New to pfSense, looking to put something in place, assistance appreciated!

Dyspareunia

Greetings!

I'm fairly new to pfSense and I'm looking to do my first build!

I'd like to run my potential setup past you folks and get your thoughts (No doubt I've seriously over-killed it here...)

First of all my devices:
3 Desktops
1 Laptop
1 Tablet
4 - 5 Cellphones
5 IOT devices, which will grow considerably over the next while

Usage:
Average monthly usage around the 1TB range. Lots of 4K streaming video including 4K over wireless. Could see as many as 1 Wireless 4K and 2 wired 4K streams going at once.

Ok that being said, the features I'm interested in exploring:
Content Caching
Snort
GeoIP Blocking
App Detection
VLANs
IP Black Lists
Guest Network
Threat DB
split tunneling
VPN
etc

Some things I'd like to accomplish:

VLAN for IOT devices, specifying an ACL on a device by device basis.
VLAN for roomates devices, who isn't very 'security conscious'
Blocking applications that case me issues with my ISP, like torrenting
Caching some frequently used content
Malware detection
Route all traffic through a VPN with CIDR exceptions, for example not gaming traffic to reduce latency

Ideally I'd like to accomplish all of this on one device, instead of the pfSense box to a managed switch. If I can save the money on the switch, great.

Here is the hardware I"m looking at, forgive me if it's overkill, I'm not very versed on what's 'acceptable' considering my use case:

CPU: i3-8100 (3.6GHz)
Cooler: NH-L9i
Board: B360N
Memory: F4-2666C15D-8GVR (8G)
Storage: 970 EVO (250G)
NIC: E1G44HT (Quad)
PSU: MPW-4001-ACAAN1-US (400W)
Case: CA-1B8-00S1WN-00

So, lay it on me! The questions i'm spinning my wheels on:

How far off base am I on the hardware? I don't really want a pico PSU, I know that much...
Can I do what I outlined with no managed switch?
Can I use the WiFi on the board as a poor mans WiFi in my place until I get a proper AP?
When I have a proper AP connected to one of the ports on the NIC, can I set per device ACL rules?

Thanks everyone! Sorry if I'm extremely noobish here...

chrismacmahon

The SG-5100 at $799 will be cheaper (and use less power), and do all of that.

I would not do: Content Caching There is 0 point to; too much of the web is now dynamic you won't save much bandwidth. Your better bet would be using pfBlockerNG with an adblock list to conserve bandwidth.

Dyspareunia

While I like the form factor of the 5100, it's actually less capable and more expensive than the parts I listed.

I priced out the components at $725 USD, with more of literally everything, just a larger form factor...

chrismacmahon

If you are in no rush, I would advocate waiting a week or so.

akuma1x

@chrismacmahon said in New to pfSense, looking to put something in place, assistance appreciated!:

If you are in no rush, I would advocate waiting a week or so.

New hardware alert! New hardware alert!

:)

Jeff

chrismacmahon

No new hardware at all.

stephenw10

@dyspareunia said in New to pfSense, looking to put something in place, assistance appreciated!:

Can I use the WiFi on the board as a poor mans WiFi in my place until I get a proper AP?

Almost certainly not. I couldn't find much by way of detail for the chip but it's Intel 802.11ac wave 2 so probably AC 9560.
There is no driver for that in FreeBSD currently. The Intel AC driver that does exist does not support hostap mode so it can't run as an access point.
https://www.freebsd.org/cgi/man.cgi?query=iwm&sektion=4&apropos=0&manpath=FreeBSD+12.0-RELEASE+and+Ports

You don't mention what your actual WAN bandwidth is which is key factor in sizing hardware. And what bandwidth you need over VPN?

Steve

chrismacmahon

The SG-5100 is now at 699.00 vs 799.00: https://store.netgate.com/SG-5100.aspx