First pfsense build advice

  • Hi everyone,

    Looking to build my first pfsense box, and I'm having a little trouble navigating all of the advice that is strewn about the Internet.  I'm finding that once I try to incorporate all of the good ideas and notes, I end up significantly over-engineering and ending up with something that is way more expensive than I probably need.

    My needs:

    My current router is starting to exhibit 'flakiness' and it's old enough that it's time to replace it.  I've decided that in light of all of the security vulnerabilities that I've been reading about it's no longer worth the convenience to just go buy another ASUS, Linksys, or Netgear SOHO router.  I suppose I could put Open-WRT on one of them but I've never felt that it's performed very well and I'd really like to have something running FreeBSD.  My perception is that the build quality of these devices is getting worse and worse anyway, so it may not be entirely the software's fault, but in any case that's where I've landed.

    My current Comcast ( :-\ ) connection is 50/10.  If it can be built for a reasonable price I'd like to be able to handle a gigabit, but if I'm being honest it probably doesn't need to support anything faster than 250/250 – Google isn't coming to town anytime soon.

    I'm pretty set on an ITX board - I want the end product to be as small as possible.  I certainly don't have room to put another mini-ATX tower anywhere.

    Realtek NICs are a nonstarter, which really cuts down on the available options.  I guess the question I have is, do I really need the QuickAssist or advanced AES features on some of the higher-priced atom chips like the C2558?  When you take a ITX board like the A1SRi-2558F, add memory, an SSD and case, I keep coming up with builds that are $450-$500 which seems pretty expensive when I think about what I really need to accomplish.

    Where should I be looking to cut some costs?  I've always known that this project would cost more than just going and getting something from BestBuy, but I was thinking I would be spending something closer to $250-$300.

    Thank you all in advance - I'm sure that these questions get asked all the time.  Unfortunately, the more I read, the more expensive the project gets, so I really need someone familiar with the software to walk me back from the ledge and tell me what the performance is like in the real world.

  • but I was thinking I would be spending something closer to $250-$300.

    It mostly depends on many things you where telling us nothing about, and so it should ending up
    in a so called guess work! Sorry, but what we know about your needs and what you are willing to
    install and run on the pfSense box?

    Do you need or usage or be willing to install or use;

    • Squid + SquidGuard
    • Snort
    • WiFi card
    • mSATA SSD
    • SSD
    • OpenDPI
    • CaptivePortal
    • OpenVPN or IPSec VPN

    So this would bring us all nearly the point to point you to the right hardware.

    • Alix APU 4 GB RAM bundle with 16 GB mSATA 250 €
      If VPN is not the real goal of your action it should be good enough.

  • Hi Everyone,

    I'm sorry that my initial post was not detailed enough in the right areas.  I hope that you'll all understand that I don't yet know which things I don't know.  ;)

    BlueKobold, thank you for identifying so many areas for follow-up.  I'll address each of the items you've identified and hopefully this will help.

    • Squid + SquidGuard:  I don't anticipate that I would deploy squid.  I don't think I have enough users/devices in my network to reap much benefit.
    • Snort:  I think I will want to deploy snort, if only to achieve educational goals.
    • WiFi Card:  No, I do not need WiFi in this box - I already have a wifi access point which serves my current needs.
    • mSATA SSD (and SSD):  I would like to use SSD for the device's OS drive, as it doesn't need to be very large and the cost is negligible. It's hard to imagine a case that doesn't have room for a 2.5" SSD but if that was the deciding factor I would go mSATA.  Otherwise I have no preference between the two.
    • OpenDPI:  If I'm honest with myself, probably not.
    • Captive Portal:  No, don't need it.
    • OpenVPN or IPSec VPN:  Not currently, but I do see that as a potential future need.  If I was to deploy it I would need to operate multiple route tables or perhaps have a split-tunnel where one VLAN was exempt from VPN traffic*.

    I've seen the PC Engines Alix and APU boards, but was dissuaded by the RealTek NICs.  What throughput do they achieve in practice?  :-\

    My other new concern is that having thought about VPN, I mentioned possibly utilizing multiple VLANs.  I have a server that probably will not enjoy being tunneled by the VPN, so I would need to exempt its traffic somehow to ensure that it goes straight out.  However, if I put it on a separate VLAN, I suddenly have a lot more inter-VLAN routing occurring for the local clients.

    Obviously this is not the easiest thing to optimize.  :(

  • I think if you have a solid connection and pfsense installed you should definitely install openvpn unless you have some reason not to.  Once its up and running you will find plenty of reasons to use it unless you never travel and never use wifi on untrusted networks.

  • @kejianshi:

    I think if you have a solid connection and pfsense installed you should definitely install openvpn unless you have some reason not to.  Once its up and running you will find plenty of reasons to use it unless you never travel and never use wifi on untrusted networks.

    D'oh!  :o

    Of course you guys were referring to a VPN server, and not a VPN client!  The answer then is, "Of course I want to do that!  Please excuse my earlier stupid response!"

    BlueKobold's reply indicates that the APU doesn't have the horsepower for this purpose.  Where do I go from there?  Is there any way to do it without doubling the price?

  • An apu can run a vpn just fine as long as the bandwidth being used by the client isn't overwhelming.

    Most people won't need more than the ability to VPN netflix or email or other stuff like that.

  • It looks like the APU is out of stock for at least 2 months.  I'm not in a huge rush, but I am noticing that the build I spec'd on the Celeron J1900 is only $80 more than the APU build.  Both utilize RealTek chipsets (not a plus, but if I don't count it against the APU it seems unfair to count it against the J1900).  Neither support AES-NI.  The J1900 build has twice as much RAM in it and the chip is much more powerful (4 cores instead of 2).

    Aside from the $80, the only real potential drawback is that the Gigabyte GA-J1900N-D3V motherboard has some really mixed reviews on Newegg (Amazon seems a little nicer).  The problems that are being reported seem pretty bizarre to me… user reports that his USB keyboard works intermittently.  UEFI problems seem pretty common, and the BIOS update process gets a lot of hate.  I'm ready to discount both of those as they tend to be common issues that are often solved by "doing it the right way" (I'm pretty sure that every motherboard has some people out there who will complain about updating the's not always the easiest thing to do and it would be nice if there was a standard way to do it, but every board has it's own quirks).

    I'm going to keep thinking about it and will certainly appreciate any other advice that you might want to provide, but I think you've helped me narrow it down to these two options.  Thank you all very much for the help, and once I've moved forward I'll post an update with news of my success (or failure).  ;)

  • I have an APU2 running nanoBSD on my 50/10 Comcast connection.  It works great.  I have OpenVPN back to the office, kids streaming crazy screaming anime videos, me streaming Comcast movies, phones, tablets, etc.  The CPU never breaks a sweat, and I never experience any sort of latency.

  • @uvillx:

    It looks like the APU is out of stock for at least 2 months.

    Says in stock when I looked this morning.

    NanoBSD is good enough for most home users, and what I would recommend in your case, unless you just want an SSD and the ability to run SQUID and SQUIDGuard, and have other benefits of persistent storage.  With an SSD and the non nano distribution of pfsense you REALLY need to have a UPS to plug your firewall in to.  A couple of nights ago I had to reload the OS on one that sustained several power failures which hosed the filesystem.

Log in to reply