Hello Guys,
I need some advise regarding Firewall Hardware:
I am looking for a new firewall in a HA setup for approx. 200 Users.
It should be able to handle a 10Gbit backbone network and do some IDS/IPS as well as maybe 10+ simultan IPsec VPN Connections.
Here is a picture of the planned topology (https://cloud.nett.media/s/NGj64EDb6ByCqMQ).
Since the firewall should also be able to utilize a future 10Gbit uplink, at least 3x 10Gbit SFP+ Interfaces should be possible (eg with extension cards).
I am not aware if upgrading the DEC3850 with more 10Gbit Interfaces is possible, but i guess it is not..
My first idea was to buy two Netgate D1537 as i am a long time pfSense User. But then i found out the CPU is already 8 years old and so i started to look around some alternatives.
This C3958 Platform (https://www.servershop-bayern.de/Supermicro-Server-CSE-505-A2SDi-16C-TP8F-16-Core-32GB-ECC-512GB-NVMe-2x10GbE-2x10G-SFP-4xGbE-IPMI-pfSense-OPNsense-compatible) for example has 4x 10Gbit Interfaces, but only a CPU Mark of 4281 which is maybe not beefy enough for IDS/IPS, what do you think?
The Xeon D-1700 CPUs, like on the Supermicro SYS-510D-8C-FN6P (https://smicro.eu/supermicro-sys-510d-8c-fn6p-1), are more power hungry than the D1500, and the SFP28 ports are not supported with pfsense 2.6 i read somewhere (this way i came across OPNsense)
And as far as i understand, the D17xxNT CPUs support Intels Quick Assist (QAT), which is mainly useful for faster VPN bandwidth, correct?
And since VPN is not our main goal, it is maybe also feasible to use a cheaper model without QAT, like the Supermicro SYS-510D-4C-FN6P (https://smicro.eu/supermicro-sys-510d-4c-fn6p-1) with a D-1718T CPU?
I created a list of features with the Hardware from the tile (https://cloud.nett.media/s/iBsx8GCZaNZsosF) for comparison, but i still dont know which hardware i should buy..
Another Question: is it possible to buy a Desico Support for the mentioned hardware?
Any insights to my questions would be highly appreciated,
Kind Regards,
Stif
I did had an error in my thoughts. the firewalls are in a High Availability Cluster, but not part of the Multi Chassis Link Aggregation. Thats why 2x SFP+ Ports for 10Gbit Backbone and 10Gbit Uplink should be enough - no need for a extension card in case of a 10Gbit uplink..
But the main question is still valid: Is the SYS-510D-8C-FN6P (https://smicro.eu/supermicro-sys-510d-8c-fn6p-1) Board overkill for my use case and is it even supported by OPNsense? Or am i better off with a DEC3850 or any other hardware i mentioned?
Thanks
doh, there was no error in my thoughts, i do need 2xSFP+ ports for my network backend ::)
(https://cloud.nett.media/s/NGj64EDb6ByCqMQ/preview)
the firewall is not part of the Multi Chassis Link Aggregation, true.
but from the perspective of the firewall it just sees one core switch and has a ordinary Link Aggregated connection to it (with LACP).
so every firewall still needs to be connected to both core switches, in order to be as fault tolerant as possible.
in that case i do need a extension card when i get a 10Gbit uplink :-\
FYI: i was writing with an employee from deciso and wanted to share me findings (which many of you might already know anyway)
- there is no way to put a extension cards into the DEC3850 (Netgate A20 Board without PCIe Header)
- if you want to stick with OPNsense Hardware, for 3 SFP+ Ports you need a DEC4040
- they have no experience with a Xeon D1700 board
- in theory the Xeon D1700 Boards should be ok (there are drivers for FreeBSD, so also for OPNsense) and its also possible to buy business support for them from deciso (but maybe needs some paid extra effort, if there are any quirks)