Best Hardware for 1Gbps Link?

  • Hello Everyone,

    I want to have openvpn secure server + client + IDS + IPS + wifi network + Web filter + adblocker at the sametime within the pfsense,

    so everyone who is connected to the wifi or lan will have all the services above without need to setup anything on their devices.

    is this something can be accomplish with pfsense ? if yes, what is the best hardware to have?

    Thank you for your support.

  • HTTPS does not work with web filters unless you configure the client. HTTPS was designed specifically to defend against this situation.

    As with all complex computer technologies, they do what they tell them to do, not what you want them to do. There is no turn-key IDS or IPS. You are going to need to do a lot of learning.

  • Thank you for your quick response,

    whats about pfblocker? does will block all adservers no matter http(s)?

  • Banned

    You can filter HTTP/S without doing a MiTM of all your clients with DNS blacklisting on pfbng's DNSBL. The filtering will only be as good as the lists you use, but there are good lists available (shallalist is a good one).

    I don't use any MiTM (or squid in any form) on my network, but I can force google safe search and filter websites fairly effectively. I can even block connections to public VPN providers. The filtering would be even more effective if I turned on TLD, but last time I tried that my system ran out of memory and crashed so I haven't tried again.

    In short, you can do some pretty effective filtering without using MiTM. MiTM will open up some doors but in my experience is a real PITA and not worth it on a home network.

    As far as hardware goes, you won't get gigabit OpenVPN throughput on any hardware. IDS/IPS is going to be by far your biggest CPU hog unless you are running a very light rule set (i.e., a few simple rules). I would say using the free snort VRT, OpenET rules after turning the FP's off would be a moderate rule set.

    For hardware - get Intel NIC's - non negotiable for what you want to do. I would recommend i3x0-tx. If you are building for home and like money then buy a used eBay server pull from a reputable seller, you won't be able to tell the difference from a new one and it will cost significantly less.

    Use a cheap, small SSD for storage (even if you want to use squid). ZFS has some benefits worth considering, even on single disk installations.

    RAM is cheap, speed of the RAM won't matter on anything semi-modern, but do use dual channel. I would recommend no less than 6GB with large pfBNG / DNSBL lists + the packages you listed, see the below official RAM requirements for TLD - keep in mind these are for TLD only. My system runs all of the packages you listed and generally has a little over ~5GB RAM in use without TLD but with RAM disks.

    TLD Domain Limit Restrictions:

    < 1.0GB RAM - Max 100k Domains
        < 1.5GB RAM - Max 150k Domains
        < 2.0GB RAM - Max 200k Domains
        < 2.5GB RAM - Max 250k Domains
        < 3.0GB RAM - Max 400k Domains
        < 4.0GB RAM - Max 600k Domains
        < 5.0GB RAM - Max 1.0M Domains
        < 6.0GB RAM - Max 1.5M Domains
        < 7.0GB RAM - Max 2.5M Domains
        > 7.0GB RAM - > 2.5M Domains

    CPU really depends on what you're willing to compromise on (you have to compromise on gigabit OpenVPN - you simply will not gigabit throughput). If you want to run lots of complex IDS/IPS rules at gigabit speeds you'll need a  beefy CPU.
    Gigabit without packages can be done on the cheapest SoC Celerons from a couple generations ago.

    OpenVPN throughput needs modern architecture + AES-NI + High clock speed. Unless you have a virtually unlimited budget I would recommend an absolute upper limit CPU budget for home use of an i3-7350K @ ~$150. In other words I don't reallt recommend spending this much on your CPU unless you absolutely must have the maximum OpenVPN throughput.

    For a frame of reference I saw someone report I think ~650Mbps OpenVPN AES-128 on an i3-7350k w/out IDS?
    My i5-2400 maxes in the 10% range with OpenVPN AES-256, moderate IDS/IPS, PfBNG + DNSBL for a 150/15 line.
    On the opposite end of the spectrum a 2.0GhZ passively cooled SoC Celeron J3355 will get ~300Mbps OpenVPN AES-128 w/out IDS, ~64Mbps w/ IDS.

    That kind of outlines the built in speed limitation to OpenVPN. A $55 Soc Celeron @ 2.0GhZ gets half the speed of a full blown core i3 Desktop CPU @ 4.2GhZ that costs triple the price for CPU only. Don't be fooled by comparing clock rates only, these are entirely different architectures. My point is that there are seriously diminishing returns when buying CPU for OpenVPN throughput.

    In most cases a used eBay SFF desktop w/ a used Intel NIC will suit you best. Cost of electricity is an often cited reason not to do this. Often it's actually not an issue but check your bill and see what you pay for electricity. If you are paying >$0.25/KwH then consider paying more for a modern low power system if you will keep the system for a very long time.

    For a frame of reference my above mentioned 95W TDP i5-2400 system burns about 34W. For a home network your system will likely spend the massive majority of its life at idle simply because you aren't usually maxing out your connection at home.

    Here's an example of what I would call a high-end system for your use-case:

    Plus a used NIC:

    ~$245 for a whole system with a monster CPU - you can certainly do better than that. That's just what came up in <1 minute google search.

    I personally would not spend a penny more than that and would shoot for ~$185 for a high end system, you can certainly get by with less depending on IDS/IPS requirements.

    If you have used components laying around that you can reuse than do so and spend even less.

  • pfBasic, There is no enough way to say thank you, you just made my day, Thank you for taking the time to write every letter, I really appreciate your valuable time for sharing your knowledge and experience with the community.

    I have a AMD PC with FX 8350 and 8Gb ram + gts 450 sitting in the basement, I will start immediately playing with it to get my hand dirty in pfsense.

    I am waiting for Ryzen 1920x to arrive, as I will use it 24/7 for VFX and I hope to run pfSense at the same time with this rig through KVM.

    so here is what I am going to do:
    I will run two KVM, one with Win10 and the other with pfsense, and I will plug my wan cable directly with the PC(dual intel Nic) and make bridge from PC(pfsense) to the DD WRT router to have dual band wifi network access.
    can I make kvm windows 10 to use pfsense not my ISP wan as gateway (they are both running on same machine) ? can this done virtually or I need to add more nic and port link from dd wrt?

    Have a wonderful weekend

Log in to reply