PfSense Build to Match Ubiquiti EdgeRouter Lite Price



  • What would be a good hardware to run pfSense if the main objective is to support Gigabit Internet and still be within the price point of the Ubiquiti EdgeRouter Lite (around $100)?

    It must support true gigabit Internet routing of IPv4.



  • That's not going to be possible for new parts.  A used Dell R710 on eBay would work.  Be prepared to pay $500/year for power though.



  • I've had good luck with refurbished HP 7900 small form factor desktops, NewEgg and Amazon have some decent deals. Add an Intel PCIe network card or three depending on your needs. Unplug the unused bits and stick in a small, inexpensive SSD and you are under 40 watts.

    I used one of these for several years but recently upgraded to an SG-2440 when I had some spare cash.



  • @mifronte:

    It must support true gigabit Internet routing of IPv4.

    As Jason noted, impossible at that price point for new hardware. The ERL also won't do gigabit for Internet connectivity for most people's purposes, that ASIC strictly accelerates routing, not NAT. Sounds like your case requires NAT, where ERL wouldn't do "true gigabit."



  • What would be a good hardware to run pfSense if the main objective is to support Gigabit Internet and still be within the price point of the Ubiquiti EdgeRouter Lite (around $100)?

    From eBay or from the dump court for free, by recycling old hardware.
    Or fiddling hardware together from various machines to one well working one.

    It must support true gigabit Internet routing of IPv4.

    What is true GB Internet? 1 GBit/s true throughput or 1 GBit/s capable ports?
    EdgeRouter is a MIPS-based device and such CPUs are pretty cheap to get your hands on,
    and EdgeOS is a Linux that runs famously on those MIPS CPUs, but pfSense is an
    x86-based firewall, so you should be looking for the right hardware for that and
    not at what other devices cost.



  • @mifronte:

    …within the price point of the Ubiquiti EdgeRouter Lite (around $100)? ... must support true gigabit Internet routing of IPv4.

    It all comes down to: you get what you pay for.
    For $100 you can get a device that claims to be doing 1Gb IPv4 routing. Nothing more than routing and surely not with the feature-set of pfSense.
    If you want pfSense's features, UI, support, … AND Gbit speed you need to invest in suitable hardware.

    It's like the good ol' car analogy: you can buy one relatively cheap that takes you from A to B. But don't expect an SUV with top-notch interior, driver assist systems and looking great for the same amount.



  • I much prefer pfSense over the EdgeOS and that is why I was hoping to find hardware in the EdgeRouter Lite price point to run pfSense strictly as a standard Internet gateway router and firewall (no packages) with the caveat of supporting 1 Gbps throughput.

    The hardware would be deployed in customer environments and so recycling hardware is not an option since I would need to reliably source the hardware for each deployment.  Since these deployments will be to users who may never have a need for anything more than an Internet gateway/firewall router, I am not too concerned about being able to run more than the standard base pfSense install.

    I will be testing an EdgeRouter Lite-3 just to see how well it can handle a 1 Gbps throughput.  Regarding NAT and gigabit throughput on a MIPS CPU like the EdgeRouter Lite 3, the EdgeRouter Lite 3 offloading.


  • Netgate

    @mifronte:

    I much prefer pfSense over the EdgeOS and that is why I was hoping to find hardware in the EdgeRouter Lite price point to run pfSense strictly as a standard Internet gateway router and firewall (no packages) with the caveat of supporting 1 Gbps throughput.

    The hardware would be deployed in customer environments and so recycling hardware is not an option since I would need to reliably source the hardware for each deployment.  Since these deployments will be to users who may never have a need for anything more than an Internet gateway/firewall router, I am not too concerned about being able to run more than the standard base pfSense install.

    I will be testing an EdgeRouter Lite-3 just to see how well it can handle a 1 Gbps throughput.  Regarding NAT and gigabit throughput on a MIPS CPU like the EdgeRouter Lite 3, the EdgeRouter Lite 3 offloading.

    Good luck.  Come back when you found it.

    (We're working on it, but it's not going to be an ERL.)



  • @jwt:


    (We're working on it, but it's not going to be an ERL.)

    If you hit the price point and manage 1 Gbps NAT throughput, then I would be highly interested.  BTW, may I ask who are you referring to when you say "We're working on it, …"?



  • I have an edge router here as a backup to my pfSense setup and for that it is a pretty good deal for $100. Configuration is a pain and there are a lot of rough edges (some of which I helped file off in previous beta testing over there) but for a very basic setup or a minimal backup box it is not a bad choice. A consumer grade home router might do as well though.

    Going beyond the basics with the ERL you are going to be forced to do a lot of command-line configuration and that is neither simple nor intuitive. I put configuring an edge router in the same class as creating Regex code; unless you work on it on a near daily basis it is very difficult to understand what you have created and maintenance or tweaking is not fun. If you go that way consider creating a text file with detailed steps and copy/paste your command-line information into it or be prepared to spend a lot of time refreshing your memory on what you did and why.

    For someone that wants a system that you can easily maintain after ignoring it for a few months pfSense is a far better option.

    Still the $100 edge router has a place here, my family has no real computer skills and hoping that they can deal with an issue even if I can chat with them on the phone is likely doomed to fail. However by powering on the ERL and moving two clearly marked Ethernet cables they can have their Internet connection back as well as connectivity to our networked printer. They will miss a lot of functionality that they get from pfSense but they will be on-line until I can get home and sort things out.

    Our last pfSense failure (not the software's fault but a bad RAM chip in the HP desktop) and the fallback to the ERL resulted in the wife telling me to scrap my re-purposed desktop pfSense box and grab an SG-2440 which has ended the hardware issues.



  • @mifronte:

    @jwt:


    (We're working on it, but it's not going to be an ERL.)

    If you hit the price point and manage 1 Gbps NAT throughput, then I would be highly interested.  BTW, may I ask who are you referring to when you say "We're working on it, …"?

    Perhaps he means they are working hard on an ARM based FreeBSD or pfSense port or fork and so this is
    likes in that direction but not hitting the point with the UBNT EdgeRouter that is MIPS based.

    I have an edge router here as a backup to my pfSense setup and for that it is a pretty good deal for $100.

    The UBNT EdgeRouter series is substituted by other devices from UBNT, please don't forget this, and there
    is nothing pfSense should be messing with, it's a plain router and not a firewall and as second this should
    also be said, MIPS hardware is cheaper to get and pay for compared against x86 hardware needed by pfSense.

    For sure it would be nice to see pfSense working on those devices too, they come with sufficient ports
    and UBNT will not be angry about a better sales rate or a smaller to mid ranged offerings to pfSense if
    they want to get a bigger charge of those units. But at first it must be a MIPS port of FreeBSD and
    pfSense there right in the place.



  • @mifronte:

    If you hit the price point and manage 1 Gbps NAT throughput, then I would be highly interested.  BTW, may I ask who are you referring to when you say "We're working on it, …"?

    That's Jim Thompson, better known (previously) as gonzopancho, and CTO for Netgate - which basically runs, and employs just about everyone working on the pfSense project, with the exception of Chris Buechler (cmb), IIRC.



  • One major point is, the price of x86 platform is high when compared with ARM based platform, and some ARM processors are actually ASICs which is not even comparable (x86 is more generic purpose), so I would say it's not really possible to find such x86 build.



  • @dreamslacker:

    That's Jim Thompson, better known (previously) as gonzopancho, and CTO for Netgate - which basically runs, and employs just about everyone working on the pfSense project, with the exception of Chris Buechler (cmb), IIRC.

    Thank you for the clarification.



  • Got the Ubiquiti EdgeRouter Lite and hooked it up to my symmetrical gigabit fiber Internet and did a quick test:

    The firmware does leave a lot to be desired when compared to pfSense.



  • @mifronte:

    What would be a good hardware to run pfSense if the main objective is to support Gigabit Internet and still be within the price point of the Ubiquiti EdgeRouter Lite (around $100)?

    It must support true gigabit Internet routing of IPv4.

    An ERL will barely do gigabit.  Enable anything that disables the hardware offload and you are toast.  I wouldn't touch anything smaller than an EdgeRouter Pro if I had gigabit Internet, and even then I'd be wary if I needed to do anything beyond basic routing.

    Spend a bit more and get decent hardware to run pfSense - you won't be disappointed.  You are absolutely about to get yourself into a pay me now/pay me later situation.



  • Connection speed is the limitation here.

    This is a Dell r210 II - I think I paid around $200 on eBay.

    Pretty minimal hardware:

    Running under vsphere 5.5, also running a server 2012 vm.

    This is what I give pf:

    Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz
    Current: 414 MHz, Max: 3312 MHz
    2 CPUs: 1 package(s) x 2 core(s)

    CPU usage never broke 25% on that test.

    What I am not understanding is why you would want to offer the massively larger feature set of pf to people whom you say have no need for it.

    I would point out that they do need more than the ERL offers, especially if they are clueless lusers.

    I do only some very light touch filtering for our public wifi, but there are still 5 people in the last week who are not infected with viruses because of the filtering I have in place.

    Neither the ERL, nor the Edgemax for that matter, are capable of offering that sort of protection.

    If your mission is to stuff security down the throats of people who do not see the value in it, and are not willing to pay the freight, you are already doomed.

    If they are willing to pay for it, a more fair comparison would be the edgemax, which I can stomp to dust with comparable priced hardware.



  • I am not trying to compare the ERL to pfSense.  I am just trying to find hardware that can reliably be sourced and be within the price point of the ERL that can run pfSense and still route at wired gigabit speed.  Since the ERL with hardware offloading can route at wired gigabit speed, I was hoping that there was some hardware that can do the same but be able to run pfSense.

    Just trying to minimize the hardware costs of deploying routers to users with gigabit Internet where I can run pfSense.  I may have to wait to see the price point of the Atom C2358.

    Edit:

    Looks like the Atom C2358 is starting at $180 for the Supermicro A1SRI-2358F



  • @mifronte:

    I am not trying to compare the ERL to pfSense.  I am just trying to find hardware that can reliably be sourced and be within the price point of the ERL that can run pfSense and still route at wired gigabit speed.  Since the ERL with hardware offloading can route at wired gigabit speed, I was hoping that there was some hardware that can do the same but be able to run pfSense.

    Just trying to minimize the hardware costs of deploying routers to users with gigabit Internet where I can run pfSense.  I may have to wait to see the price point of the Atom C2358.

    Edit:

    Looks like the Atom C2358 is starting at $180 for the Supermicro A1SRI-2358F

    Most people, in my mind, are not willing to accept that pfSense is an x86 software firewall that needs
    more, faster or stronger hardware compared with many other "only routers". DD-WRT, OpenWRT and similar
    Linux-based router software do not have that need like pfSense does, and on top of that they are not
    processing firewall rules, which also take their time.



  • @mifronte:

    I am not trying to compare the ERL to pfSense.  I am just trying to find hardware that can reliably be sourced and be within the price point of the ERL that can run pfSense and still route at wired gigabit speed.  Since the ERL with hardware offloading can route at wired gigabit speed, I was hoping that there was some hardware that can do the same but be able to run pfSense.

    Just trying to minimize the hardware costs of deploying routers to users with gigabit Internet where I can run pfSense.  I may have to wait to see the price point of the Atom C2358.

    Edit:

    Looks like the Atom C2358 is starting at $180 for the Supermicro A1SRI-2358F

    There doesn't seem to be a use case here then. If all they want is a gigabit capable NAT router, an Asus RT-AC66U would do the job and has far less hassle than the Edge series.

    What you could sell to them is the idea of a VPN gateway. Just a simple-to-set-up OpenVPN feature and no licensing fees would be worth deploying pfSense for. Any comparable 'branded' device (Cisco ASA, Juniper SRX, Palo Alto, Fortinet, SonicWall etc) in the same performance league would cost more than pfSense hardware.