The Cache: Technology Expert's Forum
Topic: Finally bit the bullet. pfsense miniwalls. (Read 7572 times)

nutballs « on: October 11, 2009, 12:09:23 PM »

Just did it. Or at least just purchased, 2 miniwalls, from netgate http://4sp.in/2m8

1 for home, 1 for rack.

This was a decision that came from a silly thought process, but it was still the best answer.

I have a shuttle box, that is currently being underutilized as an IPcop box.
I have a mac mini that is being underutilized (and not cooperating anyway) as an archive machine off site.
I have a cop box in my rack, that I am terrified is going to blow up because it's a total piece of shit.
I have a bunch of 1tb drives.
I have 2 external raids.

sooo... both cop boxes get replaced, freeing up the shuttle.
The shuttle replaces the mac mini, and becomes the BigAssStorageArchiveThatActuallyWorksRight.
The mac mini comes home and starts doing what it was originally meant for: iPhone App Development.

$400 will be repaid by apple ;)
in theory, lol.

I could eat a bowl of Alphabet Soup and shit a better argument than that.

perkiset « Reply #1 on: October 11, 2009, 12:11:42 PM »

I have the pfSense .iso sitting on my desktop awaiting a few spare moments (has been for a couple months now) ... really looking forward to your thoughts and opinions.

*popcorn*

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.

nutballs « Reply #2 on: October 11, 2009, 12:15:07 PM »

Since that DEFCON conference I rethought pf big time. The fact that those little, preloaded, 3-port, no-juice boxes are only $200 bucks, and my recent need, finally clinched it.

perkiset « Reply #3 on: October 11, 2009, 12:29:44 PM »

I'm pretty frustrated with how it seems IPCop has been somewhat abandoned. It's been great for me for ... jeez, almost a decade now, but it really seems like it's time to move on. And you're right... the simple, tiny $200 solution is DAMN attractive...

kurdt « Reply #4 on: October 11, 2009, 10:57:35 PM »

> Just did it. Or at least just purchased, 2 miniwalls, from netgate http://4sp.in/2m8
Dude.. that's 10/100...
I met god and he had nothing to say to me.

nutballs « Reply #5 on: October 12, 2009, 07:23:34 AM »

Yer point? Do you have a 1gbit pipe to a server rack? This is going to be an actual production firewall sitting on a 100m pipe at least on 1 end. The other is on shitty cox cable @ a whopping 3mbit if I'm lucky. Damn kids in the neighborhood... Lol

kurdt « Reply #6 on: October 12, 2009, 09:13:18 AM »

> Yer point? Do you have a 1gbit pipe to a server rack? This is going to be an actual production firewall sitting on a 100m pipe at least on 1 end. The other is on shitty cox cable @ a whopping 3mbit if I'm lucky. Damn kids in the neighborhood... Lol
No but I have 110Mbit pipe to my server rack ;)

nutballs « Reply #7 on: October 12, 2009, 09:33:22 AM »

Really? Weird, never heard of that.
Even so though, if I had that connection, I prolly still would go with these anyway.
Are there any cheap 1gbit firewalls with unlimited VPN? I never really paid attention, but guessing no, unless you build your own box and run ipcop or pfsense.

Good point though that it is 10/100.
But frankly, even 100 is overkill for 99% of the servers out there.

Internally on the other hand, I have maxed out my 100mbit switch, and am going to be changing to a 1gbit switch.
(Yes perk, I maxed out that Cisco switch, like the one you have. Giant database backups are a bitch. lol)

I am very excited to try these little boxes out though, because that means it's virtually a plug and play solution for creating a VPN and, as a bonus, getting a firewall as well.

perkiset « Reply #8 on: October 12, 2009, 09:55:14 AM »

There's a little fallacy here.

A 100M card should easily be able to keep up with a 110MB pipe, first off because unless your 110 pipe is a dedicated connection to the spine then you'll be spoked in with other traffic, so it'll fluctuate. Second, are you really, seriously pumping 110MB continuously out of your box? There's no way man.

Unless you're a router for lots and lots of traffic (read, a continual stream of > 100MB data) and your upstream pipe has no one else on it (like, you're optical'd into the spine) you're not getting 110 full time. Bear in mind that "over the NICs" speed will be wire, and no matter how many servers you have on the inside, you have a maximum bursted output of 110MB. So even if you purchased gig cards, you'd never, ever get anything more than 100MB total delivery for a short burst as you actually managed to saturate that pipe.

I have 100/100 Cisco routers for my internal traffic. They beat the shit out of my cheap Gig routers all day long, and by a wide, wide margin. Really man, don't be fooled by that spec.

<edit: small typo>
« Last Edit: October 14, 2009, 03:47:28 PM by perkiset »

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.

nutballs « Reply #9 on: October 14, 2009, 03:30:08 PM »

Just got them in the mail. Two came in 1 FedEx small box. 1 inch thick. lol

The yellow BTW is NOT yellow. It's anodized GOLD. Meh whatever. I wanted yellow but WGAS, it's a firewall router.

Now to figure out how the hell to set this up...

perkiset « Reply #10 on: October 14, 2009, 03:48:39 PM »

*applause* *praise*

*popcorn*

kurdt « Reply #11 on: October 14, 2009, 10:53:05 PM »

> There's a little fallacy here.
>
> A 100M card should easily be able to keep up with a 110MB pipe, first off because unless your 110 pipe is a dedicated connection to the spine then you'll be spoked in with other traffic, so it'll fluctuate. Second, are you really, seriously pumping 110MB continuously out of your box? There's no way man.
>
> Unless you're a router for lots and lots of traffic (read, a continual stream of > 100MB data) and your upstream pipe has no one else on it (like, you're optical'd into the spine) you're not getting 110 full time. Bear in mind that "over the NICs" speed will be wire, and no matter how many servers you have on the inside, you have a maximum bursted output of 110MB. So even if you purchased gig cards, you'd never, ever get anything more than 100MB total delivery for a short burst as you actually managed to saturate that pipe.
>
> I have 100/100 Cisco routers for my internal traffic. They beat the shit out of my cheap Gig routers all day long, and by a wide, wide margin. Really man, don't be fooled by that spec.
Ok, didn't know that :) I'm pumping 110MB one bluray disc at a time.. shit, did I just say that out loud? The connection is surprisingly good. I'm usually getting a little over 12 megs per sec from Giganews servers. But it's 20 connections to the Giganews server simultaneously, not 1, so that might explain why it's able to get the maximum.

perkiset « Reply #12 on: October 15, 2009, 08:05:13 AM »

The other part of that equation is whether your partner in data movement is able to handle a full inbound stream at 100+MBs/sec as well. Consider: if they just hiccup for the tiniest moment and don't handshake you right away, you'll be off peak again. Wasn't a slam K, only a reality check. And a piece of cash advice: just like I say in the Mac/clone market: don't be fooled by specs (ie., gig must be better than 10/100) ;)

nutballs « Reply #13 on: October 15, 2009, 12:39:23 PM »
« Reply #13 on: October 15, 2009, 12:39:23 PM »

Woot. I'm up.
Well at least halfway.
I have the miniwall running at home, with an IPsec VPN running to my rack-ipcop.
This thread at PF got me finished http://4sp.in/2mo

Now to figure out how to block external web access to PF. lol
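Editor's note on the last question in that post (keeping the pfSense webGUI off the WAN while the IPsec tunnel stays up): pfSense ships with no pass rules on its WAN interface, so everything inbound is dropped by default, and its anti-lockout rule only applies on LAN. The webGUI is therefore reachable from the internet only if someone adds a WAN rule passing TCP 80/443 to the firewall itself. The fragment below is an added example in plain pf.conf syntax, written here and not taken from the thread or from pfSense's own generated ruleset (pfSense builds its rules from the GUI, so on a real box this policy is expressed as WAN/LAN/IPsec firewall rules). The interface names vr0 (WAN) and vr1 (LAN), the peer address 203.0.113.10 and the 10.0.0.0/24 rack subnet are assumptions for illustration.

```pf
# Added example (not from the thread, not pfSense's generated rules): the intended policy
# for a home miniwall that terminates a site-to-site IPsec tunnel and must NOT expose its
# webGUI/SSH to the WAN. Assumed: vr0 = WAN, vr1 = LAN, peer 203.0.113.10, rack LAN 10.0.0.0/24.

ext_if     = "vr0"
int_if     = "vr1"
vpn_peer   = "203.0.113.10"
rack_net   = "10.0.0.0/24"
mgmt_ports = "{ 22, 80, 443 }"

set skip on lo0
scrub in all

# Drop packets whose source address does not belong on the interface they arrived on.
antispoof log quick for { $ext_if, $int_if }

# Default deny in both directions; every inbound drop is logged to pflog0.
block in log all
block out all

# The firewall and the LAN may initiate outbound connections (state keeps the replies flowing).
pass out quick keep state

# Belt and braces on top of the default deny: refuse management ports on WAN with "quick",
# so a later, careless "pass in on $ext_if" rule cannot silently re-open them.
block in log quick on $ext_if proto tcp from any to ($ext_if) port $mgmt_ports

# WAN: only IKE (500), NAT-T (4500) and ESP, and only from the known peer.
pass in on $ext_if proto udp from $vpn_peer to ($ext_if) port { 500, 4500 } keep state
pass in on $ext_if proto esp from $vpn_peer to ($ext_if)

# WEAK SETTING, shown for contrast and deliberately commented out: this single rule is
# what would put the webGUI login page on the public internet.
# pass in on $ext_if proto tcp from any to ($ext_if) port 443 keep state

# Decrypted tunnel traffic appears on enc0 (the "IPsec" tab in pfSense); let the rack LAN in.
pass in on enc0 from $rack_net to $int_if:network keep state

# LAN: management only from the LAN subnet, then ordinary LAN traffic outward.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port $mgmt_ports keep state
pass in on $int_if from $int_if:network to any keep state
```

Validate a hand-written file with `pfctl -nf /etc/pf.conf` before loading it, and confirm from the outside with something like `nmap -p 22,80,443 <wan-ip>` that the management ports show as filtered. If the GUI really must be administered from the other site, reach it through the IPsec tunnel (the enc0 rule above) rather than opening 443 on WAN; the rack end then needs a matching rule admitting the home LAN.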

perkiset « Reply #14 on: October 15, 2009, 12:54:25 PM »

Oooo ooo ooooo ... so a standard IPSec hooked up to your GetNet box? (Excited because I could stage through client upgrades rather than a big ol' nasty cutover)

As soon as you tell me the local box is the juice I'm off to get a couple. Specifically interested in: road warrior hookups and standard Windows VPN hookups.