PFSense / Home Router - Hardware Suggestions

Status
Not open for further replies.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Come to think of it, I'm having some trouble with the OpenVPN server on my pfSense box - my iPhone and iPad can connect just fine, but my laptop and Android phone can't. Not (yet, anyway) getting much (i.e., any) help on their forums for that; maybe I'm not looking in the right places.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
Come to think of it, I'm having some trouble with the OpenVPN server on my pfSense box - my iPhone and iPad can connect just fine, but my laptop and Android phone can't. Not (yet, anyway) getting much (i.e., any) help on their forums for that; maybe I'm not looking in the right places.
My Android connects just fine. Perhaps you've not exported a suitable file? Or ...not using the best client app. One works for me, another doesn't. This one works for me.
https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
That's the one I'm using. I don't think it's unique to the Android app, as my MacBook behaves the same way (with two different clients). I suspect it has to do with the Let's Encrypt certificate I'm using on the pfSense box, since the error coming up in the client logs is "VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" -- but the issuer certificate is also installed on the pfSense box. More detail, logs, and a bunch of screen shots at https://forum.pfsense.org/index.php?topic=131284.0.
 
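One configuration that produces exactly this client-side message is a CA bundle that holds the intermediate but not the root it chains to: the client can place the intermediate at depth 1 and then finds nothing that issued it. The shell session below is an added example, not code from this thread or from pfSense; it rebuilds the situation with a throw-away root, intermediate and server certificate made by openssl, and every name and path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: rebuild the
# "VERIFY ERROR: depth=1, error=unable to get issuer certificate" situation
# with a throw-away root -> intermediate -> server chain, then show the
# error disappear once the intermediate's issuer is in the CA bundle the
# client trusts. Every name and path below is constructed.
WORK="${WORK:-$(mktemp -d)}"

make_chain() {
    # Throw-away self-signed root, standing in for the public root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate signed by the root (the role "Let's Encrypt Authority X3" plays).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    # Server certificate issued by the intermediate, as an OpenVPN server cert would be.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# chain_ok <ca-bundle>: 0 if the server certificate validates with only the
# bundle as trust anchor, the check an OpenVPN client makes at connect time.
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# verify_error <ca-bundle>: the reason openssl gives when validation fails.
verify_error() {
    openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1 |
        sed -n 's/.*depth lookup: *//p'
}

make_chain
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle-full.pem"
# Bundle holding only the intermediate: depth 1 has no issuer, same text as the client log.
echo "intermediate only: $(verify_error "$WORK/int.pem")"
# Bundle holding intermediate and root: the chain closes and the client would connect.
chain_ok "$WORK/bundle-full.pem" && echo "intermediate + root: ok"
```

The practical check on an exported client config is therefore whether its CA material contains every issuer up to a self-signed root, not merely the CA that signed the server certificate.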

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
Okay. I've no experience with Let's Encrypt certificates.
 

D-Tijori

Dabbler
Joined
Apr 19, 2017
Messages
40
Almost narrowed down to a couple of systems finally.
The one in my OP:

Motherboard: Supermicro Mini ITX A1SRI-2558F-O Quad Core DDR3 1333 MHz Motherboard and CPU Combo
RAM: Kingston Technology ValueRAM 8GB 1600MHz DDR3L PC3-12800 ECC CL11 1.35V SODIMM Notebook Memory KVR16LSE11/8
SSD: SanDisk SSD PLUS 120GB Solid State Drive (SDSSDA-120G-G26) [Newest Version]
PSU: SilverStone Technology 300W SFX Form Factor 80 PLUS BRONZE Power Supply with +12V single rail, Active PFC (ST30SF)
Cabinet: Silverstone 0.8mm Steel Body Tek Acrylic Front Panel for Mini-ITX Media Center/HTPC Case Cases ML05B

Or, in the name of picking up something thoroughly contemporary, the one below:

Motherboard: https://www.amazon.com/gp/product/B01N1MOJE4/ref=ox_sc_act_title_3?smid=AR65LILXUWDP0&psc=1
CPU: https://www.amazon.com/gp/product/B01MZ9GJ1N/ref=ox_sc_act_title_4?smid=ATVPDKIKX0DER&psc=1
RAM: Kingston Technology ValueRAM 8GB 1600MHz DDR3L PC3-12800 ECC CL11 1.35V SODIMM Notebook Memory KVR16LSE11/8
SSD: SanDisk SSD PLUS 120GB Solid State Drive (SDSSDA-120G-G26) [Newest Version]
PSU: SilverStone Technology 300W SFX Form Factor 80 PLUS BRONZE Power Supply with +12V single rail, Active PFC (ST30SF)
Cabinet: Silverstone 0.8mm Steel Body Tek Acrylic Front Panel for Mini-ITX Media Center/HTPC Case Cases ML05B

If it weren't for the C2000 series bug red flags, would pick the Supermicro C2558 myself. However, cannot find any update except for the recall from Intel and there is no way to know what one might end up getting from Amazon.

So, questions:
1. Is it still OK to get the C2558 motherboard? Anyone recently bought one and/or experienced the bug?
2. Comments on the ASRock motherboard + i5 7400T combination? Worth going in for it? Any functionality one might miss out on given it's not server grade, no ECC RAM, no IPMI?

Note: I do understand it's ultimately a personal choice and risk, and home/personal data is indeed irreplaceable. However, I would just like to hear some opinions/comments.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Okay. I've no experience with Let's Encrypt certificates.
You know, I'm sure I'd tried this before, but... Generated a new self-signed cert for the router. Set the OpenVPN server to use that cert. Downloaded the config to the Android phone, and it connected right up. Downloaded the config to my MacBook, connected it to my phone as a hotspot, and it connected right up as well. So I have a connection. Doesn't answer why it won't work with the LE cert, but that is a lesser issue. Threadjack over.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Any functionality one might miss out on given it's not server grade, no ECC RAM, no IPMI?
Now that I've used it, I'd really like to not have a headless machine without IPMI or some other comparable technology - the remote console is really useful.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Almost narrowed down to a couple of systems finally.
The one in my OP:

Motherboard: Supermicro Mini ITX A1SRI-2558F-O Quad Core DDR3 1333 MHz Motherboard and CPU Combo
RAM: Kingston Technology ValueRAM 8GB 1600MHz DDR3L PC3-12800 ECC CL11 1.35V SODIMM Notebook Memory KVR16LSE11/8
SSD: SanDisk SSD PLUS 120GB Solid State Drive (SDSSDA-120G-G26) [Newest Version]
PSU: SilverStone Technology 300W SFX Form Factor 80 PLUS BRONZE Power Supply with +12V single rail, Active PFC (ST30SF)
Cabinet: Silverstone 0.8mm Steel Body Tek Acrylic Front Panel for Mini-ITX Media Center/HTPC Case Cases ML05B

Or, in the name of picking up something thoroughly contemporary, the one below:

Motherboard: https://www.amazon.com/gp/product/B01N1MOJE4/ref=ox_sc_act_title_3?smid=AR65LILXUWDP0&psc=1
CPU: https://www.amazon.com/gp/product/B01MZ9GJ1N/ref=ox_sc_act_title_4?smid=ATVPDKIKX0DER&psc=1
RAM: Kingston Technology ValueRAM 8GB 1600MHz DDR3L PC3-12800 ECC CL11 1.35V SODIMM Notebook Memory KVR16LSE11/8
SSD: SanDisk SSD PLUS 120GB Solid State Drive (SDSSDA-120G-G26) [Newest Version]
PSU: SilverStone Technology 300W SFX Form Factor 80 PLUS BRONZE Power Supply with +12V single rail, Active PFC (ST30SF)
Cabinet: Silverstone 0.8mm Steel Body Tek Acrylic Front Panel for Mini-ITX Media Center/HTPC Case Cases ML05B

If it weren't for the C2000 series bug red flags, would pick the Supermicro C2558 myself. However, cannot find any update except for the recall from Intel and there is no way to know what one might end up getting from Amazon.

So, questions:
1. Is it still OK to get the C2558 motherboard? Anyone recently bought one and/or experienced the bug?
2. Comments on the ASRock motherboard + i5 7400T combination? Worth going in for it? Any functionality one might miss out on given it's not server grade, no ECC RAM, no IPMI?

Note: I do understand it's ultimately a personal choice and risk, and home/personal data is indeed irreplaceable. However, I would just like to hear some opinions/comments.
I can't directly answer your question. But Supermicro's policy is to replace C2000 boards with the fault, and if you buy them from an approved dealer then they will replace them on a return-after-replacement-received basis. So it is pretty clear that an approved Supermicro dealer is going to be selling a board built after the fault was cleared, otherwise you could immediately demand they send a new one pending return of the old one! This is theory rather than practice, but I would feel pretty safe buying a C2000 board from an approved Supermicro dealer.

Edit: when I say they will replace them with the fault, I mean they will replace them even when working normally if they were purchased before the fault was discovered; you don't have to wait until they fail.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
They don't replace them, they repair them and return them.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
They don't replace them, they repair them and return them.
Maybe they supply repaired ones, but they definitely agreed to send me a working one with my dealer's cooperation before I had to send mine in. Haven't got round to it yet, may or may not work.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Some, as yourself, have reported luck getting an advance RMA, but it's not the norm. Granted, that's based on what users on the pfSense forum are reporting, not any actual data that I have any knowledge of.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Some, as yourself, have reported luck getting an advance RMA, but it's not the norm. Granted, that's based on what users on the pfSense forum are reporting, not any actual data that I have any knowledge of.

Fair enough, I only have my individual experience. I am in Europe, does this make a difference?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Not sure, but it looks like it worked out well for you.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
I still think it unlikely an official Supermicro dealer would sell an unfixed board, especially if you specifically asked them before buying it. Certainly in Europe, and to a consumer, regulation may be more permissive elsewhere.
 

D-Tijori

Dabbler
Joined
Apr 19, 2017
Messages
40
I still think it unlikely an official Supermicro dealer would sell an unfixed board, especially if you specifically asked them before buying it. Certainly in Europe, and to a consumer, regulation may be more permissive elsewhere.

Well, in terms of customer care, Amazon in the U.S. is probably one of the better companies. They will do almost everything short of giving you $'s to make sure your demands are met (at least in my experience), and that is precisely the reason why I went to them first.

However, in general, the level of service* is higher in EU. But then you are also charged/taxed higher for it.

*Service is used broadly here to encompass both tangible and intangible goods.
 

D-Tijori

Dabbler
Joined
Apr 19, 2017
Messages
40
Now that I've used it, I'd really like to not have a headless machine without IPMI or some other comparable technology - the remote console is really useful.
This can be mitigated by using PuTTY or a similar tool once pfSense is installed and we have an IP address, yes? Or is there another missed scenario?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
This can be mitigated by using PuTTY or a similar tool once pfSense is installed and we have an IP address, yes? Or is there another missed scenario?
SSH doesn't get you into the system BIOS, or otherwise give you console access. That can be very helpful for troubleshooting. Once the system is up, and you have a network connection to it, yes, SSH is very helpful, but it doesn't do everything.

Edit: Handy though it is, my pfSense box doesn't have IPMI. It does have a USB/serial console port which could be used for a similar purpose, but I'd need to hook it up to another computer. A Raspberry Pi would do the trick, but I haven't set that up yet.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
Virtualizing pfsense would give you the equivalent of IPMI ;)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Virtualizing pfsense would give you the equivalent of IPMI ;)
True, and I hadn't especially considered that. My pfSense box (a Netgate SG-2440) is a bare-metal install, and one of the reasons I moved to pfSense was that my former routing solution (a Linux-based server/router) had horrible routing performance under Proxmox. But I also wanted the router to be its own box, so any work on my Proxmox host didn't interrupt the Internet. But there are always pros and cons.
 

Dice

Wizard
Joined
Dec 11, 2015
Messages
1,410
@danb35
I tend to look at virtualization more so to bring flexibility to hardware.
In this case, bringing IPMI functionality is more than enough argument to put pfSense on a virtualization host.

I've run a separate little box described in #56 on ESXi when it could just as feasibly have been running on bare metal.
In retrospect, that setup added the capacity to have a "less elaborate" version, already loaded, ready to start should the primary pfSense get borked from experimental settings.
Something I've come to value a lot. Troubleshooting can very shortly be resumed rather than the typical nightmare experience where one starts reverting numerous settings, causing a blind mess before getting <back online>. Having a <working pfsense VM> already registered in the host grants me peace of mind.

I'd suggest that your experience with 'horrible routing performance' occurred with virtual NICs rather than a passed-through physical NIC?
Once I reconfigured to a passthrough NIC, a boatload of "why the hell doesn't shit work as planned?" ...just let go. On top of that, a hefty <perceived> performance boost all across the board (I think it was related to latency through network stacks?).

PSSST!
viirtuuaaaliiizzhee!
 