Looking to build a firewall - recommendations?


mstone

Active Member
Mar 11, 2015
Also, I don't think four AMD Jaguar "cores" are like 4 of the Intel cores. AMD Athlon 5150 Benchmarks and Review – AM1 APU is quad core 1.6GHz, so the 1GHz would be 38% lower performance?
It will have more than enough power for a home firewall, and draw <6W in a box with no moving parts for ~$150. Sweet machine if they manage to recover from the support failures with the APU1. It's just a sign of Intel's market dominance that they get to define and redefine "real" for the fanboys; note that Intel just doesn't have a product for that niche, so the best they can do is claim that it isn't valid. Once they have a product, then they will have invented that niche.
 

mstone

Active Member
Mar 11, 2015
My understanding of the issues with the BIOS was that it was mostly due to an external contractor, Sage or something. Have you, or anyone else for that matter, seen anything as to whether or not they have been hired to do the APU2 BIOS?
After some number of years they own the failure, whether it was because they did a lousy job of outsourcing or because they couldn't figure out how to get it done themselves.
 

RTM

Well-Known Member
Jan 26, 2014
Close call but my 2016 resolution is - always IPMI.
IPMI is certainly awesome, but for a firewall I am personally inclined to think of it more as a liability than a useful feature.

I consider a firewall a security appliance where security (obviously) and uptime are both very important.

IPMI implementations are known to have had many vulnerabilities; I am guessing this is probably because they are small embedded systems that vendors don't update frequently, while users expect the IPMI to have many different abilities. I personally think we will see more attacks on IPMI/BMC interfaces, where attackers will pivot from host to IPMI to management network to other IPMI interfaces to other hosts.

The reason why I mention uptime is that I personally expect my firewalls to be stable enough to pretty much never require a reboot, i.e., if the reboot function from the IPMI is required, you have a bigger problem than a non-responsive firewall.

Now all the security reasons may be irrelevant in a home network or overkill, so of course you should do what you think is right for you, this is just my 2 cents :)
 

canta

Well-Known Member
Nov 26, 2014
No stock on those. The nice bit is that they come with memory but no IPMI.

Also, I don't think four AMD Jaguar "cores" are like 4 of the Intel cores. AMD Athlon 5150 Benchmarks and Review – AM1 APU is quad core 1.6GHz, so the 1GHz would be 38% lower performance?

Close call but my 2016 resolution is - always IPMI.
This depends on your assumptions.

Jaguar is OK for a low-end server and low power consumption.

I have a J1800 (Bay Trail-D) and an A4-5000 (Jaguar). I disabled 2 cores on the Jaguar via BIOS for comparison.
The A4-5000 has pretty good output during peak processing compared with the J1800.
The good thing about the J1800 is that it is 5W less than the A4-5000.
The J1800 hits 15W for the overall system and the A4-5000 hits 20W; this is at 99% busy CPU....

AM1 is an entry-level processor... it can be compared with the Intel J.....

I assume the newer Intel N low-power parts have more features than the Intel J Bay Trail-D...

IPMI is nice, but it is a perk that costs a lot of $$ compared with an entry-level SoC A4-5000 mini-ITX or AM1 motherboard.
As I said, $35 new for a J1800 mini-ITX and $36 for an A4-5000 mini-ITX.
 

mstone

Active Member
Mar 11, 2015
IPMI is nice, but it is a perk that costs a lot of $$ compared with an entry-level SoC A4-5000 mini-ITX or AM1 motherboard.
As I said, $35 new for a J1800 mini-ITX and $36 for an A4-5000 mini-ITX.
The IPMI chipset also costs some extra money, consumes a non-trivial amount of power and generates a non-trivial amount of heat given the application. If you want all that, it's already available, but not at this price & form factor.
 

canta

Well-Known Member
Nov 26, 2014
The IPMI chipset also costs some extra money, consumes a non-trivial amount of power and generates a non-trivial amount of heat given the application. If you want all that, it's already available, but not at this price & form factor.
Sure, everything has a cost.

For a simple low-end bare-metal firewall/router, a simple desktop mini-ITX or micro-ATX board is a very good pick, since it runs 24/7 without a major issue.


If you are talking about a file server or an important "thing" server, or something remotable 24/7, yeah, IPMI is the first priority.

On some of my systems, IPMI pulls 5-10W for sure. This is reasonable due to the monitoring and added sensors.
If you factor in a low-power Intel rated at 10W or less, the consumption is trivial.

I just throw out the thought that a desktop mini- or micro-ATX board with a low-power CPU is a good candidate for low-end bare metal or a firewall/router. You need to add an extra Intel NIC too (add $10 for a used dual 1G Ethernet card).

Honestly, my first server build was a desktop AMD Athlon and Pentium 4 :D and I moved to a Dell T series Pentium 4 and AMD Socket F. I am moving back and forth to adjust to my needs and save $$$.

Once again, I totally agree that IPMI is important for a trivial server or for people who are lazy/prefer remote access 99% of the time.
 

denisl

Member
Dec 20, 2014
Below is how I am envisioning setting up pfsense as a dedicated box.
Am I missing any key concepts? Is pfsense in the right spot in the network?

Thanks

[attached image: pfsense-lab.png]
 

denisl

Member
Dec 20, 2014
Oops, not my intention. 10G only for camera traffic to the ESX host. That line should be on a regular port. Otherwise, am I planning correctly? Thanks
 

PigLover

Moderator
Jan 26, 2011
Unless you've got about 50 cameras I don't think you really need that on a 10G link either. But there is certainly nothing wrong with it.
 

denisl

Member
Dec 20, 2014
I'm either going to pick up a 3Com PoE switch with 10G support or a Planet without. I certainly don't need 10G but it would be fun to set up. I'm leaning towards the Planet with its advanced PoE features like scheduled power recycle and power windows.
 

canta

Well-Known Member
Nov 26, 2014
@denisl
My suggestions,

Put your cams on a VLAN, if you are super paranoid...

A PoE cam is the best pick.

Stay away from passive PoE. I had a nightmare with that. Good for short distances only.
 

Markus

Member
Oct 25, 2015
As canta suggests - put at least the zoneminder VM and the cams in a different VLAN.

The attack vector is that an opponent can use the cables of the IP cams to take over your network.
I am super paranoid, so I would put the cams into a so-called "private VLAN", where they only communicate with the zoneminder VM (and not with each other). Also, I would put the zoneminder VM in a separate VLAN and use the / a firewall between the two VLANs to allow just the single port for communication between cam and zoneminder.

Regards
Markus
 

denisl

Member
Dec 20, 2014
Also, I would put the zoneminder VM in a separate VLAN and use the / a firewall between the two VLANs to allow just the single port for communication between cam and zoneminder.
Thanks for the guidance. I can see how I can set up a private VLAN or DMZ between the IP cams and the zoneminder VM - but how do I plumb in the pfsense firewall for just the private VLAN? Do I need to add another 2 interfaces (in/out) on the pfsense box from the switch to a dedicated IP cam interface on my ESX host? Just trying to visualize the physical aspects of having pfsense protect me from the internet as well as a physical breach internally (not that I'm worried someone will plug into a cable outside my house, but I'm good with over-engineering things!)
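Editor's note (added example, not from any poster in this thread): the camera/zoneminder split Markus describes does not need two extra physical interfaces. pfSense can do it "router-on-a-stick" style: one NIC to the switch carries both VLANs as 802.1Q tags (created in the pfSense GUI under Interfaces > Assignments > VLANs), the camera switch ports are untagged members of the camera VLAN, and on the ESX host the zoneminder VM sits on a port group tagged with the zoneminder VLAN only. pfSense then builds the ruleset below from what you enter in the GUI; it is written here in the underlying pf syntax that pfSense generates. Interface names (igb1), VLAN IDs (30, 40) and addresses are assumptions for illustration, as is the choice of RTSP 554/tcp and HTTP 80/tcp as the only ports zoneminder needs to reach the cameras.

```pf
# Added example for the camera VLAN design discussed above (not the page's code).
# Assumed layout: igb1 is the 802.1Q trunk from pfSense to the switch,
# VLAN 30 = cameras (10.30.0.0/24), VLAN 40 = zoneminder VM (10.40.0.10).
cams    = "igb1.30"
zm_if   = "igb1.40"
cam_net = "10.30.0.0/24"
zm_host = "10.40.0.10"

# Default deny, logged: anything not matched below shows up in the firewall log,
# which is exactly the traffic a compromised camera would generate.
block log all

# zoneminder pulls video from the cameras, so it is the side that opens connections:
# RTSP (554/tcp) for the stream, HTTP (80/tcp) for ONVIF/config pages. State tracking
# lets the camera's replies back without a separate rule on the camera VLAN.
pass in quick on $zm_if proto tcp from $zm_host to $cam_net port { 80 554 } flags S/SA keep state

# Cameras get nothing else: no internet (no phoning home), no LAN, no zoneminder-initiated
# traffic in the other direction. Logged so that any attempt is visible.
block in log quick on $cams from $cam_net to any

# Cameras that get their address from pfSense still need DHCP; drop this rule if they are static.
pass in quick on $cams proto udp from any port 68 to any port 67
```

Two caveats a practitioner would want here. First, the rule on $cams only governs traffic that leaves the camera VLAN; camera-to-camera traffic inside VLAN 30 never reaches pfSense at all, so the "not between each other" part of Markus's advice has to come from the switch (private VLAN / port isolation on the camera ports), not from the firewall. Second, keep the camera VLAN off every other ESX port group and off the trunk to any host that does not need it; a VLAN that is tagged through to a general-purpose port group is not isolated no matter what the firewall says.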
 

shoguneye

Member
Jan 21, 2016
I am unaware of a single instance of anyone breaking out of a type-1-ish hypervisor. KVM, Xen, ESXi...

Why is this a bad idea? I don't see the issue.

As to hosed up vm... This, is the point of having vms. Instant restore to working state, transfer to other hardware... Virtualization adds a bunch of failsafes that a spare bare metal server has a tough time matching.
 

shoguneye

Member
Jan 21, 2016
Hypervisors have exposure, one I'm aware of is the "Blue Pill" which basically adds an adulterated hypervisor to the hypervisor, even reboots are faked.