I want to turn a refurb Dell server into a DIY firewall. Is it realistic to expect anything even close to 10G port-to-port throughput when transferring big zip files through ipfire (assuming the other end is capable of delivering that)? What sort of hardware spec should I aim for? Any special 10G NICs?
@geekprophet, welcome to our community.
It depends on the HW you want to "recycle".
What sort of NICs are built in and how are they connected to the system?
About 10G port-to-port throughput (I think port-to-port means server - client), you must consider that transfer speed isn't determined by capabilities of the end points only, but the whole transmission way has to be observed.
I have not purchased the refurb server yet. I can obtain whatever is required in terms of power. I'm thinking an R640. I would add whatever NICs are required to it.
"Port-to-port" speed is a term I borrowed from the OPNsense sales literature.
@geekprophet sorry for asking... in your setup you have access to cheap power?
According to specs, the PSU range for R640 goes from 500W to 1600W. So... using that powerhorse for "simply" a firewall, well... needs some considerations.
IPFire CPU consumption depends a lot on the services enabled, so "simple" network switching with rules might make a 2nd generation Xeon Scalable CPU a little overkill.
Last but not least: I'm assuming you're considering for the task "inner" network transfers between Green/green and/or green/blue...
Google something like "pcie speed" and you'll get refs like PCI Express - Wikipedia which has a comparison table for PCIe version and maximum speed with various configurations. You'll then need to determine which version PCIe slots the Dell has and how wide they are (x1, x4 etc) and remember for throughput you'll need 2 NICs.
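An added example, not written by anyone in this thread: on a Linux host, sysfs reports each NIC's negotiated PCIe link speed and width, so the slot check described above can be scripted. The interface name `eth0`, the helper `make_fake_nic` and the sysfs-like tree it builds are constructed for the demo; bandwidth figures are per direction and exclude packet-protocol overhead.

```python
import os, tempfile

# Encoding efficiency by per-lane signalling rate (GT/s): Gen1/2 use 8b/10b,
# Gen3 and later use 128b/130b.
ENCODING = {2.5: 0.8, 5.0: 0.8, 8.0: 128 / 130, 16.0: 128 / 130, 32.0: 128 / 130}

def pcie_gbps(gt_per_s, lanes):
    """Bandwidth per direction in Gbit/s, before TLP/DLLP protocol overhead."""
    return gt_per_s * ENCODING[gt_per_s] * lanes

def _read(*parts):
    with open(os.path.join(*parts)) as fh:
        return fh.read().strip()

def check_nic(iface, sysfs="/sys/class/net"):
    """Compare a NIC's negotiated PCIe link with its Ethernet port speed."""
    dev = os.path.join(sysfs, iface, "device")
    # The files look like "8.0 GT/s PCIe" (speed) and "8" (width).
    cur = (float(_read(dev, "current_link_speed").split()[0]),
           int(_read(dev, "current_link_width")))
    best = (float(_read(dev, "max_link_speed").split()[0]),
            int(_read(dev, "max_link_width")))
    port_gbps = int(_read(sysfs, iface, "speed")) / 1000  # file is in Mbit/s
    link_gbps = pcie_gbps(*cur)
    return {
        "link_gbps": round(link_gbps, 1),
        "port_gbps": port_gbps,
        "downgraded": cur != best,  # slot is slower or narrower than the card
        "sufficient": link_gbps >= port_gbps,
    }

def make_fake_nic(root, iface, cur_speed, cur_width, max_speed, max_width, mbps):
    """Build a constructed sysfs-like tree so the check runs on any machine."""
    os.makedirs(os.path.join(root, iface, "device"))
    files = {"device/current_link_speed": cur_speed, "device/current_link_width": cur_width,
             "device/max_link_speed": max_speed, "device/max_link_width": max_width,
             "speed": mbps}
    for rel, val in files.items():
        with open(os.path.join(root, iface, rel), "w") as fh:
            fh.write(val + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        # Constructed case: a Gen3 x8 10G card sitting in a slot wired as x4.
        make_fake_nic(root, "eth0", "8.0 GT/s PCIe", "4", "8.0 GT/s PCIe", "8", "10000")
        print(check_nic("eth0", sysfs=root))
```

On a real machine, call `check_nic("<interface>")` with the default sysfs path; a `downgraded` result means the card negotiated less than it supports in that slot.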
Keep in mind that the used slot for a NIC must have at least 2.5x PCIe speed because there is some overhead and the NIC is bidirectional and the PCIe not. Also the PCIe root of the CPU must be around 5x because it has to handle two ports at the same time. So this can also be the bottleneck. Of course you also need plenty of CPU power for packet handling.
So for 10G you need 25G pcie per slot and 50G on the cpu.
50G on the CPU? That can't be CPU speed, but lane bandwidth? Where do you see that figure? I would assume that if the PCIx can handle the bandwidth then the CPU can.
Yes, the speed that the CPU can handle via PCIe. I don't know where you find this in datasheets but I know that for example an Intel N3160 cannot handle the 5Gbit needed for two 1G LAN ports.
I mentioned the R640 because we already have a bunch of them, and they are fast and reliable workhorses. Ours have 25G NICs and iperf shows 22G throughput from server to server. I'm assuming they would work well for a firewall, and I can get a refurb one for cheap. However, if they are overkill, we could also go with something less powerful and cheaper. The other part of my question is about ipfire itself. I'm wondering if it can be expected to provide 10G throughput (ingress one interface and egress the other) on a server like that?
-Eric
Regarding "inner" transfers (green/green or green/blue), no, I'm planning to use ipfire at the edge, so its outside interface would be Internet facing and its inside interface would connect to a DMZ VLAN. Is this a bad idea for some reason?
-Eric
If it works well for 1 x 25G NIC, then I would assume it would work well for 2 x 10G NICs. It would be fine but probably overkill for a firewall. Even if the PSUs are rated between 500w and 1600w it does not mean the system will be drawing that much, especially if it only has 1 SSD or HDD, and you won't need much memory either. The CPU is well OTT.
TBH, with something like that you could get quite cute and run an o/s like Proxmox. Then give 2-4 cores to a VM running IPFire and use the rest of the power for something else.