Introduction and Request for comments



  • Hello,

    I am obviously new to these boards and software, however I've heard many great things about pfSense and I'm eager to start using it in my own home network. A little background on my setup. I have a cable modem connected to a Cisco 881W, which goes out to various devices, etc. I've noticed that when I have a zone-based firewall and IPS configured on the Cisco device, CPU cycles go through the roof when pushing the maximum amount of data. I also notice a difference of 25 Mbps between having those two services enabled or disabled (i.e. 40 Mbps with them on, 65 Mbps when they are off). Originally, I was looking at a Cisco solution such as an ASA 5505. However, after doing some research online and with some fellow Network Engineers, the performance leaves something to be desired. That is how I came upon pfSense. I just happen to have a spare machine that I'd like to put into service. The general specs are:

    Core 2 Quad Q6600 Processor
    8 GB of RAM
    64 GB SSD
    2 PCIe Intel Gigabit NICs - EXPI9301CTBLK

    From what I've read, I feel that would be enough processing power for what I'm looking to do. My plan going forward is to connect the devices as such:

    Cable Modem <---> pfSense Machine <---> Cisco 881W <---> Internal Network

    I want to use the pfSense device for firewall and IPS so I can deactivate those things on the router. But I would keep my VPN configuration as normal on the router. Same thing for the wireless -- the router (with its built-in AP) would do that as well.

    So, any thoughts? Am I going about this the wrong way? Before you ask why I'm married to the idea of keeping the Cisco router: I'm a Network Engineer by trade, and I work with these devices on a daily basis. It helps me troubleshoot issues quickly and implement solutions appropriately. But I'm also definitely interested in using pfSense to protect my network. Any suggestions, questions and comments would be greatly appreciated. Thanks in advance.


  • Netgate Administrator

    You haven't actually said what your WAN bandwidth is, but I assume it's <100 Mbps, in which case that machine will easily handle it. In fact you don't need a machine that powerful; you're just increasing your electricity bills. Since you already have it, though, it'll be good for testing; you can always swap in a less powerful box later or just fit a Core 2 Duo instead.

    Personally I would move VPN duties to the pfSense box. Since it will be the public-facing router, it will be easier to set up there. However, if you have everything set up on the Cisco already, you can just forward the appropriate ports to it. If you do end up just using the Cisco as a wireless AP, then there are probably better devices for that.

    pfSense can probably completely replace your Cisco box but taking it one step at a time is the way to go.  :)

    Steve
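For the "forward the appropriate ports to it" option above, here is what the pfSense side looks like expressed as raw pf rules (the kind pfSense generates from its NAT and Rules pages). This is an added example, not configuration from the original post or from the pfSense project; it assumes the Cisco runs an IPsec VPN (the thread never says which VPN type), that the WAN and LAN interfaces are em0 and em1, and that the Cisco's LAN-side address is 192.168.1.2. All three values are placeholders.

```pf
# Added example, not from the original thread. Interface names and the
# Cisco's address are assumptions; substitute your own.
ext_if = "em0"             # WAN, facing the cable modem
int_if = "em1"             # LAN, facing the Cisco 881W
cisco  = "192.168.1.2"     # Cisco 881W, the VPN endpoint behind pfSense

# Translation: send inbound IKE (UDP 500), NAT-T (UDP 4500) and raw ESP
# that arrives on the WAN address to the Cisco. If every remote peer
# uses NAT-T, the ESP line is unnecessary and can be dropped.
rdr on $ext_if inet proto udp from any to ($ext_if) port { 500, 4500 } -> $cisco
rdr on $ext_if inet proto esp from any to ($ext_if) -> $cisco

# Filtering: default deny on the WAN, then admit only the forwarded
# traffic. In FreeBSD pf, filter rules see the post-rdr destination,
# so they match on $cisco rather than on the WAN address.
block in log on $ext_if all
pass in on $ext_if inet proto udp from any to $cisco port { 500, 4500 } keep state
pass in on $ext_if inet proto esp from any to $cisco keep state

# If the remote VPN peers have fixed addresses, narrow "from any" to a
# table of those peers so the Cisco's IKE daemon is not reachable from
# the whole Internet:
#   table <vpn_peers> { 203.0.113.10, 198.51.100.20 }   # example peers
#   pass in on $ext_if inet proto udp from <vpn_peers> to $cisco port { 500, 4500 } keep state

# Ordinary outbound traffic from the LAN, stateful.
pass out on $ext_if inet from $int_if:network to any keep state
```

Once the Cisco's own zone-based firewall and IPS are switched off, these rules are the only thing standing between the Internet and the router's IKE listener, which is why the default deny comes first and the source restriction is worth adding if the peer addresses are known.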



  • That machine will definitely crush.  You'll be pretty happy with the results.

    Personally I'd ditch the Cisco.  Throw a couple more NICs in the box, maybe a switch or two with some VLANs, and have some real fun.  You'll go from Cisco to networking.  :)  (Sorry, had to troll that one out there, meant in good fun.)



  • @tim.mcmanus:

    That machine will definitely crush.  You'll be pretty happy with the results.

    Personally I'd ditch the Cisco.  Throw a couple more NICs in the box, maybe a switch or two with some VLANs, and have some real fun.  You'll go from Cisco to networking.  :)  (Sorry, had to troll that one out there, meant in good fun.)

    Well, it took longer than I would have liked, but I finally got around to putting everything together. I did go with your suggestion and just got rid of the Cisco router altogether. It was introducing too many hassles that I quite frankly did not want to deal with anymore. My setup now looks like:

    Cable Modem <---> pfSense Machine <---> Gigabit Switch <---> LAN Network
                                                 ||
                          +----------------------+----------------------+
                          |                                             |
            UniFi UAP (Wireless N Access Point)       Trendnet Powerline Adapter <---> Powerline Adapter

    I have to say I was pleasantly surprised with the performance I am seeing. Even with Snort, Squid, firewall, VPN, and other services all turned on, I actually improved my downstream throughput (50 Mbps on the Cisco versus 65 Mbps on the pfSense box), while drastically reducing my CPU usage (100% on the 881W versus maybe 8% total on the pfSense box). Still tooling around with it now, but I can say I am happy overall with the switch.

    Thank you again for providing me the push I needed to drop the device that was slowing me down. :)



  • I love a good pfSense story.  Glad it worked out, it's only going to get better.