What a Newbie like me should look for in hardware when preparing pfSense build



  • Hello All,

    I'm sure I'm years late to the party :) but I have just found out about this pfSense firewall and with the features it offers I'm excited to go ahead and build one straight away.

    I am trying to get an idea of the hardware I need to look at buying. Surely the first question must be what are my requirements for this implementation.

    My purpose is really experimental. I want to build this for a basic home network, to be my perimeter firewall, is the main goal. But I want [the build] to have the flexibility to be able to support the different features, i.e. running Snort and being able to keep a few days of firewall logs at the very least.

    From what I've seen around here and googled, most builds seem to be based on Mini-ITX Server type Motherboards, at around the $120-200 mark.
    Some of these boards have two NICs, which seems wise to start with… Other than that I'm not too sure what to look for (other than I suppose memory limits, as some seem capped at 4GB).

    Ideally I'd be able to separate 3 networks, DMZ, internal LAN, and LAB LAN. So I will need an extra NIC.

    "The most common deployment of pfSense is as a perimeter firewall, with an Internet connection plugged into the WAN side, and the internal network on the LAN side. It supports multiple Internet connections as well as multiple internal interfaces."

    Assuming I already have a wireless router, where would I want to position it? Does the incoming (cat 3) internet line go into the motherboard's onboard connection, and then into the 3 internal NICs available (e.g. Green, Orange, Red), I plug my wireless router where I want my internal clients (e.g. green). Then plug a switch (or whatever) into Orange and Red to connect clients to those networks?

    Memory and HDD. Most posts I read think that 8GB is overkill-- assuming I'm not entirely sure exactly what I will do with the device (and want to be flexible) should I just go with 8GB anyway... or can I easily get away with 4?

    Also assuming that SSD is overkill... but what kind of storage (size of disk) do I need for pfSense?

    Thank you kindly for reading!

    Cheers



  • At the logging part I must say that you'll need a syslog server.
    Snort requires at least 2 GB of RAM and it would be better if you have 4 GB.
    You can also work with one to two interfaces, if you have a managed switch (VLAN capable).
    The size of the HDD is determined by how much Snort cache there is.



  • I have been using pfSense for my home network for 1.5 months. I can suggest the Intel Atom D2500CCE in combination with 4GB RAM. The D2500CCE will be good enough to run HAVP, Squid and Snort unless your WAN connection isn't greater than 50Mbps (mine is 20Mbps and it works fine).

    Also I don't believe that using an SSD is overkill. I am using a 120 GB SSD too. When I was building up my pfSense router, I didn't have any spare 2.5" HDD so I had to buy a new one. Then I saw that the price of a 320GB WD HDD is almost the same as a SanDisk 120 GB SSD. I bought the SSD for a fast boot and fast SWAP space in case of need.



  • This is my setup

    Here is maybe a way to do it…..
    pfSense is a superb border router, most consumer wireless routers pale in comparison to the performance, reliability and flexibility you get with pfSense. If you're going to spend time and money setting up a pfSense you might as well make it your border router! I use this as the basis for my home network:

    WAN ---> pfSense --> switch1

    Connect all your home devices to switch1 (wireless router, computers, game consoles, etc.). For most people you just set up your wireless router as a WAP only - no routing!

    For your multiple networks (VLAN) requirement - the first question is: is your wireless router supported by dd-wrt? If so, you could set up dd-wrt with port-based VLAN. Then each of the ports is a separate network. I use dd-wrt for my WAPs (runs very well) but I don't run multiple networks so I don't know how well this works.

    If you can't or don't want to change the firmware on your wireless router to dd-wrt, you can buy a managed switch and set up your networks (VLANs) on it.

