Netgate Discussion Forum

Looking to move pfsense from vm to hardware - solutions under $300?

Hardware | 25 Posts, 14 Posters, 6.9k Views
richtj99

      Hi,
I have been using pfSense on my homelab ESXi VM. I am having an issue with the pfSense VM CPU going to 100% when my FreePBX VM is running - both should be pretty low CPU items.

      Anyway I think maybe moving pfsense to a dedicated physical box might be a better long term solution.

      I would love it to be under $300 & use less than 10 watts at idle. Any suggestions / recommendations?

      A bonus would be if it had intel nics.

      Thanks, Rich

Guest

        PC Engines APU2C4 (bundle)
        Jetway NF9HG-2930 (self made)
        pfSense SG-2440 (bundle)
        A1SRi-2358/2558/2758 (self made)

johnpoz (LAYER 8 Global Moderator)

Where are you seeing the SG-2440 for under 300? It's 500 on the pfSense store.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

pfSenseSnort

I think it's very important to include your internet speed/bandwidth plus the packages you'll be using.
I recently purchased a CI323 nano (comes with 2x Gbps Realtek NIC ports) and found out that it can route only ~300-400 Mbps on my 1000 Mbps line, and also Snort loads really slowly compared to the i3 Skylake box I have.

            Just my 2 cents.

richtj99

I have a 100 meg connection for the WAN & 1000gb on the LAN. I would rather get something a little more future proof, which is why I can't tell if something like this:

              https://www.amazon.com/Firewall-Micro-Appliance-Intel-PFSense/dp/B01AJEJG1A/ref=sr_1_1?ie=UTF8&qid=1468435409&sr=8-1&keywords=pfsense

              Quad Core Celeron J1900 Bay Trail 2.0GHz, 2MB L2 Cache
              4 Gigabit ethernet Intel NIC ports
              4GB DDR3 RAM
              8GB mSATA SSD
              Fanless and silent operation

would have the 'oomph' I am looking for?

dwood

Yes. Just installed two. $256 with 8GB RAM, 128GB mSATA drive: https://forum.pfsense.org/index.php?topic=114202.0

We run Snort on 3 interfaces, Squid, SquidGuard etc. Max CPU load I've seen is 37% at 50Mbit.

icest0rm

Interesting topic.

                  I'm interested in the same question, about to move from VM to HW and looking for a cheap solution 64-bit capable…

The Celeron J1900 seems to catch on a lot nowadays... how about the missing AES-NI?

albatorsk

I can recommend the Partaker B5, a Celeron N3150 based mini-PC I got a few months ago. It's got dual gigabit NICs, and the CPU has AES-NI, so it has no problems shovelling ~100Mbps OpenVPN traffic back and forth.

The only "downside" to it is that it has Realtek NICs. I say that in quotes since I can't really tell if it actually is a downside anymore. Since pfSense 2.3, I have no problem getting the full 1Gbps throughput.

                    You can pick it up from Aliexpress or similar for roughly 200 USD.

icest0rm

@albatorsk:

Interesting option… I'm just not too attracted to buying from AliExpress because of the long delivery time (if you don't choose a courier) and duty expenses.... correct?

bytecode

AliExpress shipping time depends on the vendor; the Qotom shop on AliExpress selling the J1900 boxes actually guaranteed 9 day delivery, which sounded great, better than the usual 1 to 2 month wait time from AliExpress.

albatorsk

                          Exactly. Now I don't remember what vendor I got mine from, but I selected DHL shipping, and had it in my hands a week after ordering.

icest0rm

@albatorsk:

Yeah, DHL shipping should do the trick… it just costs a little (around $30 depending on vendor)...

What about customs?

mauroman33

                              Totally agree with albatorsk.

                              I've just ordered the second one for the summer house; the first one was delivered in 5 days:
                              http://www.aliexpress.com/store/product/Free-shipping-Mini-PC-Intel-Pentium-J1900-Quad-Core-2-41GHz-Fanless-Micro-PC-4G-RAM/1383581_32354251046.html

I'm really satisfied. Just over $200 (with 8GB RAM and 64GB SSD) and it's capable of running Snort, pfBlocker and the OpenVPN client smooth as silk.

guardian (Rebel Alliance)

Can recommend this one… Fast delivery, nice little box, Intel NICs work well.
                                https://forum.pfsense.org/index.php?topic=113308.0

                                If you find my post useful, please give it a thumbs up!
                                pfSense 2.7.2-RELEASE

Paint

@richtj99:

Take a look at my recent build. I have a 150/150 Mbit FiOS fiber connection and gigabit LAN.

                                  https://forum.pfsense.org/index.php?topic=113610.0

It is future proof for your needs and exceeds the speeds you currently have. I can OpenVPN into my network and download/upload at my full WAN speeds (150/150).

                                  pfSense i5-4590
                                  940/880 mbit Fiber Internet from FiOS
                                  BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
                                  Netgear R8000 AP (DD-WRT)

icest0rm

@mauroman33:

                                    What about CPU missing AES-NI?
                                    How much did you pay for customs?

mauroman33

@icest0rm:

What about CPU missing AES-NI?
How much did you pay for customs?

There is AES-NI support because the CPU is the Celeron N3150.
I didn't pay a customs fee because they declared a value of USD 30.

duren

If by future proofing you mean speed wise, check this out…

1. This thread says a Zotac CI323 nano will do 3-400mbps
2. https://forum.pfsense.org/index.php?topic=113610.msg633918#msg633918 says a CI323 nano will do 117mbps over OpenVPN, which implies #1 was without VPN.
3. 2 also says that an i7-4500U will do 287mbps over OpenVPN.
4. https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux says a reasonable AES-NI expectation is +25%.

So the conclusion I'm reaching is
1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do. Perhaps the Zotac CI323 would be a good idea because it's a name brand with support.
2. If you want 1gbps, you're probably limited to the 4500U or better, so no Celerons.
3. If you want 1gbps over OpenVPN, AES-NI is KEY. Even the 4500U may not be enough, but close, and likely cheaper than the required server hardware. See the OpenVPN tests in 4.

Once OpenVPN supports AES-NI, you'll want to be on at least the N3150 to utilize it. The question is, how much will the Realtek NICs kill the performance in comparison to Intel NICs, which currently don't seem to exist on any N3150 system (that I could find).

Of course, price is also a consideration.

100-150 US gets you a J1900 or N3150
300 US gets you an i7-4500U
350-500 US gets you Atom C2xxx systems.

mauroman33

@duren:

                                          Sorry, I don't agree with the first two points of your conclusions because as albatorsk said "Since pfSense 2.3, I have no problem getting the full 1Gbps throughput."
                                          So when you write "If you want 100mbps…" that's only an OpenVPN matter for CPUs like J1900, N3150 or 4500U.

Pippin

@duren:

So the conclusion I'm reaching is
1. If you want 100mbps, any of the J1900, N3150 or 4500U boxes will do.
2. If you want 1gbps, you're probably limited to the 4500U or better, so no celerons.
3. If you want 1gbps over OpenVPN, AES-NI is KEY… See the OpenVPN tests in 4.

Have a Gigabyte N3150N-D3V here, so cannot write about the others.
2x Realtek 8111G NICs.

1. Yes
2. No, it will happily saturate 1 Gbps (948 Mbps), maybe even more, but I have no faster network to test.
3a. That article from Jan Just Keijser (who wrote some very nice books about OpenVPN) was written at least 5 years ago. Not all is current info.
3b. OpenVPN:
The following test was done in a client-to-client scenario. Meaning, on the OpenVPN server there is an extra decrypt+encrypt going on compared to client-to-server, because of the packets flowing between two clients. The client-to-server scenario I haven't tested yet, but I would think that throughput would go up.
My tests with the following settings:
Server:

Remote Access (SSL/TLS+User Auth)
udp
tun
tls static key 2048
Diffie Hellman 2048
Certs 2048
Encryption AES-256-CBC
Auth digest SHA512
prng RSA-SHA512 32
fast-io
comp-lzo no
tls-version-min 1.2 or-highest

Both clients:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.11.200 1194 udp
lport 0
verify-x509-name "OVPN-SERVER-CERT" name
auth-user-pass
ns-cert-type server
comp-lzo no
prng RSA-SHA512 32
tls-version-min 1.2 or-highest

                                            The iperf result was 160 Mbps.

When encryption is disabled, "auth none" "cipher none", throughput is 270 Mbps. I did not test with other crypto settings. Here one gets an idea of what impact crypto/hashing has.

The second idea is the difference between 948 Mbps normal and 270 Mbps OpenVPN (unencrypted). Mainly caused by packets travelling between kernel and userland, and OpenVPN's internal fragmenting and defragmenting; here CPU power (of a single core!!!) comes into play.

When OpenVPN version 2.4 is ready, bringing AES-GCM, it is expected that throughput will go up.

Once OpenVPN supports AES-NI

See 3a above.
It does already, or more accurately OpenSSL does. When AES-NI is supported one doesn't need to set any hardware crypto options in pfSense/OpenVPN. OpenSSL will automatically use it when available.

The question is, how much will the realtek nics kill the performance in comparison to intel nics which currently don't seem to exist on any N3150 system (that I could find).

I see no problems with the 2 RT NICs 8111G on my board. I left settings at default because fiddling with them brought no benefit in my case.
Of course I have no comparison of this board with Intel NICs, but I have a feeling it would not be very different.

                                            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                            Halton Arp

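The client config and the AES-NI question discussed above, as an added example that is not code from Pippin's post, pfSense or OpenVPN: a small linter that flags the weak, deprecated or benchmark-only options in a client config like the one posted (ns-cert-type and prng are flagged as deprecated in later OpenVPN releases; the hardened equivalents remote-cert-tls and AES-256-GCM are assumptions of the example), plus a parser for the Features2 line FreeBSD prints at boot, which is how one confirms on pfSense that the CPU exposes AES-NI for OpenSSL to pick up automatically. The config text and the dmesg line are constructed samples embedded in the block.

```python
"""Lint an OpenVPN client config for weak or deprecated options and check a
FreeBSD boot line for AES-NI. Added example; not code from the post or pfSense."""
import re

# Constructed sample: the client config quoted in the post above, verbatim.
CLIENT_CONF = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.11.200 1194 udp
lport 0
verify-x509-name "OVPN-SERVER-CERT" name
auth-user-pass
ns-cert-type server
comp-lzo no
prng RSA-SHA512 32
tls-version-min 1.2 or-highest
"""

# Constructed line in the format FreeBSD (pfSense) prints in /var/run/dmesg.boot.
DMESG_LINE = "  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>"

def parse_conf(text):
    """Map each option to its arguments (first occurrence wins); '#' and ';' start comments."""
    opts = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            opts.setdefault(parts[0], parts[1:])
    return opts

def first(opts, name, default=""):
    """First argument of an option, or default when absent or argument-less."""
    return (opts.get(name) or [default])[0]

def lint_client_conf(text):
    """Return (severity, message) findings for a client config; [] means clean."""
    o, found = parse_conf(text), []
    cipher, auth = first(o, "cipher").upper(), first(o, "auth").lower()
    if cipher == "NONE" or auth == "none":
        found.append(("crit", "cipher/auth none: no confidentiality or integrity (benchmark only)"))
    if "ns-cert-type" in o:
        found.append(("warn", "ns-cert-type is deprecated; use 'remote-cert-tls server'"))
    elif "remote-cert-tls" not in o:
        found.append(("warn", "no server-certificate usage check (remote-cert-tls server)"))
    if "verify-x509-name" not in o:
        found.append(("warn", "no verify-x509-name: server identity not pinned to its cert"))
    if "prng" in o:
        found.append(("info", "prng is deprecated and removed in later OpenVPN releases"))
    if cipher.endswith("-CBC"):
        found.append(("info", cipher + ": consider an AEAD cipher (AES-256-GCM, OpenVPN 2.4+)"))
    if first(o, "tls-version-min", "1.0") < "1.2":  # string compare suffices for 1.0/1.1/1.2/1.3
        found.append(("warn", "tls-version-min should be at least 1.2"))
    if o.get("comp-lzo", ["no"]) != ["no"] or o.get("compress", []):
        found.append(("warn", "compression enabled; disable unless required"))
    return found

def aesni_in_dmesg(line):
    """True if a FreeBSD 'Features2=0x...<...>' CPU line lists the AESNI feature."""
    m = re.search(r"Features2=0x[0-9a-fA-F]+<([^>]*)>", line)
    return bool(m) and "AESNI" in m.group(1).split(",")
```

On a live pfSense box the same check is `grep Features2 /var/run/dmesg.boot`; an empty lint result on the posted config requires swapping ns-cert-type for remote-cert-tls, the CBC cipher for AES-256-GCM, and dropping prng.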