PfSense on a Dell Latitude E6420
-
Apologies if this is covered somewhere else on this forum. (It is covered but I still have questions)
I know I can run PfSense on a laptop. However, I have 3 questions for the gurus here.
Background: Laptop is a Dell Latitude E6420 with an i7 2620M CPU @ 2.70GHZ and 8GB RAM with an Express Card Slot and an onboard Intel82579LM Gigabit Network Connection. I have a Cox ISP connection with 300 down and 30 up. I may upgrade to gigabit connection.
I plan to purchase the Startech 1 Port ExpressCard Gigabit Laptop Ethernet NIC Network Adapter Card (EC1000S) with the Realtek chipset as my second LAN port.
Questions:
- Which LAN port/device should connect to my Ubiquiti managed switch: the onboard LAN or the Startech EC adapter? Does it matter which port connects to which device, i.e. modem and switch?
- Will the Startech EC1000S with the Realtek chipset work? I've seen some forums say it won't work as well. The problem is I can't find an Intel-based ExpressCard LAN adapter.
- Using two LAN ports (one onboard Intel and one Realtek ExpressCard device), will I get 1GB full duplex?
Thanks
-
@FrankZappa First is to check whether that Intel onboard NIC works with pfSense, as some don't. If it does, I would use that for LAN, especially if you plan to run the IDS/IPS package in inline mode ... otherwise, you'll run legacy mode. You can use the Startech for WAN ... yes, you should have full 1GB duplex.
I couldn't find the link for compatible NICs; however, this could help.
https://docs.netgate.com/pfsense/en/latest/book/hardware/index.html
https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html
This is the one I was looking for: https://forum.netgate.com/topic/24/supported-hardware-for-pfsense-freebsd-hcl and https://forum.netgate.com/topic/151981/intel-i340-t4-nic-not-recognised-help/17
-
- If you're just connecting a LAN to the internet it doesn't matter.
- Probably.
- Likely.
More details:
-
Since you have a managed switch I'd just use the Intel adapter and VLANs. Otherwise, use the Intel for LAN and the Realtek for WAN.
-
The Realtek support is pretty robust. My own experience is that in a 1Gbps scenario a Realtek interface using the 're' driver uses a measurable amount of CPU interrupt, which may or may not be significant. This is in comparison to an Intel NIC using the 'em' driver (which is what the 82579LM uses) passing the same traffic, which does not consume the same amount of CPU time. I expect that in the majority of situations this won't make much of a difference, but combining crypto and packet inspection can make even a 300Mbps residential connection quite demanding.
-
As long as you're not using packet inspection or VPN.
-
Thanks. Unfortunately I planned to use both OpenVPN and packet inspection. That said, if I had to pick only one, it would be to keep my OpenVPN.
Just curious as to how effective the firewall is if I don't use packet inspection?
I really wanted to use a laptop for this rig as I have a decent one hanging around that I don't use. The processor is great but my second NIC is not (Startech). Not having a second Intel LAN is becoming a frustrating experience, as there are no Intel ExpressCard LAN adapters.
Thanks
-
Just to clarify my use of OpenVPN: I use it occasionally to remote into my LAN from afar. So it's not really processing WAN/LAN traffic 100% of the time. When not in use (connected to a client), does this reduce processor load, or is it always in a ready-to-receive-traffic mode?
-
You may find that NIC works great for you, but USB NICs have a terrible reputation in general and most of it's justified.
You may find you can't get anywhere near Gigabit through it. You may find it does other odd things like disconnecting unexpectedly. Impossible to say without testing it.
Almost everyone would say use VLANs and a single NIC (router on a stick) in preference to a USB NIC. I certainly would.
Steve
-
@FrankZappa Yeah, if you just use OpenVPN for remoting into your home network it won't impact your performance in the way I was talking about.
Regarding packet inspection, we're talking about using snort or suricata on top of the packet filtering done by pf.
Using suricata is great, but the hard part about making it effective is knowing what to do with the data it gives you. I have it on my home firewall right now and it's just doing its thing and logging the output. Which is fine, but in an un-curated setup like mine, it produces more than 13 million messages in a 24 hour period, the vast majority of which can simply be ignored. So if you want to make good use of it, be prepared to put in the time to really, really dial it in.
Regarding the second NIC, you're talking about something like this right?
Anyway, depends on how fancy you want to get. I've seen at least one expresscard to pci-e x1 adapter out there. Heck, my own router is using a mini pci-e to pci-e adapter to connect a quad port NIC to a half-length mini pci-e slot. It only has one lane but it's been fast enough for me so far.
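The triage whosmatt describes (millions of Suricata alerts a day, most of them ignorable) is easier with a small script over eve.json. The following is an added example, not code from the thread or from pfSense: it parses constructed eve.json alert lines, ranks signatures by hit count, and emits Suricata `threshold.config` suppress entries for low-severity signatures that fire repeatedly, so the remaining alerts are worth reading. The sample events, IP addresses and hit counts are invented.

```python
import json
from collections import Counter

# Constructed sample of Suricata eve.json lines (invented values, not real traffic);
# the field names follow the EVE JSON "alert" layout. The last line is deliberately
# truncated, as happens at the tail of a log being rotated.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2020-05-01T10:00:01.000000-0700","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2210020,"signature":"SURICATA STREAM ESTABLISHED packet out of window","severity":3}}',
    '{"timestamp":"2020-05-01T10:00:02.000000-0700","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2210020,"signature":"SURICATA STREAM ESTABLISHED packet out of window","severity":3}}',
    '{"timestamp":"2020-05-01T10:00:03.000000-0700","event_type":"alert","src_ip":"192.0.2.20","dest_ip":"203.0.113.9","alert":{"gid":1,"signature_id":2210020,"signature":"SURICATA STREAM ESTABLISHED packet out of window","severity":3}}',
    '{"timestamp":"2020-05-01T10:00:04.000000-0700","event_type":"flow","src_ip":"192.0.2.20","dest_ip":"203.0.113.9"}',
    '{"timestamp":"2020-05-01T10:00:05.000000-0700","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}',
    'this line is truncated {"event_type":"alert"',
])

def parse_eve(text):
    """Return only the alert events, skipping flow/dns/etc. and malformed lines."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # keep going past a truncated line instead of aborting the run
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts

def count_by_signature(alerts):
    """(gid, sid, signature text) -> hit count, most frequent first."""
    keys = ((a["alert"]["gid"], a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts)
    return Counter(keys).most_common()

def suppress_lines(alerts, min_hits, min_severity=3):
    """Suricata threshold.config 'suppress' entries for signatures that fired at
    least min_hits times and never above the given severity (1 is most urgent)."""
    worst = {}  # most urgent severity seen per (gid, sid)
    for a in alerts:
        key = (a["alert"]["gid"], a["alert"]["signature_id"])
        worst[key] = min(worst.get(key, 99), a["alert"]["severity"])
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for (gid, sid, _sig), n in count_by_signature(alerts)
            if n >= min_hits and worst[(gid, sid)] >= min_severity]

if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    for (gid, sid, sig), n in count_by_signature(alerts):
        print(f"{n:>8}  {gid}:{sid}  {sig}")
    print("\n".join(suppress_lines(alerts, min_hits=3)))
```

Review each generated suppress line before adding it to the Suricata threshold configuration; a noisy signature is not always a harmless one, and the severity filter only keeps the highest-priority rules out of the suppress list.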
-
Thanks Whosmatt. Yes, the NIC is the Startech ExpressCard single port version (you linked to the dual port version). I'll hook that up to the WAN (modem) and use the onboard Intel NIC to connect to my Ubiquiti managed switch.
I wasn't planning on using suricata, but now you have my curiosity piqued (I watched an hour-long YouTube tutorial). If I don't use suricata, is the pf packet filtering good enough? Also, does pf block bad IP addresses automatically? Wasn't sure if it did. My Asus router uses Skynet as an add-on and it blocks known bad IPs. Just curious.
Thanks for the advice.
-
pf blocks EVERYTHING by default :)
There is a package called pfblocker-ng that many (myself included) use for automatically blocking known bad actors with updated block lists and the like. That's probably what you're looking for.
-
Thanks whosmatt.
-
Thanks NollipfSense.
-
@stephenw10 Thanks Stephen. Is the Express Card Slot considered a USB NIC?
-
Nope. Or at least it probably isn't; ignore me!
Express card does provide USB so it can accept modems etc but I would not expect a NIC to use that. This looks like it uses the Realtek RTL8110 which is a PCIe chip.
Steve
-
@FrankZappa it's used like a PCIe slot.
-
@stephenw10 Any idea if I can use this ExpressCard adapter with pf?
Sonnet Technologies Presto Gigabit Ethernet Pro ExpressCard/34
https://www.amazon.com/Sonnet-Technologies-Gigabit-Ethernet-ExpressCard/dp/B00I8MMWTY
It appears to have a Broadcom chip (I think). Not sure if this is compatible. Thoughts?
-
Without knowing what the actual chipset they're using is there's no way to know.
-
@stephenw10 If it's Broadcom, will it work?
-
@FrankZappa I read where it works fine with Linux with its Broadcom NetXtreme BCM57762 controller. No idea if this is compatible with pfSense.
-
If it is indeed the BCM57762 it should work with the bge driver:
https://www.freebsd.org/cgi/man.cgi?query=bge&sektion=4
-
@whosmatt Thanks whosmatt. Do I need to install the driver or will pf already recognize it?