Netgate Discussion Forum

    Is it more cost effective to build my own PFSENSE box or just buy a small one?

    39 Posts 11 Posters 33.0k Views
    • Live4soccer7

      I'm just curious if it will really make a difference if I build my own little pfsense box or buy one.

      It is for home use, but I do run a small business and will be running network cables throughout the house with 20-30 cables total. There are several video streams that could be going on simultaneously. I run an unraid server on the network that is transcoding often, downloading, running vms, several thin clients around connected to the vms, etc… I have a separate wireless router, so I don't need wireless functionality and I also have an external switch as well for all the additional network cables I'll be running.

      I currently have vpn enabled on my pfsense build, but have not added modules/apps to pfsense.

      This is the build that I created a couple years back. I'm not sure that the prices are still accurate. I believe that it is probably a bit overkill, but I'm curious on opinions.

      M350 case - comes w bracket for 2.5" drive $40
      A1sri-2758 or 2558 processor ( get mini-itx version) $330
      8GB Ram $40
      PicoPsu - 80w - $25
      40mm noctua fan w low noise adapter
      Noctua NF-A4x10 Flex (40x40x10) $17
      Intel S3500 SSD 80GB $100
      Full install on a high-end SDXC card (Samsung Pro) in a low-profile USB adapter
      32GB - $20
      Low profile adapter - $10?

      Edit: I already run pfsense on a old computer I have and have had it running for years and love it. You guys have helped me through some good configuration setups as well with it.

      Would it be better for me to build something like the above mentioned, get something from the pfsense store, or is there a good piece of hardware out there that I can buy that would be better geared toward a router that I can repurpose instead of a really old dell desktop?

      • SammyWoo

        I'm in the camp that building it yourself doesn't save you any money; it's for people who enjoy the process and want to have total control of what goes into the box.

        Since you already have an old box, you know whether it was over-built or whatnot and can make adjustments.

        Buying from Netgate affords direct tech support, if you don't have time to play I.T. while doing your business.

        • Live4soccer7

          It seems the Qotom may be the way to go since it is already all in the package and appears to be upgradeable to a certain extent.

          Is there a particular version I should get and do they work with the latest pfsense?

          • Live4soccer7

            Is this the one you're referring to? https://www.amazon.com/Firewall-Appliance-Gigabit-Celeron-Barebone/dp/B0741F634J/ref=sr_1_1?ie=UTF8&qid=1522363158&sr=8-1&keywords=q355g4#customerReviews

            Does it run well and, most importantly, is it reliable/stable, and is it a PIA to set up (finicky with things)?

            • Live4soccer7

              Thanks!

              • SammyWoo

                You can buy these minisys-like boxes from ProtectLI, who's a reseller on Amazon based in the U.S. You do pay a premium, but it reduces your shipping time and, most importantly, you get real English, real local tech support; the feedback on Amazon confirms it. And because it's shipped by Amazon, well, nobody does zero-pain returns like Amazon, at least in the U.S.

                I have a 2-month-old minisys-4 (hardware version 3, I found out) and am fairly content with it; the install was hardly a PITA. I did buy it barebone because I don't trust Chinese RAM/SSD, and threw in my own Crucial/Sandisk. Upgradable? RAM and storage, that's it. This should not be of any concern because this box will be dedicated to firewalling; you are not going to suddenly play 3D games on it, and the packages you are most likely adding in the future are not gonna suddenly render what you have obsolete. Only thing is, if you are thinking of going gigabit in the near future, get an i3-class as mentioned and you are all set. If you are like some folks here who start throwing proxy, WiFi, Samba, blah-blah at it, like "hey, I've got plenty of CPU in this box here!", then you are adding more failure points to your FW. Mr. Trump, I QUIT.

                • Stugots

                  Don't forget about the PCEngines APU2.  You should be able to put one of those together for less than $200.  Not as powerful as those Qotom systems, but they're still good systems.  I think they can only handle up to about 600-700MBit connections though.

                  PC Engines APU2C4

                  • Live4soccer7

                    My LAN is gigabit all around except my current PFsense box, which is really the choke point of the system. It is super old hardware and one of the nics in it is absolutely super slow. I can't recall, but it is pretty awful.

                    I don't really see myself running any other software on pfsense other than what comes with it stock. I just like it because it is so configurable, however I would like the option to be able to run other programs/apps/whatever you want to call them on pfsense if I did see a need. Would the i3 version suffice for this or should I bump up to the i5?

                    I do have my current PFsense box running on VPN.

                    • Inxsible

                      @Live4soccer7:

                      My LAN is gigabit all around except my current PFsense box, which is really the choke point of the system. It is super old hardware and one of the nics in it is absolutely super slow. I can't recall, but it is pretty awful.

                      I don't really see myself running any other software on pfsense other than what comes with it stock. I just like it because it is so configurable, however I would like the option to be able to run other programs/apps/whatever you want to call them on pfsense if I did see a need. Would the i3 version suffice for this or should I bump up to the i5?

                      I do have my current PFsense box running on VPN.

                      I built my own pfSense router based on J3355B for $106.68 – granted, I already had a 1U case that came with a PSU. But even if you add a picoPSU it would add about $10-$15. If you need a rackmount case then there is plinkUSA.com. Cheapest 1U rack case that will fit the J3355B is for $45. Or you can browse your local craigslist and get any case for about $10-$25 and replace whatever internals with a J3355B. It will handle gigabit WAN easily. What is your ISP speed currently? As long as you don't require more than 200-300Mbps over VPN, J3355B should serve your needs well since you mentioned you don't intend to run too many packages.

                      • J3355B SoC https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726&cm_re=j3355b--13-157-726--Product  – $56.70 NEW + 1.99 Shipping

                      • RAM - https://www.ebay.com/itm/SK-hynix-4GB-2Rx8-PC3L-12800S-DDR3-1600-SO-DIMM-204pin-HMT351S6EFR8A-PB-RAM/202274131369?epid=215825964&hash=item2f187a4da9:g:-wYAAOSw3MpavESY – $19.99 NEW

                      • Intel i340-T4 - https://www.ebay.com/itm/IBM-Intel-Quad-Port-PCIe-Ethernet-Adapter-Low-Profile-94Y5167-49Y4242-Free-Ship/292491780397?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2055119.m1438.l2649 – $18.95 USED.  I paid $28 for this when I bought it from a different seller. T2 might be cheaper if you look hard enough.

                      • Case - about $10 USED to $45 NEW based on what you want

                      • picoPSU - https://www.ebay.com/itm/NEW-DC-12V-250W-24Pin-ATX-Power-Supply-switch-PicoPSU-mini-ATOM-HTPC-ITX-PICO/323094106833?hash=item4b39e8d2d1:g:xoMAAOSwhvFZH~6g – $13.20 for a 250W NEW + 1.99 Shipping. You don't need that much. If you search for a 80W, you might find it cheaper

                      That's when buying most of the components NEW except the NIC. Totals up to $112.82 + case – the cost shouldn't go beyond $150 even if you buy a new case. There might be other non-rackmount cases that might be cheaper too and since as you mentioned, you have been using pfSense on super old hardware, this should feel like a great upgrade for the price.

                      • Live4soccer7

                        @Inxsible:

                        @Live4soccer7:

                        My LAN is gigabit all around except my current PFsense box, which is really the choke point of the system. It is super old hardware and one of the nics in it is absolutely super slow. I can't recall, but it is pretty awful.

                        I don't really see myself running any other software on pfsense other than what comes with it stock. I just like it because it is so configurable, however I would like the option to be able to run other programs/apps/whatever you want to call them on pfsense if I did see a need. Would the i3 version suffice for this or should I bump up to the i5?

                        I do have my current PFsense box running on VPN.

                        I built my own pfSense router based on J3355B for $106.68 – granted, I already had a 1U case that came with a PSU. But even if you add a picoPSU it would add about $10-$15. If you need a rackmount case then there is plinkUSA.com. Cheapest 1U rack case that will fit the J3355B is for $45. Or you can browse your local craigslist and get any case for about $10-$25 and replace whatever internals with a J3355B. It will handle gigabit WAN easily. What is your ISP speed currently? As long as you don't require more than 200-300Mbps over VPN, J3355B should serve your needs well since you mentioned you don't intend to run too many packages.

                        • J3355B SoC https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726&cm_re=j3355b--13-157-726--Product  – $56.70 NEW + 1.99 Shipping

                        • RAM - https://www.ebay.com/itm/SK-hynix-4GB-2Rx8-PC3L-12800S-DDR3-1600-SO-DIMM-204pin-HMT351S6EFR8A-PB-RAM/202274131369?epid=215825964&hash=item2f187a4da9:g:-wYAAOSw3MpavESY – $19.99 NEW

                        • Intel i340-T4 - https://www.ebay.com/itm/IBM-Intel-Quad-Port-PCIe-Ethernet-Adapter-Low-Profile-94Y5167-49Y4242-Free-Ship/292491780397?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2055119.m1438.l2649 – $18.95 USED.  I paid $28 for this when I bought it from a different seller. T2 might be cheaper if you look hard enough.

                        • Case - about $10 USED to $45 NEW based on what you want

                        • picoPSU - https://www.ebay.com/itm/NEW-DC-12V-250W-24Pin-ATX-Power-Supply-switch-PicoPSU-mini-ATOM-HTPC-ITX-PICO/323094106833?hash=item4b39e8d2d1:g:xoMAAOSwhvFZH~6g – $13.20 for a 250W NEW + 1.99 Shipping. You don't need that much. If you search for a 80W, you might find it cheaper

                        That's when buying most of the components NEW except the NIC. Totals up to $112.82 + case – the cost shouldn't go beyond $150 even if you buy a new case. There might be other non-rackmount cases that might be cheaper too and since as you mentioned, you have been using pfSense on super old hardware, this should feel like a great upgrade for the price.

                        Thanks! I may just go this route. My ISP speed is only 50mb/s, so quite slow. How does this setup compare to the i3 or i5 of the qotom machines? I don't need a rack mount, a simple ITX case for this should work just fine.

                        • Live4soccer7

                          Thanks! I'll probably go with your $150 setup or the qotom setup if this doesn't pan out. Hard to say no to $25 if it'll work. It has two LAN ports in the back as well :)

                          I looked locally to find a used mini-ITX case to help keep costs down and I found one with everything in it. I may even be able to use what's in it for the entire setup. I have an offer in of $25 lol. It has an Intel Core i3, but that's all the info I have on it minus basic RAM, HDD info.

                          • Inxsible

                            You might also want to make sure that i3 supports AES-NI so that it's future proof.

                            • Live4soccer7

                              Thanks! He didn't accept my initial offer, but said he would take $50 and I get a 250W power supply that's separate from it that I could use for something else, so still not a bad deal since it is a case and a board, and the board is loaded with the necessary components to run a small computer. Anyways, I asked for the CPU and board model.

                              Gigabyte GA-H77N-WIFI
                              Intel Core i3 3225

                              Let me know what you guys think?

                              • Live4soccer7

                                It isn't AES-NI. How big of a deal is this? It's an 1155 socket, so surely there has to be a processor I could replace it with if needed???
                                Does the newer version of pfsense require AES-NI?

                                https://ark.intel.com/products/65692/Intel-Core-i3-3225-Processor-3M-Cache-3_30-GHz

                                Here is the board: https://www.gigabyte.com/nl/Motherboard/GA-H77N-WIFI-rev-10#ov

                                It looks like I would have plenty of CPUs that I could choose from that would fit the LGA 1155 Socket and be capable of AES-NI: https://ark.intel.com/Search/FeatureFilter?productType=processors&SocketsSupported=LGA1155&AESTech=true

                                It looks like each port is able to run full 1Gbps, as they advertise 2Gbps if you "pair them together". Hopefully that means they would each be capable of full duplex.

                                • SammyWoo

                                  @Live4soccer7:

                                  It isn't AES-NI. How big of a deal is this?

                                  The deal is non-AES processors will become obsolete to pfSense in a year's time.

                                  Can you upgrade the CPU? Yes, as long as the new AES-capable CPU uses the same socket. CAVEAT: there was an Intel CPU refresh back in 2014(?) which required some mobos to get a BIOS update before you can upgrade the CPU.

                                  Isn't building your own fun?

                                  • Live4soccer7

                                    Haha. I don't mind it. Especially if I can get it and all related hardware in a nice package for about $50 with an extra 250W power supply that I can immediately repurpose for something else.

                                    These are the LGA1155 chips with AES-NI, so plenty of options and they are all prior to 2014, so probably won't have to mess with BIOS, which I would mind anyways.
                                    https://ark.intel.com/products/65692/Intel-Core-i3-3225-Processor-3M-Cache-3_30-GHz

                                    The current version of pfSense doesn't require AES-NI? My machine is updated to the latest version at this time and I'm 100% certain my current processor in my pfSense setup isn't AES-NI.

                                    With all that said, it looks like that ITX board/setup should work just great for what I want and have plenty of power and expandability.

                                    • stephenw10 Netgate Administrator

                                      pfSense 2.4.X (the current version) does not require AES-NI.

                                      pfSense 2.5+ will require AES-NI or some other AES offloading. There is no hard timetable for that but it will likely be at least a year.

                                      We have committed to continuing to support 2.4.X with security updates for 1 year following 2.5 release so there will be no sudden requirement to replace all your hardware overnight!

                                      There are plenty of 3rd gen i5 options with AES-NI.

                                      Steve

                                      Edit: typo

                                      • jahonix

                                        @stephenw10:

                                        We have committed to continuing to support 2.4.X with security updates for 1 year following 2.5 release…

                                        Sorry, but I don't buy that anymore.
                                        Exactly the same was said about 2.3 (the last version supporting NanoBSD and/or 32bit HW) but, if memory serves me right, it was shortly after 3 months that it was de facto obsoleted. JWT explicitly announced NO updates for Meltdown and Spectre for NanoBSD installs / 32bit hardware.

                                        2.4.0 was released October 12, 2017 and received patches and fixes up to version 2.4.3
                                        2.3.5 was released October 31, 2017 and got one maintenance release on December 14th, 2017 since.

                                        To be fair, there are snapshots of a 2.3.6 development branch on the server.
                                        But I would neither want to run a rather old 2.3.5 nor a development branch on an internet facing device in production. This means that hardware, not capable of running a full 64bit pfSense install, is obsolete only 5 months after initial 2.4 release. That's somewhat different than a year, isn't it?

                                        Expect the same focus shift after a 2.5 release. Only buy AES-NI capable hardware today. And if you like pfSense then buy it from Netgate's store (or one of their resellers).

                                        • jwt Netgate

                                          “JWT explicitly announced NO updates for Meltdown and Spectre for NanoBSD installs / 32bit hardware.”

                                          I announced no such thing. The mitigations aren’t available yet for 32-bit.

                                          What Steve said is exactly right.

                                          • jahonix

                                            @jwt:

                                            I announced no such thing. The mitigations aren’t available yet for 32-bit.

                                            Well…
                                            @https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html:

                                            By Jim Thompson
                                            …snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.

                                            "only 2.4.x and amd64 architecture" does explicitly mean: no 2.3.x, no 32bit, no NanoBSD, not even in the future.

                                            You never said something like "these fixes are for 64bit FreeBSD only and therefore can be implemented in the 2.4.x branch only. When/if such code is available for 32bit FreeBSD we will update the 2.3.x branch accordingly."

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.