Newbie pfSense build questions

  • Hi there,

    Looking to build a pfSense box; figured I'd ask the community for advice before I put in any orders.

    About me: I've never used pfSense before, but I've got plenty of experience building computers and installing various *nix-family OS's.  I don't have a Dremel and don't want to do any casemods, but short of that I'm not worried about building my own pfSense box if that's the best way to go, and I'm comfortable on a command line.

    About my WAN: Currently I've only got a 50Mb/s connection, but they're upgrading to gigabit in my neighborhood so that will be an option in the near future.  50Mb/s is good enough for most of our use; this is residential and it's just my wife and me.  But occasionally we have company and three or more people might be trying to stream video at once, and you notice the connection bogging down on those occasions.

    About my LAN: we've got 4 desktops connected to the network by cable, and various laptops, phones, and tablets connected by wifi.  The most frequently-used desktops are my main workstation and an HTPC in the living room.  My workstation has Intel network ports, the HTPC has Realtek; both are onboard and both are gigabit.  My workstation is a fairly recent build (Haswell i7); my HTPC is a few years old (a Pentium that I put together around 2010).

    I don't get very good speed on my LAN.  I'm using CAT6 cable, the house is wired with CAT6 cable, and my current router (a Belkin N1 Vision running DD-WRT) has gigabit ports and supports wireless-N.  But when I'm making a large file transfer from one computer to another, the speed seems to top out around 10MB/s.

    I also sometimes use Steam to stream games from my workstation to the HTPC in the living room.  They run well but there are noticeable compression artifacts on the video.

    I'm getting good speed on my WAN – at least, I'm getting what I paid for.  I'd like to get better speed on my LAN, and I wouldn't mind having more features and better logging and diagnostics in my router/firewall.  pfSense seems like a good way to go.

    I don't have any plans to run a VPN at this time; I've thought about subscribing to a third-party VPN for privacy purposes, but haven't put much thought into running my own VPN.

    I've used network diagnostic tools like Snort and Squid before (I used to run a local ISP).  I don't foresee having much reason to use them on a daily basis; I can see them coming in handy in those occasional situations where my network is saturated and I can't figure out why, but I don't think I'd leave them on most of the time.

    I've also seen some talk about virtualization, which I don't have a lot of experience with.  Is there a reason why I should run pfSense inside a VM instead of just installing it as the primary OS on whatever box I get?

    I'm interested in something that's small and quiet.  I've seen a number of recent posts recommending the ZBOX CI323, and it looks like a decent machine.  Are there any other good alternatives?  I noticed a box called a Qotom-Q180S that comes with 32GB of storage and 2GB of RAM; it only has one review, but the reviewer said it was a good pfSense box.  What advantages does the Zotac model have over the Qotom one?  Or would I be better off looking at something else entirely?

    And if I go with the Zotac, or some other barebones model, what are recommended RAM and SSD specs?  I was thinking 4GB RAM should be enough.  I don't think I need much storage space either, but the reputable mSATA SSD brands (Samsung, Sandisk, etc.) don't seem to have much available below 120GB, or at least not at a price that's much lower than what they want for 120GB.  I've seen some talk about TRIM; is there anything special I need to know in purchasing a drive

    I'll also need a switch, and I've seen people recommend getting a separate WAP rather than try to use pfSense to control wireless.  I'm looking at an 8-port Netgear switch and a Ubiquiti Unifi; do those seem reasonable for my needs?

    I think those are all the questions I've got at this point, but please let me know if there's anything else I should be thinking about that I haven't mentioned.  Thanks!

    (Disclaimer: All links are Amazon Associate links.)

  • Squid, Snort, pfBlockerNG and perhaps other packets might be for 4 devices and perhaps later 4 users
    not really the problem, it is more on what you need as throughput at the end of the LAN!

    I'm getting good speed on my WAN – at least, I'm getting what I paid for.

    And for your hardware that will be true too.

    I'd like to get better speed on my LAN, and I wouldn't mind having more features and better logging and diagnostics in my router/firewall.  pfSense seems like a good way to go.

    Netgear GS108Tv2 ~$75
    Netgear GS108PE ~$114
    Netgear GS110TP ~$165
    Netgear JGS524PE ~$237

    My personally choice would be a Cisco SG300-10 or Cisco SG300-20 or as a budget solution the
    D-Link DGS1510-20 they are Layer3 switches and gives you two things what the others don´t do.
    They are routing between the VLANs and that with wire speed in the entire LAN.

    The pfSense store is offering hardware such the SG-2440 and SG-4860 and this with a looking eyes
    towards to the Internet line speed upgrade. Please note that AES-NI and/or Intel QuickAssist having
    is more future orientated but not a must be. Its helping now and in the near future much but not
    even needed if VPN is not the main concern of your doings.

    and my current router (a Belkin N1 Vision running DD-WRT) has gigabit ports and supports wireless-N.

    This can be turned into the WiFi AP mode and could run as a WAP connected to the Switch.

    You could also go with the following older or newer hardware parts;

    • Intel G3260T @3,2GHz
    • Intel Quad Port GB NIC (server grade)
    • Intel Core i3 or i5 or for more power saving Xeon E3 (all 4 core CPUs) @3,0GHz
    • Intel Quad Port GB NIC (server grade)
    • Intel Atom C2000 (Rangeley) based mini-ITX boards

    • 2 GB RAM firewall only

    • 2 GB - 4 GB RAM firewall, Snort, PfBlockerNG, VPN

    • 4 GB - 8 GB RAM firewall, Snort, Squid, SquidGuard, SARG, VPN

    • 8 GB - 16 GB RAM firewall, Snort, Squid, SquidGuard, SARG, VPN, ClamAV + much users and connections

    • 30 GB HDD/SSD, mSATA, M.2 or SATA-DOM firewall only

    • 60 GB firewall, Snort

    • 80 GB firewall, Snort, squid

    • 120 GB firewall, Snort, Squid as caching proxy

    This are not all must be´s, more can be or should be´s but is also and even pending on the offered services,
    entirte configuration, used options and enabled features of pfSense. I mean how more and exactly you are tell
    here around what is going on in your LAN you will be able to get nearly as it can be done to the right hardware.

  • Quickly as I don't have a lot of time:

    1. You do need a switch, but I don't know how many ports you need based on your email. I like Mikrotik switches and have a CCR226 but I think it'd be overkill for you.

    2. Wifi - would probably be a better suited access point, it has wireless AC so will be quicker with devices which support it.

    3. If file copy speeds are topping out around 10MB/s there is something wrong.  You might have network cards on autodetect speed - this sometimes sets it down to 100Mb/s unnecessarily.

    4. If you're going for gigabit, then you need decent specs, please search the forum here, there's a lot of discussion about what will and will not run 1 gbit.

Log in to reply