I'm looking for some kind of appliance-like box, maybe something like this: http://www.soekris.com/net5501.htm on which I could deploy iptables based firewall/openvpn/DNS and other local network services in a wide area network. I would probably install on a flash device. I would prefer something that was relatively easy to install on, or at least has been used with CentOS before, where I'm not needing to pull my hair out finding working drivers, building custom kernels etc.
Though I might spend time down the road to come up with an extremely minimal install, for rapid deployment in the first round, I'd like to be able to do a pretty standard install and have a full featured CentOS system that I could log on to and use for local network administrative tasks.
I could use something like a Mac mini, but my sense is there are probably less expensive and more suitable devices.
- Two ethernet interfaces
- working drivers for CentOS
- flash
- enterprise quality (i.e. not some flakey little home router device)
- fast enough to do openvpn encryption on WAN links ranging from 50mb to 100mb
Though I do want enterprise quality, my sense is to make the device affordable enough that I could keep spares on site for backup purposes.
I would appreciate anyone's experience with deploying such a setup.
Thanks, Nataraj
Hi Nataraj,
Take a look at the Intel Atom platform. The D510MO & D945GCLF2D run beautifully under CentOS and I've used both as firewalls in the past. Another linux based firewall system I use has users reporting the two boards above supporting AV, Content Filtering (proxy), etc on 50Mbps FIOS connections down in the states.
If you want multiple onboard nics, the Jetway boards are also supposedly decent. I've never used one but users from the same site have reported success with these boards, and the optional 3x1GB nic still fits within the ATX backplate.
Only downside to these boards, both Intel & Jetway, is they seem to prefer Realtek chipsets onboard. Jetway I understand because of price points. Intel I don't as the Pro/1000 is a rock solid nic. That said, I've never had a problem with flaky drivers or hardware from Realtek. Maybe I'm just lucky. :-)
On 12/28/10 1:55 PM, Nataraj wrote:
> - fast enough to do openvpn encryption on WAN links ranging from 50mb to 100mb
THAT is a tough requirement.
I was going to recommend the Alix boards. they run pfSense really nicely, and should be able to run a stripped down centos install OK. with pfSense, you can boot from a CF card, so no HD at all.
The Alix cards use a 433-500Mhz AMD Geode ultra-low power processor, on a 6x6 card. they use 5 watts fully configured.
but, 100Mbit/sec SSL encryption, ouch. don't know. you'd probably have to benchmark that.
2010/12/29 John R Pierce pierce@hogranch.com:
> but, 100Mbit/sec SSL encryption, ouch. don't know. you'd probably have to benchmark that.
you need hardware encryption hardware or core2duo like processor ..
-- Eero
On 12/28/2010 09:04 PM, Eero Volotinen wrote:
> you need hardware encryption hardware or core2duo like processor ..
Then the Mac mini might be what I need performancewise. I am also considering Dell R210's as I would really like an enterprise solution. Anyone have any experience with Habey? http://www.habeyusa.com/products.php?id=125#Menu=ChildMenu124 They have a wide selection of barebones Intel Atoms, including the 1.8Ghz Intel D525's as well as Pentium 4's with broadcom ethernets and systems with up to 6 ethernets. My sense is that I will still use some of these systems for firewall and management functions (i.e. firewalling Dell IDRAC6 cards) even if the encryption for the vpn has to run on a faster box. 50MB would probably be adequate.
Thank you all for your responses.
Nataraj
2010/12/29 Nataraj incoming-centos@rjl.com:
> Then the Mac mini might be what I need performancewise. I am also considering Dell R210's as I would really like an enterprise solution. Anyone have any experience with Habey? http://www.habeyusa.com/products.php?id=125#Menu=ChildMenu124 They have a wide selection of barebones Intel Atoms, including the 1.8Ghz Intel D525's as well as Pentium 4's with broadcom ethernets and systems with up to 6 ethernets. My sense is that I will still use some of these systems for firewall and management functions (i.e. firewalling Dell IDRAC6 cards) even if the encryption for the vpn has to run on a faster box. 50MB would probably be adequate.
take a look at: http://www.mini-itx.com/store/ and http://www.mini-itx.com/store/?c=40
-- Eero
> take a look at: http://www.mini-itx.com/store/ and http://www.mini-itx.com/store/?c=40
http://ocf-linux.sourceforge.net/ possibly also helps on smp systems (dualcore) with openvpn aes encryption
-- Eero
On 12/28/2010 11:01 PM, Eero Volotinen wrote:
> http://ocf-linux.sourceforge.net/ possibly also helps on smp systems (dualcore) with openvpn aes encryption
That would be useful. I'm pretty sure openvpn uses the OPENSSL libraries, so it might very well improve openvpn performance. That would be a big win. I think the Dell dual xeon for $650 is the easiest solution. It is Redhat certified and requires no 3rd party device drivers for CentOS. I think I will still deploy some of the smaller appliance boxes for purposes other than high performance encryption.
Nataraj
> That would be useful. I'm pretty sure openvpn uses the OPENSSL libraries, so it might very well improve openvpn performance. That would be a big win. I think the Dell dual xeon for $650 is the easiest solution. It is Redhat certified and requires no 3rd party device drivers for CentOS. I think I will still deploy some of the smaller appliance boxes for purposes other than high performance encryption.
anyway, it requires patching the kernel and due to that it's a bit of a complex solution.
maybe your hardware is fast enough anyway..
-- Eero
On 12/28/2010 10:32 PM, Eero Volotinen wrote:
> take a look at: http://www.mini-itx.com/store/ and http://www.mini-itx.com/store/?c=40
Yes, that site kept coming up in my google searches. They are in the UK, but they do have quite a large selection and they are all custom configurable. Unfortunately, their celeron system, with shipping to the US, cost me $700, as much as a Mac Mini with a core 2 Duo, and there are better service options for the Mac Mini in the US, though the Celeron is an industrial rackmount solution. I wouldn't really call the Mac Mini an Enterprise solution.
For $650 I could get a basic Dell R210 with an X3430 2.4Ghz dual core Xeon. For $500 I could get the R210 with a Celeron. I guess Dell wins on this one. I suppose one real advantage of these small embedded appliances, if they are fast enough for the application, is very low power consumption. I like that for my home firewall. Another advantage is they are easy to ship around.
Thanks, Nataraj
On Tue, Dec 28, 2010 at 10:23:43PM -0800, Nataraj wrote:
> Then the Mac mini might be what I need performancewise.
The Mini has only one wired interface, and its 802.11 interface may or may not have a fully working driver in the CentOS 6 kernel. So if you really need two ethernet interfaces you should probably consider the other alternatives raised in the thread.
--keith
On 12/29/2010 01:03 PM, Keith Keller wrote:
> The Mini has only one wired interface, and its 802.11 interface may or may not have a fully working driver in the CentOS 6 kernel. So if you really need two ethernet interfaces you should probably consider the other alternatives raised in the thread.
Thank you Keith. I've been able to use the driver from the broadcom website, at least with Ubuntu 10.04. Fedora14 has a working driver included. As you say, though, there is only one interface. I once saw a fedora 10 kernel get wedged in some odd state where it was sending packets out the wrong vlan. Ever since that time, I'm pretty insistent that the Internet side of a firewall be on a completely separate interface and switch and not just on a separate vlan. It just feels more secure that way.
Thanks, Nataraj
On 12/29/2010 01:23 AM, Nataraj wrote:
> Then the Mac mini might be what I need performancewise. I am also considering Dell R210's as I would really like an enterprise solution. Anyone have any experience with Habey? http://www.habeyusa.com/products.php?id=125#Menu=ChildMenu124 They have a wide selection of barebones Intel Atoms, including the 1.8Ghz Intel D525's as well as Pentium 4's with broadcom ethernets and systems with up to 6 ethernets. My sense is that I will still use some of these systems for firewall and management functions (i.e. firewalling Dell IDRAC6 cards) even if the encryption for the vpn has to run on a faster box. 50MB would probably be adequate.
Hi,
We use the following. It has hardware encryption in the EDEN Via processor. We were able to get 22 mbits across an ipsec tunnel using AES encryption. This is more than enough unless you have a DS3 circuit.
http://www.acrosser.com/products/detail_id_427.html
2010/12/30 Steve Clark sclark@netwolves.com:
> We use the following. It has hardware encryption in the EDEN Via processor. We were able to get 22 mbits across an ipsec tunnel using AES encryption. This is more than enough unless you have a DS3 circuit.
IE only website :(
So, you are using padlock hw encryption on device?
-- Eero
On 12/30/2010 07:34 AM, Eero Volotinen wrote:
> So, you are using padlock hw encryption on device?
Yes it is supported by the padlock.ko module in Centos. It can also be used by openssl. /lib/modules/2.6.18-194.17.4.el5/kernel/drivers/crypto/padlock.ko
On 12/30/2010 07:34 AM, Eero Volotinen wrote:
> IE only website :(
Hmm... works fine for me using chrome and Fedora 12.
2010/12/30 Steve Clark sclark@netwolves.com:
> On 12/30/2010 07:34 AM, Eero Volotinen wrote:
>> IE only website :(
http://linitx.com/viewcategory.php?catid=79&pp=79 also supplies rackmounted firewalls and so on.
-- Eero
On 12/30/2010 04:34 AM, Eero Volotinen wrote:
> So, you are using padlock hw encryption on device?
I see now that there is fairly extensive support available for padlock encryption. http://www.logix.cz/michal/devel/padlock/ http://www.logix.cz/michal/doc/article.xp/padlock-en
These pages are a bit old, but it appears that support for md5, sha1 and sha256 is in the mainline linux kernel. Openvpn has a -engine option for invoking padlock support in openssl. So I expect that I will order at least one of these boxes for testing purposes and probably another box with a somewhat faster processor for comparison.
Thanks, Nataraj
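Added example (not part of any post in this thread): one way to run the benchmark the thread keeps coming back to, by turning `openssl speed` output into Mbit/s and comparing it with the WAN link rate, with or without the padlock engine. The function names, the `HEADROOM` factor of 3 and both sample tables are assumptions constructed for illustration, not measurements from any board named above.

```shell
#!/bin/sh
# Size a firewall/VPN box by raw AES throughput (added example).
# Live use:  ./aes_sizing.sh --live 100           software AES, 100 Mbit/s link
#            ./aes_sizing.sh --live 100 padlock   same, through the padlock engine

# Assumption: demand HEADROOM x the link rate from the bare cipher, because
# OpenVPN also spends CPU on HMAC, tun/tap copies and context switches.
HEADROOM=${HEADROOM:-3}

# Read `openssl speed` text on stdin and print Mbit/s for the 1024-byte
# column, the block size closest to a full-size tunnel packet.
speed_to_mbit() {
    awk '
        $1 == "type" {               # header row: type 16 bytes 64 bytes ...
            for (i = 2; i <= NF; i++) if ($i == "1024") col = i / 2 + 1
            next
        }
        col && $col ~ /k$/ {         # result row, values look like 59187.88k
            v = $col; sub(/k$/, "", v)
            printf "%d\n", v * 1000 * 8 / 1000000   # 1000s of bytes/s to Mbit/s
            found = 1; exit
        }
        END { if (!found) exit 1 }   # no result table seen: report failure
    '
}

# verdict MBIT TARGET_MBIT: print "ok" or "too-slow".
verdict() {
    if [ "$1" -ge $(( $2 * $HEADROOM )) ]; then echo ok; else echo too-slow; fi
}

# Constructed sample outputs in the layout `openssl speed -evp` prints.
SAMPLE_FAST="The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      52342.11k    57210.45k    58777.26k    59187.88k    59301.21k"
SAMPLE_SLOW="type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       3890.20k     4010.75k     4080.10k     4100.50k     4105.33k"

if [ "${1:-}" = "--live" ]; then
    target=${2:-100}
    eng=""
    if [ -n "${3:-}" ]; then eng="-engine $3"; fi
    # $eng is deliberately unquoted so it splits into flag and engine name.
    out=$(openssl speed $eng -evp aes-128-cbc 2>/dev/null)
    mbit=$(printf '%s\n' "$out" | speed_to_mbit) || { echo "no result table" >&2; exit 1; }
    echo "AES-128-CBC at 1024B: ${mbit} Mbit/s, link ${target}: $(verdict "$mbit" "$target")"
else
    for s in "$SAMPLE_FAST" "$SAMPLE_SLOW"; do
        mbit=$(printf '%s\n' "$s" | speed_to_mbit)
        echo "sample: ${mbit} Mbit/s vs 100 Mbit/s link: $(verdict "$mbit" 100)"
    done
fi
```

Running the live mode once without an engine and once with `padlock` on the same box shows how much of the throughput comes from the hardware AES unit.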