PfSense vs prosumer routers for a small business office



  • Hello pfSense gurus, a newbie here trying to figure out what to get for the small 10 person office.

    We are a small IT shop with a 100/100Mbit dedicated fiber link; most of our services are running on VPSes
    located across Europe. As we are financing the company out of our own pockets right now, we are strained on cash.
    So I thought I would find a suitable open source firewall/router distro.

    From all the posts and the wiki, I understand we would need something around a 1.5GHz CPU to get 100/100 Mbit throughput via pfSense.
    (And that is just the NAT, without squid or other packages.)

    I like what I have read about pfSense, and we would like to use features such as 1:1 NAT, local DNS, DNS cache.
    No plans atm to use VPN.

    So an i3 machine with dual Intel NICs is about 300-400€. (Sounds great compared to a Firebox.)

    But I can't stop wondering if a prosumer router like the Asus RT-N56U might be a simpler choice? (100€)
    http://www.smallnetbuilder.com/wireless/wireless-reviews/31436-asus-rt-n56u-black-diamond-dual-band-gigabit-wireless-n-router-reviewed

    How do they get 800+Mbit throughput on a 500MHz CPU? Is there something I am fundamentally missing?
    I understand that the Asus does not have any of the advanced features of pfSense, not even close, but given the features we are interested in,
    is it worth the extra 300% cost and setup time?

    Any recommendations on what to do?

    Thankful for any advice.
    /JT



  • I would feel more confident installing a pfSense firewall at a client than some cheapo Asus or Netgear. Once pfSense is set up in a simpler environment like that you can just "set up and leave it".

    If you have a rack then I would get a rackable appliance and install pfSense on that. If you are really short on cash you can get any old desktop PC, buy some gigabit NICs and set pfSense up on that.

    Once you have experience with pfSense, setup time would be no different than any other device. I would recommend learning it before you start recommending and rolling it out to clients. Same with any technology.

    http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack-edition-pfsense-appliance.html


  • Netgate Administrator

    An Atom based box will do 100/100 easily.
    See: http://forum.pfsense.org/index.php/topic,27780.0.html
    That D510 board managed >200Mbps duplex.
    However, an i3 based system will be far more flexible and will handle any VPN loading you might need in the future.

    Steve



  • In your case I'd vote for the Netgear WNDR3700 v2 + dd-wrt firmware.
    You can look at http://www.smallnetbuilder.com/lanwan/router-charts/bar/74-wan-to-lan
    and also at http://www.dd-wrt.com for the compatibility of different routers with this firmware.



  • The Asus does local DNS?

    It's worth the 30 minutes of time, total, to go pfSense:

    • Buy a SuperMicro SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit LAN w/ IPMI.
      – $300-330

    • Buy 2 x 2GB 1333MHz (PC10600) DDR3 SO-DIMMS.
      – $25-30

    • Buy a SATA II to CF adapter.
      – $10-15

    • Buy a 2GB CF card.
      – $10-15

    That should take about 5 to 10 minutes of some serious clicking to complete :). While you're waiting for the parts to come in, download the 64 bit live CD ISO and the SuperMicro IPMI software.

    • Put it together. The case will hold a full length bracket and has clearance for a CF+PCB if one were to buy a SATA II to CF adapter that mounts that way ;).

    So, another 10 minutes but let's add 5 more to that so you have time to examine the fanless PCB and turbine they call a PSU fan.

    • Plug in a USB DVD-ROM and hook up KVM to install…or just hook up the first Intel Gigabit LAN port and fire up the IPMI 2.0 software to perform a network install.

    • Select the embedded kernel when asked near the end of the installation process. Alternatively, sell your first born and use the proceeds to purchase a hard drive at current prices instead of the CF+adapter and select the SMP kernel instead.

    That's a final five minutes, if you read all the prompts.

    • Take an early lunch.


  • @stratagem:

    The Asus does local DNS?

    • Buy a SuperMicro SYS-5015A-EHF-D525 1U Intel Atom D525 Dual Gigabit LAN w/ IPMI.

    • Buy 2 x 2GB 1333MHz (PC10600) DDR3 SO-DIMMS.

    • Buy a SATA II to CF adapter.

    • Buy a 2GB CF card.

    That should take about 5 to 10 minutes of some serious clicking to complete :). While you're waiting for the parts to come in, download the 64 bit live CD ISO and the SuperMicro IPMI software.

    • Put it together. The case will hold a full length bracket and has clearance for a CF+PCB if one were to buy a SATA II to CF adapter that mounts that way ;).

    So, another 10 minutes but let's add 5 more to that so you have time to examine the fanless PCB and turbine they call a PSU fan.

    • Plug in a USB DVD-ROM and hook up KVM to install…or just hook up the first Intel Gigabit LAN port and fire up the IPMI 2.0 software to perform a network install.

    • Select the embedded kernel when asked near the end of the installation process. Alternatively, sell your first born and use the proceeds to purchase a hard drive at current prices instead of the CF+adapter and select the SMP kernel instead.

    That's a final five minutes, if you read all the prompts.

    • Take an early lunch.

    Ok, what about a good WiFi-N card? What if they will need a PPTP uplink? The final grand total will be near $500 or even more. And the result will be quite the same (for 10 computers). And over the very long term they will pay 10 times as much for electricity for the "big" router box. Don't misunderstand me: I like pfSense and use it as a good free router OS, but for the "serious" cases: fast down/uplinks, failover/balancing uplinks, 20 or more computers, etc. In the case of a very small office, modern routers are good too (especially with dd-wrt or openwrt).



  • @lokapal:

    Ok, what about a good WiFi-N card?

    WiFi is for coffee shops, not offices :D. I use PoE APs on a VLAN with captive portal/VPN pass-through.

    @lokapal:

    What if they will need a PPTP uplink?

    A PPTP uplink? I haven't had the need but, AFAIK, pfSense can handle that.

    @lokapal:

    The final grand total will be near $500 or even more.

    $500 total? Nah, I was being conservative with those prices. I put together this exact machine last week for $355, shipped. Now, if you add in wireless, things will go up a bit.

    @lokapal:

    And over the very long term they will pay 10 times as much for electricity for the "big" router box.

    The SYS-5015A-EHF-D525 will be drawing less than 30W AC at full load. The wall transformer for the Netgear WNDR3700 v2 supplies a maximum of 30W DC to the device…at an average efficiency of 40-50%.

    @lokapal:

    In the case of a very small office, modern routers are good too (especially with dd-wrt or openwrt).

    I agree.



  • pfSense is very feature-rich and beyond the basics there is a learning curve, even if one has a solid background in networking (knowing the BSD/Linux way of doing things also helps).

    pfSense would shine if you expect to host services internally, or do VPN, or complex routing.

    Until now cheap consumer routers were very limited in terms of hardware, but it seems that this new Asus RT-N56U "prosumer" router can handle a 100/100 line (note: if the SNB review is to be believed).



  • Interesting input, guys.

    @stratagem:
    Interesting that you mentioned the SuperMicro board; I found this article on SNB:
    http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense?start=1

    ATM I'm leaning towards the €50 Netgear WNR3500L or €75 WNDR3700, with dd-wrt or Tomato. (Thanks lokapal) That will cover the short term need for a couple months,
    giving me time to read up on pfSense.

    I think I'll go for an appliance, in the long run. (Somehow I think an appliance would be more reliable? Am I wrong?)

    Regarding this one:
    http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack-edition-pfsense-appliance.html
    It has a 500MHz CPU, will that cover the 100/100 throughput? I suppose Squid is out of the question.

    Also found this one:
    http://www.excito.com/node/9
    2xGbit LAN, 1.2GHz CPU, 8W power - for those living in the EU (me) this would be a steal.
    Anyone know if you can run pfSense on it? It seems to come bundled with Debian.

    /JT


  • Netgate Administrator

    @jtsoi:

    I think I'll go for an appliance, in the long run. (Somehow I think an appliance would be more reliable? Am I wrong?)

    More reliable than a general purpose server? Not necessarily. Choose one with few moving parts but make sure it has been designed for few moving parts!

    @jtsoi:

    Regarding this one:
    http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-rack-edition-pfsense-appliance.html
    It has a 500MHz CPU, will that cover the 100/100 throughput? I suppose Squid is out of the question.

    I think you might be pushing that CPU but I can't find any data.

    @jtsoi:

    Also found this one:
    http://www.excito.com/node/9
    2xGbit LAN, 1.2GHz CPU, 8W power - for those living in the EU (me) this would be a steal.
    Anyone know if you can run pfSense on it? It seems to come bundled with Debian.

    That's ARM based. No pfSense on that, I'm afraid. :( (Yet!)

    Steve

    Edit: Yes, that appliance is just an Alix in an enclosure.

    @Koen:

    Maximum throughput is about 85 Mbit/sec on NAT and bridging and 15 Mbit/sec when using IPsec.



  • Thanks stephenw10,

    I'll do some more research on hardware and will post if I find anything interesting.
    Thanks all for taking the time with my questions, much appreciated! :)

    /JT



  • I also advise you to look at Mikrotik solutions - they're proprietary Linux-based routers, but they are damn good, and the level 6 Mikrotik software license is free on their own hardware. Although, again, I have to tell you that both Mikrotik and pfSense will be overkill in your case - the Netgear 3700v2 will cover all your needs until you become something like Google!  ::)

