of the C2758

    • 2 x 4 GB ECC RAM & SATA-DOM or SSD

    ~$500 - $700
    Intel Xeon E3-1231v3 @ 3,4GHz 4 Core CPU
    Gigabyte GA-6LILS
    2 x 8 GB DDR3 1866 MHz ECC RAM & SSD
    1U rack mount case

    At this point you should perhaps then also have a closer look at the SG-4860 or SG-8860 units from the
    pfSense store, that would be arriving ready to go and together with a mSATA drive. They will do the job
    also really good and with maximum throughput.

    I don't want to add an extra server so if possible I want to do everything with pfSense.

    This might be, but if you offload the entire VPN task from the pfSense firewall, the firewall itself
    will speed up, and the VPN also might be speeding up.

    A refurbished and cheap HP Proliant Microserver with a Dual Core Intel Xeon or Intel Celeron and
    8 GB ECC RAM CentOS & SoftEtherVPN would be a good VPN Server solution.

    I already saw the SG units in the pfSense store but I want to buy everything here in Italy and I can't find any partner here. I will have a look at the other solutions.

    Thank you for your time and your very helpful answer! And sorry again for my mistakes!

    EDIT:
    So, it seems that Supermicro is very very very expensive here in Italy, the Xeon solution is out of the budget and I can't find any reseller of Jetway products in Italy.

    I was thinking of buying a Dell T20 (model 3736 with Intel Xeon E3-1225v3 and 4GB of RAM) and add an additional Intel Quad Port NIC (EXPI9405PTL) … what do you think?



  • So, it seems that Supermicro is very very very expensive here in Italy,

    Yes, where I pay ~150 € for a board, you must pay ~300 € - 400 € for the same board.

    the Xeon solution is out of the budget and I can't find any reseller of Jetway products in Italy.

    For sure, but I was first thinking you only want to build one machine for the branch office!
    So with 100/10 you can also easily go with this option, it's enough power for 1 GBit/s and 50 MBit/s VPN

    ~$250
    Intel Celeron G3260 @3,3GHz dual core
    mini ITX Board with Intel I210 or i217 NICs
    Used Intel Quad Port PT NIC
    mini ITX case & PSU
    8 GB RAM

    I was thinking of buying a Dell T20 (model 3736 with Intel Xeon E3-1225v3 and 4GB of RAM) and add an additional Intel Quad Port NIC (EXPI9405PTL) … what do you think?

    Thread with Dell T20 named in
    These days nothing really beats an Intel Xeon, but with the Intel Celeron G3260 you could also get 1 GBit/s
    WAN speed and ~100 MBit/s VPN speed for around ~250 €



  • @BlueKobold:

    So, it seems that Supermicro is very very very expensive here in Italy,

    Yes, where I pay ~150 € for a board, you must pay ~300 € - 400 € for the same board.

    the Xeon solution is out of the budget and I can't find any reseller of Jetway products in Italy.

    For sure, but I was first thinking you only want to build one machine for the branch office!
    So with 100/10 you can also easily go with this option, it's enough power for 1 GBit/s and 50 MBit/s VPN

    ~$250
    Intel Celeron G3260 @3,3GHz dual core
    mini ITX Board with Intel I210 or i217 NICs
    Used Intel Quad Port PT NIC
    mini ITX case & PSU
    8 GB RAM

    I was thinking of buying a Dell T20 (model 3736 with Intel Xeon E3-1225v3 and 4GB of RAM) and add an additional Intel Quad Port NIC (EXPI9405PTL) … what do you think?

    Thread with Dell T20 named in
    These days nothing really beats an Intel Xeon, but with the Intel Celeron G3260 you could also get 1 GBit/s
    WAN speed and ~100 MBit/s VPN speed for around ~250 €

    Thank you again for your answer. I'm having some trouble finding a Mini-ITX motherboard with Intel I210 or I217… I could find only some ASRock and Asus server boards, but the motherboard alone costs around €250 and both don't show the Intel Pentium G3260 in the CPU compatibility list...



  • Mini-ITX with socket FCLGA1150
    for Celeron G3260

    GIGABYTE GA-H97N-WIFI, Mainboard ~120 €
    GIGABYTE GA-Z97N-WIFI, Mainboard ~130 €

    You can also buy a board you like with LGA 1150 and then on top a refurbished
    Intel Dual or Quad Port NIC.