Advice for home use
-
Hi,
I would like to build a router for home use and what I have is:
Gigabyte N3150N D3V board
8 GB RAM
32 GB Supermicro DOMI would like to:
Cache websites
Cache DNS
DNS based adblock
Antivirus
OpenVPNThe most important would be to protect the LAN (the family (:)
Since I'm pretty green, I'm not sure what packages I need, so a pointer would be welcome.
Thanks.
-
Welcome Pippin!
@Pippin:Hi,
I would like to build a router for home use and what I have is:
Gigabyte N3150N D3V board
8 GB RAM
32 GB Supermicro DOMI would like to:
Cache websites
Cache DNS
DNS based adblock
Antivirus
OpenVPNThe most important would be to protect the LAN (the family (:)
Since I'm pretty green, I'm not sure what packages I need, so a pointer would be welcome.
Thanks.
Specs on that mobo seem fine and, depending on your subscribed speeds from your ISP, it should perform well. If you find that your throughput somehow doesn't match your level of service, then I would look to replace the Realtek NICs with something from Intel or Broadcom. Better in a router/firewall.
As for your requirements:
Cache websites - Squid package
Cache DNS - built in; Unbound is default on new installs
DNS based adblock - pfBlockerNG; config settings for DNSBL (blacklisting) from EasyList or others; old documentation but may be useful https://doc.pfsense.org/index.php/Pfblocker
Antivirus - Squid package; now includes ClamAV as required and very easy to setup
OpenVPN - built in; not hard either but I don't use it; https://doc.pfsense.org/index.php/OpenVPN -
Hi,
depending on your subscribed speeds from your ISP
Currently 16/2,5 but if it can do 50/50 for future then I'm ok.
So I would need Squid and pfBlockerNG, the rest is built in, nice…
Would it be useful to use 8 GB RAM or would 4 GB be enough? (have enough lying around here)
I ask because I read that one can use RAM to offload var and tmp, would it make sense or 32 GB DOM is sufficient?Also, would Snort make sense for home use?
Still reading up on what is possible...Thank you.
-
Depending on packages using even 2gb ram can end up being wasteful for 100mb connections so no worries there. Ive got 100/100 at home on a 1gb stick of ram and it sits at about 10% memory usage with var and temp offloaded into memory, typical/default var and temp sizes are like 100mb so its not much of a burden.
Obviously memory intensive packages like deep packet inspection stuff (suricata) or content caching will increase this requirement. But even so 4gb will satisfy 90% of those packages typical use configs on a home connection, if you're just running squid and DNS caching you shouldn't have an issue and should be able to set squids memory usage (how much cached information it keeps hot in ram) pretty liberally.
Regarding snort, deep packet inspection/intrusion detection certainly isn't needed for home usage and is overkill 99% of the time (in a home environment), but it certainly does provide a warm fuzzy feeling and you'd be surprised how much stuff ends up in the blocked logs. If you have capable hardware (you certainly do) there's not many downsides to clicking the install package button, configuring some rules lists and going off to the races
-
I like warm fuzzy feelings so snort it is :)
Will put 2x 2 GB then and will look for a case which is the only thing I don`t have.Thank you for the useful info.
-
Ok, i read that onboard RT nic is maybe not so good?
This board, N3150N D3V, has a PCI slot with a ASM1083 PCI Express-to-PCI Bridge
- Support PCI bus 33 MHz
- Support 3 PCI Masters
- SSC Support
- CLKRUN Support
- PME Support
33 Mhz 32 bit = 133 MB/s
Does this mean that 1 Gb/s can not be reached if i put a PCI card?Just in case the RT does not get to 1 Gb/s LAN side or somewhere near that, would it be better to put a PCI card?
Thank you.
-
Never mind, i think wrong way :)
There`s a switch, 1810 V2 in between. -
As you notice older plain PCI bus is limited to 133MB/s, but that's megaBYTES per second.
gigabit lan however is gigaBIT, which is 125megaBYTES per second, so an ethernet card with a single gigabit ethernet port will not be bottlenecked by a PCI slot. a card with two gigabit ports however will obviously not be able to saturate both ports at once as you're approaching double the speed of the PCI bus.
However some good news, Realtek interfaces are hit and miss as you note, but that doesn't mean always bad. Googling for your board brought up a couple threads on this very forum, and include a fellow user that says he's using both onboard realtek interfaces with no issues at all -
https://forum.pfsense.org/index.php?topic=105114.msg601520#msg601520
(bottom post)Hope that helps!
(but also as you note, if your house computers are connected to a gigabit switch and then the switch is connected to the router, local lan traffic will never hit the router anyway, only wan traffic destined outside of your subnet will, and only if your WAN connection is close to gigabit will it matter if you can sustain that saturated speed across them :) )
-
Yes, i found some posts, looks like i`m ok with this board.
but that's mebaBYTES per second.
Or MiB ?
Just kidding, i know the difference ;)
Somewhere next week the case will arrive, then the fun can start :) -
that's what I get for replying on my phone ;D
2 inch keyboards! but yes, you're gonna have a great time with pfsense 8)
-
You know you can also talk to your phone right? ;D
-
The case arrived and I installed PFS with USB stick after first update BIOS to latest F3.
But first i got a ERROR 19 and a quick search seemed to indicate that it could be because of USB 3.
So I stick it in a USB 2 port and then install went fine :)Decided to put a SSD instead of the DOM and now I read that TRIM is not enabled:
:tunefs -p /dev/ufsid/57137fa8f265f119 tunefs: POSIX.1e ACLs: (-a) disabled tunefs: NFSv4 ACLs: (-N) disabled tunefs: MAC multilabel: (-l) disabled tunefs: soft updates: (-n) enabled tunefs: soft update journaling: (-j) enabled tunefs: gjournal: (-J) disabled tunefs: trim: (-t) disabled tunefs: maximum blocks per file in a cylinder group: (-e) 4096 tunefs: average file size: (-f) 16384 tunefs: average number of files in a directory: (-s) 64 tunefs: minimum percentage of free space: (-m) 8% tunefs: space to hold for metadata blocks: (-k) 6408 tunefs: optimization preference: (-o) time tunefs: volume label: (-L)Anyone know if enabling TRIM still works if I follow this:
https://forum.pfsense.org/index.php?topic=97554.msg543373#msg543373So I would need to start at step 3.
Are there any more tunings to be done before putting it to it`s final location?Edit:
SSD does support TRIM::camcontrol identify /dev/ada0 pass0: <corsair force="" ls="" ssd="" s9fm02.6=""> ACS-3 ATA SATA 3.x device pass0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes) protocol ATA/ATAPI-10 SATA 3.x device model Corsair Force LS SSD firmware revision S9FM02.6 serial number xxxxxxxxxxxxxxxxxxx cylinders 16383 heads 16 sectors/track 63 sector size logical 512, physical 512, offset 0 LBA supported 117231408 sectors LBA48 supported 117231408 sectors PIO supported PIO4 DMA supported WDMA2 UDMA6 media RPM non-rotating Feature Support Enabled Value Vendor read ahead yes yes write cache yes yes flush cache yes yes overlap no Tagged Command Queuing (TCQ) no no Native Command Queuing (NCQ) yes 32 tags NCQ Queue Management no NCQ Streaming no Receive & Send FPDMA Queued no SMART yes yes microcode download yes yes security yes no power management yes yes advanced power management yes no 0/0x00 automatic acoustic management no no media status notification no no power-up in Standby no no write-read-verify no no unload yes yes general purpose logging yes yes free-fall no no Data Set Management (DSM/TRIM) yes DSM - max 512byte blocks yes 8 DSM - deterministic read no Host Protected Area (HPA) yes no 117231408/117231408 HPA - Security no</corsair> -
Enabling TRIM worked.
Very nice (:
