Advice for home use



  • Hi,

    I would like to build a router for home use and what I have is:
    Gigabyte N3150N D3V board
    8 GB RAM
    32 GB Supermicro DOM

    I would like to:
    Cache websites
    Cache DNS
    DNS based adblock
    Antivirus
    OpenVPN

    The most important would be to protect the LAN (the family (:)

    Since I'm pretty green, I'm not sure what packages I need, so a pointer would be welcome.

    Thanks.



  • Welcome Pippin!
    @Pippin:

    Hi,

    I would like to build a router for home use and what I have is:
    Gigabyte N3150N D3V board
    8 GB RAM
    32 GB Supermicro DOM

    I would like to:
    Cache websites
    Cache DNS
    DNS based adblock
    Antivirus
    OpenVPN

    The most important would be to protect the LAN (the family (:)

    Since I'm pretty green, I'm not sure what packages I need, so a pointer would be welcome.

    Thanks.

    Specs on that mobo seem fine and, depending on your subscribed speeds from your ISP, it should perform well. If you find that your throughput somehow doesn't match your level of service, then I would look to replace the Realtek NICs with something from Intel or Broadcom. They are better in a router/firewall.

    As for your requirements:
    Cache websites - Squid package
    Cache DNS - built in; Unbound is default on new installs
    DNS based adblock - pfBlockerNG; config settings for DNSBL (blacklisting) from EasyList or others; old documentation but may be useful https://doc.pfsense.org/index.php/Pfblocker
    Antivirus - Squid package; now includes ClamAV as required and very easy to set up
    OpenVPN - built in; not hard either but I don't use it; https://doc.pfsense.org/index.php/OpenVPN



  • Hi,

    depending on your subscribed speeds from your ISP

    Currently 16/2,5 but if it can do 50/50 for future then I'm ok.

    So I would need Squid and pfBlockerNG, the rest is built in, nice…

    Would it be useful to use 8 GB RAM or would 4 GB be enough? (I have enough lying around here.)
    I ask because I read that one can use RAM to offload var and tmp; would it make sense, or is the 32 GB DOM sufficient?

    Also, would Snort make sense for home use?
    Still reading up on what is possible...

    Thank you.



    Depending on packages, using even 2 GB of RAM can end up being wasteful for 100 Mb connections, so no worries there. I've got 100/100 at home on a 1 GB stick of RAM and it sits at about 10% memory usage with var and temp offloaded into memory; typical/default var and temp sizes are like 100 MB, so it's not much of a burden.

    Obviously, memory-intensive packages like deep packet inspection stuff (Suricata) or content caching will increase this requirement. But even so, 4 GB will satisfy 90% of those packages' typical-use configs on a home connection; if you're just running Squid and DNS caching you shouldn't have an issue and should be able to set Squid's memory usage (how much cached information it keeps hot in RAM) pretty liberally.

    Regarding Snort, deep packet inspection/intrusion detection certainly isn't needed for home usage and is overkill 99% of the time (in a home environment), but it certainly does provide a warm fuzzy feeling and you'd be surprised how much stuff ends up in the blocked logs. If you have capable hardware (you certainly do) there aren't many downsides to clicking the install package button, configuring some rules lists and going off to the races.



    I like warm fuzzy feelings, so Snort it is  :)
    Will put 2x 2 GB in then and will look for a case, which is the only thing I don't have.

    Thank you for the useful info.



    Ok, I read that the onboard RT NIC is maybe not so good?

    This board, N3150N D3V, has a PCI slot with an ASM1083 PCI Express-to-PCI Bridge:

    • Support PCI bus 33 MHz
    • Support 3 PCI Masters
    • SSC Support
    • CLKRUN Support
    • PME Support

    33 MHz x 32 bit = 133 MB/s
    Does this mean that 1 Gb/s cannot be reached if I put in a PCI card?

    Just in case the RT does not get to 1 Gb/s on the LAN side or somewhere near that, would it be better to put in a PCI card?

    Thank you.



    Never mind, I was thinking the wrong way  :)
    There's a switch, a 1810 V2, in between.



    As you noticed, the older plain PCI bus is limited to 133 MB/s, but that's megaBYTES per second.

    Gigabit LAN however is gigaBIT, which is 125 megaBYTES per second, so an Ethernet card with a single gigabit Ethernet port will not be bottlenecked by a PCI slot. A card with two gigabit ports, however, will obviously not be able to saturate both ports at once, as you're approaching double the speed of the PCI bus.

    However, some good news: Realtek interfaces are hit and miss as you note, but that doesn't mean always bad. Googling for your board brought up a couple of threads on this very forum, including a fellow user who says he's using both onboard Realtek interfaces with no issues at all:

    https://forum.pfsense.org/index.php?topic=105114.msg601520#msg601520
    (bottom post)

    Hope that helps!

    (But also, as you note, if your house computers are connected to a gigabit switch and then the switch is connected to the router, local LAN traffic will never hit the router anyway; only WAN traffic destined outside of your subnet will, and only if your WAN connection is close to gigabit will it matter whether you can sustain that saturated speed across them :) )



    Yes, I found some posts; looks like I'm OK with this board.

    @fohdeesha:

    but that's megaBYTES per second.

    Or MiB ?

    Just kidding, I know the difference  ;)
    Somewhere next week the case will arrive, then the fun can start  :)



    That's what I get for replying on my phone  ;D

    2 inch keyboards! But yes, you're gonna have a great time with pfSense  8)



  • You know you can also talk to your phone right?  ;D



    The case arrived and I installed PFS from a USB stick after first updating the BIOS to the latest F3.
    But first I got an ERROR 19, and a quick search seemed to indicate that it could be because of USB 3.
    So I stuck it in a USB 2 port and then the install went fine :)

    Decided to put in an SSD instead of the DOM, and now I read that TRIM is not enabled:

    :tunefs -p /dev/ufsid/57137fa8f265f119
    tunefs: POSIX.1e ACLs: (-a)                                disabled
    tunefs: NFSv4 ACLs: (-N)                                   disabled
    tunefs: MAC multilabel: (-l)                               disabled
    tunefs: soft updates: (-n)                                 enabled
    tunefs: soft update journaling: (-j)                       enabled
    tunefs: gjournal: (-J)                                     disabled
    tunefs: trim: (-t)                                         disabled
    tunefs: maximum blocks per file in a cylinder group: (-e)  4096
    tunefs: average file size: (-f)                            16384
    tunefs: average number of files in a directory: (-s)       64
    tunefs: minimum percentage of free space: (-m)             8%
    tunefs: space to hold for metadata blocks: (-k)            6408
    tunefs: optimization preference: (-o)                      time
    tunefs: volume label: (-L)
    
    

    Anyone know if enabling TRIM still works if I follow this:
    https://forum.pfsense.org/index.php?topic=97554.msg543373#msg543373

    So I would need to start at step 3.
    Are there any more tunings to be done before putting it in its final location?

    Edit:
    SSD does support TRIM:

    :camcontrol identify /dev/ada0
    pass0: <Corsair Force LS SSD S9FM02.6> ACS-3 ATA SATA 3.x device
    pass0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
    protocol              ATA/ATAPI-10 SATA 3.x
    device model          Corsair Force LS SSD
    firmware revision     S9FM02.6
    serial number         xxxxxxxxxxxxxxxxxxx
    cylinders             16383
    heads                 16
    sectors/track         63
    sector size           logical 512, physical 512, offset 0
    LBA supported         117231408 sectors
    LBA48 supported       117231408 sectors
    PIO supported         PIO4
    DMA supported         WDMA2 UDMA6
    media RPM             non-rotating
    
    Feature                      Support  Enabled   Value           Vendor
    read ahead                     yes      yes
    write cache                    yes      yes
    flush cache                    yes      yes
    overlap                        no
    Tagged Command Queuing (TCQ)   no       no
    Native Command Queuing (NCQ)   yes              32 tags
    NCQ Queue Management           no
    NCQ Streaming                  no
    Receive & Send FPDMA Queued    no
    SMART                          yes      yes
    microcode download             yes      yes
    security                       yes      no
    power management               yes      yes
    advanced power management      yes      no      0/0x00
    automatic acoustic management  no       no
    media status notification      no       no
    power-up in Standby            no       no
    write-read-verify              no       no
    unload                         yes      yes
    general purpose logging        yes      yes
    free-fall                      no       no
    Data Set Management (DSM/TRIM) yes
    DSM - max 512byte blocks       yes              8
    DSM - deterministic read       no
    Host Protected Area (HPA)      yes      no      117231408/117231408
    HPA - Security                 no
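    As an added example (not from this thread or from pfSense), here is a small POSIX sh check that reads the two outputs shown above and reports whether the SSD advertises TRIM and whether UFS has it enabled. It assumes the "tunefs -p" and "camcontrol identify" line formats seen in the post; the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read the two outputs the post shows and
# decide whether TRIM needs attention. Assumes the "tunefs -p" and
# "camcontrol identify" line formats seen above (constructed samples below).

# fs_trim_state: "enabled" / "disabled" / "unknown" from tunefs -p output.
fs_trim_state() {
    printf '%s\n' "$1" | awk '/^tunefs: trim: \(-t\)/ { print $NF; f=1 }
                              END { if (!f) print "unknown" }'
}

# disk_trim_support: "yes" / "no" / "unknown" from camcontrol identify output.
disk_trim_support() {
    printf '%s\n' "$1" | awk '/^Data Set Management \(DSM\/TRIM\)/ { print $NF; f=1 }
                              END { if (!f) print "unknown" }'
}

# trim_verdict: prints a one-line verdict and returns
#   0 = supported and enabled, 1 = supported but UFS has it off (the case in
#   the post), 2 = disk does not advertise TRIM, 3 = could not parse.
trim_verdict() {
    fs=$(fs_trim_state "$1")
    disk=$(disk_trim_support "$2")
    case "$disk:$fs" in
        yes:enabled)  echo "ok: SSD supports TRIM and UFS has it enabled"; return 0 ;;
        yes:disabled) echo "action: SSD supports TRIM but UFS has it disabled"; return 1 ;;
        no:*)         echo "skip: SSD does not advertise DSM/TRIM"; return 2 ;;
        *)            echo "unknown: could not parse tunefs or camcontrol output"; return 3 ;;
    esac
}

# Constructed samples, cut down from the formats shown in the post.
TUNEFS_SAMPLE='tunefs: soft updates: (-n)                                 enabled
tunefs: trim: (-t)                                         disabled
tunefs: minimum percentage of free space: (-m)             8%'
CAMCONTROL_SAMPLE='media RPM             non-rotating
Feature                      Support  Enabled   Value           Vendor
Data Set Management (DSM/TRIM) yes
DSM - max 512byte blocks       yes              8'

# On a live box feed real output instead, e.g.:
#   trim_verdict "$(tunefs -p /)" "$(camcontrol identify ada0)"
status=0
trim_verdict "$TUNEFS_SAMPLE" "$CAMCONTROL_SAMPLE" || status=$?
echo "exit status: $status"
```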
    


  • Enabling TRIM worked.
    Very nice (:

