    Hardware suggestions

      nanashikun

      Hi,
      I want to get into pfSense and for that would like to build my own setup.
      So far my wishes/requirements are:
      -low power consumption
      -wifi (I would love to use this as an access point)
      -AES-NI for VPN and future proof
      -2 NICs (of course ;) )
      -my speed requirements are pretty low, my WAN is only 100/40 and of course there will be wifi but again that'll be below 1GBIT/s
      -"cheap"

      So far I came up with the following idea:
      -Gigabyte GA-N3150N-D3V board: the 6W Celeron N3150 has AES-NI and an M.2 for the wifi card
      -4 GB of DDR3L
      -Inter_tech Mini ITX-601 housing with 60W PSU
      plus an a/c wifi card that works well with pfSense and has good speeds, and a drive (would a USB stick as an "HDD" work as well?)

      The total price of this setup would probably be under $200 and would suit me nicely :)

      I of course would be very open to alternatives, but I'm not so pro about those Chinese imports because of customs and support.

      Thanks a whole lot

      Regards

      Nana

        Stan464

        I use OpenVPN at 20/30% Load on the CPU.

        I would highly recommend the below if you're looking at something that would be suited for low power use, low noise depending on your requirements and of course enough legroom to mess around with!

        AMD A4-5000 APU Built onto an Asrock ITX Motherboard
        4 GB of RAM
        80GB SATA Hard Drive.

        Built into a 1U Case.

        Total Cost: 150ish Quid.

        Hope this helped.

          nanashikun

          Hi,
          thanks for your reply.
          I actually just ordered all parts.
          In the end I went for a Zotac CI327 with 8 GB of RAM.
          I'm curious how pfSense will run on this system and if all components run out of the box.

          Regards

          Nana

            nanashikun

            I just got my hardware and wanted to drop a line here:
            The installed Intel 3165NGW wifi card is not supported out of the box. Since I'm completely new to pfSense I have no idea if there is any possibility to change that, but for now I'll give Sophos XG a spin and see how hardware support is there.

            Thanks

            Nana

              whosmatt

              @nanashikun:

              I just got my hardware and wanted to drop a line here:
              The installed Intel 3165NGW wifi card is not supported out of the box. Since I'm completely new to pfSense I have no idea if there is any possibility to change that, but for now I'll give Sophos XG a spin and see how hardware support is there.

              Thanks

              Nana

              As far as I know no 802.11AC hardware is supported in FreeBSD, and therefore not in pfSense. If you want to run pfSense, use a separate AP. If you really need to use the built-in wireless capabilities of your hardware, something based on Linux is probably your only choice.

                nanashikun

                I really would like to have the wifi devices in their own zone and control their behaviour; that's why I liked the idea of an included wifi card. Unfortunately my box only has 2 RJ45 interfaces so there is none to connect an AP to.
                How do USB interface cards behave under FreeBSD 10.3, would that be an option?
                Otherwise, which Linux fw distribution would anyone recommend? From what I read they're all pretty hungry performance-wise.

                Thanks

                Nana

                  pfBasic Banned

                  Just get a switch that supports VLANs.

                  Putting the wifi physically on your router is not great for a lot of reasons. You will have much better performance using a separate AP for wifi, whether you use pfSense or not.

                  Just plug your modem into one port and plug a VLAN capable switch into the other port.

                  Then plug your AP and whatever else into your switch.

                  You can get web managed switches starting at around $25 these days.

                  https://www.amazon.com/TP-Link-Gigabit-Ethernet-Managed-TL-SG108E/dp/B00N0OHEMA?th=1

                    Guest

                    Hardware-wise, you might just as well get one of those cheap Intel-based router platforms you get from China. Comes with a wall-mountable chassis, multiple Intel NICs, DDR3L, SSD support and uses very little power (and is of course fanless). I think most of them are derived from industrial PCs, but even then, they are ideal for small scale or home setups.

                    https://qotom.aliexpress.com/store/108231

                      nicolaj

                      I might be mistaken here but maybe someone else can confirm. On the Gigabyte page it's not stated how many lanes that PCIe port has. It needs to be at least pci2 x2 to handle 1gbit and I'm not sure that's simultaneous; in that case it needs to be x4.

                        pfBasic Banned

                        No, pcie v 2.x+ at x1 speed = 4 gigabits full duplex

                          nanashikun

                          Yeah I saw the Qotom J1900 but decided against that one because 1. no AES-NI for pfSense 2.5 and 2. I had some very bad experiences with buying hardware directly from China so I'm not doing that anymore.
                          Now I have the hardware that I bought and would of course like to use it. Since it's brand new hardware the support looks pretty grim in whatever firewall/UTM distribution I looked at. This will of course change with time so I might just need to have some patience.
                          Using a VLAN capable hotspot is an idea BUT there are a few reasons for which I'd rather not use wifi at all:
                          1. VLANs are an organisational feature but not a security feature so I guess it would be better to get a wifi hotspot and a supported USB-RJ45 "card"
                          2. I was trying to keep the energy footprint of my extra hardware as low as possible

                          Maybe at some point some of those neat China boxes will make their way officially to Europe (of course more expensive but still). For now I can at least use pfSense to protect my LAN and my wifi devices are stuck in my WAN for the time being (serves them right ;) )

                            Guest

                            Those China boxes are sold on Amazon too. The J1900 is old, they sell Core i3 4th gen and Celeron based (all with AES-NI) boxes with Intel NICs as well. TDP around 15 W.

                            i.e.: https://www.amazon.co.uk/Qotom-Q330G4-Industrial-Fanless-Mini-Storage/dp/B06Y5ZGQJ4/ref=sr_1_1?s=computers&ie=UTF8&qid=1494942008&sr=1-1&keywords=Q330G4

                              pfBasic Banned

                              What makes you say VLAN isn't a security feature?

                              Also, NICs consume power too. PRO/1000 consumes a lot. ixxx series are much more efficient.

                                Guest

                                PRO/1000 also gets reasonably hot. If you stick 4 or more of them in a small box you'll need airflow because otherwise the combined heat of the motherboard chips, CPU and NICs will ramp up pretty quick.

                                  Guest

                                  -2 NICs (of course ;) )

                                  The SG-1000 or SG-2220 unit from the pfSense store would be a nice match too!

                                  -my speed requirements are pretty low, my WAN is only 100/40 and of course there will be wifi but again that'll be below 1GBIT/s

                                  Can you please clarify what exactly "below 1 GBit/s" is?

                                  -"cheap"

                                  Is 200 Euro - 300 Euro ok?

                                  • APU2C4 bundle
                                  • mSATA 30/60/120 GB
                                  • UBNT SR71-E or Compex WLE200NX
                                  • Antennas & Pigtails
                                  • Console cable & USB > Serial adapter

                                    Guest

                                    @pfBasic:

                                    What makes you say VLAN isn't a security feature?

                                    Because it's a management feature. It's basically just 'more network domains'. Instead of only having one physical network and one logical network you have many logical networks. While more networks could be used as part of a more secure network setup, they are not 'more' secure by themselves. VLAN technology isn't only implemented using 802.1q, there are other tagging and segmentation technologies out there.

                                      bingo600

                                      @johnkeates:

                                      @pfBasic:

                                      What makes you say VLAN isn't a security feature?

                                      Because it's a management feature. It's basically just 'more network domains'. Instead of only having one physical network and one logical network you have many logical networks. While more networks could be used as part of a more secure network setup, they are not 'more' secure by themselves.

                                      I agree with the above.
                                      But:
                                      VLANs make L2 separation easier & cheaper to implement, and therefore I would say it would be "more probable" to be implemented. And a proper L2 separation would make your network less error prone, both from a broadcast domain perspective and an "infection" perspective. Especially the latter would count as better security in my book.
                                      Besides, it would prob. make the fw rules easier to implement; less complexity is more secure.

                                      @johnkeates:

                                      VLAN technology isn't only implemented using 802.1q, there are other tagging and segmentation technologies out there.

                                      If you want vendor interoperability, .1q would be the only one to use.

                                      I have only ever used i.e. Cisco ISL, until .1q was a standard. And nowadays you can't even choose ISL in the newer switches.

                                      Now: If pfSense (BSD) would be made fully VRF aware .. Yummy ….. ;)

                                      pfSense+ 23.05.1 (ZFS)

                                      QOTOM-Q355G4 Quad Lan.
                                      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                        fnkngrv

                                        @johnkeates:

                                        Those China boxes are sold on Amazon too. The J1900 is old, they sell Core i3 4th gen and Celeron based (all with AES-NI) boxes with Intel NICs as well. TDP around 15 W.

                                        i.e.: https://www.amazon.co.uk/Qotom-Q330G4-Industrial-Fanless-Mini-Storage/dp/B06Y5ZGQJ4/ref=sr_1_1?s=computers&ie=UTF8&qid=1494942008&sr=1-1&keywords=Q330G4

                                        My 330G4 arrived today and pfSense says that NIC 1 is igb0, NIC 2 is igb2, NIC 3 is igb3, doesn't see NIC four, and as you can tell it is "missing" igb1. Not happy and not sure what to do.

                                          gjaltemba

                                          I am sorry to hear that a NIC is not working on your new Qotom. Is it a case of no driver for the NIC?

                                          Curious to know if it is listed at all in

                                          pciconf -lvc

                                            fnkngrv

                                            @gjaltemba:

                                            I am sorry to hear that a NIC is not working on your new Qotom. Is it a case of no driver for the NIC?

                                            Curious to know if it is listed at all in

                                            pciconf -lvc

                                            Well, the funny thing is that I have a couple of other people telling me they have the same box without issue, but then they also said they are not using all four interfaces on the card. I can plug an active Cat5 into all four interfaces and they will show the status lights. When I am in pfSense in the CLI and I choose to assign interfaces, all four show, yet they identify wrong, and during the assignment as well, if I choose auto then it doesn't see the fourth interface. For grins, in the next day or so I am going to try installing Ubuntu on it and Windows 10 for verification of usability for each interface. It could be a pfSense bug or something. I need all four ports so it is important for me to figure it out quickly before my return time expires.
