(SOLVED) Replacing Ubiquiti EdgeRouter X with pfSense
-
I have a Small Form Factor Dell desktop.
Core i5, 4GB RAM, 240GB Crucial SSD and a PCIe Gigabit Intel network card. All of this is overkill, but it's future-proof. I got this from one of our clients who was going to throw it away. And now it's the best firewall I ever used.
-
Does the CPU have AES-NI? What is the model number of the Dell desktop?
-
It's a Dell OptiPlex 780 Small Form Factor.
It came with a Core 2 Duo, but I had a motherboard and CPU sitting around, again from another client. I used the Dell for the chassis and power supply and used a different board and CPU. Yes, it has AES-NI.
Are you planning to buy hardware? There are tons of options online, again depending on your budget.
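The AES-NI question keeps coming up in this thread because pfSense uses it to accelerate AES in IPsec and OpenVPN, so it is worth checking on a candidate box before it becomes the firewall. As an added example (not from either poster), here is a small Python script that answers it from a Linux /proc/cpuinfo dump or from a FreeBSD (pfSense's base system) /var/run/dmesg.boot. The sample inputs embedded below are constructed (abbreviated flag lists, made-up model strings) so the script runs offline; the 'aes' flag token, the AESNI token in Features2 and the 'aesni0:' driver attach line are what the two operating systems actually print.

```python
import re

# Constructed sample inputs so the checks run offline: abbreviated flag lists
# and made-up model strings, not dumps from any machine in the thread.
SAMPLE_LINUX_AESNI = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Pentium(R) CPU G4400 @ 3.30GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm ssse3 sse4_1 sse4_2 popcnt aes xsave avx avx2 rdrand
"""

SAMPLE_LINUX_NO_AESNI = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM)2 Duo CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm ssse3 lahf_lm
"""

SAMPLE_FREEBSD_AESNI = """CPU: Intel(R) Pentium(R) CPU G4400 @ 3.30GHz (3312.07-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x7ffafbbf<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
"""


def linux_has_aesni(cpuinfo_text):
    """True if every 'flags' line of a /proc/cpuinfo dump lists the 'aes' flag.

    Linux names the instruction set 'aes'; match it as a whole token so a
    flag that merely starts with 'aes' would not count.
    """
    flag_sets = [
        set(line.split(":", 1)[1].split())
        for line in cpuinfo_text.splitlines()
        if line.startswith("flags") and ":" in line
    ]
    return bool(flag_sets) and all("aes" in flags for flags in flag_sets)


def freebsd_has_aesni(dmesg_text):
    """True if a FreeBSD boot log (pfSense's base system) shows AES-NI.

    Two independent indicators: the AESNI token in the CPU's Features2 list,
    or the aesni(4) driver having attached (an 'aesniN:' line).
    """
    match = re.search(r"Features2=[^<]*<([^>]*)>", dmesg_text)
    if match and "AESNI" in match.group(1).split(","):
        return True
    return re.search(r"^aesni\d+:", dmesg_text, re.MULTILINE) is not None


def local_has_aesni():
    """Probe the running host; None means neither source file was readable."""
    sources = (
        ("/proc/cpuinfo", linux_has_aesni),
        ("/var/run/dmesg.boot", freebsd_has_aesni),
    )
    for path, check in sources:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return check(fh.read())
        except OSError:
            continue
    return None


if __name__ == "__main__":
    print("sample Linux (G4400-style):", linux_has_aesni(SAMPLE_LINUX_AESNI))
    print("sample Linux (Core 2 Duo-style):", linux_has_aesni(SAMPLE_LINUX_NO_AESNI))
    print("sample FreeBSD:", freebsd_has_aesni(SAMPLE_FREEBSD_AESNI))
    print("this host:", local_has_aesni())
```

Run it on the machine you are about to repurpose, before installing anything. On a box already running pfSense the dashboard's System Information widget reports "AES-NI CPU Crypto" as well, so the script is mainly for vetting second-hand hardware like the OptiPlex above.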
-
I was thinking of building something like this with parts from Newegg.
COOLER MASTER Elite 110 RC-110-KKN2 Midnight Black Steel / Plastic Mini-ITX Tower Computer Case
Intel Pentium G4400 Skylake Dual-Core 3.3 GHz LGA 1151 54W BX80662G4400 Desktop Processor Intel HD Graphics 510
ASRock H110M-ITX LGA 1151 Intel H110 HDMI SATA 6Gb/s USB 3.0 Mini ITX Intel Motherboard
CORSAIR VS Series VS400 (CP-9020117-NA) 400W ATX12V / EPS12V 80 PLUS Certified Active PFC Power Supply
WD Caviar SE WD1600JS 160GB 7200 RPM 8MB Cache SATA 3.0Gb/s 3.5" Hard Drive Bare Drive
Intel EXPI9402PTBLK 10/100/1000Mbps PCI-Express Two Gigabit Copper Server Connections
4GB Samsung DDR4-2400MHz Non-ECC 288pin Memory M378A5244CB0-CRC
Grand Total: $283.23
The G4400 CPU has AES-NI, and once you add the shipping it's $294.42, still $71 cheaper than the SG-3100, which is the appliance I was thinking of buying instead.
What do you think?
The main reason I wanted to build one is I feel I have more flexibility with the hardware. If I buy an appliance, as soon as Netgate EOLs it I can't use it for anything else.
-
Right on. Apart from the $7 saving, you have double the RAM plus a ton of storage. They probably would not EOL it anytime soon as it was just introduced (maybe Sep-Oct 2017), but like you said, you can repurpose the machine anytime you want. You can upgrade it anytime you want. Building your own firewall has its own rewards. Maybe in the future replace the HDD with a 32GB or bigger SSD to make it more reliable.
Go for it!!!
-
I see you do like to tinker… I agree with Goldfish, go for it!
-
Just wanted to point out that you're talking a few bucks' difference in price... And buying the SG-3100 would get you Gold for a year, don't forget that! And a huge part here is you fully support the project by getting hardware from them. And you're going to be freaking sure it's a rock-solid box vs. something you threw together with cheap parts you got online.
How much power is that box going to draw vs. the SG-3100? Looks like you only have 2 NICs there. Don't forget the SG-3100 comes with a
"four-port 1 gbps Marvell 88E6141 switch, uplinked at 2.5 gbps to the third port on the SoC for LAN",
which can be used as a switch or as interfaces for different networks. Your DIY box doesn't seem to have that. Why would you need that much space in your router/firewall? An OLD HDD, to boot. Put in an SSD at minimum.
I am all for tinkering... But as a new owner of a shiny new SG-4860... I say support pfSense/Netgate and get hardware from them. While some of their models might be high for a home/lab "I just like to tinker" budget, etc., clearly this is not the case with what you put together vs. the 3100 model...
Edit: BTW, if you have a question on when the EOL date for the 3100 might be, check here:
https://www.netgate.com/support/product-lifecycle.html
They list the 3100 as the replacement for the 2440. The point to take away from that page would be this statement, I think: "End of Life (EOL) will typically occur within 1-3 years after the EOS date".
So when they stop selling the 3100, you most likely would have 3 years after that. They have stopped selling the 2440 and its end-of-life date is end of 2020. And just because it's listed as EOL doesn't mean it still won't work, or that it would not be able to run the current version of pfSense at that time, etc. We have a 2440 in one of our branch offices with plans to change all the offices out to pfSense; they will all prob be 3100s. Was hoping to get a couple more this year but it didn't work out; my team lead would never pull the trigger on the order even though I brought it up every few weeks ;) I would love to put in the 4860s but they are way overkill for the needs of the branch offices ;) And I don't think I will ever be able to make mine even break a sweat... But that won't stop me from trying; looking forward to playing with the new layer 7 stuff...
-
I see your very good points, johnpoz, and you've given me some things to ponder.
-
I've had some time to ponder, and I happened to find this: http://pcengines.ch/apu2.htm
It seems like a good compromise between the performance of the SG-3100 and the SG-4860.
I'm saving more money than buying the SG-3100 or building one with the parts from the last post. It came out to $200.20 at the most, seeing as the site states about $30-$40 shipping for one system.
For the apu2 4GB RAM version with a case, power adapter and a 16GB MLC SSD it's $200.20.
My main concern is whether the SSD is reliable enough for all the logging pfSense does, as well as whether, if in the future I want to install ntopng, it will keep up and not become a bottleneck.
I can save even more money by buying the 2GB RAM version. Is the 2GB version enough to run most packages? I have about 20 users at most.
Finally, with the money I saved I figure I can buy a $99 Gold subscription and still be donating to the project.
Sorry to be long-winded, but what do you guys think?
-
I would go for the SG-1000, which is $50 extra, and get a free Gold subscription with it. So all in all the device would cost you $50 + shipping. Then you can use this for lab, testing, etc.
-
I am heavily leaning toward the SG-1000, but I have two problems with it.
1. It only has two ports, whereas I need three subnets, and I can't afford to buy a managed switch to implement VLANs.
2. The specs state it has 512MB of RAM; I'm not sure if I can run ntopng with that amount of RAM.
My end goal is to move the EdgeRouter X out of production in favor of a device running pfSense.
-
1. Because they are so expensive?
https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08P/dp/B008ABLU2I?th=1
$29. Or save a couple of bucks if you want and get the 5-port version for $25.
With a smart switch that does SPAN ports you can run ntop on any box you want. Doesn't have to be run on your router…
Here is the thing: if you're planning on moving into a better network setup, you're going to want a smart switch. While you can get them for cheap (the above D-Link 1100, for example, works), it's very feature-starved. For a home budget I am a fan of the Cisco SG300. I picked up a 28-porter because I was tired of being interface-starved ;) And wanted to be able to leverage the 6 interfaces on my 4860 to spread my VLANs out, etc. Have ports to play with LAGGs if someone had an issue I was trying to duplicate to help them. I personally see ZERO reason for a LAGG setup in a home/lab setup; it's a waste of ports for no real benefit.
So I have plenty of ports now. Moved the SG300-10 I had to my AV cab and replaced the cheap Netgear I had there. I have 3 cheap switches that come up a lot here, to be able to help: the Netgear, the D-Link I linked to, and the utter POS, not worth the $20 I got it for, TP-Link one: you cannot remove VLAN 1 from any ports.
I would be willing to sell you any of them... But even if I sold them to you for $15, by the time you paid for the shipping it would be just easier to order from Amazon and have it in 2 days, etc.
The SG300-28 I show for $232; I had gotten it for $200. The SG300-10 I show for $120... Well worth the price point... The money you save if you went with the SG-1000 would pay for the SG300-10.
-
Thanks for that, johnpoz. I wasn't aware D-Link made 8-port managed switches.
Well, with that, here is what I'll do.
I'll buy the SG-1000 along with the D-Link 8-port smart switch.
Instead of having
port 1 LAN - 192.168.0.0/24
port 2 DMZ - 192.168.200.0/24
port 3 WAN - 0.0.0.0/0
I'll do this:
port 1 VLAN 2 - LAN - 192.168.0.0/24
port 1 VLAN 3 - DMZ - 192.168.200.0/24
port 2 WAN - 0.0.0.0/0
Thanks for everyone's help.
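The two-port layout in the post above, with both inside networks riding tagged VLANs on one physical port, is easy to get subtly wrong: overlapping subnets, a tag reused on the same parent, or tagging VLAN 1 on one of the cheap switches that cannot remove it from ports. As an added example, not from anyone in this thread, here is a Python script that checks such a plan and prints the FreeBSD ifconfig lines that would realise it for a one-off test (pfSense is FreeBSD-based). The parent interface names cpsw0/cpsw1 and the .1 gateway addresses are assumptions; the networks and VLAN ids are the ones from the post.

```python
import ipaddress

# Constructed from the plan in the post above. The parent interface names
# (cpsw0/cpsw1 for the SG-1000's two ports) and the .1 gateway addresses are
# assumptions for the example, not something stated in the thread.
PLAN = [
    # (parent NIC, VLAN id or None for untagged, name, network or None for WAN)
    ("cpsw1", 2, "LAN", "192.168.0.0/24"),
    ("cpsw1", 3, "DMZ", "192.168.200.0/24"),
    ("cpsw0", None, "WAN", None),
]


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_tags = set()
    networks = []
    for parent, vid, name, net in plan:
        if vid is not None:
            if not 1 <= vid <= 4094:
                problems.append(f"{name}: VLAN id {vid} is outside 1-4094")
            elif vid == 1:
                # VLAN 1 is the default VLAN on most switches; the cheap ones
                # discussed above cannot remove it from ports, so avoid tagging it.
                problems.append(f"{name}: VLAN 1 is the switch default VLAN, use another id")
            if (parent, vid) in seen_tags:
                problems.append(f"{name}: VLAN {vid} is already used on {parent}")
            seen_tags.add((parent, vid))
        if net is not None:
            try:
                network = ipaddress.ip_network(net, strict=True)
            except ValueError as exc:
                problems.append(f"{name}: bad network {net!r} ({exc})")
                continue
            for other_name, other in networks:
                if network.overlaps(other):
                    problems.append(f"{name} {network} overlaps {other_name} {other}")
            networks.append((name, network))
    return problems


def ifconfig_commands(plan):
    """FreeBSD (pfSense's base) ifconfig lines that realise the plan for a
    one-off test. Each tagged interface gets the first host address of its
    network; WAN addressing comes from the ISP and is left to dhclient/PPPoE.
    """
    cmds = []
    for parent, vid, name, net in plan:
        if vid is None:
            cmds.append(f"# {name}: untagged on {parent}, addressed by the ISP")
            continue
        iface = f"{parent}.{vid}"
        cmds.append(f"ifconfig {iface} create vlan {vid} vlandev {parent}")
        if net is not None:
            network = ipaddress.ip_network(net, strict=True)
            gateway = next(network.hosts())
            cmds.append(f"ifconfig {iface} inet {gateway}/{network.prefixlen} description {name}")
    return cmds


if __name__ == "__main__":
    issues = check_plan(PLAN)
    if issues:
        print("\n".join(issues))
    else:
        print("\n".join(ifconfig_commands(PLAN)))
```

On pfSense itself the persistent way to do this is Interfaces > Assignments > VLANs (parent cpsw1, tags 2 and 3), then assigning each VLAN interface and writing firewall rules per interface; raw ifconfig changes do not survive a reboot. On the switch side the uplink to port 1 must carry VLANs 2 and 3 tagged, and the access ports for LAN and DMZ hosts should be untagged members of exactly one of them.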