Re: Hardware (firewall) recommendation
On Thu, May 10, 2012 at 3:28 AM, Predrag Punosevac punoseva...@gmail.com wrote:

> Dear All,
>
> I am resurrecting this thread which I followed carefully because I need some hardware advice for the firewall machine which is going to serve our new scientific computing laboratory. Initially behind this firewall, we will have only two small (16 and 8 nodes) clusters, a GPU based super computer, a CVS/File server and a web-server for PMWiki. They will be accessible to users (15-20 for now) only via SSH(NX X) and HTTP protocols.
>
> We are vendor locked due to the contract between DeLL and the University system of Georgia. I would like to hear opinion about:
>
> Dell PowerEdge R210 II Ultra-compact Rack Server
> http://www.dell.com/us/enterprise/p/poweredge-r210-2/pd
>
> I am looking at the one with Intel Gigabit ET Quad Port Adapter, Gigabit Ethernet NIC, PCIe x4
>
> Does One Dual port Broadcom BCM 5716 work on OpenBSD? What about those Broadcom NetXtremes ?
>
> It is not going to have RAID controller. We are looking at the one with Dual-core Intel Celeron G400 and G500 series
>
> Thank you so much!
> Predrag

Watch out for onboard bios/firmware of the two native gigabit nics (bnx): anything below 1.3 will cause abundant data loss on at least one of the two... the early bioses were severely buggy!!!
Re: Hardware (firewall) recommendation
On 2012-05-10, Predrag Punosevac punoseva...@gmail.com wrote:

> I would like to hear opinion about: Dell PowerEdge R210 II Ultra-compact Rack Server

These work fine, quite nice machines.

> I am looking at the one with Intel Gigabit ET Quad Port Adapter, Gigabit Ethernet NIC, PCIe x4

I think these are 82576, no personal experience with these (I have usually got second-hand older cards when I've needed multi-port nics), they are listed as supported by em(4), should be alright but they would be better supported by a different driver which might happen sometime.

> Does One Dual port Broadcom BCM 5716 work on OpenBSD? What about those Broadcom NetXtremes ? It is not going to have RAID controller. We are looking at the one with Dual-core Intel Celeron G400 and G500 series

The onboard BCM 5716 a.k.a. NetXtreme II work fine with bnx(4). I include a dmesg from one with PERC H200 raid controller and a Xeon E3 (note that this Xeon E3 cpu has the instructions that can be used to speed up AES, see AES in the cpu0 attach line, the core i3/celerons don't have this - might not be important for you but I thought I'd point it out just in case).

Note the cheaper DRACs with shared network port are not supported by OpenBSD, I believe the enterprise DRAC with a separate port should work but I haven't used one myself (I usually prefer a standalone remote power controller and cereal console).

OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP RTC BIOS diagnostic error 80clock_battery real mem = 4283691008 (4085MB) avail mem = 4155494400 (3962MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6730 (57 entries) bios0: vendor Dell Inc. version 1.2.3 date 07/21/2011 bios0: Dell Inc. PowerEdge R210 II acpi0 at bios0: rev 2 acpi0: sleep states S0 S4 S5 acpi0: tables DSDT FACP SPMI ASF!
HPET APIC MCFG BOOT SSDT SSDT ASPT SSDT SSDT HEST ERST BERT EINJ acpi0: wakeup devices P0P1(S4) GLAN(S0) EHC1(S4) EHC2(S4) PXSX(S4) RP01(S5) PXSX(S4) RP02(S5) PXSX(S4) RP03(S5) PXSX(S4) RP04(S5) PXSX(S4) RP05(S5) PXSX(S4) RP06(S5) PXSX(S4) RP07(S5) PXSX(S4) RP08(S5) PEG0(S5) PEGP(S5) PEG1(S5) PEG2(S5) PEG3(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz, 3100.44 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF cpu0: 256KB 64b/line 8-way L2 cache cpu0: apic clock running at 100MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz, 3100.02 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF cpu1: 256KB 64b/line 8-way L2 cache cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz, 3100.02 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF cpu2: 256KB 64b/line 8-way L2 cache cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz, 3100.02 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF cpu3: 256KB 64b/line 8-way L2 cache 
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 3 (P0P1) acpiprt2 at acpi0: bus 2 (RP01) acpiprt3 at acpi0: bus -1 (RP02) acpiprt4 at acpi0: bus -1 (RP03) acpiprt5 at acpi0: bus -1 (RP04) acpiprt6 at acpi0: bus -1 (RP05) acpiprt7 at acpi0: bus -1 (RP06) acpiprt8 at acpi0: bus -1 (RP07) acpiprt9 at acpi0: bus -1 (RP08) acpiprt10 at acpi0: bus 1 (PEG0) acpiprt11 at acpi0: bus -1 (PEG1) acpiprt12 at acpi0: bus -1 (PEG2) acpiprt13 at acpi0: bus -1 (PEG3) acpicpu0 at acpi0: C3, C2, C1, PSS acpicpu1 at acpi0: C3, C2, C1, PSS acpicpu2 at acpi0: C3, C2, C1, PSS acpicpu3 at acpi0: C3, C2, C1, PSS acpipwrres0 at acpi0: FN00 acpipwrres1 at acpi0: FN01 acpipwrres2 at acpi0: FN02 acpipwrres3 at acpi0: FN03 acpipwrres4 at acpi0: FN04 acpitz0 at acpi0: critical temperature is 100 degC ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca8/8 spacing 4 cpu0: Enhanced SpeedStep 3100 MHz: speeds: 3101, 3100, 2600, 2400, 2200, 2000, 1800, 1600 MHz pci0 at mainbus0 bus 0 pchb0 at
Re: Hardware (firewall) recommendation
On 10.5.2012 3:28, Predrag Punosevac wrote:

> Dear All,
>
> I am resurrecting this thread which I followed carefully because I need some hardware advice for the firewall machine which is going to serve our new scientific computing laboratory. Initially behind this firewall, we will have only two small (16 and 8 nodes) clusters, a GPU based super computer, a CVS/File server and a web-server for PMWiki. They will be accessible to users (15-20 for now) only via SSH(NX X) and HTTP protocols.
>
> We are vendor locked due to the contract between DeLL and the University system of Georgia. I would like to hear opinion about:
>
> Dell PowerEdge R210 II Ultra-compact Rack Server
> http://www.dell.com/us/enterprise/p/poweredge-r210-2/pd
>
> I am looking at the one with Intel Gigabit ET Quad Port Adapter, Gigabit Ethernet NIC, PCIe x4
>
> Does One Dual port Broadcom BCM 5716 work on OpenBSD? What about those Broadcom NetXtremes ?
>
> It is not going to have RAID controller. We are looking at the one with Dual-core Intel Celeron G400 and G500 series
>
> Thank you so much!
> Predrag

Hello,

I have R410 (OpenBSD 5.0) in production with BCM5716 and intel 82599 and everything is working fine. BCM5716 does not support mtu 9000.

OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 6428266496 (6130MB) avail mem = 6243024896 (5953MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xcf49c000 (78 entries) bios0: vendor Dell Inc. version 1.6.3 date 02/07/2011 bios0: Dell Inc.
PowerEdge R410 acpi0 at bios0: rev 2 acpi0: sleep states S0 S4 S5 acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST BERT EINJ SRAT TCPA SSDT acpi0: wakeup devices PCI0(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 32 (boot processor) cpu0: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.32 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG cpu0: 256KB 64b/line 8-way L2 cache cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 34 (application processor) cpu1: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.00 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG cpu1: 256KB 64b/line 8-way L2 cache cpu2 at mainbus0: apid 50 (application processor) cpu2: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.00 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG cpu2: 256KB 64b/line 8-way L2 cache cpu3 at mainbus0: apid 52 (application processor) cpu3: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.00 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG cpu3: 256KB 64b/line 8-way L2 cache ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins ioapic1 at mainbus0: apid 1 pa 0xfec8, version 20, 24 pins ioapic1: misconfigured as apic 0, remapped to apid 1 acpihpet0 at acpi0: 14318179 Hz acpimcfg0 at acpi0 addr 
0xe000, bus 0-255 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (PEX1) acpiprt2 at acpi0: bus 2 (PEX3) acpiprt3 at acpi0: bus 3 (PEX7) acpiprt4 at acpi0: bus -1 (PEX9) acpiprt5 at acpi0: bus -1 (PEXA) acpiprt6 at acpi0: bus -1 (SBEX) acpiprt7 at acpi0: bus 4 (COMP) acpicpu0 at acpi0: C3, C1 acpicpu1 at acpi0: C3, C1 acpicpu2 at acpi0: C3, C1 acpicpu3 at acpi0: C3, C1 ipmi at mainbus0 not configured pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 Intel 5500 Host rev 0x13 ppb0 at pci0 dev 1 function 0 Intel X58 PCIE rev 0x13 pci1 at ppb0 bus 1 bnx0 at pci1 dev 0 function 0 Broadcom BCM5716 rev 0x20: apic 1 int 4 bnx1 at pci1 dev 0 function 1 Broadcom BCM5716 rev 0x20: apic 1 int 16 ppb1 at pci0 dev 3 function 0 Intel X58 PCIE rev 0x13 pci2 at ppb1 bus 2 mpi0 at pci2 dev 0 function 0 Symbios Logic SAS1068E rev 0x08: msi scsibus0 at mpi0: 112 targets sd0 at scsibus0 targ 0 lun 0: Dell, VIRTUAL DISK, 1028 SCSI3 0/direct fixed naa.600508e02a7749fd24f2d10d sd0: 139392MB, 512 bytes/sector, 285474816 sectors ses0 at scsibus0 targ 8 lun 0: DP, BACKPLANE, 1.07 SCSI3 13/enclosure services fixed t10.DP_BACKPLANE00 ppb2 at pci0 dev 7 function 0 Intel X58 PCIE rev 0x13: msi pci3 at ppb2 bus 3 ix0 at pci3 dev 0 function 0 Intel 10GbE SFP+ (82599) rev 0x01: msi, address 00:1b:21:9e:6c:98 ix1 at pci3 dev 0 function 1 Intel 10GbE SFP+ (82599) rev 0x01:
Re: Hardware (firewall) recommendation
Dear All,

I am resurrecting this thread which I followed carefully because I need some hardware advice for the firewall machine which is going to serve our new scientific computing laboratory. Initially behind this firewall, we will have only two small (16 and 8 nodes) clusters, a GPU based super computer, a CVS/File server and a web-server for PMWiki. They will be accessible to users (15-20 for now) only via SSH(NX X) and HTTP protocols.

We are vendor locked due to the contract between DeLL and the University system of Georgia. I would like to hear opinion about:

Dell PowerEdge R210 II Ultra-compact Rack Server
http://www.dell.com/us/enterprise/p/poweredge-r210-2/pd

I am looking at the one with Intel Gigabit ET Quad Port Adapter, Gigabit Ethernet NIC, PCIe x4

Does One Dual port Broadcom BCM 5716 work on OpenBSD? What about those Broadcom NetXtremes ?

It is not going to have RAID controller. We are looking at the one with Dual-core Intel Celeron G400 and G500 series

Thank you so much!
Predrag
Hardware (firewall) recommendation
Hello,

I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.

What I am after:

* 1U i386/amd64 server,
* 2 sockets,
* RAID 1 SAS/SATA controller (2 hard drives are enough)
* decent dual LAN onboard
* at least one/preferably two PCI-X slots to add one dual/couple of single fibre network cards
* IPMI 2.0 with out of band management

I am pushed towards buying from one of the big vendors (IBM/Dell/HP/?) as one of the requirements is to have 24x7x4h or 24x7x8h support. Machines will be running pf, bgp, relayd (not necessarily all three on a single unit), should handle about 200Mbit of traffic (30K-50K pps).

I tried IBM x3550 few years back, but the dumb raid controller was not supported then, not sure if it changed since.

Thanks in advance,
--
Marcin
Re: Hardware (firewall) recommendation
there is a project that you can install an embedded version of openbsd on. it's called the routerboard project. no need for power sapping drives, big screens and all that junk. I don't have the site on hand, but it is out there.

-eric

On Apr 16, 2012, at 11:58 PM, Marcin wrote:

> Hello,
>
> I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
>
> What I am after:
>
> * 1U i386/amd64 server,
> * 2 sockets,
> * RAID 1 SAS/SATA controller (2 hard drives are enough)
> * decent dual LAN onboard
> * at least one/preferably two PCI-X slots to add one dual/couple of single fibre network cards
> * IPMI 2.0 with out of band management
>
> I am pushed towards buying from one of the big vendors (IBM/Dell/HP/?) as one of the requirements is to have 24x7x4h or 24x7x8h support. Machines will be running pf, bgp, relayd (not necessarily all three on a single unit), should handle about 200Mbit of traffic (30K-50K pps).
>
> I tried IBM x3550 few years back, but the dumb raid controller was not supported then, not sure if it changed since.
>
> Thanks in advance,
> --
> Marcin
Re: Hardware (firewall) recommendation
* Marcin mig...@gmail.com [2012-04-17 08:59]:

> I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
>
> What I am after:
>
> * 1U i386/amd64 server,
> * 2 sockets,

what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.

> * RAID 1 SAS/SATA controller (2 hard drives are enough)

what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.

I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Hardware (firewall) recommendation
On Tuesday, April 17, 2012 09:35 CEST, Henning Brauer lists-open...@bsws.de wrote:

> * Marcin mig...@gmail.com [2012-04-17 08:59]:
> > I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
> >
> > What I am after:
> >
> > * 1U i386/amd64 server,
> > * 2 sockets,
>
> what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
>
> > * RAID 1 SAS/SATA controller (2 hard drives are enough)
>
> what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
>
> I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.

Sorry for hijacking the thread, but I was going to ask a very similar question later today. I've seen, some of those boards have IPMI interface, which would be one of my requirements. The processor with its 4 cores should probably be fine handling a few ftp-proxy and relayd.

I'd like to put in two 10GB ethernet adapters, CX or fibre is still to be decided. Looking at the amd64.html page, I found the ixgb, ix, xge and tht supported. Looking at the manual pages, I'd probably go for the xge based cards, since they support checksum offload and VLAN tag insertion and stripping, to move some load from the CPU on to the network cards.

I'd like to know if my assumption to the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.
cheers,
Sebastian
Re: Hardware (firewall) recommendation
* Sebastian Reitenbach sebas...@l00-bugdead-prods.de [2012-04-17 10:40]:

> On Tuesday, April 17, 2012 09:35 CEST, Henning Brauer lists-open...@bsws.de wrote:
> > * Marcin mig...@gmail.com [2012-04-17 08:59]:
> > > I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
> > >
> > > What I am after:
> > >
> > > * 1U i386/amd64 server,
> > > * 2 sockets,
> >
> > what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
> >
> > > * RAID 1 SAS/SATA controller (2 hard drives are enough)
> >
> > what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
> >
> > I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.
>
> Sorry for hijacking the thread, but I was going to ask a very similar question later today. I've seen, some of those boards have IPMI interface, which would be one of my requirements.

I don't use their ipmi, all hail cereal consoles.

> The processor with its 4 cores should probably be fine handling a few ftp-proxy and relayd.

easily.

> I'd like to put in two 10GB ethernet adapters, CX or fibre is still to be decided. Looking at the amd64.html page, I found the ixgb, ix, xge and tht supported. Looking at the manual pages, I'd probably go for the xge based cards, since they support checksum offload and VLAN tag insertion and stripping, to move some load from the CPU on to the network cards.

CPU cycles are not your problem really. memory bandwidth is another story.

> I'd like to know if my assumption to the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.

it should, I think, but this is always a bit hard to predict.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Hardware (firewall) recommendation
On Tuesday, April 17, 2012 10:47 CEST, Henning Brauer lists-open...@bsws.de wrote:

> * Sebastian Reitenbach sebas...@l00-bugdead-prods.de [2012-04-17 10:40]:
> > On Tuesday, April 17, 2012 09:35 CEST, Henning Brauer lists-open...@bsws.de wrote:
> > > * Marcin mig...@gmail.com [2012-04-17 08:59]:
> > > > I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
> > > >
> > > > What I am after:
> > > >
> > > > * 1U i386/amd64 server,
> > > > * 2 sockets,
> > >
> > > what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
> > >
> > > > * RAID 1 SAS/SATA controller (2 hard drives are enough)
> > >
> > > what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
> > >
> > > I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.
> >
> > Sorry for hijacking the thread, but I was going to ask a very similar question later today. I've seen, some of those boards have IPMI interface, which would be one of my requirements.
>
> I don't use their ipmi, all hail cereal consoles.

I thought about being able to power cycle the machine when it freezes that hard, when it may not drop into ddb. Otherwise yes, serial console would suffice, even rebooting from within ddb. I hope it may not happen at all, but who knows, hardware may be faulty, and weird things may happen ;)

> > The processor with its 4 cores should probably be fine handling a few ftp-proxy and relayd.
>
> easily.
>
> > I'd like to put in two 10GB ethernet adapters, CX or fibre is still to be decided. Looking at the amd64.html page, I found the ixgb, ix, xge and tht supported. Looking at the manual pages, I'd probably go for the xge based cards, since they support checksum offload and VLAN tag insertion and stripping, to move some load from the CPU on to the network cards.
>
> CPU cycles are not your problem really. memory bandwidth is another story.

OK good point, thanks.

> > I'd like to know if my assumption to the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.
>
> it should, I think, but this is always a bit hard to predict.

Also here, thanks. I didn't expect to get around of a test, just wanted to get a little bit of confidence, I don't move into a totally wrong direction with my assumptions.

Sebastian
Re: Hardware (firewall) recommendation
* Sebastian Reitenbach sebas...@l00-bugdead-prods.de [2012-04-17 11:45]:

> On Tuesday, April 17, 2012 10:47 CEST, Henning Brauer lists-open...@bsws.de wrote:
> > * Sebastian Reitenbach sebas...@l00-bugdead-prods.de [2012-04-17 10:40]:
> > > On Tuesday, April 17, 2012 09:35 CEST, Henning Brauer lists-open...@bsws.de wrote:
> > > > * Marcin mig...@gmail.com [2012-04-17 08:59]:
> > > > > I am looking for a hardware recommendation for a new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
> > > > >
> > > > > What I am after:
> > > > >
> > > > > * 1U i386/amd64 server,
> > > > > * 2 sockets,
> > > >
> > > > what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
> > > >
> > > > > * RAID 1 SAS/SATA controller (2 hard drives are enough)
> > > >
> > > > what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
> > > >
> > > > I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.
> > >
> > > Sorry for hijacking the thread, but I was going to ask a very similar question later today. I've seen, some of those boards have IPMI interface, which would be one of my requirements.
> >
> > I don't use their ipmi, all hail cereal consoles.
>
> I thought about being able to power cycle the machine when it freezes that hard, when it may not drop into ddb. Otherwise yes, serial console would suffice, even rebooting from within ddb. I hope it may not happen at all, but who knows, hardware may be faulty, and weird things may happen ;)

I use separate power controllers.

> > > I'd like to know if my assumption to the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.
> >
> > it should, I think, but this is always a bit hard to predict.
>
> Also here, thanks. I didn't expect to get around of a test, just wanted to get a little bit of confidence, I don't move into a totally wrong direction with my assumptions.

looks like you're right on track :) let us know how it goes.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Hardware (firewall) recommendation
Henning Brauer(lists-open...@bsws.de) on 2012.04.17 11:52:49 +0200:

> > I thought about being able to power cycle the machine when it freezes that hard, when it may not drop into ddb. Otherwise yes, serial console would suffice, even rebooting from within ddb. I hope it may not happen at all, but who knows, hardware may be faulty, and weird things may happen ;)
>
> I use separate power controllers.

i use the ipmi to reboot/power-cycle and monitoring PSUs. The IPMI SOL console on the supermicros has problems here with losing/not displaying characters when pasting larger chunks of text, so i still use the serial console.

> > > > I'd like to know if my assumption to the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.
> > >
> > > it should, I think, but this is always a bit hard to predict.
> >
> > Also here, thanks. I didn't expect to get around of a test, just wanted to get a little bit of confidence, I don't move into a totally wrong direction with my assumptions.
>
> looks like you're right on track :) let us know how it goes.

yes please.
Re: Hardware (firewall) recommendation
On Tuesday, April 17, 2012 12:15 CEST, Sebastian Benoit benoit-li...@fb12.de wrote:

> Henning Brauer(lists-open...@bsws.de) on 2012.04.17 11:52:49 +0200:
> > > I thought about being able to power cycle the machine when it freezes that hard, when it may not drop into ddb. Otherwise yes, serial console would suffice, even rebooting from within ddb. I hope it may not happen at all, but who knows, hardware may be faulty, and weird things may happen ;)
> >
> > I use separate power controllers.
>
> i use the ipmi to reboot/power-cycle and monitoring PSUs. The IPMI SOL console on the supermicros has problems here with losing/not displaying characters when pasting larger chunks of text, so i still use the serial console.
>
> > > > > I'd like to know if my assumption to the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.
> > > >
> > > > it should, I think, but this is always a bit hard to predict.
> > >
> > > Also here, thanks. I didn't expect to get around of a test, just wanted to get a little bit of confidence, I don't move into a totally wrong direction with my assumptions.
> >
> > looks like you're right on track :) let us know how it goes.
>
> yes please.

First some other questions also need to get resolved, before even ordering the HW. So an answer may take a month or two. But I'll keep reporting back on my TODO list.

cheers,
Sebastian
Re: Hardware (firewall) recommendation
On 17 April 2012 09:35, Henning Brauer lists-open...@bsws.de wrote:

> * Marcin mig...@gmail.com [2012-04-17 08:59]:
> > What I am after:
> > * 2 sockets,
>
> what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.

Fair point. I am also planning to use single inbound and few OpenVPN outbound channels, however with AES-NI it should not be a problem for a single socket server.

> > * RAID 1 SAS/SATA controller (2 hard drives are enough)
>
> what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.

Simply because those machines are going to be several hundreds miles away. It is much easier to ask datacentre stuff to replace hard drive so it rebuilds and machine continues to run, instead of restoring it from a backup when the single harddrive fails.

> I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.

Thanks for that, this is a failsafe option, although I am looking more towards IBM/HP/Dell so I can fulfill the requirement for support contracts.

Regards,
--
Marcin
Re: Hardware (firewall) recommendation
* Marcin mig...@gmail.com [2012-04-17 18:11]:

> On 17 April 2012 09:35, Henning Brauer lists-open...@bsws.de wrote:
> > * Marcin mig...@gmail.com [2012-04-17 08:59]:
> > > What I am after:
> > > * 2 sockets,
> >
> > what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
>
> Fair point. I am also planning to use single inbound and few OpenVPN outbound channels, however with AES-NI it should not be a problem for a single socket server.

no, not at all.

> > > * RAID 1 SAS/SATA controller (2 hard drives are enough)
> >
> > what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
>
> Simply because those machines are going to be several hundreds miles away. It is much easier to ask datacentre stuff to replace hard drive so it rebuilds and machine continues to run, instead of restoring it from a backup when the single harddrive fails.

well, as said, you are lowering the reliability and increase the chance of failure here. a good SSD likely lives longer than the computer around it.

> > I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.
>
> Thanks for that, this is a failsafe option, although I am looking more towards IBM/HP/Dell so I can fulfill the requirement for support contracts.

my supermicro supplier offers the very same support options. (and as usual it makes much more sense to have spares yourself, at least with a halfway significant number of machines around)

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Hardware (firewall) recommendation
On 17/04/2012 08:35, Henning Brauer wrote:

> I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.

+1
Have a pair of X9SCM-F-O with E31230 in production
http://www.nycbug.org/?action=dmesgd&dmesgid=2354

Sevan
Re: Hardware (firewall) recommendation
On Tue, Apr 17, 2012 at 10:39:56AM +0200, Sebastian Reitenbach wrote:
> On Tuesday, April 17, 2012 09:35 CEST, Henning Brauer lists-open...@bsws.de wrote:
>> * Marcin mig...@gmail.com [2012-04-17 08:59]:
>>> I am looking for a hardware recommendation for new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
>>>
>>> What I am after:
>>> * 1U i386/amd64 server,
>>> * 2 sockets,
>>
>> what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
>>
>>> * RAID 1 SAS/SATA controller (2 hard drives are enough)
>>
>> what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
>>
>> I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.
>
> Sorry for hijacking the thread, but I was going to ask a very similar question later today. I've seen, some of those boards have IPMI interface, which would be one of my requirements. The processor with its 4 cores should probably be fine handling a few ftp-proxy and relayd.

Get CPUs with as much GHz and as much cache as possible. Since most work will be done by one core the GHz matter and more cache helps a fair bit.

> I'd like to put in two 10GB ethernet adapters, CX or fibre is still to be decided. Looking at the amd64.html page, I found the ixgb, ix, xge and tht supported. Looking at the manual pages, I'd probably go for the xge based cards, since they support checksum offload and VLAN tag insertion and stripping, to move some load from the CPU on to the network cards.

xge(4) is old and AFAIK PCI-X only. You want to go with ix(4) on current systems. There you also get more options of connectors (SFP+, 10G-T, ...) and dual port cards.

> I'd like to know if my assumptions about the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.

I know quite a few systems using ix(4) adapters, they are solid and a lot of tuning is going into them.

--
:wq Claudio

Re: Hardware (firewall) recommendation
On Tuesday, April 17, 2012 21:04 CEST, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> On Tue, Apr 17, 2012 at 10:39:56AM +0200, Sebastian Reitenbach wrote:
>> On Tuesday, April 17, 2012 09:35 CEST, Henning Brauer lists-open...@bsws.de wrote:
>>> * Marcin mig...@gmail.com [2012-04-17 08:59]:
>>>> I am looking for a hardware recommendation for new OpenBSD based firewalls. So far I have been using IBM x336s, but they are slowly approaching end of life.
>>>>
>>>> What I am after:
>>>> * 1U i386/amd64 server,
>>>> * 2 sockets,
>>>
>>> what for? unless you run extremely heavy userland proxies, you don't get much (any) benefit, especially given that the one-socket machines are all 4core now.
>>>
>>>> * RAID 1 SAS/SATA controller (2 hard drives are enough)
>>>
>>> what for? that increases complexity and thus chance to fail with no benefit. you have no precious data on those disks and have two machines.
>>>
>>> I'm very happy with Supermicro X9SC* based systems, with Xeon E3-1220 and an Intel SSD. Check with your local supplier for exact model options. Superior performance, 35W idle, no trouble whatsoever, fair pricing.
>>
>> Sorry for hijacking the thread, but I was going to ask a very similar question later today. I've seen, some of those boards have IPMI interface, which would be one of my requirements. The processor with its 4 cores should probably be fine handling a few ftp-proxy and relayd.
>
> Get CPUs with as much GHz and as much cache as possible. Since most work will be done by one core the GHz matter and more cache helps a fair bit.

noted.

>> I'd like to put in two 10GB ethernet adapters, CX or fibre is still to be decided. Looking at the amd64.html page, I found the ixgb, ix, xge and tht supported. Looking at the manual pages, I'd probably go for the xge based cards, since they support checksum offload and VLAN tag insertion and stripping, to move some load from the CPU on to the network cards.
>
> xge(4) is old and AFAIK PCI-X only. You want to go with ix(4) on current systems. There you also get more options of connectors (SFP+, 10G-T, ...) and dual port cards.
>
>> I'd like to know if my assumptions about the cards are right, and whether this box would be able to handle that kind of bandwidth the cards provide. It actually only needs to handle about 3GB/s, but don't want to start trunking GigaBit interfaces. Or if I'm wrong with my assumptions, if someone has good experience with other 10GbE adapters.
>
> I know quite a few systems using ix(4) adapters, they are solid and a lot of tuning is going into them.

also noted the nic recommendations.

thanks,
Sebastian

> --
> :wq Claudio

Re: Hardware (firewall) recommendation
On 2012-04-17, Marcin mig...@gmail.com wrote:
> * at least one/preferably two PCI-X slots to add one dual/couple of single fibre network cards

usually PCIE on anything modern

> * IPMI 2.0 with out of band management

if rs232 isn't enough, you want one with a dedicated nic on a secure management network.

> I am pushed towards buying from one of the big vendors (IBM/Dell/HP/?) as one of the requirements is to have 24x7x4h or 24x7x8h support.

if you're buying a few, spare h/w is probably cheaper (and easier to get hold of when you need it).