Pfsense, Jump on D2500CC or wait for new Atoms?

BurntToast

Looking at building a Pfsense box with a D2500CC but would like to build one on a newer chip. I just don't see any ETA.
 
How are you using pfsense? I can't talk about the atoms, but if I were looking at buying new hardware for a firewall/router and wasn't building a UTM, I'd take a hard look at the Ubiquiti EdgeRouter Lite @ $100.
 
Yeah I've been recommended that a few times.

If I went the Pfsense route, I would start off with Darkstat, Snort, country block and go from there. No use for Squid.
 
There are some interesting threads in Ubiquiti's forums on blocking countries, using some different blacklists, etc, for safer internets usage. You could probably load Snort on it. The software on it is Debian-based IIRC, and is pretty customizable.

I am pretty sure I even read a thread over there that someone successfully installed pfsense on an ERL. It might be worth checking out.
 
There are some interesting threads in Ubiquiti's forums on blocking countries, using some different blacklists, etc, for safer internets usage. You could probably load Snort on it. The software on it is Debian-based IIRC, and is pretty customizable.

I am pretty sure I even read a thread over there that someone successfully installed pfsense on an ERL. It might be worth checking out.
it's based on vyatta which is a specialized debian...

pfsense will be officially supporting the ERL in 2.2 i think... i read somewhere the head pfsense dev has already distributed them to all the top contributors... their plan i think is to sell them in the pfsense store preloaded...

pfsense 2.2 is based on freebsd10 and somebody in the community already has that working on the ERL....

other thing to keep in mind with that, they haven't figured out the hardware acceleration... so you won't get the 1 million packets per second performance out of the ERL w/ pfsense on it... at least not yet...
 
While I can't comment on the D2500CC, I am running my pfSense box on a SUPERMICRO MBD-X7SPE-H-D525-O board with 4 gigs of RAM and an SSD. It kills; no wait - it murders... wait no, it's like a star destroyer! It's incredibly potent and I can barely scratch 10% of CPU utilization.

For what it's worth - I had a similar build at work servicing about 50 people and a site-to-site VPN - again, barely scratched the surface of utilization.

It's basically this: http://store.pfsense.org/FW-7541/ only with more RAM, a drive, and about 1/2 the cost.
 
FreeBSD runs on the ERL so in theory pfsense should be portable too, I don't see why you would need the WebUI just for firewalling though...
If you're "just" going to do firewalling and routing an Atom box is most likely overkill compared to a decent MIPS/PPC-system.

//Danne, who runs several ERLs with FreeBSD
 
get an i3...or have Atom chips and the northbridge finally got their power under control?

I recall before you could get an i3 that ran with less power and you get more out of it.

I hear that logs kill SSDs in a matter of months.



Correct, I was mentioning that in another thread, but it can depend on how much logging you're doing and how much traffic is going through your box. I did weeks of research on using some Dell 50G SSDs I had for a new pfsense box, but others had their SSDs dying in weeks/months with heavy traffic and logging.

For an enterprise, I would say no; for home usage you can likely get away with it.
 
Why not just log to a memory disk and write at specific intervals?
But still, how much throughput are we talking about here?
//Danne
 
Use the nanobsd image and they last fine but you may as well use a cf/sd card then. Think my first ssd accident with pfsense lasted around two months.
 
^ What he said, I've run pfSense boxes for YEARS on CF to IDE adapters. It all depends on How much/what you log and the traffic passed that applies to those logging rules. If you log everything on a saturated pipe, yes, you'll hit the failure point of flash memory faster. But, are you?
 
SSD for OS/config, HDD for logs. Or syslog?

I wouldn't mess with that, there's no compelling reason to make storage for a firewall that complicated. Just use a laptop HDD. Small, quiet, and a fraction of the power of a desktop hard drive. I have one as the main drive in my firewall, and as the OS drive in my file server.
 
I wouldn't mess with that, there's no compelling reason to make storage for a firewall that complicated. Just use a laptop HDD. Small, quiet, and a fraction of the power of a desktop hard drive. I have one as the main drive in my firewall, and as the OS drive in my file server.

The reason for SSD is reliability, (as long as you're limiting writes, hence the other HDD). Of course you could also do hardware raid 1 but that's more expensive. I don't build any machines without a SSD for the OS drive now.
 
I don't know you'd add much reliability by using a SSD+HDD combination. You also now increase your parts count and complexity, and increased parts count equals decreased reliability in many cases. I have systems running regular disks (like my firewall on its laptop drive) literally for years without issue.

I'd agree, a fault-tolerant RAID (say a mirror) would be worth consideration if you need reliability, but doing a HDD and SSD on a firewall sounds like a pain in the rear. pfsense might have it readily built in, but it's not a standard feature of the firewall distros I've used.
 
^ What he said, I've run pfSense boxes for YEARS on CF to IDE adapters. It all depends on How much/what you log and the traffic passed that applies to those logging rules. If you log everything on a saturated pipe, yes, you'll hit the failure point of flash memory faster. But, are you?

I did the same, killed the CF card in about a year. The box would boot and work for a bit, then stop handling DHCP requests, admin panel would stop loading etc. There were some errors, but it was over a year ago so I don't remember specifics. At the time I did search about the issue, and everything pointed to the CF card dying as the issue. So I moved back to HDD, which didn't make much difference since pfsense wasn't doing much IO to the disk.
 
I believe you're wrong that ERL runs on a vyatta/debian platform.

FreeBSD runs on the ERL so in theory pfsense should be portable too, I don't see why you would need the WebUI just for firewalling though...
If you're "just" going to do firewalling and routing an Atom box is most likely overkill compared to a decent MIPS/PPC-system.

//Danne, who runs several ERLs with FreeBSD
 
The stock firmware for the ERL is based on Vyatta/Debian, but people have successfully loaded FreeBSD on it. There is also a project to get OpenBSD running on it as well. It is close, but last I read they are still working on getting the storage controller working.

I'd actually like to build an all-in-one server box with a little ERL running OpenBSD and pf in front of it, just because I don't like the idea of running a virtual firewall. The ERL is supposed to use a max of 7W power, so pretty light for a transparent firewall.
 
I have two different images using 16Gb sticks (self-hosting), just gimme a pm. PF and regular network services runs fine and has for months now.
//Danne
 