Installing pfSense on brand new hardware – no drivers?
-
Hmmm… I found that I might be able to get the GA-H77N-WIFI motherboard... which would allow me to avoid the hassle of returning the CPU (the part I fear most about returning this hardware) -- it has dual Realtek GigE ethernet.
My only concerns with this would be whether the chipset is supported, and also I've heard some people pan Realtek around here -- I know they're not Intel, but are they really that bad?
-
GA-H77N-WIFI will work with 2.1 but I think the wifi will not. That board has been tried out here before. I spent some time in a thread with a different guy with that board. All running except the wifi if I remember correctly.
-
Running Nano on that SSD it should last forever.
That switch seems expensive compared with, say, this: http://www.newegg.com/Product/Product.aspx?Item=N82E16833122397 which would also do the job. That Netgear might be more difficult to setup though, it requires a Windows only setup program. This one doesn't though and many people are using it: http://www.newegg.com/Product/Product.aspx?Item=N82E16833122381
However if that's available today and others aren't it should be fine.
Steve
-
I got the distinct impression that speed of purchase and functionality mattered more than cost to this guy. Thats why I didn't get into the price bit. I don't know though. The TL-SG3210 is advertising alot of function for a sorta not too high price. I'm interested to see how he rates it if he gets it.
-
Hmmm… I found that I might be able to get the GA-H77N-WIFI motherboard... which would allow me to avoid the hassle of returning the CPU (the part I fear most about returning this hardware) -- it has dual Realtek GigE ethernet.
My only concerns with this would be whether the chipset is supported, and also I've heard some people pan Realtek around here -- I know they're not Intel, but are they really that bad?
that board will work. no clue about the wifi, I've always ignored pfsense's wifi capabilities.
Realtek NICs are bad in the sense that you're unlikely to get the "full" throughput available to you from the GigE spec and tend to have higher CPU utilization vs Intel NICs. -
Holly crap its almost as if I already just said that… Good god.
-
Thanks for the feedback everyone! I will be taking the hardware back to Microcenter tonight; they have the switch in stock so it shouldn't be too painful to do an exchange – it looks like their return policy is fairly liberal and the only note about CPUs is that they have a shorter return period.
As much as I want to build a new box (I enjoy putting together new computers, and haven't done so in a while), the significant cost savings of slapping in a managed switch vs. building a whole new box can't be overlooked. There's also the time savings (more critical at this point) of being able to drop in something that's almost guaranteed to work and doing a little configuration vs. building another box, setting up pfSense, copying the configuration over, and tweaking/tuning until things work right.
One side note: I assume throughput in this setup is (theoretically) restricted, since both WAN and LAN traffic share the same port on the pfSense box? 99.999% of the time this won't be a problem since the WAN is only 50mbit (100mbit if we upgrade our connection), but just want to make sure I understand the limitations.
-
Correct, all the traffic has to share the one NIC. However most of the time that isn't an issue since if you are downloading a large file, for example, that traffic comes in via the WAN and goes out via the LAN. The NIC should be capable of 1Gbps full duplex, in and out simultaneously. You do have some return traffic but at a much lower level. This will never be an issue for you since an Atom can't get close to saturating a Gigabit link anyway.
Steve
-
Correct, all the traffic has to share the one NIC. However most of the time that isn't an issue since if you are downloading a large file, for example, that traffic comes in via the WAN and goes out via the LAN. The NIC should be capable of 1Gbps full duplex, in and out simultaneously. You do have some return traffic but at a much lower level. This will never be an issue for you since an Atom can't get close to saturating a Gigabit link anyway.
Steve
Hah, good to know >_<
What sort of max throughput should I expect from the Atom (D525)? If it can keep an upgraded 100mbit WAN link saturated, or nearly so, I'll be happy for a year or two more :)
-
~550Mbps. It can vary depending on your NIC. Packages slow that down of course.
Steve
-
The only package I have installed is File Manager, so that shouldn't significantly affect throughput, right? I assume the packages that have a higher impact on throughput would be ones that interactively manage traffic e.g. Squid?
550Mbps should be fine for my needs for the next 2-3 years… and by that time there will be better, cheaper solutions that I can build when I have time to research the hardware (and subsequently employ hardware that can handle my throughput needs).
EDIT: Apologies, my system actually seems to have a D425, not a D525. Does this significantly impact my throughput, or am I still safely above the 400mbit mark?
-
Ok, you really need to do better research before buying…
After doing some brief research on hardware while I was at work today, I settled on the Gigabyte GA-Z87N-WIFI
Staring intently at the motherboard, I found the Atheros chip, marked "8161-8L3A" – this seems to indicate the AR8161 chipset. I have also found what I believe to be the Intel chip, marked "WG1217V" -- a Google reveals many non-English pages that have just enough Latin characters to suggest that this is indeed the Intel ethernet chipset. Is there any way to get drivers for this beast, or should I just accept defeat, pack everything back up, and get a "canned" router?All Haswell boards with intel nics come with i21x, this is still not supported in 2.1.
Ivy/Sandy bridge boards with intel will have either 82574L, 82579V and/or 82579LM which will work.The atheros is not supported. When people say "buy atheros" they are talking about WLAN, and it really only applies to old PCI chipsets. Until 2.1 zero pci express (aka minicard) were supported, and even now my 9280 which is the first (oldest) one they made isn't quite right still. N isn't supported either, don't even think about AC.
To be perfectly honest, pfsense sucks at wifi because the drivers are way too old and freebsd isn't the greatest at wifi to begin with. Get a nice and/or cheap standalone access point (aka consumer router flashed with better firmware from your choice of _wrt distros) and hang it off another interface.
Hmmm… I found that I might be able to get the GA-H77N-WIFI motherboard... which would allow me to avoid the hassle of returning the CPU (the part I fear most about returning this hardware) -- it has dual Realtek GigE ethernet.
My only concerns with this would be whether the chipset is supported, and also I've heard some people pan Realtek around here -- I know they're not Intel, but are they really that bad?
That is a different socket (1155 sandy/ivy vs 1150 haswell), you will need a different CPU. Realtek does suck, and that board might even have the E/F/G or whatever revision isn't supported in 2.1 yet anyways.
Pretty much all your problems would be solved with a cheap 1155 board (like one of those $50 microcenter itx), the $35 celeron and a dual/quad intel nic off fleabay and some $20 router. Don't try to get it all onboard, it doesn't exist.
Don't put trust a single port w/ vlan switch to keep your internet and lan apart.
-
EDIT: Apologies, my system actually seems to have a D425, not a D525. Does this significantly impact my throughput, or am I still safely above the 400mbit mark?
I think the D425 is just a single-core version of the D525. Since pf doesn't support multiple cores, I doubt it would make a measurable difference.
-
Don't put trust a single port w/ vlan switch to keep your internet and lan apart.
Care to elaborate? As long as the switch properly handles VLANs (as opposed to just passing through tagged frames), I don't see how this is any cause for concern!?
-
Ok, you really need to do better research before buying…
Pretty much all your problems would be solved with a cheap 1155 board (like one of those $50 microcenter itx), the $35 celeron and a dual/quad intel nic off fleabay and some $20 router. Don't try to get it all onboard, it doesn't exist.
Except time is of the essence for this – I had a few hours to do my research, and ordering a NIC off eBay is right out (getting any of those overnighted costs a ridiculous amount on top of the price of the card itself). Fortunately I managed to fudge a script that auto-cycles the interface when it detects the IP drop, so I have a little bit of breathing room (VoIP calls cut out for a few seconds, but don't drop entirely). I was trying to get it all onboard because I was building it with off-the-shelf parts I could drive down to the store and pick up.
To be perfectly honest, pfsense sucks at wifi because the drivers are way too old and freebsd isn't the greatest at wifi to begin with. Get a nice and/or cheap standalone access point (aka consumer router flashed with better firmware from your choice of _wrt distros) and hang it off another interface.
The problem with hanging an access point off it is that I would then lose my guest network (unless I hang two off there, maybe?). That's really something I'd rather not lose. pfSense has been doing quite well with wifi on my current Atom box using an Atheros wifi card. Sure it's not blazing fast, but the most demanding thing we do on any of our wireless devices is watch YouTube videos, and we spend most of our time on the wired systems anyways.
-
The problem with hanging an access point off it is that I would then lose my guest network (unless I hang two off there, maybe?). That's really something I'd rather not lose. pfSense has been doing quite well with wifi on my current Atom box using an Atheros wifi card. Sure it's not blazing fast, but the most demanding thing we do on any of our wireless devices is watch YouTube videos, and we spend most of our time on the wired systems anyways.
If you get an access point that supports a guest network (or, more generally, multiple SSIDs), chances are this is exposed as a separate VLAN, which pfSense can easily deal with. Point in case, I have an Airport Extreme attached to my pfSense box, and the built-in guest network feature works just fine once you figure out what VLAN tag it uses.
-
The single core CPU will be slower. Although the pf process is single threaded the other processes can be run by the second core. You'll still be far faster than 100Mbps.
I would have no worries relying on VLANs to separate wan from lan, at least not with a half reliable switch.
Steve
-
I like that little router… I think that plus the switch will be excellent. Better than average.
-
I think when he gets the switch, he should:
Take 1 of the ports on either the far left or right and make it the WAN by making that port untagged vlan10 (for instance) but also include tagged vlan10 in that port. Then label the port with a sticky as WAN. (Don't include vpid1 here)
Then take port right next to it and make it a trunk vlan tagged to include vlans 10 and 20 (but not vpid1) and plug that into pfsense.
Put a sticky label on that as pfsense connection.Then make several ports right next to that as vlan untagged vlan20 to act as LAN ports and do include tagged vlan20 + vpid1
And label l those all as LAN.Maybe leave a couple ports at the other end of the switch to later use as vlans 30 and 40 for guest networks or whatever.
Label them.Then go into pfsense and set up those vlans and firewall rules.
What do you think? Further suggestions stephenw10? Anyone? I don't think OP has done this before.
-
What is "vpid1"? Is this referring to the management VLAN?
This is what I would do on something like a Dell PowerConnect 28xx:
- create VLAN "WAN" with VLAN ID 10
- create VLAN "LAN" with VLAN ID 20
WAN port:
- make member of VLAN "WAN" only, in untagged mode
- set PVID (the default VLAN that incoming untagged frames on a given port get assigned to) to 10
- set ingress filter to allow untagged frames only
LAN ports:
- make member of VLAN "LAN" only, in untagged mode
- set PVID to 20
- set ingress filter to allow untagged frames only
pfSense port:
- make member of both VLANs, both in tagged mode (plus possibly whatever VLAN the switch has its management interface on)
- PVID doesn't matter (unless the management VLAN has to be untagged)
- set ingress filter to allow tagged frames only (unless the management VLAN has to be untagged)
So I guess the main difference is that I see no reason to allow incoming tagged frames on any of the non-trunk ports, and I wouldn't allow LAN ports to access any other VLANs (directly, that is – they could of course still do so through the pfSense box if the firewall rules permit).
