April 14, 2015

Project “Falcon” – The DIY Router (server?) Experiment

As previously mentioned, I work in a “Cloud company” which typically means we claim we’re a “serverless” office. However, sometimes I need a server-like machine to make a point. For this particular project we needed a machine that was, for all intents and purposes, a server… except I wanted to build it myself. It wasn’t so much to save money, but so I could customize the machine to get exactly what I wanted out of it (and because it was a fun diversion). The result of that was known as “Project Falcon”.

The final purpose of this not-server is actually to function as a router. After you read the specs for the machine, you will probably say “this is massive overkill”. You will also be 100% correct. It is more than just a simple packet pusher, though: it is a “Unified Security” appliance (think things like passive proxy, IDS/IPS, etc.) that will be able to push at least 500 megabits per second (or at least that is the goal).

Post hardware build, I installed PFSense 2.1 on the machine. It then served as the core router/firewall for our main office for about 6 months. The only issues we had were related to an Intel driver issue that was fixed in PFSense 2.2 and PEBKACs during administration. During testing I had an IPSec tunnel set up offsite that could saturate the entire internet connection at ~250mbps, during which the CPU hit ~8% utilization. It was, for all intents and purposes, a $4,500 (approximately, at time of build) router that could blow anything out of the water around it. Today it’s about $3,500 to build an identical unit.

This project was inspired and executed because our previous router vendor charged us ~$25,000 for a device that couldn’t handle our existing load without jitter. They claimed it was my network design/circuit/etc. For 20% of their price I made them eat their words (and eventually refund the entire price, far beyond the 30-day RMA window).

This “Falcon” design ended up serving 2 offices with a 3rd “Mini Falcon” (half RAM/CPU/SSD) serving at a test location. The units were all eventually decommissioned in favor of Palo Alto Networks security appliances. I would, however, gladly build them again and would recommend PFSense for any location looking for good quality firewalls at Open Source prices.