Looking for hardware recommendations

jammcla

Looking at pfSense as an option to become the main firewall/Gateway into the office and as link to our other offices through a IPSEC VPN tunnel.

What kind of hardware would I need to fit the following packages/other items?:

-1Gb internet connection
-IPSEC VPN tunnel to 3 other sites(2 of the other sites have 1Gb internet as well)
-Captive portal for external wireless network authenticating to radius server on Domain Controller
-Snort or Suricata
-SquidGuard
-Squid3
-Sarg
-OpenVPN Client Export Utility
-OpenVPN Clients connected (allowing for expansion 75 devices if everyone was connected, probably normal connection of 5-10)
-Working as router with 15 separate networks(multiple will only have a laptop in them for Port NATing based on location)
-Allow for 8 or more network ports(will probably vlan the less used ones if needed)
-Carp for failover
-dual wan(much slower than primary only used if main goes down)

Was thinking of comparing a Dell Server and a custom build but not sure how much power I need put put behind it to run all of it.

How big do I need to go?  Could I just virtualize it on Hyper-V and be fine?

Thanks for taking the time to read this.

jammcla

Keljian

You can virtualise anything provided you take into account the overhead.

I would simply try virtualised first if you already have the hardware. 2 cores and about 6 gig of ram should get you going depending on the host and how much memory you want to give squid.

You can always back up the config file and reinstall on metal if you need to

jammcla

Looking around the offices I was unable to find enough resources to virtualize the box in all offices.  I decided to start looking though hardware and start pricing some gear out.

Case:                Rosewill RSV-L4000
Motherboard:    GIGABYTE GA-Z170X-Gaming 5
CPU:                  Intel Core i7-6700
RAM:                  G.SKILL Ripjaws 4 Series 32GB F4-2400C15Q-32GRK
HDD:                  SAMSUNG 850 PRO 2.5" 256GB
HDD Mount:        Rosewill RDRD-11004
PSU:                    ENERMAX REVOLUTION X't ERX730AWT 730W
Network Cards:  Intel E1G44HT Server Adapter

Looking at 2 of the network cards and all prices on Newegg(Some prices were cheaper on Amazon but I did all price quotes on Newegg to keep same vendor) the price came out to $1580.

Would this work(little worried due to the newness of some the gear and support of it driverwise)?  If we decided we needed more throughput than 1gb and got a 10gb connection and I added a 10gb network card should we be able to push more than 1gb out as long as it is coming from more than 1 1gb interface?

chris4916

@jammcla:

How big do I need to go?  Could I just virtualize it on Hyper-V and be fine?

I'm really looking for someone able to explain to me why and how virtualization solves hardware sizing questions.
I do understand why it help to define smaller virtual machine (and therefore the potential benefit of having multiple small VM hosted on same hardware) but when it comes to discuss something potentially large requiring significant amount f resources, virtualization as technical answer means that your host server has potentially "no limit" or, at the end, that it will host only one VM.

I'm not saying here it has no added value, although VM for FW is very strange to me.

Keljian

I would be looking at server grade hardware:

3.8ghz broadwell xeon : http://ark.intel.com/products/88046/Intel-Xeon-Processor-E3-1285-v4-6M-Cache-3_50-GHz
16 Gig of ram (1866Mhz - speed matters only when you're pushing multi gigabit)
2x Samsung 850 pro drives (128 gig would be more than sufficient)
Supermicro X10SAT ATX mainboard
Chelsio 10 GB nic (2 port - eg t420 or t520)  - if you want to go 10GB

As for why to virtualise:
1. Live migration - Less downtime
2. Snapshots - to test new settings with the ability to revert
3. Backups of virtual machines are easier than full machines in general.
4. Capitalise on hardware investment (more running on the same machine)
5. Capitalise on bandwidth/networking hardware - multiple vms on the same machine means they can all share the same virtual switch, which typically is very fast, and they can all share a single connection to a switch.
6. Upgrades/migrations are easier
7. Ability to work out how much power/memory to devote, and then use the rest elsewhere..

Guest

I'm not saying here it has no added value, although VM for FW is very strange to me.

Me too, but in some rarely cases, companies or their networks are growing up rapidly so that you
are able then to let the Firewall grow up also fast as you might must be doing it. As an example:
The Lanner FW-8896 Series is capable to handle many VMs and also sort them with many different
LAN Port configurations.

• Your case
• Upgrade set
• ATX Dual PSU
• Diamond Head 12G6CB or Shasta 12G6S
• SSD
• RAM

-Working as router with 15 separate networks(multiple will only have a laptop in them for Port NATing based on location)
-Allow for 8 or more network ports(will probably vlan the less used ones if needed)

??? I really don´t know why not setting up a switch stack with some Layer3 Switches?
Or some little, small or bigger MikroTik routers, for doing this job right.