Home use, use home server + vmware pfsense or buy sg-2220?



  • Hi Guys

    I'm looking at deploying pfSense into my home LAN, to policy route 3 specific IP addresses through OpenVPN

    I currently have a 'home server' running Win7 x64 with core2duo and 4GB, which gets used for media sharing and a few other things. CPU used to be an AtomD525 but was too sluggish.

    Being new to pfsense I notice there's a variety of ways to deploy in this scenario.

    • I can either buy an sg-2220, which is quite pricey for home use at $299

    • I can buy a mini-itx pc with aes-ni equipped celeron, atom or i3

    • I think I can run pfsense as a vmware image on the home server. I'd buy an additional dual intel network card for this

    May I ask what the general consensus would be, in terms of best option on limited budget?

    Also, I think I read somewhere I can buy the netgate sg-2220 board only, and perhaps add a nano-itx case and do the pfsense install myself on it to keep costs down?


  • Netgate Administrator

    What sort of throughput do you need?

    You can run pfSense in a VM in this scenario but you need to be sure the WAN side is isolated from the host and the rest of the network. Can you really be sure of that running inside Windows 7?  :-\

    I would want to run a real hypervisor at the very least before considering that option.

    Steve



  • Thanks for the reply.

    To answer your question, my broadband speed is roughly 100Mbps down / 5 up, here in the UK.

    As it's for home use, I'd be happy to run OpenVPN with AES 256 or 128, if it helped speed things up

    Regards VMware pfSense, perhaps I can switch to a Hypervisor foundation. Would it be asking too much of a core2duo to run both VMs on that Hypervisor?

    vm1 pfsense,
    vm2 windows 7 x64



  • A couple of things:

    You don't say what variant of Core2 Duo you are using.

    If you use ESXi:
    -  you would need to increase the memory on your home server - to probably at least 8 GB - just to install ESXi - and give the VMs some space.
    -  you might find that your Win 7 product key can't be "activated" for a Win 7 VM - the VM does not "see" the same "hardware" as the bare metal install.
    -  dual-port Intel NIC yes, for sure.

    An SG-2220 might be easier, if not less expensive.


  • Netgate Administrator

    Depends what you're running in Win 7 among many other factors.

    I personally would not want to run pfSense as the edge firewall in a VM under Windows. I couldn't be sure it would not open up the WAN if you reboot it for example.

    Obviously I'd rather you bought our hardware  ;) But if you have the D525 available still you could try that even if only as a test. You won't get 100Mbps OpenVPN traffic through it but you might come close with some tweaking.

    Steve



  • @biggsy:

    A couple of things:

    You don't say what variant of Core2 Duo you are using.

    If you use ESXi:
    -  you would need to increase the memory on your home server - to probably at least 8 GB - just to install ESXi - and give the VMs some space.
    -  you might find that your Win 7 product key can't be "activated" for a Win 7 VM - the VM does not "see" the same "hardware" as the bare metal install.
    -  dual-port Intel NIC yes, for sure.

    An SG-2220 might be easier, if not less expensive.

    I had a Core2Duo 2.8GHz E5500 spare, so I put that in the home server with 4GB. I have the intel Atom D525TUD lying spare - motherboard, 4GB DDR3 and integrated realtek Gigabit adapter. As I can't stop buying things on ebay (!) I picked up an Intel Pro/1000 PT PCI-E LAN adapter. Upping RAM to 8GB is no problem.

    I suppose it's getting a bit elaborate what with having to install the hypervisor, then the two VMs - I should probably just get an sg2220!



  • @stephenw10:

    Depends what you're running in Win 7 among many other factors.

    I personally would not want to run pfSense as the edge firewall in a VM under Windows. I couldn't be sure it would not open up the WAN if you reboot it for example.

    Obviously I'd rather you bought our hardware  ;) But if you have the D525 available still you could try that even if only as a test. You won't get 100Mbps OpenVPN traffic through it but you might come close with some tweaking.

    Steve

    Thanks Steve. Win7 is idle for 90% of the time, waking from its slumber to occasionally serve up the odd document, image and media to a pair of Amazon Fire TVs and a pair of workstations. I suppose I wanted to leverage that wasted horsepower by using a pfSense VM.

    Happy to try the D525, but I noted it doesn't possess AES-NI, which would really help performance I'd guess. It has a single Realtek LAN integrated, but I've acquired a Pro/1000 PT DUAL-LAN card. It'll be a bit bulky by the time I add case, and PSU. I do love how small and efficient the sg-2220 is. I think I'm talking myself into a purchase ;-)



  • The home server already runs the OpenVPN client.

    All I really want is the 2 Amazon Fire TVs to share that OpenVPN client.

    I wonder if there's a way to set the 2 Amazon Fire TVs' gateway address to point to the home server's static LAN IP and somehow utilise the OpenVPN client running on it?



  • Hmmm, the 2.8GHz E5500 is really a Pentium processor, not Core2 Duo.  Two cores, no hyperthreading or AES-NI.  Not an ideal machine for ESXi but it would probably work, especially as you say the Win 7 machine is idle a lot of the time.  Still, you've seen that it would be an effort - and then there's the learning curve if you haven't used ESXi.

    SG-2220 looking better?  :)



  • @biggsy:

    Hmmm, the 2.8GHz E5500 is really a Pentium processor, not Core2 Duo.  Two cores, no hyperthreading or AES-NI.  Not an ideal machine for ESXi but it would probably work, especially as you say the Win 7 machine is idle a lot of the time.  Still, you've seen that it would be an effort - and then there's the learning curve if you haven't used ESXi.

    SG-2220 looking better?  :)

    Yes, but can the sg2220 do firewall, routing and openvpn all together? Its job would be to replace my existing router, which has a regular firewall. The sg2220 need only offer a basic firewall.



  • @Spectrum48k:

    … can the sg2220 do firewall, routing and openvpn all together?

    Maybe I'm missing something but why would you think it might not?

    The SG-2220 should handle your WAN speed of 100/5 easily - and with somewhat lower power consumption than the E5500.



  • Yes of course, I think I must've mis-read the UK distributor's website, where it states "Stateful packet filtering firewall or pure router"

    I inferred it could only do one or the other!


  • Netgate Administrator

    I would certainly expect it to. You will only get close to the limit of its abilities trying to fill the pipe with encrypted traffic. But even then, since OpenVPN is single threaded, it can only use one core, leaving the other to do whatever else may be required.

    The D525 won't do that.

    Steve