Netgate Discussion Forum

    PfSense vs prosumer routers for a small business office

    • jtsoi

      Hello pfSense gurus, a newbie here trying to figure out what to get for the small 10 person office.

      We are a small IT shop with a 100/100Mbit dedicated fiber link; most of our services are running on VPSes
      located across Europe. As we are financing the company out of our own pockets right now, we are strained on cash right now.
      So I thought I would find a suitable open source firewall/router distro.

      From all the posts and the wiki, I understand we would need something around a 1.5GHz CPU to get 100/100 Mbit throughput via pfSense.
      (And that is just the NAT, without squid or other packages.)

      I like what I have read about pfSense, and we would like to use features such as 1:1 NAT, local DNS, DNS cache.
      No plans atm to use VPN.

      So an i3 machine with dual Intel NICs is about 300-400€. (Sounds great if compared to a firebox)

      But, I can't help wondering if a prosumer router like the Asus RT-N56U might be a simpler choice? (100€)
      http://www.smallnetbuilder.com/wireless/wireless-reviews/31436-asus-rt-n56u-black-diamond-dual-band-gigabit-wireless-n-router-reviewed

      How do they get 800+Mbit throughput on a 500MHz CPU? Is there something I am fundamentally missing?
      I understand that the Asus does not have any of the advanced features of pfSense, not even close, but given the features we are interested in,
      is it worth the extra 300% cost and setup time?

      Any recommendations on what to do?

      Thankful for any advice.
      /JT

      • sekular

        I would feel more confident installing a pfSense firewall at a client than some cheapo Asus or Netgear. Once pfSense is set up in a simpler environment like that you can just "setup and leave it".

        If you have a rack then I would get a rackable appliance and install pfSense on that. If you are really short on cash you can get any old desktop PC and buy some gigabit NICs and set pfSense up on that.

        Once you have experience with pfSense then setup time would be no different than any other device. I would recommend learning it before you start recommending and rolling it out to clients. Same with any technology.

        http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack-edition-pfsense-appliance.html

        • stephenw10, Netgate Administrator

          An Atom based box will do 100/100 easily.
          See: http://forum.pfsense.org/index.php/topic,27780.0.html
          That D510 board managed >200Mbps duplex.
          However, an i3 based system will be far more flexible and will handle any VPN loading you might need in the future.

          Steve

          • lokapal

            In your case I'll vote for the Netgear WNDR3700 v2 + dd-wrt firmware.
            You can look at http://www.smallnetbuilder.com/lanwan/router-charts/bar/74-wan-to-lan
            and also at http://www.dd-wrt.com for the compatibility of different routers with this firmware.

            • stratagem

              The Asus does local DNS?

              It's worth the 30 minutes of time, total, to go pfSense:

              • Buy a SuperMicro SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit LAN w/ IPMI.
                – $300-330

              • Buy 2 x 2GB 1333MHz (PC10600) DDR3 SO-DIMMS.
                – $25-30

              • Buy a SATA II to CF adapter.
                – $10-15

              • Buy a 2GB CF card.
                – $10-15

              That should take about 5 to 10 minutes of some serious clicking to complete :). While you're waiting for the parts to come in, download the 64 bit live CD ISO and the SuperMicro IPMI software.

              • Put it together. The case will hold a full length bracket and has clearance for a CF+PCB if one were to buy a SATA II to CF adapter that mounts that way ;).

              So, another 10 minutes but let's add 5 more to that so you have time to examine the fanless PCB and turbine they call a PSU fan.

              • Plug in a USB DVD-ROM and hook up KVM to install…or just hook up the first Intel Gigabit LAN port and fire up the IPMI 2.0 software to perform a network install.

              • Select the embedded kernel when asked near the end of the installation process. Alternatively, sell your first born and use the proceeds to purchase a hard drive at current prices instead of the CF+adapter and select the SMP kernel instead.

              That's a final five minutes, if you read all the prompts.

              • Take an early lunch.

              • lokapal

                @stratagem:

                The Asus does local DNS?

                • Buy a SuperMicro SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit LAN w/ IPMI.

                • Buy 2 x 2GB 1333MHz (PC10600) DDR3 SO-DIMMS.

                  • Buy a SATA II to CF adapter.

                  • Buy a 2GB CF card.

                    That should take about 5 to 10 minutes of some serious clicking to complete :). While you're waiting for the parts to come in, download the 64 bit live CD ISO and the SuperMicro IPMI software.

                    • Put it together. The case will hold a full length bracket and has clearance for a CF+PCB if one were to buy a SATA II to CF adapter that mounts that way ;).

                    So, another 10 minutes but let's add 5 more to that so you have time to examine the fanless PCB and turbine they call a PSU fan.

                    • Plug in a USB DVD-ROM and hook up KVM to install…or just hook up the first Intel Gigabit LAN port and fire up the IPMI 2.0 software to perform a network install.

                    • Select the embedded kernel when asked near the end of the installation process. Alternatively, sell your first born and use the proceeds to purchase a hard drive at current prices instead of the CF+adapter and select the SMP kernel instead.

                    That's a final five minutes, if you read all the prompts.

                    • Take an early lunch.

                    Ok, what about a good WiFi N card? What if they need a PPTP uplink? The final grand total will be near $500 or even more. And the result will be quite the same (for 10 computers). And over the very long term they will pay 10 times as much for electricity for the "big" router box. No misunderstanding - I like pfSense and use it as a good free router OS, but in the "serious" cases - fast down/uplinks, failover/balancing uplinks, 20 or more computers etc. In the case of a very small office, modern routers are good too (especially with dd-wrt or openwrt).

                • stratagem

                  @lokapal:

                  Ok, what about a good WiFi N card?

                  WiFi is for coffee shops, not offices :D. I use PoE APs on a VLAN with captive portal/VPN pass-through.

                  @lokapal:

                  What if they need a PPTP uplink?

                  A PPTP uplink? I haven't had the need but, AFAIK, pfSense can handle that.

                  @lokapal:

                  The final grand total will be near $500 or even more.

                  $500 total? Nah, I was being conservative with those prices. I put together this exact machine last week for $355, shipped. Now, if you add in wireless, things will go up a bit.

                  @lokapal:

                  And over the very long term they will pay 10 times as much for electricity for the "big" router box.

                  The SYS-5015A-EHF-D525 will be drawing less than 30W AC at full load. The wall transformer for the Netgear WNDR3700 v2 supplies a maximum 30W DC to the device…at an average efficiency of 40-50%.

                  @lokapal:

                  In the case of a very small office, modern routers are good too (especially with dd-wrt or openwrt).

                  I agree.

                  • dhatz

                    pfSense is very feature-rich and beyond the basics there is a learning curve, even if one has a solid background in networking (knowing the BSD/Linux way of doing things also helps).

                    pfSense would shine if you expect to host services internally, or do VPN, or complex routing.

                    Until now cheap consumer routers were very limited in terms of hardware, but it seems that this new Asus RT-N56U "prosumer" router can handle a 100/100 line (note: if the SNB review is to be believed).

                    • jtsoi

                      Interesting input guys,

                      @stratagem:
                      Interesting that you mentioned the SuperMicro board, I found this article on SNB:
                      http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense?start=1

                      ATM I'm leaning towards the €50 Netgear WNR3500L or €75 WNDR3700, with dd-wrt or Tomato. (Thanks lokapal) That will cover the short term need for a couple months,
                      giving me time to read up on pfSense.

                      I think I'll go for an appliance, in the long run. (Somehow I think an appliance would be more reliable? Am I wrong?)

                      Regarding this one:
                      http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack-edition-pfsense-appliance.html
                      It has a 500MHz CPU, will that cover the 100/100 throughput? I suppose Squid is out of the question.

                      Also found this one:
                      http://www.excito.com/node/9
                      2xGbit LAN, 1.2GHz CPU, 8W power - for those living in the EU (me) this would be a steal.
                      Does anyone know if you can run pfSense on it? Seems to come bundled with Debian.

                      /JT

                      • stephenw10, Netgate Administrator

                        @jtsoi:

                        I think I'll go for an appliance, in the long run. (Somehow I think an appliance would be more reliable? Am I wrong?)

                        More reliable than a general purpose server? Not necessarily. Choose one with few moving parts but make sure it has been designed for few moving parts!

                        @jtsoi:

                        Regarding this one:
                        http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack-edition-pfsense-appliance.html
                        It has a 500MHz CPU, will that cover the 100/100 throughput? I suppose Squid is out of the question.

                        I think you might be pushing that CPU but I can't find any data.

                        @jtsoi:

                        Also found this one:
                        http://www.excito.com/node/9
                        2xGbit LAN, 1.2GHz CPU, 8W power - for those living in the EU (me) this would be a steal.
                        Does anyone know if you can run pfSense on it? Seems to come bundled with Debian.

                        That's ARM based. No pfSense on that I'm afraid.  :(  (Yet!)

                        Steve

                        Edit: Yes that appliance is just an Alix in an enclosure.
                        @Koen:

                        Maximum throughput is about 85 mbit/sec on NAT and bridging and 15 mbits/sec when using IPSec

                        • jtsoi

                          Thanks stephenw10,

                          I'll do some more research on hardware, will post if I find anything interesting.
                          Thanks all for taking your time with my questions, much appreciated! :)

                          /JT

                          • lokapal

                            I also advise you to look at Mikrotik solutions - they are proprietary Linux-based routers, but they are damn good, and level6 Mikrotik software licenses are free for their own hardware. Although, again, I have to tell you that both Mikrotik and pfSense will be overkill in your case - the Netgear 3700v2 will cover all your needs until you become something like Google!  ::)
