Gentoo Forums
Hardware & OS for Firewall-PC
Forum: Kernel & Hardware
Spargeltarzan
Apprentice
Joined: 23 Jul 2017
Posts: 293
PostPosted: Sat Jul 21, 2018 9:30 pm    Post subject: Hardware & OS for Firewall-PC

Hello Community,

I want to set up a firewall PC. I use an LTE mobile connection (modem + router in one device).

Currently I thought I will continue to use the LTE device as a modem and route all traffic to the firewall PC, a little barebone shown in the Amazon link. Quad-core Atom (as I read in other threads, ARM will be too weak), 4 ports, 4 GB RAM, 32 GB SATA. Since I want wifi also to be protected by the firewall I will need a wifi card; the chassis supports it and has holes for the antennas.

Barebone:
https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-AES-NI/dp/B0742P83HY/ref=sr_1_4?ie=UTF8&qid=1532207426&sr=8-4&keywords=firewall+barebone

Wifi:
https://www.amazon.com/Intel-7260-HMWG-R-Wireless-AC-Network-adapter/dp/B00MV3N7UO/ref=sr_1_3?s=electronics&ie=UTF8&qid=1532254961&sr=1-3&keywords=mini+pcie+wifi+card

LTE:
https://www.amazon.com/Huawei-ME909s-120/dp/B01771E8KM/ref=sr_1_1?ie=UTF8&qid=1532254853&sr=8-1&keywords=Huawei+ME909s-120

+ SIM Mount Kit
https://www.amazon.de/Jetway-ADMPESIMB-SIM-Karten-Adapter-Mini-PCIe-Modems/dp/B07DC2DPBC/ref=sr_1_fkmr1_2?s=computers&ie=UTF8&qid=1532262837&sr=1-2-fkmr1&keywords=sim+mount+pcie+lte

-) What do you think about it? Any other (better) options?
-) Would you continue to use the LTE modem, or would you embed the LTE modem into the barebone with a card, probably USB or mini PCIe, and use only one device as firewall + modem?
-) If you know something cheaper, I will not be sad, but the device should fulfil the requirements. Do you think this is overpowered? (for home office)

I plan to use Gentoo and set up iptables, snort, ...
Prebuilt solutions like pfsense, Sophos UTM, etc. draw my attention because of their eye-candy web interfaces, but I guess it is better to work with config files in Gentoo. What is your opinion about it?
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen

Last edited by Spargeltarzan on Sun Jul 29, 2018 10:20 pm; edited 1 time in total
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Wed Jul 25, 2018 5:11 am

I think it should be better to use an ITX mainboard, because it is unclear whether the complete hardware is supported by Gentoo or other Linux distros.
Spargeltarzan
Apprentice
Joined: 23 Jul 2017
Posts: 293
PostPosted: Sun Jul 29, 2018 10:20 pm

Thank you!
I started to use my quite old AMD Athlon X2 240e system to build my firewall PC. I tried pfsense for an hour or so; it works, but I am fascinated by the idea of setting up Gentoo for my purpose.

Maybe the lack of a web interface even means a smaller attack surface. Who uses Gentoo as a firewall solution? Any hints or recommendations here?
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5861
PostPosted: Mon Jul 30, 2018 3:21 am

My personal opinion is that Atom CPUs are also too weak, but then again Cisco is selling SOHO stuff with them, so ymmv.

I have an i7 7700 (non-K) as a router. Works great. One problem with mini-ITX is the lack of PCI slots for add-on cards like wifi cards, a fast LAN uplink port, a fast DMZ uplink port, etc. etc. etc.

A couple of wiki articles for pointers...
https://wiki.gentoo.org/wiki/Home_router
https://wiki.gentoo.org/wiki/Iptables
https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls#Iptables

If you really need some sort of interface, you might also be interested in fwbuilder. (It also works on FreeBSD's pf and a few other firewall packages.)
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Mon Jul 30, 2018 6:19 am

I have assembled a firewall with an Intel ITX mainboard (Gigabyte GA-N3150N-D3V), 8 GB RAM, 120 GB SSD.
This board has 2 network chips, so it can be set up as a firewall easily.

There are also ITX boards for Core chips available, like the Gigabyte H310M S2H. You can add a multi-port network card there.
Spargeltarzan
Apprentice
Joined: 23 Jul 2017
Posts: 293
PostPosted: Mon Jul 30, 2018 9:27 am

If I find my X2 240e to be a bottleneck I will upgrade the CPU/mainboard. Thanks for the suggestions! Currently I have it on an old mATX AMD board with 3 PCIe and 1 PCI slot. I can put in a wifi, LTE and ethernet card.

And which OS are you running on your firewall PCs? And which packages are you using? iptables, snort, squid?
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Mon Jul 30, 2018 9:29 am

I am running IPFire: https://www.ipfire.org/

With iptables.
P.Kosunen
Guru
Joined: 21 Nov 2005
Posts: 309
Location: Finland
PostPosted: Mon Jul 30, 2018 1:55 pm

https://fit-iot.com/web/products/fitlet2/

I am just upgrading my old Supermicro Atom N2800 box to a Compulab Fitlet 2. I've become lazy, so I switched from Gentoo to Void Linux (musl) this time; Atoms take a bit too much time compiling. So far Void Linux with XBPS and runit has been a pleasant surprise.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2562
PostPosted: Mon Jul 30, 2018 3:17 pm

Regarding Atom processors: there is the Atom that gets sold to your grandma so she can check her email, and there's the Atom that is designed for enterprise communications appliances. Intel has made big efforts in the past years to develop low-power (consumption) hardware to replace services which are traditionally handled by bigger processors. Networking, for example, is clearly common enough to develop a specialized hardware set, including processors, to deal with.

I have a C2758 board with 7x Intel NICs on-board. My cable-based internet speed is 75 Mbps at the moment. The system can manage a VPN endpoint and firewall easily at my full WAN line rate. For network speed I've done almost 2.5 Gbps without firewall rules, NAT or any other stuff, just pure multiple network cards wired across and each doing a transaction. In that case though I think my hardware at the other end was the limiting factor. Also consider that this was dumping pure data across the wire, not a useful file transfer. That said, while the maximum throughput of a router definitely matters, it's really hard for a small office environment to get that much traffic. You won't do it by normal business use, I think.

Here's what I think:

  1. Research your processor to make sure it's designed for communications tasks.
  2. Research your board to make sure all the hardware YOU WANT is compatible with Linux.
  3. Research your task to ensure that you understand everything you will want to do with the device.
  4. Find benchmarks for your type of task and that device, if you can find them out in the wild.
  5. Develop a healthy mistrust of benchmarks from the company who builds the product.

IMO the best early detector for Linux compatibility is on-board Intel gigabit NICs. IMO those are the best gigabit NICs available. Compared to a budget brand (e.g. Realtek, because that's what I personally have to compare with) they generate significantly fewer interrupts and thus let your CPU focus on whatever you think it should be doing. Linux support is fantastic for Intel NICs. Also, IMO if a company is putting those NICs on the board then chances are they aren't cutting many other corners either. In my experience better quality hardware is more likely to get good Linux support than bargain hardware.
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Tue Jul 31, 2018 4:44 am

Maybe the Supermicro X10SDV-TP8F is a good choice.
Maitreya
Guru
Joined: 11 Jan 2006
Posts: 421
PostPosted: Tue Jul 31, 2018 8:21 am

Keruskerfuerst wrote:
Maybe the Supermicro X10SDV-TP8F is a good choice.

Maybe a bit of an overkill for a firewall, but a great choice for a fileserver/node!
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Tue Jul 31, 2018 1:26 pm

Or the Asus P10S-C/4L.
For socket 1151.

With 5 network connectors.

~ 120 €.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2562
PostPosted: Tue Jul 31, 2018 1:28 pm

Maitreya wrote:
Keruskerfuerst wrote:
Maybe the Supermicro X10SDV-TP8F is a good choice.

Maybe a bit of an overkill for a firewall, but a great choice for a fileserver/node!

+1 for overkill unless you're doing a corporate site.

That said, I'm a big Supermicro fan, so things that look interesting to me are here: http://www.supermicro.com/products/motherboard/ATOM/

If I were setting up a firewall today, I'd look at C3000 boards and pay special attention to the NICs and the SATA slots, and if you want M.2 PCIe 3 then make sure it has that too.

It has been mentioned that Atom is pretty slow on compile times, but if you do your updates in off hours there will be no slowdown. I've used a C2758 board as a firewall, and while it takes an hour or more to do a glibc update I've never had a slowdown due to that. Pick your -j setting conservatively and you should be able to update with nobody noticing.
P.Kosunen
Guru
Joined: 21 Nov 2005
Posts: 309
Location: Finland
PostPosted: Wed Aug 01, 2018 9:56 am

1clue wrote:
Pick your -j setting conservatively and you should be able to update with nobody noticing.

Code:
PORTAGE_NICENESS="19"

Setting niceness in /etc/portage/make.conf should help.
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Sat Nov 17, 2018 10:16 am

Now I am using Endian firewall.

Here: https://sourceforge.net/projects/efw/files/Development/EFW-3.2.5/

I recommend version 3.2.5 and then updating to version 3.3.0.

Last edited by Keruskerfuerst on Sat Nov 17, 2018 7:35 pm; edited 1 time in total
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5385
PostPosted: Sat Nov 17, 2018 4:13 pm

1clue wrote:
Regarding Atom processors: there is the Atom that gets sold to your grandma so she can check her email, and there's the Atom that is designed for enterprise communications appliances. Intel has made big efforts in the past years to develop low-power (consumption) hardware to replace services which are traditionally handled by bigger processors. Networking, for example, is clearly common enough to develop a specialized hardware set, including processors, to deal with.
[...]

Interesting, can you provide an example of such a CPU?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5855
PostPosted: Sat Nov 17, 2018 6:15 pm

DaggyStyle wrote:
Interesting, can you provide an example of such a CPU?

Probably referring to things like hardware AES/SHA-1, which allow otherwise low-end chips to keep up with line rate when running legacy VPN software.

`openssl speed aes-128-gcm` tells me my Atom (first gen, single core, no crypto engine) barely reaches 80 Mbps, for example. Not really a problem for me because chacha20-poly1305 gets over 200 Mbps, and that's what WireGuard uses.
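The `openssl speed` numbers Ant P. quotes are printed as thousands of bytes per second per block size, not as Mbps, so comparing them against a WAN line rate takes a small conversion. The following is an added example, not code from the thread or from any poster: it parses the throughput table that `openssl speed -evp <cipher>` prints, converts the 1024-byte-block column to Mbps, and checks whether a cipher keeps up with a given line rate (the 75 Mbps cable line and the 80 / 200 Mbps figures mentioned in the thread). The table embedded in `SAMPLE_OUTPUT` is constructed, not a real measurement; the `measure()` helper that shells out to a real `openssl` binary is an assumption about your system and is not needed to run the offline part.

```python
"""Convert `openssl speed -evp <cipher>` output to Mbps and compare it with a WAN line rate.

Added example for the thread above; the sample table below is constructed,
not a measurement of anyone's hardware.
"""
import re
import subprocess

# Constructed sample of the table `openssl speed` prints after its preamble.
# The values are chosen so that aes-128-gcm lands at 80 Mbps and
# chacha20-poly1305 at 208 Mbps for 1024-byte blocks, mirroring the thread.
SAMPLE_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm       4210.55k     7012.22k     9105.38k    10000.00k    10400.13k    10432.00k
chacha20-poly1305 11023.40k    18331.71k    24120.92k    26000.00k    27010.66k    27100.22k
"""

_SIZE_RE = re.compile(r"(\d+) bytes")


def parse_speed_table(text):
    """Return {cipher: {block_size: bytes_per_second}} from openssl speed output."""
    sizes = None
    table = {}
    for line in text.splitlines():
        if line.startswith("type"):
            # Header row: the column labels give the block sizes in bytes.
            sizes = [int(s) for s in _SIZE_RE.findall(line)]
            continue
        if sizes is None:
            continue  # still in the preamble (version, compiler flags, ...)
        tokens = line.split()
        if len(tokens) != len(sizes) + 1 or not all(t.endswith("k") for t in tokens[1:]):
            continue  # not a throughput row (blank line, rsa/dsa tables, ...)
        # A trailing 'k' means thousands of bytes per second.
        table[tokens[0]] = {
            size: float(tok[:-1]) * 1000.0 for size, tok in zip(sizes, tokens[1:])
        }
    return table


def mbps(table, cipher, block_size=1024):
    """Throughput in megabits per second (10^6 bit/s) for one cipher and block size."""
    return table[cipher][block_size] * 8 / 1e6


def keeps_up_with_line_rate(table, cipher, wan_mbps, block_size=1024):
    """True if the cipher encrypts at least wan_mbps at the given block size.

    1024-byte blocks are a rough stand-in for VPN-sized packets; the 16-byte
    column would understate throughput because per-call overhead dominates.
    """
    return mbps(table, cipher, block_size) >= wan_mbps


def measure(cipher):
    """Run the real benchmark (assumes an `openssl` binary on PATH; not used offline)."""
    proc = subprocess.run(
        ["openssl", "speed", "-evp", cipher],
        capture_output=True, text=True, check=True,
    )
    return parse_speed_table(proc.stdout)


if __name__ == "__main__":
    table = parse_speed_table(SAMPLE_OUTPUT)
    for cipher in table:
        rate = mbps(table, cipher)
        ok = keeps_up_with_line_rate(table, cipher, 75)
        print(f"{cipher:18s} {rate:7.1f} Mbps @1024-byte blocks  75 Mbps WAN: {'ok' if ok else 'too slow'}")
```

To compare your own box, replace `parse_speed_table(SAMPLE_OUTPUT)` with `measure("aes-128-gcm")` or `measure("chacha20-poly1305")`; the conversion is the same.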
Keruskerfuerst
Advocate
Joined: 01 Feb 2006
Posts: 2288
Location: near Augsburg, Germany
PostPosted: Sun Nov 18, 2018 7:12 am

I have assembled a firewall with the following components:

Mainboard: Gigabyte GA-J3455N-D3H
Celeron J3455N
4-core processor, 2.3 GHz
and two ethernet connectors

RAM: 8 GB
2 x Kingston HyperX 4 GB

SSD: Samsung 250 GB EVO

Case: LC-Power LC-1370WII
with 90 W power supply

Easy installation and setup.

As mentioned above, Endian firewall.
All times are GMT