First time creating a pfSense for Verizon FIOS Gig connection

  • So first thing, I am not a noob :) I have been in IT / Security for around 18+ years (which does not mean much, but trust me, I know what I am doing :) )

    So I want a decent firewall for home. I was using SonicWALL before but have upgraded to Gig Internet, and the old TZ could not keep up with the speed, so I was looking at all the usual: Palo Alto, Check Point, Cisco 5525, etc., but the price for gig speed jumps up pretty high, so this brings me to pfSense.

    I have this thing sitting on my desk that I planned to use as an HTPC, but I am thinking about using it for this build instead. It is an i7 with 16GB DDR4 RAM and a 256GB SSD (I got this as a giveaway from a vendor event, so no need to worry about the cost of the thing). The only issue is that it only has 1 network port. I can add a USB-based network port, but I am not sure how stable it is going to be and what kind of performance I am going to get. It has multiple USB 3.0 ports and 1 USB-C 3.1.

    So does it look like this will work?

  • Galactic Empire

    We don't recommend USB NICs because most of them are not built for 24/7 usage. pfSense should work great on your device; however, it does seem like a bit of overkill. I would rather install ESXi on it and use it as a mini server (with pfSense virtualized) :)

  • I have a Quad Core Xeon server with 64GB RAM and Windows Server 2012 R2 that I am using as a Hyper-V server to run my virtual machines and some other services. That server also has 6 Intel Gig ports.

    I am not sure how the routing will work with a VM.

  • Galactic Empire

    My biggest issue with the device is the lack of a second NIC. Instead of using a USB NIC, try building a "one-armed router": a single NIC but with VLANs for WAN and LAN. Of course, you can go with a USB NIC, but don't be surprised if the NIC stops working after some time :)

    As for your main server and virtualizing pfSense, it should work just fine in a VM. We have guides here:

  • First, I was in the same position you've found yourself in, coming from CheckPoint and Netscreen many years ago. So, my advice to you would be to do it right the first time. Once you have pfSense up and running, you won't want to tear it down.

    There are a few potential issues you should be aware of with that little mini-PC:

    1.) The USB thing as everyone has pointed out
    2.) The chipset of the motherboard is fairly recent, therefore it may not be supported, or poorly supported, by the FreeBSD (pfSense), VMware, etc., HCL
    3.) You really need at least 2 physical Ethernet interfaces, preferably made by Intel, and supported by the OS HCL. The one-armed router thing is a reasonable idea, but adds a layer of complication you may not enjoy until you get a little keyboard time under your fingers

    My advice for an uneventful, newbie, pfSense hardware experience:
    Supermicro is a no-frills, solid motherboard manufacturer. Most have at least 2 Intel interfaces onboard. You should be able to find an LGA1156 or LGA1155 M/B and appropriate processor (clock speed is more important than number of cores) on eBay for $100-150. Get 8G RAM for bare-metal, 16G for virtualized, a spindle hard drive, a case and you're ready to go. If you want an out-of-the-gate performance boost, grab a 2 or 4-port Intel PCIe NIC, and leave the onboard NICs relegated to out-of-band management. For $250-500 you can get a firewall/router/IDS/IPS that will put any of the traditional hardware vendors to shame.

  • I would ditto what everyone else is saying. Using a router on a stick should work out pretty well, assuming you have a managed gigabit switch lying around. I also have Fios and put my pfSense in the DMZ of the Fios-provided router, and everything seems to work well (site-to-site VPNs, Xbox Live, Plex, …) and I never have to touch the Fios router. I also turned the Wi-Fi off on the Verizon router and use Ubiquiti APs, which works well.
