Just set up pfSense at home and at work, which packages should I consider?



  • After upgrading both home and work (small business) internet to FIOS gigabit I had to leave my old routing hardware behind.  I've had the two sites connected via IPsec VPN for years and now that the speeds are nearing gigabit it really showed how lacking my routers really were.  The old hardware was unable to go faster than 350 Mbps to the internet.

    Over the weekend I upgraded both sites to pfSense and set up an IPsec VPN between them.  Now I'm seeing my full gig speeds to the internet and waiting for updated hardware with AES-NI to achieve truly fast VPN speeds.

    So my hardware for pfSense is i7-3770 CPUs.  Two reasons.  1.  Fastest possible IPsec/VPN throughput I could afford right now.  2.  Want to be able to run some packages.  On my old router appliances I never ran any of the anti-virus / intrusion detection stuff as the devices were subscription and I wasn't going to pay huge annual subscriptions.

    So my question is:

    Now that I'm getting more comfortable with pfSense what packages should I look at?  I've used Pi-hole in my old environment and like the concept so I guess pfBlockerNG would be a possible addition?  What about Squid?  Others?

    I really don't want too many things, as I really want the highest performance on IPsec/VPN throughput for late night transfers, but neither site gets crazy internet use; occasional music/video streaming is probably the biggest demand.  Web browsing would be limited to daytime hours and probably not too much of an impact.

    So what products have you found to be beneficial?

    I'm amazed that pfSense is really capable of going toe to toe with enterprise level equipment and is community supported.  This concept I would gladly donate to, and plan to once I have a good stabilized environment under my belt.

    Very interested in responses.

    Roveer



  • I would say whatever you want. I would get the BGP/OSPF (FRR) and Routed (RIP) package as well as the ACME Let's Encrypt package. OpenVPN client export tool.



  • @mikeisfly:

    I would say whatever you want. I would get the BGP/OSPF (FRR) and Routed (RIP) package as well as the ACME Let's Encrypt package. OpenVPN client export tool.

    I was thinking more along the lines of

    clamav
    squid
    snort
    pfBlockerNG
    etc.

    I'm thinking I might just skip it all and keep the firewall very clean.

    Roveer



  • I would try A/B testing and see how you make out. My firewall is an i5 with 8GB of RAM running off a Kingston SSD, 120GB I think. I don't use any of those packages you listed because I don't want to take a performance hit, although I have Squid and SquidGuard installed, but I guess I really should do some A/B testing myself to see what I get. Currently I have a 1GB symmetric connection from Verizon FiOS. If I get some time during this holiday break (Thanksgiving in the USA) I may try to run some numbers to give folks an idea of the hit on the throughput. My co-worker runs Snort and pfBlockerNG and loves them. I have been reading the forums and I think there is an issue with pfBlockerNG right now resulting in a 404 error in the GUI, but the router still functions. I think I read they have a fix for it in 2.4.2 but I can't confirm that.



  • @mikeisfly:

    I would try A/B testing and see how you make out. My firewall is an i5 with 8GB of RAM running off a Kingston SSD, 120GB I think. I don't use any of those packages you listed because I don't want to take a performance hit, although I have Squid and SquidGuard installed, but I guess I really should do some A/B testing myself to see what I get. Currently I have a 1GB symmetric connection from Verizon FiOS. If I get some time during this holiday break (Thanksgiving in the USA) I may try to run some numbers to give folks an idea of the hit on the throughput. My co-worker runs Snort and pfBlockerNG and loves them. I have been reading the forums and I think there is an issue with pfBlockerNG right now resulting in a 404 error in the GUI, but the router still functions. I think I read they have a fix for it in 2.4.2 but I can't confirm that.

    Since pfSense is so easy to do A/B testing on (just make and restore backups) I might try a bit of this myself.  If you've seen any of my other posts, I have 1gb FIOS at 2 locations and really want the best IPsec VPN performance I can get.  My most recent iperf testing (by binding to specific interfaces) is showing 900+ Mbps firewall to firewall across the internet (just what I wanted), but IPsec performance at 200 Mbps.  Right now one side is i7-3770 but the other side is Pentium dual core, which in the lab tested very poorly for IPsec VPN due to lack of hardware encryption acceleration.  As soon as I get my other Dell Optiplex 7010 (I7-370) I'll get AES-NI running on both boxes and test site to site VPN speeds with iperf and file transfers.  In my lab I tested i7 & i5 VPN on a gig switch and was able to achieve 800+ Mbps across a VPN tunnel so I'm hoping for similar results.  Fingers crossed.  Once the environment is stable and fast I'll take a look at some packages.  On my home setup I'm using Pi-hole to adblock, which I had implemented when I had my Checkpoint 680.  I built it on a Raspberry Pi and really liked what it did.  So for pfSense I just pointed DNS to the Pi-hole and got an error, which I was able to resolve with a setting.  I might keep that or I might look at pfBlockerNG, but the more I think about it, I might keep the pfSense boxes clean.

    Roveer



  • iperf for performance testing, just turn it on when you need it
    acme for Let's Encrypt cert management, no load when not actively using it
    openvpn client export, if you are going to want to VPN in from a mobile laptop or phone it's easy.
    pfBlockerNG, Go Slow, it's easy to create a mess with this app.
    Bandwidthd, simple usage graphs



  • @MervinCM:

    iperf for performance testing, just turn it on when you need it
    acme for Let's Encrypt cert management, no load when not actively using it
    openvpn client export, if you are going to want to VPN in from a mobile laptop or phone it's easy.
    pfBlockerNG, Go Slow, it's easy to create a mess with this app.
    Bandwidthd, simple usage graphs

    Thanks so much for sharing.

    Already use iperf for my testing
    Don't need acme - using built in certmgr to make local certs for remote access
    Staying away from OpenVPN
    Eyeing PFBlockerNG but using pi-hole currently

    Bandwidthd - just installed it tonight.  Was something I was going to miss from my old router that would show top talkers etc.  Already used it to trace down a 1.5MB inbound burst every 20 seconds from the WAN to the LAN.  Turns out it was my daughter's TiVo Mini streaming Netflix.  Now I know.  This one's a keeper!!!

    Err-ahh…  Now I have a question completely off topic.  It has to do with acme and Let's Encrypt.  I'm tired of all of my HTTPS internal sites showing up in Chrome as "your connection is not private" because the cert is not trusted by the OS.  If I proceed, it sticks for a week.  There's a startup switch to ignore, but it puts up an ugly banner.  Very annoying.  I see Firefox will allow you to accept and won't bother you again, but I have to stick with Chrome.

    So I'm thinking about Let's Encrypt, except they expire in 90 days.  Is it possible using acme to auto renew?  I never get my head around certs so I'm not sure what it is that's expiring.  The cert or the CA trust?  Would I have to renew on all HTTPS sites using the CA?  I have about 6 total internal?  Mixed bag of OSes, Windows Server, Dell iDRAC, Linux, Netgear NAS, etc.  Just wondering if this is something that could be done or if I'm asking for lots of lost hours and little results.

    Roveer


  • LAYER 8 Netgate

    Yes. Pick one of the DNS providers supported and set up automatic renewals every 60 days. Works great.

    You also, naturally, need a registered domain name.

    The dynamic DNS is necessary because, in order to automate the process, the package needs to be able to create a TXT record with the current blob for Let's Encrypt to query proving current management capability for the domain in question.

    There are other methods there. I personally like DNS.
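
The reply above describes the DNS-01 mechanism the acme package relies on for unattended renewal: the client publishes a TXT record at _acme-challenge.<domain> whose value is derived from the CA's challenge token and the ACME account key, and Let's Encrypt resolves that record to confirm the requester controls the zone. The following Python is an added worked example of that exchange, written for this thread; it is not code from the acme package, pfSense or Let's Encrypt. It follows RFC 8555 (section 8.1 key authorization, section 8.4 DNS-01) and RFC 7638 (JWK thumbprint). The account key, token, domain and the "zone" dictionary standing in for the DNS provider API are all constructed placeholders, so the script runs offline and never contacts a CA or a resolver.

```python
"""ACME DNS-01 challenge: how an ACME client proves control of a domain.

Added example, not code from this thread, the pfSense acme package, or
Let's Encrypt. The account key, token, domain and 'zone' below are
constructed placeholders; nothing here talks to a CA or a DNS server.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no
    whitespace) of the *required* public members only. Extra members such as
    'kid' or 'use' are deliberately left out of the hash."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token '.' account-key-thumbprint. Binding the
    account key in means a record copied from someone else's challenge is useless."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(domain: str) -> str:
    """Owner name the CA queries for a DNS-01 challenge."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def publish_challenge(zone: dict, domain: str, token: str, jwk: dict) -> dict:
    """Client side: what the acme package does through the DNS provider API.
    'zone' stands in for the provider; it maps owner name -> list of TXT values."""
    name = challenge_record_name(domain)
    zone.setdefault(name, []).append(dns01_txt_value(token, jwk_thumbprint(jwk)))
    return zone


def validate_dns01(zone: dict, domain: str, token: str, thumbprint: str) -> bool:
    """CA side: resolve the TXT RRset and accept only if the expected value is
    present. A leftover record from an earlier token does not satisfy the check,
    which is why each renewal must be able to write a fresh record."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in zone.get(challenge_record_name(domain), [])


# Constructed account key: the coordinates are placeholders, not a real P-256 point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
TOKEN = "constructed-token-issued-by-ca"   # constructed, not a real challenge token
DOMAIN = "home.example.net"                # constructed placeholder domain

if __name__ == "__main__":
    zone = publish_challenge({}, DOMAIN, TOKEN, ACCOUNT_JWK)
    name = challenge_record_name(DOMAIN)
    print(name, "TXT", zone[name])
    print("CA validation:", validate_dns01(zone, DOMAIN, TOKEN, jwk_thumbprint(ACCOUNT_JWK)))
```

Running it prints the record the client would push through the provider API and the CA's verdict. The two checks worth noticing for a pfSense setup: the TXT value changes with every token, so the provider credentials configured in the acme package must allow writing records on each 60-day renewal, and the value is bound to the account key, so a record published for one ACME account cannot be reused to validate another.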

