Cheap pfSense firewall

I was thinking of using this micro PC, and wondered about its suitability as a pfSense router/firewall:

https://www.newegg.com/zotac-zbox-c-series-zbox-ci325nano-u/p/N82E16856173158

Oddly, it has an Intel AND a Realtek GigE NIC in it. And I have some doubts about how well the Celeron will handle high speed traffic. Any thoughts?

That is decent but some more firewall like:

You should probably find SBCs with Intel NICs. I am unsure how reliable Realteks are these days.

I’m using a Celeron J3455 (more specifically, an ASRock J3455M mobo) with pfSense (and AES-NI enabled for OpenVPN) and a speed test on my 1 Gbps FTTH connection doesn’t even move the CPU past 15% to at most 20% spike utilization (just ran a test to confirm and my ISP is throttling me to 515 Mbps down and 486 Mbps up, although I don’t even make use of more than 100 Mbps, I’m just paying not very much for a service that I don’t use to its fullest potential).

Edit: just did an iperf3 between my PC and a VM on different VLANs in my home network. Got 932 Mbps and the Celeron spiked to 23% utilization (mostly at 17%). I guess if you want more than 3 LANs + 1 WAN, you will be in trouble with the Celeron, but otherwise, it should be good enough.

Avoid the J1900 boxes. Lack of AES-NI is not a big deal anymore, but the J1900 has the cache bug that ruins that CPU quickly. My J1900 lasted about a year, I think, before the kernel panics started happening.

I will not get any Atom-based unit now, just way too many horror stories out there about a large part of the lineup.

The advice I read a lot is to get Intel NICs. I can’t speak from experience, other than that this is commonly stated, much like TrueNAS and lack of ECC causes Reeee.

And not all Intel NICs are created equal. My eBay pfSense box with Intel NICs still could not support the newer “inline” IPS mode, so I have to use legacy. It looks like a few select Intel NICs are supported in the FreeBSD kernel for this.


It is about frequency and memory. Celeron today is more than enough for a medium size solution (SOHO). If you are going for large scale - you might want to optimize further.

It is getting more common with Intel CPUs. I would not buy HW with less than 3 ports.
This one can handle backups with USV BIC at least.

Links to cheaper OpenWrt alternatives that'll do a gigabit NAT and/or VPN (or even 2.5Gbps), but won't run pfSense:

  • There’s also a great RK3399-based solution: NanoPi R4S
    You can add more network ports via USB, or add a 5T 2.5" HDD and run torrents off of it, or do other stuff - plenty of oomph.

  • Odroid H2+ - dual 2.5Gbps ports, pfSense will work on this x86 board, but won’t support network - Linux/Windows on this board will work just fine: ODROID-H2+ – ODROID

  • Odroid N2+ - very fast ARM CPU: ODROID-N2+ with 4GByte RAM – ODROID
    Connect to your TV to play 4K HDR from Kodi, while routing and NAT-ing gigabit on the side, use the same TP-Link UE-300 adapter for an additional interface.

Assume Realtek NICs aren’t there. Stick with Intel only for pfSense (BSD is NOT kind to Realtek NICs)

If you want a relatively cheap box, I’d recommend something like an old Optiplex 390/3010 SFF box and add an extra NIC card into it

Take a look at PC Engines APU2 system boards. They make a great pfSense firewall for around $200 USD (board+case). I’ve been running one for the last couple of years.

https://pcengines.ch/apu2.htm


Used thin clients with AES-NI and a PCIe slot are typically the best value. Add any Intel NIC you want. Get 2 and set up CARP.

This. I got just the two-port version. In retrospect, I probably should have gotten the 4-port version instead.

So I checked out PC Engines, but they’re out of stock on some units until May, and some they are not sure when they’ll be in. @oO.o's suggestion of a used thin client has some appeal, but I’m not sure where to find such boxes. Is eBay the best place to go?

I just moved and had to shed a lot of obsolete hardware in the process, so I don’t have a whole lot of spare PCs. In fact the only one I have just sitting around is an old Dell T5500. But it is a monster among power guzzlers, with 2x130W CPUs (X5687), so I’m not sure it’s the most economical choice for the role of firewall, either running on bare metal or in a VM.

Yeah


I get wanting to build your own, but Netgate's own personal firewalls aren’t that expensive: SG-1100 pfSense+ Security Gateway – Netgate

I’ve got one of those and it’s been doing the job just fine. You won’t be able to run more intensive stuff like Suricata on it, but for a simple setup it can work out pretty well.

I use a Dell Micro 7060 and it's massive overkill for pfSense. Also I installed a 2nd (Realtek) NIC in it and it's been fine.

Ironically the dual port version has better NICs. The i210 NICs are 4 queues per port whereas the i211 is only 2 per port. There is a 3 port version with the i210. It probably doesn’t matter toooo much unless you have a complicated config or are willing to tune settings.

Fitlet2 works well in that role.

Hi guys, a newbie here and a newcomer to the forum. Do you have any experience with eBay/AliExpress firewall hardware? Something like this:


No experience with either this kind of hardware or the sites. Check if it has an Intel NIC or something else. Usually Intel network cards have the least problems in both Linux and BSD (pfSense runs on top of FreeBSD).
