Mac Mini pfSense System Hardware?
I’m looking for some advice. I have a Mac mini, late 2012 with 16GB of RAM, 500GB HDD and its got 2x gigabit NICs. (One built in, one thunderbolt) so they both run at the rated 1Gb, no usb nics. The system was literally collecting dust, so I’d like to use it for a pfSense system.
The pfSense system would be for my home, 4 users including 2 teenagers that have 6-10 friends over all the time, and using the internet. (That’s another story). We have 3 AppleTVs, and another 12 IoT devices, plugs and low bandwidth stuff. All things considered 12 users on line at once, max. My internet speed is 400Mb. So far I get 300Mb - 400Mb to each device, Netgear-Orbi fire wall only.
I’d like to use the Mac Mini, as a pfSense box with the following packages. With out loosing speed. In order of priority. (I can drop packages if my HW won’t support it.)
- inbound VPN (infrequent only 2 users)
The system seems overpowered, compared to Netgate offering.
This is where I need some advice.
Will 16gb ram useful/used by the pfSense OS.software?
Does pfSense need that much disk space, assuming I clean logs every 2 weeks.
Are there any gains from upgrading to a SSD?
If it’s overpowered I’d like to use VMWare and have another VM with Ubuntu for running some smart home cron jobs.
I don't want to drop my 400Mb speed.
Thanks for your help.
occamsrazor last edited by occamsrazor
I can't answer all your questions but maybe the below is a little useful. I have a Qotom Q355G4 with Core i5-5250U processor 8gb ram and 64GB SSD. I'm a Mac user and have the same Late-2012 Mac mini (2.6 GHz Intel Core i7) but don't use it for pfSense.
Running pfsense with Suricata on WAN & LAN, pfBlockerNG, squid etc on my 50Mb line uses around 8%CPU idle, up to around 15% CPU at full speed torrenting. My disk identifies as 55GiB, of which about 2% is used. RAM usage is 27% of the 8GB, which if I use the "TLD" option in pfBlocker rises to around 50%.
So my gut feeling is that your Mac Mini would indeed be overpowered. Which obviously isn't a problem in itself. I would be more wondering about the reliability and compatibility of the Thunderbolt>Ethernet adapter when used with pfSense (maybe it is fine, I just haven't looked into that). I guess the only way is to try and see. As for SSD vs HD I don't think pfSense is particularly disk intensive, though maybe useful for squid. That said I don't actually find squid that useful - the vast majority of traffic is https and I (personally) found it to be too much hassle and difficulty to intercept SSL traffic. But if you leave it only to intercept http then the ratio of traffic that gets served by Squid is so minimal.
My overall view is the Late-2012 Mac mini is such a great general-purpose machine that it would seem a bit of a waste to dedicate it solely to pfSense. I'd be tempted to upgrade it to SSD and then use it as something else e.g. a movie/music server etc, and get another device for pfSense. But of course you say it's gathering dust so..... up to you..... and good luck for whatever you decide to do!
I agree it's probably overpowered for that task but if that's what you have then give it a try. You can always export the config into something else later.
The only real speed advantage you get from an SSD is boot time which is usually not a problem anyway. You would get an advantage from Squid cache but with the current web being so dynamic there is not usually much advantage in caching. Especially with a relatively fast connection such as yours.
My advice to you is if you are planning to boot a Pfsense usb to a Mac mini is good luck. Booting in an Apple device is not that easy. The hackintosh community was able to circumvent that several years ago by using pc parts. If I were you, just move on and get at least a 3 year old pc that support 64 bit cpu with aes-ni and intel nic.
It doesn't look that difficult. For example: http://angerman.net/articles/freebsd-mac-mini/
I've never had any issues installing alternative OSs on my slightly later Mac, though I've never tried FreeBSD/pfSense.
'Hackintosh' users are trying to do the opposite, install OSX on non-Mac hardware, which is far harder. Apple deliberately try to prevent it.
Thanks for all the responses!
Okay, so here's what I found out and what I did.
The mini will boot from a pfSense USB and install the software. There are difficulties and some workarounds, they are below.
Option 1 - Install pfSense on the Mac Mini
The mac will boot from the pfSense USB installer. Hold down option and choose the install drive. I had problems with the Apple BT keyboard, so wired is best. You might get it to work, I had a wired Windows keyboard so I did not bother. The install will delete everything on the drive. Go through your normal setup and BAM! You'll have a power house for pfSense.
If you want, and you should 2x1GB Ethernet NICs you'll need the Apple Thunderbolt > Ethernet adapter, pfSense is happy showing both NICs. This means you can't use a Mac monitor during install, or to trouble shoot at the console. The work around for this is to use a the Mac's HDMI output for the monitor and configure the system. ( A newer TV will also work) After install you can continue to run the system headless, attaching a HDMI monitor and keyboard as a "crash cart" when needed.
Option 2 - Use VmWare on the MacMini
- Using the complete Mac system for a firewall got you down? install VMWare ESXi 6.x. It's available FREE for home use. You give up enterprise features, vSphere and etc. But everything else works. You can get it here. https://my.vmware.com/en/web/vmware/evalcenter?p=free-esxi6
Install ESXi the as per VMWare's instructions. They are not very difficult for a basic install, but too much to go into here. Be sure to use a static IP address, you'll need to know the address to get to the ESXi server. ESXi has a web console that will allow you to access the host and virtual machines. When you are done shutdown the Mac, unplug the monitor and plug in the Thunderbolt > Ethernet adapter, and turn on the system. You'll need that static IP now, since DHCP won't be running at at reboot, until pfSense loads, you'll need to know where to access the server.
Once ESXi host is running it will show the internal NIC and the TB interface. Create a VM with power and disk you need.
- Follow pfSense's VM install guide.
- Set the ESXi server and pfSense VM to auto boot.
- You can always increase/decrease CPU & Disk as needed.
- You should have enough power on the Mac Mini to install OSX and/or Linux desktop.
- Other VM instances won't bother pfsense. ESXi can dynamically allocate resources, moving resources to accommodate load.
- Using VNC you now have a desktop and a pfSense server.
What I did, crazy I know...
I had a Dell Optiplex with 4GB ram and i5 -3470 with aes-ni, and 128GB SSD. Picked it up a refurbished unit for $144. I got the Ultra Small Form Factor, a mistake since there is no room for additional NICs. IT was too late and returning it would mean 15% restock fee and I pay for shipping. Not worth it for a $144 PC. I was able to add 2x1GB NICs via USB 3.0 using this. https://www.amazon.com/gp/product/B00D8XTOD0/ With the adapter the rig runs $200.
I have 400Mbps at my home, so far the configuration can keep up. I have not loaded any packages yet. If needed I can add RAM. Be warned, I went through several USB 3 > Ethernet adapters to find one that would work (thank you Amazon for free returns). Even when the adapters are working some have said the they can be flakey and/or slow. SO home use is good, I would not do this in production or critical environment. My setup has worked out so far and I have 30 days to make sure it works, again thank you amazon.
I like this configuration it gives me 2 LAN ports & 1 WAN, I can use the additional LAN port for a VLAN later. Additionally, it frees up my Mac Mini to tool around with. I left VMware on it and I'm able to switch between Linux/OSX. BIG plus for me I'm using the PC I mistakenly bought. Was not a lot of money, but I hate wasting.
If things go south, crossing fingers that they don't. OR If I need to add too much more RAM, I don't want to invest more in that Dell. I can always put the Mac into service.
Hope this help some one else out there.
occamsrazor last edited by
Okay, so here's what I found out and what I did.
Mad respect for all the tweaking and the extensive writeup :-) Still gonna keep my Mac Mini as movie/music machine and my Qotom for pfSense, but you've given me the urge to try out ESXi on something.
This is a dumb question I'm sure, having never used ESXi, but how do you switch between or view the different virtual machines?
I was looking at the Qotom systems as well. Decided to work with what I had on hand.
ESXi gives you a browser based interface, and you can click on VM and they open in window. Edit VMs, meaning assign more RAM, Disk, or even a virtual CD-ROM that you mount as an ios. Really cool stuff. I attached some screen grabs.
I thinking of building a HTPC, when I'm done with pfSense. Likely to put the Mini back into commission for that.
BTW I've got an Iron Man theme going... Pepper Pots, Happy, and Heimdall :-)