Multiple SFP+ Ports In A Rackable Network Server

[ThePie69]

I am looking to build or buy a rackable networking server who's sole job will be to run a firewall applicaiton like pfSense. The hard part is that I would like something that has 6 or more SFP+ ports or the option to install NICs that can get you to 6 or more SFP+ ports.

Does anyone have any recommendations for servers that match what I'm looking for?

 

[k1pp3r]

You will need to use add in cards, there are plenty out there that take sfp+ transceivers or twinax cable

 

[Cmustang87]

Going to be expensive, but you're looking for something like this - https://www.amazon.com/StarTech-com-2-Port-Fiber-Network-Card/dp/B01273K570

 

[k1pp3r]

Eh you can find cheaper ones, even refurbs, just depends on what speeds you want, and if you don't mind off brands such as https://www.newegg.com/Product/Product.aspx?Item=9SIA9Z94Z52658

 

[Cmustang87]

Eh you can find cheaper ones, even refurbs, just depends on what speeds you want, and if you don't mind off brands such as https://www.newegg.com/Product/Product.aspx?Item=9SIA9Z94Z52658

Well, sure - I was just giving the OP an idea of what to look for, didn't feel like shopping for other options, lol. $100 isn't bad, but this seems like kind of a wonky project. You are trying to get a free pfsense firewall, but spend hundreds of dollars on SFP ports?

 

[ThePie69]

Well, sure - I was just giving the OP an idea of what to look for, didn't feel like shopping for other options, lol. $100 isn't bad, but this seems like kind of a wonky project. You are trying to get a free pfsense firewall, but spend hundreds of dollars on SFP ports?

So instead of buying https://www.netgate.com/products/xg-1541.html and then buy the Chelsio expansion card which gives you 2 SFP+ ports I was shooting for something that would get me 4 - 6 SFP+ ports. There isn't anything that Netgate has that gives you more than 2 SFP+ ports.

 

[k1pp3r]

Why do you need 4 - 6 SFP+ ports anyway?

 

[ThePie69]

Why do you need 4 - 6 SFP+ ports anyway?

So I can have multiple interfaces. I wanted to physical segment the network from the firewall server.

 

[k1pp3r]

So I can have multiple interfaces. I wanted to physical segment the network from the firewall server.

Right, but why do you need SFP+ what's wrong with 1 GB RJ42, it would be a lot cheaper.

Or get a layer 3 switch and do it properly.

 

[Aluminum]

Do not pass go, do not buy startech/crap chipset or from amazon/newegg/etc, go directly to fleabay and buy used. Stick to intel and chelsio for pfsense. Also do not try to make a router be a switch especially a software one, each of those ports should be real networks otherwise you're doing it all wrong.

You might even find QSFP cheap (the breakout cable to 4xSFP+ might even cost more than the NIC) but the driver support for 40Gb chipsets on *BSD is not as broad.

 

[ThePie69]

Right, but why do you need SFP+ what's wrong with 1 GB RJ42, it would be a lot cheaper.

Or get a layer 3 switch and do it properly.

I have a 10 GbE network and want it to stay that way, lol.

Speaking of layer 3 switch though, could you have then a 10 GbE connection coming in to the firewall in pfSense and then the other Chelsio port going to the layer 3 switch and still have more than one interface? Now that I think about it could you make use of VLANs with pfSense and have multiple interfaces in the firewall but have them all going threw just that one physical interface? If so I would like to see the procedures for that cause it would solve this issue then. Although I wonder if only one physical connection would get bogged down by all the internal traffic on the network. Half of it won't actually even leave the network so the uplink is fine, maybe 1 physical connection still might not be enough for the internal traffic...

Do not pass go, do not buy startech/crap chipset or from amazon/newegg/etc, go directly to fleabay and buy used. Stick to intel and chelsio for pfsense. Also do not try to make a router be a switch especially a software one, each of those ports should be real networks otherwise you're doing it all wrong.

You might even find QSFP cheap (the breakout cable to 4xSFP+ might even cost more than the NIC) but the driver support for 40Gb chipsets on *BSD is not as broad.

Agreed. I'm definitely not taking any shortcuts or anything. 100% enterprise grade equipment here.
I liked the "Do not pass go", gotta add in "do not collect $200", haha.

 

[k1pp3r]

With a Layer 3 switch you do all your inter-vlan routing on the switch (And vlan access lists), since the switch is handling that layer3 routing it knows to only send data to the PFsense IF it is not a local destination, that is your IP Route statements or in Meraki your "Next Hop"

Generally you want your firewall to do what it was built for, detect and mitigate threats and attacks, in addition to minimal layer 3 routing such as Address Translation. As a rule of thumb, I keep all traffic local on the switch unless it has a purpose to go to the firewall. It reduces the load on your firewall a ton.

 

[ThePie69]

With a Layer 3 switch you do all your inter-vlan routing on the switch (And vlan access lists), since the switch is handling that layer3 routing it knows to only send data to the PFsense IF it is not a local destination, that is your IP Route statements or in Meraki your "Next Hop"

Generally you want your firewall to do what it was built for, detect and mitigate threats and attacks, in addition to minimal layer 3 routing such as Address Translation. As a rule of thumb, I keep all traffic local on the switch unless it has a purpose to go to the firewall. It reduces the load on your firewall a ton.

Ya I like that plan. Not sure why this hasn't crossed my mind before. Now it just comes down to finding a layer 3 switch that can handle 10 GbE. Needed to get one eventually so now is as good a time as any.

Does anyone know of any good 10 GbE layer 3 switches? I know there's a good amount and would prefer to not spend 10k on a single piece of hardware.

 

[Cmustang87]

The cost is going to be high if you are looking for a 10Gb layer 3 switch. Several thousand dollars.

What is your budget, and what kind of port density?

 

[Cmustang87]

A Meraki MS250-24 (layer 3 stacking switch w 4x SFP+) with TwinAX connector (they have both a 1M and 3M version).

https://meraki.cisco.com/products/switches/ms250-24

https://meraki.cisco.com/products/switches/accessories