Firewall Selection 2G WAN (40G/10G/1G LAN)

AJXCR

Active Member
Jan 20, 2017

All,

I think I'd like to move my pfSense firewall out of its current virtual environment in preparation for the 2G up/down fiber installation in my home next week (or so they tell me). As usual, this is not my area of expertise... yet. I was hoping the forum might be able to offer some insight. The LAN will be a mix of 40G, 10G, and 1G. As mentioned above, the WAN will be 2G up/down.

Thoughts were:
Build a relatively high spec dedicated pfSense box

Look for a great deal on a dedicated.. Any thoughts on the following?

Palo Alto PA-4050 firewall
Fortinet FortiGate 1240B
Juniper Networks NSMXpress NSM NS-SM-A-BSE

It looks like some of these might require a subscription based service?

What would you guys recommend?

Any help/thoughts would be very much appreciated.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015

I have no experience with WAN circuits that fast... :confused: jealous of that setup!

Any data cap? Or limits, like no servers running 24/7 doing 'stuff', etc.? That'd be my concern, if of course you're using it for any of that.


I'd love to swap out my 20Mbit limit/cap for 2Gig and a 20Mbit cap based on 24/7 utilization hehe
 

cliffr

Member
Apr 2, 2017

If you're just going WAN, pfSense with Xeon D or E3 will be no problem using a Chelsio 10G NIC.

With the others I'd worry about subscription costs.

If you aren't price sensitive, and don't care about power then I'd do PAN or Forti.

That Forti I don't see a 10G NIC on. Funny looking. It's like a Supermicro server and a switch had an offspring.
 

Evan

Well-Known Member
Jan 6, 2016

Isn't a 'B' Fortinet device very old? We are up to 'E', so I would expect even used to only buy 'D' models. Having said that, you can check the specs and see the newer ones have much better performance.

Are you after UTM? The Fortinet license subscription is for UTM; a straight firewall is perpetual.

When I was looking for myself, to handle even 1G you start to spend a lot of $$ or use pfSense on good hardware. Or accept less performance with UTM etc.; at home, if you end up with some traffic limited to 350M, do you care?
 

namike

Member
Sep 2, 2014

How is the provider handing off the circuit to you? Are they providing you with your own CPE equipment? Since 2G speed is not super widespread, I would assume they will be giving you some type of router/FW to terminate the circuit into?
 

AJXCR

Active Member
Jan 20, 2017

> I have no experience with WAN circuits that fast... :confused: jealous of that setup!
>
> Any data cap? Or limits, like no servers running 24/7 doing 'stuff', etc.? That'd be my concern, if of course you're using it for any of that.

If you're referring to a data cap from the ISP, no. 100% contractually unlimited.

> I'd love to swap out my 20Mbit limit/cap for 2Gig and a 20Mbit cap based on 24/7 utilization hehe

I was stuck with a 40Mb connection through AT&T U-verse for years. It was slow, but they also failed miserably when it came to static IPs. Every single month (like clockwork) my block would be disassociated from my account. They were never able to resolve this and ultimately told me that it was a known but unresolved bug. I wasted hundreds of hours on this as it coincided with my introduction to servers/server software/management/administration. It was not an insignificant factor in my decision to move.
 

AJXCR

Active Member
Jan 20, 2017

> If you're just going WAN, pfSense with Xeon D or E3 will be no problem using a Chelsio 10G NIC.

Although I hate to admit it, my network design and implementation skills are kindergarten level... but I'm a really fast learner.

While I'm waiting for the 2G to go in, my current network is:
WAN to NIC1 on Hyper-V pfSense
Internal LAN1 on lab domain
NIC2 for LAN2 to cheap 1G switch for non-domain subnet (general personal use)

Soon to be put into service:
T580 from FreeNAS box
T580 from primary virtualization server
T580 from workstation
Gnodal GS7200

I'm all ears here... the goal is to have an extremely high speed LAN (probably multiple VLANs) that can be reached remotely (both from external field offices and random locations by me). I was thinking this might be accomplished via some combination of RDS and VPNs.

I really couldn't care less about the general use network. I don't have time for Netflix anyway.

> With the others I'd worry about subscription costs.

What kind of costs are we talking about? How are they calculated?

> If you aren't price sensitive, and don't care about power then I'd do PAN or Forti.
>
> That Forti I don't see a 10G NIC on. Funny looking. It's like a Supermicro server and a switch had an offspring.

I'm always price sensitive... I don't have any problem spending money, but it has to be spent on something where my value/$ and/or residual value numbers are favorable.
 

AJXCR

Active Member
Jan 20, 2017

> Isn't a 'B' Fortinet device very old? We are up to 'E', so I would expect even used to only buy 'D' models. Having said that, you can check the specs and see the newer ones have much better performance.
>
> Are you after UTM? The Fortinet license subscription is for UTM; a straight firewall is perpetual.
>
> When I was looking for myself, to handle even 1G you start to spend a lot of $$ or use pfSense on good hardware. Or accept less performance with UTM etc.; at home, if you end up with some traffic limited to 350M, do you care?

What is UTM?

I'd be more than happy to throw together a pfSense box with a pair of 2667 v3s or maybe a 1660 v4, SSDs, multiple T580s, etc. if that will get the job done (and the software can handle it). A few other posts seemed to imply that pfSense was limited when you started trying to push a lot of data.
 

AJXCR

Active Member
Jan 20, 2017

> How is the provider handing off the circuit to you? Are they providing you with your own CPE equipment? Since 2G speed is not super widespread, I would assume they will be giving you some type of router/FW to terminate the circuit into?

The ISP provides a Juniper ACX2100, but the person I spoke with over the phone (of questionable knowledge) said that it was not going to be user configurable.
 

Evan

Well-Known Member
Jan 6, 2016

UTM is Unified Threat Management.
Essentially tools like Snort inspecting data, virus checking, URL checking against a DB of known problem sites, etc.
 

AJXCR

Active Member
Jan 20, 2017

> UTM is Unified Threat Management.
> Essentially tools like Snort inspecting data, virus checking, URL checking against a DB of known problem sites, etc.

Sounds like a handy feature... I would assume this comes at the expense of greatly increased processor overhead and reduced throughput capability?
 

AJXCR

Active Member
Jan 20, 2017

Alright, looking at the link provided by @spectrumknight it would appear that on a hardware basis, their top of the range XG-1541 1U HA could easily be duplicated or exceeded with parts I mainly have on hand. Is there anything special about the pre-built appliances I might be missing?

Does anyone have any input regarding pfSense & fiber?
 

Evan

Well-Known Member
Jan 6, 2016

> Sounds like a handy feature... I would assume this comes at the expense of greatly increased processor overhead and reduced throughput capability?

Yes, exactly. It needs lots of processing power, and only things like your Xeon-D rig or very high end firewalls will handle the bandwidth you're talking about.
With low-end appliances from any provider like Cisco, Palo Alto, Fortinet, etc., when running the UTM functions the throughput drops dramatically.

In summary, for what you need a custom-built system will be better at the lower-cost end of the spectrum.

If you just want basic firewall and routing then some lower end devices will do.
 

AJXCR

Active Member
Jan 20, 2017

> Yes, exactly. It needs lots of processing power, and only things like your Xeon-D rig or very high end firewalls will handle the bandwidth you're talking about.
> With low-end appliances from any provider like Cisco, Palo Alto, Fortinet, etc., when running the UTM functions the throughput drops dramatically.
>
> In summary, for what you need a custom-built system will be better at the lower-cost end of the spectrum.
>
> If you just want basic firewall and routing then some lower end devices will do.

Does pfSense have UTM capability provided that the hardware is capable? ...and if so, is it comparable to boxed solutions from big names?
 

Biren78

Active Member
Jan 16, 2013

pfSense free is not as good. There are paid blacklists that help. The real UTMs have nicer features.
 

Evan

Well-Known Member
Jan 6, 2016

> Does pfSense have UTM capability provided that the hardware is capable? ...and if so, is it comparable to boxed solutions from big names?

The big names like Cisco actually use their own version of things like Snort for IDS/IPS, and pfSense is OK, but it's ideal to add some subscription rule lists; if it's a home user there are some cheap personal subscriptions.
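
To make concrete what "tools like Snort inspecting data" and a paid blocklist actually do compared with a plain port-based firewall rule, and why the UTM path costs so much more CPU, here is an added Python example. It is not pfSense, Snort or Fortinet code and was not posted by anyone in this thread. It parses a small subset of Snort's rule syntax (the header plus the msg, content and nocase options), scans constructed HTTP payloads with those rules, checks the HTTP Host header against a constructed blocklist, and counts how many payload bytes each approach has to read. The rules, packets, addresses and blocklist are all made up for the example.

```python
"""Toy UTM inspection vs. plain port filtering (constructed example).

Illustration only: not pfSense, Snort or Fortinet code. Understands a small
subset of Snort's rule syntax: alert proto src sport -> dst dport (msg; content; nocase).
Rules, packets, addresses and the blocklist below are all made up.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    proto: str
    dport: str      # destination port as written in the rule, or "any"
    msg: str
    content: bytes
    nocase: bool


# Rule header: only the protocol and destination port are used by this toy.
RULE_RE = re.compile(r'alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$')
# Rule options: a bare keyword or keyword:"value", each terminated by ';'.
OPT_RE = re.compile(r'(\w+)(?::\s*"([^"]*)")?\s*;')


def parse_rule(text: str) -> Rule:
    """Parse one alert rule; only the msg, content and nocase options are understood."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    proto, dport, opts = m.groups()
    msg, content, nocase = "", b"", False
    for name, value in OPT_RE.findall(opts):
        if name == "msg":
            msg = value
        elif name == "content":
            content = value.encode()   # Snort's |hex| byte notation is not handled
        elif name == "nocase":
            nocase = True
    if not content:
        raise ValueError("rule has no content option: " + text)
    return Rule(proto.lower(), dport, msg, content, nocase)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first, then the expensive part: a substring scan of the payload."""
    if rule.proto != pkt.proto.lower():
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def http_host(payload: bytes):
    """Return the lower-cased HTTP Host header value, or None if there is none."""
    m = re.search(rb'\r\nHost:[ \t]*([^\r\n]+)', payload, re.IGNORECASE)
    return m.group(1).strip().decode("ascii", "replace").lower() if m else None


def firewall_only(packets, allowed_dports):
    """Plain stateless port filtering: the decision uses header fields only, so
    zero payload bytes are read. Returns (allowed packets, payload bytes read)."""
    return [p for p in packets if p.dport in allowed_dports], 0


def utm_inspect(packets, rules, blocklist):
    """UTM-style inspection: every payload is scanned against every rule (a naive
    per-rule scan; real engines use multi-pattern matchers but still touch every
    byte) plus a Host-header blocklist lookup. Returns (alerts, bytes scanned)."""
    alerts, scanned = [], 0
    for pkt in packets:
        for rule in rules:
            scanned += len(pkt.payload)
            if rule_matches(rule, pkt):
                alerts.append((rule.msg, pkt.src, pkt.dst, pkt.dport))
        host = http_host(pkt.payload)
        if host and host in blocklist:
            alerts.append(("blocklisted host " + host, pkt.src, pkt.dst, pkt.dport))
    return alerts, scanned


# Constructed rules in Snort-like syntax (not taken from any real rule feed).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"Suspicious User-Agent"; content:"EvilBot"; nocase;)',
    'alert tcp any any -> any any (msg:"EICAR test file"; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE";)',
]]
# Constructed blocklist; a real one would come from the subscription feeds discussed above.
BLOCKLIST = {"malware.example"}
# Constructed traffic from a lab VLAN (10.0.20.0/24) to documentation-range addresses.
PACKETS = [
    Packet("tcp", "10.0.20.5", 51000, "203.0.113.10", 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    Packet("tcp", "10.0.20.5", 51001, "203.0.113.10", 80,
           b"GET /admin HTTP/1.1\r\nHost: example.com\r\nUser-Agent: evilbot/1.0\r\n\r\n"),
    Packet("tcp", "10.0.20.7", 51002, "198.51.100.9", 80,
           b"GET /dl.bin HTTP/1.1\r\nHost: malware.example\r\n\r\n"),
    Packet("tcp", "10.0.20.7", 51003, "198.51.100.9", 8080,
           b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"),
]

if __name__ == "__main__":
    allowed, read = firewall_only(PACKETS, {80})
    print(f"port filter: {len(allowed)}/{len(PACKETS)} packets allowed, {read} payload bytes read")
    alerts, scanned = utm_inspect(PACKETS, RULES, BLOCKLIST)
    print(f"UTM: {len(alerts)} alerts, {scanned} payload bytes scanned")
    for alert in alerts:
        print("  ", alert)
```

Running it shows the plain port filter passing three of the four packets, including both malicious HTTP requests on port 80, without reading a single payload byte, while the UTM pass raises three alerts (the bad User-Agent, the blocklisted host, and the EICAR string on a non-standard port that a port-only rule would never look at) and has to scan every payload once per rule. That per-byte, per-rule work is why the UTM throughput on an appliance datasheet is so much lower than its plain firewall number, and why it scales with CPU rather than with NIC speed.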
 

Evan

Well-Known Member
Jan 6, 2016

> pfSense free is not as good. There are paid blacklists that help. The real UTMs have nicer features.

Yes, I would agree with this, and things like the ASA5506-X and FortiGate 60E look like great functions and not too expensive, but when looking at full UTM functions the throughput drops a lot.
 

AJXCR

Active Member
Jan 20, 2017

> The big names like Cisco actually use their own version of things like Snort for IDS/IPS, and pfSense is OK, but it's ideal to add some subscription rule lists; if it's a home user there are some cheap personal subscriptions.

This would be initially used in my home office and ultimately moved to our corporate office... I like to thoroughly "test" all of the interesting new tech I run across/buy/assemble for some period of time before giving it up. Test duration is typically directly proportional to how fun said item is to use :D