anyone familiar with the Juniper SRX1500? interested in how it would go on a 10GBps internet connection assuming i didn't want to do any fancy intrusion detection stuff - specs say "9gbps of firewall performance"
it can act as a switch too can't it?
@decryption Meanwhile sitting here using a $80 ThinkCentre Tiny to route my 10 gbps connection ( ´・ω・`)
@kalleboo what ya running on there to do the routing & firewall stuff?
@decryption OpenWrt. I tried OpnSense and pfSense first but couldn’t get more than about 5 Gbps throughput. Replacing it with Linux and I have no trouble pushing 9 Gbps of IPv4 NAT traffic.
What it won’t do is 20 Gbps throughput (10G up and 10G down at the same time). I’m not sure if it’s due to the lack of PCIe lanes (tiny form factor uses an 8x riser) or due to lacking CPU grunt (it’s an i3-8100T).
@kalleboo ahh good old openwrt
@decryption Mostly yes to both, with an answer that takes too long for this textbox.
@LapTop006 @decryption yup, very yes but* areas
* depending on which features you turn on or off from the default config
@jpm @LapTop006 hmm, which features have the most impact on performance?
@decryption @LapTop006 deep packet inspection is by far the worst offender
@jpm @LapTop006 tempted to get one, only $700 on eBay - I can’t even build an OPNsense box for the price of an SRX1500, not sure what the catch is? It seems to still get updates?
@decryption @LapTop006 the catch is the support contract required to obtain said updates
@jpm @LapTop006 ahhh, so the software updates on the website can be downloaded, but they can’t be applied?
@decryption @LapTop006 can’t be downloaded without an account linked to a support contract for the device
@jpm @LapTop006 ohhh, makes sense - are there, uhh, other methods to obtain this very affordable software
@decryption @jpm less than there used to be, for example I no longer have access to the switch images despite my employer being a _rather large_ customer. Yes you can usually find them, and you probably won't actually need any features which want a licence, but it's harder. As long as you disable the web interface they're pretty solid security-wise.
@LapTop006 @jpm so is the base JunOS free and the juicier features are what costs?
@decryption @LapTop006 “free” as in you need to study the license SKU list for the platform to figure out what you’re going to miss out on and if that matters to you
@jpm @LapTop006 ugh too much fucking around, I’ll stick to a server running OPNsense and a separate switch I reckon
@decryption @jpm hopefully dumb question, why do you want a stateful firewall in front of your servers? You absolutely shouldn't need one.
@LapTop006 @jpm no it's a very good question! i wasn't sure - I didn't think I do, but maybe thought I should just to keep track of what's going in and out? but now I don't think I actually need that and it makes life easier for me
@decryption @LapTop006 @jpm well, you're gonna have to do SNAT/DNAT (if you only have a /30 and a few hundred VMs) which is intrinsically stateful.
@theraspb @LapTop006 @jpm yeah I need a router that'll do NAT!