New build for dedicated PFSense unit



  • Hi All,

I've been using PFSense for quite some time but have only recently joined the forums. I have been running PFSense on KVM for the last year. It's run extremely well, but now I've decided to move it over to dedicated hardware and put it in "full production". By that I mean as the family's primary gateway from the "House LAN". My plan with the unit is to have it as the primary gateway for my lab network and our home LAN. I'll use two VLANs on the PFSense box to segregate the traffic.

    The following services will be activated on the unit initially:
    1. Packet filter
    2. Snort
    3. OpenVPN

    I already have some components (SSD, PSU, RAM, NIC), so all I need is to buy the motherboard and CPU (and a case, but I'll buy that later on.)

    So with that in mind and picking up a few parts from the store I've ended up with the following system.

    CPU: i3-4170 (2c/4t 3.7Ghz) http://ark.intel.com/products/77490/Intel-Core-i3-4170-Processor-3M-Cache-3_70-GHz
    RAM: 16GB DDR3 1600Mhz
    SSD: Intel 520 - 250GB
    MOBO: ASUS H81I-PLUS https://www.asus.com/Motherboards/H81IPLUS/
    PSU: 500W Corsair http://www.corsair.com/en-us/cx-series-cx500m-modular-atx-power-supply-500-watt-80-plus-bronze-certified-modular-psu
    NIC: Intel I340-T4 (4 port) http://ark.intel.com/products/49186/Intel-Ethernet-Server-Adapter-I340-T4

I think the build will turn out really well. I'm not too worried about the on-board NIC not working as I'll have the 4-port adapter. 16GB RAM is definitely overkill, but it was unused RAM so no bother. I'm hoping this unit will last around 5 years, but no biggie if it doesn't. However, my estimate is that it should do well over that time frame, maybe longer.

We have the standard set of internet-connected devices in the house: mobile phones, TV, tablets. In addition I run the following services from home (on an i5 NUC):
    Owncloud
    Confluence
    Gitlab

    I currently have a 100/100Mbps internet connection, can upgrade to either 500/500Mbps or 1000/1000Mbps if I wish. I'm pretty confident the box will be able to push 500/500.



  • Perfect config. The i3 will handle all your needs well.

If you are planning for gigabit WAN in the very near future, you may want to go for a Xeon processor.



I'm not sure if you already bought the motherboard, but I think I would prefer something more server-oriented in the same price range. For example, it will be handy to have an IPMI port, or dual/quad LAN. It seems it will have a lot of features that you won't use and the money could be better spent on server components or features for a network-oriented machine.

    Hope it helps!



  • @bluepr0:

I'm not sure if you already bought the motherboard, but I think I would prefer something more server-oriented in the same price range. For example, it will be handy to have an IPMI port, or dual/quad LAN. It seems it will have a lot of features that you won't use and the money could be better spent on server components or features for a network-oriented machine.

    Hope it helps!

    Appreciate the input, but I don't agree for a machine at home.

The chosen mini-ITX board is the cheapest in its class and is also a board with extremely few features. You mention "dual/quad" LAN, but I've got a 4-port Intel NIC in the list? Additionally, if I get a server board then I'll need to buy ECC memory, something I do not have on hand, which would mean I need to spend more money and it would increase my initial outlay.

As much as I'd love to dump the extra dollars into server components for this system, I'm not convinced it would give me any more RTO than using consumer-grade parts (the Intel NIC in the list is a server-class NIC).



A 4 or 8 core Atom build would cost near the same and probably be a better candidate.



I would much rather go with a well-sorted Intel Atom C2558 or C2758, like the SG-4860 or SG-8860,
or perhaps a self-made box based on these SoCs. As a number to count on, the SG-4860 routes
1 GBit/s at the WAN port and delivers nearly 500 MBit/s VPN throughput.

    Appreciate the input, but I don't agree for a machine at home.

Could be, but a machine with a 500 Watt PSU is also not the regular home firewall size, is it?
The money that could be saved through the lower electric power consumption might pay for the
entire Intel Atom C2x58-based unit over 5 years. Also, the existing parts could be sold by you
to finance the new box. AES-NI and Intel QuickAssist will be given, and perhaps on top
DPDK (enabled software) over the AVX/AVX2 CPU registers. This might be more future-proof
than the Intel Core i3.



  • @BlueKobold:

I would much rather go with a well-sorted Intel Atom C2558 or C2758, like the SG-4860 or SG-8860,
or perhaps a self-made box based on these SoCs. As a number to count on, the SG-4860 routes
1 GBit/s at the WAN port and delivers nearly 500 MBit/s VPN throughput.

    Appreciate the input, but I don't agree for a machine at home.

Could be, but a machine with a 500 Watt PSU is also not the regular home firewall size, is it?
The money that could be saved through the lower electric power consumption might pay for the
entire Intel Atom C2x58-based unit over 5 years. Also, the existing parts could be sold by you
to finance the new box. AES-NI and Intel QuickAssist will be given, and perhaps on top
DPDK (enabled software) over the AVX/AVX2 CPU registers. This might be more future-proof
than the Intel Core i3.

In a perfect world I'd sell off the components I had and buy something smaller. But to be honest, I'd be lucky to get $100 for 16GB (4x4) of used DDR3 RAM and a 500W PSU. The 4-port Intel NIC is server-grade and I would have kept it for the build anyway.

With that being said, the 500W PSU won't be pulling 500W from the wall. Any savings from a lower-power PSU would be marginal. Maybe a few dollars a year in savings at most. Keep in mind I saved maybe $100-200 using used parts.

    I did consider the PFSense branded hardware, but it was too expensive for a small project like this. With import fees it would have been 3.5x the price of the build above.

    @messerchmidt:

A 4 or 8 core Atom build would cost near the same and probably be a better candidate.

Unfortunately the only options I have here are the 4 or 8 core ASRock mini-ITX motherboards. They are $350 and $450 respectively, $150/$200 more than the motherboard and CPU I purchased for this build.



  • @JBNixx:

    Appreciate the input, but I don't agree for a machine at home.

You should agree with bluepr0. Even if it's a home lab/network router, the requirements for a stable environment are as high as the ones for a small business production environment, hence a server-class mainboard should be your aim/makes sense.

ECC memory won't break your wallet, even if it's more expensive. Once you figure out what server-class mainboard is able to handle ESXi correctly (VT-d capable), 72 heavenly virgins are going to open up in front of you when it comes to the possibilities of what you can do with your new toy. And really, the dedicated vs virtualized debate should not exist in 2016.

And that 500W PSU, for a 24/7 server that does only pfSense, is really the eye-opener (read: total overkill). With proper hardware you could get by with no issues with just a 12V/5A/60W charger adapter.



pfSense is a software firewall and could or should not be compared to any kind of home router equipment
that is doing only SPI & NAT and is mostly pushed by an FPGA/ASIC, so that the real work is done in silicon!
And calling it a home build is in most countries something with 50 MBit/s down and 10 MBit/s up
and NAT together with some firewall rules. This is for me a home setup able to be realized with ~$200.

If you have other or more needs and need to install more packages or activate more services, you should not
then call it a home setup just because you are at home using this construct!!! So if this will end up
as a half or fully featured UTM device with 500 MBit/s to 1 GBit/s that must be fully routed at the WAN interface
and half of this throughput must be the VPN throughput on top, I think this might be answered by others than me.



  • @jjduru:


You should agree with bluepr0. Even if it's a home lab/network router, the requirements for a stable environment are as high as the ones for a small business production environment, hence a server-class mainboard should be your aim/makes sense.

ECC memory won't break your wallet, even if it's more expensive. Once you figure out what server-class mainboard is able to handle ESXi correctly (VT-d capable), 72 heavenly virgins are going to open up in front of you when it comes to the possibilities of what you can do with your new toy. And really, the dedicated vs virtualized debate should not exist in 2016.

And that 500W PSU, for a 24/7 server that does only pfSense, is really the eye-opener (read: total overkill). With proper hardware you could get by with no issues with just a 12V/5A/60W charger adapter.

    The problem here is you're all missing the point.

This was built with cheap parts and parts I already had. Buying ECC memory, buying a server-grade motherboard, buying a Xeon CPU, buying an SFX PSU, etc. would push the price up. It also wouldn't give me any more measurable stability or reliability.

As for the 500W PSU, sure it's overkill, but why buy a new smaller unit when I already have a PSU on hand? Additionally, I'd like to qualify exactly how much the whole unit pulls from the wall:

30W "idle"
47W under load.

Pump that up to 50W (full load 24/7). That comes out to $20 USD a year, but let's double it to be unfair: $40 bucks a year if the price of electricity doubles. My little PFSense box will be the last of my worries.

Regarding virtualization: I already use KVM on an Intel NUC that runs Gitlab, Owncloud and Confluence. 2 boxes that pull minimal electricity, and they run the lot.

    @BlueKobold:

pfSense is a software firewall and could or should not be compared to any kind of home router equipment
that is doing only SPI & NAT and is mostly pushed by an FPGA/ASIC, so that the real work is done in silicon!
And calling it a home build is in most countries something with 50 MBit/s down and 10 MBit/s up
and NAT together with some firewall rules. This is for me a home setup able to be realized with ~$200.

If you have other or more needs and need to install more packages or activate more services, you should not
then call it a home setup just because you are at home using this construct!!! So if this will end up
as a half or fully featured UTM device with 500 MBit/s to 1 GBit/s that must be fully routed at the WAN interface
and half of this throughput must be the VPN throughput on top, I think this might be answered by others than me.

Where I live, "homes" have fiber up to 1Gbps. So no, a "normal" home in my area doesn't have a 50/10 connection. They have maybe a 100/100 connection. Also, I don't live in "most countries", I live in MY country, so I have to make sure that the firewall can support a 1Gbps connection.

Additionally, I run some services behind this PFSense firewall such as Confluence, Owncloud, GitLab and VPN, among other things. Maybe it's not a "typical" home firewall, but it's MY home firewall. I'm still a home user even though I have chosen to host my own services at home. A power user, if you will.

**With all that being said, and taking the given limitations and constraints of the project into account, I now have a 5-port PFSense firewall. It's quiet, it's cool, it pulls little electricity and it does exactly what I want it to do for very minimal cost.

    And I never ever said it was the best most awesome PFSense box in the entire solar system :)**



  • Double Post



  • @JBNixx:


    The problem here is you're all missing the point.

This was built with cheap parts and parts I already had. Buying ECC memory, buying a server-grade motherboard, buying a Xeon CPU, buying an SFX PSU, etc. would push the price up. It also wouldn't give me any more measurable stability or reliability.

As for the 500W PSU, sure it's overkill, but why buy a new smaller unit when I already have a PSU on hand? Additionally, I'd like to qualify exactly how much the whole unit pulls from the wall:

30W "idle"
47W under load.

Pump that up to 50W (full load 24/7). That comes out to $20 USD a year, but let's double it to be unfair: $40 bucks a year if the price of electricity doubles. My little PFSense box will be the last of my worries.

Regarding virtualization: I already use KVM on an Intel NUC that runs Gitlab, Owncloud and Confluence. 2 boxes that pull minimal electricity, and they run the lot.


Where I live, "homes" have fiber up to 1Gbps. So no, a "normal" home in my area doesn't have a 50/10 connection. They have maybe a 100/100 connection. Also, I don't live in "most countries", I live in MY country, so I have to make sure that the firewall can support a 1Gbps connection.

Additionally, I run some services behind this PFSense firewall such as Confluence, Owncloud, GitLab and VPN, among other things. Maybe it's not a "typical" home firewall, but it's MY home firewall. I'm still a home user even though I have chosen to host my own services at home. A power user, if you will.

**With all that being said, and taking the given limitations and constraints of the project into account, I now have a 5-port PFSense firewall. It's quiet, it's cool, it pulls little electricity and it does exactly what I want it to do for very minimal cost.

    And I never ever said it was the best most awesome PFSense box in the entire solar system :)**

Sunshine, if you're dead set on this config, why are you still asking questions here? If you need a debate to clarify your thoughts on the hardware build, this is the place to do it, but this is increasingly not looking like a debate, but more like a one-sided axiom.

    YOUR home firewall is wonderful and perfect. Have at it.



  • @jjduru:


Sunshine, if you're dead set on this config, why are you still asking questions here? If you need a debate to clarify your thoughts on the hardware build, this is the place to do it, but this is increasingly not looking like a debate, but more like a one-sided axiom.

    YOUR home firewall is wonderful and perfect. Have at it.

    I asked if it would do the job. No more.

    I already had everything except for motherboard and CPU. I picked up the cheapest board and CPU that would do the job.

That's why it's strange when the "feedback" I get is "omg 500W PSU", "buy server board", etc.

    But its fine. I get the point. There are higher quality/better suited components out there. But I already knew that.

