pfSense on mini-ITX: need your input and advice
-
Hi all,
I have already asked in this forum some questions about PF and mini-itx systems. I realize that I didn't give enough information to you guys to really help me to choose.
So my goal is to train myself with several networking and firewalling concepts that could help me to be a better sysadmin (;-)). In fact, I am a Linux sysadmin but I realize that I am completely lost when people talk with me about VLANs, VPN, security and so on.
So I have decided to invest in some stuff that could help to create a lab to train myself and also to create at home a pretty nice setup.
- I need a router where I can test PF, but I want something fanless and that does not make noise or too much heat (so of course that will not be too electrical consuming).
- This router has to be compatible with PF. I need to have at least 2 Gigabyte links and some wireless link (USB or a PCI card).
- The router has to be compatible with other Linux distros, meaning that if I want to test another firewalling distro, I can install it on the same hardware
- The router needs to have an IDE/SATA HD (I want to test Squid)
- The router has to be able to boot from a USB CD-ROM drive
The other parts of the setup are:
- An 8-port manageable switch (a ProCurve) that can do VLANs
- A more powerful mini-ITX system to play with virtual machines and Xen
The setup has to be as robust as one that I could set up at work (My girlfriend will never forgive me if something goes wrong with the internet access, she is the most terrible user I have ever had to deal with!!!)
So I have several choices, but still need your input before I buy all of this stuff:
- The Hacom router seems very fine, especially the Celeron systems, but if I put an HDD in it, will I be able to boot with an external CD and reinstall PF from an ISO/CD?
- Those Hacom systems, are they really fanless? Do they make any noise or excessive heat?
- I am pretty sure that the answer will be yes, but can I install whatever distro I want on those systems (as long as the hardware is detected by the distro of course)?
- I am living in Montreal, Quebec, Canada. Can this Hacom system be bought worldwide?
- Is there any other mini-ITX solution other than those listed in the recommended vendors list on the pf site that I should also have a look at and that can meet my needs? (Some people already talked to me about Lanner FW7520 and FabiaTech FX5620 or FX5621)
Please share with me all your great and successful stories with mini-ITX solutions and home-made routers. I don't mind buying each part separately and mounting my router by hand, or buying one ready to use.
Thanks to all the great guys that have already replied to me and gave me some info. Thanks to those that will share their knowledge here.
Romain
Here are the Hacom systems:
http://www.hacom.net/catalog/index.php?main_page=product_info&cPath=130_136&products_id=94
Other interesting stuff:
http://www.logicsupply.com/
-
As has been said many times, pfSense is based on FreeBSD. FreeBSD is not Linux.
If you search the forums you'll find many posts on the subject, though possibly few here about the Hacom systems. Their advertising does say fanless, so I'd expect it to have no fans ;) The underlying hardware is from another company (Lex) and if you have a look for them you'll find lots of people using their hardware over the years. It's all fairly standard PC components so it'll work with any OS that has support for the hardware.
-
- This router has to be compatible with PF. I need to have at least 2 Gigabyte links and some wireless link (USB or a PCI card).
I presume you mean gigabit per second rather than gigabyte. Why do you want gigabit links? You have gigabit download speed from the internet? The answer impacts the type of CPU you are likely to need. If you want to route between gigabit links at gigabit speeds you will need a much more powerful CPU than you would to route between two 100Mbps links.
- The router has to be able to boot from a USB CD-ROM drive
This is a BIOS function.
The other parts of the setup are:
- A more powerful mini-ITX system to play with virtual machines and Xen
I presume this would be a separate system from the router. To provide acceptable internet service to your girlfriend you probably want to have a dedicated router that you hardly ever change or power cycle.
But I would seriously question mini-ITX for a system to play with virtual machines. The CPUs on those mini-ITX motherboards which include a CPU generally are limited to 32 bit operation, have limited memory addressing and are lower performing than CPUs marketed for desktop or server use. Generally mini-ITX motherboards have only a single memory slot which severely limits the amount of memory you can put on them. If you plan to run more than a small number of virtual machines you will probably find it useful to be able to provide a considerable amount of memory (and possibly even a 64-bit capable virtual machine host OS). You would also probably want to be able to use a CPU with hardware assists for virtual machines. A micro-ATX motherboard with low energy CPU and "silent" or low noise power supply (such as used in some HTPC systems) might be a better base for the virtual machine host.
So I have several choices, but still need your input before I buy all of this stuff:
- The Hacom router seems very fine, especially the Celeron systems, but if I put an HDD in it, will I be able to boot with an external CD and reinstall PF from an ISO/CD?
I use a Jetway mini-ITX board and I have successfully installed pfSense from USB CD-ROM. But boot from USB CD-ROM is a BIOS function.
- Is there any other mini-ITX solution other than those listed in the recommended vendors list on the pf site that I should also have a look at and that can meet my needs? (Some people already talked to me about Lanner FW7520 and FabiaTech FX5620 or FX5621)
Search the forums for ITX to see some other mini-ITX boards that have been considered for pfSense use.
-
As wallabybob & Cry Havok said this has been discussed at length, here is a good start.
http://forum.pfsense.org/index.php/topic,13098.15.html
And
http://forum.pfsense.org/index.php/topic,11913.0.html
The main thing to look out for on mini-ITX boards is that they usually come with cheap Realtek NICs. Take my advice and spend a little extra and get one with Intel GB NICs; this is the one I've been running for a while now.
http://www.icp-uk.com/index.php?act=viewProd&productId=416
Then if you need extra network connectivity buy a cheap VLAN switch as I have, again covered in the post above.
At the end of the day only you can decide what will meet your needs, no one is going to say "ear mate buy one of these" as all you will do is say Oh that's too expensive, or they don't sell that here in Greece.
-
@Cry:
As has been said many times, pfSense is based on FreeBSD. FreeBSD is not Linux.
If you search the forums you'll find many posts on the subject, though possibly few here about the Hacom systems. Their advertising does say fanless, so I'd expect it to have no fans ;) The underlying hardware is from another company (Lex) and if you have a look for them you'll find lots of people using their hardware over the years. It's all fairly standard PC components so it'll work with any OS that has support for the hardware.
Thanks for your answers. Like I said, some of my questions can seem to be stupid but well, I just want to be sure about the way I will play with PF and mini-ITX hardware.
-
- This router has to be compatible with PF. I need to have at least 2 Gigabyte links and some wireless link (USB or a PCI card).
I presume you mean gigabit per second rather than gigabyte. Why do you want gigabit links? You have gigabit download speed from the internet? The answer impacts the type of CPU you are likely to need. If you want to route between gigabit links at gigabit speeds you will need a much more powerful CPU than you would to route between two 100Mbps links.
- In fact, I want 100 Mb on the WAN interface and 1 Gb for the internal network. I am pretty sure that I will never fully load the 1 Gb link but the switch will manage Gb links and so will my internal PCs, so why not have them?
- The router has to be able to boot from a USB CD-ROM drive
This is a BIOS function.
- Yeah, I was pretty sure that a standard BIOS can do it but I have never played with a mini-ITX BIOS setup so I just wanted to be sure.
The other parts of the setup are:
- A more powerful mini-ITX system to play with virtual machines and Xen
I presume this would be a separate system from the router. To provide acceptable internet service to your girlfriend you probably want to have a dedicated router that you hardly ever change or power cycle.
But I would seriously question mini-ITX for a system to play with virtual machines. The CPUs on those mini-ITX motherboards which include a CPU generally are limited to 32 bit operation, have limited memory addressing and are lower performing than CPUs marketed for desktop or server use. Generally mini-ITX motherboards have only a single memory slot which severely limits the amount of memory you can put on them. If you plan to run more than a small number of virtual machines you will probably find it useful to be able to provide a considerable amount of memory (and possibly even a 64-bit capable virtual machine host OS). You would also probably want to be able to use a CPU with hardware assists for virtual machines. A micro-ATX motherboard with low energy CPU and "silent" or low noise power supply (such as used in some HTPC systems) might be a better base for the virtual machine host.
- In fact some mini-ITX boards use Core 2 Duo CPUs that can manage 64 bits and also virtualization instructions; some boards can manage up to 4 Gb of memory. I don't want a big server to manage some pretty small applications or services but I want to play with some stuff without too much electrical power or too much noise. I don't want to have a server room but want to have some nice stuff to play with.
So I have several choices, but still need your input before I buy all of this stuff:
- The Hacom router seems very fine, especially the Celeron systems, but if I put an HDD in it, will I be able to boot with an external CD and reinstall PF from an ISO/CD?
I use a Jetway mini-ITX board and I have successfully installed pfSense from USB CD-ROM. But boot from USB CD-ROM is a BIOS function.
- Excellent! I was pretty sure that it would work but even if it is a stupid question, it is better to ask it somewhere and have a clever answer.
- Is there any other mini-ITX solution other than those listed in the recommended vendors list on the pf site that I should also have a look at and that can meet my needs? (Some people already talked to me about Lanner FW7520 and FabiaTech FX5620 or FX5621)
Search the forums for ITX to see some other mini-ITX boards that have been considered for pfSense use.
- I will, I promise. Thanks again for all your comments and advice.
-
As wallabybob & Cry Havok said this has been discussed at length, here is a good start.
http://forum.pfsense.org/index.php/topic,13098.15.html
And
http://forum.pfsense.org/index.php/topic,11913.0.html
The main thing to look out for on mini-ITX boards is that they usually come with cheap Realtek NICs. Take my advice and spend a little extra and get one with Intel GB NICs; this is the one I've been running for a while now.
http://www.icp-uk.com/index.php?act=viewProd&productId=416
Then if you need extra network connectivity buy a cheap VLAN switch as I have, again covered in the post above.
At the end of the day only you can decide what will meet your needs, no one is going to say "ear mate buy one of these" as all you will do is say Oh that's too expensive, or they don't sell that here in Greece.
Excellent! I will try to investigate further with all your help and advice. I will now be more comfortable with the idea of having a mini-ITX system for PF.
Thanks again!