pfSense on Raspberry PI 4
-
Is there any way to install pfSense on a Raspberry PI 4 model B??
I'm looking for a low-cost firewall (for my home network) and would like to try with pfSense.
I read in some posts on the forum (a bit dated) different answers: from "it is not yet supported" to "it makes no sense to install it because raspberry has low performances"
Can you kindly tell me if it is possible to use it for the home network (a dozen phones, TVs, cameras) and 150Mbps connectivity?
Thanks in advance
-
@attilay2k No, it is not possible. There's no pfSense CE for ARM. The only 3 boxes running pfSense on ARM are Netgate's own devices: SG-1100, 2100 and 3100.
If you look for something cheap/small/low power to run at home, have a look at the SG-1100 then, it's almost the same form factor as a Raspi but comes with 3 NICs to use already instead of 1 that you'd have to split via VLANs.
I'd recommend the SG-2100 though even if pricier, it's a heck of a power-bundle and with the integrated 4 port switch quite versatile to use.
Cheers
\jens
-
@jegr "Low cost" and "Netgate products" are mutually exclusive, depending on where you are. Where I am, the SG-1100 costs $300. When I bought mine, I think it was closer to $350 at the time. The next one up, the 2100 costs $500. That's simply too much money for a home router for everyone except network enthusiasts. Used PCs are a dime a dozen and will run circles around these little ARM appliances. The only advantage is power-use, and you have to get several years of use out of it before you reach price parity.
-
@kom thanks, but if I have to spend 350/500 dollars for an appliance I will take a Cisco or a Fortinet (also refurbished)
I thought pfSense was Open Source..
-
@attilay2k Huh??? pfSense being open source has nothing at all to do with the price of hardware. If you don't want to buy their appliances then provide your own hardware and run pfSense CE on it. The source code is still there for you to read.
-
@kom I tried to provide my hardware (Raspberry PI 4) but it doesn't run
-
@attilay2k As has already been explained, there is no pfSense CE for ARM. It's also a terrible device to run a firewall on. Too under-powered with a single NIC.
-
Terrible is a relative term, just as perfect is relative.
A Pi may be the perfect firewall for a traveler in a hotel, small, WiFi capable and fast enough to outrun hotel internet access. An SG-7100 is a terrible firewall for the same guy.
My Pi4 will absolutely crush the 150Mb/s that is in the requirements. My Pi4 is my VPN target at home and gets over 200Mb/s, maxing out the remote client.
Getting the code to run on a Pi is a different problem.
-
@andyrh That may be. I find the SG-1100 to be in the same ballpark all things considered and it's a very similar form factor. Nice thing to carry around with to protect your laptop.
I also read many strange conceptions in this topic that make me wonder.
a) having non-supported hardware, first asking and afterwards "blaming" "I thought that is opensource aka free for me". Huh? What's that got to do with each other? pfSense CE is open source. It is built on top of FreeBSD x64. That's it. No ARM. No Solaris. No PowerPC. No other archs. No one has ever said anything against missing them. It's just the way it (currently) is.
So if you wanna play with the project on your own hardware - go for it, but the project is built on x64 nothing else. Hunt down some small x64 platform, a NUC or sth like that damn pcengines APU2/3/4 and fire away :)
b) "350/500$! Then I'll buy cisco!" ... Huh again?!
@KOM seems to live in a country where Netgate products aren't available or have hefty customs or shipping costs on top of the box price - that is really sad. BUT again: that is not the norm. I don't know where the OP @attilay2k is living, but instead of just repeating things without checking, perhaps he/she could have checked if Netgate HW is available and at what cost.
Where I'm located, I can buy one for 179$ + shipping. So now what about Cisco again? ;)
So TL;DR your mileage may vary, one should check the facts before jumping to wild conclusions or accusations. :)
-
@andyrh that's just what I'm trying to say, without wanting to offend anyone who does an absolutely excellent job in this forum.
I can also understand that in addition to having created the code (Open Source), they try to sell appliances, but my performance requirements are so low that they do not allow me to spend OTHER 300/500 dollars
What I want (simply) is to get some information from someone who has already installed pfSense on Raspberry PI 4 .. if I then realize that it is penalizing in terms of performances, I will evaluate other ways ..
-
@attilay2k said in pfSense on Raspberry PI 4:
What I want (simply) is to get some information from someone who has already installed pfSense on Raspberry PI 4
Good luck with that. As far as I know, it has never been done by anyone.
-
Then look at something used. There are many embedded x86 options that will work great with CE now and Plus when it becomes available.
Steve
-
There are a couple of options for low-power x86 devices, where you could run your own copy of pfSense:
https://ameridroid.com/products/odroid-h2
https://ameridroid.com/collections/single-board-computer/products/atomic-pi
Although from what I gathered on this thread, I beg the question, what is stopping someone from compiling the source code of pfSense CE on the Armhf/aarch64 platform? If it runs on the NetGate hardware with arm, shouldn't it work elsewhere (with the correct effort)?
At a certain price & effort point, it might make sense to just buy someone else's solution, rather than trying to make your own. Time is money as they say.
-
@msf2000 said in pfSense on Raspberry PI 4:
If it runs on the NetGate hardware with arm, shouldn't it work elsewhere (with the correct effort)?
Of course, but that's the trick. If it was easy, it would already be done by now.
-
@msf2000 said in pfSense on Raspberry PI 4:
(with the correct effort)
That is the key. Everything is a simple matter of coding.
For ARM platforms that effort can be considerable so the result needs to be worth it. For RasPi it has not been. It's possible.
Steve
-
@attilay2k said in pfSense on Raspberry PI 4:
I can also understand that in addition to having created the code (Open Source), they try to sell appliances, but my performance requirements are so low that they do not allow me to spend OTHER 300/500 dollars
Please start comparing real world prices. If you find you can get e.g. an SG1100 for 179$ and that's in your price range the whole price debate of 300/500$ is unnecessary as that's country/customs dependent. They DON'T cost that much normally.
Also again: there is no Raspi4 build as has been said multiple times already so the whole RasPi discussion is pointless. No ARM SOC is exactly like the other, just because SG1100/2100 are (I think) EspressoBins that work, doesn't mean that RasPi4 with a whole different ARM SOC works, too. There are also drivers and low level firmware to check with and licenses that may interfere while porting to other platforms.
I'd check in the way of @stephenw10 and see if there's some small tinkering board on x64 arch available. Odroid, NUCs, etc. All not optimal but not expensive either.
-
@attilay2k I have tried a few Linux based firewall distros on Raspberry Pi over the years just out of curiosity. I have rejected all of them because the log files are useless when a large number of entries appear stamped 1 Jan 1970.
The RPi does not have a battery backed Real Time Clock so it relies on syncing with an NTP source. However, quite often log entries are made before time sync has occurred. Yes you can add an RTC module to a Pi but this puts the cost up further.
My preference is to use repurposed thin client terminals. There are a number of low power consumption 64-bit Intel-based thin client terminals that have been produced by various brands. My favourites use 1.3GHz Intel Atom 3825 dual core CPU with AES-NI.
Used prices and models vary, but I often can buy one used and upgrade it with 32GB mSATA SSD, 4GB-8GB of RAM for less cost than a comparable RPi4. The RTC, AES-NI and SSD using ZFS make it far better than a RPi.
The only downside is the number of Ethernet interfaces, usually just one. Up until 2.4.5p1 I have successfully used them in 24/7 use cases with USB Ethernet. However, with 2.5.2 and 2.6.0 now with ure driver, reliability on USB Ethernet has gone. Fortunately, for all but a few I have reconfigured them to use VLANs with a VLAN capable switch.
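
The 1 Jan 1970 log entries described in the post above can be bounded at analysis time. This is an added example, not part of the thread or of any firewall distribution's tooling; the log format, host name, messages and the year-2000 floor are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timezone

# Timestamps before this floor mean "clock not yet set" (assumed threshold).
FLOOR = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Constructed sample: two boots of a board without an RTC, ISO-8601 stamps.
SAMPLE_LOG = """\
1970-01-01T00:00:07+00:00 fw kernel: filter rules loaded
1970-01-01T00:00:12+00:00 fw filterlog: block in on eth0 203.0.113.9
1970-01-01T00:00:19+00:00 fw ntpd: stepping clock
2024-03-02T08:15:40+00:00 fw ntpd: clock synchronised
2024-03-02T08:16:02+00:00 fw filterlog: block in on eth0 198.51.100.4
1970-01-01T00:00:05+00:00 fw kernel: filter rules loaded
1970-01-01T00:00:09+00:00 fw filterlog: block in on eth0 203.0.113.9
"""

def parse(text):
    """Split each line into (timestamp, rest-of-line)."""
    out = []
    for line in text.splitlines():
        stamp, _, rest = line.partition(" ")
        out.append((datetime.fromisoformat(stamp), rest))
    return out

def reanchor(entries):
    """Return (original_ts, latest_possible_ts_or_None, message) per entry.

    Pre-sync entries are shifted by (first good stamp - last bad stamp) of
    their boot. The true clock offset cannot exceed that gap, so the result
    is a "no later than" bound, not an exact time. A pre-sync run with no
    synced entry after it cannot be anchored and gets None.
    """
    result, run = [], []
    for ts, msg in entries:
        if ts < FLOOR:
            run.append((ts, msg))   # still waiting for this boot's sync
            continue
        if run:
            shift = ts - run[-1][0]
            result += [(t, t + shift, m) for t, m in run]
            run = []
        result.append((ts, ts, msg))
    result += [(t, None, m) for t, m in run]
    return result

if __name__ == "__main__":
    for orig, est, msg in reanchor(parse(SAMPLE_LOG)):
        print(orig.isoformat(), "->", est.isoformat() if est else "unanchored", msg)
```

Entries left unanchored are the ones that need another time source, such as the upstream switch or a remote syslog receiver's arrival time, before they can be placed on an incident timeline.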