Looking for cheap hardware to run pfsense
-
Hi there.
I'm looking for cheap hardware options to run pfSense in my small home network. I have seen the SG-1000 (a bit expensive) and this one:
https://www.miniserver.it/home-page-products/apu2-firewall-entry-level-2-nic-2gb.html (a bit expensive too)
I will have 10 machines in my network (VMs) and three physical ones, plus some smartphones. I will also use pfSense to connect from outside through OpenVPN to my main computer.
What mini computers or hardware firewalls are there? Also, I need shipment to Spain.
Thanks all!
-
I don't think you'll find anything new less expensive than the SG-1000 besides an old PC, but the power use of a PC would be a waste. I'd just run another VM.
-
I'd just run another VM.
Thanks for your response.
Can I run pfSense in a VM and protect all my home network? How?
-
Sure, there is a whole subforum dedicated to it. I run mine in Hyper-V. Your LAN virtual switch will use the same NIC as the one shared to your home net. You will need a second NIC to assign to your WAN virtual switch. That network should have no access to inside net except through the FW. Then just build your VM as you do now, from ISO or whatever source. This is a basic guide for Hyper-V:
https://doc.pfsense.org/index.php/Virtualizing_pfSense_under_Hyper-V
But they show the management connection on the WAN switch, which I would not do. I would put it on the LAN side for safety. I used a 4GB fixed size disk and 512MB RAM for pfSense 2.4.3.
-
Thanks for the replies.
I have pfSense virtualized with VMware Workstation on a W10 host machine. This W10 machine has a 5G WiFi USB adapter connected to my home router, and the computer also has a NIC.
I have created 2 virtual network adapters in the pfSense virtual machine: 1 network adapter uses the 5G WiFi USB in bridge mode for WAN (192.168.1.70 is the pfSense WAN IP), and the other network adapter is for the LAN, used as the LAN segment for the other virtual machines (192.168.5.1 is the pfSense LAN IP).
The LAN clients have internet, all goes fine here.
Now I have created another virtual network adapter bridged to the physical NIC of the W10 host, and I have created a new interface in pfSense for it (OPT1). A TP-Link wireless router is connected to this NIC, and I have created a DHCP server on the OPT1 LAN segment (192.168.6.1).
I have deactivated DHCP in the TP-Link wireless router. If I connect my Android device to the wireless router it gets assigned the IP address 192.168.6.34 from pfSense OPT1, but there is no internet access from my phone.
I have created a firewall rule on OPT1 identical to the LAN firewall rule, and also checked that the outbound NAT has the LAN and OPT1 segments OK.
I can ping 8.8.8.8 and google.es from pfSense using OPT1.
What am I doing wrong?
Thanks for the help in advance!
-
Sounds similar to what happened to me here:
https://forum.pfsense.org/index.php?topic=125446.msg800566#msg800566
I could ping DNS but I could not resolve addresses or even telnet to my chosen DNS servers on port 53 from my wireless, but wired worked fine (and this was all on the same network). I recreated the virtual switch and it started working. If you have an OPT1>ANY rule, that should be fine.
You could try plugging a wired machine into the NIC your wireless AP is plugged into and see if that works. Or recreate your WAN/LAN interfaces.
-
Solved!
I have set a dynamic IP address on my physical NIC, and the most important part: my WiFi router has 4 RJ45 LAN ports and an RJ45 WAN port. I unplugged the cable from the WAN port, connected it to a LAN port, and now I have internet on the phone!!
Also I have noticed that Windows 10 gives priority to wired connections over WiFi connections, so for me it's perfect. My W10 host is filtered by pfSense, since the NIC gets an IP address from the LAN segment 192.168.6.x (OPT1).
Another question: if I wanted to restrict access from 192.168.6.x (OPT1) to 192.168.5.x (LAN) machines, how would I do that?
Thanks all!!
-
Can I run pfSense in a VM and protect all my home network? How?
There are a lot of people who will say it's okay to run it as a VM, which is technically possible, but I strongly suggest against it. The firewall should be dedicated, independent of any complication and should run by itself, whether you agree or not. Pick up something like this:
https://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2380057.m570.l1311.R3.TR3.TRC1.A0.H0.Xdell+R210.TRS0&_nkw=dell+r210+ii&_sacat=0
I'm running my pfSense off one of those for about 3 yrs. now and couldn't be happier.
-S
-
Another question: if I wanted to restrict access from 192.168.6.x (OPT1) to 192.168.5.x (LAN) machines, how would I do that?
Add a Block rule in the LAN rules
Interface - LAN
Protocol - ANY
Source - Network, 192.168.6.0/24
Dest - Network, 192.168.5.0/24
Glad it's working.
-
The firewall should be dedicated, independent of any complication and should run by itself
I completely get your point and favour a dedicated box myself.
However, suggesting to run pfSense on server grade hardware in a small home environment is a bit over the top, isn't it? It's noisy and consumes more power than necessary. Compare it to an SG-3100…
-
Another question: if I wanted to restrict access from 192.168.6.x (OPT1) to 192.168.5.x (LAN) machines, how would I do that?
Add a Block rule in the LAN rules
Interface - LAN
Protocol - ANY
Source - Network, 192.168.6.0/24
Dest - Network, 192.168.5.0/24
Glad it's working.
Setting your rule on LAN is not working.
My rules before the change (columns: Protocol, Source, Port, Destination, Port, Gateway, Queue, Description):
LAN:
* * * LAN Address 443 80 * * Anti-Lockout Rule
IPv4 * LAN net * * * * none Default allow LAN to any rule
IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
OPT1:
IPv4 * OPT1 net * * * * none
Thanks!
EDIT:
I solved it by doing this in the OPT1 rules:
IPv4 UDP OPT1 net * 192.168.6.1 53 (DNS) * none Easy Rule: Passed from Firewall Log View
IPv4 TCP OPT1 net * * 443 (HTTPS) * none
IPv4 TCP OPT1 net * * 80 (HTTP) * none
-
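As an added example (my own code, not from this thread or from pfSense), here is a small Python model of how pfSense applies firewall rules: on the interface where the traffic enters, top-down, first match wins, and anything unmatched falls to the implicit default deny. It encodes the block rule suggested for LAN, the OPT1 rules the OP ended up with, and a hardened variant; the subnets and rule contents are the thread's, the helper and constant names are mine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets from the thread; the keys mirror pfSense's "LAN net" / "OPT1 net" aliases.
NETS = {"LAN net": ip_network("192.168.5.0/24"),
        "OPT1 net": ip_network("192.168.6.0/24")}

@dataclass
class Rule:
    action: str  # "pass" or "block"
    proto: str   # "any", "tcp" or "udp"
    src: str     # "any", a key of NETS, or a CIDR string
    dst: str     # same forms as src
    dport: str   # "any" or a port number as a string

def _contains(spec, addr):
    # "any" matches everything; otherwise resolve the alias or parse the CIDR.
    if spec == "any":
        return True
    net = NETS[spec] if spec in NETS else ip_network(spec)
    return ip_address(addr) in net

def matches(rule, proto, src, dst, dport):
    return (rule.proto in ("any", proto)
            and _contains(rule.src, src) and _contains(rule.dst, dst)
            and rule.dport in ("any", str(dport)))

def evaluate(rulesets, ingress_if, proto, src, dst, dport):
    """pfSense semantics: only the rules of the interface the packet ENTERS on are
    consulted, top-down, first match wins; no match means the implicit default deny."""
    for rule in rulesets.get(ingress_if, []):
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"

ALLOW_LAN_ANY = Rule("pass", "any", "LAN net", "any", "any")
BLOCK_OPT1_TO_LAN = Rule("block", "any", "OPT1 net", "LAN net", "any")

# 1) The suggested block placed on LAN: OPT1 traffic enters on OPT1, so LAN rules never see it.
BLOCK_ON_LAN = {"LAN": [BLOCK_OPT1_TO_LAN, ALLOW_LAN_ANY],
                "OPT1": [Rule("pass", "any", "OPT1 net", "any", "any")]}
# 2) The OP's working OPT1 rules: DNS to the firewall only, HTTP/HTTPS anywhere, default deny otherwise.
OP_FIX = {"LAN": [ALLOW_LAN_ANY],
          "OPT1": [Rule("pass", "udp", "OPT1 net", "192.168.6.1/32", "53"),
                   Rule("pass", "tcp", "OPT1 net", "any", "443"),
                   Rule("pass", "tcp", "OPT1 net", "any", "80")]}
# 3) Same, with an explicit OPT1 -> LAN net block on top so even HTTP/HTTPS to LAN hosts is refused.
OP_FIX_HARDENED = {"LAN": [ALLOW_LAN_ANY], "OPT1": [BLOCK_OPT1_TO_LAN] + OP_FIX["OPT1"]}
```

Running the model shows why the LAN-side block never fires and that the OP's ruleset still lets OPT1 clients reach LAN hosts on ports 80 and 443, because those pass rules have destination "any"; the third ruleset closes that by blocking OPT1 to "LAN net" before the pass rules.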
-
If u think a dedicated pfSense box is expensive, compare the alternative: what does it cost you to buy one of those rules-based, stateful Internet appliances? Ya, an old PC/VM should hold u over until u can afford to do it the proper way.