First Time Setting Up Rack In CoLo: Router/Firewall?
May 13, 2008
I've been using dedicated hosting in places like the planet and rackspace for a long time now, but we're about to purchase a rack in a local data facility. This is my first time setting up a rack environment, so I have a bunch of questions.
They'll be giving me an ethernet drop into the cabinet. I have to take it from there. I'm thinking I needed a router/firewall. Am I right? Can those be a single device? Should they be? Which models would you recommend? (We're still a small operation, we don't usually push more than 1Mbps bandwidth).
I am in the process of gathering the peices to move from a dedicated box to my own hardware in a local colo and am undecided how best to choose the edge device.
The colo has a 30Mb pipe with about 10Mb of it being constantly used during biz hours. Another 10Mb is being allocated in the next couple of months. I want to be able to burst to the full 30Mb when needed.
I am getting 12 IP's allocated but will increase to 24 soon if all goes well (fingers crossed!).
I will have for starters just a single Proliant running dnp on 2008 with IIS, FTP, Mail, ns1 and a 2003 VM running my secondary ns.
What I am unsure of is the edge device and looking for others that have used either a 2800 series router or a ASA5500 series firewall in a similiar fashion. I know what the raw throughput of each device is, but raw benchmarks are not realworld numbers by any means.
I am looking at the 2801 with IOS Firewall turned on and hopefully even some inspects for FTP and HTTP traffic. The other option and one that I am less familiar with is to use the ASA5505 instead which will do my basic routing but supposedly provide more thourough inspects and advanced rules.
Does anyone have experiance with either of these in a hosting environment and have input on the realistic throughput one can expect from either device?
There is a signifigant cost difference with the ASA5505 being much cheaper but I am more familiar with IOS. Would anyone recommend a 1841 router instead?
I need 1U of space, .5 amp (50 watts) power, one IP, 2.5mbps bidirectional bandwidth (total of 5mbps up + down) and about 10GB of traffic per day each direction (total of 20GB up + down). Would be nice if they have remote KVM along with console (serial) access. Location should be anywhere in USA.
Purpose is to host a VPN router for various remote locations to connect in to. Reliability and good connection (low latency) is important.
The network will be designed like : we have 3 providers of IP transit, one will be the main network while the two other will feed the first network and manage a highly available network, probably using protocols like BGP4 and OSPF.
The current size of each fiber is 45 Mbit/s per operator. So I am looking for :
A router : - able to handle each provider with up to 200 MBit/s in/output - able to support protocol such as BGP4 or OSPF - able to output snmp for monitoring - have a little intuitive GUI for basic operations and have a real routing OS (like IOS or JunOS) - is branded and warrantly (a plus would be hardware extensible) - not too big box, something between 1 and 6U
A firewall : - able to handle ALL the traffic to all carrier - able to work as a SPF (drop all, allow only what I want, very accurate rules) - have a little intuitive GUI for basic operations - not too big box, something between 1 and 6U
About brand, most probably about Cisco, Juniper, Extreme or some good brand.
Which model would you advice me as router and which as firewall ? The price is not the main proccupation until it will do job just fine, but I would prefer to don't buy too expensive also.
I run a small datacenter, and we are migrating from Cisco to Linux based routers. This routers should run a firewall, DDOS mitigation rules, CBQ bandwidth limitation, etc..
I know how to mitigate DDOS using tcpdump, also I know how to route..
I just need some advice about the firewall, stopping basic DDOS, fragmented packets, etc..
Should I use APF firewall in this case? Is there a good IPTABLES set of rules I could use?
I'm giving up from Ciscos, as I just discovered there are some UDP packets that can easily break them. I tested it last night, and that was it, nothing secure A few traffic (bogus UDP packets) and the router was down for a few minutes.
I would like to thank in advance to anyone who shares his knowledge or experience here.
I am trying to find a firewall with some routing capability. Since I expect to have Gbps transfer in the near future, I don't think I can find a solid commercial hardware firewall within my low budget. That's why I am looking at software products.
I would need firewall functions(ability to prevent DDoS attacks is desirable) and basic routing functions (dynamic routing and BGP is desirable but not necessary at the moment).
Stage 1 environment: 20Mbps from provider P; 100Mbps from provider C; 35 servers for budget dedicated, mainly web servers;
*I have a question in mind that, can I have my network setup that incoming from both provider P and C but outgoing through C only? Is static routing able to do that?
Expected stage 2 environment: 40 ~ 60Mbps from provider P; 100 ~ 200 Mbps from provider C; 70 ~150 servers, mainly web servers;
Currently I am looking at Vyatta, Untangle and Endian. Can someone give some comments on these software or any others that might be suitable for me?
I have had an unmanaged server with theplanet.com for about 1.5 years now. I am looking to upgrade from my intel 3.2ghz to a core 2 e6600 server but I have been unable to find pricing that I liked in the dallas area.
The server is used for hosting game servers so low latency is a must. From some quick tests it appeared that both colo4dallas & theplanet were +/- 5ms of each other which is acceptable.
I am really likeing the $69 price that colo4dallas has for the 100gb transfer price which would save me around $75 a month I can use to offset the initial cost of the server.
Over the last 4 months my average useage was around 70gb of total transfer.
what should I be on the lookout for? If you had this option would you do it?
Anyone know what firewall do I need for my colo? I want to protect external IP. Here is my setup
3 servers, all have two nic cards, one of the cards will be the external IP and the other one will be LAN IP. So my question is what hardware firewall do I need to protect the External IP?
I was thinking of a cisco pix 515e. Which only route external IP to the LAN IP. I need something where I don't have to route, It just protect the external IP.
I'm looking to colo 5 servers, 3 app servers, 1 db, 1 backup/sparedb. I am looking for something to provide a bit of protection in, and it seems like the ASA5505 is a good firewall, but I was wondering if anyone had any other recommendations?
I probably won't need ridiculous features, I wish it had gigE ports (I need to get a separate gigE switch for now, just for internal transfers+backups).
Is there anything else that might be a little cheaper, or do I need to upgrade to the 5510? Myself and one other person are the only people who would be VPNing to the internal server cluster, so we don't need massive connection rights.
I do not think I will be pushing 100mbits of data transfer, so I'm not worried about the throughput of the server.
I am wondering what you think the average amount of time it should take to setup a firewall under the following circumstances.
The firewall in question is a Cisco ASA 5505
Say you have the firewall now but it is unstable so you an RMA to replace it, all the config rules are already known and can be seen in the old firewall when the new one arrives. There are only about 25 ACL rules and 6 object-groups that the ACLs use. There is NAT running with ~23 IPs that are statically routed to internal IPs and it has a VPN configured.
How long do you think it should take to configure the new firewall to act like the old one and replace the old one?
When i try setting time zone to GMT, it do not worked.
# date Thu Jun 26 10:05:20 UTC 2008 # ln -s /usr/share/zoneinfo/GMT /etc/localtime # /usr/sbin/ntpdate time.nist.gov 26 Jun 06:05:27 ntpdate[29806]: step time server 192.43.244.18 offset 1.429150 sec # date Thu Jun 26 06:05:27 EDT 2008
It still shows time in EDT.
I have the same problem in other server also, both servers are CentOS 5.2
When i set to UTC, it works
# date Thu Jun 26 06:10:16 EDT 2008 # rm -f /etc/localtime # ln -s /usr/share/zoneinfo/UTC /etc/localtime # date Thu Jun 26 10:10:16 UTC 2008 #
Many gurus and seasoned IM'ers alike have said that you actually don't need any technical knowhow to set up your business. But no sooner have you started than you realize that it's not the case and you have to get up to speed very quickly.
Just a couple of questions here, if I may:
1. What advice would you give to someone who has just purchased a new "unlimited" domain and knows diddly squat about all these technical issues?
2. I was reading what someone else said about add-on domains vs using Apache to redirect the add-on domains.
- what is the best way to actually set up your site so that you can have 1 main domain and then a bunch of others?
-should you rather use redirects (whatever that means)?
-What is Apache?
3. What is WHM?
Your collective help would be invaluable....
I just want to be able to set the thing up correctly....
I have a server in USA which I have leased to a customer. The customer is running an application in the server and for that he needs the timezone to be set IST in the server. If he does the same, then will it affect the working of the server. What can be the ill-effects of the same. The customer is running Windows 2003 server.
I really had a hard time in setting red5 on my VPS in /usr/local/red directory, I have done all the installation steps but still the port tester does not show success, I am using centos5 with cpanel installed, i have the installation steps from red5 forum but pretty much unsure what needs to be done after installation
1. I have only iptables installed and even if I remove iptables the port tester does not work properely
With all the high power servers/blade servers, the 40A (@ 110V) power limit is way too small. I am wondering if there is any colo space targeted for high density application, e.g. with 10 KW/cab limit for 60A @ 208V power drops. Does anybody know of such high density colocation space? East coast is preferred.
Please give me the difference. Colo in carrier hotel, we can choose our preferred network provider, but should we do that if we cannot have our own tech in datacenter? How about the supporting service from carrier hotel? Just general question, cause I dont address exactly which facility.
And the second would be more expensive? Saying the same number of rack, amount of bandwidth... Who is providing IP addresses then?
I can't get access to a certain site. I always get the page with:
network time out - server at *** takes to long to respons. More people have noticed this and apparently it only happens to people with certain specific providers. And not all the time. Some times they DO get access eventy to they belong to the same ISP. So I guess an ISP isn't blocking access to it otherwise it would be permenantly/The site administrator insists that certain ISP's are blocking his site. He's hosting it on his own server. The domain belongs is registered at namecheap.com.
If an ISP is blocking this site (if that's possible?), that would lead to that 'network timeout' page wouldn't it?
What is the most likely reason for getting a timeout page anyway?
Do you recommend a software firewall when behind a hardware firewall?
All of our servers are behind Cisco ASA 5505 firewalls which we rent from Liquidweb. All are being managed correctly and setup to there optimal levels. With hardware firewalls firmly in place, do you still recommend a software firewall such as APF or IPTables (we're talking linux); in our opinion we see it as an extra administration overhead. If this is however untrue, we will change out thinking.
I have a dedicated server specs: AMD 3500+ 64 Bit CPU, 1 GB Ram, 160 GB Sata Drive. For 1 month, CPU load average reaches 40-50 value. This happens about 5-6 times in a day. When I stop httpd service for 30 seconds everything goes normal. I think this is not a DoS attack because it comes systematic, I dont believe no one makes this regularly except bots.
Maybe its a system service or a cronjob but it stops when I turn off httpd service? How can I be sure about what's making this regularly load?
I also did set up a script which mail me when load average of system goes crazy and restart httpd service. But instant restart is not working to stop load increase.
The server is going down from time to time, every 12 days or so the site hosted there is no longer accesible, everything starts with the site slowing don and down and then is not longer reachable, what we do is to request a power cycle, and with this we start all over again till next power cycle, so on so on, of course, here are my server details and more info on this:
- MySQL - 5.1.41-3ubuntu12.10 - Apache - 2.2.14-5ubuntu8.4 - PHP - 5.3.2-1ubuntu4.9 - operating system: Ubuntu Server 10.04 LTS
After some time emailing the support guys to barely check about what's going on, we received an email with a few things:
1.- found a few errors that likely would cause issues with Apache. The first error is: [Mon Feb 04 05:03:10 2013] [error] mod_fcgid: fcgid process manager died, restarting the server and the next error is: [Mon Feb 04 14:32:34 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting ...
Both these errors seem to indicate that you have a process that is running out of control on your server. We were unable to determine what script on your site is running caused your connections to be maxed out however it does appear that before these errors were generated there was a WordPress plugin referenced in your access logs...
2.- Additionally during our review we did find that your error log for mercadodedinerousa.com is 45 GB's which is excessively large and can cause problems when Apache is trying to write a such a large file.
3.- The majority of the errors being logged are: [Wed Feb 06 12:12:31 2013] [error] [client 200.76.90.5] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/vhosts/mercadodedinerousa.com/httpdocs/index.pl, referer: [URL]
I've found a dedicated server at a great price and plan to stick with it, my first ( already have 2 vps accounts ). I don't have the money for a hardware firewall. However, I do have a chance to renew a Kerio WinRoute Firewall license from way back.
Does anyone think this would be better than the default windows 2003 firewall?
I am having a big question which has been often asked, but which all the time depends on the network topology; so first let's be honnest :
- I have no experience with BGP / OSPF - I have no experience with routers (except SOHO models - I will not have to make this to work in a productive environment
So in the next month we will get an AS number and few IP addresses; the goal is to test drive a gigabit network before using it as productive network;
I would like to ask some advices here for early all aspecsts, let's show some important points :
- Which brand? - Which model? - Maybe refurbished?
The key points for me:
I am looking for a cheap chasis but extensible with time when it will be needed
- Extensible system - Very cheap for small use (at beginning maximum $ 2-3k) - Trafic rate : ~ 100 MBit/s to 4-5 GBit/s - Type of trafic : HTML / JPG / GIF / PNG / CSS / EXE / ZIP (shared hosting network)
