Future Proof pfSense Router Build

Hi guys, so I recently watched the L1Tech video on pfSense routers, and that along with the recent privacy law changes have inspired me to protect myself. However, I do not have any spare or surplus hardware at home, and after researching some of the "out of the box" solutions (from pfSense or other bare bone style systems), I have decided it would be a fun project to build my own. This is particularly relevant, because I would like to build a router that I can have for years to come (that will easily support a true gigabit connection). I am hoping you all can help me with some advice.

My goals are explicitly to:
* Learn networking fundamentals
* Build a router myself (for fun and great justice!)
* Insulate my network traffic from my snoopy ISP
* Have a future proof device that can support gigabit (I left Austin, TX, recently and I miss my fiber dearly)

My build list is primarily looking to be future proof, thus keeping with this chart (https://www.pfsense.org/hardware/):
* 10-20 Mbps: We recommend a modern (less than 4 year old) Intel or AMD CPU clocked at at least 500 MHz.
* 21-100 Mbps: We recommend a modern 1.0 GHz Intel or AMD CPU.
* 101-500 Mbps: No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters.
* 501+ Mbps: Multiple cores at > 2.0 GHz are required. Server class hardware with PCI-e network adapters.

Here are three approaches to the build:
MAXIMUM - $670
https://pcpartpicker.com/user/Kesl_Vrys/saved/GsdWZL (not all of the actual parts shown on the list)
$205 - Intel Core i5-6500 3.2GHz Quad-Core Processor
$20 - be quiet! Pure Rock Slim 35.1 CFM CPU Cooler
$80 - ASRock H170M-ITX/DL Mini ITX LGA1151 Motherboard
$100 - G.Skill FORTIS 16GB (2 x 8GB) DDR4-2133 Memory
$55 - Plextor M6M 64GB mSATA Solid State Drive
$65 - Corsair Obsidian 250D Mini ITX Case
$100 - Corsair RMx 550W 80+ Gold Certified Fully-Modular ATX Power Supply
$45 - I350-T4 PCI-Express PCI-E Four RJ45 Gigabit Ports Server Adapter NIC

Obviously, with this approach I would be doing much more than just running pfSense. This box would likely be virtualized and broken apart by cores, likely splitting it in half so 2x cores for pfSense and 2x cores for a web server or maybe a home media server/file server. Something along those lines.

MEDIUM - $440
https://pcpartpicker.com/user/Kesl_Vrys/saved/HhCcf7 (not all of the actual parts shown on the list)
$60 - Intel Pentium G4400 Skylake Dual-Core 3.3 GHz
$20 - be quiet! Pure Rock Slim 35.1 CFM CPU Cooler
$80 - ASRock H170M-ITX/DL Mini ITX LGA1151 Motherboard
$55 - Crucial 8GB (2 x 4GB) 288-Pin DDR4 SDRAM DDR4 2133
$55 - Plextor M6M 64GB mSATA Solid State Drive
$65 - Corsair Obsidian 250D Mini ITX Case
$60 - SeaSonic SSR-360GP 360W ATX12V v2.31 80 PLUS GOLD
$45 - I350-T4 PCI-Express PCI-E Four RJ45 Gigabit Ports Server Adapter NIC

This is the middle of the ground approach, not optimizing for performance or function or cost, but instead trying to be in the middle of both. Honestly, I dislike this approach generally. I feel like you should go one way or the other and just 'own' that choice, instead of trying to ride in the middle.

AFFORDABLE - $250
$170 - APU3a4 Board - https://www.pcengines.ch/apu3a4.htm
* AMD GX-412TC CPU - 4x cores @ 1.2 GHz
* 4 GB DDR3-1333 DRAM
* 3 i211AT LAN
$55 - mSATA Kingston SMS200S3/60G
$15 - case1d2-U BLK Enclosure
$10 - 15v/1.2A 18W AC-DC Power Adapter

This is optimized for cost, but a key question remains for me. Could this push a gigabit connection (true fiber) for a home network with 3-4 boxes on it? If it can, then I think this is clearly the choice as all the future proofing I will ever need is already there. If it cannot, then I am prone to go with the MAXIMUM choice.

Which one would you go with? Why? Would affordable be sufficient for pushing a true gigabit connection?

Thank you for your help and input!

Buy a surplus workstation a business or entity is selling that has an i3 or something in it. You can drop a second NIC in it and it'll last you forever. I'm using something similar to your "maximum" build with ESXi hosting my PFSense + my file server and it's more than enough for my 80 Mbps internet. I have no doubt it'll hold up to gigabit with 3ish virtual cores and 8 gigs of ram.

I picked up an old Dell Optiplex with an i5 for very little.
Added 8 GB of DDR3, a 120 GB SSD and an Intel dual Gb NIC.
It already had an onboard Intel NIC for the inbound and I have used link aggregation to my switch with the other two.

There is another PCI slot left for a 10 GbE card when I add a 10 GbE switch to the lab, and more than enough horses/RAM/CPU to drive a ton of pfSense.

Wait a bit for Ryzen 3. Those chips might be pretty powerful, cheap and energy efficient. Also Ryzen supports ECC. Other than that, used stuff is a great option, as mentioned.


Get a Krups Coffee Grinder and a 1981 DMC-12 and go to the year 2045. They should have a shitload of cheap-ass Dell computers from the year 2030 at your local thrift store or recycling center.

Unless you are planning to run multiple, concurrent VPN connections into your router, go to the local Goodwill store and buy a $20 5-year-old machine that has an open PCIe slot. Buy a genuine Intel 4-port gigabit NIC and stick it in there and Bob's your uncle. If you do have big VPN plans, make sure that the CPU in that $20 machine has support for AES-NI. You can then spend the leftover $$$ on a proper server that does groovy server things.

I have 8 GB of RAM in my pfSense box, which is running Snort and a few other things, and it only uses ~10% of the available RAM. Many pfSense boxes are based on 600 MHz SoCs, which is more than adequate for a SOHO scenario. While I would not want to wager that a 600 MHz SoC could keep up with a fiber connection, the answer isn't a 3.2 GHz quad core i5, unless you're the kind of guy who lights his cigars with fifty dollar bills. $20 will buy you a cheap education, and in the VERY unlikely event that the used machine is incapable of doing what you need, you still get to keep the $20 education and the Intel NIC. Once you have a box deployed and you can measure its performance in your environment, you will have a much better idea of whether or not it is truly necessary to spend nearly $700 on a firewall, or if spending that money on a groovy new server wouldn't be much more fun and interesting.

While you can virtualize pfSense I am of the old school when it comes to a security device. It should be wholly dedicated to the task at hand and as minimal (in terms of running services - AKA attack vectors) as possible. A virtualized install would be fine as a learning tool, or for an internal deployment, but I would not have it externally facing. That's just me and if you disagree, that doesn't make you (or me) a bad person ... just different.

I usually recommend this series of vids to the new pfSense user.


^
|
|
|

This. The hardware requirements on the pfSense page have not changed in forever. The 2 GHz requirement should be read as: your Pentium 4 should have at least 2 GHz.


I'd get an AMD Ryzen 5 1600; it might be $10 more expensive, but you get 6c/12t compared to 4c/4t.

Oh, did I mention this?

So I am running an APU2C4… basically identical specs as the APU3…

I just got the ATT fiber to the house… 1 gig down, 1 gig up… running it parallel with Comcast 200 down / 12 up so I can test the fiber with iperf, etc… speedtest.net is a joke, but at least it’s a number to use for comparison…

Overall the APU2 (APU3) cannot keep up… if I run direct… no firewall in place, into a Dell Opti 9010, Intel i5 with 8 gig DDR3-1333, I can get, during non-peak hours, 950-970 Mbit down and 930 Mbit up…
Performing the same test on a Dell E6430, i7, DDR3… etc… I can get 750 to 785 Mbit during peak hours…

As soon as I plug in the APU2C4 inline… etc… etc… standard config…
I get consistent 575 to 580 Mbit down, and 570 up… pretty consistently over the last 5 days…

So much so… that I thought that the fiber had issues… additionally, I have changed out the modem 3 different times… ATT is sick of coming to my house… it’s only been 6 days, and they have been here 3 times for about 20 hours… all troubleshooting… btw… I use IP-Passthrough on their router as well and disable all of their settings… I told them I just want RAW internet…

Anyway… I am going to run with it for now… as it fits inside my 28" DirectConnect Residential cabinet built into the wall in the 3rd bedroom closet… I really don’t wanna stuff a big machine in there to replace it at the moment… then have to figure out a heat issue in such a tight space… PC Engines at least has that going right… low power… low heat…
I like your list a lot, but I am not impressed that PC Engines didn’t improve the processor on their new APU3 model… kinda disappointed… I like that it runs 2.4.2_1 64 bit and has the AES-NI encryption built into it… all turned off during testing… but at least it’s there… if you are running less than 600 Mbit/s, PC Engines will work fine…

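The post above answers the OP's "can the affordable box push gigabit?" question the only reliable way: by measuring the same iperf path with and without the firewall inline. The script below is an added example, not code from the thread or from pfSense: it parses the JSON that `iperf3 -c <server> -J` prints (the receiver-side `end.sum_received.bits_per_second` field) for several direct and several inline runs and reports how much of the direct-path throughput survives. The two sets of JSON samples are constructed to mirror the numbers reported in the post (about 955 Mbit/s direct, about 577 Mbit/s through the APU2C4); the 10% tolerance is an assumed threshold.

```python
"""Compare iperf3 throughput with and without a firewall inline.

Reads iperf3 -J output (real field: end.sum_received.bits_per_second)
and reports the fraction of direct-path throughput retained when the
firewall sits in the path. Run files can be passed on the command line;
without arguments the constructed samples below are used.
"""
import json
import sys
from statistics import mean

# Constructed iperf3 -J output, trimmed to the one field this script reads.
# Values mirror the forum post: ~955 Mbit/s direct, ~577 Mbit/s inline.
DIRECT_RUNS = [
    '{"end": {"sum_received": {"bits_per_second": 9.6e8}}}',
    '{"end": {"sum_received": {"bits_per_second": 9.5e8}}}',
]
INLINE_RUNS = [
    '{"end": {"sum_received": {"bits_per_second": 5.8e8}}}',
    '{"end": {"sum_received": {"bits_per_second": 5.75e8}}}',
]


def mbit_per_run(json_runs):
    """Receiver-side throughput in Mbit/s for each iperf3 JSON report."""
    rates = []
    for raw in json_runs:
        report = json.loads(raw)
        bps = report["end"]["sum_received"]["bits_per_second"]
        rates.append(bps / 1e6)
    return rates


def firewall_penalty(direct_runs, inline_runs):
    """Return (mean direct Mbit/s, mean inline Mbit/s, fraction retained)."""
    direct = mean(mbit_per_run(direct_runs))
    inline = mean(mbit_per_run(inline_runs))
    return direct, inline, inline / direct


def is_bottleneck(direct_runs, inline_runs, tolerance=0.10):
    """True when the inline path loses more than `tolerance` of direct throughput."""
    _, _, retained = firewall_penalty(direct_runs, inline_runs)
    return retained < 1.0 - tolerance


def load_runs(paths):
    """Read saved `iperf3 -J` reports from disk, one report per file."""
    return [open(p, encoding="utf-8").read() for p in paths]


if __name__ == "__main__":
    # Usage: script.py direct1.json,direct2.json inline1.json,inline2.json
    if len(sys.argv) == 3:
        DIRECT_RUNS = load_runs(sys.argv[1].split(","))
        INLINE_RUNS = load_runs(sys.argv[2].split(","))
    d, i, r = firewall_penalty(DIRECT_RUNS, INLINE_RUNS)
    print(f"direct {d:.0f} Mbit/s, inline {i:.0f} Mbit/s, retained {r:.0%}")
    print("firewall is the bottleneck" if is_bottleneck(DIRECT_RUNS, INLINE_RUNS)
          else "firewall keeps up")
```

Run each iperf3 test during the same off-peak window on both paths, as the post does, or the comparison measures the ISP's congestion rather than the firewall.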

9 months later necro. Thread is locked.