Check my PFSense build please...

Hello all - looking to build my first PF appliance (3 of them actually).

My goal is a FW/Router that will allow me to do content filtering and snort for about 70 users over 2 different locations/subnets.

I'll have an internet connection (20/10), local lan (GB), and a site to site lan (10/10) plugged into the box. Up to 10 VPN users at a time.

Here is my config:

Supermicro MDB-X9SCL-O
http://www.newegg.com/Product/Product.aspx?Item=N82E16813182252
Intel Pentium G620 Sandy Bridge 2.6ghz
http://www.newegg.com/Product/Product.aspx?Item=N82E16819116399
SuperMicro CSE-503-200B
http://www.newegg.com/Product/Product.aspx?Item=N82E16811152107&Tpk=CSE-503-200B
Samsung 4gb 240 pin DDR3 - M391B5273CH0-CH9 (This seems out of stock now, I'll have to find something else - suggestions?)
http://www.newegg.com/Product/Product.aspx?Item=N82E16820147097
Dynatron P199 low pro cooler
http://www.newegg.com/Product/Product.aspx?Item=N82E16835114075

RSC-RR1U-E16 Riser
Intel GB adapter
And a "Random" 5400 RPM hard drive.


Does anyone see a problem with the above config?

Thanks for the help!
 
Depending on whether you want cache on the FW/Router, I would even go with a simple USB thumb drive for boot or, worst case, a small SSD, which will cost you as much as any small 5400rpm at the current market.

Also the motherboard is for E3 Xeon and SandyBridge i3 (i3-21xx) so forget the G620.
For pfSense you could just go with a regular motherboard + 2 Intel NICs + G620 + regular RAM.

I don't think ECC Memory for routing will make a huge difference.


If you want to go "high-end" route:
SUPERMICRO SYS-5017C-LF 1U Rackmount Server Barebone LGA 1155 (low profile cooler included).
http://www.newegg.com/Product/Product.aspx?Item=N82E16816101383
359.99$

Intel Xeon E3-1220 Sandy Bridge 3.1GHz LGA1155
http://www.newegg.com/Product/Product.aspx?Item=N82E16819115084
209.99$

Kingston 8GB (2 x 4GB) 240-Pin DDR3 SDRAM ECC Unbuffered DDR3
http://www.newegg.com/Product/Product.aspx?Item=N82E16820139262
69.99$

Corsair Force CSSD-F40GB2-A 2.5" 40GB SATA II MLC Internal Solid State Drive (SSD)
http://www.newegg.com/Product/Product.aspx?Item=N82E16820233177
79.99$ (cheapest 5400rpm are 72.00$ anyway!)

SUPERMICRO RSC-RR1U-E8 1U PCI-E x8 Slot to PCI-E Slot Riser Card
http://www.newegg.com/Product/Product.aspx?Item=N82E16816101390&Tpk=RSC-RR1U-E8
12.99$

Intel PWLA8391GTL Desktop Adapter PRO/1000 GT Low Profile 10/ 100/ 1000Mbps PCI 1 x RJ45 - OEM
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106122
29.99$

Total each: 762.94$ + taxes & shipping
 
Cheaper option:
SUPERMICRO SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit LAN w/ IPMI Server Barebone + Memory + HD
http://www.newegg.com/Product/ComboDealDetails.aspx?ItemList=Combo.839558
419.99$

RSC-RR1U-E16 (Out of Stock)
http://www.newegg.com/Product/Product.aspx?Item=N82E16816101014
Price: ???? (Let's say 15.00$)

Intel PWLA8391GTL Desktop Adapter PRO/1000 GT Low Profile 10/ 100/ 1000Mbps PCI 1 x RJ45 - OEM
http://www.newegg.com/Product/Produc...82E16833106122
29.99$

Total each: ~ 465.00$/each
 
Is that Atom D525 going to handle my network load? I've been chicken shit to look at that based on my desire for content/snort filtering with VPN...

I like the first option you presented.. it's not out of budget, but I think overkill for what my client will ever use.

If I go back to my config - just swap out the processor for this - http://www.newegg.com/Product/Product.aspx?Item=N82E16819115077 and find memory.. thoughts?
 
Atom for the web will be more than enough for 10/20 when an ARM router base is good for 100.... but if there's content filtering then it might be out of juice, but I'm not even sure.....

Sonicwall TZ210 with all filtering turned on can let through 35/40Mb/sec without a problem and it only has an ARM processor with 256Mb of RAM.

Does the unit need to be 1U or rack-mountable? With a regular MB and case you could end up real cheap on the budget.
 
On a side note, I used to have an i3-2100 VMware ESXi cluster.

I was running the following VMs on one host with 16Gb RAM:
- pfSense for a 60/10 connection with FW (no content filtering)
- Trixbox for (avg. 4 active lines)
- W2008 Enterprise + Exchange 2010 CAS/MB/HT
- W2008 Enterprise + Exchange 2010 Edge Transport + Forefront for Exchange + Forefront TMG
- W2008 Enterprise for ActiveDirectory + DNS Master
- W2008 Core for DNS Slave

RAM and HP were saturated way before my CPU.

Tell me your limitation in:
- Budget
- Space/Size fitting
- Do you absolutely need 3 NICs?

I'll see the best "power/$$$" bundle I can do.
 
I have 2 different configs that I really need - I'll just modify 2 to reflect no second network and no need for a 3rd card.

I have no budget - Really, $1k is what I had planned on - per config. I'd prefer the cheap good and proper method. (yes, I know what they say about that :p )
I have a full rack available at one location - probably 1/2 open and probably 1/2 of a 24u rack in the other 2 locations. Doesn't need to be rack mount, but would be nice.
If I can get away with 2 nic's on my "big" config, I will be happy to try.

Here is the (big) network config I'm dealing with.

Office 1 has a 20/10
Office 2 has a 10/10 site to site to Office 1.

Obviously, I need to send all traffic from both offices to and from the internet. There are also Exchange, DB and file servers in Office 1.

I *could* set both offices onto one IP subnet, but that becomes less efficient - I think. My concern is sending crap over the 10/10 that doesn't need to be there.

The idea of a virtual box doesn't work for me - if I take the whole network down to reboot the host - that's stupid. Best I could manage at this client is a hyper-v server.
 
I just finished setting up a pfSense box for our local office. It has 30+ users/workstations all using VOIP. 1- 3/3 Dedicated WAN and 1- 30/30 shared WAN (looking to get our own 50/5 line installed to replace). This was built around an Atom 525 w/ 5 Intel NICs, 4GB RAM and a CF card for the HDD.

The best deal I found is the jetway D525 board, as it has 2 intel NIC's and the ability to connect a daughter board for 3 more Intel NICs. So you have 5 total without even touching the PCI slot. I haven't setup our site-site VPN or squidguard yet, but the setup has been working great for 3 weeks now. It's also the same setup that is sold as a PFSense appliance here: http://www.hacom.net/catalog/mars-ii-pfsense-1u-server They also have throughput numbers for that setup that you can take a look at.
 
Either you go Atom or Xeon E3, I would say. Don't bother with the i3-2100, you'll save maybe 100$/each setup.

E3-1220: Full price
i3-2100: -100.00$ (CPU/RAM)
Atom: -200.00$ (CPU/Motherboard)

For the Atom the only thing is filtering/VPN... it might push the CPU to the limit but again never tested it.
If it was in your budget just go with the Xeon E3, 200$ more for ~3y = 66$/year..... is it even worth losing time?

Let's just say you are paid 20$/h and you lose 4h figuring out Atom vs i3 vs Xeon E3.... first year difference is already paid!

Supermicro has great support, JetWay has great products but you can't compare their support to Supermicro. With the E3-1220 and the extra RAM you'll have plenty of room in the future for whatever you might need or what software might require then.

Since it's for business, rack would optimize the space, etc..... stop wasting time and go with the first suggestion with the E3-1220.
 
Since it's for business, rack would optimize the space, etc..... stop wasting time and go with the first suggestion with the E3-1220.

I'm seeing it this way as well..

Only issue/question I have with the config you have listed out.. NE says in the MB description " *Note: supports CPUs with max. TDP <= 45 Watts."

The E3-1220 is a 80w processor - as far as I can tell the E3-1220L isn't released yet.

Problem?

edit: that means with your listed config, I'm still back to something like this - i3-2100T http://www.newegg.com/Product/Product.aspx?Item=N82E16819116394
 
Go with this one instead then (50$ more)
http://www.newegg.com/Product/Product.aspx?Item=N82E16816101384

It's funny cause on the other one some people have E3-1220 and it works.
Motherboard also fully supports the CPU without a problem, maybe it's because it's 200w PS but if you go SSD then power draw will be less than a regular disk.

So you could always go with a higher model for a bigger power supply or go with an E3-1220L (20w) or E3-1260L (45w) instead.
 
When I looked into sandy bridge processors and realised that I'd be idling most of the time (remember, idle is still 1600mhz per core! i3 has 2x this) , I did some research into idle power consumption and found that you're really looking at a max idle of 15W even with 4 active cores - on the i5.

Sure you may spike higher but that being the case do you really need to worry about max power consumption when you'll rarely be hitting that with pfsense?
 
SUPERMICRO RSC-RR1U-E8 1U PCI-E x8 Slot to PCI-E Slot Riser Card
http://www.newegg.com/Product/Product.aspx?Item=N82E16816101390&Tpk=RSC-RR1U-E8
12.99$

Intel PWLA8391GTL Desktop Adapter PRO/1000 GT Low Profile 10/ 100/ 1000Mbps PCI 1 x RJ45 - OEM
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106122
29.99$

I'm going to go ahead and call myself a dumb ass for not catching this...

PCI-E riser doesn't work with a PCI card :(

Looking for a PCI-E nic...

This looks like it would be perfect...

http://www.amazon.com/Intel-Gigabit...0P7G/ref=sr_1_1?ie=UTF8&qid=1331251422&sr=8-1
 
I've used G620 in Supermicro server boards w/ 0 issues

I usually get the board that has matching NICs in it...

but anyway, I've built that exact system you're building out (cooler, case, cpu) for a couple builds, worked out great...

I used SSDs and a pci slot->2.5" thing for the drive... didn't need any more than 2 NICs
 