New hardware suggestion? (pfsense + proxy + ntpd = done)



  • Hi there,
    currently I am trying to upgrade my dear old soekris net4801 from pfsense 1.01 to the current release. In addition to my current usage I want to have a proxy (with login) running and I'd appreciate if there was a time server then. Problems occurred I don't want to bug you with yet (hope when having flashed a new BIOS version then it will boot from the new 4GB CF), but while digging the net I found several hints that my nice 4801 might have gotten on a bit in the meanwhile and I should think about getting a successor.

    As you can see in the title, there are no performance killer applications, my internet connection is slow anyway and the WIFI network segment is also slow. But I might get faster internet access in the near future and preparations are made to stream HD movies through pfsense to WIFI clients.

    When I followed the "hardware" links on the pfsense.org main pages, I got lost somewhere. Maybe someone here has a suggestion to look at. What I am looking for:

    • (preferably small) appliance for embedded system.

    • fanless design

    • low power consumption (at least when not actively in use, which will be around 22 hours a day)

    • silent

    • at least 3, better 4 NICs (WAN, LAN, DMZ, untrusted=WIFI access point) or 3+1 WIFI

    • I prefer buying in EU cause everything else is pretty annoying due to our tax authorities who can need 3 weeks to pass a small item, but EU is not a must.

    • I prefer a lot to have a box where I can flash an unaltered image and configure it. Again, this is not a must. I am not afraid of using Linux and have a Fedora box running (yeah I know, it's a girls' Linux …) and downloaded a *BSD image already, but I am not very familiar with it, hence I won't be able to solve many of the problems that might occur.

    I normally don't need much throughput, but short latencies for games and skype as well as the traffic shaper which works fine for me with my old soekris board.

    I hope that I could get a nice box for a total of less than 300 € (price, taxes, tolls, shipping, additional NICs), but for quality and peace of mind I'd rather spend 100 € more. There is no hard limit on my (private) budget, though.



  • I would recommend the D510 based boards but your requirements may scale to beyond what the processor can handle (in terms of throughput) with the implementation of HD movie streaming.

    In the worst case, we're looking at 35Mbits per 1080P uncompressed streaming - which, if it has to be routed through the box from LAN to WLAN, will chew up a fair bit of the available throughput on the D510 (this will be capable of approx. 200+Mbps with filtering enabled).

    However, if you can simply use a separate Wifi AP to implement the wireless security and connected to the LAN segment (presumably, the movies are streamed off a server of sorts on the LAN segment), then the D510 will likely suffice and meet your requirements.

    As to running packages like Squid (Proxy) on flash media, this is not quite recommended due to the increased disk I/O which will kill MLC media fairly quickly.  Since this is not absolutely required, I would recommend using a 2.5" HDD (laptop HDD) which will still have low power consumption but would be more apt for Squid caching duties.



  • Hi dreamslacker! Thank you for your reply!

    Yes, media will be streamed by a Synology NAS Box (UPnP media server, NFS or CIFS). Actually I mainly bought it to improve data availability (RAID5), but it comes with several features one might want to use, once they're around. :-)

    Currently my pfsense has 3 NICs, one is simply attached to a WIFI access point. I can keep it like this to reduce the CPU load of my future pfsense appliance. Will a D510 then be able to put through (from NIC to NIC) around 200 Mbps (if I understood your post right)?

    I do not need caching, I only want the feature of forcing to login, as this prevents software from "calling home" and even can reduce the impact of malware that found its way to my computer. Sorry that I forgot to write that earlier.
    Currently my proxy (apache on an about 15 years old desktop) keeps a log file because there are some legal uncertainties in my sweet home country and keeping an access log can help you in case of false accusations. I thought that I would have to give up logging when using squid on pfsense, but having it run from a hard disk can be an even better option.

    Thanks again for your help!



  • @rd:

    The D510 will be capable of 200Mbits/s throughput in total when filtering.
    In any case at all, you can simply run the proxy without caching and also run a syslog server for logs if you wish to run embedded on a flash drive.
    If you just want to force users to authenticate, then you'd use Captive Portal functions instead.  Both are available for pfsense.
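
Added example, not part of any post in this thread: one way to use the proxy access log discussed above to see which software is trying to "call home" without credentials. It assumes Squid's native access.log format; the sample lines, host names and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1300000000.101     12 192.168.1.20 TCP_DENIED/407 1820 GET http://www.example.org/ - HIER_NONE/- text/html
1300000000.950    210 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.org/ rd HIER_DIRECT/203.0.113.10 text/html
1300000042.007      3 192.168.1.20 TCP_DENIED/407 1795 CONNECT updates.example.net:443 - HIER_NONE/- text/html
1300000102.011      2 192.168.1.20 TCP_DENIED/407 1795 CONNECT updates.example.net:443 - HIER_NONE/- text/html
1300000162.300      4 192.168.1.31 TCP_DENIED/407 1801 POST http://telemetry.example.com/report - HIER_NONE/- text/html
"""

def host_of(method, url):
    """Return the destination host for a proxied request."""
    if method == "CONNECT":            # CONNECT logs host:port, not a URL
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def unauthenticated_only(log_text):
    """Map (client, host) -> number of 407 denials, keeping only pairs for
    which the client never made an authenticated request to that host.
    A browser's normal 407 challenge followed by a login is filtered out."""
    denied = defaultdict(int)
    authed = set()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:                # skip truncated or malformed lines
            continue
        client, result, method, url, user = f[2], f[3], f[5], f[6], f[7]
        key = (client, host_of(method, url))
        if result.endswith("/407") and user == "-":
            denied[key] += 1
        elif user != "-":
            authed.add(key)
    return {k: n for k, n in denied.items() if k not in authed}

if __name__ == "__main__":
    for (client, host), n in sorted(unauthenticated_only(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {n} unauthenticated attempts")
```

Destinations that only ever appear with 407 denials are the ones contacted by software that does not know the proxy credentials, which is the behaviour the forced login is meant to block.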

