Considering trying out pfsense
-
Hello there..
I'm new to all this, but I'm always curious to try out stuff..
I'm currently renting a house with my brother, and within a month or so, we're going from 15/5 connection, to 100/100 (for a lower price at that)
And I was thinking perhaps it would be cool to try out pfsense, now that we'll be getting quite a lot higher internet connection.
I've never used pfsense before, so I don't know what it can really do, but that's what I kinda want to find out :)
I do have some old computer parts laying around.
Option 1:
Intel Core 2 Quad Q9300 @ 2.50 GHz
4 GB of memory (4x1GB sticks. 2 different brands)
Asus P5Q Deluxe
That board only has SATA 2
Does Dual Gigabit ports. (Marvell 88E8056/88E8001 Gigabit LAN controllers.)
Option 2:
Intel Core i7-920 Quad Core w/HT @ 2.66GHz
6 GB of Corsair XMS3 DDR3
Gigabyte GA-EX58-UD3R
This board is also only SATA 2
Only has 1 Gigabit port.
I can buy second hand IBM Intel Pro/1000 PT Dual Port, or equivalent for about 30-40 USD.
I could always get HyperX Fury SSD 120GB for 60 USD, mind it would only run at around half the speed.
Is this something you guys would recommend using as a first time build, or should I actually spend some money buying a newer system?
-
Option 1 is more than enough:
- "21-100 Mbps We recommend a modern 1.0 GHz Intel or AMD CPU."
- "101-500 Mbps No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters."
https://www.pfsense.org/hardware/
-
I guess I could try build the Option 1 up, and see if it still works. I don't see why it shouldn't, but we never know..
But should I buy a new NIC, or could I test pfsense out with the Marvell NIC first, just to see how it will go?
We don't really have much stuff going thru the router at any given time. 2-3 computers at times, and obviously phones/tablets over wifi access point.
-
Try your current HW first, I think Marvell 88E8056/88E8001 should work with pfSense 2.2.X.
https://www.freebsd.org/releases/10.1R/hardware.html
-
I would also try out at first the existing hardware, but if this will be then not really nice working,
it might be better in my eyes to buy something strong enough but more power saving and smaller.
I can buy second hand IBM Intel Pro/1000 PT Dual Port, or equivalent for about 30-40 USD.
I could always get HyperX Fury SSD 120GB for 60 USD, mind it would only run at around half the speed.
So you will spend something around ~$100, please have a look at this PC Engines APU1D4 bundle
that might be enough for running pfSense as a pure firewall. I don't know where you are living and so;
Is this something you guys would recommend using as a first time build, or should I actually spend some money buying a newer system?
It all depends on what you want to build, run and install on top of the pure firewall function.
Let us imagine you want to be turning the pfSense firewall into a full UTM device, the made suggestion
above would not match that case! (UTM = Squid & SquidGuard, SARG, Snort, ClamAV and pfBlocker-NG)
Small:
- Jetway Intel Atom D525 ~$200
- PC Engines APU1D4 ~$250
- PC Engines APU2D4 ~$300 (upcoming)
Mid ranged:
- Jetway N2930 ~$300 (barebone)
- Intel Atom C2358, C2558, C2758 ~$300 - ~$800
The older parts can be used to play around with many other systems in a VM or to test newer
pfSense versions. If you will self assembling the parts together you could get the APU1D4 for;
- board $165
- case $15
- PSU $15
- mSATA $35
- WiFi $40 (if needed)
- Null modem cable (Serial> USB) $10
-
Opt 1 is good enough, you should give it a shot!
-
BlueKobold,
I am looking for a CPU, preferably an Atom with AES-NI instructions in the chip for OpenVPN. I need 100Mbps on VPN. I will also probably be running it on an ESXi server.
I have found a few besides the one you mentioned. Any recommendation for a motherboard for any of those?
Looking to spend ~200$. If more I may have to wait later on. Maybe Atom E3845?
-
Small:
- Jetway Intel Atom D525 ~$200
No AES-NI & QuickAssist
- PC Engines APU1D4 ~$250
No AES-NI & QuickAssist
- PC Engines APU2D4 ~$300 (upcoming, not fully ready now)
AES-NI but no QuickAssist
Mid ranged:
- Jetway N2930 ~$300 (barebone)
No AES-NI & QuickAssist
- Intel Atom C2358, C2558, C2758 ~$300 - ~$800
AES-NI & QuickAssist
Looking to spend ~200$. If more I may have to wait later on. Maybe Atom E3845?
http://ark.intel.com/search/advanceds=t&FamilyText=Intel%C2%AE%20Atom%E2%84%A2%20Processor&AESTech=true
I am not really informed about the newer Intel Atom CPUs or SoCs that coming actual out there, sorry.
Only some vendors I know really that are using this kind of Intel Atom Nxxxx SoCs in their devices to
be a router or firewall. But I really can't say anything about the VPN capabilities and throughput that
will be able to reach with them. Sorry again.
Axiomtek NA342 w/ Intel Atom E3825 processor
- AES-NI
- no QuickAssist
Axiomtek NA343 w/ Intel Celeron N3050
- AES-NI
- no QuickAssist
Supermicro X11SBA-LN4F w/ Intel Pentium Processor N3700
But problems with pfSense are reported.
- AES-NI
- no QuickAssist
So I really would go more with the SG-2220 from the pfSense store or waiting until the APU2C4 is ready
and the name is changing to APU2D4, both come with AES-NI and will be sufficient enough for
100 MBit/s IPSec VPN as I see it right. What the OpenVPN is really needing others should answering
because I don't use it and as I am informed it is not getting any benefits from the AES-NI.
-
BlueKobold thanks a bunch. That actually helps a lot. I will wait for the board release. I'm not in a rush and it's in April.
BTW I found some testing on OpenVPN on that 2d board and it can easily do 100Mbps on OpenVPN with encryption so I will give this a shot when it comes out.
I can post a link to this but it's from a competitive firewall product so not sure if pfsense would be happy about that.
-
Quick question here on that APU board. How does one setup initially install and nic assignment when there is no graphic card?
Is console port on Putty going to display all the boot information and will show nic assignment just like on graphic card ?
I kinda see this as maybe becoming nightmare as that's crucial step in setting it up. What about troubleshooting it later, through console as well?
-
Quick question here on that APU board. How does one setup initially install and nic assignment when there is no graphic card?
It could be well done by using the amd64-full-console-image with no problems!
- Set up at the BIOS Console to 115200 8/1/n
- Set it also up at your Putty settings
- pfSense comes with these numbers as default
And now you will be getting a clear and fast console output, and please don't forget if sometimes
something goes wrong the mostly and only thing is then the console to revive the box or fix problems.
Is console port on Putty going to display all the boot information and will show nic assignment just like on graphic card ?
This should be so. I can't really say yes but it must be if the correct baud rate was set up.
I kinda see this as maybe becoming nightmare as that's crucial step in setting it up.
Never, since the older Alix Boards are in usage this was working for many thousand users and customers
well and it will also be doing it for you!
What about troubleshooting it later, through console as well?
For routers, switches and firewalls the console port either as an USB, RJ45 or serial port
is mostly the last chance to get them revived or fixed up. Please remember these couple
of words! Perhaps not really mostly, but really often for sure.
-
BlueKobold thanks that give me some reassurance. This board with all parts should be $150-170 total so half the price of atom setup but i realize atom is better.
The way i configure atom setup at very least i would have to pay $350+ so this is good alternative. The only reservation i have is not having that vga output
but if you're saying console is A OK then OK hehe.
Does this board fit mini itx other enclosure or one would have to go with theirs. I can't tell from pictures but it seems different and maybe only their custom enclosure works due to where the ports are. Thoughts?
-
Does this board fit mini itx other enclosure or one would have to go with theirs. I can't tell from pictures but it seems different and maybe only their custom enclosure works due to where the ports are. Thoughts?
The PC Engines boards are coming not in the miniITX format, it is more that this is a custom format
and the entire case is a part of the cooling, so no other case should be used in that case, either you
go with the APU or APU2 Board. I personally would wait on the APU2 that might be better sorted with;
- AES-NI
- Intel NICs
- 4 GB ECC RAM
- a quad core cpu
A CPU core can not so easily compared to another CPU core, that are not likes things are going.
And a router, a switch or a firewall without any kind of console port I would never buy.
-
BlueKobold u rock man. So I see the APU engines only support nano image. Does that mean that certain packages like snort or other downloadable packages may not be available for Nano pfsense? Are there limitations in nano vs full or is this only during install. I see nano is only 177mb tiny comparing to 1.0G full version. Just trying to see if this is not stripped version of pfsense and packages may not be available. ???
download pfSense (pfSense-X.Y.Z-RELEASE-4g-amd64-nanobsd.img.gz) image. (nano, amd64, non-vga)
https://doc.pfsense.org/index.php/Full_Install_and_NanoBSD_Comparison
http://pcengines.ch/howto.htm#OS_installation
-
BlueKobold u rock man. So I see the APU engines only support nano image.
You were mixing the older Alix boards and the newer APU & APU2 ones from today!
Does that mean that certain packages like snort or other downloadable packages may not be available for Nano pfsense?
Yes, for NanoBSD this might be absolutely correct. But together with the PC Engines APU & APU2 you
are able to use the following storage and boot mediums such as;
- SDCard
- mSATA
- SSD/HDD
- SATA-DOM
- USB pen drive (internal & external)
Is there limitations in nano vs full or is this only during install. I see nano is only 177mb tiny comparing to 1.0G full version. Just trying to see if this is not stripped version of pfsense and packages may not be available. ???
For sure it will be not only one.
https://doc.pfsense.org/index.php/Full_Install_and_NanoBSD_Comparison
Here you will get the detailed answer on your earlier question you made above.
http://pcengines.ch/howto.htm#OS_installation
That we both are clear to talk about one and the same thing here is a http Link to the APU & APU2
boards we are talking about. PC Engines APU2C4
Above it will be shown how sorted and what kind of hardware it is.
The APU2 actual status is the following:
BIOS is not feature complete yet, in particular -
• No boot from SD card.
• ECC not working yet.
• iPXE module not included yet.
-
So on new APU2d board that will be coming out can i install fully featured iso and run all packages i desire as long as msata drive is in it?
And would it be non-vga iso since this board has no vga card ?
They feature their msata drive for APU board, does that mean i only can use theirs or can i use any other msata. I suspect no as it refers to apu msata controller?
I'm new to this and instructions on apu site were talking about nano so i took it as only nano be used on their (apu) boards. Sorry i pasted entire line. It's been edited. Didn't even notice that.
Thank you for all your help in this.
-
This thread was started by @JanFrode and was originally based on other information and questions she or he
was asking! Please accept this, because I really don't want to hijack his or her thread so this might be the
last time I will be answering your personal questions here. Please go and open your own thread that is helping you.
So on new APU2d board that will be coming out can i install fully featured iso and run all packages i desire as long as msata drive is in it?
Yes.
And would it be non-vga iso since this board has no vga card ?
Yes.
-
Oh so sorry. I'm also trying to pick best solution so i'm only joining the chat for best solution. One more question and i'm done as i think i got everything.
On apu website they feature their msata drive for APU board, does that mean i only can use theirs or can i use any other msata. I suspect no as it refers to apu msata controller for that apu board only?
-
pc engines apu, are pretty nice. Also I am from Zurich, Switzerland, so it is just next door to me (few minutes by tram to pick directly from their hq).
Found some benchmarks for older ones: http://www.firewallhardware.it/entry_level_apu_based.html based on current pc engines board, does about 500Mbps in NAT.
The apu2 is coming in few days, and should easily have 2x CPU performance. (And does AES in hardware, which is also nice)
I guess, I will actually get then new one, something like apu2c4, which has Intel NICs and better CPU. Should do 1Gbps actually. Around 125 CHF (~128USD, without case, psu, and storage, but all the accessories are surprisingly cheap in their webshop for Switzerland, will probably fit below 180$). I like it. VGA would be somehow useful, but serial port is ok too. And I can always use 3rd NIC as an emergency network access or something. It is pretty expandable too, with usb, minipci, sata, SD, etc.
Anyhow, I had no idea AMD's APU comes also without GPU. And indeed apu2c4 comes with CPU which doesn't have GPU (but that might be just a binning, the GPU might be still there on silicon disabled).
Rango: I am pretty sure you can put most of the other mSATA or SD stuff there. I think they just have it in the shop for your convenience, and often they are good enough to do the job. 16GB is somehow small by current standards tho. They list some stuff on their webpage, as for APU board, or for older ALIX boards. It is just so people do not choose something like this mSATA drive, or minipci express wlan card, when they are buying ALIX board, because this will not work or fit even.
-
Cool when you get it let us know how you like it. BTW the board name will change to apu2d4 from what i heard. For me no vga was deal killer. I don't wanna mess around with console port. If you do some research you won't see some of the output during install. It will be garbage, then you have to switch some baud on console port. It's ok but hassle for me. I would appreciate simple 1024x768 vga output, don't have to be hdmi or anything but serial port is no go for me, as troubleshooting may be an issue, at least for me.
Also that amd chip i'm not impressed with it. Didn't dig the way they implemented heat sink solution either. Since this is custom build board if there are issues you will have to deal with their forum board and play around there. Like their custom BIOS development and bugs and updates within their custom board and bios that drives it. I don't wanna deal with that. With NUC it's a pc essentially with vga output. I don't think throughput is bad, i don't know exactly what it is. Maybe be similar to intel but i know intel will outperform. Realtek nics are not issue for setup, just maybe high end throughput, from what i hear.
Honestly i like 2758 the best but not willing to spend that kinda money now at this box so this was best compromise. I didn't want to mess around with serial port. I think they made mistake by not including vga output but that's my opinion. Also with that NUC you can always convert it to media player as it's 4k compatible and has hdmi. It's more versatile and price is right. It's really personal preference. I honestly wanted 2758 but its too much $ for pfsense box imho.
btw 1d sucks….that's not even 100Mbps, and NUC will annihilate that box, 2d maybe way better but u should pass on 1d. And it's 230 euros so it's expensive for this performance.
My asus 78u does 60Mbps on it's ARM processor. Any pfsense box MUST MUST do more than 100Mbps on AES 256, otherwise it's not worth my time.
AES256 58,63 Mbps 55,00 Mbps