I am looking for some words of wisdom from the members of this forum.
I do consulting work for three related non-profits in the same building. The three have decided to share the same internet pipe and have tasked me with building a new gateway box. I plan on purchasing a 1U SuperMicro Atom box with an add-in card for a total of 6 physical network ports.
The gateway would be used to split the internet between the non-profits, provide some basic traffic shaping, and filter content using DansGuardian.
Right now I am trying to figure out how to set up the software and would like some advice. Some options that I see are:
1. Install Ubuntu directly onto the box and use iptables, Squid, and DansGuardian to do all the tasks. I have done this before and am familiar with the setup.
2. Install ESXi on the bare metal and run an Ubuntu VM to do the above.
3. Install ESXi on the bare metal and run a pfSense VM for the firewall/router and pass port 80 packets to another VM running Ubuntu with Squid and DansGuardian. I have not used pfSense before but it seems like I could pick it up quite readily.
If I do option 3, are there any thoughts on running 3 separate Ubuntu VMs so that each non-profit would have its own DansGuardian instance, instead of running one instance and using filter groups?
There would be about 50 users on one network, 20 on the second, and 5 on the third. The internet pipe is a 50Mbit down/12Mbit up cable connection.
Any advice on the above or other options that anyone would recommend would be appreciated.
Thank you.
A lot depends on how much time you expect to spend on maintaining/fixing this solution; if you want to spend as little time as possible on it, I would suggest installing a dedicated router/firewall distro (such as pfSense, which you mentioned above) as the routing component, and set up everything else on a second VM.
The router part needs very few resources compared to the rest, and pfSense or other dedicated routing distros will run uninterrupted for years; the same can usually not be said for full-fledged servers providing proxying and possibly more.
Without knowing any more about customer requirements or expected load, option 3 seems the most flexible one to start with.
Oh, and yes, ESXi 5.
However, this will not run very well on an Atom - I would suggest a Sandy Bridge i3 2100T (only 35W) instead.
It will kick the backside of two of those Atom boards.
Oh, and Intel PRO NICs for the network, in case that has to be mentioned - although 100 Mbit would suffice traffic-wise, GbE offers better latencies.
You do not need a NIC with 6 ports - a NIC with a single port and a VLAN-capable managed switch would do a much nicer job here.
You would only need any kind of virtualization solution if you plan on setting up administrative separation for the routing services - i.e. if the three non-profits would need to be able to administer their very own router, change packet filtering rules, set up their own services there, etc. You would need to be able to obtain an IP subnet to accommodate at least your three hosts plus the ISP's router address - a total of 4 hosts, one network and one broadcast address, resulting in a requirement for at least a /28 network - in this case.
Even if you do administrative separation for packet filtering services, a use case for a single point of administration would be a QoS setup - if you need to guarantee bandwidth or some kind of fair use policy where none of the organizations should be able to use up as much bandwidth as to starve the other two, you inevitably end up with at least one routing device all three would depend on which could not be administered in separation.
You would not necessarily need a server machine to do these tasks - there are plenty of router appliances which are more resilient than a commodity PC board. Some of these are capable of splitting into "virtual routers" or "virtual systems" like Juniper NetScreen devices, or "security contexts" as with Cisco ASA devices - very much in the way you would get with your virtualized installations, but without all the baggage of ESXi and three running instances of operating systems needing to be administered. I would consider this kind of approach the most elegant, but it would require you to either get familiar with the system or hire another consultant / engineer to do the setup.
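As an added illustration of the shared QoS point made above (not code from any poster), this script derives a guaranteed per-tenant share of the 50/12 cable link from the three headcounts in the question and emits the Linux HTB/iptables commands a single Ubuntu gateway would use to enforce it on the upstream side, classifying each tenant by the VLAN sub-interface on one trunk NIC. Interface names, VLAN ids, the 10% floor and the 95% root rate are assumptions for the example; the downstream direction is shaped the same way on the trunk interface with `-o` marks.

```python
"""Per-tenant HTB guarantees for a shared uplink (added example; values are assumptions)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Tenant:
    name: str
    vlan: int    # 802.1Q tag on the single trunk NIC (constructed numbering)
    users: int   # approximate headcount, used to weight the share

# Headcounts come from the question; VLAN ids are constructed for the example.
TENANTS = [Tenant("org-a", 10, 50), Tenant("org-b", 20, 20), Tenant("org-c", 30, 5)]
UP_KBIT, DOWN_KBIT = 12_000, 50_000   # the 50 Mbit down / 12 Mbit up cable link

def guaranteed_rates(tenants, link_kbit, floor_fraction=0.10):
    """Split link_kbit into per-tenant guaranteed rates (kbit) summing to link_kbit.
    Every tenant first gets a floor so the 5-user office can never be starved;
    the remainder is shared in proportion to headcount."""
    floor = int(link_kbit * floor_fraction)
    spare = link_kbit - floor * len(tenants)
    total_users = sum(t.users for t in tenants)
    rates = {t.name: floor + spare * t.users // total_users for t in tenants}
    biggest = max(tenants, key=lambda t: t.users).name
    rates[biggest] += link_kbit - sum(rates.values())   # absorb integer-division remainder
    return rates

def upload_shaping(wan_if, trunk_if, tenants, link_kbit):
    """Commands for upstream traffic: mark packets by the VLAN sub-interface they
    arrive on, then queue them on the WAN side in an HTB class whose rate is the
    guarantee and whose ceil is the whole link, so idle bandwidth is borrowed but
    a busy tenant cannot push the others below their rate. The root class sits a
    little under the link rate so queuing happens here, under HTB's control,
    rather than in the cable modem's buffer."""
    root = int(link_kbit * 0.95)
    rates = guaranteed_rates(tenants, root)
    cmds = [
        f"tc qdisc add dev {wan_if} root handle 1: htb default {tenants[0].vlan}",
        f"tc class add dev {wan_if} parent 1: classid 1:1 htb rate {root}kbit ceil {root}kbit",
    ]
    for t in tenants:
        cmds += [
            f"iptables -t mangle -A PREROUTING -i {trunk_if}.{t.vlan} -j MARK --set-mark {t.vlan}",
            f"tc class add dev {wan_if} parent 1:1 classid 1:{t.vlan} htb rate {rates[t.name]}kbit ceil {root}kbit",
            f"tc qdisc add dev {wan_if} parent 1:{t.vlan} fq_codel",   # keep per-tenant queues short
            f"tc filter add dev {wan_if} parent 1: protocol ip handle {t.vlan} fw flowid 1:{t.vlan}",
        ]
    return cmds

if __name__ == "__main__":
    print("\n".join(upload_shaping("eth1", "eth0", TENANTS, UP_KBIT)))
```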