PenkethBoy, posted August 20, 2017:

I am looking into setting up pfSense and was wondering what people are running their setup on. I see the hardware spec is low (unless you have a large, complex network setup), so I was thinking of using stuff I have to hand, trying to keep it low power. I have an old QNAP NAS with an Intel Atom and two NICs as a possible candidate. Or, if I decide to buy something, then maybe something like this would do fine, if a bit overkill: https://www.aliexpress.com/item/HCiPC-B207-1-HCL-SZ87-6LB-Barebone-LGA1150-Z87-82574L-6LAN-1U-Firewall-SYSTEM-6LAN-Motherboard/32721666026.html

Guest asrequested, posted August 20, 2017:

This one seems to be in line with what you're talking about: http://www.ebay.com/itm/HP-Intel-Atom-N280-3-Port-Gigabit-Firewall-Router-2GB-RAM-pfSense-Software-/222597233746?hash=item33d3d43c52:g:z9EAAOSwRQlXceWA

dcrdev, posted August 20, 2017:

I have been contemplating this for some time, and one of the things that has held me back is that there isn't really any inexpensive (and low-powered) hardware around anymore that's a viable foundation for a pfSense box. The pfSense guys announced a couple of months back that the next version of pfSense will require AES-NI; this is something that these Chinese mini PCs and enterprise-surplus thin clients do not have. You could of course go with OPNsense instead, who have said they currently have no intention of enforcing that particular hardware requirement. From my point of view there are only two options:
- Build something.
- Use an APU2 C4 board, which does support AES-NI, but probably won't scale too well.
PenkethBoy (author), posted August 20, 2017:

Thanks. You just bought a firewall device?

PenkethBoy (author), posted August 20, 2017:

Isn't AES-NI something only recent CPUs support?

dcrdev, posted August 20, 2017:

> Thanks. You just bought a firewall device?

No, still not done anything yet; going to build something from scratch based around this: https://www.supermicro.com/products/motherboard/atom/A2SDi-2C-HLN4F.cfm . But I just forked out £3k on a new server, so I need some time to recoup the money.

> Isn't AES-NI something only recent CPUs support?

Not really, it's been around for some time, but it has traditionally only been available on Intel's high-end CPUs. It's only very recently that Intel started including it on all of their lineup; I think that started sometime around 5th gen.

PenkethBoy (author), posted August 20, 2017:

Looks like most CPUs from approx. 2010 onwards potentially have AES-NI, and it's for pfSense 2.5 onwards, so a bit of time yet. But good catch, as I will have to check if the CPUs I might use have it. Yes, I looked at those Supermicro boards and the enclosures for them, but they are very expensive and difficult to get in Europe from a quick look earlier. The buying of a new firewall was actually directed @

Guest asrequested, posted August 20, 2017 (edited August 20, 2017 by Doofus):

> Looks like most CPUs from approx. 2010 onwards potentially have AES-NI, and it's for pfSense 2.5 onwards, so a bit of time yet. But good catch, as I will have to check if the CPUs I might use have it. Yes, I looked at those Supermicro boards and the enclosures for them, but they are very expensive and difficult to get in Europe from a quick look earlier. The buying of a new firewall was actually directed @

Oh, yes, I did. Not pfSense, though. It's UniFi. I'm not an authority on this stuff, but it's got a lot of options. They keep updating the controller and firmware. I'm still learning about most of it. I'm doing traffic school, so I'm a little distracted, lol.
Tur0k, posted August 21, 2017 (edited August 21, 2017 by Tur0k):

I would be looking at a multi-NIC fanless mini PC. You don't need much processor, disk space, or RAM to run pfSense. The average Celeron or AMD CPU, a small SSD, and 4GB of RAM will do perfectly. The better quality NIC you can find, the better (I prefer Intel-based units).

Agreed here; the problem is that the 1K and 2K Celeron series CPUs often don't have AES-NI support. I would plan for AES-NI support: hardware-supported encryption will be introduced in version 2.4 and enforced in version 2.5. This limits your Intel-based low-end processors in the Celeron spec to the 3K series and above (check Intel ARK specs to verify).

I would look at the following and plan for 4GB RAM and a 64GB SSD: Fanless Desktop Computer Mini PC Intel Quad Core N3150 2 LAN 2 HDMI B5 (Barebone, No RAM, No Storage) https://www.amazon.com/dp/B072MDNBDY/ref=cm_sw_r_cp_api_GUIMzbZ53JVH9

The Celeron N3150 is a quad-core, 1.6GHz base clock / 2.08GHz turbo. It has 4 single-thread cores and supports 2 channels for RAM. It supports AES-NI. http://ark.intel.com/products/87258?ui=BIG
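An added example for the "check Intel ARK specs to verify" step above; it is not code from anyone in this thread. Rather than trusting a product listing, ask the CPU itself: on Linux the feature shows up as `aes` in the `flags` line of /proc/cpuinfo, and on FreeBSD (which pfSense runs on) the boot messages print it as `AESNI` inside the `Features2=0x...<...>` line, so the script below handles both and also pulls out the model string for cross-checking on ARK. The file names, the sample cpuinfo and dmesg excerpts, and the exact flag lists in them are constructed for illustration.

```python
"""Check whether a CPU advertises AES-NI from what the OS itself reports.

Added example for this thread, not code from any poster. It understands the
Linux /proc/cpuinfo 'flags' line (feature spelled 'aes') and the FreeBSD
boot/dmesg 'Features2=0x...<...>' line (spelled 'AESNI'), so the same script
works from a Linux live USB on a candidate box and on a pfSense console.
The two sample texts are constructed for illustration, not real captures.
"""
import re
import sys
from pathlib import Path

# Linux: one 'flags' line per logical CPU, space-separated feature names.
_LINUX_FLAGS = re.compile(r"^flags\s*:\s*(.*)$", re.MULTILINE)
# FreeBSD: CPUID leaf 1 ECX bits are printed as 'Features2=0x...<A,B,C>'.
_FREEBSD_FEAT2 = re.compile(r"Features2=0x[0-9a-fA-F]+<([^>]*)>")


def has_aesni(text: str) -> bool:
    """True if any feature list in `text` includes the AES-NI instructions."""
    for m in _LINUX_FLAGS.finditer(text):
        if "aes" in m.group(1).split():
            return True
    for m in _FREEBSD_FEAT2.finditer(text):
        if "AESNI" in m.group(1).split(","):
            return True
    return False


def cpu_models(text: str) -> list:
    """Model strings found in `text`, for cross-checking against Intel ARK."""
    linux = re.findall(r"^model name\s*:\s*(.*)$", text, re.MULTILINE)
    freebsd = re.findall(r"^CPU:\s*(.*)\s+\(\d", text, re.MULTILINE)
    return sorted({s.strip() for s in linux + freebsd})


# Constructed sample: an Atom N280 style Linux cpuinfo excerpt without 'aes'.
LINUX_SAMPLE = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Atom(TM) CPU N280 @ 1.66GHz\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat clflush mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pni ssse3 movbe\n"
)

# Constructed sample: a Celeron N3150 style FreeBSD boot message with AESNI.
FREEBSD_SAMPLE = (
    "CPU: Intel(R) Celeron(R) CPU N3150 @ 1.60GHz (1600.03-MHz K8-class CPU)\n"
    "  Origin=\"GenuineIntel\"  Id=0x406c3  Family=0x6  Model=0x4c  Stepping=3\n"
    "  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,"
    "PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>\n"
    "  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,"
    "CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>\n"
)


def main(argv: list) -> int:
    """Read a file named on the command line, else /proc/cpuinfo, else stdin."""
    if len(argv) > 1:
        text = Path(argv[1]).read_text()
    elif Path("/proc/cpuinfo").exists():
        text = Path("/proc/cpuinfo").read_text()
    else:
        text = sys.stdin.read()  # e.g. `dmesg | python3 aesni_check.py` on FreeBSD
    for model in cpu_models(text) or ["(model string not found)"]:
        print("CPU model:", model)
    ok = has_aesni(text)
    print("AES-NI:", "yes" if ok else "no")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on a Linux live USB, or as `dmesg | python3 aesni_check.py` on a FreeBSD/pfSense console; the exit status is 0 only when the flag is present, so it can gate a provisioning script. The match is on whole feature tokens, not substrings, so names like `aesx` or `AESNIX` (hypothetical) do not produce a false positive. The installed pfSense dashboard also reports the same bit under "AES-NI CPU Crypto".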
PenkethBoy (author), posted August 21, 2017:

Thanks for the link to the fanless PC; found similar on .co.uk. I have the N3150 in my main NAS and it's more than powerful enough for that, so using that as a basis is interesting. The NAS I was considering using is Atom based, and I think it will not support AES, as it's likely too old. Oh well, nice idea while it lasted.

PenkethBoy (author), posted August 21, 2017:

Thanks @ - could not remember what you got. UniFi is a proprietary system and I guess does what pfSense does in broad terms. I see the avatar has changed.

Guest asrequested, posted August 21, 2017:

I'm sleuthing.

PenkethBoy (author), posted August 21, 2017:

Kato!

PenkethBoy (author), posted August 21, 2017:

Mini PC suggested by @Tur0k ordered.
Tur0k, posted August 21, 2017:

Ah, OK. AES-NI has been around since 2010, granted it only had limited support in the low-end Intel lines. I would look up your Atom CPU's specs on the Intel ARK site. Whether or not it supports AES-NI, you can stand up the firewall with the older system, and when you are ready to support AES-NI, back up your config, install pfSense on the new system and recover your backup on it.

Tur0k, posted August 21, 2017:

> Mini PC suggested by @Tur0k ordered.

Nice!!! Don't forget RAM and an SSD!!!

PenkethBoy (author), posted August 21, 2017:

Already have those hanging around.

dcrdev, posted August 21, 2017:

Let us know how it goes!

PenkethBoy (author), posted August 21, 2017:

I imagine a lot of */?@# before I understand pfSense. Basic setup looks OK, but all the billions of other options look

Guest asrequested, posted August 21, 2017:

Lol... Yeah, I'm going through that process with my UniFi. A few bumps on first install (user error). Then you get that "Aha!" moment.

Guest asrequested, posted August 21, 2017:

One of the main things I wanted to do (use my VPN service), I found I can't do... yet!
Tur0k 143 Posted August 21, 2017 Share Posted August 21, 2017 (edited) i imagine a lot of */?@# before i understand pfSense - basic setup looks ok but all the billions of other options looks Focus on the basic functions Admin authentication ISP WAN setup Basic internal default VLAN firewall best practices for IPv4 firewall best practices for IPv6 pick private IP subnets DHCP IPv4 (and reservations) DHCP IPv6 (normally pass through) DNS service for IPv4 and IPv6 Then make a backup. Save it off main system in case of a crash and burn. If you ever have a crash and burn you can keep the flash drive you used to load PFSENSE to reload it. You get an option to import the backup and be back to your last known good configuration. Once you are up and running you can focuse on enhanced features and expanding the services you host on your firewall. DNSSEC and DNSBL integration (provides enhanced security for DNS queries and blocks queries for known bad network nodes. Automatic blocking of known malicious public IP addresses. DDNS service (used to bind your WAN IP address to a domain you own) NTP service. (helps ensure that your logs are uniform in log times) SNMP v3 (if you intend on monitoring) setup a CA for your secondary services. Radius Authentication. I use this as the basis for authentication, and authorization all over my network: 1. WPA2-enterprise encryption, 2. DB logon access, 3. NAS Share access. 4. network administrative access. 5. VPN remote access to my house. You may also want to stand up a log server to capture and allow you to audit access. VPN to your home when away and need to access your home resources. Private VPN for your home clients to keep your browsing habits private. Let's encrypt Acme client (allows your to get publicly trusted SSL certificates.) Reverse proxy to host and protect your internal resources that need to be accessible to the public Internet. Squid web proxy with A/V built in. 
IPS(active IDS) Network monitor like an intrusion detection system (IDS) that identifies potential threats but also responds to them in an automated fashion. The reaction is based on a set of rules established by the network administrator. The reason for the automated response is due to the relative speed that an exploit is implemented after the attacker gains access. Take good notes. Screenshots also help. You will likely need authentication to third party services. Make sure that you have a good repository for these accounts. Let us know if you need any help. I have done it more times than I can remember. Sent from my iPhone using Tapatalk Edited August 22, 2017 by Tur0k Link to comment Share on other sites More sharing options...
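An added example (not code from any poster or from the pfSense project) that ties the "make a backup" advice above to the basic-function checklist: once the backup is an XML file sitting off-box, it can be audited automatically instead of by clicking through the GUI. The script below checks three of the items from that list in a pfSense config.xml backup: the WebGUI is served over HTTPS (admin authentication), the DNS resolver validates DNSSEC, and no enabled WAN pass rule allows any source to any destination (firewall best practice). The element layout (`<pfsense>` root, `<system><webgui><protocol>`, `<unbound><dnssec>`, `<filter><rule>` with `<source><any>`) is an assumption from the pfSense backup format, and the sample config is constructed and heavily trimmed, so confirm the names against a real backup before trusting a clean result.

```python
"""Audit a pfSense config.xml backup for a few of the basic-setup items.

Added example for this thread, not code from any poster or from pfSense.
It assumes the backup layout pfSense uses (<pfsense> root, <system><webgui>,
<unbound>, <filter><rule>...), where on/off options are empty elements such
as <dnssec></dnssec>; the sample below is constructed and trimmed, so confirm
element names against a real backup before relying on any check.
"""
import sys
import xml.etree.ElementTree as ET  # fine for your own backup; use defusedxml for untrusted XML


def _flag(parent, tag: str) -> bool:
    """pfSense stores on/off options as the presence of an (empty) child element."""
    return parent is not None and parent.find(tag) is not None


def _is_any(endpoint) -> bool:
    """<source>/<destination> blocks carry an <any> child for 'any address'."""
    return endpoint is not None and endpoint.find("any") is not None


def audit(xml_text: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Admin authentication: the WebGUI should only be served over HTTPS.
    proto = root.findtext("system/webgui/protocol")
    if proto != "https":
        findings.append(f"webgui: protocol is {proto!r}, expected 'https'")

    # 2. DNS: the resolver should validate DNSSEC.
    if not _flag(root.find("unbound"), "dnssec"):
        findings.append("unbound: DNSSEC validation is not enabled")

    # 3. Firewall: no enabled pass rule on WAN from any source to any destination.
    for rule in root.iterfind("filter/rule"):
        if _flag(rule, "disabled"):
            continue
        if (rule.findtext("type") == "pass"
                and rule.findtext("interface") == "wan"
                and _is_any(rule.find("source"))
                and _is_any(rule.find("destination"))):
            label = rule.findtext("descr") or f"tracker {rule.findtext('tracker')}"
            findings.append(f"filter: WAN pass rule '{label}' allows any -> any")
    return findings


# Constructed sample backup with one problem in each checked area.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw</hostname>
    <webgui>
      <protocol>http</protocol>
    </webgui>
  </system>
  <unbound>
    <enable></enable>
  </unbound>
  <filter>
    <rule>
      <tracker>1000000001</tracker>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><any></any></source>
      <destination><any></any></destination>
      <descr>temporary test rule</descr>
    </rule>
    <rule>
      <tracker>1000000002</tracker>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any></any></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""

# The same backup after the three fixes: HTTPS GUI, DNSSEC on, WAN test rule disabled.
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("<protocol>http</protocol>", "<protocol>https</protocol>")
    .replace("<enable></enable>", "<enable></enable><dnssec></dnssec>")
    .replace("<tracker>1000000001</tracker>", "<tracker>1000000001</tracker><disabled></disabled>")
)


def main(argv: list) -> int:
    """Audit the file named on the command line, or the built-in sample."""
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    findings = audit(xml_text)
    for f in findings:
        print("FINDING:", f)
    print("ok" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 audit_pfsense_backup.py config-fw.xml` against the backup you saved off-box; it exits non-zero when anything is flagged, which makes it easy to run after every config change. The `<disabled>` check matters because pfSense keeps disabled rules in the file, and flagging those would bury the real findings in noise.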
Tur0k, posted August 21, 2017:

> One of the main things I wanted to do (use my VPN service), I found I can't do... yet!

You mean like setting up your private VPN tunnel in your firewall so all your traffic is private?

Guest asrequested, posted August 21, 2017:

> You mean like setting up your private VPN tunnel in your firewall so all your traffic is private?

Using a VPN paid service, as a client. In my case, Torguard. So I need to put in my username and password. The part of the controller that handles that is still in beta. I chose the UniFi so I wouldn't have to do it from the command line. They'll get it working, eventually.

Guest asrequested, posted August 21, 2017 (edited August 21, 2017 by Doofus):

And I can't agree more about backing up. I wiped the machine that I was running my controller on, and then I couldn't log back in to the router. Fortunately, I had experimented with the controller on another machine, so I had an old file that got me back in. Otherwise I'd have had to reset the router. Now I have SyncBack copying it to another machine.