New build queries, have researched honest!



  • Hi

    I have been doing a lot of research on here about making a new PFsense build. I currently have it set up as a VM in my NAS but am fed up if the NAS is taxed, the internet slows down.

    Current my needs are;

    • 400 down/20 up internet
    • Connect 2 devices to external VPN
    • Run Pfblocker
    • Good quality Intel NIC, reliable, use hardware offloading etc
    • AES-NI
    • Traffic shaping
    • 1G home LAN

    Not essential;

    • Would like 4 NICs, as I will like explore VLANs tagged vs untagged in the future
    • Explore setting up snort (processor intensive?)
    • Explore setting up VPN for home network, only for 2-3 devices max
    • Future proof for possible 600-700 WAN in a few years

    I am not keen a netgate product, only because higher cost of UK pricing and would like a project myself.

    POWER: Aiming to keep low 10-15W, but could justify the cost of 30-40W if power/cost justifies
    CASE: Hidden under the stairs so form factor not an issue. Dont have a rack mounted set up. I am also flexible about PSU.

    I was looking at;
    Supermicro X11SBA-LN4F BGA 1170 Mini ITX with has SoC N3700

    Or possibly a G4560 based machine? I was thinking best getting a supermicro board as better with enterpirse motherboard with running 24/7? Saves on buying a NIC?

    Or better with ASrock? Then again I see people with issues fairly commonly.

    If buying a PCI NIC, are you best with two dual NIC or one quad NIC?

    Thanks!

    Liam



  • I can answer some of your questions but not all of them. I'll give you my experience and suggestions for the areas that I know.

    Regarding the build, I would recommend something newer than the N3700 series. I'm currently running an Asrock J3455 based system now with a PicoPSU, and it's pulling 11 watts on 110v power here in the US.

    The J3455 board was about $65 from Newegg. The PicoPSU + power brick was $55. If you have some DDR3 memory laying around and an extra case, that is all you need to get started. If you need to purchase those items, add them to the cost.

    For a NIC, Intel based is highly recommended. I have also had good luck with Broadcom NICs after some tweaking however, Intel NICs can be found very affordably on ebay from a working server pull. When you order the NIC, make sure you're getting one from a server recycling vendor that is selling an actual OEM product, do not order from China or you will very likely get a fake Intel NIC. Some good options are the HP NC365T, this is the same NIC as an Intel Quad I340. It uses the latest Intel IGB driver on pfsense and is very easy to tune. I have one of these NICs and it is rock solid stable, and quad port gives you room to grow.

    I have also used HP NC382T NICs (dual port Broadcom 5709) and HP NC360T NICs (dual port Intel 82571). Both of these also work well, they aren't quite as new as the I340 and can be found cheaply, the broadcom NIC regularly sells for under $10. These are good budget options and both of them are very stable.

    If going with a J3455 setup, PCIe slots are limited, and there is usually only one full bandwidth slot for an x2 or x4 PCIe card. I would recommend you buy a quad port card on the J3455 setup so that you can have a single card in the fastest PCI slot and maximize your bandwidth.

    IMHO, I don't like to use onboard server NICs because of Intel Manage Engine issues (security hijack point). I much prefer a separate physical NIC to assign to WAN port and LAN ports to. Because of this, using a J3455 wasn't an issue for me because it had low quality Realtek NIC onboard, and I just disabled it and used my own PCIe NIC of choice.

    People have issues witht he J3455 because FreeBSD had a regression in 11.1 release, which is what pfsense 2.4.3 is based on. If you run the development release (2.4.4.a), it will install natively in UEFI without any issues, that's how I run on my J3455 setup. Traffic shaping is now easy on 2.4.4.a and fq_codel is built in to the GUI on the latest pfsense builds in 2.4.4.a.

    I don't used pfblocker, snort, or VPN on the firewall, so I can't give you direct feedback on those items. If you're on a budget, the J3455 is a very good setup, especially if you can re-use some older components (like an old ATX case) and just stick it under the stairs. You didn't mention your budget requirements so I'm not sure what targets you're trying to hit.