Low power pfsense router for a noobie
-
Hello, new to the forums and (soon to be) new to pfsense. I've gotten tired of the lousy support and fudged firmware for my Dlink router and want to step up to something a little more extensible and just plain fun to put together ;D
My needs should be fairly mundane and simple, but I'm seriously confused about what sort of hardware to run.
On the network:
-5 PCs, 2 laptops
-1 Windows Home Server/FreeNAS(VMs)
-1 HTPC
-2 X360, 2 PS3
-4 cell phones (all to be using Wifi)
We plan to have dual internet connections, one which is metered but fast for browsing/gaming/day to day usage and one that is slower but unmetered for heavy usage (P2P, FTP, Netflix, etc). My hope is to have all applicable traffic forwarded in/out of the slower connection to prevent overage fees.
I have my old file server hardware that I can use, but I've priced it out and for the cost of adding enough NICs, a PSU and a case it might cost less than buying something better suited to the task. I've been looking fairly seriously at some of the tiny little ALIX and Via boards; 6x6 inch would be perfect since I could merge it into the same case as my WHS, no additional clutter, no additional noise. My big question is whether one of these little boards would be able to keep up. I'd love if someone could help shed some light for me on how I could expect performance to be (all the wired part of the network will be on a gigabit rackmount switch that then feeds into the router; I'm not sure how throughput is handled (does it pass through the router for LAN communication? I'm fairly uncertain with how these things work :P)).
Wireless I'm expecting to implement with a few wireless APs littered around the house (it's fairly sprawling and coverage needs to be guaranteed or my roommates will have some words for me ;)). Will post about that in the wireless forum once I figure out what my basic wired needs will be.
Specs, old server (this would then be coupled with a pair of Intel NICs):
-ASUS M3A76-CM
-AMD 4400+ AM2 cpu
-512mb generic ram
And here I put together a little diagram in case my explanation was tough to understand or just too boring to bother with.
Thanks for reading!
-
Alix boards are capable of about 80Mbit/s one-way (only ACKs in the other direction) or around 50Mbit/s symmetrical when looking only at firewall performance. If you add in snort, squid, VPN, or other more advanced options then the throughput will drop like a stone. Since all LAN traffic will be handled by your switch, only off-network access would count towards those numbers.
A Via C7 or Intel Atom board would be capable of much more but would dramatically increase the power consumption.
-
Thanks for the info, I guess I need to get reading on what all of those features actually DO before I can determine what exactly I will need.
-
You can simply catchall to WAN2 and pipe HTTP/gaming traffic only to WAN1 using firewall rules. Note that this can cause certain issues particularly with Netflix since your authentication might take place on a separate IP than what is used to stream.
Also, running squid will help lower actual web usage if a lot of the HTTP traffic is commonly accessed.
-
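The two-WAN split described in the post above, written out as an added example in pf syntax. pfSense generates its own ruleset from the WebGUI, so this is neither the project's ruleset nor anything from the original thread; interface names, networks, gateway addresses, the gaming port and the pinned destination block are all assumed.

```pf
# Added example, not from the original post or from pfSense's generated rules.
# Interface names, networks, gateway addresses and ports are assumed.
wan1    = "vr1"               # metered, fast
wan2    = "vr2"               # unmetered, slow
lan     = "vr0"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"
lan_net = "192.168.1.0/24"
web_ports  = "{ 80, 443 }"
game_ports = "{ 3074 }"       # assumed; each console service uses its own ports
# Destination block for a service that logs in on one address and streams
# from another (the Netflix problem noted above); the block is assumed.
pinned_net = "192.0.2.0/24"

# Source NAT on each uplink so replies come back on the link they left by.
nat on $wan1 from $lan_net to any -> ($wan1)
nat on $wan2 from $lan_net to any -> ($wan2)

# pf is last-match unless a rule says 'quick', so order matters here:
# the most specific rule comes first and each one stops evaluation.
# Traffic to the LAN itself (including the router) is never policy-routed.

# 1. Whole-destination pin: every flow to this block takes WAN2, even HTTP,
#    so login and streaming are seen from the same public address.
pass in quick on $lan route-to ($wan2 $wan2_gw) inet from $lan_net to $pinned_net keep state

# 2. Web and gaming go out the fast, metered link.
pass in quick on $lan route-to ($wan1 $wan1_gw) inet proto tcp from $lan_net to ! $lan_net port $web_ports keep state
pass in quick on $lan route-to ($wan1 $wan1_gw) inet proto { tcp udp } from $lan_net to ! $lan_net port $game_ports keep state

# 3. Catch-all: everything else (P2P, FTP, Netflix, ...) takes the unmetered link.
pass in quick on $lan route-to ($wan2 $wan2_gw) inet from $lan_net to ! $lan_net keep state

# LAN-to-LAN and LAN-to-router traffic gets an ordinary pass with no route-to.
pass in quick on $lan inet from $lan_net to $lan_net keep state
```

`pfctl -nf <file>` parses a ruleset without loading it, which is a cheap syntax check. In the pfSense WebGUI the same thing is a set of LAN rules with the Gateway field set to the WAN1 or WAN2 gateway, ordered top to bottom exactly as above: the destination pin first, then the port-specific rules, then the catch-all.
-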
Off-topic…but I suspect you will run into this.
Look at this post: http://forum.pfsense.org/index.php/topic,26947
pfSense (BSD) uses symmetric-NAT and not cone-NAT. Symmetric is more secure, but it has its share of problems too. Just FYI.
-
Snort = Intrusion detection
Squid = Caching
VPN = Remote Access
If you are on a metered pipe you may actually want Squid which will likely disqualify the Alix.
-
Thanks for the info, I was reading around and while there seem to be lots of "how to set up squid" I couldn't find much about what it actually DOES :P
The connection is capped at 200GB, so if I move all the heavy stuff(P2P, FTP, Netflix) to the uncapped connection I don't think we should have much problem with keeping under it. VPN is fairly meaningless for me, any files I need constant access to are kept in sync already with rsync to my various devices.
Are there any other compelling reasons to step up to a more powerful machine? Even the possible noted 50MB/s is more throughput than my internet connections can handle (even if I had 3 of each); internet in Canada is sort of a joke for speed. I've seen some notes of stuff like logging, is it possible to log to another location (i.e. not onto the CompactFlash or an internal HDD? though the HDD IS an option)?
-
VPN just allows you to tunnel back home while you're out and connect to your local network as if you were connected to the LAN. This is useful for stuff like RDP or perhaps to grab a file you need from home. Most home users don't need it but you may or may not like to have it since you have a storage server/VM going. Another use would be to RDP back and queue up downloads on the server(s).
As to the logging, you can setup a Syslog server on your VM and redirect the logs there.
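A receiver for the remote logging suggested above, as an added example that is not part of the original reply. It assumes a Linux VM running rsyslog 7 or later, a router LAN address of 192.168.1.1 and a VM LAN address of 192.168.1.10; pfSense itself is FreeBSD and ships syslogd, so a FreeNAS-based VM would need the equivalent syslog.conf setup instead.

```conf
# Added example (not from the original post): rsyslog drop-in on the VM,
# e.g. /etc/rsyslog.d/10-pfsense.conf. Addresses are assumed.
module(load="imudp")

# Bind only to the LAN address. Syslog over UDP is unauthenticated and
# trivially spoofable, so the listener must never be reachable from the WAN,
# and the VM's host firewall should only admit UDP 514 from 192.168.1.1.
input(type="imudp" address="192.168.1.10" port="514")

# Everything from the router goes to its own file, then processing stops
# so the firewall log does not also flood the general system log.
if $fromhost-ip == "192.168.1.1" then {
    action(type="omfile" file="/var/log/pfsense.log")
    stop
}
```

On the pfSense side, remote logging is enabled under Status > System Logs > Settings by pointing the remote syslog server at the VM's LAN address; the router only sends, so no inbound rule is needed on it. Keeping the log off the CF card also avoids wearing it out with constant writes.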
-
Awesome, thanks for the information! All downloads are "hands-off" from the time it's initiated until it finally gets deposited in the correct folder (regexp utopia), so judging from all this I think the ALIX board should cover my needs and then some, and at a lower cost of entry than adding the requisite additions to my current hardware as well!
-
The Alix sounds like it will be fine. I use one at home with my 35/35 connection and have no issues maxing it out. I added a VPN1411 accelerator card so that I don't get any slowdown when connecting to my home network remotely (without one, you'll only get 10-12Mbit/s of VPN performance out of the Alix).
-
Awesome, now just to find a legit site that looks like I can trust it ;D
-
You can find it under recommended vendors on the main page. Specifically, here:
http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50
-
I've bought the couple Alix boxes I have from NetGate.
-
Now, I'm seriously new to this, since it has no video output how do I go about performing initial setup? I did notice that it has a serial port (I'm fearing this is how I perform the setup), but I lack any machine that actually HAS a serial port. All my computers are running enthusiast hardware, old standards die quickly for gamer hardware.
How does one go about this? Can I install on another machine to my HDD/CF card and then migrate the install or would that cause issues?
-
There are 2 choices:
1) HDD full install. You need a 2.5" PATA drive for this. Do a full install on another machine but select the 'Embedded Kernel' when prompted.
2) Embedded install on a CF card. You need a serial port on another computer (I recommend getting a cheap USB to serial adapter).
Use physdiskwrite to write the image to the cf card and plug it in.
Then hook up the serial ports on both sets via a null modem cable.
Fire up PuTTY on the PC you're using to configure the box. Settings are: (COM1 typically) 9600/8/N/1.
Once you've done the basic configuration (set the interfaces & IPs), you can proceed to do the rest of the work via the WebGUI.
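The embedded-install path from the reply above, done from a Unix box instead of physdiskwrite, as an added example that is not part of the original thread. The image file name, the published checksum, the CF device path and the USB-serial device name are all assumptions; the console settings are the ones given in the reply (9600/8/N/1 over a null modem cable).

```shell
#!/bin/sh
# Added example (not from the original post). Image name, checksum, CF device
# and serial device are assumed; check them against your own download and
# dmesg/lsblk output before running anything that writes.

# Verify the downloaded image against the SHA256 the download site publishes
# before writing it: a corrupt or tampered image on the boot media is not
# something you want to debug over a 9600 baud console.
# Usage: verify_image <file> <expected-sha256>   (returns 0 on match)
verify_image() {
    file="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Write the gzip-compressed embedded image to the raw CF device. dd will just
# as happily overwrite your system disk, so the device argument is the one
# thing to double-check.
# Usage: write_image pfSense-1.2.3-4g-nanobsd.img.gz /dev/sdX   (names assumed)
write_image() {
    image="$1"
    device="$2"
    gunzip -c "$image" | dd of="$device" bs=16k
    sync
}

# Open the console through a USB-to-serial adapter at 9600 baud, 8 data bits,
# no parity, one stop bit. cu is preferred where present; screen otherwise.
# Usage: console [/dev/ttyUSB0]
console() {
    port="${1:-/dev/ttyUSB0}"
    if command -v cu >/dev/null 2>&1; then
        cu -l "$port" -s 9600
    else
        screen "$port" 9600,cs8,-parenb,-cstopb
    fi
}

# Typical sequence (device names assumed):
#   verify_image pfSense-1.2.3-4g-nanobsd.img.gz <sha256 from the download page> && \
#   write_image  pfSense-1.2.3-4g-nanobsd.img.gz /dev/sdX && console /dev/ttyUSB0
```

Once the board boots and the console shows the interface-assignment prompt, the rest follows the reply above: assign the interfaces and IPs from the serial console, then finish in the WebGUI.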