pfSense hardware

[pirateghost]

I built the following to use as a Sophos UTM but after having troubles getting it working with my router I may turn it to pfSense:

- Supermicro X10SLV-Q - a very nice mini-ITX board with two onboard Intel network interfaces (i217 & i210AT, much like my X10SLM used for FreeNAS)
- Intel Core i3 4370...the consensus was that quad-core was overkill so I went with the fastest dual-core to date. Yes it's massive, massive overkill but it should use the same amount of power at idle as any dual-core Haswell.
- 2 X 4 GB Crucial Ballistix DDR3 SODIMM
- 128 GB Crucial M550 mSATA SSD
- Antec ISK-110 VESA mini-ITX case. It's about the smallest case you can get. It can hang off the back of a monitor with VESA mounts. It comes with a 90 W DC-DC power supply powered by an included laptop-style brick. I believe it's discontinued, unfortunately.
- Noctua NH-L9i low-profile cooler. This just fits the case and is silent even at full speed.

I had my doubts that the 90 W PS would be enough but it works fine.

I got Sophos UTM to install fine on it but had troubles integrating it into my network so I tried pfSense on it. pfSense runs fine but gives indications during install that it does not like the mSATA drive. It will only run off a USB key. I haven't tried the most recent pfSense build or done extensive troubleshooting though.

It should be extremely powerful and doesn't consume a whole lot of power - 10-15 W idle, 65 W peak. The Core i3-4370 should have no problem at all with Snort or just about anything else I can throw at it.

What trouble did you have with Sophos? I have set up Sophos UTM many times.

 

[Fraoch]

What trouble did you have with Sophos? I have set up Sophos UTM many times.

I can't get it to play nicely with my Ubiquiti EdgeRouter Lite. It wants to act as a router as well.

I haven't done extensive troubleshooting though. It's tricky as I'm working on my own live network so if I lose Internet connectivity I also lose access to help. ;-)

 

[pirateghost]

I can't get it to play nicely with my Ubiquiti EdgeRouter Lite. It wants to act as a router as well.

I haven't done extensive troubleshooting though. It's tricky as I'm working on my own live network so if I lose Internet connectivity I also lose access to help. ;-)

You need to put Sophos in bridge mode. Transparent Bridge mode is best.

I have my Sophos UTM set up behind my Edge Router Lite.

 

[Fraoch]

Thank you very much @pirateghost! I thought I had looked through every setting but I seem to have missed that one. I'll try it out, thanks.

 

[pirateghost]

Thank you very much @pirateghost! I thought I had looked through every setting but I seem to have missed that one. I'll try it out, thanks.

yep.

just go into 'interfaces and routing', 'interfaces' and make your 2 nics a bridge, and give the bridge an IP in your subnet, so you can manage it.

 

[Crotalus]

Wow, yea with that CPU, who needs AES-NI?!? I imagine, even under load its at idle....lol

Any idea on power usage?

No I don't. I keep putting off buying a Kill A Watt meter. One of these days if I happen to see one somewhere I will pick one up.

 

[Z300M]

Hi all,

I've read a few things about pfsense. However, i can't seem to find a decent answer to my question about hardware requirements. Every time i ask (for example in the pfsense forum), i get VERY different answers. Since there is a lot of knowledge on hardware and of course FreeBSD here, and quite some folks using some kind of pfsense box, i'm hoping to get educated answers here.

My current situation is (i think) a pretty common home network scenario:

WAN
|
ISP Router
|
managed switch
|
--> NAS (FreeNAS...duh)
--> 2x Rapberry Pi B (1x Plex Home Theater, 1x XBMC)
--> TV (using Plex)
--> PlayStation 3
--> Wii (yep, still in use)
--> WAP 1
- Several phones (Apple & Android) & laptops (Windows & Linux)
- iPad
--> (W)AP 2
- TV (using Plex)
- Raspberry Pi B 2 (Plex Home Theater)
- PVR
- Several phones (Apple & Android) & laptops (Windows & Linux)

Of course all these devices need internet access, which currently is 150Mbit, will soon upgrade to 500Mbit. All is gigabit network hardware, except for some of the clients.

Even the "business" plan offered by my ISP (in the US Midwest) is only 60Mbps down and 4Mbps up.

 

[Z300M]

Hi all,

I've read a few things about pfsense. However, i can't seem to find a decent answer to my question about hardware requirements. Every time i ask (for example in the pfsense forum), i get VERY different answers. Since there is a lot of knowledge on hardware and of course FreeBSD here, and quite some folks using some kind of pfsense box, i'm hoping to get educated answers here.

My current situation is (i think) a pretty common home network scenario:

WAN
|
ISP Router
|
managed switch
|
--> NAS (FreeNAS...duh)
--> 2x Rapberry Pi B (1x Plex Home Theater, 1x XBMC)
--> TV (using Plex)
--> PlayStation 3
--> Wii (yep, still in use)
--> WAP 1
- Several phones (Apple & Android) & laptops (Windows & Linux)
- iPad
--> (W)AP 2
- TV (using Plex)
- Raspberry Pi B 2 (Plex Home Theater)
- PVR
- Several phones (Apple & Android) & laptops (Windows & Linux)

Of course all these devices need internet access, which currently is 150Mbit, will soon upgrade to 500Mbit. All is gigabit network hardware, except for some of the clients.[/QUOTE]

Even the "business" plan offered by my ISP (in the US Midwest) is only 60Mbps down and 4Mbps up.

 

[Rilo Ravestein]

Here we can get Fiber 500/500Mbit for 62 Euro/month, including HDTV (also online) and radio. :p

 

[Ericloewe]

Here we can get Fiber 500/500Mbit for 62 Euro/month, including HDTV (also online) and radio. :p

500 up... I wish.

I get 100 down/10 up for 25€ (including discounts and free add-ons, since we're also paying for three phones, one POTS landline and four 4G internet connections), with TV, VoIP and an assortment of servies collectively best described as "meh" or "doesn't really work".
List prices for 400 down/40 up and 1 000 down/ 50 up are, respectively an 80€ or 150€ surcharge.

A couple of years ago, the local Comcast-equivalent (big evil cable provider with a reputation for threatening people with phony bills and lawsuits) offered a 1Gbit symmetric connection for 250€, in the few places where they had fiber instead of coax.

 

[Sebastian Thörn]

I pay 469 SEK ~55.58 USD for 100/100 mbit
Can get 1000/100 for 106.65 USD, but that is a bit to costly I think.

 

[anodos]

I pay 469 SEK ~55.58 USD for 100/100 mbit
Can get 1000/100 for 106.65 USD, but that is a bit to costly I think.

Cox business charges $180 for 50/10. :(

 

[Ericloewe]

I pay 469 SEK ~55.58 USD for 100/100 mbit
Can get 1000/100 for 106.65 USD, but that is a bit to costly I think.

Our connections might not be symmetric, but at least they're underrated. 100 down/10 up is actually 112ish down/12ish up.

Still, I'd really like a symmetric connection, since I'm preparing to set up an offsite FreeNAS server for backups.

 

[Jailer]

Be happy with what you have. My lousy 4 down/1.4 up is $60/month from a local WISP. And the only reason I get 1.4 up is because my ISP likes me and I groveled for more upload bandwidth and they gave it to me. It's my only option too besides dial up so I have to deal with it or go without.

I wish I could get better internet but I love my rural setting and I'm not moving back to civilization to get it.

 

[Z300M]

Be happy with what you have. My lousy 4 down/1.4 up is $60/month from a local WISP. And the only reason I get 1.4 up is because my ISP likes me and I groveled for more upload bandwidth and they gave it to me. It's my only option too besides dial up so I have to deal with it or go without.

I wish I could get better internet but I love my rural setting and I'm not moving back to civilization to get it.

A few years ago there was a TV piece about a man way out in the "boonies" of Japan with a 100mbps fiber connection.

Many countries take the view that fast broadband everywhere possible is necessary for national development and have an overall plan for the extension of such broadband.

 

[JJT211]

Here we can get Fiber 500/500Mbit for 62 Euro/month, including HDTV (also online) and radio. :p

My goodness, that's ridonkulous! I'm paying about the same ($60 USD) for 50/5. It's crazy to hear what some people are able to get in some of the smaller countries. The US will always be relatively behind, we just have too much damn space!

Anyways, back to the OP, have you made a decision yet?

I fired away about a month ago and purchased the below for my pfSense build:

Supermicro C2558 Rangeley (2.4 ghz, 4-core, AES-NI and Quickassist enabled, 4 ports)
4gb ECC RAM (Had to go ECC here as non-ECC isnt supported on this board)
30GB mSata w/ 2.5in adapter
80W pico PSU and PS
M350 Mini-ITX Enclosure

Total cost = $380 USD

All parts from Amazon except board (Ebay $250) and RAM (Newegg $40)

A bit pricey for a Router/Firewall I know, but AES-NI was a must as I planned to move my traffic over VPN.

My only other cheaper AES-NI options were:

Netgate RCC-DFF 2220 System (1.7 ghz, dual core, 2 ports, AES-NI only) ($280) *Not yet available, date keeps getting moved back

and

Netgate RCC-VE 2440 System (same as above except 4 ports w/ Quickassist) ($350)

I figured I'd future proof myself a bit more for an extra 30-100 bucks. If you stretch that cost differential over an few years of blazing Routing and uber-Firewalling, then its worth it IMO.

I turned my old Netgear R7000 running DD-WRT into a WAP and was also able to use it as a managed switch to VLAN my guest/neighbor (we split bill) network.

So far, I've got my OpenVPN running both ways, getting my full 50/5 ISP speeds. I'm also running Snort and experimenting with a few other packages. The highest CPU utilization I've seen so far with everything running full blast is about 15-20%. And from what I understand, pfSense hasnt even implemented AES-NI w/ OpenVPN or anything with Quickassist yet!

So im feeling really good about my purchase and that I'll get many years out of this bad boy!

 

[Fraoch]

My goodness, that's ridonkulous! I'm paying about the same ($60 USD) for 50/5. It's crazy to hear what some people are able to get in some of the smaller countries. The US will always be relatively behind, we just have too much damn space!

LOL, try Canada - we have that disadvantage plus monopolies. $64.99/month for 30/5.

 

[JJT211]

Yea, yall got it even worse, its a bunch of frozen space

 

[Z300M]

LOL, try Canada - we have that disadvantage plus monopolies. $64.99/month for 30/5.

We're paying about that in US$ for 18/4 (although the "18" is often considerably better than that). We have monopolies too, although I think they are technically called "exclusive franchises": our only cable co. is Charter, but a couple of miles away their only cable co. is Comcast (I feel sorry for the people that live there: my wife had to deal with them at work); our only non-cellular phone co. is AT&T (whose U-Verse is fiber to somewhere in the general vicinity, I think, and copper from there), so we don't have the option of Verizon's FiOS (fiber to the curb, I think).

Edited to correct "18/5" to "18/4"

 

[Arwen]

I guess I should not mention that I have 1Gbps up/down via Google fiber for $70.00 US :).

My pfsense hardware will probably re-use my fitlet-iA10, (quad AMD 64 @1.2Ghz). It does
have dual Intel i211 Ethernet ports. (Another model has 4 x Intel i211 ports.) Here is a link to
the one I have;

http://www.fit-pc.com/web/products/...ls-specifications/?model[]=FITLET-GI-C67-WACB