
pfSense hardware

Rilo Ravestein

FreeNAS Experienced
Joined
Mar 6, 2014
Messages
685
Hi all,

I've read a few things about pfsense. However, i can't seem to find a decent answer to my question about hardware requirements. Every time i ask (for example in the pfsense forum), i get VERY different answers. Since there is a lot of knowledge on hardware and of course FreeBSD here, and quite some folks using some kind of pfsense box, i'm hoping to get educated answers here.

My current situation is (i think) a pretty common home network scenario:

WAN
|
ISP Router
|
managed switch
|
--> NAS (FreeNAS...duh)
--> 2x Raspberry Pi B (1x Plex Home Theater, 1x XBMC)
--> TV (using Plex)
--> PlayStation 3
--> Wii (yep, still in use)
--> WAP 1
- Several phones (Apple & Android) & laptops (Windows & Linux)
- iPad
--> (W)AP 2
- TV (using Plex)
- Raspberry Pi B 2 (Plex Home Theater)
- PVR
- Several phones (Apple & Android) & laptops (Windows & Linux)

Of course all these devices need internet access, which currently is 150Mbit, will soon upgrade to 500Mbit. All is gigabit network hardware, except for some of the clients.

What i want:
- A decent firewall of course
- VPN access to my home network
- Use a VPN subscription service for private internet browsing on selected clients
- Per device internet filter to protect the kids (from illegal & adult content)
- Time-based internet access per device - again for the kids of course
- The switch can manage VLANs, so that doesn't necessarily need to be done on the pfsense box i guess, but maybe it needs to be VLAN aware
- The Playstation generates a lot of traffic, which i want to separate from the rest of the network.
- I think i better put the media devices on a separate subnet
- I would like to be able to easily switch internet access profiles (filter & time access) to be able to give my friends and family full access, but not the kids' friends that come (sleep) over. Or maybe there is some easier solution to achieve this?

So.... To get the maximum throughput for my current/future network setup, my main question would be: What hardware do i actually NEED? I am on a budget, since i already way overspent on my FreeNAS box :cool:

Second question would be how you guys would setup this network (VLANs, security, etc.)

Thanks!
 

Rilo Ravestein

FreeNAS Experienced
Joined
Mar 6, 2014
Messages
685
You are kidding, right?
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,107
pfSense works well with most hardware, if you take into account general advice such as "Use Intel NICs".

Even my ancient Core 2 Duo with 1GB RAM (used to be a WHS v1 box) worked well.

Buying new, I'd definitely recommend server stuff. 4-core Avoton (C2558) is enough for most, I'd guess.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,279
The hardware requirements are pretty light for pfsense but you're going to need more than the minimum for all the packages you'll want to run. Specifically you're going to need RAM and a bit of it too.

I'm running an old P4 2.4D with 1GB of RAM with Snort and traffic shaping and it suits my needs just fine.
 

Rilo Ravestein

FreeNAS Experienced
Joined
Mar 6, 2014
Messages
685
I really appreciate your help guys, but i think i didn't formulate my question well enough. If you say "it suits my needs" i still know nothing, because i don't know your needs. Also, i'm not just trying to find out on which hardware the software will run, but also what hardware i will need for the throughput and packages i need to run to accomplish the things i mentioned in the OP. Before i started the thread here, i was getting advice varying from $2000+ enterprise-grade hardware to old consumer-grade P4 boxes.

@Jailer and @Ericloewe: What (WAN) throughput do you accomplish with that setup and connected to how many clients simultaneously? What packages do you run? Are you using VPN services also?
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,107
WAN throughput easily exceeded 120Mb/s (ISP download limit). I only ran NUT, no VPN. A handful of clients and a crapton of embedded stuff (printers, consoles, phones...).

servethehome.com did some tests with Avoton and VPN on pfSense. I don't have a link right now, but it's an interesting read for you.
 

Rilo Ravestein

FreeNAS Experienced
Joined
Mar 6, 2014
Messages
685
I've tried searching it on that website, also tried Google, cannot find it o_O
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,107

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,279
If you want low(ish) power and future proof, a C2558 board as Ericloewe suggested will be more than enough to suit the needs you stated. Add about 8GB of memory and you should be future proof and be ready for 1GB+ speeds if it ever comes your way.

I'm on a crappy WISP with just a few devices and 1 WAP so my needs are paltry compared to most.

ETA: I think a C2758 would be ridiculous overkill for a home network. Hell anything with a C2358 and a fair amount of memory would be more than enough but the price points would steer one towards a c2558 board.
 

Rilo Ravestein

FreeNAS Experienced
Joined
Mar 6, 2014
Messages
685
Thanks guys.
Does that 1GB+ speed include VPN (not that i need that high VPN throughput, just curious) and the other packages i might need for my setup?

EDIT: How do you guys know all this? Usually my searches and questions on pfsense hardware always lead to really widely varying answers. o_O
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,107
> If you want low(ish) power and future proof, a C2558 board as Ericloewe suggested will be more than enough to suit the needs you stated. Add about 8GB of memory and you should be future proof and be ready for 1GB+ speeds if it ever comes your way.
>
> I'm on a crappy WISP with just a few devices and 1 WAP so my needs are paltry compared to most.
>
> ETA: I think a C2758 would be ridiculous overkill for a home network. Hell anything with a C2358 and a fair amount of memory would be more than enough but the price points would steer one towards a c2558 board.

VPN really pushes requirements up, though.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,107
> Thanks guys.
> Does that 1GB+ speed include VPN (not that i need that high VPN throughput, just curious) and the other packages i might need for my setup?

C2758 could do multi-100Mbit VPN a while back. If QuickAssist support is properly implemented, I'd expect that number to grow.
This according to servethehome's data, of course.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,279
> Thanks guys.
> Does that 1GB+ speed include VPN (not that i need that high VPN throughput, just curious) and the other packages i might need for my setup?
>
> EDIT: How do you guys know all this? Usually my searches and questions on pfsense hardware always lead to really widely varying answers. o_O

I don't personally "know" this information but there are some extremely knowledgeable members over at the pfsense forums. Pf even offers their own appliance based on the 2358 and it's reasonably priced for the individual who doesn't want to roll their own and wants a support package that comes with it.
 

jgreco

Resident Grinch
Moderator
Joined
May 29, 2011
Messages
12,153
We have been running gear such as Pentium 4 Prescott 3.0's as routers handling large packet traffic at gigabit speeds for a decade. "Router" in this case means actual router, not "NAT gateway" which is what most people actually mean when they say "router" ... so NAT adds a little overhead.

The killer issue with routing (and NAT gateways) is small packet traffic. This has a lot more overhead and can be crippling - but not for a home user. Unless you're trying to DoS someone, you're never going to be running a million packets per second on a consumer grade Internet connection. Most recent hardware should punch 1Gbps of large packet traffic easily.

So, if you want to do pfSense, cheap, find yourself a decent, well-built oldish PC (HP business PC's are great), that can be configured to power on after power loss, and drop an Intel ethernet or three in it, and be on your merry way.

I am *guessing* that a J1900 would be able to do Gbps, but may lack ports. http://www.supermicro.com/products/motherboard/celeron/X10/X10SBA-L.cfm People report these can probably do a Gbps: https://www.reddit.com/r/homelab/comments/2fmt0t/pfsense_mitx_quadcore_1gbit_20w/

Another alternative, which isn't pfSense but rather Vyatta based, is to pick up something like a Ubiquiti EdgeRouter. The low-end device has three ports, is $99, and can route a million packets per second. While it has a reasonable GUI, it is not a beginner's device, in the same way that FreeNAS is not a beginner's NAS.
 

cyberjock

Moderator
Joined
Mar 25, 2012
Messages
19,148
I'm using an old Intel Atom (prior gen to the Avotons). It wouldn't be able to do what you want, but keep in mind two things:

1. Even a CPU like a Pentium 4 will provide good performance for what you want.
2. You'll probably need 4GB of RAM (minimum).
3. You should do Intel NICs, period.
4. Power should be minimized when possible. (like one of the new Avotons)

When I built my box I tested a Pentium 4 for a week to make sure I had a clue before I bought hardware. The P4 used so much power compared to the Atom I have now that the Atom paid for itself in power savings in something like 3 years.
 

jgreco

Resident Grinch
Moderator
Joined
May 29, 2011
Messages
12,153
> 2. You'll probably need 4GB of RAM (minimum).

Only if you're going to be running extensive fat userland apps. For an actual router, 64MB is sufficient. pfSense adds a lot of web crap on, same as FreeNAS, but I'd be shocked if it needed more than 512MB for the things a home user was going to want to do.

That being said, more RAM generally doesn't hurt.
 

Wolf666

Newbie
Joined
Mar 20, 2015
Messages
14
C2758/C2558 are more than enough for 500Mb/s and VPN. RAM requirement depends on the additional apps you are going to run, like Snort, pfBlockerNG etc. On the pfSense forum you can find tens of threads with HW suggestions.

 

Oko

FreeNAS Experienced
Joined
Nov 30, 2013
Messages
132
> So, if you want to do pfSense, cheap, find yourself a decent, well-built oldish PC (HP business PC's are great), that can be configured to power on after power loss, and drop an Intel ethernet or three in it, and be on your merry way.

I profoundly disagree with this statement. A perimeter firewall is a critical piece of the network infrastructure and I would never deploy used old PCs. That doesn't even make economic sense, as old PCs have significantly higher electric consumption. Unless you want to deploy something really cute and overpriced like http://axiomtek.com/Default.aspx?MenuId=Products&FunctionId=ProductInfo&Cat=296&C=Industrial Firewall I would go with an Atom motherboard, 2-4 GB of RAM, a 16GB SSD HDD and 1 Gigabit Intel controllers regardless of your current ISP speed. I have a bunch of such machines (purchased/built for under $250) running OpenBSD in production. One of them is an OpenVPN gateway for about 50 road warriors which are connected 24/7 to my main file server (memory consumption on the firewall never exceeds 40% of 4GB and CPU use is pretty light). Hopefully by this time next year we will have at least several open hardware good quality ARM devices as an option. Raspberry PI is neither open hardware nor good quality. BeagleBoards look promising but they have yet to start shipping them with dual gigabit NIC. It is true that for a home situation anything more than a single core Atom and 256MB of RAM is way overkill.

I am familiar with pfSense and it is a very nicely done turnkey appliance for those who don't want to spend too much time tinkering with the real thing. I personally don't use it nor recommend it but I see that it is popular with the FreeNAS community.
 

9C1 Newbee

FreeNAS Experienced
Joined
Oct 9, 2012
Messages
482
I had the same issues getting information on pfSense. This forum proved to be my best resource.
 