
01-05-2011, 11:17 AM | Newbie | Join Date: Dec 2010 | Posts: 22
I think I managed to read 90% of the posts related to pfSense, not just here but on other forums as well. Since I'm fairly new to firewalling, I was wondering if you could help me out.
So far we host about 200 sites and have a 100Mbit connection. For this year we planned to host 800 new domains. So far we have APF installed on our servers, which works fairly well, but we know that in the near future we will need something in front of our servers, and we hope pfSense can do the job. What is your personal experience with pfSense, can it handle this kind of traffic, and what hardware is preferable in the case of a 100Mbit connection?
Thanks in advance

01-05-2011, 12:47 PM | Aspiring Evangelist | Join Date: May 2010 | Location: Toronto, Canada | Posts: 400
pfSense's web interface is pretty easy to use and they have been around for a while. I'm not sure how actively they are maintaining it currently -- perhaps you can get an idea of that from their site.
Being based on OpenBSD's PF, pfSense can certainly handle your traffic + much more. A lot depends on the hardware obviously, such as the interfaces, CPU and RAM, although you won't need anything super powerful by any means. Just enough to handle the # of states/connections.
If you're more comfortable with managing firewalls via the command line, I'd recommend you just build a pair of redundant OpenBSD/FreeBSD PF firewalls (carp + pfsync + pf).
You can read more on PF here:
http://www.openbsd.org/faq/pf/

01-05-2011, 01:23 PM | Newbie | Join Date: Dec 2010 | Posts: 22
Thank you for your fast response; it was something I was hoping to hear. I will make one firewall on an Atom 330 and see how it performs.
Thanks

01-05-2011, 01:25 PM | Web Hosting Master | Join Date: Aug 2009 | Location: Orlando, FL | Posts: 1,055
My 2 cents:
PFsense is great. It's easy to use, works great and performance is great. However, most network administrators (myself included) don't like the idea of putting a server in front of other servers.
At the end of the day, a PFsense box is another server. Typically it has more parts that could fail compared to traditional hardware firewalls like those from Cisco and Juniper.
Again, I'm not saying it won't work. It will. Food for thought.

01-05-2011, 01:29 PM | Aspiring Evangelist | Join Date: May 2010 | Location: Toronto, Canada | Posts: 400
Quote: Originally Posted by skullbox
My 2 cents:
PFsense is great. It's easy to use, works great and performance is great. However, most network administrators (myself included) don't like the idea of putting a server in front of other servers.
At the end of the day, a PFsense box is another server. Typically it has more parts that could fail compared to traditional hardware firewalls like those from Cisco and Juniper.
Again, I'm not saying it won't work. It will. Food for thought.
This is why I suggested pf + carp + pfsync. I believe pfSense can utilize CARP (Common Address Redundancy Protocol), but I'm not 100% sure on that.
Anything on the edge of your network needs to be redundant. With CARP you can have as many passive firewalls waiting to jump right in if the master fails. pfsync will keep all the states for minimal packet loss in the event of a failure.

01-05-2011, 01:44 PM | ******* Unleaded | Join Date: Feb 2004 | Posts: 3,788
Quote: Originally Posted by skullbox
My 2 cents:
PFsense is great. It's easy to use, works great and performance is great. However, most network administrators (myself included) don't like the idea of putting a server in front of other servers.
At the end of the day, a PFsense box is another server. Typically it has more parts that could fail compared to traditional hardware firewalls like those from Cisco and Juniper.
Yes, it's really nice.
As far as hardware failure goes, it is possible to install pfSense on a CF flash card, and these days an SSD. At that point you have no more moving parts than a Cisco/Juniper.
And wasn't JunOS BSD-based?
@OP, you probably want more than an Atom, and stay away from Realtek NICs. See the pfsense.org forums for lots of moans and groans about Realtek.

01-05-2011, 01:48 PM | Aspiring Evangelist | Join Date: May 2010 | Location: Toronto, Canada | Posts: 400
Quote: Originally Posted by plumsauce
And wasn't JunOS BSD-based?
Juniper is indeed BSD-based (FreeBSD possibly).

01-06-2011, 03:04 AM | Junior Guru | Join Date: Jul 2009 | Posts: 228
pfSense is a serious contender out there. With the right hardware design it should be similar to any Cisco or Juniper platform (caveat: non-enterprise level bandwidth).
I've run pfSense firewalls that were up 600+ days. With these firewalls there are two things you have to take into consideration: your expected pps and the number of states you are expecting to connect on your system. PF is non-threaded, so investing in a multicore CPU probably won't give you any additional performance. CPU speed is probably more what you want to look into rather than the number of cores (again, this is if you are running at less than a 1 GBps rate).
One shortcoming for PF on its stable release (1.2.3) is the implementation of QoS (it uses ALTQ) on multiple interfaces (i.e. you have multiple upstream gateways). This is supposed to be addressed in the next major release, 2.0, but that is still very beta.
Other than that, all the major components of the system are mature (CARP, OpenBGPD, OpenOSPF, OpenVPN, IPSec, VLAN 802.1Q support, etc.) plus a slew of packages like Snort, HAVP, HAProxy, Squid and so on.
On a side note, there was one documented user that was serving Foxnews.com and Foxbusiness.com behind Dell 1950s doing 600-800 Mbps, so yeah, I think it's robust enough.
And if that doesn't convince you, here's another one (16 RAM, 8-core Xeon), MRTG provided by the operator:
http://i987.photobucket.com/albums/a...gy/pmrtgpl.png
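To make the advice in this post and the earlier carp + pfsync recommendation concrete, here is a pf.conf for a redundant pair of pf firewalls in front of hosted web servers, with the state table sized for the expected connection count as this post suggests. This is an added example, not a ruleset from the thread or from the pfSense project. The interface names (em0/em1/em2), the 203.0.113.0/24 and 10.10.0.0/24 addresses, the server and management hosts, and the CARP shared secret are all assumptions for illustration; both firewalls run the same file.

```pf
# Added example (not from the thread): pf.conf for a pair of redundant pf firewalls
# (carp + pfsync + pf) in front of hosted web servers. Interfaces, addresses and the
# shared secret are assumptions for illustration.
#
# Per-host interface setup, OpenBSD hostname.if(5) style (FreeBSD does the same via rc.conf):
#   /etc/hostname.pfsync0        : up syncdev em2
#   /etc/hostname.carp0 (master) : inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass <secret> advskew 0
#   /etc/hostname.carp1 (master) : inet 10.10.0.1 255.255.255.0 10.10.0.255 vhid 2 carpdev em1 pass <secret> advskew 0
#   The backup uses the same files with advskew 100. Both hosts set
#   sysctl net.inet.carp.preempt=1 so the WAN and LAN addresses fail over together
#   instead of leaving one side on each box.

ext_if  = "em0"     # upstream side, carries the WAN CARP address 203.0.113.1
int_if  = "em1"     # server network, carries the LAN CARP address 10.10.0.1 (servers' gateway)
sync_if = "em2"     # dedicated crossover link for pfsync; never plugged into either network

table <webservers> { 203.0.113.10 203.0.113.11 }   # constructed sample hosts
table <mgmt>       { 10.10.0.50 }                  # constructed admin workstation

# Size the state table for the expected connection count instead of the default;
# every synced state must fit on the backup as well, so both boxes get the same limit.
set limit states 200000
set skip on lo

block log all

# CARP advertisements arrive on the physical interfaces, pfsync updates only on the
# crossover link. Without these two rules failover and state sync silently stop working.
pass quick on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync

# Hosted sites: inbound HTTP/HTTPS only. No "on" qualifier because OpenBSD shows traffic
# for a CARP address on carp0 while FreeBSD shows it on the parent interface; matching
# on direction and address works the same on both. States are floating, so the packet
# leaving on $int_if needs no separate rule.
pass in inet proto tcp to <webservers> port { 80 443 } keep state

# Servers reaching out (updates, DNS) and management SSH to the firewalls themselves.
pass in on $int_if inet from <webservers> keep state
pass in on $int_if inet proto tcp from <mgmt> to self port 22 keep state
```

After loading this on both nodes, `pfctl -s states` on the backup should list the same connections as the master, and pulling the master's upstream cable should move both CARP addresses to the backup without the existing HTTP sessions being reset.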

01-06-2011, 06:42 AM | ******* Unleaded | Join Date: Feb 2004 | Posts: 3,788
Very impressive.
BTW, one of the maintainers publishes a book on pfSense that ought to be a good investment for a serious pfSense user.

01-08-2011, 08:27 AM | Newbie | Join Date: Dec 2010 | Posts: 22
It seems that pfSense is the best open source firewall.

02-19-2011, 01:12 AM | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 80
How do you use pfSense with an entire subnet of IP addresses? Is it not mainly a NAT firewall/router?

02-19-2011, 03:06 AM | Junior Guru | Join Date: Jul 2009 | Posts: 228
NAT can be disabled on any interface and subnet.

02-19-2011, 09:46 AM | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 80
Could you give some more detailed info? I would really like to know how to configure pfSense to route a subnet. I've been unable to find any resources online. Thx

02-19-2011, 10:06 AM | Aspiring Evangelist | Join Date: May 2010 | Location: Toronto, Canada | Posts: 400
Your pfSense firewall would act as a gateway for each subnet you possess. Your pass in or out rules would have reply-to options to route traffic through the proper subnet.
If the subnet is private IPs you would need to NAT the traffic, obviously. Search Google for FreeBSD gateways or FreeBSD multiple gateways.
pfSense is just FreeBSD + pf with a fancy web interface.
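What the reply-to approach described in this post looks like as an actual ruleset: the pf.conf below routes a public /24 without any NAT behind two upstream links, which is the "NAT disabled on that interface and subnet" case asked about above. It is an added example, not from the thread or from pfSense; it is written by hand in the FreeBSD pf syntax that pfSense's generated ruleset uses (current OpenBSD places route-to/reply-to at the end of the rule instead). The interface names, the gateway addresses 198.51.100.1 and 192.0.2.1, and the subnet 203.0.113.0/24 are assumptions.

```pf
# Added example (not from the thread): route a public /24 without NAT behind two
# upstream links, FreeBSD pf syntax. Interfaces, gateways and the subnet are assumptions.

wan1_if = "em0"
wan1_gw = "198.51.100.1"   # upstream A, also the system default route
wan2_if = "em1"
wan2_gw = "192.0.2.1"      # upstream B
lan_if  = "em2"            # the /24 lives here; this box's LAN address is the servers' gateway
routed  = "203.0.113.0/24"

set skip on lo
block log all

# No nat or rdr lines for $routed at all: both upstreams route the /24 to this box, so
# packets keep their public addresses in both directions. pf just filters and forwards.

# Anything leaving the server network with a source outside our /24 is a misconfigured
# or spoofed host; drop it before the pass rules below can match it.
block in quick on $lan_if inet from ! $routed

# Inbound to the hosted subnet. reply-to pins each state's return packets to the link
# the connection arrived on, so a request that came in via B is not answered out of A's
# default route (asymmetric routing that B's provider would treat as spoofed and drop).
pass in on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto tcp to $routed port { 80 443 } keep state
pass in on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp to $routed port { 80 443 } keep state

# Outbound from the subnet: the default route sends it via A. The second rule is later
# in the file, so last-match-wins makes the upper half of the /24 leave via B instead
# (route-to), for example to split load between the two links.
pass in on $lan_if inet from $routed keep state
pass in on $lan_if route-to ($wan2_if $wan2_gw) inet from 203.0.113.128/25 to ! $routed keep state
```

Because states are floating, the reply to an inbound connection is matched on $lan_if by the state created on the WAN rule and needs no extra pass rule. Watching `tcpdump -i em1` on upstream B while fetching a site through B's address is the quick check that the reply-to is taking effect: the SYN/ACK must leave on em1, not em0.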

02-19-2011, 10:56 AM | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 80
So, what you are saying is I should be focusing more on BSD + pf instead of pfSense? I need to add some routers to a few sites, but it's not worth dropping thousands on Cisco gear. I'm thinking about building a 1U with dual Intel mini-ITX motherboards, each with dual Gb NICs. Seems like this could be a good fault-tolerant setup that wouldn't break the bank.