pfSense Hardware for a Newbie



  • I am new and interested in using pfSense to run my VPN, which I have through StrongVPN.  Currently it's running on my router, which is an Asus RT-AC68U.  Without the VPN running on my router I'm getting about 190 down/20 up.  With the VPN on I'm only getting 22 down/20 up, which leads me to believe that my router is my bottleneck.  I don't necessarily have a budget, but I would like something that is somewhat future-proof.  I'm open to building my own firewall but would prefer for it to be compact.  I have also thought about buying an HP thin client; pros/cons?  Any feedback/suggestions are welcome.


  • Banned

    https://forum.pfsense.org/index.php?topic=127793.0

    That's what I recommend for just about any home use case similar to what you described. It's very cheap, with pfSense 2.4 BETA (very stable) you can even install to a couple of flash drives if you don't have something lying around.



  • @pfBasic:

    https://forum.pfsense.org/index.php?topic=127793.0

    That's what I recommend for just about any home use case similar to what you described. It's very cheap, with pfSense 2.4 BETA (very stable) you can even install to a couple of flash drives if you don't have something lying around.

    Just curious as to why you would suggest the 2.4 beta over the stable branch…? I noticed the 2.4 builds but decided to go for the stable release instead, figuring that I would have a hard enough time sorting out my VPN connections without throwing a "beta" in the mix....?

    When 2.4 is released and installed over 2.3.x, should it be an update where the configurations and settings are maintained...?

    Thanks


  • Banned

    Well I've been using it for a while now with VPN clients and servers, suricata, pfBlockerNG, DNSBL, and have not run into issues. I'm not saying there aren't any, just that I haven't noticed any issues and my system is totally stable. So for home use I would consider stability a non-issue, you can search for a list of open issues though (I think on redmine, should be a link to it in 2.4 subforum sticky).

    Here is a list of changes, the ones I think are most noteworthy:
    Upgrade to FreeBSD 11
    Upgrade to OpenVPN 2.4
    Upgrade to ZFS
    UEFI Installer Support
    Improved RAM Disk
    https://doc.pfsense.org/index.php/2.4_New_Features_and_Changes

    I want to say that when 2.4 rolls out it will be an upgrade, but don't know for sure. Even if it is a fresh install though, just backup your config.xml, install then restore from config.xml and all your settings will be the same!

    Setting up a VPN is as easy as finding one of the many step by step guides posted here or elsewhere and following it. Any questions you have you can probably find the answer to by searching the forum, and if not you can always ask here. It's just such a common thing for people to do on pfSense that it is very well documented.

    Really I just don't see any reason not to use 2.4 now for a home user.

    While you are researching hardware you can always mess around with pfSense in a VM to get the feel for it. The more familiar you are now the less downtime you will get on your initial install and configuration.



  • Being completely new to pfsense I was aware that this guide….

    https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/

    needed to be updated from a previous one written for an older version of pfSense. So, being so new to pfSense and dependent on being able to follow that guide written for the 2.3.x branch, that was important for me at my stage of using this newly built ITX box.

    I had noted a thread....

    https://forum.pfsense.org/index.php?topic=123915.0

    but I'm not sure how relevant that would be, considering that it was started at the beginning of the year.

    Good to know that backing up that config file can restore the settings applied.

    Whilst I appreciate that many people do indeed use pfSense as a VPN client, just taking a look at that guide I posted didn't make me think "easy"; it took several cups of tea before I had finished....!

    Good to know that 2.4 also supports a UEFI installer; that would have avoided my early issues of wondering why it could never boot from my stick on the ASRock motherboard.

    As a side note - maybe not best asked here though - is the ARP table the best place to look at what devices are currently connected to the pfSense box, and if so, does that only reflect what is or has been connected in the last few minutes...? Also, can those devices not be given better "names", as well as showing whether they are connected from a static or DHCP-derived address...?

    For example, my R7000 AP shows a list of all known devices which have connected, with their MAC address, connection method, access, etc. (the screenshot of a small part of that list is not reproduced here).

    @OP: The link which pfBasic shared with you will take you to an ITX board and J3355 CPU. That board is the one I have just used to build an ITX box and configure with pfSense. It works fine, is very low-powered and, coupled with a be quiet! 80 Gold+ PSU, it is really silent.

    My questions and purchase thread is here….

    https://forum.pfsense.org/index.php?topic=128388.0



  • @vimes:

    @pfBasic:

    https://forum.pfsense.org/index.php?topic=127793.0

    That's what I recommend for just about any home use case similar to what you described. It's very cheap, with pfSense 2.4 BETA (very stable) you can even install to a couple of flash drives if you don't have something lying around.

    Just curious as to why you would suggest the 2.4 beta over the stable branch…? I noticed the 2.4 builds but decided to go for the stable release instead, figuring that I would have a hard enough time sorting out my VPN connections without throwing a "beta" in the mix....?

    When 2.4 is released and installed over 2.3.x, should it be an update where the configurations and settings are maintained...?

    Thanks

    Thank you I appreciate all of the info.

    Here is what I have so far:
    Mother/Cpu: https://www.amazon.com/gp/product/B01M9EXCYB/ref=ox_sc_sfl_title_6?ie=UTF8&psc=1&smid=ATVPDKIKX0DER
    Ram: https://www.amazon.com/gp/product/B005LDLVAO/ref=ox_sc_sfl_title_5?ie=UTF8&psc=1&smid=ATVPDKIKX0DER
    SSD: https://www.amazon.com/gp/product/B00A1ZTZP0/ref=ox_sc_sfl_title_1?ie=UTF8&psc=1&smid=ATVPDKIKX0DER
    PSU: https://www.amazon.com/gp/product/B005TWE5E6/ref=ox_sc_sfl_title_3?ie=UTF8&psc=1&smid=A1ZXWJYIISJIMI
    Power Adapter: https://www.amazon.com/gp/product/B000VE7GQQ/ref=ox_sc_sfl_title_2?ie=UTF8&psc=1&smid=A2XSM833HSBO8A

    I believe that I have everything that I need with the exception of a case.  I would like a case that is compact but I'm not sure what to get.

    Is it possible to install the software onto a flash drive?  If so, what is the reliability like?  I feel as though with an SSD I wouldn't have that issue.


  • Banned

    @vimes:

    I had noted a thread….

    https://forum.pfsense.org/index.php?topic=123915.0

    but I'm not sure how relevant that would be.

    The J3355 has no issues with VPN performance; it's actually surprisingly capable given that it's a passively cooled Celeron. I personally got 150 Mbps @ 33% with a single VPN instance. Synthetic benchmarks suggest that it caps out @ ~300 Mbps per instance, although until someone shows real-world results that is unconfirmed.

    @vimes:

    Whilst I appreciate that many people would indeed use pfsense as a VPN client just taking a look at that guide I posted didn't make me think easy, it took several cups of tea before I had finished….!

    I just scanned through that guide; I've never used AirVPN (I use Private Internet Access). But there are a couple of settings there that are IMO fundamentally wrong:
    AES-256-CBC: This is just silly unless you have a major overkill CPU and just want to do it for shits and giggles. AES-128 has no known vulnerabilities; using AES-256 will do literally nothing for you except limit your throughput. It's like you have to drive through a town that is full of Indians with bows and arrows intent on killing you. You have two options to get you through safely: one is a bulletproof SUV with run-flats, the other is an M1 Abrams. You can choose whichever you want, but you have to pay for the gas and maintenance. If you choose the SUV it will cost about $80; if you choose the M1 it will cost about $45,000 (these are random numbers with no correlation).

    SHA1, on the other hand, does have known vulnerabilities and is widely recommended to avoid. Use any version of SHA2; SHA224 is what I would recommend if it's an option, because again it has no known vulnerabilities and will do what you need with the least amount of CPU overhead.

    So recommending AES-256 and SHA1 is just… dumb.

    Also, using port 443 seems weird to me. If it's an option I would use something else, like the IANA-assigned OpenVPN port: 1194. But this might be an AirVPN thing?

    @vimes:

    best place to look at what devices are currently connected to the pfsense box and if so that only reflects what is or has been connected in the last few minutes…?

    Status / DHCP Leases
    @vimes:

    Also can those devices not be given better "names" as well as knowing if they are connected from a static or DHCP derived address…?

    Services / DHCP Server / (Desired Interface Tab) > DHCP Static Mappings for this Interface > Click "+ Add"


  • Banned

    That stuff looks good!

    The only thing I would recommend is maybe sourcing the picoPSU & converter from mini-box. I just say that because IDK what the ratings of the AC/DC converter you listed are, and it isn't Prime anyway so shipping speed isn't improved. The one bundled with the mini-box listing is rated at, I think, ~88% efficiency at "normal" load. It is also only 60W, which in this case is good because your router can't hit 60W with those parts, and the closer you are to design power the more efficient it will be.
    Not a big difference at all, just a thought.
    http://www.mini-box.com/picoPSU-80-60W-power-kit

    You also might find a case at minibox, but I wouldn't know, I'm still using 10 year old cases on my stuff.

    Also, SSD is definitely better than flash drive.

    Flash drive is a viable option with ZFS and a RAM disk on pfSense, but the only real benefit is cost. If you don't mind the cost then an SSD is definitely the better option.



  • @pfBasic:

    @vimes:

    I had noted a thread….

    https://forum.pfsense.org/index.php?topic=123915.0

    but I'm not sure how relevant that would be.

    The J3355 has no issues with VPN performance; it's actually surprisingly capable given that it's a passively cooled Celeron. I personally got 150 Mbps @ 33% with a single VPN instance. Synthetic benchmarks suggest that it caps out @ ~300 Mbps per instance, although until someone shows real-world results that is unconfirmed.

    @vimes:

    Whilst I appreciate that many people would indeed use pfsense as a VPN client just taking a look at that guide I posted didn't make me think easy, it took several cups of tea before I had finished….!

    I just scanned through that guide; I've never used AirVPN (I use Private Internet Access). But there are a couple of settings there that are IMO fundamentally wrong:
    AES-256-CBC: This is just silly unless you have a major overkill CPU and just want to do it for shits and giggles. AES-128 has no known vulnerabilities; using AES-256 will do literally nothing for you except limit your throughput. It's like you have to drive through a town that is full of Indians with bows and arrows intent on killing you. You have two options to get you through safely: one is a bulletproof SUV with run-flats, the other is an M1 Abrams. You can choose whichever you want, but you have to pay for the gas and maintenance. If you choose the SUV it will cost about $80; if you choose the M1 it will cost about $45,000 (these are random numbers with no correlation).

    SHA1, on the other hand, does have known vulnerabilities and is widely recommended to avoid. Use any version of SHA2; SHA224 is what I would recommend if it's an option, because again it has no known vulnerabilities and will do what you need with the least amount of CPU overhead.

    So recommending AES-256 and SHA1 is just… dumb.

    Also, using port 443 seems weird to me. If it's an option I would use something else, like the IANA-assigned OpenVPN port: 1194. But this might be an AirVPN thing?

    @vimes:

    best place to look at what devices are currently connected to the pfsense box and if so that only reflects what is or has been connected in the last few minutes…?

    Status / DHCP Leases
    @vimes:

    Also can those devices not be given better "names" as well as knowing if they are connected from a static or DHCP derived address…?

    Services / DHCP Server / (Desired Interface Tab) > DHCP Static Mappings for this Interface > Click "+ Add"

    Thanks ever so much for your reply.

    When you write…..

    So recommending AES-256 and SHA1 is just... dumb.

    This is the AirVPN spec page showing their encryption.....

    https://airvpn.org/specs/

    DATA CHANNEL CIPHERS
    AES-256-CBC with HMAC-SHA1 for authentication

    CONTROL CHANNEL CIPHERS
    AES-256-GCM with HMAC-SHA384 for authentication(*)
    AES-256-CBC with HMAC-SHA1 for authentication

    So would I not need to use AES-256 to be compatible with their encryption?

    Sorry if this is a silly question.

    Thanks

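The settings argued over in the two posts above (AES-256-CBC with HMAC-SHA1 on the data channel, port 443, and what a pfSense OpenVPN client profile should carry besides those) can be checked mechanically. The linter below is an added example, not code from the thread or from any provider; it parses a small constructed `.ovpn` profile whose `cipher`/`auth` lines copy the AirVPN data-channel spec quoted above, and a second constructed profile with the settings an OpenVPN 2.4-era client would use. The directive names are real OpenVPN options; the hostname `vpn.example.invalid` and the key file name are placeholders. It flags CBC mode (a separate MAC instead of an AEAD mode), SHA-1 as the HMAC digest, compression, and a missing `tls-auth`/`tls-crypt` or `remote-cert-tls server`, and reports AES-256 and port 443 as informational, since both are costs or conventions rather than weaknesses.

```python
"""Lint an OpenVPN client profile (.ovpn) for the data-channel and control-channel
settings discussed in the thread. Added example; not from the thread or a provider."""
import re

# Constructed sample profile (not a real provider file). The cipher/auth lines
# mirror the AirVPN data-channel spec quoted in the thread.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-CBC
auth SHA1
comp-lzo
tls-client
persist-key
persist-tun
"""

# Constructed profile with the settings an OpenVPN 2.4+ client would use instead.
HARDENED_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
remote-cert-tls server
tls-auth ta.key 1
tls-client
persist-key
persist-tun
"""

LEGACY_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse_profile(text):
    """Return [(directive, [args])]. Inline blocks such as <tls-auth>...</tls-auth>
    are recorded as the directive name with no args; their body is skipped."""
    entries, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        if block:                                 # inside an inline key block
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            entries.append((block, []))
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def lint(entries):
    """Return [(level, message)] for the settings the thread argues about."""
    findings, have = [], {d for d, _ in entries}
    args_of = lambda name: [a for d, a in entries if d == name]

    for args in args_of("cipher"):
        name = args[0].upper() if args else ""
        if name.endswith("-CBC"):
            findings.append(("warn", f"cipher {name}: CBC plus a separate HMAC; prefer an AEAD mode (AES-*-GCM)"))
        if name.startswith("AES-256"):
            findings.append(("info", "AES-256 runs 14 rounds to AES-128's 10; both are secure, the difference is CPU cost"))
    if not have & {"ncp-ciphers", "data-ciphers"}:
        findings.append(("info", "no ncp-ciphers/data-ciphers: OpenVPN 2.4+ peers negotiate AES-GCM by default; older peers use 'cipher'"))
    for args in args_of("auth"):
        name = args[0].upper() if args else ""
        if name in LEGACY_DIGESTS:
            # HMAC does not depend on collision resistance, so HMAC-SHA1 is not known broken;
            # SHA-1 is still deprecated and SHA-224 costs the same as SHA-256 (it is SHA-256 truncated).
            findings.append(("warn", f"auth {name}: legacy digest; use SHA256 or stronger"))
    for d, args in entries:
        if d == "comp-lzo" and (not args or args[0].lower() != "no"):
            findings.append(("warn", "comp-lzo: compressing attacker-influenced and secret data together enables compression-oracle (VORACLE) leaks; disable it"))
        if d == "compress" and args and args[0].lower() not in {"stub", "stub-v2"}:
            findings.append(("warn", f"compress {args[0]}: same compression-oracle risk as comp-lzo"))
    if not have & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append(("warn", "no tls-auth/tls-crypt: control-channel packets are accepted unauthenticated before the TLS handshake"))
    if not have & {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}:
        findings.append(("warn", "no remote-cert-tls server: any certificate from the CA, including another client's, is accepted as the server"))
    for args in args_of("remote"):
        if len(args) >= 2 and args[1] == "443":
            findings.append(("info", f"remote {args[0]} port 443: a port choice, not a security property; providers pick it to pass restrictive networks"))
    return findings


def lint_profile(text):
    return lint(parse_profile(text))


def warning_count(text):
    return sum(1 for level, _ in lint_profile(text) if level == "warn")


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OVPN), ("hardened", HARDENED_OVPN)):
        print(f"== {label}: {warning_count(text)} warning(s)")
        for level, msg in lint_profile(text):
            print(f"  [{level}] {msg}")
```

Run it against the `.ovpn` a provider hands out before pasting its values into the pfSense OpenVPN client page; the warnings map directly to fields on that page (Encryption Algorithm, Auth digest algorithm, Compression, TLS Authentication, Server Certificate checks). A provider that pins `cipher AES-256-CBC` and `auth SHA1` on its side cannot be overridden from the client, which is the compatibility point vimes raises.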

  • Banned

    Well, it looks like they force you to use AES-256 and port 443.

    It looks like they are just forcing settings for marketing to the ultra-paranoid user who doesn't know or care what the technical implications are.

    If I were you I would cancel my subscription and switch to a provider that offers at least the option of more reasonable settings. PIA, as I mentioned, does this and is very well supported in pfSense, but they aren't the only game in town.

    I'm not seeing any reason that AirVPN is a good choice.



  • @pfBasic:

    That stuff looks good!

    The only thing I would recommend is maybe sourcing the picoPSU & converter from mini-box. I just say that because IDK what the ratings of the AC/DC converter you listed are, and it isn't Prime anyway so shipping speed isn't improved. The one bundled with the mini-box listing is rated at, I think, ~88% efficiency at "normal" load. It is also only 60W, which in this case is good because your router can't hit 60W with those parts, and the closer you are to design power the more efficient it will be.
    Not a big difference at all, just a thought.
    http://www.mini-box.com/picoPSU-80-60W-power-kit

    You also might find a case at minibox, but I wouldn't know, I'm still using 10 year old cases on my stuff.

    Also, SSD is definitely better than flash drive.

    Flash drive is a viable option with ZFS and a RAM disk on pfSense, but the only real benefit is cost. If you don't mind the cost then an SSD is definitely the better option.

    I appreciate all of your advice… in an effort to keep things simple I settled on the M300 enclosure from Mini-Box.  However, it looks like I'm going to need a riser card for the PCI slot.  I'm going to use the I340-T4 that you recommended.  Do you think this one is a compatible adapter: http://www.mini-box.com/s.nl/it.A/id.289/.f ?

    As far as the installation do you think this is a bad idea:
    i340 port1: WAN (from modem/router provided from ISP)
    i340 port2: LAN (to my RT-AC68U router as an AP)


  • Banned

    I don't have any experience with the M300. That riser card just says PCI, not PCIe, though. mini-box does list a PCIe riser, and there are many more reputable sellers of riser cards (Supermicro).

    You can try contacting mini-box and asking them the required dimensions for their case. Then just buy a card that matches those dimensions and the specs of your card & mobo.



  • Thanks pfBasic for all of your help.  I have my pfSense up and running with your suggested hardware and it's running flawlessly.  I did have some issues with my VPN provider and DNS Resolver, with some websites not resolving correctly, so I had to utilize the DNS option in DHCP Server.

    So what I ended up getting:
    J3355B, 4GB RAM, 120GB SanDisk SSD, I340-T4. I got the M350 case from mini-box and a riser from Amazon, but it doesn't fit nicely in the case, though it's working. At some point I either need to get a different case or another riser card.

    I don't have any parts lying around in the event of a failure, but do you recommend anything as far as spares to have?


  • Banned

    I don't anticipate any of those components failing anytime soon. Nothing moves or gets particularly hot. If you have to replace anything it will probably be from a bad component that will fail in the first few months and that's a crapshoot.

    Just keep a thumb drive loaded with the installer of the same basic version (i.e., 2.4.x, 2.3.x) of pfSense that you use, keep your config.xml files saved somewhere, and you should be fine for many, many years to come.

    Old desktop workstations often work for well over a decade and they have moving parts, deal with on/off cycles, etc. Your box will likely last at least that long and probably longer.
    The first thing to go will probably be capacitors, and you could even replace those for a few bucks and keep marching on if you wanted.
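The recovery plan in the post above (installer on a thumb drive plus a saved config.xml) works, with one caveat a practitioner would add: config.xml holds the VPN provider credentials, the OpenVPN TLS key material and the admin password hash, so the copy kept "somewhere" should be encrypted (the webGUI backup page offers an encryption password) and must be scrubbed before being pasted into a forum thread. The script below is an added example, not pfSense code; it runs over a constructed, heavily trimmed config.xml whose element names follow pfSense's layout (`<pfsense>`, `<version>`, `<system>`, `<interfaces>`, `<openvpn>/<openvpn-client>`) but whose values are made up. The set of secret-carrying tag names is my assumption for what a home config contains; extend it for packages you run. It summarizes what the backup is, lists where the secrets sit, and produces a redacted copy safe to share.

```python
"""Summarize, locate secrets in, and redact a pfSense config.xml backup.
Added example; the sample config is constructed and far smaller than a real one."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>15.8</version>
  <system>
    <hostname>pfSense</hostname>
    <domain>home.arpa</domain>
    <user>
      <name>admin</name>
      <password>$2b$10$constructedhashvalue</password>
    </user>
  </system>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <openvpn>
    <openvpn-client>
      <vpnid>1</vpnid>
      <description>Provider tunnel</description>
      <auth_user>vpnuser</auth_user>
      <auth_pass>c2VjcmV0</auth_pass>
      <tls>LS0tLS1CRUdJTiBPcGVuVlBOIFN0YXRpYyBrZXk=</tls>
    </openvpn-client>
  </openvpn>
</pfsense>
"""

# Tag names assumed to carry secrets in a home config.xml (assumption; extend as needed):
# user password hashes, OpenVPN auth credentials and TLS/static keys, IPsec pre-shared keys.
SECRET_TAGS = {"password", "bcrypt-hash", "auth_pass", "tls", "shared_key",
               "pre-shared-key", "secret"}
REDACTED = "[REDACTED]"


def _root(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "pfsense":
        raise ValueError(f"not a pfSense config (root element <{root.tag}>)")
    return root


def summarize(xml_text):
    """Identify the backup: config version, hostname, interfaces, OpenVPN instances."""
    root = _root(xml_text)
    ifaces = root.find("interfaces")
    return {
        "version": root.findtext("version"),
        "hostname": root.findtext("system/hostname"),
        "interfaces": [child.tag for child in ifaces] if ifaces is not None else [],
        "openvpn_clients": len(root.findall("openvpn/openvpn-client")),
        "openvpn_servers": len(root.findall("openvpn/openvpn-server")),
    }


def _walk(elem, path, visit):
    """Depth-first walk calling visit(element, path) on each secret-carrying element."""
    for child in elem:
        child_path = f"{path}/{child.tag}"
        if child.tag in SECRET_TAGS and (child.text or "").strip():
            visit(child, child_path)
        _walk(child, child_path, visit)


def secret_paths(xml_text):
    """Return the element paths that hold secret material, so you know what a
    plaintext copy of this backup exposes."""
    found = []
    _walk(_root(xml_text), "pfsense", lambda _e, p: found.append(p))
    return found


def redact(xml_text):
    """Return a copy with every secret element's text replaced; safe to paste in a thread.
    The structure is kept so others can still see how things are wired."""
    root = _root(xml_text)
    _walk(root, "pfsense", lambda e, _p: setattr(e, "text", REDACTED))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(summarize(SAMPLE_CONFIG))
    for path in secret_paths(SAMPLE_CONFIG):
        print("secret at", path)
    print(redact(SAMPLE_CONFIG))
```

`secret_paths` is also a quick check that a backup you are about to store unencrypted really does contain the tunnel credentials you would otherwise have to re-enter after a bare-metal reinstall; if it comes back empty for a box with a working OpenVPN client, you are looking at the wrong file.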