DIY pfSense Questions

Hi guys,

I am looking for a project to work on at home and I am considering making my own pfSense router for the home, and wondering if you guys could answer some questions or point me towards some resources.

From what I have read you don't need anything crazy hardware-wise, but I have a gigabit internet connection at home and wouldn't mind future-proofing it (I know, overkill) so that it could support 10 Gbps routing via an SFP+ interface. What kind of hardware would I need to do this, and would pfSense be capable of doing this? From what I read it looks like pfSense can't route past gigabit efficiently? Am I correct about this? The main things I am looking for are a solid router that can handle high bandwidth, supports VPN so I can log into my network remotely if I ever need to, and intrusion detection.

Also, on the network side of things, I would want to be able to divide my devices (home network devices, IoT, security, etc.) into separate VLANs, but I assume this would be done more by a managed switch? Is that correct?

One last question is that at some point I would want to have a home server that could manage my security, NAS and media streaming, and I would think that I would set this up using virtualization, but is it a good idea to have the router be a separate machine, or could I just have it be a virtual instance on this server?

Thanks

A CPU which at least supports AES-NI, with at least a 2 GHz clock and 2 cores or more, and 1 GiB of RAM, with a spare PCI-E slot for an SFP+ card.

Routing past 1 Gbps is not a limitation of pfSense, it is of the hardware you run it on.

You can do this with pfSense, but if you use an L3 managed switch then you lose the benefits of the pfSense firewall with DPI (Suricata).

Separate machine.

2 Likes

And this would be able to route at 10 gigabit?

Good to know. I had read on Reddit that they didn't design pfSense to do that well and that TNSR (which isn't available for home users, I think) was meant for that. Thanks for correcting me.

Thanks for the reply.

I would probably spec it up a bit; the 2 GHz would probably be an issue. RAM isn't really sold in 1 GB sticks on anything worth using, so that won't be an issue either.

No problem.

Check out how pfSense specced out their own 10 Gb server offerings for a better idea of what hardware will be recommended.

Ahh, Reddit.

What doesn’t make sense to me about that is that FreeBSD has a simpler network stack so it’s already more optimized for serious networking.

pfSense is just a frontend for BSD, so I'm not sure why people would say "it's not designed for it".

3 GHz, prolly, yeah.

2 GHz, 3 GHz? Ouch, you guys, making my pfSense feel inadequate, haha. I would like those specs.

OP, I have a Celeron 3865U @ 1.80 GHz. I run Snort on my WAN as IDS, Snort on one of my VLANs as an IPS, acme and HAProxy for SSL for things like Home Assistant, OpenVPN, pfBlockerNG, softflowd and ntopng... and syslog 'all' out to a DB, plus Barnyard output to a DB for both Snorts.

For 1 gigabit it idles around 9%; I can get it over 15% with SSL traffic from one server going. Granted, I'm not really throwing a lot of traffic at it: I turned off DPI with so much SSL anyhow, and my pfBlockerNG isn't amped up much (for instance, I turned off its Pi-hole-like ad-blocker feature). I can imagine 10G slamming 1.8 GHz too hard.

Something that really surprises me is how little resources ntopng uses, as it provides a web UI (port 3000) to interact with the data. I'm a Splunk snob and I'm blown away at how easy it is to use and get value from ntopng, and it's how I easily found what AWS servers my Reolinks were using.

1 Like

I run a 4130T that might get upgraded to an E3-1275L v3.

1 Like

Oh yeah? Well… well… I run arch btw.

1 Like

Crud, so this post got me to log into my pfSense. It's a passively cooled box on a high shelf in my closet. It's at 12% and 56 °C. FTML. I need to shut it down, check the thermal paste and maybe throw that USB fan back on it... at the very least put the fan on it right now... brb.

OP, I'm a fan of the Amazon passively cooled boxes (like mine and the 2nd one I've had), but be aware their heat sinkage could be better.

I've never tried pfSense with 10 gigabit, but routing is not a particularly CPU-intensive task; what does require performance is firewalling, and that is measured in packets per second rather than actual bandwidth. So a 10 Gbps link on a local network isn't going to use much CPU, whereas a 10 Gbps internet connection at an office with many users will.

2 Likes

Yes, a simple L2/L2+ managed switch will do. An L3 switch working in L2 mode is a waste of money.

You'd typically have a VLAN trunk between the switch and pfSense. One of these VLANs could be your WAN interface.

10 Gbps rules out complex matching with Suricata without a fancy CPU, or without more than one Suricata machine. But most folks are happy without Suricata and just use DNS-based filtering like AdGuard or Pi-hole, or they just use 1.1.1.2/1.1.1.3 or some other DNS-filtering-as-a-service provider.

In terms of server hardware, a $200 Ryzen box will do; stick a few HDDs in there and it can double as your NAS.

For 10 Gbps interfaces, a cheap Mellanox ConnectX-3 that can run, or can be flashed to run, in Ethernet mode, or an Intel X520 (SR1 cards are super cheap, but 1 port only :( ), plus some cheap switch, either a UniFi XG1 or a MikroTik CSS326 for example, or their CRS328, depending on what ports you want/need. You'll also need to worry about your ISP and whether they'll give you a properly provisioned SFP+ GPON ONU or a full-blown RJ45 multi-gig ONT, and what their plans are. You'll also probably want some cheap DACs (direct attach cables to go SFP+ <-> SFP+) and maybe some cheap $10 10 gig optical transceivers, or some RJ45 SFP+ transceivers if you want to reuse Cat6.

You can also do 40G between router and switch (e.g. CRS326-24S+2Q+RM) and get a secondary, cheaper 1G managed switch for slower 1G stuff. That way you save yourself some PCIe slots and get a ton of 10G capability for your storage boxes and desktops. That way, if you wanted to route 10 Gbps from one VLAN through to another using pfSense and simultaneously do all the Wi-Fi, internet and Plex routing from the NAS onto your TVs, using only one NIC/cable, you can; it's no big deal.

Most IoT is wireless and requires broadcasting to work, set up or discover, so isolating IoT traffic from each other before it reaches your pfSense for filtering will require a moderately capable Wi-Fi access point, typically Ubiquiti or MikroTik or something running OpenWrt, so that you get dynamic VLAN support and would then be able to do a filtering bridge.

How much CPU you need to "route gigabit" depends more on packets per second (i.e., how big your packets are), whether you are doing IPv6 and any sort of inspection, the complexity of your rule set, etc.

If it's gigabit for a home environment, some potato will probably be fine, but if you're talking 10 gigabit LAN routing in an enterprise, it may be different.

As above, if you look at what Netgate specs for their systems, they will be total and utter overkill for a home user doing the same line rate, because you don't have a hundred or more users behind the thing with many connections. I'd wager you'd probably be fine with HALF the hardware they spec, as they're focused on enterprise with many users.

The only time you'll push gig at home is bulk downloads, which are large packets, etc., and thus "easy" on the CPU to route.

Suricata? Unless you're really, really paranoid you probably don't need it checking between local VLANs (especially at HOME), only from the internet. Which, if you have 10 gig internet... I'll be surprised.
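The two posts above make the same point: firewall and IDS work is paid per packet, so the load at a given bandwidth is set by frame size, not by the bit rate. This added example (not from any poster in the thread) computes line-rate packets per second with the fixed Ethernet wire overhead and the CPU cycles available per packet; the 3 GHz clock, core count and frame sizes are constructed illustrative inputs.

```python
"""Line-rate packets per second and per-packet CPU budget for Ethernet links.

Added worked example for the thread's point that firewall/IDS load scales with
packets per second rather than bandwidth. Frame sizes, clock and core counts
used below are constructed inputs, not measurements of any pfSense box.
"""

# Fixed per-frame overhead on the wire that is not part of the frame itself:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 7 + 1 + 12


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames per second on a fully utilised link.

    frame_bytes is the Ethernet frame including the FCS: 64 is the minimum,
    1518 the usual non-jumbo maximum (a bulk download is close to 1518).
    """
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_frame


def cycles_per_packet(link_bps: float, frame_bytes: int,
                      core_ghz: float, cores: int = 1) -> float:
    """CPU cycles the firewall may spend per packet while keeping line rate.

    Every rule lookup, state-table update and IDS signature match for one
    packet must fit inside this budget, or the box starts dropping packets.
    """
    return core_ghz * 1e9 * cores / line_rate_pps(link_bps, frame_bytes)


def budget_table(link_bps: float, core_ghz: float, cores: int = 1,
                 frame_sizes=(64, 512, 1518)):
    """Rows of (frame_bytes, pps, cycles_per_packet) for one link speed."""
    return [(size,
             line_rate_pps(link_bps, size),
             cycles_per_packet(link_bps, size, core_ghz, cores))
            for size in frame_sizes]


if __name__ == "__main__":
    # Constructed scenario: a 4-core 3.0 GHz CPU fronting a 1G and a 10G link.
    for gbps in (1, 10):
        print(f"{gbps} Gbps link, 4 cores at 3.0 GHz:")
        for size, pps, cycles in budget_table(gbps * 1e9, 3.0, cores=4):
            print(f"  {size:5d}-byte frames: {pps:14,.0f} pps"
                  f"  {cycles:12,.0f} cycles/packet")
```

The 64-byte row at 10 Gbps (about 14.9 million packets per second) is the worst case an inspection engine must survive; the 1518-byte row is the bulk-download case the post calls "easy".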

I have had an i3-6100T pfSense for the past two years on a 1 GIGABIT fiber-to-the-home connection, and it routes at full speed with the CPU at 2%. (Without Suricata, but I run OpenVPN, pfBlockerNG, a persistent site-to-site VPN connection, etc.)

Based on my experience, pfSense doesn't require significant CPU to get the job done. I believe that is why virtualization often comes up, so you can apply only the necessary amount of RAM and CPU to it, but since I just want my internet up and working, I don't risk it by putting it on virtualization I don't fully understand... yet.

Mine is running on an AMD R3 1200 at 3.1 GHz with 4 GB of RAM. It's complete overkill and I love it.

I rarely go over 4% CPU, and most of the time it sits at 1-2%.
RAM usage is currently sitting at 17%. It used to be as high as 25% back when I used to do region filtering, but ever since MaxMind started requiring a license for their GeoIP functionality, I've turned that off, since its efficacy was questionable the way I had it set up anyway.

I originally built this system to replace my old Core 2 Duo system after all the Intel vulnerabilities and other security-related errata on the Core 2 Duo were brought to my attention. I also did it to gain AES-NI functionality, since most budget Intel CPUs didn't include that at the time.

It turns out that AES-NI is no longer going to be required by pfSense as it once was, but it certainly doesn't hurt to have.

pfSense can go faster than gigabit, but does not saturate a 10 Gbps link under all conditions, even with a very powerful CPU. Memory latency can become a bottleneck to the kernel network stack before the CPU is fully utilized. This applies to both Linux and *BSD. Higher performance is possible in software but requires alternative network stacks.

Hi all,

Firstly, thank you for the responses; it's much appreciated. I had a busy few days, so I didn't get to respond.

Sounds like I won't require much in terms of horsepower to build what I am looking for. If I were to build a system using the soon-to-be-released Ryzen 3100/3300X, I assume this would be overkill, but I like the fact that the processors don't seem to be having the same issues with security, so I think I will try to build something using these chips.

A few more questions:

  1. Would I be able to make a silent (or near-silent) pfSense system using these chips? I know they are not out yet, but I assume we can make some assumptions here.

  2. I am planning on putting these in server chassis, 1U, 2U, etc. Could someone make a recommendation here? Or is it just pick out whatever?

  3. Are there any server boards for the X470, X570, B450, etc. platforms? I know ASRock makes some, but that is all I have seen.

Thanks

A Scythe Ninja 5 on the CPU, kept at ~300-350 rpm, plus a single NF-S12A case fan for fresh air intake that spins up on demand, will get you near silence.

Small fans, if you need to move up to 100 W of total system power, are not silent. Get a cheap, short 4U case and make sure it's dust filtered, or get filters if you don't have centralized HVAC doing the filtering in your house.

Only ASRock Rack does true IPMI with these. (The Windows app that talks to the motherboard firmware on the X570 Ace doesn't count.)