Spargeltarzan Guru
Joined: 23 Jul 2017 Posts: 317
Posted: Sat Jul 21, 2018 9:30 pm Post subject: Hardware & OS for Firewall-PC
Hello Community,
I want to set up a firewall PC. I use an LTE mobile connection (modem + router in one device).
Currently I thought I will continue to use the LTE device as a modem and route all traffic to the firewall PC, a little barebone shown in the Amazon link. Quad-core Atom (as I read in other threads, ARM will be too weak), 4 ports, 4 GB RAM, 32 GB SATA. Since I want wifi also to be protected by the firewall I will need a wifi card; the chassis supports it and has holes for the antennas.
Barebone:
https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-AES-NI/dp/B0742P83HY/ref=sr_1_4?ie=UTF8&qid=1532207426&sr=8-4&keywords=firewall+barebone
Wifi:
https://www.amazon.com/Intel-7260-HMWG-R-Wireless-AC-Network-adapter/dp/B00MV3N7UO/ref=sr_1_3?s=electronics&ie=UTF8&qid=1532254961&sr=1-3&keywords=mini+pcie+wifi+card
LTE:
https://www.amazon.com/Huawei-ME909s-120/dp/B01771E8KM/ref=sr_1_1?ie=UTF8&qid=1532254853&sr=8-1&keywords=Huawei+ME909s-120
+ SIM Mount Kit
https://www.amazon.de/Jetway-ADMPESIMB-SIM-Karten-Adapter-Mini-PCIe-Modems/dp/B07DC2DPBC/ref=sr_1_fkmr1_2?s=computers&ie=UTF8&qid=1532262837&sr=1-2-fkmr1&keywords=sim+mount+pcie+lte
- What do you think about it? Any other (better) options?
- Would you continue to use the LTE modem, or would you embed the LTE modem into the barebone with a card, probably USB or mini PCIe, and use only one device as firewall + modem?
- If you know something cheaper, I will not be sad, but the device should fulfil the requirements. Do you think this is overpowered? (for home office)
I plan to use Gentoo and set up iptables, snort, ...
Prebuilt solutions like pfSense, Sophos UTM, etc. draw my attention because of their eye-candy web interfaces, but I guess it is better to work with config files in Gentoo. What is your opinion about it?
Regards
Spargeltarzan
Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB RAM, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
Last edited by Spargeltarzan on Sun Jul 29, 2018 10:20 pm; edited 1 time in total
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Wed Jul 25, 2018 5:11 am Post subject:
I think it would be better to use an ITX mainboard, because
it is unclear whether the complete hardware is supported by Gentoo or other Linux distros.
Spargeltarzan Guru
Joined: 23 Jul 2017 Posts: 317
Posted: Sun Jul 29, 2018 10:20 pm Post subject:
Thank you!
I started to use my quite old AMD Athlon X2 240e system to build my firewall PC. I tried pfSense for an hour or so; it works, but I am fascinated by the idea of setting up a Gentoo for my purpose.
Maybe the lack of a web interface is even a smaller attack surface. Who uses Gentoo as a firewall solution? Any hints or recommendations here?
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Mon Jul 30, 2018 6:19 am Post subject:
I have assembled a firewall with an Intel ITX mainboard (Gigabyte GA-N3150N-D3V), 8 GB RAM, 120 GB SSD.
This board has 2 network chips, so it can be set up as a firewall easily.
There are also ITX boards for Core chips available, like the Gigabyte H310M S2H. You can add a multi-port network card there.
Spargeltarzan Guru
Joined: 23 Jul 2017 Posts: 317
Posted: Mon Jul 30, 2018 9:27 am Post subject:
If I find that my X2 240e is a bottleneck I will upgrade the CPU/mainboard. Thanks for the suggestions! Currently I have it on an old mATX AMD board with 3 PCIe and 1 PCI slots. I can put in a wifi, LTE and ethernet card.
And which OS are you running on your firewall PCs? And which packages are you using? iptables, snort, squid?
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Mon Jul 30, 2018 9:29 am Post subject:
I am running IPFire: https://www.ipfire.org/
With iptables.
P.Kosunen Guru
Joined: 21 Nov 2005 Posts: 309 Location: Finland
Posted: Mon Jul 30, 2018 1:55 pm Post subject:
https://fit-iot.com/web/products/fitlet2/
I am just upgrading my old Supermicro Atom N2800 box to a Compulab Fitlet 2. I've become lazy, so I switched from Gentoo to Void Linux (musl) this time; Atoms take a bit too much time compiling. So far Void Linux with XBPS and runit has been a pleasant surprise.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Mon Jul 30, 2018 3:17 pm Post subject:
Regarding the Atom processor: there is the Atom that gets sold to your grandma so she can check her email, and there's the Atom that is designed for enterprise communications appliances. Intel has made big efforts in the past years to develop low-power (consumption) hardware to replace services which are traditionally handled by bigger processors. Networking, for example, is clearly common enough to develop a specialized hardware set, including processors, to deal with.
I have a C2758 board with 7x Intel NICs on-board. My cable-based internet speed is 75 Mbps at the moment. The system can manage a VPN endpoint and firewall easily at my full WAN line rate. For network speed I've done almost 2.5 Gbps without firewall rules, NAT or any other stuff, just pure multiple network cards wired across and each doing a transaction. In that case though I think my hardware at the other end was the limiting factor. Also consider that this was dumping pure data across the wire, not a useful file transfer. That said, while the maximum throughput of a router definitely matters, it's really hard for a small office environment to get that much traffic. You won't do it by normal business use, I think.
Here's what I think:
- Research your processor to make sure it's designed for communications tasks.
- Research your board to make sure all the hardware YOU WANT is compatible with Linux.
- Research your task to ensure that you understand everything you will want to do with the device.
- Find benchmarks for your type of task and that device, if you can find them out in the wild.
- Develop a healthy mistrust of benchmarks from the company who builds the product.
IMO the best early detector for Linux compatibility is on-board Intel gigabit NICs. IMO those are the best gigabit NICs available. Compared to a budget brand (e.g. Realtek, because that's what I personally have to compare with) they generate significantly fewer interrupts and thus let your CPU focus on whatever you think it should be doing. Linux support is fantastic for Intel NICs. Also, IMO if a company is putting those NICs on the board then chances are they aren't cutting many other corners either. In my experience better quality hardware is more likely to get good Linux support than bargain hardware.
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Tue Jul 31, 2018 4:44 am Post subject:
Maybe the Supermicro X10SDV-TP8F is a good choice.
Maitreya Guru
Joined: 11 Jan 2006 Posts: 441
Posted: Tue Jul 31, 2018 8:21 am Post subject:
Keruskerfuerst wrote: Maybe the Supermicro X10SDV-TP8F is a good choice.
Maybe a bit of overkill for a firewall, but a great choice for a fileserver/node!
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Tue Jul 31, 2018 1:26 pm Post subject:
Or the Asus P10S-C/4L.
For socket 1151.
With 5 network connectors.
~ 120 €.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue Jul 31, 2018 1:28 pm Post subject:
Maitreya wrote: (quoting Keruskerfuerst: Maybe the Supermicro X10SDV-TP8F is a good choice.) Maybe a bit of overkill for a firewall, but a great choice for a fileserver/node!
+1 for overkill unless you're doing a corporate site.
That said, I'm a big Supermicro fan, so things that look interesting to me are here: http://www.supermicro.com/products/motherboard/ATOM/
If I were setting up a firewall today, I'd look at C3000 boards and pay special attention to the NICs and the SATA slots, and if you want M.2 PCIe 3 then make sure it has that too.
It has been mentioned that Atom is pretty slow on compile times, but if you do your updates in off hours there will be no slowdown. I've used a C2758 board as a firewall and, while it takes an hour or more to do a glibc update, I've never had a slowdown due to that. Pick your -j setting conservatively and you should be able to update with nobody noticing.
P.Kosunen Guru
Joined: 21 Nov 2005 Posts: 309 Location: Finland
Posted: Wed Aug 01, 2018 9:56 am Post subject:
1clue wrote: Pick your -j setting conservatively and you should be able to update with nobody noticing.
Code: PORTAGE_NICENESS="19"
Setting niceness from /etc/portage/make.conf should help.
DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5909
Posted: Sat Nov 17, 2018 4:13 pm Post subject:
1clue wrote: Regarding the Atom processor: there is the Atom that gets sold to your grandma so she can check her email, and there's the Atom that is designed for enterprise communications appliances. Intel has made big efforts in the past years to develop low-power (consumption) hardware to replace services which are traditionally handled by bigger processors. Networking, for example, is clearly common enough to develop a specialized hardware set, including processors, to deal with.
I have a C2758 board with 7x Intel NICs on-board. My cable-based internet speed is 75 Mbps at the moment. The system can manage a VPN endpoint and firewall easily at my full WAN line rate. For network speed I've done almost 2.5 Gbps without firewall rules, NAT or any other stuff, just pure multiple network cards wired across and each doing a transaction. In that case though I think my hardware at the other end was the limiting factor. Also consider that this was dumping pure data across the wire, not a useful file transfer. That said, while the maximum throughput of a router definitely matters, it's really hard for a small office environment to get that much traffic. You won't do it by normal business use, I think.
Here's what I think:
- Research your processor to make sure it's designed for communications tasks.
- Research your board to make sure all the hardware YOU WANT is compatible with Linux.
- Research your task to ensure that you understand everything you will want to do with the device.
- Find benchmarks for your type of task and that device, if you can find them out in the wild.
- Develop a healthy mistrust of benchmarks from the company who builds the product.
IMO the best early detector for Linux compatibility is on-board Intel gigabit NICs. IMO those are the best gigabit NICs available. Compared to a budget brand (e.g. Realtek, because that's what I personally have to compare with) they generate significantly fewer interrupts and thus let your CPU focus on whatever you think it should be doing. Linux support is fantastic for Intel NICs. Also, IMO if a company is putting those NICs on the board then chances are they aren't cutting many other corners either. In my experience better quality hardware is more likely to get good Linux support than bargain hardware.
Interesting, can you provide an example of such a CPU?
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former - Albert Einstein
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Nov 17, 2018 6:15 pm Post subject:
DaggyStyle wrote: Interesting, can you provide an example of such a CPU?
Probably referring to things like hardware AES/SHA1, that allow otherwise low-end chips to keep up with line rate when running legacy VPN software.
`openssl speed aes-128-gcm` tells me my Atom (first gen, single core, no crypto engine) barely reaches 80Mbps for example. Not really a problem for me because chacha20-poly1305 gets over 200Mbps, and that's what wireguard uses.
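The two checks behind this answer, as an added example that is not code from the thread or from any poster: one function reads the hardware-crypto flags Linux exposes in cpuinfo, the other converts an `openssl speed` result line into Mbit/s so it can be compared with a WAN link rate. The cpuinfo and speed figures below are constructed samples, not real measurements; with no argument, `cpu_crypto_flags` reads the live /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not code from the thread): the checks Ant P. describes as shell functions.
# cpu_crypto_flags lists the hardware-crypto CPU flags Linux exposes in cpuinfo
# (aes = AES-NI, pclmulqdq = carry-less multiply used by GCM, sha_ni = SHA extensions);
# speed_to_mbps turns one `openssl speed -evp <cipher>` line into Mbit/s.
# Arg 1 (optional): path to a cpuinfo-style file; defaults to the live /proc/cpuinfo.
cpu_crypto_flags() {
    awk '/^flags[[:space:]]*:/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "aes" || $i == "pclmulqdq" || $i == "sha_ni") seen[$i] = 1
         }
         END {
             out = ""
             if ("aes" in seen)       out = out "aes "
             if ("pclmulqdq" in seen) out = out "pclmulqdq "
             if ("sha_ni" in seen)    out = out "sha_ni "
             sub(/ $/, "", out)
             print out
         }' "${1:-/proc/cpuinfo}"
}
# Arg 1: file holding `openssl speed` output; arg 2: cipher name as printed in column 1.
# openssl reports "1000s of bytes per second" per block size; the last column (16384-byte
# blocks) is the bulk figure, so Mbit/s = value * 1000 * 8 / 1e6. Prints nothing if absent.
speed_to_mbps() {
    awk -v cipher="$2" '$1 == cipher {
             v = $NF; sub(/k$/, "", v)
             printf "%.1f\n", v * 1000 * 8 / 1000000
         }' "$1"
}
# Constructed sample inputs (not real measurements) so the script runs offline.
CPUINFO_SAMPLE=$(mktemp); cat > "$CPUINFO_SAMPLE" <<'EOF'
model name	: (constructed sample)
flags		: fpu sse2 ssse3 pclmulqdq sse4_1 sse4_2 aes rdrand
EOF
SPEED_SAMPLE=$(mktemp); cat > "$SPEED_SAMPLE" <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm           2100.00k     5400.00k     8200.00k     9600.00k     9950.00k    10000.00k
chacha20-poly1305     3900.00k    11000.00k    19500.00k    23800.00k    24900.00k    25000.00k
EOF
printf 'hardware crypto flags: %s\n' "$(cpu_crypto_flags "$CPUINFO_SAMPLE")"
for c in aes-128-gcm chacha20-poly1305; do
    printf '%-18s %s Mbit/s\n' "$c" "$(speed_to_mbps "$SPEED_SAMPLE" "$c")"
done
```

On a real box, feed the output of `openssl speed -evp aes-128-gcm` and `openssl speed -evp chacha20-poly1305` to `speed_to_mbps`; a cipher whose figure is below the WAN rate on a CPU without the `aes` flag is the bottleneck the post describes.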
Keruskerfuerst Advocate
Joined: 01 Feb 2006 Posts: 2289 Location: near Augsburg, Germany
Posted: Sun Nov 18, 2018 7:12 am Post subject:
I have assembled a firewall with the following components:
Mainboard: Gigabyte GA-J3455N-D3H
Celeron J3455N
4-core processor, 2.3 GHz
and two ethernet connectors
RAM: 8 GB
2 x Kingston HyperX 4 GB
SSD: Samsung 250 GB EVO
Case: LC-Power LC-1370WII
with 90 W power supply
Easy installation and setup.
As mentioned above, Endian firewall.