pfSense HW 2019 - Appliance or DIY?

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
Hey!
I need to have some of my devices behind VPN and instead of handling this separately on the devices I wanted to do that on my RB450G (Mikrotik) via prerouting/mangle. Technically the setup is not that hard but I've realized two major issues.

- ROS (still) supports neither OVPN over UDP nor sha256, so that is a no-go
- L2TP with IPsec catapults the CPU usage to 100% and it is not capable of handling throughput over 8Mbps. With no mangle and prerouting it hardly gets to 9Mbps. The CPU power w/o AES-NI is simply not enough.

So after a decade I am looking for a new solution for my home network. I like Mikrotik/Routerboards but the absence of OVPN is just a big step back for me. And with ROSv7 not being released anytime soon I need to change the brand. SOHO/plastic crap is not going to happen (overpriced devices with limited usage). That basically limits the area significantly. As I already have a UniFi AP AC I was checking the USG from Ubiquiti but the HW specs are just sh!tty for my needs. And the FW capabilities are limited as well. So the only way is pfSense, which seems to be the perfect match for me...
//Edit: Final HW + cooling post HERE

So now for the main question ... "DIY or Appliance"? I don't have any spare parts which would have the necessary power with AES-NI capabilities (not really necessary for now, but still) so I would need to buy the parts, which could get quite expensive. Moreover the whole build would probably not fit into the existing cabinet sooo ... currently I am more for the Appliance solution.

Meaning the second question is "Which device for pfSense"? I've read the pfSense HW requirements and I see they have their own HW (Netgate). Aside from these I found TekLager providing quite nice hardware as well. And there are also some other brand boxes (but better to avoid most of these I guess :D)

My requirements are:
- Capability of handling ~100Mbps over OVPN (sha256)
- 3 clients with high bandwidth over WAN (up to 100Mbps but maybe more in future)
- 3-5 clients with low requirements from WAN perspective (I have 1Gbps L2 switch handling internal network)
- 4-5 VLANs (trunk port on Router side)
- Approx 100 FW and NAT rules
- In the future I might need IGMP proxy but this is optional for now

So currently I am considering one of these
- APU2D0 for sweet $228 but "only" 2GB RAM and no internal SATA port
- APU2D4 for fair price $278 with 4GB RAM and SATA slot for storage expansion
- SG-3100 price $349 seems quite high considering the fact that it has only ARM with no AES-NI :/ and the RAM/CPU is nothing extra.
- SG-5100 which seems to be a nice piece of HW but the price tag is just crazy ! ( $699 ) no way I pay that much for a home router.

Thank you in advance for any comments, ideas or hints.

Note: I know there is a pfSense forum but I guess our community has something to say as well :]

Thanks !

Alex
 
Joined
Dec 2, 2015
Messages
730
I'm running pfSense on an APU2C4 (earlier revision of the current APU2D4), and am quite happy with it. I was using OpenVPN before I moved to place where that is no longer practical, and it worked well, but I never measured the performance. I purchased my APU2C4 directly from the board manufacturer, so I cannot comment on TekLager.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,110

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
I have the Netgate version (i.e., didn't come bundled with pfSense) of the SG-2440, which at the time was $200 cheaper. It's a nice little box and would seem to do all you mention--but last time I looked, the price had gone up to where it didn't make sense (and now I see they've discontinued it and "replaced" it with an ARM-based box that only has two NICs--no thanks). I've seen some pretty good press about the Protectli boxes, though; those are probably where I'd be looking if I needed new hardware today.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
I'll check the prices of individual parts. I see they have several boards in stock. Thanks Kevin

@HoneyBadger I just quickly checked but for me it is not practical... The cheapest quad-core I found on ebay is $120 + $40 shipping into Europe. Then approx $40-50 for an Intel PCIe NIC (free shipping). So in total it would be $200++ for an old used thing with an active FAN inside (not sure if I could afford to cut that off). Compared to $228 ($278) + $20 shipping for a new product with half the size ... not so huge a difference :/
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,924
I've seen some pretty good press about the Protectli boxes, though; those are probably where I'd be looking if I needed new hardware today.

I have the Protectli Vault FW4A-0 running pfSense and am very satisfied with it. Protectli seems to be supporting it well with good tech info directed specifically to running pfSense.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,110
Cheapest quad-core i found on ebay is for $120 + $40 shipping into Europe. Then approx $40-50 for Intel PCIe NIC (free shipping)

Ouch. Didn't realize you were in the EU, that kills the deal for sure.
 

Alecmascot

Guru
Joined
Mar 18, 2014
Messages
1,175
There are some nice Optiplex 790 SFFs going in the UK at the moment.
Many of them have an i5-2400 which has AES, add an Intel NIC and you are good to go.
Mine runs 250Mbps across a VPN on a 350Mbps Virgin Media line.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
@Alecmascot Heh sounds interesting but quite overkill I guess. See, I have all of these (router, switch, Vero4k, ...) in a table right under the TV so having this would be either noisy or I would burn it down with the FAN removed. I'll rather stick with some passive solution.

I am going to dig for more details about Protectli and TekLager. Netgate is nonsense...
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458

silverback

Contributor
Joined
Jun 26, 2016
Messages
134
I have the Protectli Vault FW4A-0 running pfSense and am very satisfied with it. Protectli seems to be supporting it well with good tech info directed specifically to running pfSense.


I run this too, simple and reliable. Low power obviously.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
They sell fairly nice kit, but I don't think they're at all price-competitive.

That's like saying a TrueNAS unit isn't price-competitive with the bare Supermicro hardware. It's true but kinda misses the point.

Netgate isn't trying to be price-competitive. They're selling devices to help fund development.

- APU2D4 for fair price $278 with 4GB RAM and SATA slot for storage expansion - current favorite

I was recently looking at this for various reasons and came to the conclusion that the APU2D4 was probably the best device to run FreeBSD on for a high speed NAT/VPN gateway application in the low-watt category, where I really wanted something that was a true appliance and not a hack. My requirements include things like "must autostart reliably" and "needs console port that isn't duct tape and jumper wires or USB."

4GB RAM is ridiculously large for a basic NAT/VPN gateway (only need about 128-256MB if you roll it on normal FreeBSD) which leaves you a massive amount of free resources to run more complex stuff on it if you want.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,600
Some people are using fit-pcs, various models, for pfSense. I have 2 fitlets, (first gen), and while I am happy with them, (for the application, tiny size, fanless design and low power consumption), I can see they may be too under powered for higher performance firewalls. You might check them out. Later models can be bought without memory & storage, so you can select the amount you need.

https://www.fit-pc.com/
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
They sell fairly nice kit, but I don't think they're at all price-competitive.
Netgate isn't trying to be price-competitive. They're selling devices to help fund development.
Let me rephrase what I said ... It would be nonsense from my side to buy a product with those HW specs for that price tag for my needs.

Anyway I did more research and below are a few points:
- OpenVPN is single-threaded (!)
- APU2D4 is 1.2 GHz / core (TekLager build here)
- OVPN performance on APU2 with pfSense 2.4 -> HERE (AES-256-GCM ~ 96 Mbit/s, AES-256-CBC ~ 62 Mbit/s)
- WireGuard VPN is multi-threaded but still in "not for production use" state. Once it gets stable it will be kick-ass (~600 Mbit/s)
- Protectli FW4B has Intel Celeron J3160 (1.60 GHz /core (2.24GHz turbo))
- Protectli FW4A has Intel Atom E3845 (1.91 GHz /core, no turbo)
- J3160 and E3845 - Intel ARK compare
- https://www.reddit.com/r/PFSENSE/comments/8fnc91/hardware_recommendations_for_pfsense/
- https://www.techpowerup.com/forums/threads/pfsense-use-and-hardware.251691/
- https://www.reddit.com/r/homelab/comments/9133kt/hardware_selection_for_pfsense_homelab/

So Basically:
TekLager APU2D4 = Quad 1.2 GHz/core + 16GB mSATA + 4GB RAM - $278
Protectli FW4B = Quad 1.6 (2.24) GHz/core + 16GB mSATA + 4GB RAM - $303

Protectli seems like the winner here BUT they want $75 (!!) for standard shipping while TekLager wants only $20 (as they're in the EU as well). Which makes like an $80 difference ... eeeh :/
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
I run an APU2C4 with pfSense and I've been very pleased with it. It's a bit limited with OpenVPN but it's otherwise a good product. If you live in a place where you can order direct from pcengines it will likely be cheaper to go that route. Mine, shipped with 16GB SSD, case, power supply and console cable, was around $174.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
@Jailer Hehe they have a nice statement on their shop page:
"Because of unbelievably bureaucratic recycling regulations, PC Engines will NOT sell directly to end users within the EU. "

Anyway I've checked their distributor list and found that two of them in CZE have all parts in stock for ~$202 (w/o cable). I guess that seals the deal for me...
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
I've asked "PC Engines" if they have any plans for new boards with GX-420MC (2GHz/core) or GX-424CC (2.4GHz/core) CPUs and the answer was "No". So the "GX-412TC" (1.2GHz/core) is the top one available.

Also I've sent an email to Protectli asking if they have any partner/distributor in the EU (to bypass the crazy shipping) and luckily they just sealed the deal with one of the companies in Poland. So their products should be available in the EU soon :]

//EDIT: Prices are even more crazy with all of the taxes and electrical waste EU c*ap ... wtf...
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
So I just got one of these babies for 150 bucks + shipping and a small import tax (w/o RAM and mSATA as I already had these lying around). It is basically the Protectli FW4B with a $100 discount (lol). The only difference I found is that I have "LAN1, LAN2, LAN3, LAN4" labels instead of "OPT1, OPT2, LAN, WAN" but whatever. Secondly one of the RJ45 ports is sliiiiiightly misaligned but it works so it is really just a cosmetic flaw (I don't care).

And the last difference is that it has an AMI BIOS and not Coreboot (with Protectli splashscreen). But I've dropped a message to Minisys and they were willing to flash Coreboot for me before shipping. Sadly there were some issues with downloading the latest Coreboot release and I did not want to wait longer so I asked them to forget about that and just ship me the new toy so I can play with it ^^ Maybe I will flash it myself one day.

The build quality of the MiniPC itself is pretty neat. It weighs 491 grams (mSATA and SO-DIMM included) and I would say more than half of it is the crazy heatsink on top. The mounting kit is just simple and cool. What I don't like much is the laptop-size power supply. It is half the size of the PC itself :D ... BUT (!) it has a shiny green LED "YANLING" logo (which I will cover with black electrical tape tomorrow as I hate LED crap anywhere near my TV). And the power cord feels really cheap. Will replace that with another one (as it is a standard IEC320 and I have a full box of these).

So much about rebranding/reselling products from China ^^
 

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
Have you considered ESXi and combining your FreeNAS with pfSense?

See the signature of my main system; I did the same and it runs quite okay.
 