Any pfSense gurus in here?

Hey
Are there any pfSense gurus in here? If there are, I need some help sizing up pfSense hardware requirements for a WISP core router. What kind of hardware would I need if I plan on doing this:

bringing in 50 meg connection
QoS
Firewalling
Handling a block of /24 IPs
WAN failover ----> backup connection will be a DSL connection once the primary connection goes down.
Load Balancing

I am hoping to have 200-300 customers, and the packages I plan on giving out are from 1 meg to 8 meg.
 
I would think an i3 or i5 with 4G of RAM, any old SATA HD, and good solid Intel NICs?

But that is just a guess; I have an i3 with 4G running pfSense on a 50Mb line protecting some websites that get a few thousand hits a day.
 
What's your stake in this? Current WISP looking to upgrade? Startup WISP? Outside contractor for WISP (new/existing?)

I'd look into CARP + pfsync and go with some server hardware, e.g. a set of HP ProLiant DL360s would be nice for the application. If I were managing a WISP I would run Snort or similar, a proxy capable of caching video, and depending on the CPE use PPPoE.

Personally I would figure out the entire network architecture, buy a pfSense support subscription and ask them.

Background: Many years ago I did some planning/development for a rural WISP using Motorola Canopy gear.
 
It's not the horsepower that will be the issue... you don't need to go crazy there. Yeah, an i5 w/4 gigs and good Intel NICs will be great.

What you'll want is good server grade hardware with redundancy. Redundant power supplies going to different APCs, generator backup on one, hardware RAID, enterprise class disks.
 
I would look at say a used Dell Poweredge 1950 or something similar.
 
It's a startup WISP, by the way, and I will be using Powercode BMU, and then at each tower be running RouterBoards and using all Ubiquiti stuff.
 
I've been over there, and that forum was just about useless, let me tell you, when it comes to asking how much hardware you need for a WISP core router. Trust me, I already asked.

I am going to try it with a P4 3.0+ HT with 4G of memory and a 120 SATA hard drive with good Intel NIC cards.
 
Probably can push 50 megabit or near it without any QoS or other services with those specs, depending on how many states.

Thing is, you don't provide many details about your setup.

What are you going to do when a customer uses BitTorrent and saturates your connection?
How are you going to shut off a customer when they don't pay their bill?
CALEA compliance... what if your customer is trading kiddy porn and you get a subpoena for their information? Will you be able to track them down? I.e. what steps are you taking to keep your service up and not get raided/shut down due to your customers' actions?
How are you handling RPC, SMB, MSSQL, SMTP and other ports that should be commonly blocked?
What steps are you taking to prevent your network from becoming a giant botnet?
Etc., etc., etc. Maybe you have the best plan in the world to mitigate these situations, but how would we know? We can't read minds.
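One way to express the two operational points raised in this post (blocking the commonly abused ports for the customer block, and cutting off a customer who stops paying) on a pfSense box is a hand-written pf ruleset. This is an added example and not from any poster in this thread; pfSense normally generates its pf rules from the web GUI, so on a real install these would be entered as firewall rules and an alias rather than pasted into pf.conf. The interface names `em0`/`em1`, the customer block `203.0.113.0/24` and the table name `blocked_customers` are assumed placeholders.

```pf
# Added example (not from the thread): a minimal pf ruleset for a WISP
# core firewall. Assumed: em0 faces the upstream, em1 faces the towers,
# and 203.0.113.0/24 is a constructed placeholder for the customer /24.
wan = "em0"
lan = "em1"
customers = "203.0.113.0/24"

# Ports the post lists as commonly blocked by ISPs: RPC (135), NetBIOS/SMB
# (137-139, 445), MSSQL (1433/tcp, 1434/udp) and direct SMTP (25).
abuse_tcp = "{ 135, 137, 138, 139, 445, 1433, 25 }"
abuse_udp = "{ 135, 137, 138, 139, 445, 1434 }"

# Customers who have not paid or are generating abuse complaints.
# "persist" keeps the table alive even while it is empty so a billing
# script can add and remove addresses with pfctl without reloading rules.
table <blocked_customers> persist

set skip on lo0

# Default deny in both directions; everything below is an exception.
block log all

# Cut-off customers get nothing at all. "return" sends a TCP RST / ICMP
# unreachable so their clients fail fast instead of hanging on timeouts.
block return in quick on $lan from <blocked_customers>

# Stop the abuse ports leaving the customer block, and stop them arriving
# at customers from the Internet. Logged so the abuse desk can see who.
block log in quick on $lan proto tcp from $customers to any port $abuse_tcp
block log in quick on $lan proto udp from $customers to any port $abuse_udp
block log in quick on $wan proto tcp from any to $customers port $abuse_tcp
block log in quick on $wan proto udp from any to $customers port $abuse_udp

# Everything else from customers is allowed out, stateful. Because the
# customers hold real public IPs (no NAT), unsolicited inbound traffic to
# them is also allowed once it has passed the port blocks above.
pass in  on $lan from $customers to any keep state
pass out on $wan from $customers to any keep state
pass in  on $wan from any to $customers keep state
pass out on $lan from any to $customers keep state
```

Check the syntax before loading it with `pfctl -nf /path/to/pf.conf`, and handle the billing cut-off by editing the table rather than the ruleset, e.g. `pfctl -t blocked_customers -T add 203.0.113.45` (a constructed address) and `-T delete` once the customer pays. The rules use `quick` so the blocks take effect before the later `pass` rules are evaluated; the redirect-to-a-payment-page behaviour a billing system such as the Powercode BMU provides is outside what plain pf does, so this ruleset only drops the customer's traffic.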
 
Unless some of their stuff is different, the Ubiquiti equipment we have won't let you set priorities on anything for QoS.
 
Probably can push 50 megabit or near it without any QoS or other services with those specs, depending on how many states.

Thing is, you don't provide many details about your setup.

Agreed.

But I don't think he was asking for that bit of information. I do support your feeling that a dirty network from another person can be a headache for you also. But truthfully, I don't know if we need to go down that road yet.

Hardware-wise, I don't know why you're trying to run anything off ancient hardware. Stop it; you're making a mistake there from step #1.

Buy something newer if your goal is to be successful. Lay the groundwork to do so from the get-go. I think that's the same thing that Athlon is getting at with his questions, and I would clearly, clearly support that thinking. If you're cutting corners on the startup, you will do it long term, and you'll always be chasing your tail to get the feeling of being on base / ahead.
 
If you want to know so much about this, simple word: Powercode BMU will take care of this problem. If the customer doesn't pay their bill, they will get redirected to a page saying their account has been shut off and they can pay online to get turned back on. I will be giving customers their own IP address, a public real-world IP. I will be blocking ports at the tower via RouterBoard with rules. Also, about the BitTorrent stuff, it would either be stopped at the tower via RouterBoard with rules, or the Powercode BMU will kick their speeds down.

If you would read post 6, I told you what kind of equipment I was going to use. If you did a search on the web for the Powercode and RouterBoard you would know what these 2 devices do.

The Powercode can do router/QoS also, and the RouterBoard can do the same router/QoS thing, so pfSense will be the last router in case these 2 don't do very well at the firewalling/QoS stuff and crap. If I wanted to, with the UBNT product I can do a full router setup and block ports at the CPE if I wanted to.

Trust me, man, I know what I've been working on here.

I don't want to spend 400+ dollars on hardware for pfSense, man; if I was going to do that I could just buy a RouterBoard 1100AH for 400 dollars.

So you want to cheap out on your core router? Not a good idea......
 
FWIW, I pushed 100 megabit symmetric, dozens of torrents, QoS, and generally ran pretty hard with an Atom 330 board, 512 MB RAM, and a dual PCI-X Intel NIC. I have also run load balancing on the same hardware with 3x10 Mbit lines. Given that this setup performed just fine, I'd say pick something inexpensive and redundant. Or buy two inexpensive machines with dual Intel NICs and handle failover manually.

If you want to get some cheap test hardware, the whole shebang can be yours for cheap: I'd probably let it go for $100. Just add a power supply and a case.

An important note: the board that I used also has two onboard Realtek "gigabit" NICs. They suck a ton of CPU, and absolutely fail to perform. Do not use them.
 
A higher-end RB would be decent, but running pfSense on an old P4 I wouldn't do. Either maybe have 2 RBs, one for swapping out quickly, or have a server with dual everything for high uptime, which would be better. You can get a used PowerEdge 1950 for under 400 bucks easily, and it would have a lot of horsepower for a router.
 
With a PowerEdge or something similar you have dual PSUs, dual NICs, a RAID array, server-grade hardware, ECC RAM, (maybe) dual CPUs. I mean, you'd probably be fine on an Atom D525. I think the P4 would have the horsepower; it's just that the hardware for it would be consumer grade. I'm not discouraging you at all, just giving you a suggestion. I'm interested in your setup and wanna see how it goes for you.
 
I know that you will be pushing far more traffic than I deal with, but I am running pfSense on a VIA 1GHz CPU with 512MB of RAM, and the CPU and memory are usually idle most of the time. I think that the P4 would probably work OK for your situation, and you might just need some kind of backup in case it goes down. Another option that might work for you is to get one of the AMD APU setups and then just buy a better NIC for it.
 