Totally new to PFSense, home build need advice



  • Before I go out and drop a couple of bucks on hardware for my build I'd like to get some input here. This is my first PFSense build and I do not have a ton of networking experience.

    -This is intended to be my home router
    -I get 150/150 Mbps from my ISP
    -I want to run Open VPN with dynamic DNS to point to my dynamic IP.
    -I also want it to be capable enough to comfortably run snort and run squid caching to an SSD.
    -I intend to connect an AP for AC wireless, so I'm thinking I need an Intel 4x NIC.

    Q's:
    -It seems like Intel Atom is the preferred platform. Can anyone share some ideal builds for my purposes?
    -For caching SSD, does this need to be on a separate drive from the OS? If so, how should I store the OS? I'm thinking ~120 GB for caching.
    -Is it best to connect the AP to the router or to my network switch?



  • @joshroz2:

    -It seems like Intel Atom is the preferred platform. Can anyone share some ideal builds for my purposes?
    -For caching SSD, does this need to be on a separate drive from the OS? If so, how should I store the OS? I'm thinking ~120 GB for caching.
    -Is it best to connect the AP to the router or to my network switch?

    pfSense is optimized to use AES-NI and Quick Assist Technology for encryption acceleration.

    No experience with Question No. 2.

    I have a Ubiquiti Lite AP and it's a work in progress while trying different configurations (NIC and network switch).



  • Before I go out and drop a couple of bucks on hardware for my build I'd like to get some input here. This is my first PFSense build and I do not have a ton of networking experience.

    To go deeper, you might have a look at this:

    -This is intended to be my home router

    pfSense is a software firewall, not only plain router software, and needs a fairly solid
    hardware basis to run smoothly. What is your real budget?

    -I get 150/150 Mbps from my ISP
    -I want to run Open VPN with dynamic DNS to point to my dynamic IP.

    This can be done on the cheapest x86_64 hardware you can find.

    -I also want it to be capable enough to comfortably run snort and run squid caching to an SSD.

    Ok, this might then need some more horsepower as I see it, owing to what throughput you
    really want to come out on your LAN side.

    -I intend to connect an AP for AC wireless, so I'm thinking I need an Intel 4x NIC.

    Why? If the appliance comes with enough LAN ports, this will not really be needed.

    Q's:
    -It seems like Intel Atom is the preferred platform. Can anyone share some ideal builds for my purposes?

    SG-2220, SG-2440 or SG-4860 from the pfSense store would do the job for you with ease. Alternatively
    you could have a closer look at the Netgate store, which offers RCC-VE units for somewhat less coin. And for the
    really self-made engineer, you should perhaps have a closer look at the SuperMicro Intel Atom C2x58 boards.
    They come with AES-NI and Intel QuickAssist and would be future proof and easy to assemble.

    But you will also be happy with any Intel Core i3 & i5 setup to handle your firewall as you want to
    install and run it. Perhaps an Intel Xeon E3-12xxv3 is more power saving but with enough power on the
    other side. This all depends on your budget, needs and wishes, or plainly on how you want
    your new appliance to look.

    -For caching ssd, does this need to be on a separate drive from the OS? If so how should i store OS? I'm thinking ~120 GB for caching.

    120 GB is really huge, but if there are many family members or friends or whatever in your household
    you would be glad to have enough space to serve them. It all depends on what kind of things should be
    cached and for how long.

    -Is it best to connect the AP to the router or to my network switch?

    There are two camps of thinking about this. I personally would never connect a device directly to the
    router or firewall; I would rather install a switch between them, to spread the entire network load
    over many more devices than only the router or firewall. Others might see this in a different way,
    but I would suggest you connect the WiFi AP to the LAN switch and the LAN switch to the pfSense.

    I personally would go with the SuperMicro C2558 or C2758 (Rangeley) platform or a SG-xx unit from the
    pfSense or Netgate shop if budget is not a problem. Not the cheapest, but time is money and these
    things are working well for many people, so it could not be bad for you.


  • LAYER 8 Netgate

    If you have 150/150 why do you care about squid caching? Just don't.

    I personally would go with the SuperMicro C2558 or C2758 (Rangeley) platform or a SG-xx

    Way overpowered for 150/150. Any APU will do it easily. Any Atom 525 will do it.



  • Way overpowered for 150/150. Any APU will do it easily. Any Atom 525 will do it.

    What is today "up to date" might in some years not really be working anymore, like the Alix boards! They
    were fine for 6 - 7 years and then not strong enough, but ok, I will consider your suggestion;
    this APU2C4 from PC Engines will be fine for sure to handle this load.



  • My estimate based upon data from https://blog.pfsense.org/?p=1866 :

    If (SG-2220 @84 Bytes/packet == 123 kpps) or (C2758 @84 Bytes/packet == 270 kpps) then
    Alix @84 Bytes/packet == 17 kpps; Apu1 @84 Bytes/packet == 72 kpps; Apu2 @84 Bytes/packet == 90 kpps



  • Thanks for all the replies

    To clarify a few things:
    I'd like to keep it under $300, with the ideal sweet spot being anywhere around $200.

    I do have an i5-6500 I could use, but I think it would be overpowered and a power hog.

    On Amazon I saw A1SRI-2558F-O with an atom C2558 included for $260ish, so that would put me only a little over budget with everything else.

    I wanted to eventually use squid to cache game patches when I have multiple friends over for game night, It would be cool to be able to cache that so as they roll in they can get the patch downloaded super fast. SC2 has pretty much weekly patches and we have 4-6 players every friday. Also I would like to cache GIS data for working at home so I can speed things up without having to manage the files locally.

    More Q's:
    Is 8 GB a good balance of price and performance, or overkill? Maybe 4?
    How important is ECC?
    What form factor PSU for a Mini ITX case? ATX is cheap and will probably fit but they all seem way overpowered or low quality/efficiency.





  • @nib01:

    I might be getting one of these. Let me know what you guys think? Thanks.

    http://www.amazon.com/Fanless-pfSense-Firewall-2-16Ghz-Pre-Loaded/dp/B0124G9S64/ref=sr_1_1?s=pc&ie=UTF8&qid=1457736096&sr=1-1&keywords=725407180123

    http://www.jetwaycomputer.com/NF9VT.html

    Jetway N2930 board ~$205



    in total = $440 cash

    • with WiFi
    • more RAM
    • more SSD capacity
    • 100% pfSense compatible
    • enough to run pfSense & Snort & Squid & SquidGuard & pfBlocker-NG & WiFI AP + Captive Portal

    But ok, the above-named APU2C4 by @Derelict is available here in Germany for something around:
    Board ~180 €
    Case & wall mount ~20 €
    PSU ~10 €
    mSATA ~80 €
    WiFi card ~25 €
    ~320 € in total, and it also does the job nicely for the 150/150; it could really be a good choice or alternative.



  • Jetway N2930 board

    Celeron N2930 doesn't have AES-NI support. In case of OpenVPN this is crucial. Maybe N2930 may handle 128 Mbps of AES-256-CBC, however at very high cost, like power consumption, heat and performance. Note that OpenVPN is single threaded so it may utilize up to one core. Just a warning. If you're looking for OpenVPN and security you just have to have AES-NI, even with the cost of performance.

    I wholeheartedly recommend something like Celeron N3150. It is slightly slower (4 cores, 1.6 GHz), however it has excellent AES acceleration support.

    Just to give you an example of an openssl speed test for aes-256-cbc

    without AES-NI:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256 cbc      25745.51k    28867.65k    29877.67k    75324.42k    76382.21k

    load average: 0,6

    with AES-NI:
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc      40691.94k   164077.18k  1016619.75k  2500160.95k 42008576.00k

    load average: 0,2

    Difference (for 8k blocks) is like 500 times faster. Yes, 500 times faster with AES NI.

    I have very good experience with the Gigabyte GA-N3150N-D3V board with this processor. I built my router with VPN in mind and I'm very happy. Drawbacks though: this board has Realtek NICs, however for me they work just fine, zero problems. A plus is that this board has a full-size PCI slot, so it's possible to put in some cheap Intel card and go with it if somebody likes it.
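The openssl speed tables quoted above are the usual way to see what AES-NI buys you, and the gain differs a lot by block size. The following Python script is an added example, not code from this post, from pfSense or from any board vendor: it parses the two tables quoted above (both are for aes-256-cbc, as given in the post), computes the per-block-size speedup, converts the kB/s figures into Mbps so they can be set against a WAN rate such as the 150/150 link discussed in this thread, and checks a /proc/cpuinfo-style text for the `aes` CPU flag. The cpuinfo text is a constructed sample, and the function names are my own.

```python
"""Parse `openssl speed` tables and compare a with-AES-NI run against a without-AES-NI run.

Added example, not code from the forum post. The two tables below are copies of the
figures quoted in the post for aes-256-cbc; the cpuinfo text is a constructed sample.
"""
import re

# Table quoted in the post for the run without AES-NI (copied from the post).
WITHOUT_AESNI = """\
The 'numbers' are in 1000s of bytes per second processed.
type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
aes-256 cbc      25745.51k    28867.65k    29877.67k    75324.42k    76382.21k
"""

# Table quoted in the post for the run with AES-NI (copied from the post).
WITH_AESNI = """\
The 'numbers' are in 1000s of bytes per second processed.
type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
aes-256-cbc      40691.94k  164077.18k  1016619.75k  2500160.95k 42008576.00k
"""

# Constructed /proc/cpuinfo excerpt; the flag list is a sample, not a real CPU's.
CPUINFO_SAMPLE = """\
processor\t: 0
model name\t: constructed sample CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 pclmulqdq aes rdrand
"""


def parse_speed_table(text):
    """Return {cipher: {block_size_bytes: kbytes_per_second}} from `openssl speed` output.

    The header line starting with 'type' gives the block sizes; each data line ends with
    one 'NNNN.NNk' value per block size. Cipher names with a space ('aes-256 cbc') are
    normalised to the dashed form so both runs can be compared under one key.
    """
    block_sizes = None
    result = {}
    for line in text.splitlines():
        header = re.match(r"^type\s+(.*)$", line)
        if header:
            block_sizes = [int(b) for b in re.findall(r"(\d+) bytes", header.group(1))]
            continue
        if block_sizes is None:
            continue  # preamble such as "The 'numbers' are in ..." or "load average"
        parts = line.split()
        if len(parts) < len(block_sizes) + 1:
            continue
        values = parts[-len(block_sizes):]
        if not all(v.endswith("k") for v in values):
            continue
        name = " ".join(parts[:-len(block_sizes)]).replace(" ", "-")
        result[name] = {bs: float(v.rstrip("k")) for bs, v in zip(block_sizes, values)}
    return result


def speedup(baseline, accelerated, cipher):
    """Per-block-size throughput ratio accelerated/baseline for one cipher."""
    base = baseline[cipher]
    acc = accelerated[cipher]
    return {bs: acc[bs] / base[bs] for bs in base}


def kbytes_to_mbps(kbytes_per_second):
    """Convert the openssl figure (1000s of bytes per second) to megabits per second."""
    return kbytes_per_second * 1000 * 8 / 1_000_000


def has_aesni(cpuinfo_text):
    """True if a 'flags' line in /proc/cpuinfo-style text lists the 'aes' feature."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            if "aes" in line.split(":", 1)[1].split():
                return True
    return False


if __name__ == "__main__":
    base = parse_speed_table(WITHOUT_AESNI)
    acc = parse_speed_table(WITH_AESNI)
    print("AES-NI flag present in sample cpuinfo:", has_aesni(CPUINFO_SAMPLE))
    for bs, ratio in speedup(base, acc, "aes-256-cbc").items():
        print(f"{bs:5d}-byte blocks: {ratio:7.1f}x faster, "
              f"{kbytes_to_mbps(base['aes-256-cbc'][bs]):9.1f} Mbps without AES-NI")
```

On your own box the baseline table comes from `openssl speed -evp aes-256-cbc` with AES-NI masked off through the OPENSSL_ia32cap environment variable (for example `OPENSSL_ia32cap="~0x200000200000000"`, which clears the AES-NI and PCLMULQDQ capability bits), and the accelerated table from the same command without the mask; paste both outputs in place of the two strings. The Mbps conversion is what lets you compare a single-core AES throughput number with a link rate, which is the question that actually matters for an OpenVPN box.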



  • Celeron N2930 doesn't have AES-NI support.

    For sure, and now? As far as I am informed, AES-NI will actually support only AES-GCM but not AES-CBC,
    and OpenVPN is only using AES-CBC! And the starting point to get strong enough hardware for
    the following parts is not only based on OpenVPN alone.

    -This is intended to be my home router
    -I get 150/150 Mbps from my ISP
    -I want to run Open VPN with dynamic DNS to point to my dynamic IP.
    -I also want it to be capable enough to comfortably run snort and run squid caching to an SSD.
    -I intend to connect an AP for AC wireless, so I'm thinking I need an Intel 4x NIC.

    In case of OpenVPN this is crucial. Maybe N2930 may handle 128 Mbps of AES-256-CBC, however at very high cost, like power consumption, heat and performance.

    ??? What is the high cost here? It is using only 7.5 Watt, and this might not really be much compared
    to the ability to set up pf, Snort, Squid & SquidGuard, pfBlocker-NG together.

    Note that OpenVPN is single threaded so it may utilize up to one core. Just a warning. If you're looking for OpenVPN and security you just have to have AES-NI, even with the cost of performance.

    If I am personally looking for security, I go with AES-NI and IPsec AES-GCM and get perhaps
    4x or 5x the normal rate. And that is then a super result in my eyes.

    I wholeheartedly recommend something like Celeron N3150. It is slightly slower (4 cores, 1.6 GHz), however it has excellent AES acceleration support.

    You cannot only compare cores against each other, because not each CPU core is like the other one.
    One Intel Xeon E3 or E5 CPU core should not be compared against the Intel Atom's lower-end
    CPU cores and vice versa. The N2930 is well performing and running pfSense in my eyes, but
    perhaps with the newer APU2C4 this could now be changed.

    I have very good experience with the Gigabyte GA-N3150N-D3V board with this processor. I built my router with VPN in mind and I'm very happy. Drawbacks though: this board has Realtek NICs, however for me they work just fine, zero problems. A plus is that this board has a full-size PCI slot, so it's possible to put in some cheap Intel card and go with it if somebody likes it.

    The N2930 comes with 4 Intel ports, and I was only answering the post from @nib01.
    Because he gets less for $440 than the things I named above, all in all for $429, but with double the RAM,
    SSD size, plus WiFi on top and also Intel ports, but the M350 as case. Not more and not less.



  • @BlueKobold:

    Celeron N2930 doesn't have AES-NI support.

    For sure, and now? As far as I am informed, AES-NI will actually support only AES-GCM but not AES-CBC,
    and OpenVPN is only using AES-CBC! And the starting point to get strong enough hardware for
    the following parts is not only based on OpenVPN alone.

    If so, AES-NI only supporting AES-GCM but not AES-CBC, which is what OpenVPN uses, would be the most important point for me for this purpose.

    I would love to see a list of mini-ITX boards with AES-NI support that use an external power supply only (like the Jetway N2930).

    Thanks.



  • http://www.amazon.com/dp/B0179S50UU/ref=twister_B01C9TKBO4?_encoding=UTF8&psc=1

    "Usually ships within 3 to 6 weeks." ... but it could be earlier than that, based on my experience with an Amazon FireTV purchase. Maybe 1 or 2 weeks' time. You can try your luck if you're not in a hurry.

    Just another 3150 pfSense board, check out the comments there:
    http://www.amazon.com/Asus-Motherboard-Mini-DDR3-N3150I-C/dp/B0167OVET8/ref=sr_1_fkmr0_1?s=pc&ie=UTF8&qid=1457922285&sr=1-1-fkmr0&keywords=asus+n3150+mobo

    **UPDATED: I pasted in the wrong thread. Sorry. I opened multiple tabs.**

    my post above is meant for  -> https://forum.pfsense.org/index.php?topic=107997.0



  • @hardsense:

    http://www.amazon.com/dp/B0179S50UU/ref=twister_B01C9TKBO4?_encoding=UTF8&psc=1

    "Usually ships within 3 to 6 weeks." ... but it could be earlier than that, based on my experience with an Amazon FireTV purchase. Maybe 1 or 2 weeks' time. You can try your luck if you're not in a hurry.

    This is actually a great board with all the features except the internal power supply; it would have been perfect with an external DC power input on this board.



  • I think the celerons are not that cost effective. I am not impressed with the jetway solutions. After doing more research I think the performance/cost sweet spot is around $400-500.

    I'm looking at the:
    C2750D4I with 8 GB DDR3 ECC for a total of $415
    or
    E3C236D2I with i3-6300 or E3-1225 v5 and 8 GB of DDR4 ECC for a total of $450 or $543

    I think these are both overkill right now actually, but they give me a lot more flexibility, especially the 1151 socket, which I already own CPUs for, and I think they will do more than I need for the next couple of years and will be good with any network upgrades I throw at it. I chose 8 GB because it's only $10 more and 8 GB sticks are better to have in the long run.

    I'm gonna use one of the bigger desktop style mini ITX cases so any PSU will do but it's hard to find good ones under 500W. Still looking.



  • @nib01:

    @BlueKobold:

    Celeron N2930 doesn't have AES-NI support.

    For sure, and now? As far as I am informed, AES-NI will actually support only AES-GCM but not AES-CBC,
    and OpenVPN is only using AES-CBC! And the starting point to get strong enough hardware for
    the following parts is not only based on OpenVPN alone.

    If so, AES-NI only supporting AES-GCM but not AES-CBC, which is what OpenVPN uses, would be the most important point for me for this purpose.

    I would love to see a list of mini-ITX boards with AES-NI support that use an external power supply only (like the Jetway N2930).

    Thanks.

    I don't mind if you ask questions in my thread, but please don't hijack it for your own build. In fact, you would probably get more responses tailored to your build if you just make your own thread anyway.

