Hardware builds: Two devices for two sites



  • Hi.

    I am looking into hardware to deploy a firewall at two separate locations, both for 'home' use.

    I have a budget at around 1600 USD/1300 EUR for two devices. However, it can be reconsidered for good reasons.

    My main concern is to understand what kind of hardware I need to run pfSense stable within the usage as listed below. I have not been running any pfSense environment, and I have therefore no experience of how resource intensive it is for the mentioned tasks. It should also have some resource reserves to stand the test of time (to some degree).

    Site A holds all the main services:

    • VPN remote access (Low traffic)

    • Site-to-site VPN ("Site B")

    • Firewall and services like Snort

    • Reverse proxy for:

      • Cloud services and file server

      • Media server

      • 3 to 4 additional low traffic network services

    Site B mainly holds the backup server for Site A:

    • VPN remote access (Low traffic)

    • Site-to-site VPN ("Site A")

    • Basic firewall

    Requirements:

    • Reliable hardware (Stable/Good quality)

    • Min. 4 ethernet ports

    • Site A should have some resource buffer to handle change of services and ageing. Site B is not expected to change.

    • Hardware accessible in Europe is preferred.

    I am open to consider any type of hardware that satisfies the requirements. Any "down-to-earth" guidance and suggestions are also appreciated.

    Best regards,
    Kim


  • Netgate Administrator

    The most important consideration is what throughput you need.

    What bandwidth are the connections at those sites?

    Do you need to be able to push the full bandwidth for VPN traffic?

    Steve



  • Thank you for your reply.

    The infrastructure (ISP) currently supports 500/500Mbps for my area. However, I expect to limit it to 250/250Mbps the coming years.

    I don't need the full bandwidth for VPN traffic, it should handle 100 Mbps. Higher is convenient, but strictly not necessary.

    /Kim



  • The APU2 won't work as right now it would be taxed 100% with those specs. Minimal requirement would be an i3 and Intel network cards. There are prefab boxes that do that, Netgate sells a few as well. Check out the big topics on this hardware forum for suggestions.


  • LAYER 8 Global Moderator

    "1600 USD"

    Why would you not just buy say to 2 SG-4860's at that budget mark?  Comes in under budget…

    Can tell you mine freaking screams!



  • Yes, that would be an option. The good thing is that it is well tested. What worries me is that the SG-4860 1U had EOS date last year, and the SG-4860 unit is beginning to get some years on its back (although it has been stated it won't be replaced any time soon). Since I live in Europe two units would actually tick in at 2000 USD including freight and taxes. With this in mind, I think that is a little too much for these devices.

    Admittedly I follow your reasoning. I have therefore been looking at the XG-7100, and all in all accepted the extra cost. I hope to expect that I get a unit with long service life, and find that I would not get a better trouble-free build for that cost with the form factor and quality in mind anyway. The catch is that it has not been tested out there yet.

    When it comes to storage for the main unit (Site A), would it be sufficient with 32 GB SSD, or should I upgrade the 256 GB M.2?


  • Netgate Administrator

    Unless you're planning to run a caching proxy, Squid, or another package with extensive logging you won't need additional storage.

    Steve



  • Good to hear. Thank you.

    /Kim

