Need some opinions about what I should use for pfSense



  • Hi folks,

    so since I got myself an Android TV I have no need for my HTPC anymore, but since it's compact and passive I thought it would be cool to use it as a router.
    But since the ASUS H81T in that PC just has one NIC (a Realtek RTL8111G) and I don't have a managed switch I have a little problem there. I also can't use any PCIe cards since this mobo only has mini PCIe.

    I've looked around a little and I've come up with several solutions, but I need some advice since I can't really decide which would be the most stable solution.

    Solution 1
    I could get a MikroTik RB260GS which is a 5 port managed switch, with that I could hook up the pfSense box and use 2 VLANs and my problem would be gone.
    Advantage, it would only cost me 40€ and I wouldn't have any leftover hardware around.
    Disadvantage, more cables, another device that I have to find a place for and slightly more power consumption.

    Solution 2
    Get rid of my unmanaged 24port switch and get a 16port one.
    Advantage, I can just replace my old switch and everything would be like before.
    Disadvantage, leftover hardware, less ports (but with 13 devices it would be just enough) and it would cost around 150€.

    Solution 3
    Would be getting another mainboard with two NICs, but since the case is a Thin-Mini ITX there would be only two options, the ASUS Q87T and the Gigabyte GA-Q87TN, and I don't even know if pfSense supports their NICs. The ASUS one has an Intel I217-LM and a Realtek RTL8111G and the Gigabyte one also has an Intel and a Realtek but they don't mention the chipset anywhere so I have no idea which ones it has.
    Advantage, I don't have to use VLANs because I don't really need all the features of a managed switch and I could keep my 24port switch.
    Disadvantage, leftover hardware and it would also cost me around 150€ and there is still the thing with compatibility to the NICs.

    Solution 4
    I could get a Mini PCIe to PCIe 1x riser cable and get a supported NIC. Problem is that I don't know how well this would work and how safe these Chinese riser cables from eBay are.
    I would also have to get a new case since the current one doesn't have any PCI slots. Or I could just get this NIC from Delock: http://www.delock.com/produkte/G_95239/merkmale.html?setLanguage=en
    Advantage, pretty much the same as the third solution's advantages and it would probably cost me around 80-100€.
    Disadvantage, I'd have a leftover case and I don't know how stable this would run because Realtek.

    Solution 5
    Just get a barebone Zotac ZBOX CI323 nano.
    Advantage, should run stable according to owners of this computer and it would be the easiest to set up.
    Disadvantage, I'd like to use the wifi of this thing but I can't with pfSense, it would also cost around 150€ and I don't really like the design of these NUCs, I'd rather prefer something I can mount in a rack..

    Since I can only decide for myself but can't really figure out what's the best, I just thought you could share some opinions and give me some advice which solution would be best in your opinion, I'm especially interested in solution 3 but I don't know if the NICs are compatible, the RTL8111G of my current H81T got detected but I don't really know if it is any stable.



  • Anyone?

    Edit: So as far as I've read, Realtek NICs are pretty wonky and people recommend using Intel NICs so I guess all my solutions are somewhat unreliable because I'd have Realtek NICs with every setup. I know that some people don't have any problems with their Realtek NICs, but it's the same thing like using ZFS without ECC RAM, it can work but it's like riding a bike without a helmet. Sorry for stating the obvious, but I'm just writing down my thoughts, maybe some newbie will stumble upon this thread with the same questions.

    I guess I could either get myself a managed switch + a cheap Thin Mini ITX board with an Intel NIC or get myself the ASRock Rack J1900D2Y which has two Intel I210-AT NICs. Since  both solutions would cost me around the same (except if I go with the Mikrotik switch) I'll probably get the latter board since I can save power and some space in my room and it has IPMI. :)



  • Since all options involve money you should consider an APU2C4 kit. That's a nice board too, plenty of options for future upgrades and can be used for any other purpose.



  • Oh wow, that's almost cheaper than buying a 16port switch or a new mobo!

    I can get it on eBay with a case for 160€, since it has a SATA port, would a 2.5" SSD fit into that case?
    http://www.ebay.de/itm/OPNsense-Komplettsystem-mit-AMD-APU2C4-4GB-RAM-rot-10-05-16-/182303833257?hash=item2a7227bca9:g:aKcAAOSw8w1X9Uy8

    It comes with OPNsense but it should be no problem to install pfSense I guess.
    I probably also need an adapter to supply power to the SSD if it fits, right?

    Edit: Alright, after further digging there is no German site where I could buy this cable for the 2.5" drive so I guess I have to get an mSATA SSD or use a USB stick.

    Edit2: I'm kinda hesitating a little, how would the APU2 compare to the ASRock Rack J1900D2Y in terms of speed? Because I've come to a point where 50-100€ more or less wouldn't really matter to me anymore, I just want a router that I can pretty much keep until the internet reaches 10Gbps, which will probably take a long time..



  • 10gbps??? not even with US$500

    If you want speed go with the Asrock board.



  • @shawly:

    … keep until the internet reaches 10Gbps, ...

    Nope, currently not realistic.
    IIRC we're maxing out at approx. 4Gb/s with pretty much any hardware you run a software stack on top for routing & filtering. And that's more like server grade hardware than an HTPC or other low power devices.
    1Gb/s would be a fair value - but not with an APU2. Have a look at the SG-2xyz devices in the pfSense store for that.



  • That pretty much means I can keep this router for the rest of my life, even better.

    If I get more speed with the ASRock then I'll go with the ASRock I think.



  • @shawly:

    If I get more speed with the ASRock then …

    As compared to what, an APU? Probably, but totally different approach.



  • I like that ASRock board, but that's a lot of money.

    I got an Asus H110M-E and an Intel Skylake Pentium G4400 for $121 (US) and added in a gigabit quad-port Ethernet server card for $32 on eBay.



  • @shawly:

    So as far as I've read, Realtek NICs are pretty wonky and people recommend using Intel NICs so I guess all my solutions are somewhat unreliable because I'd have Realtek NICs with every setup. I know that some people don't have any problems with their Realtek NICs, but it's the same thing like using ZFS without ECC RAM, it can work but it's like riding a bike without a helmet.

    It's not like that at all.  Using ZFS without ECC RAM is indeed like riding a bike without a helmet;  eventually you're going to crash but the helmet provides protection.  Using pfSense with Realtek NICs is more like riding a mountain bike on the road vs a road bike;  one of two things will happen:  Either you'll work harder to go the same speed, or you'll simply be limited in your top speed, but usually a combination of both.  But the mountain bike will get you there; just as Realtek NICs will work.  If your WAN speed is less than a few hundred Mbps I bet you won't be able to tell the difference.



  • Wonderful comparison haha, thanks for clearing this up for me. ;D
    My current connection is indeed below 100Mbps, but I want to move out of my current apartment and I also want a router that I can pretty much keep for the rest of its or my own lifespan. And even though 1Gbps is not pretty common in most areas in my country, I still want to be able to achieve that speed if I ever get my hands on such a connection.

    I've configured myself some builds ranging from 230€ to 330€ without a CPU since I still have a Pentium G3258 lying around. If I pass on IPMI I could get a single NIC board with an additional Intel Desktop NIC for around 230€, for around 300€ I could get the ASRock Rack I mentioned before, which would also be a fully passive build and for 30€ additional bucks I could also get a Supermicro board with ECC RAM since the Pentium supports ECC, that would also be a small safety feature and I'd have IPMI included.

    I'm actually even tending to get the latter, since I really like the Supermicro IPMI, because I already got a Supermicro board in my homeserver, only thing speaking against this would be the CPU cooler which I don't want to be passive on a 53W TDP.



  • @shawly:

    …I also want a router that I can pretty much keep for the rest of its or my own lifespan...

    Huh, you must be at least 75+ then.
    We're talking about technology that's still bound to Moore's Law. In 5 years you can get hardware that has a multitude of today's benchmarks or that draws significantly less power with the same number crunching capabilities.
    It just doesn't make sense to buy hardware today that's supposed to last for the next decades. Completely unrealistic.



  • jahonix is right.

    Going back to your OP, I'd suggest grabbing a cheap "smart" switch (you can get a 5 port TP-Link for $30USD; I'll leave the currency conversions to you) and experimenting with your current hardware.  You'll have a functional router at that point, and will get to learn a lot about pfSense and networking.  I'd wager it will perform quite well with your current connection and probably a lot more.  If you decide that route (no pun intended) isn't for you, you're only out a little bit of cash.  The Realtek driver supports hardware VLAN tagging, and the Pentium G3258 is fast enough to make up for any shortcomings up to a point much higher than your current WAN speed.



  • @jahonix:

    @shawly:

    …I also want a router that I can pretty much keep for the rest of its or my own lifespan...

    Huh, you must be at least 75+ then.
    We're talking about technology that's still bound to Moore's Law. In 5 years you can get hardware that has a multitude of today's benchmarks or that draws significantly less power with the same number crunching capabilities.
    It just doesn't make sense to buy hardware today that's supposed to last for the next decades. Completely unrealistic.

    I actually didn't mean it like that literally, I'm not that old, lol. I know I could save a 100 bucks if I go with the cheaper options but I'm a fan of IPMI and Germany only provides high bandwidth connections in some parts of bigger cities and I don't expect that'll change soon. That's why I think I can keep that router for a pretty long timespan even if you can get 4Gbps connections in five years, I don't think that'll happen in my area as soon as it's possible.

    It's also for self satisfaction, since I don't really need a new router, but I want one because I'm interested in pfSense and I currently don't like the custom firmware router I currently use, I want to have freedom. I could technically use my homeserver to host a pfSense machine and pass through a NIC via VT-d, but if I ever shut down my server or just the VM then my DNS and DHCP server would also be down so I couldn't use the internet while my server is in maintenance so I'd need a fallback DNS.

    And just like I said, it feels so satisfying to get new hardware and put it to use. ;D I definitely think this route is for me, I already tinkered around with a virtual pfSense machine and I like having so many possibilities which I don't have with my current router. I'm also not a complete newbie if it comes to networking, I'm employed as a software developer and we also had basic networking in school during my apprenticeship.



  • @shawly:

    It's also for self satisfaction, since I don't really need a new router, but I want one because I'm interested in pfSense and I currently don't like the custom firmware router I currently use, I want to have freedom. I could technically use my homeserver to host a pfSense machine and pass through a NIC via VT-d, but if I ever shut down my server or just the VM then my DNS and DHCP server would also be down so I couldn't use the internet while my server is in maintenance so I'd need a fallback DNS.

    And just like I said, it feels so satisfying to get new hardware and put it to use. ;D I definitely think this route is for me, I already tinkered around with a virtual pfSense machine and I like having so many possibilities which I don't have with my current router. I'm also not a complete newbie if it comes to networking, I'm employed as a software developer and we also had basic networking in school during my apprenticeship.

    You just answered your own question.  If you like tinkering with hardware and networking, go for it!  You have a lot of options available to you, most of which you detailed yourself.  All will work just fine IMO.  Just a matter of how much money you want to put in to start with.  Whatever you decide, hope you have fun with it.



  • @whosmatt:

    You just answered your own question.  If you like tinkering with hardware and networking, go for it!  You have a lot of options available to you, most of which you detailed yourself.  All will work just fine IMO.  Just a matter of how much money you want to put in to start with.  Whatever you decide, hope you have fun with it.

    Yeah I pretty much did haha, but nonetheless I still wanna thank all of you for your patience and your help!  :)
    I've looked a little more and if I'd go with the Pentium G3258 build it would consume a lot of power compared to a SoC board and because I like the Supermicro boards I've decided to go with the Supermicro X11SBA-LN4F since it has an even lower power consumption and even four Intel I210-AT NICs, so I could even try out dual WAN if there is a chance that my next apartment has cable and VDSL or better. :)



  • options the ASUS Q87T and the Gigabyte GA-Q87TN

    ASUS Q87T you will need the latest BIOS F4, pfSense is running well on it.
    GA-Q87TN is not really flawless running with pfSense on it.

    APU2C4 will be nice to play with for a longer time
    Jetway NF9HG-2930 will be the next fine running appliance
    AxiomTek NA342 or NA361 will be coming nearly to this above.