New to pfsense - Hardware Recommendations
Firstly, I am quite new to pfSense, but IT security is something that interests me, so I'm about to embark on a project of my own, and that's to really tighten up my home security on my broadband.
The plan is to build a small 19" rack with a NAS server and a pfsense box on top of that to provide security to the home network. The things I'd like to implement within that pfsense box are as follows:
1 - Rack-mounted and Forward I/O (not massively fussed on 1U / 2U)
2 - Low noise.
3 - Low power consumption but 24 hour operation.
4 - 4xGigabit NICs; WAN, LAN, WLAN1, WLAN2 (separate WLAN for guests).
Question: can I host the wireless adaptors actually within pfSense itself rather than buying external routers? This would be cleaner, but there is a problem: the pfSense box will be hosted in a garage next to the house, so signal strength could be an issue. Thoughts / views appreciated.
1 - Cope with my line speeds at up to 50Mb (although I'd like headroom here ideally!).
2 - IDS capability with Snort.
3 - AV Capability.
4 - Web Caching with Squid.
5 - Filters on incoming and outbound traffic.
6 - URL categorisation.
7 - Allow LAN and WLAN1 to pass traffic (wireless devices to control and have access to devices on the LAN).
8 - Allow WLAN2 only access to the internet through filters.
9 - Output to a reporting/analysis tool (onboard or externally).
10 - Remote control.
11 - Alert via mail of problems.
12 - Enable family to VPN into my network.
I've been doing some research and what I'm reading is that the latest integrated Atom boards are probably going to be ok for my requirements. I already have 4GB of RAM that I removed from a Mac Mini so I am hoping to recycle that. I've no problem putting more RAM in if the applications I want to run on the pfsense box are demanding. I've also considered an i3 chip instead. Hard disk I've been looking at is a simple 500GB HD and having this mainly for the logging and web cache, I wasn't going to put in SSD as I don't see the point in this.
My main concerns are hardware compatibility (going to go with Intel NICs only), ensuring the power of the box is sufficient for its purpose and, of course, that it is cost effective. I've seen appliances on here costing 1400 euros; ideally I'd not like to spend more than £400 - £500 all in.
I appreciate the above probably shows my ignorance in some of these areas, and I apologise for the fact that there are 100 of these types of posts on this forum (I've read most of them), but if anyone has the patience / is willing to help I'd be grateful!
Some comments in no particular order:
Yes, you can put wireless cards directly in the box, but most people here would probably advise against it. The biggest reason to use external access points instead is that the current pfSense release (2.1.3) supports only a limited number of cards. Importantly, it doesn't support any 802.11N hardware, at least not in 'N' mode. Some Atheros N hardware is supported in 'G' mode and will likely get 'N' support when 2.2 is released. The other reason is, as you say, the location of the pfSense box is rarely the best location for wifi signal distribution. There are some advantages to having wifi hardware in the box. It allows direct logging of wireless errors or wireless packet capture, which may not be available in an access point. It provides a kind of out-of-band access: if your LAN goes down for whatever reason you can still access the pfSense box to troubleshoot. Personally I have both in my home box. ;)
You may be able to do both wifi networks with one interface using VLANs and virtual access points.
Fundamentally pfSense is not a UTM appliance. It can be made to do everything on your list by adding packages but it will probably take a little tuning to get a setup right.
What do you mean by 'latest integrated Atom boards'? Rangely?
What sort of VPN speed do you need?
Firstly, thanks Steve!
I think the option for including the wireless cards within the box appeals because it's nice and tidy that way. I had considered using an external access point, but I am tempted to mount a couple of antennas in my false roof to provide WI-FI in the house. I am tempted to buy a WI-FI card and put it in the box and would be open to recommendations.
I've recently bought the book and have been reading about the hardware recommendations, one thing that struck me was that the author seems to be quite anti-Realtek LAN options, although they appear to be a staple part of the hardware on sale within the hardware section on this site! Is this something that has now been rectified? The author mentions that there are performance differences when using Realtek LAN compared to an Intel LAN solution. It's also pretty hard to find motherboards with onboard Intel LAN!
The VPN can be pretty slow in fairness, we're talking about connecting family up to my home system to share data basically so it's restricted to the speed of their connection anyway (and mine of course). I have 50Mb or so, so it would be nice to be able to cope with that sort of throughput, although in all likelihood I won't get to that.
Yes I was talking about the Rangely boards, they seem to pack quite a punch and should do what I want them to do.
Again I stress, this in part is exploratory for me. I want to learn more about this sort of technology; it's about learning and building up skills as much as it is building a capable box for my home network security, hence my ambitious URL filtering (categorisation), IDS, AV, web caching and so forth… I think from what I've read pfSense is capable of all of these with the appropriate packages installed.
I could go for a larger board in perhaps a 4U box if that opens up my options and means I don't need to spend extra money on smaller capable boards with incorporated CPUs. Space isn't so much a premium, capability is the name of the game with a reasonably green solution in terms of power for 24/7 operations. One of the issues I've been having with this approach is the amount of bloat on boards, trying to find boards without a whole heap of junk on them that I just don't want, such as optical outs, and so on. I'm almost tempted to just buy one of the small mini appliances from this site and be done with it!
Views / opinions etc.. I will post some specs I've been looking into shortly.
Option for hardware I am exploring:
MB; Jetway JNF9G-QM77 3rd Gen Mobile G2 CPU Mini-ITX Motherboard
RAM; 8GB DDR3 1333 SODIMM for Selected Mini-ITX Boards
CPU; Intel i5-3320M Socket G2 Mobile Processor
LAN Extension; Jetway 4x Intel Gigabit LAN PCIe Daughterboard Module (JNF9G-QM77, JNF9I-2550)
Disk; Intel 525 Series 30GB mSATA SSD for Selected Mini-ITX Boards £49.00
Case; C1-RACK 1U Rackmount Mini-ITX Chassis with Jetway JNF9G-QM77 Backplate
This comes out quite expensive though, and ideally I'd like to build in the WI-FI to this too, and it doesn't give much room. I have a feeling this is major overkill though and works out more expensive than purchasing a pre-built pfSense box from this website!
If you're putting antenna in a false ceiling they presumably will have long cables running to them. Long wifi cables are either very expensive or very lossy! ;) It would be no more difficult to put access points in the same location in my opinion and significantly better. Small access points that support high 802.11N speeds are very cheap these days. Use passive PoE adapters to get power to them if you need to.
Are you talking about the currently available real paper book? Although much of it applies to current pfSense versions (and it's a great book anyway), it was written alongside pfSense 1.2.3. Older 10/100 Realtek NICs were rubbish; their newer gigabit NICs are much better, but that's not saying much. If you start to push the limits of your hardware you'll find the Realtek NICs use far more system resources and cannot achieve the same speeds as other NICs. Intel are most preferred, followed by Broadcom, then everything else, then Realtek. If you are not pushing continuous 1Gbps streams through your box you'll likely never notice. The APU box sold by pfSense/ESF/Netgate uses Realtek NICs but cannot get close to 1Gbps anyway, so it's not an issue.
The Rangely Atoms look like a great platform; I've not used one personally. They will get even better when 2.2 is released, since it's using a new multithreaded pf which will use the cores much more efficiently. You should have no problems pushing 50Mbps VPN with that, whereas the older Atoms topped out at around 50Mbps of encrypted traffic.
Yep, desktop boards have heaps of surplus components on them. Server hardware doesn't though. Do I take it from your prices that you're in the UK?
I am from the UK yes, appreciate you taking time out to talk to a complete novice like me!
SO.. my thoughts have continued.. and I have come up with a new novel way of achieving what I want to do without the need for separate boxes. I'm thinking what I might do is build the 4U 20-bay NAS but put a bit more horsepower into that system. The plan would be something like this:
Supermicro Mobo with 4 LAN ports and a management port
Xeon CPU Quad Core 3.1GHz
1 x 1TB HD for pfSense and an SSD for the overlaying O/S controlling the file storage (I will explain how I will configure this in a moment).
The plan would be to install Windows 8.1 Pro 64bit onto this box and run some file sharing software like DrivePool to manage the hard drives in the machine for NAS purposes. The O/S would probably boot from a very small SSD. I'd install VirtualBox and assign it 3 of the 4 LAN ports directly, and disable them for the rest of the O/S. The O/S would then drive share on, say, NIC4, and I would install pfSense into a heavily resourced VM running within VirtualBox. It would have 3 of the NICs dedicated to it: WAN, LAN, WIFI (probably achieve separation using a router further upstream). This way I can have one machine doing everything… I figure if I get enough horsepower it should be able to do it, and at the end of the day DrivePool shouldn't use too much resource. I'll also run my other apps like media streaming etc. on the Windows 8.1 Pro platform that sits behind.
Has anyone done anything like that?
I'm doing a similar thing at the moment - I'm using ESXi as a VM hypervisor with pfSense and my Windows server as virtual machines within. It works, but it also means that when I take down my server to do hardware maintenance, my network is down and I can't Google things to find out how to fix them :-)
The above and other idiosyncratic behaviour has led me to decide that I want to replace the above with a physical hardware solution instead for pfSense.
Yes, I would use a hypervisor like ESXi rather than running VirtualBox under Windows. That way you can reboot/update your Windows VM without killing your whole network.