Hardware purchase advice please
-
That card should be supported by pfSense 2.0.X (built on FreeBSD 8.1), see:
http://www.freebsd.org/cgi/man.cgi?query=re&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&arch=default&format=html
However, most multiport cards like that use an on-board bridge chip that can cause problems. It may not be supported by FreeBSD at all or, more commonly, it may not be properly initialised by your motherboard's BIOS. With PCI-e you would think a bridge chip is unnecessary but that card has something on it under the heatsink.
Perhaps more importantly that seems like an expensive way to get ports. How many ports do you need? What bandwidth between those ports?
It is usually much cheaper to use VLANs and a VLAN capable switch. A Netgear GS108T for example will give you up to 7 additional interfaces but you have to share a single 1Gbps connection between all of them.
Steve
Hi,
There was some uncertainty around Atoms like I said. I was going to go down the route of a normal (non embedded CPU) and buy a cheap'ish intel chip.
I'd like to at least have 4 lan ports as I have a NAS drive and wanted to keep the NAS bandwidth and the internet bandwidth separate.
So I'd plug the NAS directly into a port on the pfsense box.
I have a switch. But I was going to get rid of that to eliminate clutter. I also plan to plug my Asus N16 router (DD-WRT) into the pfsense box for Wifi
and any other small LAN connectivity needs.
For internet bandwidth we're talking 12-15MBs max (my net is 100mb soon to be 120mb).
Another question I have. If I was to also run Usenet through OpenVPN on pfsense, that used threads to connect (bots) and like anything from 20 - 30 (and sometimes more)
of them to gain better connection speeds. Would this affect the throughput capability of an Atom on OpenVPN?
thanks
-
I have a NAS drive and wanted to keep the NAS bandwidth and the internet bandwidth separate.
So I'd plug the NAS directly into a port on the pfsense box.
I'm not entirely sure what you mean by that. Usually your NAS traffic would all be internal and your internet traffic is… not. Does your NAS box host externally accessible services? I agree that connecting your NAS to a separate interface presents some advantages though. You can much better filter traffic to and from it. The same could be said for a wifi access point. That's still only 4 interfaces total though unless you have more than one 'LAN' style subnet. You can never have too many interfaces though. ;)
Is your existing switch VLAN capable?
Your DD-WRT equipped access point is VLAN capable so you could use a separate VLAN interface for wifi which reduces your total by one. You could probably use its internal switch to set separate VLANs on each of its ports but that will get complex quickly. A challenge perhaps!
The question is what bandwidth do you need internally between your NAS and a client on your LAN? If the NAS is on a separate interface then that traffic will be going through pfSense. The Atom can manage ~500Mbps between two interfaces but that is without doing any VPN encrypting at the same time.
I don't think having multiple connections inside the VPN would make much difference. It's the cryptographic function that challenges the Atom.
Steve
-
Hi,
Jetway JNF99-525 Long Life Fanless Dual Core Atom Mini-ITX Board with Dual LAN, 6x SATA and Daughterboard Expansion
Extremely versatile Jetway JNF99-525-LF Dual Core 1.8GHz 64-bit Intel Atom D525 powered Mini-ITX motherboard with Fanless operation, Jetway Daughterboard Expansion, Intel ICH9R Chipset, Integrated Graphics and VIA VT1705 6-Channel Audio Codec. Supports up to 4GB of DDR3 1066/1333MHz SODIMM memory. Ports available include: 2x Intel 82574L 10/100/1000 Base-T Gigabit LAN, 6x SATA 3Gb/s (supporting RAID 0, 1, 5, 10 & JBOD), USB 3.0, PCI and Mini-PCI Express.
4GB DDR3 1333 SODIMM
3x Gigabit LAN Daughterboard Module (Intel 82541PI chipset)
M350 Universal Mini-ITX Enclosure
The M350 Universal Mini-ITX Enclosure measures just 62 x 192 x 210mm (2.5 litres) and is capable of housing both embedded and socket Mini-ITX boards. Fanless operation possible using natural air convection through hundreds of tiny holes for CPUs with TDP < 10W; CPU Fan only operation possible for CPUs with TDP <= 65W.
StarTech 3.5in SATA to CompactFlash SSD Adapter Card.
- For 3.5" SATA Hard Drives
- Able to connect a CompactFlash card through a Serial ATA data port
- Includes a 3.5" bracket
- 1 Year Manufacturer Warranty
Kingston 4GB 40x Compact Flash Card
- 4GB Capacity
- 40x Performance
- Limited Lifetime Manufacturer Warranty
picoPSU-120 12V Plug-in DC-DC ATX PSU
The picoPSU-120 plugs directly into a motherboard ATX connector and measures just 31x45x20mm - about the size of two AA batteries. The picoPSU-120 generates up to 120 Watts of power from a 12V DC supply, at over 96% efficiency. An attached cable harness provides:
- 20pin ATX Connector
- SATA Power Connector
- Molex (ATA) HDD Power
- Molex Floppy Power
Compatibility: The picoPSU-120 can power all our Mini-ITX boards with Geode, C3, C7, Atom and Fusion processors. Additionally most lower power consumption Mini-ITX boards with Intel and AMD processors up to around 65W TDP can be powered. More powerful picoPSUs offer more headroom for additional devices. If you are considering using with a board not on our site, please email us to check compatibility.
Q1: Will a 120 be over kill?
Q2: Did I make any wrong choices that could cause compatibility issues or heat issues?
Thanks
-
I would think the 120W pico-psu will be over kill, I would not expect that box to use more than 30W at any time, mostly a lot less.
Steve
-
Thanks Steve,
I might add in at some point a WiFi card.
Q1: I take it that once the initial set up is done I can make changes such as adding a Wifi card to the box?
Q2: Are there any advantages to doing this at the point of set up?
The plan is to get rid of as much clutter as possible in the way of extra routers and if possible switches.
Also a little head room for a few fans that might be needed if I do run into heat problems for any reason.
And maybe a SSD or HDD add. So I'm thinking about not buying twice later on. So if I have a little extra power
will probably be for the best.
But the power consumption you mentioned… that's very low :)
Is there anything else I've overlooked?
-
You can add a wifi card at any time. I would recommend starting with the simplest system you can. Adding and testing more interfaces or packages in stages will result in fewer problems.
The biggest advantage of an Atom is that its peak power consumption is low. You can get a system that consumes a very small amount of power most of the time, my own Pentium-M setup is <25W, but because at peak load it consumes more you need much better cooling provision. The Atom can be passively cooled relatively easily for this reason.
If you think that 30W is low, check this out: http://ssj3gohan.tweakblogs.net/blog/8217/fluffy2-59-watt-high-end-desktop-computer.html :)
Steve
-
I would think the 120W pico-psu will be over kill, I would not expect that box to use more than 30W at any time, mostly a lot less.
Steve
Steve, I think 120W is not an overkill. That daughterboard with 3 Intel NICs is getting pretty warm.
We had originally set the box up with a 65W pico-psu - it died within 6 months of 24/7 usage. Switched to 120W, feels much better now. (can't state that the first psu died because of overload, it's just a guess, that peaks can occur).
Just look at some specs.
The Intel D 2700 MUD board eats about 35W when the more power-efficient cedar Atom runs at 100%.
Jetway JNF99-525 uses an older and less power efficient CPU, and has lots (literally several times) more features than the former. It's normal that it eats more power…
-
Fair enough. Since you've actually used that board I'll definitely go by your judgement. :)
I don't think they make the 65W model any more, the 80W should be sufficient don't you think?
Steve
-
Yes, I guess.
-
You can add a wifi card at any time. I would recommend starting with the simplest system you can. Adding and testing more interfaces or packages in stages will result in fewer problems.
The biggest advantage of an Atom is that its peak power consumption is low. You can get a system that consumes a very small amount of power most of the time, my own Pentium-M setup is <25W, but because at peak load it consumes more you need much better cooling provision. The Atom can be passively cooled relatively easily for this reason.
If you think that 30W is low, check this out: http://ssj3gohan.tweakblogs.net/blog/8217/fluffy2-59-watt-high-end-desktop-computer.html :)
Steve
Hi Steve,
Thanks for your advice.
I will not be adding the Wifi card right away but I'm curious to which would be the best for general connectivity and range coverage?
I do want the fastest speed possible for wifi.
So I'm looking for the "best" option on what is avail from the shop I will be using below…
Also taking into consideration pfsense support.
Here are what I was looking at. At this store....
http://www.mini-itx.com/store/?c=17
I was considering this since it seems to be the better one....
Intel Ultimate-N 633AN Half-Mini PCIe Wireless Card - up to 450 Mbps
I know you'd need all 3 antennas to achieve this.
Which is where perhaps I'd need to drill a few more holes in the case ;)
Would it be of benefit and most of all is it fully supported by pfsense?
-
Wifi hardware support in pfSense is… limited. ;) Especially under 2.0.X. It's built on FreeBSD 8.1 which was released in July 2010. Anything newer than that is unlikely to be supported. There is no support for 802.11N outside of the specific drivers so although some hardware will work it will only be at 'G' speeds.
There is better support in 2.1 since it's built on FreeBSD 8.3 and some drivers from 9 have been back ported. The best supported cards are those based on Atheros chipsets.
The best source of information is JimP's spreadsheet:
https://spreadsheets.google.com/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en
Steve
-
Wifi hardware support in pfSense is… limited. ;) Especially under 2.0.X. It's built on FreeBSD 8.1 which was released in July 2010. Anything newer than that is unlikely to be supported. There is no support for 802.11N outside of the specific drivers so although some hardware will work it will only be at 'G' speeds.
There is better support in 2.1 since it's built on FreeBSD 8.3 and some drivers from 9 have been back ported. The best supported cards are those based on Atheros chipsets.
The best source of information is JimP's spreadsheet:
http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=983
Steve
Hi,
I don't see any spreadsheet. Am I missing something on the link you provided?
So is there danger of newer cards not being supported at all or just at slower speeds?
-
Nooo, copy and paste fail! :-[
See corrected link above.
There is a danger of no support at all. FreeBSD hardware support lags behind other OSs anyway and pfSense lags that by a bit.
Steve
-
I would strongly advise to use a dedicated, separate AP for wifi. pfSense is not really meant to be a wifi router.
-
OK, I think I will skip it anyhow.
Maybe look at it at a later date.
thanks
-
I would think the 120W pico-psu will be over kill, I would not expect that box to use more than 30W at any time, mostly a lot less.
Steve
I'm using the Jetway NF99FL-525 with 3 Intel NIC Daughterboard, 1 Compex abg WLAN card and 1 CF attached to SATA via SATA2CF converter. With a standard 300 W ATX power supply it's consuming ~33 W - measured with a power meter. With a picoPSU you will probably reduce power consumption below 30 W. That's why I go along with Steve's opinion: 120 W picoPSU will be overkill :) Of course, my 300 W ATX PSU is overkill as well, but it's currently impossible to get a smaller standard ATX PSU.
-
pvoigt - would this be any better for you?
http://www.ebay.co.uk/itm/HIPRO-100W-ATX-PSU-Power-Supply-Unit-HP-A1463F5-/230822905477
-
With the Sata to CF converter. Should I select IDE or SATA mode in BIOS?
Assuming the bios on this motherboard will offer that choice?
-
With the Sata to CF converter. Should I select IDE or SATA mode in BIOS?
Assuming the bios on this motherboard will offer that choice?
Tested so far following CF converters:
http://www.delock.de/produkte/F_283_2-5_91697/merkmale.html?setLanguage=en
http://www.delock.de/produkte/F_283_2-5_91661/merkmale.html?setLanguage=en
Using BIOS IDE mode.
Peter
-
pvoigt - would this be any better for you?
http://www.ebay.co.uk/itm/HIPRO-100W-ATX-PSU-Power-Supply-Unit-HP-A1463F5-/230822905477
You may be right because its power data seems more appropriate. On the other hand I am using a 80+ PSU (Enermax). Only if I can directly compare both PSU I will become more wise :)
I suppose most effective would be using a picoPSU. I once decided to go with the ATX PSU because I wanted to use a standard miniITX case which could be re-used by another machine in the future.
Peter
-
The CF card I have is a 16GB… do I just use the 4GB image with that?
pfSense-2.0.3-RELEASE-4g-i386-nanobsd_vga-20130412-1022.img.gz
Is this the correct image?
This will be going on an Atom 1.8 with VGA output only.
-
This will work without problems. With this image you will have a VGA console. Mostly, a 4 GB CF will be sufficient for the 4 GB image. However, some CF seem to not provide full capacity so e.g. a 4 GB image cannot be successfully written to a 4 GB CF. I've read somewhere in the pfSense forum about it but cannot remember the threads - sorry.
I am mostly using 4 GB CF and write a 2 GB image to it - just to be on the safe side :).
Peter
-
pfSense-2.0.3-RELEASE-4g-i386-nanobsd_vga-20130412-1022.img.gz
With the above image I read about serial port and that I won't see a console?
Will I deffo get a cmd prompt with the above image?
And will the CF boot up once I install the image to it using Manuel Kasper's physdiskwrite?
thanks
-
Well, the above image will provide a vga console. If you want a serial console only, you should use
pfSense-2.0.3-RELEASE-4g-i386-nanobsd-20130412-1022.img.gz - without "vga" in its name. A "cmd prompt" will be provided by both images.
I had issues using physdiskwrite and was more successful with "win32diskimager". I used version 0.6 a while ago. Latest version is 0.7:
http://sourceforge.net/projects/win32diskimager/. Alternatively, you can use "dd" under Linux (or Unix).
EDIT: We are slowly driving off-topic. If you are still having general installation questions I propose to open a new thread in the corresponding pfSense forum :).
-
So if I have a CMD prompt which I've seen where you pick WAN, LAN etc.
What is the difference between VGA and non-VGA versions specifically?
I thought CMD prompt was what VGA was?
-
A command prompt is simply a text prompt where you can enter a command. It appears on the console. The console can be accessed either by keyboard and monitor (VGA) or via a serial connection.
If you want to use a keyboard and monitor directly on the pfSense box use a nanobsd_vga image.
@http://www.pfsense.org/index.php?option=com_content&task=view&id=43&Itemid=44:
Embedded (NanoBSD)
The embedded version is specifically tailored for use with any hardware using Compact Flash rather than a hard drive. CF cards can only handle a limited number of writes, so the embedded version runs read only from CF, with read/write file systems as RAM disks. The NanoBSD platform has two OS slices and a config slice. One OS slice is used to boot from, the other is used for upgrades, and the config slice is where the configuration is held separately.
There are two variations of the NanoBSD platform: The default version which uses a serial console, and another that supports using a VGA console. Each of those variations also comes sized for different sizes of CF cards.
The filename for NanoBSD downloads is laid out as follows: pfSense-2.0.3-RELEASE-size-arch-nanobsd.img.gz. In that filename, size can be one of 512mb, 1g, 2g, or 4g. The arch, as above, is for i386 or amd64. The nanobsd part is either nanobsd for serial console, or nanobsd_vga for the VGA-enabled version.
Steve
-
So if I have a CMD prompt which I've seen where you pick WAN, LAN etc.
What is the difference between VGA and non-VGA versions specifically?
I thought CMD prompt was what VGA was?
The VGA images are useful only for boards with a vga adapter. There are boards like most boards of the Alix series from PC Engines which do not have a VGA adapter. You cannot use them with a VGA image. You need the non-VGA images instead and you get your console via serial line.
Peter
-
ok cool. so with the jetway board I have would you say I have the correct image?
Sounds like it to me.
-
Yes. I'm using a VGA image for my Jetway NF99FL-525 as well. However, I've decided to go with the corresponding AMD64 2G image:
pfSense-2.0.3-RELEASE-2g-amd64-nanobsd_vga.img.gz.
Peter
-
Are you able to run 64-bit pfSense on Jetway NF99FL-525? On the 525 Atom CPU? I wasn't aware it's 64-bit capable.
-
ok cool. so with the jetway board I have would you say I have the correct image?
Sounds like it to me.
Yes. I'm using a VGA image for my Jetway NF99FL-525 as well. However, I've decided to go with the corresponding AMD64 2G image:
pfSense-2.0.3-RELEASE-2g-amd64-nanobsd_vga.img.gz.
Peter
Is there a reason you went 64bit and are there any advantages?
Thanks
-
I'd be interested to hear your reasoning too because my advice would be to always use the 32bit image unless you really need 64bit. You can use more than 4GB of RAM but the Atom can't so no advantage there. There may be some performance advantage for specific tasks but it's so negligible you'd need some careful testing to see it. Mostly the 32bit image is better tested, especially on an Atom.
Steve
-
I've once had two reasons:
1.) My system has 4 GiB RAM.
2.) I wanted to test the AMD64 version.
The AMD64 image runs very stable over months without any problems. It has turned out, however, that my pfSense installation never uses >= 3.3 GiB. That's why I could have gone with the 32 bit image without any disadvantages :).
Peter
EDIT: Do you think there are significantly more i386 installations than AMD64? If so, I agree with you that the feedback from those users may make pfSense i386 more stable. Furthermore, many older Atoms were 32bit systems. Do you know about other reasons why the i386 image may be more stable?
-
The last time the question was asked I believe the figures showed more 32bit installs by some way. I imagine that more and more people are using 64bit though. I can't find it now. :-
Of course the more people who use 64bit the quicker any bugs will be found and squashed. ;)
I don't know what the figures are for FreeBSD, would be interesting to find out.
Steve
-
At least for a few years, there will probably be more i386 installs. I'm not sure if we have a way to track that accurately though.
The reason i386 is still more common is because of embedded devices, i.e. ALIX and its cousins, and re-purposed old machines that aren't 64-bit.
As the hardware in that area catches up and becomes 64-bit capable, only then would I expect it to be more common.
That said, it is definitely picking up from what I've seen with customers. New server-grade hardware and VMs are almost always using amd64 now.
-
Got it all up and running…
Well almost...
I've got WAN and LAN working.
But when I set up opt1, opt2, opt3.
They don't seem to do anything.
I can't pull up the web panel.
Do I need to set a firewall rule?
I did the set up via the CMD setup
-
Do I need to set a firewall rule?
Yes.
By default only the LAN interface has rules in place to allow access to anything. You will have to add appropriate rules to the additional interfaces.
Steve
-
Another reason for i386 images is that not all motherboards are capable of housing over 4GB of RAM. Typical installs of 4GB is way more than sufficient for pfSense and some resource hungry packages.
When I first started using pfSense, Snort was the killer and would hog up almost 80% of the 4GB RAM. The package now has gone through several cycles of fine tuning and refinements. It barely takes 20% of my 4GB RAM. With Snort, Squid, Dans, pfBlocker and OpenVPN all combined my RAM usage hovers around 35% and steadily increases by 2% everyday. pfSense reloads the cache after some days and memory usage drops down. So not even 2GB of RAM is being used.
Hats off to the developers who have made such a fine UTM product.
-
All I want to do is set up each LAN port like any other simple setup for a home network.
So… when I go to Opt1 ENABLE...then set to STATIC, leaving all else default then I come to Static IP address.
Is this not the same as WAN which in my case is 192.168.1.2 ? for all LAN ports?
Or do they have to be set like 192.168.1.2, 192.168.1.3 etc? which does not make sense.
Actually subnet is showing as 192.168.1.0 so maybe that is right?
Then I go to Firewall.. set to..
Pass.
Opt2
ANY
Destination ---> tick NOT then select "Any".
Place a description and SAVE?
Then Services ---> DHCP Server...
Select Opt2.
Port range same as LAN ? 192.168.1.10 - 192.168.1.245
then SAVE?
From the Googling I've done, does this look correct?
thanks
-
Hmm, a few problems there I think. ;)
All I want to do is set up each LAN port like any other simple setup for a home network.
Do you mean like a SOHO router with 4 LAN ports?
So… when I go to Opt1 ENABLE...then set to STATIC, leaving all else default then I come to Static IP address.
Is this not the same as WAN which in my case is 192.168.1.2 ? for all LAN ports?
Or do they have to be set like 192.168.1.2, 192.168.1.3 etc? which does not make sense.
Actually subnet is showing as 192.168.1.0 so maybe that is right?
The usual way this would be set up is that each interface is a separate subnet. So for example you could use:
LAN is 192.168.1.1/24 (the default configuration)
OPT1 is 192.168.2.1/24
OPT2 is 192.168.3.1/24
OPT3 is 192.168.4.1/24
If your WAN interface is using a private IP, like 192.168.1.2 as you say above, then you would have to choose something else because the WAN interface must use a different subnet.
Then I go to Firewall.. set to..
Pass.
Opt2
ANY
Destination ---> tick NOT then select "Any".
Place a description and SAVE?
If you want to allow traffic from devices connected to OPT2 out to the internet or to other interfaces you need a rule more like:
Pass
OPT2
Protocol: any
Source: any
Destination: any
This is a very permissive rule though.
A rule that has destination 'NOT any' will never match traffic. ;)
Then Services ---> DHCP Server...
Select Opt2.
Port range same as LAN ? 192.168.1.10 - 192.168.1.245
then SAVE?
The IP range would be different because OPT2 is not the same subnet as LAN. So for the above example it could be 192.168.3.10 - 192.168.3.254
That would leave 192.168.3.2 - 192.168.3.9 for any static IP assignments you wanted to use.
Steve
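
The addressing advice in the reply above, as an added example that is not part of the original thread: a Python check that every interface sits in its own subnet and that each DHCP pool lies inside its interface's subnet. The `PLAN` dictionary and `check_plan` are hypothetical names, and the /24 prefix on the WAN address is an assumption (the thread gives only 192.168.1.2).

```python
import ipaddress

# Constructed plan using the addresses discussed in the thread.
# Assumption: WAN is a /24; the thread only states the address 192.168.1.2.
PLAN = {
    "WAN":  {"addr": "192.168.1.2/24"},
    "LAN":  {"addr": "192.168.1.1/24", "dhcp": ("192.168.1.10", "192.168.1.245")},
    "OPT1": {"addr": "192.168.2.1/24"},
    "OPT2": {"addr": "192.168.3.1/24", "dhcp": ("192.168.3.10", "192.168.3.254")},
    "OPT3": {"addr": "192.168.4.1/24"},
}


def check_plan(plan):
    """Return a list of problems found in an interface/DHCP plan."""
    problems = []
    ifaces = {n: ipaddress.ip_interface(c["addr"]) for n, c in plan.items()}

    # 1. Each routed interface must be in a subnet of its own, WAN included.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(
                    f"{a} {ifaces[a].network} overlaps {b} {ifaces[b].network}")

    # 2. Each DHCP pool must lie inside its interface's subnet, avoid the
    #    network/broadcast addresses, and not contain the interface address.
    for name, cfg in plan.items():
        if "dhcp" not in cfg:
            continue
        net = ifaces[name].network
        start, end = (ipaddress.ip_address(x) for x in cfg["dhcp"])
        if start > end:
            problems.append(f"{name} DHCP range {start}-{end} is reversed")
            continue
        for ip in (start, end):
            if ip not in net:
                problems.append(f"{name} DHCP address {ip} is outside {net}")
            elif ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name} DHCP address {ip} is not usable in {net}")
        if start <= ifaces[name].ip <= end:
            problems.append(
                f"{name} DHCP range {start}-{end} contains the interface "
                f"address {ifaces[name].ip}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Run against the plan as written, it reports the LAN/WAN clash described in the reply; moving LAN to an unused subnet clears it.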