Ready to run hardware for a complete noob soho-user?
-
G'day all,
I have the habit of writing long stories, but I will try to keep it short ;D
-
EDIT: I'm sorry, I can't seem to get the bullet list correct. They are jumping, this is not meant to be. Every bullet is equal 'value', they are not subordinate *
-
I live in Belgium. I have VDSL (16,5 / 2). My ISP (Belgacom) is making a mess of things; they give you a modem/router (BBOX2), and then they push firmware updates to it that ruin the router function (my LAN is a mess now). Support is absent (and rude), so I've had it with this ISP.
-
In the past I used Draytek. Nice quality, but again: support is absent. So exit Draytek too.
I'd rather go the open source route and donate money to that good cause than pay my money to companies that refuse to offer decent support. And I am a big fan of FreeBSD (fan only, I don't use it currently, I am waiting for PC-BSD 9.1). So, Pfsense.
I lack a certain part in my brain when it comes to building your own equipment, so I would like to buy a ready-to-run hardware appliance. Either new, or second hand.
-
My requirements are not that big: I have only my wife and me, a couple of desktops and laptops, a couple of Synology NAS systems, an AC Ryan media player (to be replaced by something else also, I guess an appliance with XBMC or MediaPortal) that streams video from my Synology NAS, and a Pioneer AV receiver that can do internet radio. My ethernet runs over the power line, because I can't lay down cables everywhere. Currently everything is connected via a gigabit switch that is connected to the ISP-supplied modem/router that I desperately want to get rid of.
-
It is my understanding this modem/router can be set up as a modem only, so Pfsense should do everything else, which would mean issuing the IP addresses in the LAN, and protecting it (IP block lists, perhaps snort and squid also?).
-
Power consumption is a concern (the Draytek, and the current BBOX2, don't use that much power). I would like 'something' that works the same and uses the same power. So not something like a complete PC that uses 300W or something like that.
My questions would be the following:
-
Which ready-to-run appliances are suitable for my goal? Should I buy a specially built new appliance such as those the sponsors on this forum sell? Or can I use something second hand (I've seen some of the threads dealing with 'firebox' and other stuff that you could install Pfsense on?). But I also need something future proof; I don't want to buy or have to upgrade new hardware every two or three years, and it is my understanding that for a router this shouldn't be necessary.
-
I do need wireless N, but I have no clue how that works. Is this something like an 'add on card' you have to install into the appliance? Is this robust?
- On browsing I see that most 'ready to run'-Pfsense appliances are 10/100, but why not 1000? This is the gigabit-age, isn't it?
I would appreciate your help extremely very much; by no means am I an IT-expert, it is just that I've had it with all these companies that try to sell you their stuff to get your money, and then don't have the decency to provide proper support (for starters, reply to an email in the first place :'().
I hope the above is short enough ;D
Thank you very much for any help :)
Bye,
-
I think you will have to define exactly how much building you're prepared to do. You pay quite a premium for a complete ready to go box with pfSense installed but you get guaranteed working hardware 100% and you are helping the project by supporting their biggest contributors.
In terms of which box you might need, again you'll need to narrow down your requirements. Even the lowliest Alix box will easily handle a 16/2 WAN connection, but if you want to run Squid and/or Snort you increase the requirements considerably. Further, if you have multiple internal subnets and you need to move data between them, from your NAS to a client say, that could potentially be at Gigabit speeds, which requires some pretty serious CPU power.
pfSense does not, currently, support any 802.11N hardware natively so if you need it you should use a separate access point. This has the advantage that you can position it for better coverage.
The reason that you see many boxes with 10/100 NICs is that Gigabit (especially good quality NICs) adds to the cost, which can already be high, and is often not necessary when WAN speeds are still relatively low.
I am personally using various re-purposed fireboxes but none of them are really perfect and all require some tweaking of a fairly technical type. Actually the XTM5 and X-Peak boxes pretty much just work but are both expensive and rare. If you did go this route I'm sure you'd find the support you need here.
Most importantly, I seem to remember reading recently that Belgacom had some special requirement on their connection which might prove difficult. If you are still going to be using them as an ISP I think you need to research this before spending anything. :)
Steve
Edit: Yes, here is the thread I mentioned: http://forum.pfsense.org/index.php/topic,55402.0.html
Re-reading it I see it was inconclusive. There did not seem to be evidence either way. It's still worth looking into.
Thank you extremely very much, Stephen; I am in your debt already :P
I will digest the information you gave tomorrow; currently I am fighting with one of my Synology servers, which seems to no longer like me and refuses to let me in ( :-[).
As to your remark about the sponsors and supporting this project: I do intend to donate to this project directly, anyway. I am a donor to the FreeBSD Foundation also, I've donated to the late DesktopBSD (which unfortunately died due to Peter pursuing other interests), and I intend to donate to PC-BSD as well if 9.1 appears to be the solution I am looking for (I hate W7, and I can't afford Apple ;D). So, my objectives are not about getting things for free (there's no such thing as a free lunch in life, my grandpa told me ;D), my objectives are about getting good quality, and decent support. I've looked at the price of commercial support for Pfsense, and that really appears to be aimed at really commercial users, as these are prices I can't pay. But, in the end, I refuse to supply vendors with my hard earned money if they appear to be nothing but 'cheap' 'rats', trying to get your money and then not even living up to their moral responsibility to fix the bugs in the product they've sold me ( >:( :-[ :-X).
Anyway, thanks again very much, Stephen: I'm in your debt already, and I will process your information tomorrow, after I have conquered the Synology which obviously wants to start a fight with me ;D
Thanks & Bye,
-
Unless I missed something, ALIX should be a good solution for you. I went with regular PC hardware as I wanted my box to scale close to 1 Gbps speeds (I now have 100/10 fiber), but ALIX should be good for anything under 100/100.
Obviously as Steve mentioned, ALIX won't run Squid and/or Snort too well, but for just the basic pfSense installation with light packages running it's enough.
EDIT: Gigabit speeds not only require decent NICs (Intel, Broadcom or other quality NICs), they also require a lot of CPU power with pfSense. This is why you don't see low-power appliances like ALIX with Gigabit NICs.
And again like Steve said, you should go for a WLAN AP if you want Wireless N support. And in a home environment you most likely don't need special access rights, filtering or other tweaks for WLAN vs wired, so you don't even need to put them in different subnets or anything unless you really want or need to. I'm actually using my old Wireless N router/firewall as just a router for my home network, with NAT, DHCP and everything else I don't need disabled, to serve my wired and wireless devices.
-
Thanks for your comments ;D
On another note, what do you all think of this:
http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/15351-15351-4237916-4237918-4237917-4248009.html?dnr=1
Recommended to me by some 'IT guru' (who also sells this stuff) as being 'perhaps already overkill for something as light as pfsense/snort/ip-block/squirt'. I am not sure if I believe that, though, given the comments on this forum about performance.
-
There have been several threads about these boxes. Here's one recently:
http://forum.pfsense.org/index.php/topic,50904.0.html
These are brilliant little servers for home use or quiet enough to have under your desk at work. They work great with ESXi. A friend of mine has one and I have a VM pfSense instance on it that I use for OpenVPN testing. It works very well as long as none of the other VMs on it are doing much.
But… the CPU in these boxes is nothing special: AMD Turion II Neo N40L (1.5GHz). That score puts it comfortably ahead of the fastest Atom. I would guess that the best throughput under pfSense will be up towards 1Gbps but probably not quite there. That's a guess mind you! ::)
Steve
-
The HP microserver, while it's a great box for many things, I don't think it's that great for pfSense. You can get a much smaller box for pfSense with more power. I would much rather have a mini-ITX or smaller (like Alix) box for pfSense. My current build has an Intel G630T CPU in an Antec ISK110 case.
-
Personally I'd go with a second hand notebook. Oh wait, in fact that's what I did.
You might even have a relative, colleague, or friend that wants to get rid of one. Again, in fact that's what I did. A colleague gave me a couple of old notebooks (2003 vintage DELL Inspiron 5100). They make good pfSense machines.
Just add an external access point for the WiFi N.
That's my home setup. Works well and I like it.
-
You wrote it funny ;D
But then I have to add network cards. And I am not that technical on hardware, especially with the OEM notebooks I expect this to be a problem(?)
-
Thanks, by now I've indeed ditched the HP from my list. I will need to find out what exact hardware to buy, but, again, I am a noob on hardware (and actually wish to remain that way; hardware doesn't interest me at all ;D).
-
No additional network cards required.
VLAN the WAN interface. You mentioned that you already have a gigabit switch. If it's a smart switch or better then it should support VLANs. So it goes something like this.
ISP modem connected to switch port 1
pfSense machine connected to switch port 2
switch port 1 PVID 98 & untagged member of vlan 98
switch port 2 PVID 1 & tagged member of vlan 98
switch port 2 and remaining ports PVID 1 & untagged members of vlan 1 (typically the default/admin vlan)
create pfSense VLAN 98 on the physical network device
assign pfSense WAN to vlan 98 network device
assign pfSense LAN to the physical network device
WiFi N Access Point connected to switch port 3
Remaining LAN devices connect to remaining switch ports.
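As an added check (my own script, not from the post and not a pfSense or switch tool), this Python models the switch port plan above and verifies that VLAN 98 stays confined to the modem port and the pfSense trunk port, i.e. that nothing on the LAN side ever sees the raw ISP segment. The 8-port switch size, the port numbers and the audit function names are assumptions.

```python
from dataclasses import dataclass, field

# VLAN numbers from the post: 98 carries the ISP/WAN side, 1 is the default LAN VLAN.
WAN_VLAN = 98
LAN_VLAN = 1


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port sends out untagged
    tagged: set = field(default_factory=set)    # VLANs this port sends out 802.1Q-tagged

    def members(self):
        return self.untagged | self.tagged


def plan_from_post(num_ports=8):
    """The switch layout from the post; an 8-port switch is an assumption."""
    ports = {
        1: Port(pvid=WAN_VLAN, untagged={WAN_VLAN}),                     # ISP modem
        2: Port(pvid=LAN_VLAN, untagged={LAN_VLAN}, tagged={WAN_VLAN}),  # pfSense: LAN untagged, WAN tagged
    }
    for p in range(3, num_ports + 1):                                    # AP on port 3, LAN devices on the rest
        ports[p] = Port(pvid=LAN_VLAN, untagged={LAN_VLAN})
    return ports


def reachable(ports, ingress, vid=None):
    """Egress ports for a frame entering `ingress`; vid=None means it arrived untagged.

    Untagged frames take the ingress port's PVID.  Tagged frames are accepted only
    if the ingress port is a member of that VLAN (ingress filtering), else dropped.
    Worst case (unknown destination MAC) the frame floods to every other member port."""
    if vid is None:
        vid = ports[ingress].pvid
    elif vid not in ports[ingress].members():
        return set()
    return {p for p, cfg in ports.items() if p != ingress and vid in cfg.members()}


def audit(ports, modem_port=1, fw_port=2):
    """Return a list of isolation problems; an empty list means the WAN VLAN is
    confined to the modem port and the pfSense trunk port."""
    problems = []
    wan_members = {p for p, cfg in ports.items() if WAN_VLAN in cfg.members()}
    leaks = sorted(wan_members - {modem_port, fw_port})
    if leaks:
        problems.append(f"VLAN {WAN_VLAN} is also configured on LAN port(s) {leaks}")
    if ports[modem_port].pvid != WAN_VLAN:
        problems.append(f"modem port {modem_port} PVID must be {WAN_VLAN}")
    if LAN_VLAN in ports[modem_port].members():
        problems.append(f"modem port {modem_port} must not be in LAN VLAN {LAN_VLAN}")
    if WAN_VLAN not in ports[fw_port].tagged:
        problems.append(f"pfSense port {fw_port} must carry VLAN {WAN_VLAN} tagged")
    # Where an untagged frame from the modem (e.g. the ISP's DHCP traffic) actually lands.
    stray = sorted(reachable(ports, modem_port) - {fw_port})
    if stray:
        problems.append(f"frames from the modem reach LAN port(s) {stray}")
    return problems
```

Running `audit(plan_from_post())` returns an empty list; adding VLAN 98 to any LAN port (the classic mistake when a switch defaults new ports into every VLAN) makes it report both the membership leak and the ports modem frames would flood to.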
-
I do realize only now that I didn't say 'thank you' for your post :-\ My apologies, sorry :(
I will need to study hard to understand what you wrote (I am not that technical and am still searching for a good book on networking, aimed at the absolute noob :P).
For the last couple of months, I have been trying to get stuff to work. The GREAT Stephenw10 has been helping me all this time, since it was rather a disaster to get things working with my ISP-provided VDSL modem/router/all-in-one. Finally we had it working yesterday, and this morning the box (a very old P4) died ::)
So I am now looking at the hardware. Stephen again has helped me here also, so most of it I think I know what to buy. Only one part is missing: the harddisk.
So far what I have is:
mobo: DQ77KB Intel Mini-ITX dual Intel LAN
http://www.mini-box.com/Intel-DN2800MT-Mini-ITX-Motherboard
http://www.newegg.com/Product/Product.aspx?Item=N82E16813121622
CPU: Intel Celeron G1610 (apparently the successor of the G530).
http://www.newegg.com/Product/Product.aspx?Item=N82E16819116889&Tpk=G1610
Case: Cooler Master Elite 120 Advanced
http://www.newegg.com/Product/Product.aspx?Item=N82E16811119261
RAM: some 8GB in one of the two available slots
Power: integrated on the mobo, this cable to connect it to my APC UPS:
http://www.mini-box.com/19v-8-4A-160-Watt-AC-DC-Power-Adapter
So I think that all that is remaining is the hard disk, and here I run into a ???
Because I cannot seem to find any information about how big the hard disk needs to be. Yes, I've found 'minimum 1GB', but what if I want to use snort, squid, RRD and such?
Would anybody be able to give some information on this? Do I need to buy a 64GB SSD for it ( ???) or are there better alternatives I could do?
Thank you very much for any help - after months, I am almost there ;D
Bye,
-
In the OP you didn't seem to want to build something but now that you do, here is a complete build I did. It includes shopping list to build an 18 watt router with ~250+ Mbps throughput, using an Intel Atom as base. here
The build and shopping list starts 2 posts below the link I referenced in this reply. I started you at that post because it shows some pics of where I put some extra heatsinks.
This has been a rock solid and completely reliable build for me.
-
Thank you very much for your reply :P
( ;D)
I decided to order some stuff, and it basically is the Intel mobo and G1610 I mentioned in the above. Actually, I picked it up in the store today, 2 hours ago. Only the power cord for this specific mobo is still missing, the store didn't have it. But it is on backorder now. Perhaps what I bought might turn out to be a little bit 'overweight' right now, but, as I explained before, I buy stuff to use it for 10 years, and I hope with this stuff I can comfort myself for the next 10 years.
So now I am waiting for the power cable, and then I can join the happy family of proud PFsense-users ;D
Thanks again for your reply,
Bye,
-
You could get away with a LOT less RAM. I have 4GB for two LAN and WANs (50/8 each) and barely fill 17%. You could even cache the entire pfSense OS into RAM and you'd still have plenty of room. But, RAM is cheap so it's only a few bucks difference.
-
… VLAN the WAN interface...
Sorry to hijack, but I'm curious on how safe a thing that is? My ISP is Verizon FIOS. So the Layer 2 frames and MAC address will be visible to them only and I'm sure they won't launch a L2 attack against me, their paying customer. Beyond the VZ network, no-one can see my L2 MAC, so I'm thinking it's relatively safe, right?
-
I am a very happy man ;D
I finally, after months of problems, am running Pfsense flawlessly for one week now.
None of these problems were related to Pfsense (well, one, it turned out, was, but that should be solved in the 2.0.3 that was released yesterday).
All the major problems, and all the headaches and the hours of googling, reading, turned out to be related to my ISP and to my old crappy hardware that was too old, and too crappy (it died in the process of testing Pfsense. But it was old: a P4-2.4, I think I bought it in 2000 or so).
In short, my setup is:
- Mobo: Intel DQ77KB Intel Mini-ITX (dual NIC)
- CPU: Intel Celeron G1610
- HDD: WD Scorpio Black 500GB
- RAM: 8GB Corsair 'very long product number' (4GB used, since on X32, not X64).
- ISP: Belgacom (Belgium national ISP) VDSL
- Case: can't remember, but big and ugly for a mini-ITX (but an A-brand and the cheapest. Smaller was more expensive, and since it is stashed away in my computer room anyway, I didn't want to spend the extra money. I spent that on a donation to Pfsense ;D).
Packages installed: Snort, Pfblocker, Squid, Squidguard, Ntop. CPU 18%, memory 40%.
The setup is:
Belgacom (ISP) modem-router (does the dial up) -> Pfsense WAN (DHCP from Belgacom) -> PFS - LAN (different subnet, does DHCP to the LAN) -> HP Switch -> LAN-'puters.
(The reason the ISP-modem still does the dial up is that I couldn't get this to work from within PFS. Thanks to an extremely kind member of this board (who refuses consistently to let me buy him a cup of coffee :-[) I got it working anyway. This dial up problem should be fixed in 2.0.3, so I will test this when I have the nerves to do so ;D).
My experience for one week:
- Exactly 0 point 0-0-0-0-0-0-0-0-0-0 (enough zeros to make my point ? ;D) hickups from PFS.
- No slowdown whatsoever on my VDSL. Speed the same as with my switch being plugged in directly into the ISP-modem-router (tested with speedtest.net).
So, I am one very happy 'free man' now: no more retail plastic junk, and I would like to thank all of you who helped me, especially Mr. Very Special who refuses to let me buy him a cup of coffee for all his advice ( ;D). Of course I just donated to express my thanks to all the great people from Pfsense and FreeBSD who are making this possible for us. Thank you, peoples, you are extremely appreciated :-*
Bye,
-
Any particular reason why you stayed with the 32-bit version over the 64-bit version? You probably won't need it, but having access to that additional 4GB of RAM you have installed would be nice. :)
-
Thank you for your reply :)
No, not at all; not at all.
This 'historically' grew like this. I started at X64, then had loads of problems (described at a high level in the above), and then decided, in order to eliminate possible causes, to start at X32 (perceived by me, probably rubbish due to my noob-ness, as 'more safe'). So I built on that, and arrived at the final: after 1 week of smooth running, I will probably enjoy it for a couple of weeks to recoup from the 'horrors' (well, the frustration was really severe) of the past couple of months. After that, I will do a reinstall of X64 2.0.3. I have no reason whatsoever to think that that will turn into a nightmare, now that I have new hardware and at the same time know how to deal with my ISP.
Thanks again for your reply,
Bye,