RaspberryPi model 2 6x the power for running pfsense on
-
Just found out the RaspberryPi 2 is now out http://www.theregister.co.uk/2015/02/02/raspberry_pi_model_2/ and pfsense 2.2 runs on FreeBSD 10.1 which is reported to run on ARM CPUs, so what else would be needed to get pfsense running on one of these?
Edit.
Found this link https://vzaigrin.wordpress.com/2014/11/17/running-freebsd-10-1-on-the-raspberry-pi/ so hopefully when the Pi's arrive tomorrow, I'll be able to post a progress update to see if I can get pfsense2.2 running. http://ftp.freebsd.org/pub/FreeBSD/snapshots/arm/armv6/ISO-IMAGES/10.1/
-
Despite the increased performance the raspberry is still a bad choice for a firewall. The nic is probably the same as the previous Pi's, USB based.
Also, you will need to add a VLAN capable switch and struggle with compatibility/performance issues. If power consumption/size is an issue wait for the fitlet-b.
-
The NIC is the same based on one site that I read. Sounds like the only things changed are the cores and memory, but all other parts remain the same.
-
The fitlet-i or -x look interesting with dual or quad Ethernet ports, the -b with a single port would be more hassle. I keep checking on availability and it looks like a few more weeks. Prices sound not too bad from their press release:
"CompuLab will start accepting orders for fitlet in February 2015 at a price starting from $129 for fitlet-B Barebone."
-i http://www.fit-pc.com/web/products/fitlet/fitlet-i/
-x http://www.fit-pc.com/web/products/fitlet/fitlet-x/
-
If pfsense ran on a RaspberryPi I'm sure it would get used to death by home users assuming it wasn't flakey and slow.
It's probably not so simple though.
-
They are missing the point…129$ is still more than most SOHO routers with a lot more options and performance.
And not to forget a lot better firmware support.
It doesn't have the power to run Enterprise level FW, so it ends up in between markets...
-
35$ yes… 129$ No. And it would be for hacker types at least for a while.
-
My biggest problem with the raspberry pi advocates is that they try to make it be something it's not. The two most common things are routers and supercomputers.
There are countless really neat ideas for the pi. I use one as a stratum 1 time server and two for dns/dhcp failover pairs. I have one I'm making a book reader for my parents who can't read with a regular magnifying glass anymore. Any low-traffic device that you want to stay on and not be a vm, they're great. Any device that needs a little cpu or which might benefit from one.
But it has a single 100 mbps port it can't saturate (maybe the new one can) and while it's remarkable that you can get a functional computer for USD $35 that in no way implies that it competes with an i7 when comparing dollars per MIPS.
-
I bet it would make a great small chat server or SIP server. Like you say - anything that isn't going to get cpu/IO/memory intensive.
-
There are countless really neat ideas for the pi. I use one as a stratum 1 time server and two for dns/dhcp failover pairs.
The time server is interesting, do you use it as an NTP server for pfSense and what did you add to the basic Pi to get the time sync?
I can't resist one of the new ones which will leave my old original version looking for a purpose and an NTP server sounds interesting.
-
You will need a GPS and clear view of the sky. I'd just plug that GPS cable into pfsense if it were me.
-
I got an adafruit ultimate gps v3 for it. You need something with pps output. The price difference is nonexistent and the pps makes it much more accurate. I think I'm about USD $100 all in. Might be cheaper now.
I like to avoid having all my eggs in one basket. The time server was originally for a database timestamp but of course once you have it you use it for everything.
Same with dhcp and dns, the two pi's each can handle the entire network easily but are configured as failover pairs using isc-dhcp and bind9. Pi's are cheap and more than adequate for a small office or home and you can leave them running for a long time. The time server has been working since about 2 weeks after the b+ came out. The dns/dhcp was started more recently and is still not doing dynamic dns. Just haven't gotten around to it.
As for attaching the gps directly to the router that seems to be pretty common but I think I'll leave it to a dedicated pi.
Oh yeah, the antenna. You want to get the external antenna. Adafruit sells one for the board I got. It says built in antenna but if you're inside you'll need to tape the gps to the window to get a half-decent signal.
-
My biggest problem with the raspberry pi advocates is that they try to make it be something it's not. The two most common things are routers and supercomputers.
But it has a single 100 mbps port it can't saturate (maybe the new one can) and while it's remarkable that you can get a functional computer for USD $35 that in no way implies that it competes with an i7 when comparing dollars per MIPS.
Comparing an I7 to a Risc chip is not perfect, plus for most home/soho users the Rpi will be able to handle all the broadband net access we can get for years to come. Another attraction is it's modular, if something fails or you need to add new capability, just add it to the Pi and it will go because unlike some I've not had any problems with usb nics with pfsense 2.1 or 2.2 so the costs of some usb nics instead of a big vlan switch has its uses.
As it's still not arrived I can't compare it to my intel nuc D847 +128GB msata & 8GB ram using many 10/100 plugable.com usb nics, but many things have not changed that much. For example, email still tends to have size limits around 10-20MB, sure we consume more data like watching/listening to stuff online and we might send more data, but in the scheme of things these don't always need to be instantly moved around the planet and the time savings are not always noticed or appreciated by the user.
When I was setting up a couple of SBS2012 machines on some 48GB Dell R620 rack servers via ESXi, I was shocked at how bloated so much software has become. MS SQL 2000 still runs faster on a SBS2000 box compared to a SBS2012 R2 box with its own dedicated SQL server instance. Plus some of my customers don't need all the extra facilities built into some software, they would just never use it, so the costs of some high end equipment could be better spent on less expensive equipment that enables a more redundant setup by virtue of affording two machines instead of just one.
However I'm not recommending an Rpi becomes a firewall for some multi national corp, that's for sure, I'm focused on home/soho users for which I think this could be an interesting development but until I get my hands on it I can't tell for sure how much quicker and better this would be compared to an earlier Rpi.
-
I'm trying really hard not to be disrespectful of you or anyone else who simply can't afford to get commercial equipment or who lives in a place where a pi could actually handle router duty with the best available Internet connection. A pi certainly can't handle my current internet connection, and when my ISP delivers gigabit the pi won't even come close. So I fall far outside of your 'most soho users' group.
If comparing an i7 to a risc chip is not perfect, then comparing a raspberry pi to a router is also not perfect. There are other boards for very close to the same price which would easily do a better job of it, including the tp-link wifi router on amazon right now for USD $19.99. That has 4 100mbps ethernet ports and wireless n, good for up to 300 mbps. You need to spend at least $35 if you want free shipping though. But that price includes a power supply and an operating system, even if it's not what either of us would call a real router OS.
http://www.cnx-software.com/2015/02/02/raspberry-pi-2-odroid-c1-development-boards-comparison/ has a pretty interesting comparison to odroid which has a real gigabit ethernet card instead of a USB-based 100mbps card and a slightly better review overall, also sold for $35.
I will be interested to see you post results for this setup since you already bought the board. I hope you don't think I'm anti-raspberry pi or anti-experimenting, I own several b+ boards and I'll probably own several of these new ones both as handy appliances for small tasks and as computer-driven hardware.
Let me explain some of my reservations about the raspberry pi for certain tasks. It's not really very much related to pfSense and for that I'm sorry to the group. It's also not aimed solely at the pi, but rather at people leaping before they look because of an unrealistic assumption. I feel it's important because even if you know what you're getting into, the Raspberry Pi crowd is full of amateurs who expect impossible things based on what somebody on a forum said.
There are a lot of people doing fantastic things with a Raspberry Pi, and for that matter a lot of other SBCs. One such fantastic thing is a Beowulf cluster that's as fast as a 'supercomputer.' http://coen.boisestate.edu/ece/raspberry-pi/ This was a project done by students who actually understand the purpose, advantages and disadvantages of a cluster and tried to make the cheapest beowulf cluster they could. They spent something like $1500 USD to make a 32-node Beowulf cluster. This is admirable and truly fantastic.
A lot of novices and hobbyists were really excited and they started pounding rpi forums about making a Beowulf cluster to get a cheap 'supercomputer' which would somehow be more cost effective than anything they could afford. To dispel that, I went to newegg.com, searched on servers and ordered by price. I took the first system which was at or under the price of the cluster and found the CPU benchmarks for that system. I then compared that performance to the pi beowulf cluster, and did some simple math. It turned out that in order to match the performance of that server, the beowulf cluster would have to cost around $70,000 assuming linear performance increase with nodes, which is highly unlikely with beowulf. To match the performance of a fair-to-middling rack mount server you could get at the time for $1500.
What people don't realize is that in this case 'supercomputer' means the world's first supercomputer, and that smart phone processors will soon be considered supercomputers by that standard. Any desktop worth its salt, and even a few netbooks, can beat this beowulf cluster hands down. Another thing they don't realize is that a cluster like Beowulf is extremely sensitive to every detail, and something as simple as misjudging the NIC can change the performance from excellent to terrible. Since many real-world clusters have thousands of nodes that error in judgement can bankrupt the project.
A raspberry pi beowulf cluster is useful only to people who are studying beowulf clusters and need a certain minimum number of nodes to make their algorithms work. It's not useful in the real world, only in the study of Beowulf clusters and algorithms for them.
That's not a direct analogy to your router project, but a pi-based router is unlikely to perform as well as another board for the reasons outlined by most of the people responding to this post. Which are essentially the same reasons the beowulf example is not competitive with a desktop computer.
Single-board computers and IOT and all the maker projects are fantastic and exciting, but they do not compete with purpose-built hardware when trying to perform the task that the purpose-built hardware was designed to perform. Raspberry Pi was designed to get people interested in actually making things with computers in them, and it exceeded far beyond the dreams of the people who made it. http://www.raspberrypi.org/about/ It was intended to be a way to get a computer into the hands of third-world people, and also into the hands of experimenters who might think the board is cheap enough to not cry when they fry it by hooking up the red wire where the black wire goes.
I wonder what your broadband throughput is at your home, and what you expect the performance of the pi to be as a router. It's my understanding that the entire USA is scrambling to accommodate online video in 4k format, which basically means something approaching gigabit speeds. While I don't care so much for that my wife certainly does, and for me it's a handy coincidence because there is now communications-specific hardware available for prices I could never have afforded a couple years ago, designed specifically for my scenario.
People seem to assume that rpi is the only company making these kinds of boards. Single-board computers have been around as long as personal computers, if not longer. The original PCs were the equivalent of SBCs in the day. You can get them in a huge variety of sizes and processors and capabilities.
There is a huge difference between 'cheapest' and 'most economic.' The most economic solution is the one which performs the required task at the required rate and has the lowest total cost of ownership, from the time you start researching until the time you unplug it and throw it away. The cheapest solution at the outset might technically be able to perform the job but might not do it at a satisfactory rate, or maybe not perform the entire specification (say, no VPN in the router use case) or maybe with an early failure and some significant resultant down time.
Then there's the elephant in the room: How long are you going to mess with it before it works? What's your time worth, really? If you just like to do things your own way, then this cost can be written off as entertainment. If you have a big long list of things that need to be finished, then your time – even at home -- has a price even if it's not in money. Edit: I'm building my c2758 router because I like to mess with it, and because I want to do it my own way. There's nothing wrong with that, but since I have a lot of other projects it means that I DO have an extra cost beyond money.
Good luck and please post results both here and on raspberry pi-based forums. I'm sure there will be a lot of interest.
-
I've bought two Pi's for the fun of it. I don't have extra server hardware around to play around with Linux so I bought a Pi. Now one runs irssi and offers a backup node to SSH back to home for tunneling RDP through SSH (normally I use a VM running on my desktop as the Pi really lacks in the CPU department). The second one runs NTP with GPS time source and lighttpd + cron to host an IP blocklist for pfBlockerNG on pfSense (which runs on a mini-ITX / Pentium G630T box).
The minimum requirement for running pfSense on any hardware for me would be two half decent GigE NIC's that are not connected to the CPU/SoC through USB :)
-
@ kroberts
So far it's dead out of the box. I need to double check my old 2gb micro sd card which came from my htc hero phone is not the problem but the Rpi's support SDR50 which is UHS-1 (~22MBps) iirc so it should be ok but as I'd tried the OS'es which would fit on the microsd card ie not the latest Raspbian or ubuntu snappy and seeing on one of the rpi2 threads that some of the images have not been updated to work, that's likely to be the reason why so until some bigger micro sd's arrive I've yet to test the latest version of Raspbian, ubuntu or anything which should be capable of running linux with the arm7 kernel files. The ODroid looks interesting for the Gigabit nic and yes I can post results just let me know what tests to carry out. I saw an interesting thread on the rpi forums last night about fast or slow silicon. I don't know how true it is, but apparently some silicon can be fast and some slow which explains why some models overclock faster than others. Plus with other sites suggesting things to remove or change with different versions like removing bash for dash, a few Mb of ram saved here and there can get freed up and so on making the experience a little better.
The Turbo mode certainly helps with variable overclocking and it's surprising just how responsive the experience becomes, I was surprised to find out they even do heat sinks and fans for them.
I wonder what your broadband throughput is at your home
I get 4.52Mbps and this won't be changing for a few more years to come as there simply is not the infrastructure where I am, in fact my old home can only get 1-2 Mbps net access as it's right on the end of the line and I know that used to be a party line going back over 35 years ago with little change to the physical wiring.
But I had to pop down to London on Sat drop some things off (so past the London Eye, Houses of Parliament etc ie tourist route in at 11pm) and the thing that hit me was, yes I can get full signal, could I get any form of data, no, plus the office blocks blocking the GPS didn't help the satnav either, so whilst it's safe to say we can get good speed with 4G and other new tech, it's just not reliable enough to be useful in some places and it's why this early adopter is no longer buying the hype from so many high tech companies be it hw or sw.
I wasted so much on tech that for me it's time to find something that will work to my satisfaction so starting with the lowest cost option and working up until I find something good enough for my needs, but I am steering away from US tech after the Snowden revelations where possible, or going for stuff that can't become a liability ie no intel vpro/amt as this provides out of band remote support, nice for keeping your bank depts PC's all up to date without having to be physically in front of them, but knowing that cpu microcode is updated there's an unaccountable untrusted risk with that sort of stuff now.
Edit. Just saw this which shows methods to put your own back doors into CPUs danluu.com/cpu-backdoors/ .
AFAIK the main thing we have to contend with is the bootloader in the RPi as everything else like black bin boxes which could present a risk excluding bugs yet to be discovered in code, can be removed mostly.
-
Dead out of the box: Are you using a pi 2 distro on it? I understand many/most pre-existing distros won't work on pi 2.
I'd hang on to that 2gb sd card, I can't seem to find them around here. I'd love to have a box of 1-2g cards for installs and the like.
The only benefit I see to what Snowden did is now we have more information about how to build our firewalls. I don't completely trust the NSA any more than anyone else, but what concerns me more is whether the NSA can keep the information they learn about me out of the hands of others. And whether all the information he took with him was all that accurate in the first place. Seems to me that it would be awfully convenient for the NSA if they could send off a circus act with a lot of facts they know are out there or are suspected, plus credible but tainted information about what they really care about and then pretend to go after his blood. Not saying I believe he is one exactly, every action he has taken shouts that he knows he's in the moral wrong. But I don't trust any news that came out of the NSA, the CIA or any other security service. They never give the whole, untainted truth.
The NSA has hooks into our ISPs, and China manufactured most of the hardware and much of the software we use. IMO there are lots of black hats out there, not sure if I trust any government or company entirely on that. Even when they tell the truth it's tainted to give the impressions they want to give.
Not trying to make conspiracy theory discussion here.
Tests: Just tell us how it's configured (nat, number of firewall rules, ISP specified throughput, etc) and what actual performance you see. I don't think there's much more that would apply to a pi.
I've never heard of fast or slow silicon. Variations in manufacturing process change specs of components slightly, which limits the overclocking speed. I'm a server guy, so I have never overclocked anything for any reason. I want it to last as long as possible.
A pi might be able to route <5mbps, not sure but it seems reasonable from what experience I have with pi speeds. If you can get pfSense to work on it acceptably then it might actually be a better option than a SOHO router.
Just as a frame of reference I have 60/10 by contract now, actually usually tests at around 65/15 with Midcontinent Cable in the USA. They offer 200 mbps right now. They promise gigabit speeds before two years is out. This is not just for cities, a lot of rural areas get the same treatment. I know people quite some distance from town who get rock solid 100mbps service from them. And my cell phone regularly tests at 30 mbps or better.
I know what you're talking about with the party line. I remember my home as a boy, my parents complaining about neighbors listening in on their phone calls. I also remember them being excited when private lines came in, and how some of the neighbors didn't seem so excited. Funny now, but I didn't understand it then.
I hope you get your pi working. Nothing sucks more than having your toy broken right out of the box.
-
Tests: Just tell us how it's configured (nat, number of firewall rules, ISP specified throughput, etc) and what actual performance you see.
Will do, but won't be for a while now as other things have cropped up. :(
Check out http://berryterminal.com/doku.php/berryboot it's quite good and was using this on the 2gb to overcome the 3gb size of raspbian, ie boot from berry on 2gb, install raspbian on a usb memstick although don't know if the memstick will be too slow or not.
-
The new R-API is NOT 6x faster.
That's pure hype.
-
The 6 times faster is the result of some tests carried out using multi threading benchmarking software like SysBench, it's not pure hype.
The Neon enabled multicore video codecs can be over 20x faster, yet other single threaded benchmarks only show a 1.5x faster result. What's also been interesting is seeing how raspbian (debian) has been optimised since I last played with it when the RPI model b came out, they have cut the bloat from it quite well.
Edit.
Found some network stats for the rpi, www.hauweele.net/~gawen/blog/?p=34, suggests 94Mbps without any I/O. Also found this blog where someone has freebsd running on it with a simple pf. blog.khubla.com/freebsd/simple-pf-for-raspberry-pi
Will be interesting to see how these fare with pfsense if I can get it to run. Does anyone know if trying to use the nano version of pfsense on a pi would be better or stick with the main version of pfsense?
I'm not familiar with the differences, so although I've got some scripts together to quickly config and setup these rpi's in a variety of ways, freebsd would have to be my weakest OS, then Linux, then Windows and I'm still learning pfsense as always.
TIA.