> Maybe I'm missing something...

Erm, it's not just a router... the more advanced firewalls are doing SSL/TLS inspection - decrypt/packet inspection/re-encrypt, so the CPU load is way more than just L3 forwarding.
I can do any pfSense package you can think of with symmetric gigabit routing, and a tiny system at that, with < $60 worth of hardware. Is it fanless? Nope. So what? It (among other things in my rack) sits in a corner of my basement, away from anything else. Why are we spending 100s if not thousands!! for a router??
> If aliexpress.com can ship to the UK, the 6-port or 8-port mini PC in the Qotom official store may be a good choice. (link)
> But since it uses 1Gbps Intel NICs, bonding or LACP between router and switch is needed for 1.2Gbps and up.
> For 1Gbps and less, the 4-port ones should be good.

Thanks - the Qotom offerings are similar to the Kettop box that I mentioned at the top of the thread. There are a few of these vendors doing cheap 4x1G or 6x1G boxes, specifically for pfSense and similar uses.
> The E302-9D is a comedy option, as spending $1500 (Europe tax + other components) for a home router is a bit silly. The Xeon-D motherboard I linked, once you add in an inexpensive chassis, RAM, and SSD, is going to be 1/5th the price, and even then it's likely more than you need.

Well, $1500 is certainly above my budget.
> As computer hardware only depreciates, you might just be better off getting the cheapest option that will fit your needs today and then upgrade further down the line instead of paying a premium for it now.

Yeah, the eternal dilemma of IT... buy now or wait for something better. Assuming I buy the 1Gbit/s package from my ISP then I could certainly live with a 1G solution today. That would put me in the Qotom/Kettop price bracket. But the saving is the difference between $550 for the Kettop box and $650 for the X10SDV-4C-TLN2F - it's not really that much more for a Passmark score of 6017 for the Xeon versus 3403 for the Kettop box, and 10G interfaces instead of 1G. Even if the performance of the Xeon is only 2Gbit/s, the additional cost is then about 15% for 2x the performance. I'd certainly spend $100 more now to avoid spending $650 in 2 years' time.
> So given the fact that OP is in the UK, it got me thinking what good options there are for buying gear.
> So here are some stray thoughts:
> To be honest my personal favorite is the fanless quad core from Jetway (sold by mini-itx); obviously it will not do >1G on one interface, but the price is really nice and, as I mentioned before, internal traffic really ought to be handled by a L3 switch.
> - Consider looking at mini-itx.com, they have loads of mini PC / appliance style devices, like:
>   - This Core i5 mini PC from Gigabyte with 1x 2.5G LAN and 1x 1G for approx 400 GBP (they have i3 and i7 versions too)
>   - This fanless quad 1G LAN (Intel) with an N3160 (quad core, I believe it is essentially an "Atom" core) for 330 GBP
>     - It should be plenty fast for 1G (>1G when aggregating bandwidth on all ports simultaneously), but keep in mind that the N3160 is a bit old (IMO the price offsets this)
> - mini-itx also sells various Asrock Rack boards, like this C3558 for ~360 GBP; add in a NIC like this one, some cheap 8GB sticks and your case of choice that supports a PCIe slot, and you should still have some change (could be used to upgrade to the C3758 version)
> - You may also want to consider some of the UK sellers on eBay.
>   - Before Brexit I bought a nice board from fixedasset-sales; it may be worth it to keep an eye out for what they have (I believe they have had more than one listing posted on the best deals section)
> - Similar to the Asrock C3558, you could also consider this board; while it is only a 2-core board, it has a decent amount of ports, the ability to take an add-in card, and probably enough CPU performance to route >1G (but probably not 10G)

Thanks! - will take a look. There are loads of options to consider...
> Erm, it's not just a router... the more advanced firewalls are doing SSL/TLS inspection - decrypt/packet inspection/re-encrypt, so the CPU load is way more than just L3 forwarding.

Your original post says "pfSense hardware". Are you doing "SSL/TLS inspection - decrypt/packet inspection/re-encrypt" with pfSense?
What $60 hardware are you using that can do 1G symmetric with firewalling, IDS and IPS enabled? I'm genuinely interested.
> Well, $1500 is certainly above my budget.
> I'm just looking at pricing for that SuperMicro X10SDV-4C-TLN2F. A US seller has one on offer 2nd hand and will ship to the UK for $229, $19 shipping and $57 import; total $305.
> Case £50, nano 12V PSU and AC/DC adapter block £79, 2x8GB unbuffered ECC £90, SSD 128GB £25. Total £244 or $344 for the parts, added to $305, call it $650 in total. I haven't added a case fan - this particular eBay seller is including a CPU fan.

Technically that board does not require a PicoPSU, it accepts 12V in directly (though you will need to buy the proper converter from 12V barrel to the P4 plug).
> Your original post says "pfSense hardware". Are you doing "SSL/TLS inspection - decrypt/packet inspection/re-encrypt" with pfSense?

Suricata is a nice-to-have. I don't know whether it does the re-encrypt part.
> p.s. The CPU in my $60 hardware is an i5-3570s, a 3.1GHz 4C/4T CPU. Way more than enough. I've yet to see it above 30% usage with a number of things (including 1Gb routing) at full tilt.

Thank you. That's exactly the sort of information I was hoping for. Not sure if Passmark is a reliable indicator here, but that CPU gets a Passmark score about 1.3x higher than the Core i5-7200U I was originally looking at. So, given your 70% headroom, the Core i5-7200U would be fine and would see a load of maybe around 50% or so. It also confirms my original suspicion that the Kettop/Qotom/etc offerings based on the Celeron 3865U and similar are underpowered for this task.
> Technically that board does not require a PicoPSU, it accepts 12V in directly (though you will need to buy the proper converter from 12V barrel to the P4 plug).
> You also do not have to buy unbuffered memory; it supports RDIMMs, so something like a pair of these should be cheaper (20 GBP each + shipping).

Thanks! I had a quick look at the Jetway website as well and it's well organised, with drivers, manuals, etc.
> Ever hear the phrase "happy wife, happy life"? Every time I have virtualized pfSense I regret it. When you have to cancel plans or work on an ESXi host for HOURS longer than it was supposed to take, there is something to be said about the internet not being down at the same time.

You make some very good points... I've pretty much decided to buy some dedicated hardware, plus I'm fairly unhappy about the thought of connecting ESXi directly to the internet.
> You make some very good points... I've pretty much decided to buy some dedicated hardware, plus I'm fairly unhappy about the thought of connecting ESXi directly to the internet.

1. If I had to let any OS connect directly to the internet, ESXi would be one of the few I'll allow. It is hardened, secure, very low attack footprint, and by default, does almost nothing until you tell it to.
> 1. If I had to let any OS connect directly to the internet, ESXi would be one of the few I'll allow. It is hardened, secure, very low attack footprint, and by default, does almost nothing until you tell it to.

And ESXi is so widely used that it is virtually guaranteed to have a backdoor for some agencies.
> 2. This is the kind of situation where a managed L3 switch comes in handy. You terminate your WAN on your core switch, in a dedicated VLAN. From there nothing can access it, unless they are on that VLAN, which is stupid easy to control. Then it doesn't matter if your router/FW is bare metal or virtual.

Using a switch to terminate the internet connection is a viable solution; a L2 switch with VLANs is sufficient, it does not have to be L3.
Ever hear the phrase "happy wife, happy life"?
> guaranteed to have a backdoor for some agencies.

I didn't realize we were trying to prevent State level actors from getting into your network. If that's the case, ESXi or pfSense is the least of your worries.
> a L2 switch with VLANs is sufficient

My apologies, I was gonna write "managed switch" without the L3 part, but somehow ended up writing that. Probably because L3 routing at the switch makes a lot of sense, is how I run my network, and is quite performant. But yes, L2 would be just fine.
> I strongly disagree with a virtualized firewall. First I would not virtualize anything security related and second nothing that everything else (including your family) depends on should go out of production with the virtualization host:

While agreeing generally with this, it's not black and white. There are commercial FW products that offer VM images for their products and have produced benchmarks validating the design, compared to bare metal, and virtualized works just fine.