NooB - Want pfSense H/W for 100Mbps symmetrical - UK



  • Hi,

    Sorry, complete newbie with no idea :(

    I use PIA VPN today but because I have a very feeble 3Mbps DSL line I run DD-WRT on a router. We are soon to get fixed wireless in our village that will provide up to 100Mbps symmetrical - Yay, welcome to this century. Anyway, the UK's snooping charter has hardened my resolve to keep out of sight as much as possible - it is a total infringement of civil liberties. In reality I will probably get between 60 and 80 Mbps. I have looked at PC Engines APU2 and I am not sure this will cut it? I have seen a J1900 box on Amazon that looks promising but don't really know. I want something small and low powered (I care about the environment and my pocket).

    I think PIA will only provide about 50Mbps on VPN but I read about creating a VPN group or some such thing. No idea what that really means but it sounds like a way to get over the 50Mbps threshold. In fairness 50Mbps would be a massive improvement over where I am today. I could also change VPN provider but PIA have been great for me over the last few years so happy to stick with them.

    I have also seen somebody make a box from an Atom N280 HP thin client - would that be any good?

    I don't need to push all my traffic through a VPN - I don't care too much if the government see what I am watching on Netflix. I think this is possible by IP address in pfSense?

    Any ideas appreciated. BM.



  • @bogmonster:

    I use PIA VPN today but because I have a very feeble 3Mbps DSL line I run DD-WRT on a router. We are soon to get fixed wireless in our village that will provide up to 100Mbps symmetrical - Yay, welcome to this century. Anyway, the UK's snooping charter has hardened my resolve to keep out of sight as much as possible - it is a total infringement of civil liberties. In reality I will probably get between 60 and 80 Mbps. I have looked at PC Engines APU2 and I am not sure this will cut it? I have seen a J1900 box on Amazon that looks promising but don't really know. I want something small and low powered (I care about the environment and my pocket).

    The APU2 can handle 60-80Mbps easily, and will outperform the J1900 on crypto (it has AES-NI, the J1900 does not).



  • @bogmonster:

    I don't need to push all my traffic through a VPN - I don't care too much if the government see what I am watching on Netflix. I think this is possible by IP address in pfSense?

    Any ideas appreciated. BM.

    It's possible, and necessary actually, because Netflix actively blocks connections from PIA endpoints, at least in the USA.  It's casting a REALLY wide net, but I made an alias that contains every known Amazon AWS subnet (what Netflix uses) and use that to route traffic over my ISP gateway rather than PIA.  It's a HUGE alias but was easily created by scraping a list of AWS owned networks and with a little grep and awk I got a space separated list of subnets to paste into the config.  I'd be glad to share it if anyone is interested.

    Even that alias wasn't enough for my Roku and Fire TV devices; I ended up just routing all traffic from those via ISP gateway rather than PIA because other streaming services block VPN users as well.  But yeah, I don't particularly care that my ISP or whoever else is looking knows that I'm watching Netflix or streaming NFL Sunday Ticket.
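The alias-building step described in the post above, as an added example that is not part of the original post or whosmatt's own script. It assumes the source list has the layout of AWS's published ip-ranges.json (the post does not say which list was scraped), runs on a constructed sample using documentation-range prefixes, and uses hypothetical function names. Malformed and duplicate entries are dropped before the space-separated list is emitted, since the output is pasted straight into firewall configuration.

```shell
#!/bin/sh
# Constructed sample in the layout of AWS's ip-ranges.json (assumed source).
# Prefixes are documentation ranges, not real AWS networks.
sample_ranges() {
cat <<'EOF'
{
  "syncToken": "0000000000",
  "prefixes": [
    { "ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON" },
    { "ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2" },
    { "ip_prefix": "203.0.113.0/25", "region": "eu-west-2", "service": "EC2" },
    { "ip_prefix": "192.0.2.300/24", "region": "eu-west-2", "service": "EC2" },
    { "ip_prefix": "192.0.2.0/33", "region": "eu-west-2", "service": "EC2" }
  ],
  "ipv6_prefixes": [
    { "ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON" }
  ]
}
EOF
}

# Hypothetical helper: read ip-ranges JSON on stdin and print one
# space-separated line of unique, syntactically valid IPv4 CIDRs.
aws_alias_subnets() {
  grep -o '"ip_prefix": *"[^"]*"' |
  awk -F'"' '
    {
      cidr = $4
      if (split(cidr, p, "/") != 2) next                  # need addr/len
      if (p[2] !~ /^[0-9]+$/ || (p[2] + 0) > 32) next     # prefix length 0-32
      if (split(p[1], o, ".") != 4) next                  # four octets
      ok = 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || (o[i] + 0) > 255) ok = 0
      # Keep first occurrence only; the same prefix is listed once per service.
      if (ok && !seen[cidr]++) out = out (out ? " " : "") cidr
    }
    END { print out }'
}

sample_ranges | aws_alias_subnets
```

Against a live download, pipe the fetched JSON into `aws_alias_subnets` in place of `sample_ranges`, and review the resulting list before it goes into a rule that bypasses the VPN gateway.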



  • @bogmonster:

    I have also seen somebody make a box from an Atom N280 HP thin client - would that be any good?

    Not really.  It would probably be fine for just the firewall with a 100Mbps connection but adding VPN would really drag things down.  It's an older single core CPU and even though OpenVPN is single threaded, you'll want at least one other core to handle the rest of the system duties while one core is completely used by OpenVPN.



  • I use PIA VPN today but because I have a very feeble 3Mbps DSL line I run DD-WRT on a router. We are soon to get fixed wireless in our village that will provide up to 100Mbps symmetrical - Yay, welcome to this century. Anyway, the UK's snooping charter has hardened my resolve to keep out of sight as much as possible - it is a total infringement of civil liberties. In reality I will probably get between 60 and 80 Mbps. I have looked at PC Engines APU2 and I am not sure this will cut it? I have seen a J1900 box on Amazon that looks promising but don't really know. I want something small and low powered (I care about the environment and my pocket).

    And what exactly is in your pocket, or plainly your budget, to realize that?
    What do you plan to install from the wide range of available packages for pfSense?
    To come closer to that, do you plan to set up a firewall and some VPN connections or do you
    plan to set up something that is nearly or fully a UTM device? That might be more important
    than, or come on top of, the WAN speed regarding the hardware specs!

    I think PIA will only provide about 50Mbps on VPN but I read about creating a VPN group or some such thing. No idea what that really means but it sounds like a way to get over the 50Mbps threshold. In fairness 50Mbps would be a massive improvement over where I am today. I could also change VPN provider but PIA have been great for me over the last few years so happy to stick with them.

    Is this an IPsec or an OpenVPN based VPN connection? That is very important for the AES-NI inside
    of the CPU and/or also for the horsepower of the CPU itself.

    I have also seen somebody make a box from an Atom N280 HP thin client - would that be any good?

    I would rather have a closer look at the following devices:

    • APU2C4 + mSATA + WiFi card (perhaps and/or if really needed)
    • Jetway NF9HG-2930 + mSATA + WiFi card (perhaps and/or if really needed)

    I don't need to push all my traffic through a VPN - I don't care too much if the government see what I am watching on Netflix. I think this is possible by IP address in pfSense?

    If "they" want to know what you are doing over your Internet account "they" will do so
    whether you want it or not! And if you are a non fugitive guy you may then have a second
    option if anybody tells something else about you! ;-)

    Any ideas appreciated. BM.

    Firewall & VPN together with that WAN speed will work well for you with the hardware
    named above.



  • I will second whosmatt's & BlueKobold's reply in regards to multiple cores by referencing this pfSense doc. Depending on the version implemented, multiple cores will be of use.

    Also take a look at the NanoBSD version because it looks like you will be inevitably using some form of flash storage. In a hunt to keep system costs down you will probably be running into cheaper SSD drives or USB keys which may take a performance/reliability hit from frequent writes (logs, graphing).

    Look for something with a decent amount of RAM if you intend to use this solution as a firewall / VPN combo. Especially if you choose to go the NanoBSD route.

    EDIT: Since you are considering the apu2 series, this forum thread will be of great interest.



  • Hi,

    Thanks for all the replies and sorry for the slow response - on holiday and Ms Bogmonster gets grumpy if I am on the laptop too long. I think I am getting close to selecting an APU2 C4 4GB with a 32GB Kingston SSD. This comes pre-installed with pfSense from a UK supplier for little extra cost but I would be happy to install myself. I think I need the null modem cable for when I screw up the settings anyway and need to reset.

    I will be using OpenVPN and probably no additional packages - the VPN is all I really care about at the moment. For the time being I will use my router as an access point so will not add the wireless card yet - can always add it later if I decide to. May do this as it is probably going to work out cheaper in the long run due to the lower power consumption and the price of electricity + the environment. I think many routers are power hungry and I can always sell my existing router.

    As for the Government being able to see what I am doing with a VPN, then maybe if they put enough effort into it they can. I know in the US with a recent hacker they had to get a warrant for the VPN provider's logs. Also I am not worried about the Government looking at my PC browser history because they will also need a warrant. What I object to is mass surveillance. I am not doing anything illegal so they will struggle to get a warrant (if our civil liberties don't slide further), I just don't want to share what I am doing with the Government as it is none of their business. As it is I hate to fund the mass data collection through increased broadband prices and potentially taxes. The government would not be telling ISPs to collect the data if it was easy for them to do themselves. I sure as hell will not make it any easier for them. If enough people stand up then the government spying bill will be flaccid. I can't see how it is going to catch terrorists or stop organised crime so you really need to question the deeper motivations…

    I will need to do some research into how to prolong the life of the SSD. Hopefully I can make the necessary changes post installation of pfSense?

    Cheers, BM



  • OK, the deal is done. I have ordered:

    https://linitx.com/product/linitx-apu2-c4-4gb-3nicusbrtc-pfsense-msata-firewall-kit-blue/14230

    with the wireless card.

    BM



  • @bogmonster:

    OK, the deal is done. I have ordered:

    https://linitx.com/product/linitx-apu2-c4-4gb-3nicusbrtc-pfsense-msata-firewall-kit-blue/14230

    with the wireless card.

    BM

    Please don't forget to buy a combo such as the one shown here: console equipment.
    Usually it will even happen that you need it and it is the weekend and none of your
    friends has one ready to lend you.

    If someday something goes wrong with the BIOS or with a BIOS update, you should
    know that you could get a SPi1A that can be used to recover that BIOS so you
    don't brick that unit!



  • I'm also looking into this with maybe a different set up, still undecided if to beef up my hp gen8 microserver, and run pfsense in a variety, or go hardware.

    However bogmonster, just to clarify the UK government don't need a warrant to look at your browsing history. They do should they want to hack any of your devices, but to look at someone's URL history, then they can approve internally. Oh, and that is open to a huge list of government departments.



  • @Toastking:

    I'm also looking into this with maybe a different set up, still undecided if to beef up my hp gen8 microserver, and run pfsense in a variety, or go hardware.

    However bogmonster, just to clarify the UK government don't need a warrant to look at your browsing history. They do should they want to hack any of your devices, but to look at someone's URL history, then they can approve internally. Oh, and that is open to a huge list of government departments.

    All the more we need a good way to protect us from being hacked.



  • @Toastking:

    I'm also looking into this with maybe a different set up, still undecided if to beef up my hp gen8 microserver, and run pfsense in a variety, or go hardware.

    However bogmonster, just to clarify the UK government don't need a warrant to look at your browsing history. They do should they want to hack any of your devices, but to look at someone's URL history, then they can approve internally. Oh, and that is open to a huge list of government departments.

    My bad, I had meant to say "browser history" and not "browsing history". A warrant will be needed to inspect my PC to get the browser history.

    The device is waiting for me at the office, will pick it up Monday when I am back at work and let you know how I get on. Still on a 3Mbps service at the moment so won't be able to kick the tyres properly yet, 100Mbps comes early in the new year I hope.

    BM



  • How are you getting on with your APU2C4 Mr bogmonster? I'm thinking of getting one. I take it the LinITX service was acceptable?