Is it more cost effective to build my own PFSENSE box or just buy a small one?

jwt

"only 2.4.x and amd64 architecture" does explicitly mean: no 2.3.x, no 32bit, no NanoBSD, not even in the future.

Incorrect, it doesn't "explicitly mean" that at all.  It's just how you chose to parse it.

While I understand how you got there, so I will say it explicitly, when those mitigations are available from FreeBSD (upstream), assuming they occur well enough before the October deadline for 2.3.x that we can bring them in, we will bring them into pfSense for 2.3.x as well.

Let's be 100% clear:  If 2.4.x supported i386 today, there still wouldn't be any Spectre / Meltdown mitigations.

KPTI mitigations aren't even available for Ubuntu yet.  See this: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ, but note:  "However, even with KPTI support, a 32-bit x86 kernel cannot use PCID or INVPCID, so the performance impact will be severe."

jahonix

Thanks for clearing this up, Jim.
Actually, the 32bit versions are not my main concern. NanoBSD is. Unfortunately, that's only available in 32 bit flavour.

Edit: corrected. Thanks.

jahonix

@jahonix:

NanoBSD is. Unfortunately, that's only available in 32 bit flavour.

Shit! There actually was a 64-bit NanoBSD install?  Upgrading 64-bit NanoBSD from 2.3 to 2.4

How could I miss that? Would have solved quite some issues for me "back then".
New installs will be (full) 2.4.x now anyways and existing installs on 32-bit hardware give a reason to contact clients and install new devices after years of service.

t1a

Hi, how exactly were you able to fit the NIC adapter into the 1u case? I don't see any way how even a low profile adapter would be able to be slotted into a 1u case.

@inxsible said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

@Live4soccer7:

My LAN is gigabit all around except my current PFsense box, which is really the choke point of the system. It is super old hardware and one of the nics in it is absolutely super slow. I can't recall, but it is pretty awful.

I don't really see myself running any other software on pfsense other than what comes with it stock. I just like it because it is so configurable, however I would like the option to be able to run other programs/apps/whatever you want to call them on pfsense if I did see a need. Would the i3 version suffice for this or should I bump up to the i5?

I do have my current PFsense box running on VPN.

I built my own pfSense router based on J3355B for $106.68 – granted, I already had a 1U case that came with a PSU. But even if you add a picoPSU it would add about $10-$15. If you need a rackmount case then there is plinkUSA.com. Cheapest 1U rack case that will fit the J3355B is for $45. Or you can browse your local craigslist and get any case for about $10-$25 and replace whatever internals with a J3355B. It will handle gigabit WAN easily. What is your ISP speed currently? As long as you don't require more than 200-300Mbps over VPN, J3355B should serve your needs well since you mentioned you don't intend to run too many packages.

• J3355B SoC https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726&cm_re=j3355b--13-157-726--Product  – $56.70 NEW + 1.99 Shipping

• RAM - https://www.ebay.com/itm/SK-hynix-4GB-2Rx8-PC3L-12800S-DDR3-1600-SO-DIMM-204pin-HMT351S6EFR8A-PB-RAM/202274131369?epid=215825964&hash=item2f187a4da9:g:-wYAAOSw3MpavESY – $19.99 NEW

• Intel i340-T4 - https://www.ebay.com/itm/IBM-Intel-Quad-Port-PCIe-Ethernet-Adapter-Low-Profile-94Y5167-49Y4242-Free-Ship/292491780397?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2055119.m1438.l2649 – $18.95 USED.  I paid $28 for this when I bought it from a different seller. T2 might be cheaper if you look hard enough.

• Case - about $10 USED to $45 NEW based on what you want

• picoPSU - https://www.ebay.com/itm/NEW-DC-12V-250W-24Pin-ATX-Power-Supply-switch-PicoPSU-mini-ATOM-HTPC-ITX-PICO/323094106833?hash=item4b39e8d2d1:g:xoMAAOSwhvFZH~6g – $13.20 for a 250W NEW + 1.99 Shipping. You don't need that much. If you search for a 80W, you might find it cheaper

That's when buying most of the components NEW except the NIC. Totals up to $112.82 + case – the cost shouldn't go beyond $150 even if you buy a new case. There might be other non-rackmount cases that might be cheaper too and since as you mentioned, you have been using pfSense on super old hardware, this should feel like a great upgrade for the price.

@live4soccer7 said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

@Inxsible:

@Live4soccer7:

My LAN is gigabit all around except my current PFsense box, which is really the choke point of the system. It is super old hardware and one of the nics in it is absolutely super slow. I can't recall, but it is pretty awful.

I don't really see myself running any other software on pfsense other than what comes with it stock. I just like it because it is so configurable, however I would like the option to be able to run other programs/apps/whatever you want to call them on pfsense if I did see a need. Would the i3 version suffice for this or should I bump up to the i5?

I do have my current PFsense box running on VPN.

I built my own pfSense router based on J3355B for $106.68 – granted, I already had a 1U case that came with a PSU. But even if you add a picoPSU it would add about $10-$15. If you need a rackmount case then there is plinkUSA.com. Cheapest 1U rack case that will fit the J3355B is for $45. Or you can browse your local craigslist and get any case for about $10-$25 and replace whatever internals with a J3355B. It will handle gigabit WAN easily. What is your ISP speed currently? As long as you don't require more than 200-300Mbps over VPN, J3355B should serve your needs well since you mentioned you don't intend to run too many packages.

• J3355B SoC https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726&cm_re=j3355b--13-157-726--Product  – $56.70 NEW + 1.99 Shipping

• RAM - https://www.ebay.com/itm/SK-hynix-4GB-2Rx8-PC3L-12800S-DDR3-1600-SO-DIMM-204pin-HMT351S6EFR8A-PB-RAM/202274131369?epid=215825964&hash=item2f187a4da9:g:-wYAAOSw3MpavESY – $19.99 NEW

• Intel i340-T4 - https://www.ebay.com/itm/IBM-Intel-Quad-Port-PCIe-Ethernet-Adapter-Low-Profile-94Y5167-49Y4242-Free-Ship/292491780397?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2055119.m1438.l2649 – $18.95 USED.  I paid $28 for this when I bought it from a different seller. T2 might be cheaper if you look hard enough.

• Case - about $10 USED to $45 NEW based on what you want

• picoPSU - https://www.ebay.com/itm/NEW-DC-12V-250W-24Pin-ATX-Power-Supply-switch-PicoPSU-mini-ATOM-HTPC-ITX-PICO/323094106833?hash=item4b39e8d2d1:g:xoMAAOSwhvFZH~6g – $13.20 for a 250W NEW + 1.99 Shipping. You don't need that much. If you search for a 80W, you might find it cheaper

That's when buying most of the components NEW except the NIC. Totals up to $112.82 + case – the cost shouldn't go beyond $150 even if you buy a new case. There might be other non-rackmount cases that might be cheaper too and since as you mentioned, you have been using pfSense on super old hardware, this should feel like a great upgrade for the price.

Thanks! I may just go this route. My ISP speed is only 50mb/s, so quite slow. How does this setup compare to the i3 or i5 of the qotom machines? I don't need a rack mount, a simple ITX case for this should work just fine.

VAMike

@t1a said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

Hi, how exactly were you able to fit the NIC adapter into the 1u case? I don't see any way how even a low profile adapter would be able to be slotted into a 1u case.

The NIC goes in horizontally.

stephenw10

Yeah, exactly. You use a riser and fit it at 90° to the slot on the board.

Check out any 1U device that can fit an expansion card Such as:
https://www.netgate.com/docs/pfsense/solutions/xg-1537/io-ports.html#with-4-port-intel-1-gb-ethernet-expansion-card

Steve

t1a

@stephenw10 My apologies, I was a little unclear with my wording of the question. Using your J3355B type soc and a 1u case that fits the mini-itx board, it's still possible to get the nic adapter fitted in? I wasn't aware they had riser type cards for these socs to be able to fit it horizontally like you mentioned. I didn't want to get a 'cube/tower' like case.

VAMike

@t1a a simple 1:1 riser card is pretty generic (e.g., https://www.newegg.com/Product/Product.aspx?Item=9SIAE7R5YV3774&cm_re=riser_card--9SIAE7R5YV3774--Product) there are also flexible cable versions if there are geometry issues. Multiport risers may have more compatibility issues. You should be able to get the riser wherever you get the case.

Inxsible

@t1a Correct. They go in horizontally using a riser card.

A couple of things to consider:

• You need a right angled riser or a ribbon card
• You need to know how big your 1U case is. For example if you 1U case ONLY supports Mini-ITX, then a single angled riser/ribbon would suffice. But if your case supports mini-ITX & microATX, then apart from angled riser/ribbon, you will also need a riser extender to reach that open gap in the case where the card will fit.
  Something like this:

https://www.ebay.com/itm/PCI-EXPRESS-PCIE-8x-x8-Riser-Card-Extension-Adapter-for-1U-2U-Low-Profile-NEW/281044270981?hash=item416f8b3f85:g:mF8AAOxyDvxQ3vK9

Or get a ribbon riser with extra long length. I trust hard chips better than ribbons because 1U cases already have less space, and ribbons seem to clutter up the space too much.

S762

@inxsible - thanks for putting together the parts list which gave me the incentive to build one. I used a Thermaltake Element Mini-ITX case and went for the ASRock J3455B-ITX Intel board that was $10 more. Had it running for a few days with the case's 220watt power supply until the picoPSU arrived.

The issue I'm having is a little noise out of the 12V 20A 240W AC/DC Power Adapter so my question is what are you using for a power supply? I have an email in to the PS's vendor but have not heard back yet. We have used this type power supply in the past, (granted not 240watt unit) and had never heard any noise coming from them. other than all is good, thanks again for the parts list

Inxsible

@s762 said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

@inxsible - thanks for putting together the parts list which gave me the incentive to build one. I used a Thermaltake Element Mini-ITX case and went for the ASRock J3455B-ITX Intel board that was $10 more. Had it running for a few days with the case's 220watt power supply until the picoPSU arrived.

You are welcome.

However, if the case already came with a PSU, why did you go on and invest in picoPSU? And that too a 240W one? I don't think I ever saw a 240W picoPSU on the mini-box site. Did you buy this off of ebay/China? If so that might be the cause of the noise. Even the largest adapter on mini-box.com is only 192W.

My advice would be to just continue using the Thermaltake case PSU.

t1a

Question, did you change to the Pico psu because it's More efficient? This site for Pico psu had reviewed a few adapters as well.

http://www.jonnyguru.com/modules.php?name=NDReviews&op=Story&reid=207

s762 said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

@inxsible - thanks for putting together the parts list which gave me the incentive to build one. I used a Thermaltake Element Mini-ITX case and went for the ASRock J3455B-ITX Intel board that was $10 more. Had it running for a few days with the case's 220watt power supply until the picoPSU arrived.

The issue I'm having is a little noise out of the 12V 20A 240W AC/DC Power Adapter so my question is what are you using for a power supply? I have an email in to the PS's vendor but have not heard back yet. We have used this type power supply in the past, (granted not 240watt unit) and had never heard any noise coming from them. other than all is good, thanks again for the parts list

S762

@inxsible & @t1a yes sometimes I’m pretty good at wasting money. Without the purchase of the extra PS & Pico could have knocked off another $54 and would have came in around $150. I didn’t even know what a Pico PSU was until I followed inxsible's link but once I seen it on eBay I reckoned it would take less power and provide silent operation.

To compare the two I metered out the pfsense box with the standard 220 watt PS and then with the Pico rig. The standard PS with the board & SSD was using 15 ~16 watts which is great but the Pico setup now has it at 10.5 ~ 11 watts and more importantly (to me) provides a silent operation except for the noise that was coming from the 12V 20A 240W AC/DC power supply.

The good news is I stumbled 12V 6.7A 80W AC/DC power supply that I took off my Drobo (NAS) from our computer graveyard that is now out of service. The plug length on the Drobo PS is a fraction shorter than the 240watt supply but it fits in there snug and is now providing silent operation which was also part of my goal. I’m still waiting on the vendor to get back to me on the problem PS, figure I'll give them 24 hours to reply back but its getting returned either way. IMO its always good to go higher on watts/amps but if the 80 watt does the job I’ll just call it a day. Again thanks for the parts list and Devs making pfsense available.

(edit typo)

stephenw10

Interestingly the PicoPSU proves that it is not always better to go higher power capability.
Switching power supplies often operate waaay below their rated efficiency when run at, say, 5% of rated load. It's better to have a correctly sized power supply. Even the 80W supply is operating at low load if the whole system is consuming only 11W. I'd stick with that.

Steve

Inxsible

@s762 said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

The standard PS with the board & SSD was using 15 ~16 watts which is great but the Pico setup now has it at 10.5 ~ 11 watts

Consider the 5W increase in usage and multiply that by the electricity cost at your home. It will take years to recoup that $54, I am sure.

@s762 said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

IMO its always good to go higher on watts/amps but if the 80 watt does the job I’ll just call it a day. Again thanks for the parts list and Devs making pfsense available.

Not quite. Look into the efficiency ratings of the PSU. Check at what load, they are the most efficient and go with those figure. Most PSUs tend to be most efficient at around 70-80% load. So if you buy a 1000W PSU and put a load of 10 watts, you are actually making it worse.

A 80W picoPSU definitely is more than sufficient for the setup you have. I intended to go with a 80W picoPSU. Only reason I didn't was because I had this 1U supermicro case with a 300W 80+ Gold rated PSU lying around.

so in my case, if I use the picoPSU -- it will be more efficient -- but at a cost which doesn't justify me purchasing a new PSU because I have one lying around.

As a side note: I am thinking of moving to a picoPSU -- and then re-purposing that 1U for a ESXi server with 4 disk RAID array. I might have to look for a new 1U chassis too in that case.

plinkusa.net has some 1U chassis for $45 -- and a 200W PSU for additional $45 --- Not sure if picoPSU is still worth it though because an 80W picoPSU + power brick from mini-box sells for 36.50+shipping. But for $8.5 more, I get 3 Molex and 3 SATA connectors vs 1 in the picoPSU + Plus I don't have to worry about the length of the cable-- whether it will reach my 2.5" PATA drive. Also the 80W picoPSU has a 20 pin ATX plug, whereas my board J3355B has a 24 pin ATX plug.

Decisions Decisions....

johnpoz

@inxsible said in Is it more cost effective to build my own PFSENSE box or just buy a small one?:

Decisions Decisions....

Just buy a netgate unit and be done with it ;) I love to tinker as well... But when it comes to building or supporting the company that provides you with the software you love.. Why would you not just buy a unit from them - its a win win win for everyone involved..

They provide units that are energy friendly and good performance.. While it might be a few $ more.. You know its been tested, you know its supported and if any problems you can work directly with the company that does the software your running on it, etc.

I have run pfsense on VM for years and years.. And love that about it.. But if your going to do hardware - pick a unit that does want you want that they sell and there you go - decision made ;)

Inxsible

And what do I do with the J3355B based build that I already have?

I was just thinking of moving it in a different case, that's all.

johnpoz

Run whatever on it.. There are bajillion things to do with a box like that..

S762

@inxsible Got it and point taken. Just to clarify my comment where bigger is better let's say you have a choice between a 12V/5 AH or a 12V /7 AH battery for use in a USP unit or alarm panel or emergency lighting station. For that I’m going to take the higher rated Amp Hour all day long. Same for car battery with a higher CCA rating or electrical panel for your home. Having the extra in reserve for those instances will do no harm. Of course sticking a 200amp electrical service in a 70 year old 800 sq. foot home is probably overkill so there’s that too. I think we could agree in some cases bigger is better but not in all cases as you pointed out.

In any case glad to hear you confirmed my new found 80W PS is a better choice. What I’ve just noticed after switching from the case’s original 220watt PS to the Pico setup is the board is system is running a bit warmer. With the original PS that came with the ITX case the temp was always between 36 to 38.0°C and now with the Pico setup its hovering between 42 to 43.0°C which is still good according to pfsense’s default "Zone Warning" presets so not going to panic yet.. The only answer I have for that is fan from the original PS was keeping a nice flow of air going across the board to assist with the lower temp.

Thanks again for the part list and feedback, all is good. My next objective is to see if I how much uptime I could rack-up without a reboot. We all need goals right..