
pfSense Hardware


PenkethBoy


PenkethBoy

I am looking into setting up pfSense and was wondering what people are running their setup on.

 

I see the hardware spec is low (unless you have a large complex network setup) - was thinking of using stuff I have to hand - trying to keep it low power.

 

I have an old QNAP NAS with an Intel Atom and two NICs as a possible candidate.

 

Or if I decide to buy something then maybe something like this would do fine, if a bit overkill:

 

https://www.aliexpress.com/item/HCiPC-B207-1-HCL-SZ87-6LB-Barebone-LGA1150-Z87-82574L-6LAN-1U-Firewall-SYSTEM-6LAN-Motherboard/32721666026.html

 

 


dcrdev

I have been contemplating this for some time and one of the things that has held me back is that there isn't really any inexpensive (and low-powered) hardware around anymore that's a viable foundation for a pfSense box. The pfSense guys announced a couple of months back that the next version of pfSense will require AES-NI, which is something that these Chinese mini PCs and enterprise surplus thin clients do not have. You could of course go with OPNsense instead, who have said they currently have no intention of enforcing that particular hardware requirement.

 

From my point of view there are only two options:

  • Build something.
  • Use an APU2 C4 board, which does support AES-NI, but probably won't scale too well.

dcrdev

Thanks

 

You just bought a firewall device?

 

No, still not done anything yet - going to build something from scratch based around this: https://www.supermicro.com/products/motherboard/atom/A2SDi-2C-HLN4F.cfm . But I just forked out £3k on a new server, so need some time to recoup money.

 

Isn't AES-NI something only recent CPUs support?

 

Not really, it's been around for some time, but it has traditionally only been available on Intel's high-end CPUs. It's only very recently that Intel started including it on all of their lineup; I think that started sometime around 5th gen.


PenkethBoy

Looks like most CPUs from approx 2010 onwards potentially have AES-NI, and it's for pfSense 2.5 onwards so a bit of time yet - but good catch, as I will have to check if the CPUs I might use have it.

 

Yes, looked at those Supermicro boards and the enclosures for them - but they are very expensive and difficult to get in Europe from a quick look earlier.

 

The buying of a new firewall was actually directed @


Guest asrequested

Looks like most CPUs from approx 2010 onwards potentially have AES-NI, and it's for pfSense 2.5 onwards so a bit of time yet - but good catch, as I will have to check if the CPUs I might use have it.

 

Yes, looked at those Supermicro boards and the enclosures for them - but they are very expensive and difficult to get in Europe from a quick look earlier.

 

The buying of a new firewall was actually directed @

 

Oh, yes, I did. Not pfSense, though. It's UniFi. I'm not an authority on this stuff, but it's got a lot of options. They keep updating the controller and firmware. I'm still learning about most of it.

 

I'm doing traffic school, so I'm a little distracted lol


Tur0k

I would be looking at a multi-NIC fanless mini PC. You don't need much processor, disk space, or RAM to run pfSense. The average Celeron or AMD CPU, small SSD, and 4 GB of RAM will do perfectly. The better quality NIC you can find the better (I prefer Intel-based units).

Agreed here; the problem is that the 1K and 2K Celeron series CPUs often don't have AES-NI support. I would plan for AES-NI support: hardware-supported encryption will be introduced in version 2.4 and enforced in version 2.5. This limits your Intel-based low-end processors in the Celeron spec to the 3K series and above (check Intel ARK specs to verify).

I would look at the following and plan for 4 GB RAM and a 64 GB SSD.

Fanless Desktop Computer Mini PC Intel Quad Core N3150 2 LAN 2 HDMI B5 (Barebone No RAM,No Storage) https://www.amazon.com/dp/B072MDNBDY/ref=cm_sw_r_cp_api_GUIMzbZ53JVH9

 

The Celeron N3150 is a quad-core, 1.6 GHz base clock / 2.08 GHz turbo. It has 4 single-thread cores and supports 2 channels for RAM. It supports AES-NI. http://ark.intel.com/products/87258?ui=BIG

 


PenkethBoy

Thanks for the link to the fanless PC - found similar on .co.uk.

 

Have the N3150 in my main NAS and it's more than powerful enough for that, so using that as a basis - interesting.

 

The NAS I was considering using is Atom-based and I think will not support AES as it's likely too old - oh well, nice idea while it lasted.


PenkethBoy

Thanks @ - could not remember what you got - UniFi is a proprietary system and I guess does what pfSense does in broad terms.

 

I see the Avatar has changed :)


Tur0k

Ah, ok. AES-NI has been around since 2010, granted it only had limited support in the low-end Intel lines. I would look up your Atom CPU's specs on the Intel ARK site. Whether or not it supports AES-NI, you can stand up the firewall with the older system and, when you are ready to support AES-NI, back up your config, install pfSense on the new system and recover your backup on it.

 

 

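Besides the Intel ARK lookup suggested above, the same question can be answered on the candidate box itself. The script below is an added example, not code from this thread or from the pfSense project: it looks for the `aes` flag in /proc/cpuinfo on a Linux live system, or the `AESNI` feature name in the kernel boot messages on FreeBSD (the OS pfSense runs on). The function names `has_aesni` and `cpu_features` are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): report whether
# this CPU advertises the AES-NI instruction set. Linux lists it as the "aes"
# flag in /proc/cpuinfo; FreeBSD prints "AESNI" inside the Features2=<...>
# line of the kernel boot messages. Both reads are harmless and need no root.

# has_aesni FEATURES: print "yes" if FEATURES contains the Linux flag "aes"
# (as a whole word) or the FreeBSD feature name "AESNI", otherwise "no".
has_aesni() {
    case " $1 " in
        *" aes "*|*AESNI*) echo yes ;;
        *)                 echo no  ;;
    esac
}

# cpu_features: gather the feature string this host exposes, or nothing.
cpu_features() {
    if [ -r /proc/cpuinfo ]; then
        # first "flags" line; empty on kernels that have no such line
        grep '^flags' /proc/cpuinfo | head -n 1
    elif [ "$(uname -s)" = FreeBSD ]; then
        dmesg 2>/dev/null | grep 'Features2=' | head -n 1
    fi
    return 0
}

# Run the check on the current machine when executed directly.
features="$(cpu_features)"
if [ -z "$features" ]; then
    echo "could not read CPU feature flags on this host"
else
    echo "AES-NI: $(has_aesni "$features")"
fi
```

Boot the candidate board from any Linux or FreeBSD live image and run the script before committing to it; a "no" on an older Atom means it will not meet the 2.5 requirement discussed in this thread, even though it will run earlier releases. Recent pfSense releases also show the result on the dashboard (the AES-NI CPU Crypto entry under System Information), so once installed the script is not needed.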

PenkethBoy

I imagine a lot of */?@# before I understand pfSense - basic setup looks ok but all the billions of other options look :blink:


Guest asrequested

Lol... Yeah, I'm going through that process with my UniFi. A few bumps on first install (user error). Then you get that "Ah ha!" moment :)


Tur0k

I imagine a lot of */?@# before I understand pfSense - basic setup looks ok but all the billions of other options look :blink:

Focus on the basic functions:

Admin authentication

ISP WAN setup

Basic internal default VLAN

Firewall best practices for IPv4

Firewall best practices for IPv6

Pick private IP subnets

DHCP IPv4 (and reservations)

DHCP IPv6 (normally pass-through)

DNS service for IPv4 and IPv6

 

Then make a backup. Save it off the main system in case of a crash and burn. If you ever have a crash and burn you can keep the flash drive you used to load pfSense to reload it. You get an option to import the backup and be back to your last known good configuration.

 

Once you are up and running you can focus on enhanced features and expanding the services you host on your firewall.

 

DNSSEC and DNSBL integration

(provides enhanced security for DNS queries and blocks queries for known bad network nodes).

 

Automatic blocking of known malicious public IP addresses.

 

DDNS service (used to bind your WAN IP address to a domain you own)

 

NTP service. (helps ensure that your logs are uniform in log times)

 

SNMPv3 (if you intend on monitoring).

Set up a CA for your secondary services.

 

RADIUS authentication.

I use this as the basis for authentication, and authorization all over my network:

1. WPA2-Enterprise encryption,

2. DB logon access,

3. NAS Share access.

4. network administrative access.

5. VPN remote access to my house.

 

You may also want to stand up a log server to capture and allow you to audit access.

 

VPN to your home when away and need to access your home resources.

 

Private VPN for your home clients to keep your browsing habits private.

 

Let's Encrypt ACME client (allows you to get publicly trusted SSL certificates).

 

Reverse proxy to host and protect your internal resources that need to be accessible to the public Internet.

 

Squid web proxy with A/V built in.

 

IPS (active IDS)

A network monitor like an intrusion detection system (IDS) that identifies potential threats but also responds to them in an automated fashion. The reaction is based on a set of rules established by the network administrator. The reason for the automated response is the relative speed with which an exploit is implemented after the attacker gains access.

 

Take good notes. Screenshots also help. You will likely need authentication to third party services. Make sure that you have a good repository for these accounts. Let us know if you need any help. I have done it more times than I can remember.

 

 


Tur0k

One of the main things I wanted to do (use my VPN service), I found I can't do...yet!

You mean like setting up your private VPN tunnel in your firewall so all your traffic is private?

 

 


Guest asrequested

You mean like setting up your private VPN tunnel in your firewall so all your traffic is private?

 

 


Using a VPN paid service, as a client. In my case, Torguard. So I need to put in my username and password. The part of the controller that handles that is still in beta. I chose the UniFi so I wouldn't have to do it from the command line. They'll get it working, eventually.


Guest asrequested

And I can't agree more about backing up. I wiped the machine that I was running my controller on, and then I couldn't log back in to the router. Fortunately, I had experimented with the controller on another machine, so I had an old file that got me back in. Otherwise I'd have had to reset the router. Now I have Syncback copying it to another machine.
