Looking to build a firewall - recommendations?

Discussion in 'DIY Server and Workstation Builds' started by denisl, Jan 12, 2016.

  1. denisl

    denisl Member

    I'm a novice slowly building out some equipment in my house and would like to add some security for my network. I have a couple of VMs accessible over the internet, one of which is ownCloud, that I'd like to protect/harden. Is pfSense the way to go? I read about Sophos as well and I'm really not sure what's best for me. Although I do enjoy all this, my time is limited, so something with a quick setup time is preferred. But I don't want to spend $700 on a prebuilt pfSense appliance. I was thinking of pfSense with Snort for IDS.

    My question is both HW and SW. I was thinking a 1U Atom 525 off eBay for $100 and pfSense/Snort.

    Any considerations I should be thinking about?
    Thanks
     
    #1
  2. NSKA

    NSKA Active Member

    #2
  3. denisl

    denisl Member

    Thanks for the reply. How does that R210 compare to an Atom 1U server in power and fan noise?
    I already have 2 servers in the rack: 1 Dell R710 (running my backups) and 1 Supermicro running VMware.
    I'm looking for something with low noise, reliable and ideally low power, but I would sacrifice power consumption for quietness.
     
    #3
  4. NSKA

    NSKA Active Member

    The R210 is really quiet; I was happily surprised.
     
    #4
  5. MiniKnight

    MiniKnight Well-Known Member

    How much traffic are you pushing? Do you have a 100Mbps WAN, 1Gb WAN, 10Gb WAN?

    Any VPNs? I'm still a big proponent of using the C2558 or C2758 as they're awesome for pfSense. An A1SRi-2758F or the like.

    Check out pfSense with suricata as well.
     
    #5
  6. Alfa147x

    Alfa147x Member

    I would also consider the low power AMD chips for this. They're cheap (especially when on sale) and efficient. I bought the AMD 3850 Kabini + MSI AM1I for my Sophos box.
     
    #6
  7. Churchill

    Churchill Admiral

    Bought a 1U Supermicro Xeon server off Mr. Rackables on eBay for $160 shipped. 8GB RAM, quad core, dual Intel GbE NICs. Installed pfSense and am very happy with the result.
     
    #7
  8. mstone

    mstone Active Member

    Bandwidth is a pretty important factor. Most of the solutions discussed fall into the category of "overkill" for a typical home network, and the answer is basically "buy anything you like".
     
    #8
  9. Jeggs101

    Jeggs101 Well-Known Member

    Can I add something to this discussion?

    You want low power. This is on 24/7. Quiet is nice, but the power to run it and the extra air conditioning will matter.

    You also want reliable.

    Finally, get something with encryption acceleration. It isn't cutting edge tech anymore as even the low end mobile chips have it.
     
    #9
  10. canta

    canta Active Member

    And the A4-5000 quad-core mini-ITX is cheap, and uses desktop DDR3. Dual slots.
    I am using it now to replace a poor J1800 dual-core mini-ITX.

    The A4-5000 has hardware AES.
    It consumes 5W more than the J1800.

    BTW, the A4-5000 is running Proxmox 4,
    with the router and 3 VMs.
    Installed 16GB and went back to 8GB RAM since that is more adequate.

    Without the SM blower fans and with 2 extra fans from a Lenovo TS140, it consumes 15W on average, with the router and 3 non-GUI Linux VMs.

    I bought it for $35 from jet.com when they had $15 off for first-time buyers.
     
    #10
  11. Alfa147x

    Alfa147x Member

    Is that the AES instruction set for CPUs or another piece? When does encryption acceleration mostly get used when dealing with firewalls? VPN connections?

    Here is a partial list I found. Surprisingly my AMD A8 has AES, but I'm not sure if it's being used or not.

    Looks like AMD added AES with the release of the Jaguar family.
     
    #11
    Last edited: Jan 13, 2016
  12. Jeggs101

    Jeggs101 Well-Known Member

    VPN is the big one. HTTPS is another good use I think.
     
    #12
  13. CreoleLakerFan

    CreoleLakerFan Active Member

    I put together a pfSense box a little over a year ago. I paired a G2 mini-ITX board with a 2450M. Added the 4-port Intel GbE daughtercard and put in a 24GB mSATA SSD. Threw in 2x2GB worth of SODIMMs and put pfSense on it.

    Massive, massive, massive overkill for home use: it averaged about 1-2% utilization. I ended up swapping out the CPU for a 3610M and 16GB from a laptop I wasn't using. I added a Samsung 843T for a datastore and made it my ESXi server. The pfSense VM averages about 5% utilization w/ 2 vCPUs. The whole thing draws ~37W from the wall.
     
    #13
  14. canta

    canta Active Member

    True, even the low-end A4-5000 has AES included in the CPU, plus extra features that are not used as of today.

    I recommended the A4-5000 as a headless workhorse, or the N3150 (Intel) that has AES...
    The J1900 does not have AES (why did you do that, Intel? why hicks)....

    On Proxmox, I had to select direct CPU access to utilize AES in the VM, since the virtualized CPU does not allow access to the HW AES in the real CPU.

    For the cheapest, it is the AMD A4-5000 or AM1 :D. I picked a SoC mini-ITX because it is cheap :D, and added an i340 dual NIC, since it has 4x PCIe 2 in a 16x slot.

    On a router -> VPN is the damn issue with many encrypted connections. HW AES helps a lot!!

    Or if you need ECC support, you can get some AM1 motherboards that hiddenly support ECC UDIMM :D
    Stay away from the FM socket.
     
    #14
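    Checking whether the CPU's AES flag actually reaches the guest, as canta describes above for Proxmox and Alfa147x asks about for the A8. This is an added example, not code from the thread; the two cpuinfo files are constructed samples, and the "host" CPU-type remedy in the comment is the standard KVM/Proxmox way of passing the real CPU's instruction set through to a VM.

```shell
#!/bin/sh
# Added example (not from the thread): does this CPU, bare metal or VM guest,
# expose the AES-NI "aes" flag that OpenSSL/OpenVPN need for hardware AES?
# Works on a /proc/cpuinfo-style file; pfSense (FreeBSD) shows the same
# information as "Hardware crypto" on its dashboard instead.

# Return 0 if every "flags" line in the cpuinfo file lists "aes" as a whole word.
cpu_has_aes() {
    cpuinfo="$1"
    flags_lines=$(grep '^flags' "$cpuinfo")
    [ -n "$flags_lines" ] || return 1
    # any logical CPU without the flag means the guest cannot rely on AES-NI
    if echo "$flags_lines" | grep -vw 'aes' >/dev/null; then
        return 1
    fi
    return 0
}

# Print a verdict plus the most likely cause when the flag is missing.
report_aes() {
    if cpu_has_aes "$1"; then
        echo "aes flag present: OpenSSL/OpenVPN can use AES-NI"
    else
        echo "aes flag missing: either the CPU lacks AES-NI (e.g. a Bay Trail J1900)"
        echo "or the hypervisor presents a generic CPU model; on Proxmox/KVM set"
        echo "the VM's CPU type to 'host' so the guest sees the real flags"
    fi
}

# Constructed samples: an A4-5000-like CPU with aes, and a J1900-like one without.
with_aes=$(mktemp)
without_aes=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 aes avx\nprocessor\t: 1\nflags\t\t: fpu sse2 ssse3 aes avx\n' > "$with_aes"
printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3\nprocessor\t: 1\nflags\t\t: fpu sse2 ssse3\n' > "$without_aes"

report_aes "$with_aes"
report_aes "$without_aes"
# Finally check the machine this script is running on, if it is Linux.
if [ -r /proc/cpuinfo ]; then
    report_aes /proc/cpuinfo
fi
```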
  15. RobertFontaine

    RobertFontaine Active Member

    With pfSense et al. having such low CPU requirements, doesn't virtualization start to make a lot more sense? You could set up all your miscellaneous servers (LAMP, mail, FTP...) in different environments on the box and the CPU would still never get warm.

    I've been looking at Sophos rather than pfSense and even wondering why we mix routers and firewalls in the same environment. With modern virtualization, doesn't it make more sense to separate these two functions? Sorry if that's a naive question, but if one is using the router for LAN as well as WAN it seems like it might be a bad idea one day?
     
    #15
    Last edited: Jan 13, 2016
    CreoleLakerFan likes this.
  16. mstone

    mstone Active Member

    Dealing with a hosed-up VM environment without a working network sucks. Yes, you can easily virtualize a firewall on almost any hardware these days, but that doesn't make it a great idea.
     
    #16
    Quasduco likes this.
  17. CreoleLakerFan

    CreoleLakerFan Active Member

    Lots of folks on STH have virtualized their firewalls. I don't think I'd do it in a large production environment, but for home, lab, or my clients who outsource all of their small business needs it works great.
     
    #17
  18. RobertFontaine

    RobertFontaine Active Member

    I am unaware of a single instance of anyone breaking out of a type-1-ish hypervisor. KVM, Xen, ESXi...

    Why is this a bad idea? I don't see the issue.

    As to a hosed-up VM... This is the point of having VMs. Instant restore to a working state, transfer to other hardware... Virtualization adds a bunch of failsafes that a spare bare-metal server has a tough time matching.
     
    #18
    Last edited: Jan 13, 2016
  19. Alfa147x

    Alfa147x Member


    Whoa, this might be a game changer. I did a quick search but didn't find any info about AM1 running ECC memory. Any links?

    Any idea if Sophos UTM or pfSense would benefit from ECC?
     
    #19
  20. RobertFontaine

    RobertFontaine Active Member

    Any production server has ECC as a requirement. Kind of like avoiding the write hole in RAID. In production it is worthwhile to mitigate your risks. DDR3 ECC is so affordable I don't even consider non-error-correcting RAM. I haven't had to price DDR4 lately and am hoping it keeps dropping.
     
    #20