PfSense for Home use? Necessary for my needs?



  • I've been using DD-WRT routers in my home for the past 5-6 years without any issues.  I have two sites (one of which hosts a media server that is heavily accessed by 5-10 users consistently) and the other site (which is connected with a site-to-site OpenVPN connection) houses a server that backs up all my media from Site A (UnRAID server via rsync).

    Site A is running a Linksys E4200 and Site B is running a Netgear R7000.  As you can probably surmise, the CPU on the E4200 is severely limiting the speed of my site-to-site VPN connection.  I'm only getting about 10Mbps when the actual connection speed is 75Mbps.  So I'm considering buying another R7000 to replace the E4200.  I'm hoping the two combined will be able to give me at least 50Mbps on the OpenVPN connection even if I have to OC them a little bit.

    My question is mainly this.  For someone who has never worked with pfSense before (I'm mainly a Windows and Cisco guy), how big is the learning curve (I don't want to spend weeks configuring a new router because I can't really afford the downtime) and is it worth it to go with a solution like pfSense for home needs like my own (VMware, Plex, storage server, backups over VPN, etc.)?

    Any insight would be greatly appreciated.  Thanks.

    EDIT:  Assuming pfSense is a good option for me, would something like this (http://store.netgate.com/ADI/RCC-VE-2440.aspx) serve my needs?  (75Mbps VPN connection.)

    EDIT #2:  What is the least powerful CPU I can get away with that will handle a 75Mbps site-to-site OpenVPN connection without a hitch?  Will the C2358 do the job?



  • There is something to be said about familiarity. Since the one site is already an R7000, the two sites cannot be faster than the weakest link. Site-to-site is a fairly common thing to do in pfSense, so it shouldn't be hard to set up, but the biggest hurdle for most pfSense setups is when people want to save money, so they purchase cheap hardware and they're let down with poor support.

    If you don't want to be wasting time with potential hardware issues, purchase a recent Intel CPU and a recent Intel NIC and make sure you use a full size HD and not some embedded install.



  • @Harvy66:

    There is something to be said about familiarity. Since the one site is already an R7000, the two sites cannot be faster than the weakest link. Site-to-site is a fairly common thing to do in pfSense, so it shouldn't be hard to set up, but the biggest hurdle for most pfSense setups is when people want to save money, so they purchase cheap hardware and they're let down with poor support.

    If you don't want to be wasting time with potential hardware issues, purchase a recent Intel CPU and a recent Intel NIC and make sure you use a full size HD and not some embedded install.

    So the link I posted in my OP wouldn't be good because it has an embedded flash card?



  • I wouldn't say that it's "no good", but there are some "gotchas" that pop up from time to time. If I had the money, I would go for something with a regular HD. It does have an mSATA SSD port.  That does look like a nice little box.

    Personally, I'm the kind of guy who builds his own stuff.

    I'm sure someone will give a better and more experienced response soon.



  • @Harvy66:

    I wouldn't say that it's "no good", but there are some "gotchas" that pop up from time to time. If I had the money, I would go for something with a regular HD. It does have an mSATA SSD port.  That does look like a nice little box.

    Personally, I'm the kind of guy who builds his own stuff.

    I'm sure someone will give a better and more experienced response soon.

    I'm actually the same way, I prefer to build my own stuff as well.  But in this case I'm really looking to maximize my space.  I already have a VM box and a big storage server.  Prefer not to add another big box if I can still get the performance I need in a small package.



  • As long as you do not want to do proxy-cache or other packages that want to save loads of data to storage, the flash storage is fine. With that box you can have an SSD if you want anyway.

    pfSense site-to-site OpenVPN works really easily and is solid. If secure site-to-site is the prime need, then that works great.

    In contrast to Harvy66, I had enough messing about with wiring of DB25 and V35 plugs, crappy Emulex early-model disk drives and other hardware pain decades ago. These days I am very happy to buy a pre-assembled box with all the components known to work well together, and have my fun with the software :P



  • I'm a hobby user so I wanted something not too big, not too power hungry and not too expensive… you can't get all three though. My solution was a refurbished small form factor HP 7900 from NewEgg for about $100 and a couple nice Intel NICs for my WAN and LAN, keeping the internal port for testing stuff. I liked it well enough that I added an inexpensive SSD to eliminate the hard drive. Total into it is just over $200 and it is loafing along with under 10% CPU, near zero RAM and disk use even when I do a speed test on my 60 Mbps Cox Cable link.

    The initial learning curve is very easy if you have a very basic understanding of networking. Adding on to the basic operation isn't difficult, as you can take one step at a time and recover from any changes with a simple restore of your last good configuration. Good help options on most of the config pages and great help here on the forums also make things easier.



  • pfSense does have a learning curve, but if you have previous networking experience, it should not be too bad. The GUI can sometimes be a hindrance to power users.

    I run the nanobsd build (the build used with embedded systems) on my old Pentium 4 PC. It runs from a Compact Flash card using a CF-to-IDE adapter, so it acts like an HDD. The drop in heat and noise was surprising. It runs well except for some incompatibility between the Compact Flash and my motherboard's DMA (I should have probably got an "industrial" CF card).

    If you want better support, I would stay away from embedded/nanobsd simply because it is not the most commonly used build. I may be switching back to the standard build myself to keep potential problems to a minimum.



  • Thanks for the feedback everyone.  I'm not too worried about the learning curve as I have plenty of networking experience and I work a little bit with Sophos UTM at work.  Mainly I'm just concerned about getting the right hardware to get the most out of whatever software I run.

    My #1 priority is the speed of my site-to-site VPN.  Secondly, I want it to be very SFF because I just don't have the space for a PC-sized box (so at worst a mini-ITX build).

    Will the Atom C2358 and 4GB of RAM suffice do you think or should I be looking more at a system with the C2558?



  • pfSense is actually really great for home use.  It does a better job with most of the semi-advanced features that a home user would like.  It has a much better state table than DD-WRT. There are lots of home users that want something that will allow a lot of state table entries for P2P etc., want a user-friendly VPN (like OpenVPN) and like to be able to set DHCP static addresses etc.  Maybe set some timers for kids' internet access or whatever.  It's good for home.



  • pfSense for home use is brilliant. See the thread here: https://forum.pfsense.org/index.php?topic=73518.0;topicseen
    Small box, uses 10W when running and laughs at my broadband (160/12).

    It manages 5 VPN clients and a number of inbound VPN connections with ease. Using OpenVPN connected to PIA in Netherlands I get 200+Mb/s download according to speedtest (due to compression - pointless number). During the tests though the CPU barely moves….

    Learning curve? Not much. If you're familiar with networking then it's simple.



  • @JimPhreak:

    Will the Atom C2358 and 4GB of RAM suffice do you think or should I be looking more at a system with the C2558?

    That would be perfectly OK.



  • @FarmerB3rd:

    pfSense for home use is brilliant. See the thread here: https://forum.pfsense.org/index.php?topic=73518.0;topicseen
    Small box, uses 10W when running and laughs at my broadband (160/12).

    It manages 5 VPN clients and a number of inbound VPN connections with ease. Using OpenVPN connected to PIA in Netherlands I get 200+Mb/s download according to speedtest (due to compression - pointless number). During the tests though the CPU barely moves….

    Learning curve? Not much. If you're familiar with networking then it's simple.

    What CPU are you using with your setup?



  • It's on-board. No option. It's a Celeron™ J1900 (2.0 GHz) quad-core processor. I have not been able to get it to really slow down. It is more than enough for my home use. 160/12Mb/s does not do much. With iPerf I get 450MB/s throughput on it IIRC. That might be more to do with the "crappy" NICs though. Ample for my needs….



  • @FarmerB3rd:

    It's on-board. No option. It's a Celeron™ J1900 (2.0 GHz) quad-core processor. I have not been able to get it to really slow down. It is more than enough for my home use. 160/12Mb/s does not do much. With iPerf I get 450MB/s throughput on it IIRC. That might be more to do with the "crappy" NICs though. Ample for my needs….

    Nice, that's good to know.  I've got 165/75 and really want to max out my site-to-site OpenVPN so I really don't want any limitations from my CPU.



  • The high-end Rangeley and Avoton platforms are absolute beasts. The C2558/C2550 and C2758/C2750 are just insanely fast. Probably more than you will ever need. Even without QuickAssist the C2758 easily pushes 1000 Mbps with firewall and NAT running, and the C2558 should do the same. The AES-NI instruction set also removes most of the overhead usually associated with VPN encryption. Also, once pfSense gets QuickAssist support these platforms will get even faster. The C2358 might be just what you are looking for for home use. The C2550 is also an interesting option.

    However, the Rangeley and Avoton platforms are considered server class and are priced as such. But that also means you get really nice server-grade NICs and, depending on the motherboard you go with, the stability benefits of ECC RAM and/or enterprise-grade out-of-band remote management on its own dedicated NIC.

    These things are also small and use very little power. I just built a router out of:

    A small external power supply.
    A tiny MiniITX case.
    A C2758 server board.
    Probably too much ECC RAM.
    The cheapest hard drive I could find.
    And a little power adapter.

    I estimate this thing could compete with an ASA 5515 or maybe even a 5525, enterprise devices that go for $3000 and up.



  • @antillie:

    The high-end Rangeley and Avoton platforms are absolute beasts. The C2558/C2550 and C2758/C2750 are just insanely fast. Probably more than you will ever need. Even without QuickAssist the C2758 easily pushes 1000 Mbps with firewall and NAT running, and the C2558 should do the same. The AES-NI instruction set also removes most of the overhead usually associated with VPN encryption. Also, once pfSense gets QuickAssist support these platforms will get even faster. The C2358 might be just what you are looking for for home use. The C2550 is also an interesting option.

    However, the Rangeley and Avoton platforms are considered server class and are priced as such. But that also means you get really nice server-grade NICs and, depending on the motherboard you go with, the stability benefits of ECC RAM and/or enterprise-grade out-of-band remote management on its own dedicated NIC.

    These things are also small and use very little power. I just built a router out of:

    A small external power supply.
    A tiny MiniITX case.
    A C2758 server board.
    Probably too much ECC RAM.
    The cheapest hard drive I could find.
    And a little power adapter.

    I estimate this thing could compete with an ASA 5515 or maybe even a 5525, enterprise devices that go for $3000 and up.

    Nice build.  I'd probably go with the 2558 because it would be plenty for my needs.

    However, this board looks SWEET with 6 of the 7 NICs operating in bypass mode.  If I was gonna go all out I'd go for this one :D.

    http://www.servethehome.com/Server-detail/supermicro-a1srm-ln7f-2758-review-awesome/

    P.S.  Quick question about that case.  Is there a dedicated PSU port that you can easily mount that little power supply to, so that plugging and unplugging the power adapter is easy?



  • Yes the case has a little hole that perfectly fits the external end of the power adapter. You end up just plugging the power cord into the back of the case as if it was a laptop. It's the little silver plug just below the antenna in this picture.



  • @antillie:

    Yes the case has a little hole that perfectly fits the external end of the power adapter. You end up just plugging the power cord into the back of the case as if it was a laptop. It's the little silver plug just below the antenna in this picture.

    Sweet, thanks for that.  I just wish I could find a mini-ITX board with the C2358 in it.  Looks like I'm stuck going with the C2558 even though it should be way more than I need for my home needs.  I just need a CPU that can handle a 75Mbps site-to-site OpenVPN connection and some intrusion protection.



  • @JimPhreak:

    I've been using DD-WRT routers in my home for the past 5-6 years without any issues.  I have two sites (one of which hosts a media server that is heavily accessed by 5-10 users consistently) and the other site (which is connected with a site-to-site OpenVPN connection) houses a server that backs up all my media from Site A (UnRAID server via rsync).

    Site A is running a Linksys E4200 and Site B is running a Netgear R7000.  As you can probably surmise, the CPU on the E4200 is severely limiting the speed of my site-to-site VPN connection.  I'm only getting about 10Mbps when the actual connection speed is 75Mbps.  So I'm considering buying another R7000 to replace the E4200.  I'm hoping the two combined will be able to give me at least 50Mbps on the OpenVPN connection even if I have to OC them a little bit.

    My question is mainly this.  For someone who has never worked with pfSense before (I'm mainly a Windows and Cisco guy), how big is the learning curve (I don't want to spend weeks configuring a new router because I can't really afford the downtime) and is it worth it to go with a solution like pfSense for home needs like my own (VMware, Plex, storage server, backups over VPN, etc.)?

    Any insight would be greatly appreciated.  Thanks.

    EDIT:  Assuming pfSense is a good option for me, would something like this (http://store.netgate.com/ADI/RCC-VE-2440.aspx) serve my needs?  (75Mbps VPN connection.)

    EDIT #2:  What is the least powerful CPU I can get away with that will handle a 75Mbps site-to-site OpenVPN connection without a hitch?  Will the C2358 do the job?

    I think the ALIX APU4 can do what you want; the CPU has hardware AES encryption support, and according to security router you should be able to achieve about 95Mbps SSL VPN throughput with AES encryption.



  • @edwardwong

    I think the ALIX APU4 can do what you want; the CPU has hardware AES encryption support, and according to security router you should be able to achieve about 95Mbps SSL VPN throughput with AES encryption.

    Is this a typo? I thought that this is an "AMD G series T40E"-based system without AES-NI and/or Intel QA?

    AMD G series T40E tech. specs.



  • Use the opportunity to upgrade your PC. With all the parts you pulled out of your desktop, you could build a solid router.



  • I'm using an Atom D2500 with 4GB RAM and it is plenty.



  • @jbhowlesr:

    Use the opportunity to upgrade your PC. With all the parts you pulled out of your desktop, you could build a solid router.

    Huh?  Not sure who or what post this is in response to.

    @oppland:

    I'm using an Atom D2500 with 4GB RAM and it is plenty.

    Are you using OpenVPN?  What are your connection speeds?



  • You mention you have VMware. Why not run pfSense as a virtual?

    I'm also a Windows and Cisco guy, and I find pfSense fairly easy to use. If you've used Cisco's ASAs, pfSense takes a bit to get used to.

    The biggest frustration with pfSense is the lack of documentation.



  • @GomezAddams:

    You mention you have VMware. Why not run pfSense as a virtual?

    I'm also a Windows and Cisco guy, and I find pfSense fairly easy to use. If you've used Cisco's ASAs, pfSense takes a bit to get used to.

    The biggest frustration with pfSense is the lack of documentation.

    I'm considering running it as a VM but I have some reservations about it.  First off, my VM box runs my media server, which is used very heavily by many users, and I'm not sure how well it will work in conjunction with a router/firewall on the same box.  Also, I like the idea that I can do maintenance on my VM box without taking down the Internet.

    As for the lack of documentation, I'm noticing that.  Hopefully I will be able to pick up the basics quickly so I can at least get my network running while I learn the more advanced features.



  • @JimPhreak

    Hopefully I will be able to pick up the basics quickly so I can at least get my network running while I learn the more advanced features.

    There is also a book out about pfSense, and another one will be released soon, if that would be interesting for you to get up to speed faster.



  • I came to pfSense from a very Cisco-focused background. I work with ASA firewalls, Catalyst switches, and IOS routers every day. I found pfSense to be rather easy to learn. At the end of the day a network is a network and they all work the same way.



  • @BlueKobold:

    @JimPhreak

    Hopefully I will be able to pick up the basics quickly so I can at least get my network running while I learn the more advanced features.

    There is also a book out about pfSense, and another one will be released soon, if that would be interesting for you to get up to speed faster.

    Lol, that new book has been going to be released "soon" for over a year now.



  • @antillie:

    I came to pfSense from a very Cisco-focused background. I work with ASA firewalls, Catalyst switches, and IOS routers every day. I found pfSense to be rather easy to learn. At the end of the day a network is a network and they all work the same way.

    Well, yes, it is easy to learn, but the ASA and pfSense seem (to me at least) to require different mindsets when figuring out how to get to where you want to go.

    But you are right, at the end of the day, it is all just wrangling bits.



  • My main background is with Cisco switches and routers; however, in terms of security appliances I've never messed with any ASAs.  At work I use Sophos UTM, which I actually love, but from the research I've done it doesn't look like I can set up an OpenVPN tunnel to PIA with a kill switch from UTM.  It's the main reason I picked pfSense over it.

