[email protected] wrote:
> Hi all.
> 
> I'm in the process of planning an upgrade to our office firewall,
> and am happy that I get to use OpenBSD -current.   :-)
> 
> The hardware I'm considering is a Dell PowerEdge 850 server with
> four GbE NICs (two built-in and two on an expansion card).
> 
> We have 25 people on a private IP subnet NATed to a handful of
> public IPs.
> 
> We'll be using a high-speed cable modem connection - 50 Mbps
> down/10 Mbps up - as our primary Internet link, with a slower ADSL
> link as a backup.

*drool*
A co-worker of mine just stuffed info about that under my nose.
Not available in my neighborhood. :(

> In addition to the PF firewall I want to use the box as a
> (bridged) OpenVPN endpoint for 3-5 folks.
> 
> ----- So I was hoping to learn if others on the list are using a
> PowerEdge 850 for this type of firewalling scenario, and to hear
> any anecdotes about the 850s in such a dual application.
> 
> Specifically I'm wondering about the Pentium D CPU on the 850. I
> know an MP Kernel won't help with PF (and may actually hinder
> things), but perhaps an MP Kernel might help with a PF and OpenVPN
> combination? Maybe I should run a Generic, rather than Generic-MP,
> kernel even though the chip is dual core?

heh.
I firewalled a full DS3 (45 Mbps up/down) with about 800 users behind a
Dell PowerEdge 350 (Celeron 600MHz proc), and this was several
releases ago, before the last couple rounds of PF optimization.  By
shuttling a lot of data from the internal network to the DMZ and back
to the internal network, we were able to make it show some strain, but
otherwise, it did great.  Granted, no vpn at the firewall, but for
three to five users, you aren't going to be generating that many
encrypted packets to worry about.

You will be quite fine with your hugely more powerful hardware and smaller user
base (=fewer states to track), I'm very sure.  You can fiddle with the
GENERIC vs. GENERIC.MP and you will find no difference, I'm quite
confident -- you will go from "mostly idle" to "almost as mostly
idle".  Big deal.

Since everyone else is suggesting their favorite box they want you to
buy to tell them how it works, I'll suggest this...if you are a very
small operation, you may well not have racks of equipment.  The only
major benefit a rack-mount server gives you for this application is
rack-mounting.  Consider using any ol' desktop system you have lying
around.  I suspect it will do just fine.  My favorite thing about
desktops for this application is after power-up, they will be passing
packets before a "server" has finished POSTing.

If you do have equipment racks already, the 850, 860, or other similar
systems will do just fine.  Avoid the RAID systems, not worth the
trouble (two systems, run CARP) or cost.

Buy cheap, upgrade later, IF you see reason.  One REALLY nice thing
about low-end "servers" and desktops is you can move the disk and
change your hostname.* files, and things will Just Work on new
hardware.  Not so easy with RAID systems.

Nick.
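
Nick's suggestion above (two cheap boxes running CARP rather than one RAID server) in concrete form, as an added example that is not part of the original thread: a small POSIX sh helper that writes the hostname.if(5) files for one node of a CARP/pfsync firewall pair, so the two machines differ only in their own addresses and in advskew. The interface names (em0 external, em1 internal, em2 as a dedicated crossover link for pfsync), the RFC 5737 and private addresses, the vhids and the placeholder passwords are all assumptions made for illustration, not values from the post; the real ones go in by hand.

```shell
#!/bin/sh
# Added example, not from the thread: generate the OpenBSD hostname.if(5)
# files for one member of a two-node CARP/pfsync firewall pair.
# Assumptions (not stated in the post): em0 faces the Internet, em1 faces
# the office LAN, em2 is a crossover cable used only for pfsync traffic.
# Addresses are documentation/private ranges standing in for real ones.
#
# Usage: write_carp_configs <dir> <master|backup>
# On the firewall <dir> is /etc; any scratch directory works for a dry run.

write_carp_configs() {
    dir=$1
    role=$2
    case $role in
        master) skew=0;   ext=192.0.2.2; int=10.0.0.2; sync=172.16.0.1 ;;
        backup) skew=100; ext=192.0.2.3; int=10.0.0.3; sync=172.16.0.2 ;;
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac

    # Physical interfaces: each node keeps its own address. Clients and the
    # default route use the shared CARP address, never these.
    printf 'inet %s 255.255.255.0 NONE\n'   "$ext"  > "$dir/hostname.em0"
    printf 'inet %s 255.255.255.0 NONE\n'   "$int"  > "$dir/hostname.em1"
    printf 'inet %s 255.255.255.252 NONE\n' "$sync" > "$dir/hostname.em2"

    # carp0/carp1: the virtual addresses the rest of the network talks to.
    # vhid and pass must match on both nodes; advskew is the only difference
    # and decides who becomes master. "pass" authenticates CARP advertisements,
    # so replace the CHANGEME placeholders with real secrets.
    printf 'inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGEME1 advskew %s\n' \
        "$skew" > "$dir/hostname.carp0"
    printf 'inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev em1 pass CHANGEME2 advskew %s\n' \
        "$skew" > "$dir/hostname.carp1"

    # pfsync0: replicate the PF state table over the dedicated link, so an
    # established connection survives a failover instead of being dropped.
    printf 'up syncdev em2\n' > "$dir/hostname.pfsync0"
}

# Sanity check after generating both nodes' files: the advskew values must
# differ, or both boxes will keep contending for master.
carp_skew() {
    # print the advskew value found in a hostname.carpN file
    sed -n 's/.*advskew \([0-9]*\).*/\1/p' "$1"
}
```

The matching pf.conf needs two rules the firewall would otherwise block: `pass on { em0 em1 } proto carp` for the advertisements on the shared segments and `pass quick on em2 proto pfsync` on the sync link. pfsync carries the state table in the clear, which is why the example assumes a dedicated crossover cable rather than sharing the LAN for it.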
