Firewall Recommendation
-
I'd like to get a firewall for a charity, to be used as follows. I'd buy from pfsense.org to support the project and to get some support. My current preference is a pair of C2758 units for redundancy. Does the hardware match my requirements?
-
- WAN throughput: 60 Mbps initially (Multi-WAN) and 250 Mbps in 5 years' time
- WiFi users: max 600, light traffic like casual 'lounge' use
- Normal users: max 100
- VPN users: minimal, up to 5
- Squid add-on for web caching
- Snort add-on for Layer 7 application visibility & control
- 2x SFP ports
Thanks.
-
-
Just looking at the specs, I don't see that these units have any SFP ports (not sure why a firewall/router would need that in the first place), but you can add an expansion card to get 10GigE in future if that's your concern. No built-in WiFi, so you're also getting an AP. $3000+ USD for a charity firewall? That seems overkill.
-
Yes, I'll add two SFP ports. Fiber is required because the DSL lines come into a different building, which is about 500' from the main building.
We'll have separate Aerohive WiFi access points.
Not sure what where the DSL connection comes in has to do with the firewalls requiring fiber?? Are you saying the DSL connection is fiber and not copper? Put the firewalls where the connection comes in, and then do whatever it is you do with your LAN to the other building..
Really curious about the charity that can spend 3K for firewalls, and has 600-some WiFi users??
"WiFi users: max 600 of light traffic, like casual 'lounge' use"
"We'll have separate Aerohive WiFi access points"
Those sure are not cheap.. I show http://www.aerohive.com/calculator $500 for their cheap ones.. 600 users are going to take a few of those for sure, even with light use..
Well, maybe a typical charity where none of the actual money gets used for the "charity" ;)
-
The DSL lines will be aggregated into the firewall for now; and when they recover from this bill, the telco will run fiber service into the premises. ;)
2 DSL lines > Firewall >>>>>> f i b e r >>> Building 2 with 2x Cisco 3560 switches
I can get 100+ users on one WiFi access point and it's still snappy. They're not cheap, but where else do you get airtime fairness, band steering, cloud provisioning and enterprise-class hardware for < $500? Cheaper consumer-grade APs don't manage airtime very well at all, and fringe clients will grab most of the airtime, ruining it for everyone else.
I guess I should have worded my question like this: how much strain would Squid and Snort put on the firewall?
-
"Put the firewalls where the connection comes in, and then do whatever it is you do with your LAN to the other building.."
Why so negative, johnpoz? Sounds like "why can a charity afford what I cannot" to me.
@painslie:
For the fiber link, wherever it comes from, just use a cheap switch with 1 SFP slot and some Gbit copper ports and you're done.
Doesn't have to be in the pfSense device itself, especially since you want to use a pair of those, probably in failover configuration.
"… with 2x Cisco 3560 switches"
or just segment one SFP port and 2 copper ports with a VLAN on those.
johnpoz, shut-up! ;D ;D ;D
-
Thanks guys.
So the one question that's getting lost in the weeds… Can the C2758 handle a 250Mbps WAN while also running Squid and Snort?
-
"I can get 100+ users on one WiFi access point"
Not with any sort of bandwidth for each user you're NOT… What does it matter how many connections you get if they are all sharing the WiFi pipe of shit bandwidth... That $500 model was 2x2 N... so you're talking at best 300 PHY, so realistically 150, so 150/100 -- wow, 1.5 Mbps -- screaming WiFi connection at BEST...
Guess it doesn't matter all that much if you only have 60 Mbps for 600 users to share anyway.. what, .1 Mbps each.. Pretty sure they will just use their data plan vs that WiFi ;)
My question is more "why" a charity would need to provide WiFi for 600 users.. Is it some kind of charity event??
-
"Thanks guys. So the one question that's getting lost in the weeds… Can the C2758 handle a 250Mbps WAN while also running Squid and Snort?"
Squid = pretty crappy, but doesn't use much CPU; it'll eat as much RAM as you give it.
Snort = CPU & RAM intensive. So 250 Mbps is no problem without Squid & Snort; with them it'll depend on lots of factors. Maybe someone here has a similar setup with a Rangeley SoC.
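Since the answer above is "it depends on lots of factors", the practical check is to measure it: run iperf3 through the firewall with the packages disabled, enable Squid and Snort, run it again, and compare against the 250 Mbps target while watching CPU on the pfSense console (`top -aSH`). The script below is an added example for this thread, not code from the original post or from the pfSense project; it parses the JSON that `iperf3 -J` writes (the `end.sum_received` / `end.sum_sent` fields) and reports the drop. The two JSON blobs are constructed sample data in that shape, and the throughput numbers in them are illustrative, not measurements of a C2758.

```python
"""
Compare two iperf3 -J reports (baseline vs. packages enabled) against a
WAN throughput target.

Assumed workflow (not from the thread):
  1. iperf3 -s on a LAN host behind the firewall
  2. iperf3 -c <lan-host> -P 8 -t 30 -J > baseline.json  (Squid/Snort off)
  3. enable Squid and Snort on pfSense, rerun into with_packages.json
  4. compare(open("baseline.json").read(), open("with_packages.json").read())
"""
import json

TARGET_MBPS = 250.0  # the 5-year WAN figure from the original post

# Constructed sample reports: only the fields this script reads are
# included, and the values are illustrative rather than measured.
BASELINE_JSON = """
{"end": {"sum_sent":     {"bits_per_second": 941500000.0, "retransmits": 12},
         "sum_received": {"bits_per_second": 938200000.0}}}
"""
WITH_PACKAGES_JSON = """
{"end": {"sum_sent":     {"bits_per_second": 312000000.0, "retransmits": 340},
         "sum_received": {"bits_per_second": 305400000.0}}}
"""


def received_mbps(iperf_json: str) -> float:
    """Receiver-side goodput in Mbit/s from an iperf3 -J report.

    The receiver figure is used because retransmitted bytes inflate the
    sender's number; those bytes never reached the LAN host.
    """
    report = json.loads(iperf_json)
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def retransmits(iperf_json: str) -> int:
    """Sender-side TCP retransmit count (iperf3 puts it under sum_sent)."""
    return int(json.loads(iperf_json)["end"]["sum_sent"].get("retransmits", 0))


def compare(baseline_json: str, loaded_json: str,
            target_mbps: float = TARGET_MBPS) -> dict:
    """Summarise the throughput loss and whether the target is still met."""
    base = received_mbps(baseline_json)
    loaded = received_mbps(loaded_json)
    loss_pct = 100.0 * (base - loaded) / base if base else 0.0
    return {
        "baseline_mbps": round(base, 1),
        "loaded_mbps": round(loaded, 1),
        "loss_pct": round(loss_pct, 1),
        "loaded_retransmits": retransmits(loaded_json),
        "meets_target": loaded >= target_mbps,
    }


if __name__ == "__main__":
    for key, value in compare(BASELINE_JSON, WITH_PACKAGES_JSON).items():
        print(f"{key}: {value}")
```

A large jump in retransmits with the packages enabled usually means the inspection path is dropping or delaying packets rather than the link itself being saturated; that is the case where more cores or fewer Snort rules matter, and it is worth repeating the run with Squid alone and Snort alone to see which one costs what.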
-
Thanks @heper.
@jahonix these are special events, definitely not day-to-day use. The bandwidth hog is an intranet serving video from an internal Wowza server.