Booting from Compact Flash

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
I need to build several small computers to function as VPN clients and firewalls. They need to be highly reliable and failsafe. I want to use CF rather than hard drives, so that they can run for years without the risk of drive failure.

Does anyone have any experience booting from CF? Specifically, booting Mandrake MNF or similar Linux firewall with around a 300mb boot image? Space isn't a concern, as 1gb CF cards are available; I'm mainly concerned with speed. It would be nice for it to boot fairly quickly, but most importantly, I don't want the speed of the CF to interfere with the normal operations, such as squid caching and logging (since I won't be using another syslog server).

Other than that, I'll be using a fanless VIA C3 533mhz board, so it'll have no moving parts at all. It should be able to hold up for years in the fairly harsh (for a computer) environments they'll be subjected to.

Thanks
 

RichieZ

Diamond Member
Jun 1, 2000
6,549
37
91
This has been discussed before, I think. CF cards are good for a limited number of writes, and if you had a swap file on one it could be used up rather quickly. Hit the search button for more details.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Electric Amish
That sounds REALLY COOL!

Sorry I don't have any info for you though...

amish

We have several frame relays that run to our remote labs and facilities that together cost us thousands each month. Broadband has just become available in most of those areas so the frames can easily be replaced by a <$100 DSL or cable connection. Building a VPN client for around $500 using MNF will be much cheaper and more capable than a $1500 appliance like a Sonicwall.

BTW, all the parts to build one of these boxes are available on newegg for around $450, except the IDE to CF adapter, which is carried by several other online stores.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: RichieZ
This has been discussed before, I think. CF cards are good for a limited number of writes, and if you had a swap file on one it could be used up rather quickly. Hit the search button for more details.

Good point. I did search, and discovered that CF has a lifespan of around 1,000,000 read/writes. This wouldn't last long in a system that was running an OS that wasn't aware it shouldn't be doing periodic drive writes.

Maybe the IBM microdrive would be a better choice than CF. Even though the microdrive has moving parts, they are still more durable to heat and shock than an IDE drive.
 

Pauli

Senior member
Oct 14, 1999
836
0
0
Do you really think hard drives fail often enough to warrant CF or Microdrive consideration? I disagree. As previously mentioned, CF devices have rather limited lifetimes if used as a main disk in an often-used desktop system. The Microdrive IS a hard drive, probably with similar, if not worse, failure rates. Man, I've been running many IDE HDs both at work and at home and have NEVER had one completely fail on me. I did have one 6GB WD that developed quite a few bad sectors that reduced its reliability, but that's because I dropped it. IDE drives are relatively VERY reliable in a desktop environment.
I think your ideas about CF or Microdrive are a bit misguided. If you are THAT concerned about reliability, you ought to go SCSI with RAID (mirroring), not CF!
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
What sort of speed would you be pushing on the broadband links?

You should be able to use something like a PIX 501, it's rated to do 10Mbps ClearText and 3Mbps 3DES encrypted throughput, which should cover most broadband lines.

Also, it should be compliant with almost any sort of endpoint you're using as long as it uses typical IPSEC standards.

I'm using a few of them with a 515 for an endpoint at the main office, and they are working great.

They also just put them up on newegg (no stock yet) for $460 w/3DES, which is a good price.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Pauli
Do you really think hard drives fail often enough to warrant CF or Microdrive consideration? I disagree. As previously mentioned, CF devices have rather limited lifetimes if used as a main disk in an often-used desktop system. The Microdrive IS a hard drive, probably with similar, if not worse, failure rates. Man, I've been running many IDE HDs both at work and at home and have NEVER had one completely fail on me. I did have one 6GB WD that developed quite a few bad sectors that reduced its reliability, but that's because I dropped it. IDE drives are relatively VERY reliable in a desktop environment.
I think your ideas about CF or Microdrive are a bit misguided. If you are THAT concerned about reliability, you ought to go SCSI with RAID (mirroring), not CF!

Yes, I do think that IDE drives fail often enough to warrant CF or microdrive consideration. An IDE drive's life span is around 3 to 7 years, and possibly less if it runs 24/7 and in harsh conditions which several of our devices will be exposed to (heat, dust, vibration).

I also run IDE drives at home, and have experienced very few failures. However, this is for my company, and I'm not trying to achieve "few" failures, I'm trying to achieve *NO* failures. Some of these locations are several hours away, and the device will be located in a hard to reach area. I'm not going to cut any corners on reliability just to save a few dollars by using inexpensive IDE drives. It's not uncommon in an environment with several hundred computers to experience a few drive failures on a regular basis.

SCSI drives, while more reliable than IDE, won't achieve the small form factor goals that I'm aiming for.
 

Electric Amish

Elite Member
Oct 11, 1999
23,578
1
0
If you're just using it as a firewall/router you should be able to get something like FreeSCO that can boot/run from a floppy.

amish
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: MysticLlama
What sort of speed would you be pushing on the broadband links?

You should be able to use something like a PIX 501, it's rated to do 10Mbps ClearText and 3Mbps 3DES encrypted throughput, which should cover most broadband lines.

Also, it should be compliant with almost any sort of endpoint you're using as long as it uses typical IPSEC standards.

I'm using a few of them with a 515 for an endpoint at the main office, and they are working great.

They also just put them up on newegg (no stock yet) for $460 w/3DES, which is a good price.

Our central office has a 2mb/1mb cable connection. The remote offices will probably have a 1mb/512k or 512/512k connection, depending on the site. If the upgrade on our Definity switch goes thru, we may even consider doing VoIP to these locations.

Right now, our main office is using SME 5.5 (www.e-smith.org) for VPN endpoint for just a few users. However, this was just a quick fix solution until we decided which route to take on a permanent basis. Our internet connection is currently very under-utilized, but this will of course change once all our remote sites drop the frames and come in thru a vpn tunnel.

Any of the PIX firewalls should be able to do what we *need* to do in the remote offices, except for the transparent squid proxying and network monitoring that MNF can do. We could still do that, but then we'd be looking at having multiple boxes. I agree though, a PIX solution is probably the route we'll take if the MNF solution doesn't work out.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Electric Amish
If you're just using it as a firewall/router you should be able to get something like FreeSCO that can boot/run from a floppy.

amish

Good suggestion, but unfortunately something like LRP isn't quite robust enough for what we're needing to do. It would be nice if it was that simple. Thanks, though.
 

MysticLlama

Golden Member
Sep 19, 2000
1,003
0
0
Couldn't you run it so that on the PIXs you take all traffic and then encrypt it, send it to the endpoint, decrypt it, and then send it through your box to do your proxying and monitoring?

I realize that takes a little more bandwidth at the head office than it would if you were to let them all to the net individually, but it also gives a single point of administration.

I would think this would eliminate the multiple boxes thing, and you could do net monitoring on a per-site basis (all traffic coming to the office) or even a per machine basis from the remote site (nat inside to inside so that all remote machines come in as their own IPs on the other end).

The only thing that I can think of it not working for would be if you need to do network monitoring of stuff going on on the remote networks, that's not going offsite. But isn't that what managed switches are for?

Also, I'm not sure about the price range, but I think that there are solid state PCMCIA drives that may not have the same read/write limit of CF. I remember working on some Compaq routers years ago that used PCMCIA, and they kept logs and everything on them and we never had one go bad, and they were in production for a long time.

On the moving parts side of things, what about 2 9GB SCSI drives mirrored? Still not tolerant enough?

Or how about this (not sure how you'd do it, but that's besides the point) a SCSI main drive hosting your OS, and a CF backup that you wrote the contents of the main drive to once per day, but that was bootable as well. Sort of a delayed mirroring type of thing. Just thinking as I type at this point....
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: MysticLlama
Couldn't you run it so that on the PIXs you take all traffic and then encrypt it, send it to the endpoint, decrypt it, and then send it through your box to do your proxying and monitoring?

I realize that takes a little more bandwidth at the head office than it would if you were to let them all to the net individually, but it also gives a single point of administration.
...and a single point of failure. If our internet connection at the main office went down, we'd have as many as 9 remote offices down (an even worse scenario if we do VoIP). I don't really want to route external internet traffic thru the VPN, otherwise, what's the use of caching.

Originally posted by: MysticLlama
Also, I'm not sure about the price range, but I think that there are solid state PCMCIA drives that may not have the same read/write limit of CF. I remember working on some Compaq routers years ago that used PCMCIA, and they kept logs and everything on them and we never had one go bad, and they were in production for a long time.
I found a Simpletech 640mb solid state drive for $400. That would make the total cost of the machine around $700. Closer to the cost of a firewall appliance, but still cheaper and more capable.

Originally posted by: MysticLlama
On the moving parts side of things, what about 2 9GB SCSI drives mirrored? Still not tolerant enough?

Or how about this (not sure how you'd do it, but that's besides the point) a SCSI main drive hosting your OS, and a CF backup that you wrote the contents of the main drive to once per day, but that was bootable as well. Sort of a delayed mirroring type of thing. Just thinking as I type at this point....
I think any continuous spinning drive would have a limited lifespan if it was mounted in a dust/moisture free enclosure with no airflow, as these systems would be. I want to know that these systems could last five years easily, without ever being touched, and I don't think SCSI or IDE is that failsafe. Solid state would seem to be the way to go.

Thanks for your suggestions... bringing all the traffic back thru the VPN wouldn't be bad if it was only network traffic. Something to consider at some of our other sites maybe... We may still go the PIX or Sonicwall route. Fortunately, I have plenty of time to decide.
 

Dug

Diamond Member
Jun 6, 2000
3,469
6
81
I'd be thinking about spending money on the environment that your electronic components are going into rather than the components themselves.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Dug
I'd be thinking about spending money on the environment that your electronic components are going into rather than the components themselves.

They'll be going into a few laboratories where they'll be in a wiring closet that gets very hot because it shares space with an autoclave, a few farms where there is no A/C and lots of dust in the air, a wash station control room that has no A/C and frequently has such high levels of moisture in the air that water condenses on just about everything, and grain mills where everything eventually gets covered in a thick layer of powder. Some of the others will be going in regular wiring closets in offices and won't need the extra protection, but I want them all to be configured exactly the same.

So... What would you suggest? Spending hundreds of thousands of dollars on facilities to store a $400 firewall? Or just make use of what we have?

How about not filling up my thread with useless crap...
(that was mean of me, my apologies)
 

Dug

Diamond Member
Jun 6, 2000
3,469
6
81
Originally posted by: jasonsRX7
Originally posted by: Dug
I'd be thinking about spending money on the environment that your electronic components are going into rather than the components themselves.

They'll be going into a few laboratories where they'll be in a wiring closet that gets very hot because it shares space with an autoclave, a few farms where there is no A/C and lots of dust in the air, a wash station control room that has no A/C and frequently has such high levels of moisture in the air that water condenses on just about everything, and grain mills where everything eventually gets covered in a thick layer of powder. Some of the others will be going in regular wiring closets in offices and won't need the extra protection, but I want them all to be configured exactly the same.

So... What would you suggest? Spending hundreds of thousands of dollars on facilities to store a $400 firewall? Or just make use of what we have?

How about not filling up my thread with useless crap...

Recommending that you secure your electronics is not useless crap.... but if you think it is, then you get what you deserve. There are inexpensive ways, but I won't waste my time since you aren't willing to listen.


 

Jeff7181

Lifer
Aug 21, 2002
18,368
11
81
Originally posted by: jasonsRX7
How about not filling up my thread with useless crap...

Your thread? Useless crap? Someone needs a kick in the arse. Come here looking for help, then insult people who offer suggestions. I hope nobody else offers any useful solutions.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Jeff7181
Originally posted by: jasonsRX7
How about not filling up my thread with useless crap...

Your thread? Useless crap? Someone needs a kick in the arse. Come here looking for help, then insult people who offer suggestions. I hope nobody else offers any useful solutions.

I really don't think what he said was useful. My way of securing the electronics is to build a small system that has high tolerances for heat and no fans to draw dust, and then to enclose it in a case to keep out moisture and as much dust as possible. That's what I've been saying all along. His suggestion was to spend money on the environment itself, and not the systems themselves, even when I had never even mentioned what the environments were.

Sorry, just annoying when I initially asked a very specific question, got a few really useful answers, and then someone insinuates that it would be better to change the whole environment rather than just build a reliable machine to high tolerances. I mean, really, how useful is that?
 

Dug

Diamond Member
Jun 6, 2000
3,469
6
81
However, this is for my company, and I'm not trying to achieve "few" failures, I'm trying to achieve *NO* failures. Some of these locations are several hours away, and the device will be located in a hard to reach area. I'm not going to cut any corners on reliability just to save a few dollars

This guy is a riot.
 

Jeff7181

Lifer
Aug 21, 2002
18,368
11
81
Not saying you have to renovate the building it's going in... but maybe make some sort of effort to clean up the area it will be located in, or simply relocate it.

My uncle lives on a farm, and they have a computer in the office off the barn with cows and pigs in it. He didn't want an old computer so slow it didn't require fans... so we built him an enclosure for the computer that actually uses a K&N air filter for a car to keep dust away from the computer. I've never seen a computer that clean before... after a year there's absolutely no dust inside the case.
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Dug
However, this is for my company, and I'm not trying to achieve "few" failures, I'm trying to achieve *NO* failures. Some of these locations are several hours away, and the device will be located in a hard to reach area. I'm not going to cut any corners on reliability just to save a few dollars

This guy is a riot.

Where's the riot in that? Sure a component could have an electronic failure, there's not much you can do about that. But I can avoid common mechanical failures such as fans and hard drives by not having them. I can't imagine that's such an unreasonable desire.
 

Paperlantern

Platinum Member
Apr 26, 2003
2,239
6
81
What about RAM drives? I've only heard about them, or are they essentially compact flash. I wouldn't think so, since RAM is unlimited read writes, and direct access memory. They have battery backups to keep info, but if the computers are going to be used in server type scenarios they wouldn't be turned off ANYWAY. Just a thought.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Jeff7181
Not saying you have to renovate the building it's going in... but maybe make some sort of effort to clean up the area it will be located in, or simply relocate it.

My uncle lives on a farm, and they have a computer in the office off the barn with cows and pigs in it. He didn't want an old computer so slow it didn't require fans... so we built him an enclosure for the computer that actually uses a K&N air filter for a car to keep dust away from the computer. I've never seen a computer that clean before... after a year there's absolutely no dust inside the case.
Yeah, here's one way: Filter pic 1 and filter pic 2. That's the air cleaner off a regular ol' General Motors V8 and it will filter a heck of a lot of air. Note that this is just conceptual, I didn't actually bolt the air cleaner to the case.

As for the topic at hand, you say you want reliability and then propose doing something that has not been extensively tested. I suggest a tried-&-true Cheetah 15k.3, which puts out no more heat than a Seagate IDE drive, and is warranted for 5 years of 24/7 usage in a server (meaning, heavy usage).

(let's see if my advice is useless too)
 

jasonsRX7

Senior member
Aug 9, 2000
290
0
0
Originally posted by: Jeff7181
Not saying you have to renovate the building it's going in... but maybe make some sort of effort to clean up the area it will be located in, or simply relocate it.

My uncle lives on a farm, and they have a computer in the office off the barn with cows and pigs in it. He didn't want an old computer so slow it didn't require fans... so we built him an enclosure for the computer that actually uses a K&N air filter for a car to keep dust away from the computer. I've never seen a computer that clean before... after a year there's absolutely no dust inside the case.

I don't think I'm going to have much control over the places staying clean. Some of the locations are contract locations that we don't own, we simply have to use the space we're provided.

Unfortunately, most of these systems will be mounted in places where there is no office to keep it separate from the rest of the farm. They'll be mounted on the wall inside of a barn, connected to PLCs that monitor temperature, weight, and regulate water flow and fan speeds for the livestock.

We've used some of the filtered enclosures for our full sized workstations in the mill before and you're right, they do work really well. You should have seen the literal inches of powder in the old PCs that weren't encased. We'll be using smaller versions by the same company for our mini-VPN clients.
 