Re: PowerEdge 850 for a small office firewall
On Wed, 27 Jan 2010 07:54 -0500, "Chris Dukes" wrote:
> On Tue, Jan 26, 2010 at 04:38:08PM -0800, mehma sarja wrote:
> > I am running an embedded 533 MHz with 256 MB memory and it is woefully
> > inadequate for an office setting. Even for a home setting which wants stuff
> > like snort running as well. I would WAG at least a 2 GB memory and the Atoms
> > max out at that...? If the firewall will be doing other stuff like snort,
> > vpn, dns, dhcp, nat, (I am talking pfSense here), then 2 GB is rather short
> > and I'd like to see a beefier CPU as well. So, the question really is what
> > all are you going to be doing with it?
>
> Is it still woefully inadequate if snort, vpn, and DNS are moved
> off the firewall?

On a busy interface, Snort can use a good deal of CPU consistently:

load averages: 0.50, 0.31, 0.24                                    08:09:25
33 processes: 31 idle, 2 on processor
CPU0 states:  4.4% user, 0.0% nice, 0.2% system, 8.8% interrupt, 86.6% idle
CPU1 states:  0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt,  100% idle
CPU2 states:  0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt,  100% idle
CPU3 states: 11.8% user, 0.0% nice, 0.0% system, 0.0% interrupt, 88.2% idle
Memory: Real: 180M/542M act/tot  Free: 2819M  Swap: 0K/518M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
16499 _snort    31    0  171M  158M onproc/1 -       24.9H 16.89% snort
 5502 root       2    0 1116K 2080K sleep/1  select   0:51  0.00% sendmail
16446 _pflogd    4    0  636K  444K sleep/0  bpf      0:06  0.00% pflogd

> I ask because running DNS on the firewall has given me the heebie jeebies
> for years. And I have dim memories of a few security exploits for snort.
>
> --
> Chris Dukes
Re: PowerEdge 850 for a small office firewall
On Tue, Jan 26, 2010 at 04:38:08PM -0800, mehma sarja wrote:
> I am running an embedded 533 MHz with 256 MB memory and it is woefully
> inadequate for an office setting. Even for a home setting which wants stuff
> like snort running as well. I would WAG at least a 2 GB memory and the Atoms
> max out at that...? If the firewall will be doing other stuff like snort,
> vpn, dns, dhcp, nat, (I am talking pfSense here), then 2 GB is rather short
> and I'd like to see a beefier CPU as well. So, the question really is what
> all are you going to be doing with it?

Is it still woefully inadequate if snort, vpn, and DNS are moved off the
firewall?

I ask because running DNS on the firewall has given me the heebie jeebies
for years. And I have dim memories of a few security exploits for snort.

--
Chris Dukes
Re: PowerEdge 850 for a small office firewall
s.casw...@protocol6.com wrote:
> Hi all.
>
> I'm in the process of planning an upgrade to our office firewall,
> and am happy that I get to use OpenBSD -current. :-)
>
> The hardware I'm considering is a Dell PowerEdge 850 server with
> four GbE NICs (two built-in and two on an expansion card)
>
> We have 25 people on a private IP subnet NATed to a handful of
> public IPs
>
> We'll be using a high-speed cable modem connection - 50 Mbps
> down/10Mbps up - as our primary Internet link, with a slower aDSL
> link as a backup.

*drool* A co-worker of mine just stuffed info about that under my nose.
Not available in my neighborhood. :(

> In addition to the PF firewall I want to use the box as an
> (bridged) OpenVPN endpoint for 3-5 folks.
>
> - So I was hoping to learn if others on the list are using a
> PowerEdge 850 for this type of firewalling scenario, and to hear
> any anecdotes about the 850s in such a dual application.
>
> Specifically I'm wondering about the Pentium D CPU on the 850. I
> know an MP Kernel won't help with PF (and may actually hinder
> things), but perhaps an MP Kernel might help with a PF and OpenVPN
> combination? Maybe I should run a Generic, rather than Generic-MP,
> kernel even though the chip is dual core?

heh. I firewalled a full DS3 (45mbps up/down) with about 800 users behind
a Dell PowerEdge 350 (Celeron 600MHz proc), and this was several releases
ago, before the last couple rounds of PF optimization. By shuttling a lot
of data from the internal network to the DMZ and back to the internal
network, we were able to make it show some strain, but otherwise, it did
great. Granted, no vpn at the firewall, but for three to five users, you
aren't going to be generating that many encrypted packets to worry about.

You will be quite fine with your hugely more hardware and smaller user
base (=fewer states to track), I'm very sure. You can fiddle with the
GENERIC vs. GENERIC.MP and you will find no difference, I'm quite
confident -- you will go from "mostly idle" to "almost as mostly idle".
Big deal.

Since everyone else is suggesting their favorite box they want you to buy
to tell them how it works, I'll suggest this... if you are a very small
operation, you may well not have racks of equipment. The only major
benefit a rack-mount server gives you for this application is
rack-mounting. Consider using any ol' desktop system you have laying
around. I suspect it will do just fine. My favorite thing about desktops
for this application is after power-up, they will be passing packets
before a "server" has finished POSTing.

If you do have equipment racks already, the 850, 860, or other similar
systems will do just fine. Avoid the RAID systems, not worth the trouble
(two systems, run CARP) or cost. Buy cheap, upgrade later, IF you see
reason. One REALLY nice thing about low-end "servers" and desktops is you
can move the disk and change your hostname.* files, and things will Just
Work on new hardware. Not so easy with RAID systems.

Nick.
Re: PowerEdge 850 for a small office firewall
I am running an embedded 533 MHz with 256 MB memory and it is woefully
inadequate for an office setting. Even for a home setting which wants stuff
like snort running as well. I would WAG at least a 2 GB memory and the Atoms
max out at that...? If the firewall will be doing other stuff like snort,
vpn, dns, dhcp, nat, (I am talking pfSense here), then 2 GB is rather short
and I'd like to see a beefier CPU as well. So, the question really is what
all are you going to be doing with it?

Mehma

===

On Tue, Jan 26, 2010 at 1:46 PM, Martin Schröder wrote:
> 2010/1/26 :
> > The hardware I'm considering is a Dell PowerEdge 850 server with four GbE
> > NICs (two built-in and two on an expansion card)
> >
> > We have 25 people on a private IP subnet NATed to a handful of public IPs
> >
> > We'll be using a high-speed cable modem connection - 50 Mbps down/10Mbps
> > up - as our primary Internet link, with a slower aDSL link as a backup.
> >
> > In addition to the PF firewall I want to use the box as an (bridged)
> > OpenVPN endpoint for 3-5 folks.
>
> I'm curious if this
> http://www.lannerinc.com/Network_Application_Platforms/Desktop-Fanless_Appliances/FW-7530
> would be enough for this.
>
> Best
> Martin
Re: PowerEdge 850 for a small office firewall
2010/1/26 :
> The hardware I'm considering is a Dell PowerEdge 850 server with four GbE
> NICs (two built-in and two on an expansion card)
>
> We have 25 people on a private IP subnet NATed to a handful of public IPs
>
> We'll be using a high-speed cable modem connection - 50 Mbps down/10Mbps up -
> as our primary Internet link, with a slower aDSL link as a backup.
>
> In addition to the PF firewall I want to use the box as an (bridged) OpenVPN
> endpoint for 3-5 folks.

I'm curious if this
http://www.lannerinc.com/Network_Application_Platforms/Desktop-Fanless_Appliances/FW-7530
would be enough for this.

Best
Martin
PowerEdge 850 for a small office firewall
Hi all.

I'm in the process of planning an upgrade to our office firewall, and am
happy that I get to use OpenBSD -current. :-)

The hardware I'm considering is a Dell PowerEdge 850 server with four GbE
NICs (two built-in and two on an expansion card)

We have 25 people on a private IP subnet NATed to a handful of public IPs

We'll be using a high-speed cable modem connection - 50 Mbps down/10Mbps
up - as our primary Internet link, with a slower aDSL link as a backup.

In addition to the PF firewall I want to use the box as an (bridged)
OpenVPN endpoint for 3-5 folks.

- So I was hoping to learn if others on the list are using a PowerEdge 850
for this type of firewalling scenario, and to hear any anecdotes about the
850s in such a dual application.

Specifically I'm wondering about the Pentium D CPU on the 850. I know an MP
Kernel won't help with PF (and may actually hinder things), but perhaps an
MP Kernel might help with a PF and OpenVPN combination? Maybe I should run
a Generic, rather than Generic-MP, kernel even though the chip is dual core?

If you are happy with your PowerEdge 850 firewall, perhaps you'd be willing
to share your hardware configuration? Or perhaps there is another hardware
configuration I should consider? (I'll be buying the box on eBay or
Craigslist, and have a slight personal bias toward Dell servers)

Thanks in advance for any input, advice or opinions.

Best regards, :-)
Sarah

--
"Control your own destiny, or someone else will" - Jack Welsh
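As an added illustration of the policy the thread converges on (default deny, NAT for the 25-user LAN onto a small public block, OpenVPN as the only service exposed outward, no DNS or other daemons reachable on the firewall itself), here is an OpenBSD pf.conf sketch for the setup Sarah describes. This is example code, not Sarah's configuration or anything posted on the list; the interface names, the private subnet and the public block are assumed placeholders, and OpenVPN is assumed to be on its default 1194/udp.

```pf
# Added example (not from the thread). Interface names, subnet and public
# block are assumed placeholders; adjust to the real hardware.
ext_if   = "em0"            # cable modem, 50/10 Mbps primary (assumed name)
bak_if   = "em1"            # aDSL backup link (assumed name)
int_if   = "em2"            # office LAN with the 25 users (assumed name)
vpn_if   = "tap0"           # bridged OpenVPN endpoint for 3-5 remote users
lan_net  = "192.168.10.0/24"   # constructed private subnet
pub_pool = "203.0.113.16/29"   # constructed "handful of public IPs"

set skip on lo
set block-policy drop

# Default deny everywhere; every rule below is an explicit exception.
block log all

# Drop spoofed/unroutable sources on the public links before anything else.
block in quick on { $ext_if $bak_if } from { urpf-failed no-route } to any
match in all scrub (no-df random-id)

# Outbound NAT: source-hash keeps each user pinned to one public address.
match out on $ext_if from $lan_net to any nat-to $pub_pool source-hash

# The firewall offers the LAN nothing but ssh. Anything else aimed at the
# firewall's own LAN address (DNS, DHCP relays, web UIs) is dropped, which
# is the "keep services off the firewall" point raised in the thread.
pass in quick on $int_if proto tcp from $lan_net to ($int_if) port 22
block in quick on $int_if from $lan_net to ($int_if)
pass in on $int_if from $lan_net to any

# Office traffic may leave on either uplink (failover is a routing matter).
pass out on { $ext_if $bak_if }

# The only inbound service on the public side: OpenVPN (assumed 1194/udp).
pass in on $ext_if proto udp to ($ext_if) port 1194

# Remote users that reach the bridged tap interface are treated like LAN.
pass in on $vpn_if to $lan_net
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the resulting rule set.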