PFSense / Home Router - Hardware Suggestions

Status
Not open for further replies.

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Keep in mind that Sophos UTM9 is limited to 50 IP addresses behind the NAT (in any zone)... which is a real issue for some of us. I've got almost 300 IPs behind NAT. UTM9 is also basically EOLed, in favor of the new Firewall XG - which has no IP limits but is limited to 4 cores and 6GB RAM.

If you're looking for more advanced stuff like email filtering, web content filtering, etc. the Sophos product will do that far better/easier than pfSense. If you're looking for just a great stateful firewall with maybe a touch of advanced features, pfSense works well.

Sophos doesn't do OpenVPN, which is a bummer... that's how I'm picking up public IPs (from a VPS) on my residential cable circuit.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I've got almost 300 IPs behind NAT.
This is for home use?

UTM9 is also basically EOLed, in favor of the new Firewall XG - which has no IP limits but is limited to 4 cores and 6GB RAM.
Very true statement. 4 cores and 6GB RAM is more than enough for any home user. I've briefly used XG but that was last year and it was buggy back then. I'm sure it's more mature now but I'll still wait to move to XG and let others work any bugs out. I really hate hearing "Dad, the internet is down again". I like a turn-key system where I set it up and forget it. Sophos can be that if you want basic firewall features; more advanced features may require periodic work if you run into a site which gets automatically blocked and you need to add it to the exceptions. Dang, now I'm going to grab me the latest copy of XG and spin it up. Damn you @tvsjr :D
 
Last edited:

Linkman

Patron
Joined
Feb 19, 2015
Messages
219
. . . The one pitfall is the video output is a Display Port connection which means that if you do not have this type of connection, you would need to buy an adapter which would cost you anywhere from $6 to $20 depending on where you buy one. I'm not sure if the ML10 has the adapter so you could either buy one up front or wait to see if it comes with one . . .

FYI, the ML10 does not come with a DisplayPort to X adapter. If you are, for example, going to go to DVI-D you'll need an active DP->DVI adapter. I tried a passive adapter at first, which worked on my Dell T20 but didn't work on the ML10. The active adapter worked fine. Once you've got the hardware installed, it's a nice box for a nice price.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
This is for home use?
Yes, although I'm not exactly normal :p
It adds up faster than you might think. Just in the untrusted zone, which houses my Nest Protect smoke/CO detectors, Nest thermostats, TVs, TiVos, game systems, BluRay players, other IoT stuff, I've got about 40 IPs used. Add a SQL cluster, a few web and proxy servers, an HA Graylog instance, Splunk, some radio stuff, etc. Oh, and normal client devices... laptops, tablets, phones, work computers, work phone, etc.


Very true statement. 4 cores and 6GB RAM is more than enough for any home user. I've briefly used XG but that was last year and it was buggy back then. I'm sure it's more mature now but I'll still wait to move to XG and let others work any bugs out. I really hate hearing "Dad, the internet is down again". I like a turn-key system where I set it up and forget it. Sophos can be that if you want basic firewall features; more advanced features may require periodic work if you run into a site which gets automatically blocked and you need to add it to the exceptions. Dang, now I'm going to grab me the latest copy of XG and spin it up. Damn you @tvsjr :D
HA. I'm probably going to do the same just to play with it. I just need to figure out how to get my public IPs routed across some sort of VPN tunnel. I'm much happier paying $100/mo. for 200/20 Internet plus $13/mo. for a VPS (8ms round-trip from home) than $300/mo. for business-class Internet service. :)
 
Last edited by a moderator:

garym

Dabbler
Joined
Jul 24, 2012
Messages
37
Roughly, how many hours/days of hands-on time to dial in Sophos UTM? Any additional complications as against running on dedicated hardware?

Depends on you and how many features you need to turn on. Once UTM9 is set up it runs on its own. Then the odd update that only takes a few minutes.
Best on dedicated hardware, and that is based on usage requirements.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
If you are, for example, going to go to DVI-D you'll need an active DP->DVI adapter.
So what? They're less than 10 bucks these days. I don't think anybody's sold a passive adapter in the last ~5 years, the compatibility problems aren't worth it.
 

Linkman

Patron
Joined
Feb 19, 2015
Messages
219
So what? They're less than 10 bucks these days. I don't think anybody's sold a passive adapter in the last ~5 years, the compatibility problems aren't worth it.
Someone sold me one, it's what was hanging on the rack :) Still works fine on the T20, so I purchased a second one for dual display - together both cost the same as the one active one on the ML10, though I agree that none of them could be called expensive.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Yes, although I'm not exactly normal :p
It adds up faster than you might think. Just in the untrusted zone, which houses my Nest Protect smoke/CO detectors, Nest thermostats, TVs, TiVos, game systems, BluRay players, other IoT stuff, I've got about 40 IPs used.
I have 33 IPs at this point in time and I'm sure it will go up and down as my daughter's friends come and go. They get on the WiFi for their cell phones. Of course I create VMs and there go a few more. So I understand how many IPs there could be, but 300 sounds like a bit much for a home setup. Either way, now I'm going to look into XG and see how it's working today. I have two WAN IPs so the second one will have this to test.
 
Last edited:

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Well, it varies based on what sort of lab stuff I have stood up at any given time. I would say ~150 IPs are "base load"... the rest float up and down. But, 50 IPs wouldn't even cover my basic needs.

Most people aren't running a full AD environment, HA Zimbra mail servers, AD CS, full HA Graylog, Splunk, etc. at home either :)
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Most people aren't running a full AD environment, HA Zimbra mail servers, AD CS, full HA Graylog, Splunk, etc. at home either :)
So true and that would never be my house. My internet bandwidth is 50/5 and I pay $57/month, which is terribly high. I only have this speed because I wanted a faster upload speed so I could VPN without too slow of a connection. I'd be fine with a 10/5 bandwidth, or a 10/10 would be perfect. Such is the life of living where the cable company has you by the .... neck.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
So true and that would never be my house. My internet bandwidth is 50/5 and I pay $57/month, which is terribly high. I only have this speed because I wanted a faster upload speed so I could VPN without too slow of a connection. I'd be fine with a 10/5 bandwidth, or a 10/10 would be perfect. Such is the life of living where the cable company has you by the .... neck.
We're somewhat in the same spot here... fortunately, Suddenlink/Altice has deployed some decent speeds. I can get up to 1,000/50 (currently have 200/20). Nearest competition are fixed wireless in the 30/30 range and AT&T's lovely DSL product at 6/0.75. Or, I suppose, LTE. I pay about $140/mo. for internet and a decent TV package (including a Tivo and several Minis).
 

Blade Runner

Cadet
Joined
Nov 8, 2013
Messages
9
Hello chaps,

While I understand there are many threads where this precise subject has been tackled, I would like a more up-to-date list of suggestion(s). Also, this is perhaps not the best forum to ask this but the other forum is a bit of a mess (sometimes, incoherent mess) and I am a little short on time.

In no way a networking pro, or even intermediate; probably more like an amateur. Given this, if you are suggesting something, please make sure to explain the rationale if the suggestion contains advanced networking terms.

Criteria:
Use - Protection of home network: Firewall, possible VPN (future-proof capability). Once the initial dial-in period is done, would ideally like to 'fit it, forget it' (in terms of hardware). Open to consistent learning of how to properly utilize pfSense and its features. Would just like a general sense of peace knowing the home network and its security is in good hands.
Cost: <=550 all in (including taxes)
Network Bandwidth: Should be able to handle 1GbE speeds (or at least have the capability to do so as and when it becomes reasonable for home connections)
No. of Devices: Ability to handle 25 devices (mixture of desktops, laptops, mobile phones, tablets, other smart devices)

Would appreciate some manner of organized suggestions if possible (for comparison's sake).

Update: The following configuration is based on some research. Comments/opinions solicited.
Motherboard: Supermicro Mini ITX A1SRI-2558F-O Quad Core DDR3 1333 MHz Motherboard and CPU Combo
RAM: Kingston Technology ValueRAM 8GB 1600MHz DDR3L PC3-12800 ECC CL11 1.35V SODIMM Notebook Memory KVR16LSE11/8
SSD: SanDisk SSD PLUS 120GB Solid State Drive (SDSSDA-120G-G26) [Newest Version]
PSU: SilverStone Technology 300W SFX Form Factor 80 PLUS BRONZE Power Supply with +12V single rail, Active PFC (ST30SF)
Cabinet: Silverstone 0.8mm Steel Body Tek Acrylic Front Panel for Mini-ITX Media Center/HTPC Case Cases ML05B
Your proposed system will run pfSense without issues. The Atom CPU could be a bottleneck. IMO a Kaby Lake CPU and motherboard would be a better value. Please be advised that CPU clock speed will be more important for VPN, IDS/IPS, pfBlockerNG, and future releases.

My router is pfSense on Supermicro X10SLL-S, E3-1220v3, 8GB ECC RAM, 120GB Patriot SSD, and Supermicro CSE-732D4-500B case. I have VPN, pfBlockerNG, and Suricata. System runs like Usain Bolt.

No rush to buy until the devs configure AES-NI into the firmware.

VGA is good enough for a router.

I have plenty of server grade equipment (thanks to this forum). Assembling a router was no biggie.

Another option is buying a used Dell Optiplex SFF on Ebay. Add a dual Intel i350-T2 NIC and save money.
 
Last edited:

D-Tijori

Dabbler
Joined
Apr 19, 2017
Messages
40
The Atom CPU could be a bottleneck. IMO a Kaby Lake CPU and motherboard would be a better value. Please be advised that CPU clock speed will be more important for VPN, IDS/IPS, pfBlockerNG, and future releases.

My router is pfSense on Supermicro X10SLL-S, E3-1220v3, 8GB ECC RAM, 120GB Patriot SSD, and Supermicro CSE-732D4-500B case. I have VPN, pfBlockerNG, and Suricata. System runs like Usain Bolt.

Good insight. So, to push >gigabit data, one should have a higher GHz-rated CPU vis-a-vis lower GHz? In other words, hypothetically, an Intel 4-core 3.00 GHz CPU would be better suited than an Intel 8-core 2.1 GHz, yes?

Correct me if wrong, but a higher GHz CPU would also have a higher TDP and therefore consume more power and produce more heat (requiring more/active cooling).

This would, in effect, defeat the purpose of having a small, low power, relatively silent router/firewall.

There are some very nice deals on refurbished Dell Optiplex SFF servers on Amazon indeed. Really tempting.

However, let's say I would like to stick to the Silverstone cabinet I have picked - it's small enough but not too small to create heat issues, fits an SFX PSU and has space for an ITX motherboard + a couple of SSDs and if required a 120 mm fan - any suggestions for a CPU+ITX motherboard from Supermicro, ASRock, or ASUS under the $250 mark of the motherboard in my OP? Would prefer SOC but separate CPU+motherboard will also do.
 

Blade Runner

Cadet
Joined
Nov 8, 2013
Messages
9
Good insight. So, to push >gigabit data, one should have a higher GHz-rated CPU vis-a-vis lower GHz? In other words, hypothetically, an Intel 4-core 3.00 GHz CPU would be better suited than an Intel 8-core 2.1 GHz, yes?
Yes.
Correct me if wrong, but a higher GHz CPU would also have a higher TDP and therefore consume more power and produce more heat (requiring more/active cooling).

This would, in effect, defeat the purpose of having a small, low power, relatively silent router/firewall.
TDP rating is not a concern when the A/C is on.

There are some very nice deals on refurbished Dell Optiplex SFF servers on Amazon indeed. Really tempting.

However, let's say I would like to stick to the Silverstone cabinet I have picked - it's small enough but not too small to create heat issues, fits an SFX PSU and has space for an ITX motherboard + a couple of SSDs and if required a 120 mm fan - any suggestions for a CPU+ITX motherboard from Supermicro, ASRock, or ASUS under the $250 mark of the motherboard in my OP? Would prefer SOC but separate CPU+motherboard will also do.
If I were assembling a new pfSense box, it would be a Dell Optiplex SFF configured with an i5-4590 and 8GB RAM. An Intel i350-T2 would be the NIC. I prefer that the M/B have an Intel NIC (thanks to this forum). More often than not, I'm buying Supermicro, although occasionally Asus has an Intel NIC on some consumer boards. I don't have any insight on other M/Bs.

I'm not a fan of ITX cases because of limited cooling options. IMO SOC is entry level for pfSense. If you're planning to use VPN and other packages, the better option is CPU+M/B combo.
 

D-Tijori

Dabbler
Joined
Apr 19, 2017
Messages
40
Yes.

TDP rating is not a concern when the A/C is on.


If I were assembling a new pfSense box, it would be a Dell Optiplex SFF configured with an i5-4590 and 8GB RAM. An Intel i350-T2 would be the NIC. I prefer that the M/B have an Intel NIC (thanks to this forum). More often than not, I'm buying Supermicro, although occasionally Asus has an Intel NIC on some consumer boards. I don't have any insight on other M/Bs.

I'm not a fan of ITX cases because of limited cooling options. IMO SOC is entry level for pfSense. If you're planning to use VPN and other packages, the better option is CPU+M/B combo.
Thanks much for the input.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
I was in OP's situation last year.
I set out to build a silent small form factor box, ideally passively cooled during regular use but with a latent fan ready to kick in.
An i3-6100 was coupled with a consumer-grade mITX motherboard from Asus. The ASUS BIOS allows fan speeds to be set to completely off when not needed, as opposed to the common "low speed". This was THE selling point for getting a consumer-grade ASUS board. I use a Pure Rock cooler, 120mm fan.
16GB RAM went in along with a 120GB SSD.
For PSU I went for a picoATX in combination with a ~120W laptop brick. Both off eBay.
Case is the very lovely little Raijintek Metis, color red for firewall.
Now, the Asus motherboard was "featured" with the regular junky Realtek NIC. In the only PCIe slot I got myself an Intel quad-port NIC.

Once getting to install the system I heard about ESXi - freeware. I said, if I don't know anything about either ESXi or pfSense, I might as well start off trying to get it to run on ESXi. It did. Super solid performance.

At this moment I've moved to an AIO system, leaving this box without duties.

As for pfsense user experience:
- It is a lot to handle for a newcomer. Luckily most works decently with very minimal initial efforts and 'open rules'. However, once you want to do some slightly more fancy stuff, and start to care a little bit more about what traffic passes through your machine ...it is instantly overwhelming. You will get past that if committing.

Little by little additional functionality can be added. However, starting out by expecting to have full firewall rules in place, VPN provider configured, your own VPN server perhaps, some squid, snort or alike, perhaps running pfBlockerNG etc, you ....must lower your expectations and realize that adding too many things at once will cause too many problems and break too many things. I've been in and on, off and out, round and about the various blocking and proxy alternatives to figure out what is a suitable level of security to not turn everyday use into a ...constant troubleshooting experience. That is easier done than you'd think.
 

D-Tijori

Dabbler
Joined
Apr 19, 2017
Messages
40
Once getting to install the system I heard about ESXi - freeware. I said, if I don't know anything about either ESXi or pfSense, I might as well start off trying to get it to run on ESXi. It did. Super solid performance.

At this moment I've moved to an AIO system, leaving this box without duties.

As for pfsense user experience:
- It is a lot to handle for a newcomer. Luckily most works decently with very minimal initial efforts and 'open rules'. However, once you want to do some slightly more fancy stuff, and start to care a little bit more about what traffic passes through your machine ...it is instantly overwhelming. You will get past that if committing.

Little by little additional functionality can be added. However, starting out by expecting to have full firewall rules in place, VPN provider configured, your own VPN server perhaps, some squid, snort or alike, perhaps running pfBlockerNG etc, you ....must lower your expectations and realize that adding too many things at once will cause too many problems and break too many things. I've been in and on, off and out, round and about the various blocking and proxy alternatives to figure out what is a suitable level of security to not turn everyday use into a ...constant troubleshooting experience. That is easier done than you'd think.

How was the experience running it in a virtual environment? And, if I may ask, why the change over to AIO? Was it something related to running it in a virtual environment?

Looking more so for a standalone system.

Frankly, do not mind the learning curve. My approach is more hands-on. More so - If you failed/frustrated x number of times, that just means remaining failures/frustrations are N-x (where N=no. of remaining failures/frustrations; N is a finite number).

Or, you know, whichever self motivation process flow works for you.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
How was the experience running it in a virtual environment? And, if I may ask, why the change over to AIO? Was it something related to running it in a virtual environment?

AIO = All in One system, that is, I'm still running pfSense virtualized.
I see no reason to let pfSense sit on bare metal. It consumes quite little resources for the "non-complicated tasks". I run mine at 8GB RAM at the moment, but will look for a reduction down to 2-3GB, based off the RAM usage pattern. There is a lot of resources sitting unutilized when running pfSense on metal. That can be mitigated with ESXi ;)

The key to peace of mind for virtualizing the firewall is how it interacts with WAN. I've run it through a virtual NIC in ESXi, which worked fine. Yet then traffic seems to be forced through the ESXi network stack/firewall. I'm not sure to what extent (I've not dug into it) but once I decided to pass through a dedicated physical NIC to that VM, I was under the impression that some things quickened up considerably. Perhaps it was so, or maybe pure placebo. Nonetheless, I do recommend passing through a physical NIC. Doing so disables the typical arguments on security worries related to virtualizing firewalls (i.e., exposing the host to a slim surface for attacks, which ..was problematic a couple of years ago, but since then has not surfaced again, on later versions of ESXi). Clearly, the industry moves towards increasing virtualization, meanwhile there are a set of core old-school users still vouching for <keep the firewall physically separated>.

At the end of the day it is a question of getting enough peace of mind from the security solution.

Or, you know, whichever self motivation process flow works for you.
We're sharing that property to some extent. However, at one point or another we all attempt something we don't anticipate the amount of energy and time that needs to be invested in the software and technology to reach our intents.
I'd say FreeNAS, comparatively speaking, is straightforward and easy to set up decently. Whereas pfSense is a confusing mess, with an abundance of dated guides and recommendations that no longer can be followed blindly - options have changed, layouts have been reworked and functionality has evolved to require additional or fewer steps to reach the same goal. Their forum is complete mayhem and the wiki manual (probably except for the paid book) ...could use a lot of clarification. It is not as dumbed down as the FreeNAS documentation is, and far less complete too.

Problems quickly get stacked once one is following guides blindly and suddenly settings described in the guide no longer matches what you see in the configuration.
The way I've gone about getting where I want to be with pfSense has been to merge a couple of 3-4 dated guides (since none of them appear to follow the same steps, nor the same options) for general concepts to TEST what seems to work, then start reducing rules and options until stuff breaks again to figure out what are the minimum required settings. Tedious doesn't even begin to explain the experience I've had.

However, that is probably what to expect when not being familiar with most of the concepts used. Particularly how to read and interpret what order settings are applied in, to make correct adjustments for functionality, is ...still an uphill battle I come across often once I try to get something else done.
So ehh, the hurdle to get into FreeNAS is sort of stepping up on a chair compared to climbing the Everest of pfSense.
-Once you want to get into stuff.

Now, this might sound discouraging but it really isn't. People's miles do vary.
 

Blade Runner

Cadet
Joined
Nov 8, 2013
Messages
9
I'd say FreeNAS comparatively speaking, is straight forward and easy to setup decently.
We'll agree to disagree. I could not correctly configure FreeNAS permissions until mon0key posted his YouTube video. pfSense was easy.
Whereas pfSense is a confusing mess, with an abundance of dated guides and recommendations that no longer can be followed blindly - options have changed, layouts have been reworked and functionality has evolved to require additional or fewer steps to reach the same goal. Their forum is complete mayhem and the wiki manual (probably except for the paid book) ...could use a lot of clarification. It is not as dumbed down as the FreeNAS documentation is, and far less complete too. Problems quickly get stacked once one is following guides blindly and suddenly settings described in the guide no longer match what you see in the configuration.
I agree that most guides are outdated, ambiguous or based on developmental versions. The RC either changes or omits selection options. I do not agree that their forum is a complete mayhem. IMO most posters attempt to do stuff above their skill/knowledge level. The Wiki manual is only as good as the contributors’ input. The e-book is marginally better than the Wiki manual.
The way I've gone about getting where I want to be with pfSense has been to merge a couple of 3-4 dated guides (since none of them appear to follow the same steps, nor the same options) for general concepts to TEST what seems to work, then start reducing rules and options until stuff breaks again to figure out what are the minimum required settings. Tedious doesn't even begin to explain the experience I've had.
If you can teach someone how NOT to make mistakes, please explain the method because people make mistakes when learning.
However, that is probably what to expect when not being familiar with most of the concepts used. Particularly how to read and interpret what order settings are applied in, to make correct adjustments for functionality, is ...still an uphill battle I come across often once I try to get something else done.
So ehh, the hurdle to get into FreeNAS is sort of stepping up on a chair compared to climbing the Everest of pfSense.
FreeNAS has higher hardware requirements and requires more configuration (scrubs, creating users/groups, permissions, SMART test, etc.) than pfSense.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
IMO most posters attempt to do stuff above their skill/knowledge level.
For sure. Tell us how to avoid doing so while still learning? ;)

If you can teach someone how NOT to make mistakes, please explain the method because people make mistakes when learning.
Agreed. However, the fundamental problem in my experience that I tried to portray rather circled around the issue of finding enough relevant, updated guides to follow blindly to <reach a configuration state>. I don't think everyone needs to <learn> all steps from scratch. Some steps are more critical than others, as often preached in our forums.
I had the same experience with permissions as you. monkey's video was the first one that saved my botched setup to something a little more elegant, it felt like. Huge improvement for convenience and satisfaction with my own system, yet no improvement in practice for my use case.
So my point is sort of to accept a distinction between deep learning and blindly following guides to reach the same outcome. Some would frown upon that; most happily just click along. The FreeNAS experience is by far easier to follow guides blindly and reach a solid outcome than I've seen in pfSense.

FreeNAS has higher hardware requirements and requires more configuration (scrubs, creating users/groups, permissions, SMART test, etc.) than pfSense.
That <REALLY> depends on what you want to accomplish on each system.
To make an effort in agreeing with you on something, I'd agree that in the absolute most basic form to get any sort of internet through a pfSense vs accessing a SMB share on FreeNAS, I'd agree pfSense would be less of a hurdle.

Let's take the case of setting up your own VPN server which only allows access to a select range of IPs once a client connects. The level of understanding of the concepts involved, how they interact, where the settings are, which ones to play with, which ones will break things or perform unintended restrictions for you, is ....vastly more difficult to grasp in the realm of pfSense than ...any sort of comparable haxx done on FreeNAS - which is mostly documented in abundance on the forum to a level where no real understanding is required for implementation. More often than not.
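The two pfSense pain points raised in this thread, rule-ordering ("what order settings are applied") and a VPN server whose clients may reach only a select range of IPs, come down to one mechanism: rules on an interface tab are evaluated top-down, the first match wins, and anything matching no rule hits the implicit default deny. The Python below is an added example (not pfSense code) that models that evaluation on constructed addresses; the 10.8.0.0/24 tunnel, the 192.168.1.0/24 LAN, the 192.168.1.16/28 "NAS range" and the rule descriptions are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule on an interface tab. dports=None means 'any port'."""
    action: str                      # "pass" or "block"
    proto: str                       # "any", "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[FrozenSet[int]]
    descr: str


def net(cidr: str) -> IPv4Network:
    return ip_network(cidr, strict=False)


# Constructed addressing for the example, not taken from any real deployment.
VPN_TUNNEL = net("10.8.0.0/24")        # assumed OpenVPN tunnel network
LAN = net("192.168.1.0/24")
NAS_RANGE = net("192.168.1.16/28")     # the only LAN range VPN clients may reach
FIREWALL = net("192.168.1.1/32")       # pfSense LAN address (acts as DNS resolver)

# Rules on the OpenVPN interface tab, listed top to bottom.
VPN_RULES: List[Rule] = [
    Rule("pass", "udp", VPN_TUNNEL, FIREWALL, frozenset({53}), "clients may use the firewall's DNS"),
    Rule("pass", "tcp", VPN_TUNNEL, NAS_RANGE, frozenset({22, 445}), "SSH/SMB to the NAS range only"),
    Rule("block", "any", VPN_TUNNEL, LAN, None, "log and drop everything else to LAN"),
]


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Rule]]:
    """Top-down, first match wins. No match at all falls through to the
    implicit default deny that pfSense applies on every interface."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dports is not None and dport not in rule.dports:
            continue
        return rule.action, rule
    return "block", None


def shadowed(rules: List[Rule]) -> List[str]:
    """Descriptions of rules that can never fire because an earlier rule
    already matches everything they would match. This is how a 'VPN clients
    reach only these hosts' rule silently stops restricting anything."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            proto_ok = earlier.proto in ("any", later.proto)
            ports_ok = earlier.dports is None or (
                later.dports is not None and later.dports <= earlier.dports)
            if (proto_ok and ports_ok
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                names.append(later.descr)
                break
    return names


if __name__ == "__main__":
    for args in [("tcp", "10.8.0.6", "192.168.1.20", 445),
                 ("tcp", "10.8.0.6", "192.168.1.50", 445),
                 ("udp", "10.8.0.6", "192.168.1.1", 53)]:
        action, rule = evaluate(VPN_RULES, *args)
        print(args, "->", action, "(" + (rule.descr if rule else "implicit default deny") + ")")
    # A broad "pass any to LAN" placed at the top shadows every rule below it.
    broad = [Rule("pass", "any", VPN_TUNNEL, LAN, None, "allow VPN to LAN")] + VPN_RULES
    print("shadowed by the broad rule:", shadowed(broad))
```

Running `shadowed()` over a rule set before saving it is the check that catches the common mistake: a permissive rule dragged above the restrictive ones makes the restriction dead without any error from the GUI.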
 