Wednesday, July 17, 2019

Firewall recommendation for 5 Gb/s throughput

I work for a sports organization that puts on sporting events. As part of this, a few times a year we put on large-ish scale events and have to set up networking to support them. Normally, we partner with a local cable/phone company and simply tell them where we need access and they set it up. For example, we'll give them a list of 15-20 locations on the property and tell them how much bandwidth each location needs, then they will deploy a modem at each location and we take it from there. That's all pretty easy.

We have an event upcoming in 2021 and I just did a site visit to get a lay of the land. This particular event has partnered with the local cable company, but rather than having them deploy access at each location, they got them to put in a 192 count single mode fiber backbone that terminates in a server room on one end and spans the entire property with hand holes having between 6-24 fibers each at key locations, so the ISP is going to give us a 5 Gb/s IP handoff in the server room and we'll distribute it as needed ourselves.

We have plenty of switches and other equipment to handle that, but the one piece of the puzzle we don't have that we are researching is a firewall capable of handling that throughput. Our intent is that we would install this in the server room and put it between the Internet handoff from the ISP and our event network.

We don't need much in the way of features - pretty much just NAT and the ability to create 5-10 virtual interfaces so we can segment the LAN into different networks. We expect that we'll be supporting approx 1000-1500 concurrent users with approx 45% of those being various media / TV outlets covering the event - they're historically our heaviest users in terms of bandwidth since they tend to upload huge files (photos, videos, streaming, etc), another 45% being public WiFi (i.e. smartphones and tablets in hospitality suites) and the final 10% being staff doing general browsing / e-mail.

The one minor caveat here is that since this is a special event, we really will only need this equipment for about 30 days. That being the case, if we can swing it, we'd like to avoid spending a ton of money. All of the readily apparent commercial offerings seem to be in the $10-15k price range for something that can support that throughput and number of users, so it'd be a $20-30k investment for a HA solution.

In the past, I've successfully used commodity x86 hardware running pfSense, but that was for much smaller events (i.e. 1 Gb/s bandwidth with maybe 150-200 concurrent users). As it happens, I've got access to some decent x86 servers with 10Gb networking, but I'm not thrilled about the idea of slotting pfSense in for something of this scale. I'm sort of stuck between going the pfSense route which is very cost effective but doesn't offer much in terms of support, and going the commercial route which would do everything we need and be a supportable solution but would also be very expensive (insert obligatory "you get what you pay for")...

I've heard of VyOS, which sounds like it might be another consideration but before I start diving down a rabbit hole I wanted to socialize this and see if anyone could offer any ideas or recommendations.
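As an added illustration (not from the post, and not the VyOS project's own documentation), here is what the requirements above look like as a VyOS 1.2-style configuration: one 802.1Q sub-interface per segment for the media, public WiFi and staff users, source NAT toward the ISP handoff, a ruleset that keeps the public WiFi segment from reaching the other internal networks, and a larger conntrack table so a few thousand NATed devices uploading large files do not exhaust the state table. Interface names (eth0 toward the ISP, eth1 as the trunk to the event switches) and all addresses are assumed placeholders.

```vyos
# Assumed: eth0 faces the ISP handoff, eth1 is the trunk to the event switches.
# All addresses are placeholders (RFC 5737 / RFC 1918), not real event values.
set interfaces ethernet eth0 description 'ISP 5 Gb/s handoff'
set interfaces ethernet eth0 address '203.0.113.2/30'
set protocols static route 0.0.0.0/0 next-hop '203.0.113.1'

# One 802.1Q sub-interface (vif) per LAN segment, sized for the user mix in the post
set interfaces ethernet eth1 vif 10 description 'MEDIA-TV'
set interfaces ethernet eth1 vif 10 address '10.10.0.1/22'
set interfaces ethernet eth1 vif 20 description 'PUBLIC-WIFI'
set interfaces ethernet eth1 vif 20 address '10.20.0.1/22'
set interfaces ethernet eth1 vif 30 description 'STAFF'
set interfaces ethernet eth1 vif 30 address '10.30.0.1/24'

# Source NAT (masquerade) for everything leaving toward the ISP
set nat source rule 100 source address '10.0.0.0/8'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'

# Reply traffic for flows already in the state table is accepted everywhere
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall state-policy invalid action 'drop'

# Public WiFi gets Internet only: drop anything aimed at internal address space,
# accept the rest. 'in' applies to traffic forwarded through the sub-interface.
set firewall name PUBLIC-IN default-action 'drop'
set firewall name PUBLIC-IN rule 10 action 'drop'
set firewall name PUBLIC-IN rule 10 description 'no access to other event segments'
set firewall name PUBLIC-IN rule 10 destination address '10.0.0.0/8'
set firewall name PUBLIC-IN rule 20 action 'accept'
set firewall name PUBLIC-IN rule 20 description 'Internet-bound traffic'
set interfaces ethernet eth1 vif 20 firewall in name 'PUBLIC-IN'

# Staff segment: same shape, but keep the media/TV segment reachable for support
set firewall name STAFF-IN default-action 'drop'
set firewall name STAFF-IN rule 10 action 'accept'
set firewall name STAFF-IN rule 10 destination address '10.10.0.0/22'
set firewall name STAFF-IN rule 20 action 'drop'
set firewall name STAFF-IN rule 20 destination address '10.0.0.0/8'
set firewall name STAFF-IN rule 30 action 'accept'
set interfaces ethernet eth1 vif 30 firewall in name 'STAFF-IN'

# NAT state table: ~1500 devices with many concurrent uploads can exhaust the
# default conntrack table, which shows up as dropped new connections under load
set system conntrack table-size '1048576'
set system conntrack hash-size '131072'
```

Enter the lines in `configure` mode, then `commit` and `save`. Because the `in` rulesets only govern traffic forwarded through each sub-interface, DHCP and DNS served by the router itself are unaffected; those are covered by a separate `local` ruleset if one is wanted.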

If we need to go the commercial route, we can do it, but the money we spend on that will have to come from somewhere else. We have approx $75k budgeted for IT support for this event and that has to cover a lot more than just the firewall solution, so we're trying to determine if there are viable options that won't suck up 30-40% of our total budget.
