Home networking pfsense & vm host

Hello LevelOne community. I have begun researching for a future build and am looking for recommendations or insight into a few things I am new to.
-the wants
I want to have my own router, something like pfsense.
I want something like pihole.
I want network storage.
The ability to run some remote linux distro for whatever reason.

-the problem
As a 20-something-year-old with a second baby on the way, this has to be on the tightest budget. No more than $400, though less is always better.

What I assume so far: with this budget it has to be a single machine, and all my wants will have to be virtualized. This is where I reach unfamiliar territory. I have come across Proxmox; it looks perfect at the $0 price point. I ask the community for guidance here. Will I run into issues running virtual machines for routing, DNS server, NAS, and random virtual machines? I don’t know if I’ll add storage capacity in the future or not. Any NICs that work better than others?

As far as I know I’m looking for the highest core count CPU that supports virtualization at a low cost. cough… Ryzen cough… RAM speed is not an issue, so I’m looking to go cheaper on that. ECC??? HDDs win at GB/$, but I don’t need a lot of storage, around 2 to 4TB with some redundancy. I might anger some people but here goes: 1Gb network speed is fine.

Also wondering if anyone has used air filters to keep dust down.

Thanks for any advice.

  1. Don’t put all your eggs in one basket.

  2. Don’t virtualize pfsense, unless you reeeally know what you are doing; it’s not a fun experience.

  3. PiHole runs best on a raspberry Pi, or Pi Zero

  4. NAS - There are about a million different ways that you can do something like this. Best is to find a good used office workstation that supports multiple drives; in your budget range you’ll probably have to forget about hotswap bays, but that’s not too big of a deal.

  5. If you are still dead set on having it all in one machine for the sake of space saving then Ryzen is a great platform to build off of. You can build a great machine for $500 if you are going to avoid gaming on it.

Here’s a quick thrown together template to go off of, the motherboard can definitely be changed for something cheaper, but make sure it has enough SATA ports for adding drives later.

https://pcpartpicker.com/list/xmGcb8

I would highly recommend looking at old Xeon towers though. Great CPUs, a beefy solid metal case with plenty of drive options, and the motherboard has all the ports you need. Something like this can hold up to 5 drives and has plenty of horsepower.

Dell Precision T5500

(At my last job we used one of these up until this year as a backup for a financial system running on a vendor managed box that always crashed. Very reliable)

Thanks for a quick response. The pcparts list is similar to what I have been looking at myself. Assuming I were to go with VMs, what would the B450 chipset offer over a cheaper one?

I am running pihole on a Pi at the moment. It’s fantastic, it’s the right amount of power for the task, but coincidentally I just replaced the SD card 2 days ago. The first card just died. I have a few other Pis and they are replacements themselves. They are fun but not as reliable as I’d like for a 24/7 machine.

Like I said, this is new territory and I think I’d still like to run all of this on one machine. If pfsense is a pain to run virtual is there an alternative, like freebsd? I still would have my consumer router to fall back on.

Lastly, how much longer could I trust a used T5500 to last me?

Chipsets don’t really matter all that much tbh, they all support virtualization. You can go cheaper if you like or go Intel, if you want virtualization all you want is good core count with decent power and that CPU was the first I saw that did it.

As for Pfsense it can do everything a pihole does and way more. It’s got a robust firewall that you can go as in depth as you like as far as filtering and blocking, so I’d say you don’t need it at all if you have a pfsense.

The only real benefit is the updated community whitelist/blacklist but there are tons of those around.

And the T5500, I can’t really say, I’ve never really seen a dead one in my life they just kind of keep going on forever. I’d say bet on at least a few years of function, but I still have one in my closet I bought 4 years ago that won’t die.

You don’t have to get one through eBay if it sketches you out; you can find others in better places.

I have really only looked at pfsense and freebsd; any other OSes to look at that can run on consumer hardware? And NIC recommendations? Do I really need an expensive Intel NIC?

pfsense is really the way to go, and no you don’t have to buy an Intel nic.

Something like this works fine https://www.amazon.com/StarTech-com-Express-Gigabit-Adapter-Network/dp/B00E4KZDJ0/ref=sxin_3_ac_d_pm?ac_md=1-0-VW5kZXIgJDIw-ac_d_pm&keywords=gigabit+nic&pd_rd_i=B00E4KZDJ0&pd_rd_r=5df6ce9e-1cde-45e4-a697-91d88f5080ad&pd_rd_w=9aOLz&pd_rd_wg=uAWcj&pf_rd_p=24d053a8-30a1-4822-a2ff-4d1ab2b984fc&pf_rd_r=EFEMK6HT29HNRJJWPZ2C&psc=1&qid=1574781530

Thanks for the advice. I still would rather have one machine. Pfsense seems to take care of all but 2 of my wants, network storage and random vm instances.

If you have time, invest it in research on proxmox. I've tested all except pfsense on it; it works flawlessly. Also it doesn't require a high-spec machine to run on.

Also just throwing in, you don’t really need pihole if you have pfSense. Just use pfBlockerNG (I think that’s the name? It’s been a while).


I like the idea of a quiet system, one of the reasons I’d like to invest in relatively new hardware; that is, efficiency is important. I feel confident in my knowledge of what hardware is available, but these systems, proxmox and pfsense, not so much. An important consideration I have pushing this project is to get control of my data. I’d like to lower the amount of consumer hardware with proprietary code running on it. I want to add more privacy and security to my home network and anonymize my connection to the internet.

My only fear is the hardware passthrough, a single port router is not much of a router. Maybe I just need to deal with it and get a test machine.

Why not put in more Ethernet cards? Also wifi.

I meant to say, I am concerned about the NIC hardware passthrough from proxmox to the pfsense VM. I occasionally come across people troubleshooting a pfsense VM not using or seeing the NIC the host is trying to pass, if that makes sense.

Maybe I should just get a cheap low spec machine to test on

Don’t do it. It’s a pain in the ass. Get something that manages your internet separately. And if the money isn’t there for that, stick to what you have now.

The first time your host machine needs an update, everything will stop and you’re deadlocked.

Well if the meme says so…

So are there any pfsense “addons” to look for?
Can it encrypt all the traffic?

Anything https is encrypted anyway, that is most of the internet these days.

PFSense has a pretty long list of stuff you can add. You can totally spin it up in a VM to take a look; I just wouldn’t want to deal with it on a daily basis.

Also take a look at IPFire, not as feature rich but linux and … feels less corporate.

That was a silly question, just rambling thoughts down. I know I should definitely pair this with a VPN; any recommendations on that front? I hear that Private Internet Access does not keep logs.

Unfortunately not everyone is up to https.

Just weighing in on the virtualizing PFSense thing: I’ve been doing it for years, never had a problem aside from having to rig up a substitute if I ever need to do maintenance that requires turning off the host box for more than a reboot.

This doesn’t make sense to me. Your host should be able to run its update, then reboot (if necessary), and the only internet outage will be during the reboot.


I think OP was referring to virtualizing through a desktop Linux or Hyper-V as opposed to esxi or proxmox which shouldn’t ever really cause problems due to updates.

In terms of efficiency, you could just install any Linux distro, e.g. Debian, and have it do routing/nas/pihole/… 1 core and 1G RAM would be plenty for that (a bit sad, but it’ll work fine).

No docker or VMs are necessary to use a single system for multiple purposes, and you don’t need to worry about performance loss due to virtualization or spending money on fancy network cards (due to freebsd having poor driver support). It’s really cheap and efficient.

e.g. it’s not that hard to enable nat for ipv4

sysctl -w net.ipv4.ip_forward=1   # the kernel must forward between interfaces before NAT does anything
iptables -t nat -A POSTROUTING -o <my_eth_wan> -j MASQUERADE   # MASQUERADE is only valid in the nat table's POSTROUTING chain, not OUTPUT

or to enable a connection tracking firewall so that services on your server host are firewalled from the internet by default:

# track new connections started by this host or by the lan (forwarded lan->wan)
iptables -A OUTPUT -o <my_eth_wan> -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i <my_eth_lan> -o <my_eth_wan> -m conntrack --ctstate NEW -j ACCEPT
# accept replies belonging to tracked connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# accept all localhost and lan stuff regardless of tracking (Linux loopback is "lo", not "lo0")
iptables -A INPUT -i <my_eth_lan> -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# drop everything else by default (set the policies last so the ACCEPT rules are already in place)
iptables -P INPUT DROP
iptables -P FORWARD DROP

You don’t need to learn pfSense or proxmox or docker or any of that stuff really - it’s not always easier to help yourself by using extra things.