Soekris Network Appliance

Started by Tom, October 28, 2012, 12:33:05 AM


Tom

I recently got a nice little Soekris net 6501-50 network appliance to use as a firewall/router, and it's been pretty slick so far.

It's a small embedded form factor Atom system with up to 2GB RAM, 4 GbE ports, mSATA/mini-PCIe ports, one PCIe port, internal and external USB, a couple SATA ports, and some other useful features. Has the option of a small desk/shelf style enclosure, or a 1U rackmount enclosure.

It's not /cheap/ but it's not "enterprise" expensive either. And I know some people who use them in enterprise environments (normally with pfSense).

It's had absolutely no problems running my piddling little needs. 50/3 internet firewall duties, squid filtering, and just recently running the management interface for my new Wifi AP.

I have the net 6501-50 model, which has a single core Atom 6xx @ 1GHz, and 1GB RAM. I installed a 32GB mSATA SSD that I found on eBay for under $40. It's a pretty slick little machine.

The nice thing about all my upgrades is my entire network can now survive 4 hours (or possibly more) without power (I have my core networking equipment on a 1000VA UPS). So long as Shaw keeps their backup power equipment maintained, I could get internet the entire time as well. I once had internet for two hours when the power was out, that was pretty nice. So hey, if the power goes out and you're jonesing for Minecraft, you may just be able to play on the server ;)
<Zapata Prime> I smell Stanley... And he smells good!!!

Melbosa

I've used SonicWalls and Fireboxes in small businesses before. Also great for that consumer->enterprise gap in the middle. Only problem with those devices is getting UPnP. The SonicWall devices are better in this regard and more feature rich like your Soekris. Not sure what they will be like now that Dell has bought them out though.
Sometimes I Think Before I Type... Sometimes!

Tom

I've heard some rather harsh criticisms of SonicWall from a few people at ENTS.

Melbosa

They've been fine in my experience... but I'm not using them for high end features. Just more medium business features such as you described you were using. I've used site-to-site VPN as well with them.

Tom

Well, one of the guys is/was a sysadmin for a large-ish charity. The other is a/the sysadmin for a medium sized hotel chain. I recall hearing that one of them eventually just told the bosses they were ripping the SonicWalls out. I think many got replaced with cheap x86 machines running pfSense and Soekrises (also running pfSense). The one guy likes using two or more with CARP and other fancy features (load balancing, etc).

Lazybones

Quote from: Tom on October 28, 2012, 05:16:56 AM
Well, one of the guys is/was a sysadmin for a large-ish charity. The other is a/the sysadmin for a medium sized hotel chain. I recall hearing that one of them eventually just told the bosses they were ripping the SonicWalls out. I think many got replaced with cheap x86 machines running pfSense and Soekrises (also running pfSense). The one guy likes using two or more with CARP and other fancy features (load balancing, etc).

That is interesting because in enterprise SonicWall generally is considered a good low-cost solution.

Thorin

It's amazing how much smarts can be built into these network appliances. On the other hand, I keep having to write special code to handle what gets passed through load-balancing because it arrives on a different URL than the user originally entered.
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Lazybones

Quote from: Thorin on October 30, 2012, 10:07:45 AM
It's amazing how much smarts can be built into these network appliances. On the other hand, I keep having to write special code to handle what gets passed through load-balancing because it arrives on a different URL than the user originally entered.

That behavior is usually a configuration item; I would be curious if you are fixing against something someone else set wrong or not optimally.

Melbosa

Yes, that does seem weird to me as well, Thorin... Load-Balancers typically shouldn't rewrite URLs; rather, they should just host VIPs for URLs and pass/broker a connection between the client and the destination servers (depending on implementation). URL rewriting or manipulation is typically something you have to enable rather than disable in out-of-the-box implementations of Load-Balancers.

I've used the following Load-Balancers: F5 LTM, Cisco ACE, and Microsoft ISA. All of these require significant choice to do URL rewriting. But I haven't had much experience with Medium Business range Load-Balancers, other than DNS round-robins...

Thorin

Yeah, so, they're doing it deliberately. You know, give a techie a toy and he'll play with it. 3 of the last 4 jobs had load balancers that did URL rewriting and HTTPS decryption/encryption. Each time it was something that was specifically set up to address a perceived problem. Each time it meant I had to have code that translated URLs local to the server.