pfSense hardware help for new box (DiY)
-
Hi,
i want to ask for help with hardware review for new pfSense box (home use). Max price 450€ (only local reseler - no eBay, Amazon, ... )
Interfaces:
2 x Wan: Wan1 50/1Mbps (LTE router), Wan2 (ADSL+ router) 8Mbps/512kbps, setup as wan failover for parents, childrens will use only Wan2
1x LAN
1x Wifi (i will use AP)
1x DMZ (optional)planned services:
snort (on all interfaces), pfblocker, ntopng, DHCP, DNSSEC, Dynamic DNS, OpenVPN server for ADSL+, nut, traffic totalsMy HW from local reseller:
CPU: Intel i3-8100
RAM: 16G DDR4 2666 CL16 (HyperX Fury Black)
SSD: Intel 545S 128GB
Mobo: Asus TUF B360-PRO GAMING
LAN card: EDIMAX EN-9260TX-E V2 (RTL8168E) 4xThx,
Marian.
pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker
-
Hello, we build a lot of routers based on PC Engines APU2C4. An entire setup with case and power supply should be under $300, probably more in EU.
I imagine most people will complain about a Realtek LAN card. We used to use a lot of HP NC365T quad port LAN cards. Those are built with Intel LAN chipsets. They cost about $30 on eBay. There is a NC364T but that is based on Broadcom LAN chipsets which other people dislike.
If you can find a 30GB or 60GB SSD for a little less it makes more sense. The 128GB is fine, just a bit overkill.
Same kind of overkill for memory and mobo. The APU2C4 run with 4GB and have never given our offices any limiting issues. A gaming mobo is fancy but I would chose a CSM model (long term business support) from Asus/MSI/Asrock.
If you're happy with the local supplier, request a change to the LAN card, but, everything else will work fine. It just super duper hardware for home use.
-
An entire setup with case and power supply should be under $300, probably more in EU.
Nope on the contrary. Complete APU bundles are available for around ~165€ for an APU2D2 (3 NICs) or ~175€ for a APU4C2 (4 NICs). For less than 50Mbps I'd stay low on the hardware.
Yeah I would agree with @vegastech , just don't use Realtek based cards. Simply not worth the trouble. Just drop in a simple Intel card and be good.
snort (on all interfaces), pfblocker, ntopng, DHCP, DNSSEC, Dynamic DNS, OpenVPN server for ADSL+, nut, traffic totals
See no sense in running snort a) on all interfaces (why the hell?) or on WAN at all. Are you planning to offer services on your DSL line or via LTE? I suppose not, so can't see the deeper sense of running an IDS or even in IPS mode if most or all traffic on WAN is blocked anyways. pfBlockerNG's lists and settings are well used for additional LAN->WAN blocking. Any other things aren't that performance greedy so could run on an APU without hitch.
hardware list
Besides that I'd go for a solution better suited for network purpose. The hardware is bonkers IMHO. i3-8100 isn't needed for anything as the connection is no more then 50Mbps at max, even crypted. 16GB are too much and not needed anywhere. I've seen big corporate setups of pfsense that don't even need 8. I'd go with 8GB to have reserves but that's it.
SSD is nice even if 128 won't be needed but SSDs are happy little bunnies if they have enough space for wear leveling so nothing wrong with it. But as @vegastech already pointed out, a gaming MoBo and lowbob Realtec networking card show a severe lack of understanding what really is important for pfsense. A good/moderate CPU, RAM and superb network interfaces. The hardware list seems more like: "hey let's build a gaming rig and throw pfSense on it, if it annoys me, I'll just turn it into a gaming PC again"
As you're now running on a microserver, why bother with a gaming rig and don't just build/use something like a real networking platform? E.g. use a denverton based SOC (c3558 or alike) and put it in a small case, throw 8GB RAM into it and your SSD and be done? That thing can route a bunch and will most likely serve you years if you don't plan to require more than ~400-500Mbps of encrypted performance
Perhaps there are smaller Denverton SOC boards around but I'd go the Atom C2xxx or C3xxx route if an APU is too small for you. Will serve you well with network performance AND low power (~10W) instead of stealing ~60-80W with that gaming rig setup.
Cheers,
Jens -
Thx all for advices, now i must consider, what i will choose.
When done, i will post.
Thx, again.
so:
pcengines APU4c4
mSATA 30GIs there any WIFI n/ac module, that it can work with pfSense on that board, ideal for 2,4GHz and another for 5GHz?
-
@marian78 said in pfSense hardware help for new box (DiY):
Is there any WIFI n/ac module, that it can work with pfSense on that board, ideal for 2,4GHz and another for 5GHz?
I'd advise not to go that route. You won't get any (AFAIK) -ac to run, -n would be the most and even for that, the hardware to choose from is very sparse and picky. You could try some Atheros based cards but considering your time and the money for that, you'd be better of buying some good and configurable AP (I took a unify AP-AC-Pro and had no regrets).
