Hardware options to run pfSense

cphillips

All,

I am planning on turning my current router (Netgear R9000 X10) into an AP and installing a dedicated PFSense firewall.

I have the following hardware available to run the PFSense installation:

Dell R210ii with 8Gb RAM and a pair of SSDs

Supermicro A1Sai-2750F with upto 16Gb RAM and a pair of SSDs.

I also run an ESXi server so could put this into service as a VM but am a bit sceptical in case of problems with the host...

I plan to install PFBlockerNG/Suricata on PFSense. (and maybe a few other services/addons I like the look of)

I also have a dedicated VM for my OpenVPN server which I intend to remove and make use of the OpenVPN service on PFSense.

Broadband connection is 80Mb download 20Mb upload into a BT OpenReach modem (white box) which then goes into the Netgear X10.

Both servers above pull about 25w with PFSense installed (with a 10Gb card installed but I plan on removing that as not really needed at the moment).

Any recommendations?

provels

@cphillips
The machine in my sig runs virtual on Hyper-V and handles my 300/20 connection fine. That said, I'd use the lowest power consuming box you have if your not confident of the ESXI host. It doesn't take a lot of hardware.

PS - The Hyper-V host is a 12 year old Intel Q6600.

cphillips

@provels
Thanks for your comments. It's not that I have no confidence in my ESXi host, I do. It has great uptime. I think I'd just rather run a hardware device as if there is a problem with the ESXi host then this would prevent the internet from being offline..

stephenw10

I would have had the Dell down as consuming significantly more than the Atom based Supermicro.

A C2750 will be more than sufficient there. You won't need 16GB of RAM in it. You could probably do all of that with 2GB, 4GB to be safe.

Steve

ora23362

With a BT OpenReach modem on an 80/20 connection I have been using an SG-4860 for several years now with zero complaints in performance (Can easily max out the available bandwidth with single digit CPU percentage usage).
It runs on a C2588 @2.4Ghz with 8GB ram and ~20Gb EMMC storage. 8 configured network interfaces (several VLANs) and quite a stack of rules added over the years.

provels

@cphillips said in Hardware options to run pfSense:

@provels
Thanks for your comments. It's not that I have no confidence in my ESXi host, I do. It has great uptime. I think I'd just rather run a hardware device as if there is a problem with the ESXi host then this would prevent the internet from being offline..

Just a thought, but you could duplicate your ESXi VM config on a throwaway PC for backup. My hardware backup is a 32-bit pfSense 2.3.5 recycled VPN appliance from my old job. Not current version, but would get me online in a pinch.

stephenw10

@provels said in Hardware options to run pfSense:

32-bit pfSense 2.3.5

Raffi_

@stephenw10 said in Hardware options to run pfSense:

I would have had the Dell down as consuming significantly more than the Atom based Supermicro.

A C2750 will be more than sufficient there. You won't need 16GB of RAM in it. You could probably do all of that with 2GB, 4GB to be safe.

Steve

Agree with this. The supermiro sounds like the least power hungry out of all options. I would go with that. All of them will be more than enough for all the requirements mentioned. To give you an idea, I'm running pfblockerNG, suricata, OpenVPN, and a few other packages on an overkill 8th gen i3, 8GB of ram and a single 120GB SSD. The CPU is always sitting close to 1-2% and ram is only ~40%. All of this is overkill for the small office even during heavy VPN use.

provels

@stephenw10
Not to worry, as it's a cold backup. If you want to compile 2.4.5_p1 on x86 for me, I'll happily upgrade. And if that blows, I still have my Nokia ip530 on 1.2.3 on a gmirror raid... In any case it would only need to be online long enough to DL an ISO if needed.

stephenw10

@provels said in Hardware options to run pfSense:

I still have my Nokia ip530 on 1.2.3 on a gmirror raid...

Ha.

cphillips

Thanks all, I am going to run the C2750 and see how that goes.

This is the board I have - https://www.supermicro.com/products/motherboard/atom/x10/a1sai-2750f.cfm

Do we know if the onboard NIC's are ok to run pfSense or should I be looking at installing an Intel card?

stephenw10

C2K CPUs are a SoC with 4x igb NICs built in. You should be fine there.

Steve

DaddyGo

@cphillips

Just for the sake of completeness...
It's a matter of taste, the Atom series

https://www.servethehome.com/intel-atom-c2000-series-bug-quiet/
https://www.servethehome.com/intel-atom-c2000-avr54-bug-strikes-sth/

and etc.

stephenw10

It does depend on the age of that board though.

cphillips

It's not new, a few years old but I am willing to use it. I actually have two of them so can have a cold spare ready to go.

provels

@stephenw10
HA you say! :) I think it was $15,000 our price ($17,000 MSRP). Probably the most expensive home installed pfSense box ever!
And they just gave it to me... :)

Memories...

stephenw10

Ha nice.