
pfSense Hardware



PenkethBoy

Focus on the basic functions

Admin authentication

ISP WAN setup

Basic internal default VLAN

firewall best practices for IPv4

firewall best practices for IPv6

pick private IP subnets

DHCP IPv4 (and reservations)

DHCP IPv6 (normally pass through)

DNS service for IPv4 and IPv6

 

Then make a backup. Save it off the main system in case of a crash and burn. If you ever have a crash and burn you can keep the flash drive you used to load pfSense to reload it. You get an option to import the backup and be back to your last known good configuration.

 

Once you are up and running you can focus on enhanced features and expanding the services you host on your firewall.

 

DNSSEC and DNSBL integration

(provides enhanced security for DNS queries and blocks queries for known bad network nodes.)

 

Automatic blocking of known malicious public IP addresses.

 

DDNS service (used to bind your WAN IP address to a domain you own)

 

NTP service. (helps ensure that your logs are uniform in log times)

 

SNMP v3 (if you intend on monitoring)

Set up a CA for your secondary services.

 

VPN to your home when away and need to access your home resources.

 

Private VPN for your home clients to keep your browsing habits private.

 

Let's Encrypt ACME client (allows you to get publicly trusted SSL certificates.)

 

Reverse proxy to host and protect your internal resources that need to be accessible to the public Internet.

 

Squid web proxy with A/V built in.

 

Take good notes. Screenshots also help. You will likely need authentication to third party services. Make sure that you have a good repository for these accounts. Let us know if you need any help. I have done it more times than I can remember.

 

 


Yeah hours of fun  :P

 

Will be back with questions I am sure.
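The "make a backup and save it off the main system" step in the quoted checklist is the one most people do once by hand and then forget. The script below is an added example, not code from this thread or from the pfSense project: it pulls config.xml off the box through the WebGUI using the login-then-diag_backup.php flow that Netgate documents for curl. The form field names (usernamefld, passwordfld, login, __csrf_magic, download, donotbackuprrd) and the csrfMagicToken pattern are taken from that recipe and are an assumption about your pfSense version; the URL, user name and CA path are placeholders.

```python
"""Pull a pfSense config.xml backup off-box through the WebGUI.

Added example, not from the thread or from pfSense itself. Field names
follow Netgate's documented curl recipe and are an assumption; check them
against your version's diag_backup.php if the download comes back as HTML.
"""
import http.cookiejar
import os
import re
import ssl
import sys
import urllib.parse
import urllib.request
from typing import Optional

# Assumption: every WebGUI page embeds its CSRF token as JS like
#   var csrfMagicToken = "sid:...";
CSRF_RE = re.compile(r'var csrfMagicToken\s*=\s*"([^"]+)"')


def extract_csrf_token(html: str) -> str:
    """Return the __csrf_magic value embedded in a WebGUI page."""
    m = CSRF_RE.search(html)
    if not m:
        raise ValueError("no csrfMagicToken in page (not a pfSense page, or layout changed)")
    return m.group(1)


def looks_like_config(xml_bytes: bytes) -> bool:
    """Sanity check before overwriting a known-good backup: an unencrypted
    config.xml starts with an XML declaration and a <pfsense> root element.
    A login failure returns an HTML page instead, which this rejects."""
    head = xml_bytes.lstrip()[:200]
    return head.startswith(b"<?xml") and b"<pfsense>" in head


def make_opener(ca_file: Optional[str]):
    """HTTPS opener with a cookie jar. Trust the firewall's own cert/CA PEM
    rather than disabling verification: the backup carries every secret on
    the box (admin hashes, VPN keys, CA private keys)."""
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else ssl.create_default_context()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx),
    )


def fetch_backup(base_url: str, user: str, password: str, ca_file: Optional[str] = None) -> bytes:
    opener = make_opener(ca_file)

    def get(path: str) -> str:
        return opener.open(base_url + path, timeout=30).read().decode("utf-8", "replace")

    def post(path: str, fields: dict) -> bytes:
        data = urllib.parse.urlencode(fields).encode()
        return opener.open(base_url + path, data=data, timeout=30).read()

    # 1. GET the login page for a session cookie and a CSRF token.
    token = extract_csrf_token(get("/index.php"))
    # 2. Log in (field names per the documented curl recipe; assumption).
    post("/index.php", {"__csrf_magic": token, "usernamefld": user,
                        "passwordfld": password, "login": "Login"})
    # 3. Fresh token from the backup page, then request the XML download.
    token = extract_csrf_token(get("/diag_backup.php"))
    xml = post("/diag_backup.php", {"__csrf_magic": token, "download": "download",
                                    "donotbackuprrd": "yes"})
    if not looks_like_config(xml):
        raise RuntimeError("response is not a config.xml (login failed or form fields changed)")
    return xml


if __name__ == "__main__":
    # The password comes from the environment so it never lands in shell history.
    cfg = fetch_backup(
        base_url=os.environ.get("PFSENSE_URL", "https://192.168.1.1"),  # placeholder
        user=os.environ.get("PFSENSE_USER", "admin"),
        password=os.environ["PFSENSE_PASS"],
        ca_file=os.environ.get("PFSENSE_CA"),  # PEM of the firewall's cert or CA
    )
    out = sys.argv[1] if len(sys.argv) > 1 else "config.xml"
    with open(out, "wb") as f:
        f.write(cfg)
    print(f"wrote {len(cfg)} bytes to {out}")
```

Run it from a cron job on a machine that is not the firewall, with a dedicated backup user that has only the "WebCfg - Diagnostics: Backup & Restore" privilege, and treat the resulting file like a private key: it contains the admin password hash, pre-shared keys and any CA you set up later in the checklist.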


Tur0k

I really need to look more closely at my VPN options.

I know that pfSense can be configured to connect to the ones I use with the OpenVPN package.

 

 



Guest asrequested

I know that pfSense can be configured to connect to the ones I use with the OpenVPN package.

 

 


 

The Unifi has a whole bunch of options. I just don't know what the hell I'm doing, or what they do lol


Swynol

You could also look at Sophos UTM, very similar to pfSense.

 

It also depends what you enable on pfSense as to what hardware you need. When you start adding on VPN, DPI, HTTP and HTTPS scanning it will start to have a bigger hit on the CPU. It also depends on your external connection.

 

With Sophos UTM with everything turned on I was recommended an i3 6100T; it's 35 W and handles my 100/20 line fine. I scan every packet that comes in for malware/viruses; I decode all HTTP and HTTPS traffic leaving my network and log it. I also have intrusion protection on and country blocking. I don't currently use the inbuilt VPN as I use my Unifi setup for that.


PenkethBoy

I looked at the next level up of hardware from the mini PC I bought (i5/i7 mobile CPU power) and they remain an option for the future if I run out of horsepower, but they were three times the price, so not a compelling sell at the moment. Besides, I have old unused CPUs and motherboards that would be free to build something more powerful with no outlay, although probably not as energy efficient.

 

If anybody is thinking of doing the same as me then I would suggest watching the videos from Mark Furneaux:

 

https://www.youtube.com/playlist?list=PLE726R7YUJTePGvo0Zga2juUBxxFTH4Bk

 

I'm part way through Part 5.1 as I don't have the hardware yet, so will finish when the mini PC arrives.

 

Part 4 is very good for all those who use networks but don't fully understand them (as it's not your day job) - @ - might be worth an hour of your time :) - it cleared up a few areas for me that I have wondered about but did not have enough interest to investigate further.


PenkethBoy

@Swynol

 

So are you using an i3 and is it heavily used with all the options you have enabled? I have a 200/20 line.

 

pfSense has a lot of plugins available - not sure how many I might use, but a couple look interesting out of the gate for analysis/reporting, which will probably demand some horsepower - will have to wait and see.


Tur0k

I currently get Comcast 200 Mbps WAN service to my home; on speed tests I am getting consistent 240 Mbps downloads and 12 Mbps uploads.

 

With all the above working on my firewall mini PC (the case looks just about the same as that white one I linked except mine is black). I have an older Intel 5th gen CPU, an i5-5200U (dual core hyper-threaded, 2.2 GHz base / 2.7 GHz turbo). It has 8 GB of RAM and a 64 GB SSD. I don't see much CPU or memory being consistently used. My CPU utilization rarely spikes above 4%. Memory only increases if I am running ntop.

 


 

My CPU isn't much more powerful than the N3150, and it technically has 2 fewer cores. The 5200U does support hyperthreading and has better L1/L2 management though.

 

Given my hardware, the only 2 bottlenecks I see are the high average temp of 27.8 Celsius (technically the max temp on my CPU is 105 C). But even an elevated temp will cause my CPU to protect itself and reduce voltage to the CPU to reduce temp. If it becomes a problem I will cut holes in the case and add fans for ventilation. I am kinda glad I didn't get the i7 model.

 

The other problem I foresee bumping up against would be the Realtek on-board NICs. In practice I prefer Intel/StarTech/Rosewill expansion card NICs. The real-world difference would be 650+ Mbps versus 800+ Mbps sustained throughput over a long period of time, so I won't have trouble with this until I want to do gigabit WAN service.

 



puithove

I'll just mention this because I think it's kinda funny.  Definitely not the ideal hardware, but demonstrates what can be done - I mainly did it to see if it would work at the time, and it has worked well enough that I've just kept it around.

 

I previously had pfSense running on a little tiny Atom-based mini PC. Its dual NICs though were crap, and I wasn't able to push enough bandwidth with it. The weak processor also couldn't encrypt packets fast enough for VPN, causing another bottleneck. One day I got fed up and started looking at equipment I had lying around... Spotted an old 2009 Mac Mini. You might be thinking... "But it only has one NIC" - and you'd be right.

 

So since I also run Tomato on my Asus router (really operating as an access point), I had already set up VLANs for my home and guest networks, so I set up another for the cable modem port and created a trunk port to tag all the VLANs and send them to the single NIC on the mini.

 

So pfSense can receive the tagged VLANs on the single NIC and route between the ISP and the internal networks. The old Core Duo and the Intel NIC are able to easily push enough packets for my 100Mb connection, including VPN encryption. Works better than I thought it would. This fun little experiment has been serving me well enough for a couple of years now.
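What the trunk port in the post above actually hands to the Mac mini's single NIC is a stream of 802.1Q-tagged frames, and pfSense demultiplexes them by the 12-bit VLAN ID into separate logical interfaces. The block below is an added example, not code from the post or from pfSense: it builds and decodes tagged frames so you can see the tag layout, and shows the two edge cases that matter on a router-on-a-stick (untagged frames arriving on the parent interface, and tags for VLANs nobody assigned). VLAN IDs 10/20/30, the interface names and the MAC addresses are made-up sample values.

```python
"""Build and decode 802.1Q-tagged Ethernet frames (router-on-a-stick view).

Added example, not from the post. The VLAN-to-interface mapping and all
addresses are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id=None, pcp: int = 0) -> bytes:
    """Ethernet II frame without FCS. With vlan_id set, a 4-byte 802.1Q tag
    (TPID + TCI) is inserted between the source MAC and the EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:        # 0 and 4095 are reserved by 802.1Q
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst/src/vlan_id/ethertype/payload.
    Untagged frames come back with vlan_id None."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": etype, "payload": frame[offset:]}


# Constructed mapping in the spirit of the post: one parent NIC, three VLANs.
VLAN_TO_INTERFACE = {10: "WAN (cable modem)", 20: "LAN (home)", 30: "GUEST"}


def classify(frame: bytes) -> str:
    """Which pfSense interface a received frame lands on. Untagged frames go
    to the parent NIC itself; if that parent is left unassigned in pfSense
    they are simply ignored, which is what you want on a pure trunk. Tags
    for VLANs that were never created are dropped by the kernel."""
    vid = parse_frame(frame)["vlan_id"]
    if vid is None:
        return "unassigned parent (ignored)"
    return VLAN_TO_INTERFACE.get(vid, "dropped: unknown VLAN")


if __name__ == "__main__":
    a, b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    f = build_frame(b, a, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=20, pcp=3)
    print(f.hex(" "))
    print(parse_frame(f)["vlan_id"], "->", classify(f))
```

The security point for this design: the modem's VLAN (10 here) must be untagged only on the switch port facing the modem and tagged on the trunk, and nothing else may be a member of it; otherwise an internal host can put itself directly on the ISP segment, bypassing the firewall entirely. Leaving the parent interface unassigned in pfSense also means a misbehaving switch that strips tags cannot silently land traffic on an interface with rules you never wrote.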


Swynol

@Swynol

 

So are you using an i3 and is it heavily used with all the options you have enabled? I have a 200/20 line.

 

pfSense has a lot of plugins available - not sure how many I might use, but a couple look interesting out of the gate for analysis/reporting, which will probably demand some horsepower - will have to wait and see.

 

No, the i3 on full load, i.e. using the entire bandwidth, maxes out around 10% CPU. I run ESXi on it and at the moment I only have the UTM on it, but at least I know I have headroom for another VM if I need it.


PenkethBoy

Well the beast ( :) ) has arrived - 8 days from China, and would have been 6 but for the Bank Holiday weekend.

 

A few pics for those interested :)

[Photo: Front]

[Photo: Back]

[Photo: Inside (as delivered)]

[Photo: Memory and SSD installed (screws to the lid)]

 

Looks well made and feels solid.


PenkethBoy

Small bonus - although listed as an N3150, the processor is an N3160.

 

Small bump in processor speed and a better (internal) graphics chip - not that the GPU matters for pfSense.

 

Just installing Win 10 to stress test as I have Windows tools and am not familiar with the Linux equivalents.

 

Appears to be keeping quite cool when under load :)


PenkethBoy

Well that was easy - quick install from USB - quick whizz through the basic interface - pick WAN and LAN interfaces - reboot - log in to the web config - follow the wizard

 

and here i am :)

 

30-45 mins with a bit of double checking of reference docs and videos

 

Got lots of config on the billion options to do, but that can wait for a bit.

 

Bonus is that pfSense is seeing the wifi card, so I have the option of a WiFi interface.

 

Hardware runs cool - even after an extended Handbrake run when doing a burn-in it did not get to 45°C - idle at 32°C - the case is slightly warm to the touch as it's the heat sink.

 

In Win10 the PC was responsive and relatively snappy, so it would be fine as a basic PC for browsing - tried Emby Server and it's fine.

 

Just got to fight with my WRT1900ACS to play nice as an access point as it's being a PIA - but that's for tomorrow, or a large hammer :)

 

Happy Camper 


PenkethBoy

OK, have had my wifi back for a few days after winning the fight with the Netgear 1900ACS to become an AP and not fight with pfSense for ownership of the network :)

 

So, question for the pfSense users out there:

 

what packages do you use with pfSense?

 

Testing:

 

1) apcupsd - UPS support

2) pfBlockerNG

3) ntopng - looks amazing 

 

Am also looking at Suricata and Snort.

iamspartacus

Just to touch on a few comments I've seen in this thread.

 

VPN

 

pfSense is great for use as an OpenVPN client to a VPN service. I've thought about moving to Sophos UTM (I use it at work) for years, but that's the one feature they don't have that I can't live without. I have 3 always-up client OpenVPN connections to PIA that I've grouped into a single gateway group. I then have firewall rules sending traffic from certain hosts out that gateway group. Works great for getting full-speed 300Mbps downloads on my line over VPN.

 

pfSense Hardware

 

I have a pfSense box at home based off a SuperMicro A1SRi-2758F (Avoton 8-core). It can handle a 300Mbps OpenVPN connection fully saturated without the CPU jumping above 35%.

 

I also have a pfSense box configured at my parents' house based on a Celeron J1900. Works great. I have a 150Mbps site-to-site VPN between my house and theirs, and the Celeron easily handles that line speed via VPN fully saturated.

 

pfSense Packages

 

I don't run a ton of packages but I use the following:

  • Avahi
  • Darkstat
  • OpenVPN Client Export
  • pfBlockerNG
  • Snort
  • Squid
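The "rules sending traffic from certain hosts out that gateway group" setup in the post above has a failure mode worth understanding before relying on it for privacy: by default, when every gateway in a group is down, pfSense drops the gateway from the rule and the matching traffic follows the default route, i.e. it leaves via the ISP unencrypted. The "Skip rules when gateway is down" option (System > Advanced > Miscellaneous) changes that so the rule is skipped and later rules decide, which is what makes a trailing block rule act as a kill switch. The block below is an added example that models this documented behaviour; it is not pfSense code and not the poster's configuration. The gateway names, the vpnhosts alias and the addresses are made up.

```python
"""Policy routing through a pfSense-style gateway group, including what
happens when the VPN gateways die.

Added example, not pfSense code and not from the post: it models the
documented behaviour (tiers, trigger level, and "Skip rules when gateway
is down"). Gateway names, the 'vpnhosts' alias and addresses are made up.
"""
from dataclasses import dataclass
from typing import List, Optional
import zlib


@dataclass
class Gateway:
    name: str
    tier: int
    status: str = "online"   # online | down | loss | latency (monitor daemon state)


@dataclass
class GatewayGroup:
    name: str
    members: List[Gateway]
    trigger: str = "down"    # down | loss | latency | loss_or_latency

    def usable(self) -> List[Gateway]:
        """Members at the best tier that pass the trigger level. A lower tier
        is used only when every member of the tiers above it fails, so with
        the default 'down' trigger a lossy VPN link is still considered up."""
        bad = {"down"}
        if self.trigger in ("loss", "loss_or_latency"):
            bad.add("loss")
        if self.trigger in ("latency", "loss_or_latency"):
            bad.add("latency")
        for tier in sorted({m.tier for m in self.members}):
            alive = [m for m in self.members if m.tier == tier and m.status not in bad]
            if alive:
                return alive
        return []


def pick_member(alive: List[Gateway], src_ip: str, dst_ip: str) -> Gateway:
    """Same-tier members are load balanced per connection; approximated here
    with a hash of the address pair so one flow always gets the same member."""
    return alive[zlib.crc32(f"{src_ip}->{dst_ip}".encode()) % len(alive)]


@dataclass
class Rule:
    action: str                    # pass | block
    src_alias: str                 # 'any' or an alias name
    gateway: Optional[str] = None  # gateway group name for policy routing


def route(rules, groups, aliases, src_ip, dst_ip, skip_rules_when_gw_down=False) -> str:
    """First-match evaluation of LAN rules; returns where the flow goes."""
    for r in rules:
        if r.src_alias != "any" and src_ip not in aliases[r.src_alias]:
            continue
        if r.action == "block":
            return "blocked"
        if r.gateway is None:
            return "default route (ISP)"
        alive = groups[r.gateway].usable()
        if alive:
            return f"via {pick_member(alive, src_ip, dst_ip).name}"
        if skip_rules_when_gw_down:
            continue             # rule is skipped; the rules below it decide
        # Default pfSense behaviour: the gateway is removed from the rule and
        # the traffic follows the default route, leaving the VPN entirely.
        return "LEAK: default route (ISP)"
    return "blocked (implicit default deny)"


def scenario(vpn_status: str = "online", skip: bool = False,
             src_ip: str = "192.168.1.50") -> str:
    """Three always-up VPN clients in one tier, a kill-switch block rule under
    the policy-routing rule, and an allow-all for every other host."""
    pia = GatewayGroup("PIA_VPN", [Gateway(f"PIA{i}_VPNV4", 1, vpn_status) for i in (1, 2, 3)])
    aliases = {"vpnhosts": {"192.168.1.50", "192.168.1.51"}}   # constructed sample hosts
    rules = [
        Rule("pass", "vpnhosts", gateway="PIA_VPN"),
        Rule("block", "vpnhosts"),   # only reached when the rule above is skipped
        Rule("pass", "any"),
    ]
    return route(rules, {"PIA_VPN": pia}, aliases, src_ip, "1.1.1.1", skip)


if __name__ == "__main__":
    for status, skip in (("online", False), ("down", False), ("down", True)):
        print(f"VPN {status:6} skip={skip!s:5} -> {scenario(status, skip)}")
```

The order of the two vpnhosts rules matters: the block must sit directly below the policy-routing rule, and the skip option must be on, or the block is never reached. Also note that the three PIA members share one tier here, so losing one of them just rebalances flows; the leak only happens when all three are down at once, which is exactly the case (provider outage, expired credentials, WAN flap during reconnect) that a kill switch exists for.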
