First meaningful network "upgrade" with pfsense

My current setup includes a crappy 100 Mbps WiFi router and I suffer 4% packet loss every hour over WiFi. It’s a TP-Link Archer C20. I troubleshot the issue by pinging Google from multiple devices - some on 2.4 GHz and some on 5 GHz at the same time - and they would all face a 1 to 4 second network outage every 2 minutes or so.

I’m already getting a new computer for Deep Learning, so it is a beefed-up computer. My motherboard has a single 1 Gig port, but I will get a 4-port NIC if I need.

So coming to my question, I intend to use Pop!_OS on my machine and make a bridged connection from my WAN port to a pfSense VM.

  1. Is it safe to expose my computer to internet like this?
  2. Will this work properly, considering pfSense will run in a VM?

People have done it, but I definitely recommend against it. The router should be on dedicated hardware whenever possible. Also not sure how this solves your WiFi problem.

1 Like

No. As said earlier, you’d be best off with a dedicated router/firewall device. A Raspberry Pi 4 would probably work (and gives you WiFi to boot!)

It’ll probably work, but it’s not the safest nor best solution.

If speed, security and/or reliability are important to you, ditch WiFi. Pull cables between the devices in your network and only connect wirelessly by mobile devices like phones or tablets. A bog-standard Gbit connection is many times faster, considerably more reliable and infinitely more secure than a wireless signal can ever be.

1 Like

My new computer will be wired directly to the ISP’s fiber. That won’t be a problem. Regarding WiFi, I’ll still use it for low priority work like watching videos on YouTube - where 1-4 second connection drop doesn’t mean anything.

A Raspberry Pi 4 would probably work (and gives you WiFi to boot!)

I do have an RPi 4 4GB but, realising WiFi is not as good, I don’t want to take any chances. And knowing USB is not stable enough for 24x7 operation, I don’t want to plug and unplug a USB to Ethernet adapter every time my machine faces a connectivity problem. If my Pi had 2 Ethernet ports, I would have gone the easier “route”. :stuck_out_tongue:

I’ll try to see if there are any old computers available, as there are security problems with exposing my computer like this on the internet. Do you have any recommendations for a cheap small form factor computer with x86 (as A64 is not yet supported) with dual gigabit ports? TIA!

Come to think of it, should I connect a dumb Ethernet hub to my RPi’s gigabit port and use it like that? Would you recommend that?

If you want to use the Pi as a router you will need to connect it to a managed switch and use VLANs to use the same Ethernet port for WAN and LAN. I’m not sure if pfSense supports ARM; it’s probably better to get a low power onboard CPU motherboard, either one with 2 LAN ports already or with at least one PCIe slot. Or, “router on a stick” like I mentioned before.

What is providing the WiFi in this setup?

Yeah, I would get that and pass the whole device to the VM. Get a 1’ Ethernet cable and plug it into your onboard NIC. That will help with some of the possible security issues with having a bridge touching WAN.

Still recommend not doing any of that though to be clear.

pfSense does work with ARM; Netgate sells a device that is ARM based.

You can get a managed switch and use VLANs to isolate WAN from LAN. Just make sure to test the isolation; I’ve bought some cheaper managed switches that say they do VLANs but don’t work right.

For an x86 pfSense system I bought a fitlet2. Not exactly cheap, but low power and small. 2 NICs standard, expandable to 4.

What is providing the WiFi in this setup?

The motherboard has built-in WiFi. Yes, I know it might/might not be crappy, but even if it is, I will still only need WiFi for streaming videos where I don’t care about the annoyances.

Still recommend not doing any of that though to be clear.

Yeah, I’m planning to get a “good” wireless router and get OpenWRT on it instead of a 200 watt pfSense machine /s

What I mean by pfSense doesn’t support ARM is that the RPi 4 is not officially supported yet. I tried looking for the fitlet2 but it’s a niche product in India and currently out of stock on amazon.in.

Also, I checked the pricing on fitlet2’s website and yeah, it ain’t cheap. :frowning:

What does a man gotta do for good home internet without paying for enterprise gear :pensive:

How many devices do you plan to connect at once? You can use a PC as a hotspot but the WiFi hardware isn’t the same as an access point. You can only have one or two devices connected at a time (so probably just your phone).

Yeah, that is not a problem. I’ll use my current potato router as a WiFi extender and connect it to one of the NIC ports of my computer.

1 Like

Have you considered something like a Ubiquiti USG? Run the controller software wherever it makes sense. Add a switch of your choice on the LAN side if you need more ports.

Using your plan to virtualize pfSense as a starting point, here are my thoughts:

  1. Don’t virtualize your main router. If your computer is down then so is your Internet. Use the KISS principle: Keep it simple. Have your router on its own dedicated hardware. If you’ve got a home lab type situation, sure, virtualize the pfSense instance that separates your home lab from the rest of your network.

  2. You need a setup that is inherently secure, to the extent that anything can be “inherently secure.” Because of that, I would absolutely avoid the “router on a stick” layout where you rely upon one Ethernet port on the routing device combined with a managed switch. For someone new to networking, it’s complex to configure properly.

  3. You’re new to networking. Just have a dedicated device with at least two Ethernet ports, WAN and LAN. Again: KISS.

  4. You were going to virtualize pfSense, so the obvious thing to suggest is to run pfSense on dedicated hardware.

  5. There is an ARM version of pfSense that Netgate uses in their model 1100 router. But it is not publicly available. So running it on a Raspberry Pi is out. It’s got to be Intel or AMD.

  6. For routing you don’t need much processing power. There are a bunch of boards with embedded CPUs available. Or use any old PC you have lying around to start.

  7. Also popular, and what I have done, is using an HP T620 Plus thin client. Specifically the “Plus” version, because it has a PCIe slot where you can pop in one of the Ethernet cards that are on the pfSense compatibility list.

  8. They’re old enough that they are relatively affordable on eBay (see below), and new enough that they have enough processing power to route a 1 gig connection at almost full line speed if you’re not using processor intensive plugins.

  9. They have a four core AMD CPU, and use around 15-17 watts under load with a four port Intel Ethernet card installed.

  10. You can find them used on eBay, typically with 4GB RAM, and a 16GB SATA SSD, both of which are quite sufficient. Often with a four port Intel Ethernet card already installed. A year ago you could pick one up for about $100 USD. Right now they’re closing in on double that price.

  11. pfSense doesn’t like Realtek Ethernet ports. You need Intel NICs. See the compatibility list.

  12. I had one of those TP-Link Archer C20 wireless routers. I live in a wifi jungle and it couldn’t handle it. I bought a Unifi AC/LR and that put an end to my wifi problems. You don’t need the more expensive AC Pro. You probably don’t need an AC/LR. The cheaper AC Lite would likely be just fine.

  13. Buy a switch. If you like when things work together seamlessly, buy a Unifi switch. It’s a managed switch and is run from the same software controller as the Unifi WiFi access points.

  14. If you don’t need a managed switch, go on Amazon and buy the cheapest switch with enough ports for what you’re planning from any brand you recognize.

  15. Since you were already planning to use pfSense, I would strongly urge against buying a Unifi router. The configuration via the GUI is extremely limited compared to pfSense and you’ll regret buying it.

I came to these conclusions after four years of buying lesser stuff to “save money.” I would have saved a lot of money if I’d just bought this to begin with.

YMMV

3 Likes

For the moment, I’ve got a Linksys EA7500 as a temporary solution. It cost me around 10,000 INR (around 137 USD) incl. of taxes and, considering the pricing, the stupid box doesn’t even have QoS. The 30 USD Archer C20 had it. But it manages itself under heavy load and that is the only thing I want it to do. I’ve hooked up the C20 (with OpenWRT) where I need to use QoS and it works very well.

Anyways, I am planning on upgrading to 10 gig for my home network soon (as soon as I get a reasonably priced 10-gig switch), and will try your solution out.

I’ll probably get a “dedicated” pfSense router once I make my home lab big enough. Thanks for the advice :’)