PFSense at the office – package suggestions?



  • I swapped out our commodity WiFi router today for a "real" server running PFSense. The server is quite a beast (dual Xeon, 8 gigs of RAM), so I'm wondering what else I might be able to do with it. It is just routing traffic for our office but anything to make that more efficient is a plus. Does it make sense to run pfBlocker and such on an office router? Any other suggestions?



  • pfBlocker for sure, include lists for ads, virus, spammers.

    Depending on your company policy, you can filter internet access with squid, squidguard

    You can use havp for browser virus scanning.

    If you have inbound services like http and smtp you can also check varnish and postfix
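What pfBlocker does with those ad/virus/spam lists, in essence, is fetch them and compile them into firewall aliases. The script below is an added example (not code from this thread or from pfBlocker itself) of the list-to-alias step: it parses a blocklist with comments and junk lines, collapses overlapping networks so the alias stays small, and checks addresses against the result. The feed text is constructed for illustration and is not a real pfBlocker feed.

```python
"""Aggregate a pfBlocker-style blocklist and test addresses against it.

Added example, not part of the forum thread or of pfBlocker. The feed text
below is constructed; real feeds come from the list URLs you configure.
"""
import ipaddress

# Constructed sample feed: comments, blank lines, bare IPs, CIDRs,
# an overlapping entry and one unparseable line.
SAMPLE_FEED = """\
# ads / spam feed (constructed example)
192.0.2.10
192.0.2.0/28
198.51.100.0/24
198.51.100.128/25   ; overlaps the /24 above
not-an-address
203.0.113.77
"""


def parse_feed(text):
    """Return the networks listed in feed text, skipping comments and junk."""
    nets = []
    for raw in text.splitlines():
        # Strip '#' and ';' comments, then surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. "10.0.0.5/24".
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # unparseable entry: drop it rather than abort the import
    return nets


def aggregate(nets):
    """Collapse overlapping and adjacent networks (per address family)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def build_alias(text):
    """Feed text -> sorted, de-duplicated list of networks for an alias."""
    return aggregate(parse_feed(text))


def is_blocked(addr, nets):
    """True if addr falls inside any network of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    alias = build_alias(SAMPLE_FEED)
    for n in alias:
        print(n)
    for probe in ("192.0.2.10", "198.51.100.200", "192.0.2.16"):
        print(probe, "blocked" if is_blocked(probe, alias) else "allowed")
```

The collapse step matters on a box like this: feeds overlap heavily, and every redundant entry is one more table lookup the firewall has to keep in memory.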



  • Also, OpenVPN or IPsec can be used to set up VPN connections to allow users to work from home or on the road.  Furthermore, traffic shaping can be configured to help prioritize important traffic if you host web/mail servers and also impose a bandwidth cap for general traffic (when, say, users are just browsing the web or streaming videos online).


  • Netgate Administrator

    If you're looking for efficiency I have two suggestions, both assume that this hardware is massively over-specified for your WAN bandwidth (which it probably is since it's replacing a commodity router).

    1. Run pfSense virtualised. Use remaining CPU cycles and ram for some other application. This has some security implications however.

    2. Remove one of those Xeons. This will reduce your power consumption significantly and you can always replace it if you need the extra CPU cycles. Most of the hard work done by pfSense in firewall/NAT doesn't scale beyond a single core anyway.

    What is your WAN bandwidth?

    Steve



  • We only have a 10Mb connection here with no inbound services. 12 people, so 12 workstations, and half the folks have laptops (on part of the time), several have iPads and they all have smartphones with WiFi.

    I just installed the new router today with the default packages and the difference is pretty incredible. That little dlink was definitely getting overworked!

    Running pfsense as a virtual machine is actually something I had considered but the box that I used for it wasn't in use anymore. It wasn't broken but we got rid of our co-located dedicated servers this year in favor of some cloud hosting so it was just sitting there unused. Good idea about yanking out the second processor for some power savings.

    I appreciate everyone's suggestions! I probably won't do any content filtering but I'm definitely going to set up pfblocker!



  • As suggested, if you plan to have this power-hungry "monster" PC running 24/7, you should run pfsense virtualized. For a 10Mbps line even a small 5W Alix would suffice.

    Wrt packages, I'd only run Snort on pfsense, and run any disk-intensive services (e.g. Squid proxy, mail-server w/ anti-spam & anti-virus) on a different Unix-like server, which in your case might be just a different VM on the same physical PC. But this is a matter of personal preference.



  • @stephenw10:

    Most of the hard work done by pfSense in firewall/NAT doesn't scale beyond a single core anyway.

    I heard this will change with 2.1 and going to FreeBSD9?  I would love for my machine to actually take advantage of both cores.



  • Oh, and since you're using such beefy hardware… make sure to turn on powerd so it's not sucking up all that electricity while it's sitting there doing nothing.


  • Netgate Administrator

    @jaredadams:

    I heard this will change with 2.1 and going to FreeBSD9?  I would love for my machine to actually take advantage of both cores.

    That would be good! Where did you hear that?
    Of course you are still better off with multiple cores since the other processes can run on the unused core.

    Edit: Actually I could be completely wrong about this.  :-\

    Steve



  • @stephenw10:

    @jaredadams:

    I heard this will change with 2.1 and going to FreeBSD9?  I would love for my machine to actually take advantage of both cores.

    That would be good! Where did you hear that?
    Of course you are still better off with multiple cores since the other processes can run on the unused core.

    Edit: Actually I could be completely wrong about this.  :-\

    Steve

    IIRC, the embedded versions already use a SMP kernel since NanoBSD variants were made but I could be wrong.
    There are some fairly interesting commits to FBSD 9.0 that may or may not impact pfSense 2.0.1 though.

    More SMP-scalable  TCP/IP:
    http://permalink.gmane.org/gmane.os.freebsd.current/132807

    5 new TCP congestion algorithms:
    http://svnweb.freebsd.org/base?view=revision&revision=215166

    However, the throughput limitations for pfSense apparently are due to some of the firewalling processes being GIANT LOCKED in pf.  Not sure if the lock changes in FreeBSD 9.0.


  • Netgate Administrator

    I'm fairly sure since 2.0 all versions are using an SMP kernel since it now handles a single cpu with no problems.
    I also thought that it was a restriction of pf to a single process that limited the total potential throughput of pfSense. I realise that's a simplification.

    Steve

