pfSense Router Build Log Part 3

[nicklmg]

iStarUSA

Amazon: http://istarusa.com 

iStarUSA Group Facebook: https://www.facebook.com/iStarUSA 

iStarUSA Group Twitter: https://twitter.com/istarusagroup 

iStarUSA Group LinkedIn: https://www.linkedin.com/company/istarusa-inc-

[Rohith_Kumar_Sp]

3rd time's is the charm

[Snadzies]

No cutting, drilling, fabricating or destruction of hardware?

I think The Institute got to Linus and replaced him with a Synth.

[blu4]

How is the stability of this system? I'm looking into deploying this into my school environment and I need to know how stable and reliable the software is. Also, the ISP for LMG provides a completely unmanaged modem?

[HungryPanda]

How is the stability of this system? I'm looking into deploying this into my school environment and I need to know how stable and reliable the software is. Also, the ISP for LMG provides a completely unmanaged modem?

 

It is very stable and runs without any hassle. I have deployed this at work, after our cisco router failed. Got to say I am really impressed and runs without any reboots except the ones that updates require for 2 years.

 

Also people say it's overkill. IT'S NOT if you are running in a crowded network. At first it uses 125 MB of ram, very little CPU. But once you start logging everything, install snort, filters, add rules, block IP's based on regions, vlans, VPN  and a lot more, you get with 1.5-2gb of ram used and a dual core CPU stays at 50% in high traffic.

[blu4]

It is very stable and runs without any hassle. I have deployed this at work, after our cisco router failed. Got to say I am really impressed and runs without any reboots except the ones that updates require for 2 years.

 

Also people say it's overkill. IT'S NOT if you are running in a crowded network. At first it uses 125 MB of ram, very little CPU. But once you start logging everything, install snort, filters, add rules, block IP's based on regions, vlans, VPN  and a lot more, you get with 1.5-2gb of ram used and a dual core CPU stays at 50% in high traffic.

So, for about 30-40 users using a VPN you're suggesting to get 4GB and a quad core PC?

[felixbrucker]

@Staff: your should look into your mbuf usage, https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#mbuf_.2F_nmbclusters for reference

[crow782]

So, for about 30-40 users using a VPN you're suggesting to get 4GB and a quad core PC?

It hangs most on the througput of the internet connection and the number of concurrent vpn.

Here you see the recommended spec

https://www.pfsense.org/hardware/#requirements

[blu4]

It hangs most on the througput of the internet connection and the number of concurrent vpn.

Here you see the recommended spec

https://www.pfsense.org/hardware/#requirements

That's alright then, we have a 100Mbps connection so a quad core is more than enough.

[crow782]

That's alright then, we have a 100Mbps connection so a quad core is more than enough.

It should do the trick!

[Tilaron]

Did Berkel make it to his desk in time? Did he spill a drop of that coffee? Can we get a follow-up video?

[LAwLz]

Also, the ISP for LMG provides a completely unmanaged modem?

If it is what I think it is (a 906G) then it's a managed layer 3 switch. It's probably just that Telus won't let LMG touch it in case they break it. It's kind of a shame because if they were allowed to use it then they wouldn't need the pfSense router.

I think Linus said they rented it.

[cyberjunkee]

Hello LMG!

 

Redundant PSU? Check!

 

But what about redundant storage? You guys mentioned in the video about one SSD. Due to the fact that we are not talking about enterprise grade storage devices, would you risk a drive failure for...let's say...another (at most) 300 bucks? I know, I know, that kind software can run from a MicroSD card, but imho I would prefer to pay a little more for the company's network reliability and therefore revenue.

[iTedJansen]

Hello LMG!

 

Redundant PSU? Check!

 

But what about redundant storage? You guys mentioned in the video about one SSD. Due to the fact that we are not talking about enterprise grade storage devices, would you risk a drive failure for...let's say...another (at most) 300 bucks? I know, I know, that kind software can run from a MicroSD card, but imho I would prefer to pay a little more for the company's network reliability and therefore revenue.

 

Hi,

 

It's relatively easy to reinstall and reconfigure this setup from a backup, but redundant storage is always nice and handy when the time comes.

[EricX2]

Why so many network interfaces? Sounds like you only have one for the WAN and one for the LAN yet you have 4 gbic ports and 8 copper... are you teaming them together or what?

[blu4]

Why so many network interfaces? Sounds like you only have one for the WAN and one for the LAN yet you have 4 gbic ports and 8 copper... are you teaming them together or what?

It's just overkill man No need to team anything if the DL is 1Gbps.

[Downloadski]

@Staff: your should look into your mbuf usage, https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#mbuf_.2F_nmbclusters for reference

Fully agree, i had issue with the 4 intel gigabit ethernet cards on my mainbord. Even when not using them you still run out of memory buffers.

I used this thread on the pfsense forum for built example: https://forum.pfsense.org/index.php?topic=94399.0 and have like 40% load on 546 mpbs download speed. (Snort, squid)

[pravarth]

What adapter did he use to mount the 2 PCI-E expansion cards?

[Feather]

So, for about 30-40 users using a VPN you're suggesting to get 4GB and a quad core PC?

 

Just get this http://www.ncix.com/detail/supermicro-5018a-tn4-1u-atom-c2750-03-95608.htm

 

8GB of SODIMM and a low capacity Intel SSD.  Important thing is to get a CPU that supports Intel's Intel® AES New Instructions for efficient VPNs.

[blu4]

Just get this http://www.ncix.com/detail/supermicro-5018a-tn4-1u-atom-c2750-03-95608.htm

 

8GB of SODIMM and a low capacity Intel SSD.  Important thing is to get a CPU that supports Intel's Intel® AES New Instructions for efficient VPNs.

I can ghetto something at work No need to buy new stuff

[Feather]

I can ghetto something at work No need to buy new stuff

 

Well like the only reason is because you do want something relatively reliable as well.  If you have a host server already running you can run it on that as well if it has two NICs.

[ShakataGaNai]

I love this build, especially when Linus starts talking about it being overkill. Surely it is, but you could do worse, much much worse... and in fact I have. My "overkill" edition was actually very similar to Linus' with iStarUSA case and everything. Except it was dual Xeon's, 32GB RAM, RAID 1 SSDs and 10gigabit NIC's. For those curious: https://snowulf.com/2015/04/14/project-falcon-the-diy-router-server-experiment/

 

As others have said though, once you start doing heavy VPN traffic, IDS/IPS and basically turning on all the security (or recording all the info)... it's not as stupidly over the top. Plus it cost only ~$4k at the time and replaced a $30k router that _wasn't_ performing.