future planning for pfSense and 10Gb


mobycl1ck

New Member
Feb 20, 2022
Hello folks,
I would like to hear your opinions on this matter.
I have an HP T620 Plus with an Intel quad-port NIC running pfSense. I have a 300 Mbps FTTH connection; the fiber-to-copper conversion is done by a small Nokia ONTG-010-P.
So far, so good. I set up pfSense just to have a solid connection, only with pfBlocker.

Now, as my ISP has informed me that they will deploy 10 and 1Gb FTTH connections during the summer, I would like to use that "excuse" to upgrade my networking gear. This includes a switch with SFP+ ports.
So, what device (a used enterprise thin/thick client or server) can I put on my list as a solid candidate able to route a 10Gb connection on the LAN side and 1Gb on the WAN side (still undecided)?
For starters, that device would need a PCI slot to connect at least 2 SFP+ NICs.
Still learning here: what CPU computing power is needed to manage that kind of connection?

LodeRunner

Active Member
Apr 27, 2019
What CPU is in that T620 Plus? Looks like there are 3 variants. 10G routing isn't really that difficult, but filtering will hit the CPU. I only have gig WAN at home; my OPNsense setup is a VM running with 4 cores assigned (host is Xeon E5-2667 V2) and 4 GB of RAM; it's doing routing, basic allow/deny firewall rules, OpenVPN, and some IPsec tunnels. It passes gigabit traffic no problem, but I don't have a good way to see if it can handle a 10G flow.

Dual 10G cards are quite easy to come by on eBay, at least in the US. The Intel X520-DA2, with LP and standard height brackets is readily available, usually around $90 a card.

Your post reminded me I had disabled Suricata on OPNsense, so I'll be turning that back on and testing later today to see what it does to my throughput.

Edit: in IPS mode, Suricata on my setup was doing 940 Mbps in both directions.

mobycl1ck

New Member
Feb 20, 2022
My T620 box sports the AMD GX-420CA SOC with Radeon(tm) HD Graphics.

LodeRunner said:
Dual 10G cards are quite easy to come by on eBay, at least in the US. The Intel X520-DA2, with LP and standard height brackets is readily available, usually around $90 a card.

I was under the impression that they were cheaper on eBay. Maybe I am wrong.

LodeRunner

Active Member
Apr 27, 2019
There are Dell branded ones for less, and the price is always going to vary based on availability. There are other dual port cards like Broadcom or Mellanox that can be had for less at times. I believe those also have good driver support under BSD.

Sealside

Active Member
May 10, 2019
I'm doing 10G routing on my LAN in the switch directly rather than going to my pfSense box. Most enterprise gear will support this, as well as inter-VLAN routing.
I also have a T620p but I haven't deployed it yet; still running a Qotom i5 for my 1G WAN.

I don't think the T620p is beefy enough to firewall 10G with pfSense.

unmesh

Active Member
Apr 17, 2017
@Sealside

Can you say more about your setup? I have an L3-capable core switch in my LAN but could never figure out how to have it play nice with pfSense and am therefore using it as an L2+ switch.

LodeRunner

Active Member
Apr 27, 2019
So the syntax will vary based on your switch, but the gist of it is:
  • Each VLAN that will be routed needs an IP address
  • Clients in routed VLANs will use the VLAN IP as their gateway
  • The switch needs a VLAN to the firewall, I typically choose a subnet in a different RFC1918 space for this 'transit' VLAN
  • The switch will have the firewall IP in the transit VLAN as its default route
  • The firewall needs reverse routes set for each VLAN using the transit VLAN IP of the switch as the gateway
  • Since you are using pfSense, I believe you will need DHCP to be handled elsewhere and appropriate DHCP helper statements need to be set if one DHCP server is serving multiple pools.
Here's a Brocade syntax example and screenshots from the Windows DHCP server and pfSense firewall:

Code:
ICX7150-C12 Router#sh run
Current configuration:
!
ver 08.0.95eT213
!
stack unit 1
  module 1 icx7150-c12-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-2-sfp-plus-port-20g-module
  stack-port 1/3/1
  stack-port 1/3/2
!
global-stp
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 11 by port
tagged ethe 1/1/1
untagged ethe 1/1/11
router-interface ve 11
!
vlan 12 by port
tagged ethe 1/1/1
untagged ethe 1/1/3
router-interface ve 12
!
vlan 20 by port
tagged ethe 1/1/1
router-interface ve 20
!
ip dhcp-client disable
ip route 0.0.0.0/0 172.16.21.2
!

!
interface ve 11
ip address 10.100.11.1 255.255.255.0
!
interface ve 12
ip address 10.100.12.1 255.255.255.0
ip helper-address 1 10.100.11.2
!
interface ve 20
ip address 172.16.21.1 255.255.255.0
end

Switch IP and route tables:
Code:
ICX7150-C12 Router#sh ip add
        IP Address       Type      Lease Time       Interface
       10.100.11.1       Static    N/A             ve11
       10.100.12.1       Static    N/A             ve12
       172.16.21.1       Static    N/A             ve20
ICX7150-C12 Router#sh ip rout
Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - v:Inter-VRF
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          172.16.21.2     ve 20         1/1           S    18m57s
2       10.100.11.0/24     DIRECT          ve 11         0/0           D    26m26s
3       10.100.12.0/24     DIRECT          ve 12         0/0           D    28m5s
4       172.16.21.0/24     DIRECT          ve 20         0/0           D    19m28s
ICX7150-C12 Router#
pfSense gateway and routes:

Windows VM in VLAN 11, IP 10.100.11.2/24, running DHCP server, showing client with IP 10.100.12.2/24:
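A worked check of that design, added here rather than taken from LodeRunner's post: it parses a trimmed copy of the switch config above and derives the reverse routes pfSense needs, plus any client VLAN that no DHCP server can reach; note that traffic between ve 11 and ve 12 is routed on the switch and never crosses pfSense, so any filtering between those VLANs has to be done with the switch's own ACLs. The config sample and the DHCP server list are constructed from the values in the post.

```python
import ipaddress
import re

# Constructed sample, trimmed from the Brocade `sh run` output posted above.
SWITCH_CONFIG = """\
ip route 0.0.0.0/0 172.16.21.2
interface ve 11
ip address 10.100.11.1 255.255.255.0
interface ve 12
ip address 10.100.12.1 255.255.255.0
ip helper-address 1 10.100.11.2
!
interface ve 20
ip address 172.16.21.1 255.255.255.0
end
"""

def parse_switch(config):
    """Return (default_gw, {ve_id: {"ip", "net", "helpers"}}) from a Brocade-style config."""
    default_gw, ves, cur = None, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface ve (\d+)", line):
            cur = int(m.group(1))
            ves[cur] = {"helpers": []}
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0/0 (\S+)", line):
            default_gw = ipaddress.ip_address(m.group(1))
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            ves[cur]["ip"], ves[cur]["net"] = iface.ip, iface.network
        elif cur is not None and (m := re.fullmatch(r"ip helper-address \d+ (\S+)", line)):
            ves[cur]["helpers"].append(ipaddress.ip_address(m.group(1)))
        elif line in ("!", "end"):
            cur = None
    return default_gw, ves

def transit_ip(default_gw, ves):
    """Switch IP in the transit VLAN: the one VE whose subnet contains the default gateway (pfSense)."""
    (hit,) = [v["ip"] for v in ves.values() if default_gw in v["net"]]  # ValueError unless exactly one
    return hit

def pfsense_static_routes(default_gw, ves):
    """Reverse routes pfSense needs: every routed LAN subnet via the switch's transit IP."""
    via = transit_ip(default_gw, ves)
    return sorted((str(v["net"]), str(via)) for v in ves.values() if v["ip"] != via)

def vlans_without_dhcp(default_gw, ves, dhcp_servers):
    """Client VLANs (transit excluded) with neither an in-subnet DHCP server nor a helper to one."""
    via, servers = transit_ip(default_gw, ves), {ipaddress.ip_address(s) for s in dhcp_servers}
    return sorted(vid for vid, v in ves.items() if v["ip"] != via
                  and not any(s in v["net"] for s in servers) and not servers & set(v["helpers"]))
```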

unmesh

Active Member
Apr 17, 2017
I think I understand at least the network architecture and will need to find time to trial it.

Thanks