Overkill router (pfSense)

Hi all, so I will start off by saying sorry for spelling and grammar issues, I am dyslexic.

Now I am wanting to build a pfSense router, but I want to have a minimum of 25% more overhead than I need (future use), and if at all possible I would like an AMD CPU (just prefer AMD over Intel), and want to know what you recommend.

So I have 2 1gb internet connections and 1 1.4gb connection.
I use a 25gb backbone for my network.
I plan to run full IDS and IPS services all the time.
I plan to use pfSense as a caching server too.
And there will be approx. 8 VPN connections (3 continuous use, the rest intermittent use).
I want to build this into a 1U case, so it would be nice to have a low power CPU for a smaller heatsink.

Any questions, just ask.

1 Like

What kind of VPN performance do you want / require?

On two of the permanent connections 1gb.
On another permanent connection a minimum of 600mb.
The rest, anything over 100mb is nice.

@midnight1, I have a suggestion. Have you considered purchasing a Netgate appliance instead of building your own Pfsense router? I know you prefer AMD over Intel, but I thought two suggestions I am going to make might better suit your use case.

I recommend the Netgate 8200 or the 8300 for your use case; the Netgate appliance I have was replaced with the current Netgate 6100, which is identical, except the Netgate 6100 has 10-gigabit NICs while mine only has 1-gigabit NICs. I have been delighted with my unit, and even though it is old, I don’t have plans to replace my Netgate appliance until I build my new house. I know both Netgate units I recommend are pricey. I don’t think you could create a Pfsense router yourself any cheaper, considering what Netgate offers in their units.

Hi @midnight1, I just came across this video by @wendell in which he fixes a used 1U router that might work for you if you want to create a Pfsense router. He doesn’t recommend doing this fix for production, but it would make a good home lab router. The only drawbacks are that doing this fix will turn off many of the IPMI functions, and you have to be handy with electronics, which I am not. But for 50 to 200 dollars on the used market, it might be worth it.

2 Likes

This is a shameless plug for my for sale listing. Feel free to remove it if it is in bad taste, or let me know and I’ll delete this post.

Welcome to the forum!

1st, you’ve got a baller home internet (3 even!) and an even baller core backbone.

2nd, I sure hope you only plan on running the IDS / IPS on the WAN only, because on 25G, I doubt you’ll get anything fast enough to keep up with that kind of traffic pushed to the limits (not to mention the latency).

I’d say to just go for the latest 6 core ryzen you can find and if you want to make double sure the thing is going to keep up, get the X variant, the one with the higher clocks, power consumption be damned!

Don’t install pfsense, go for pure FreeBSD. You’ll thank me later. Make sure to find gigabit or multi-gig NICs that are supported by freebsd. Not to mention the 25G one for the LAN connection. If you have the NICs and they’re not compatible with freebsd, they won’t be with pfsense, go for linux (I’d say debian).

That’s going to be tough, if you plan to DIY it. Make it at least 2U (it’s also easier to find 2U cases).

And if you want the IPS to keep up with the traffic, you need a decent performing CPU, unless you are ready to take a penalty on the WAN, or only analyze certain traffic.

Otherwise, find any 1U server with a lower TDP EPYC, like maybe a 65W or 130W, with not too many cores, but cores that boost high, or just buy an appliance.

That’s a good server with not a huge power draw, but that Skylake Xeon is ancient by today’s standards (almost 10 years old). IDK if it’s going to keep up with the IPS. It is decent for other stuff, it can certainly do virtualization and normal gigabit and multi-gigabit (and 10G) without IPS just fine (probably even idle most of the time).

IDK, IDS / IPS stuff is where I lack knowledge. It’s been years since I tried to run snort and a 4 core VM was going full tilt on a single core (to be fair, it was on a test LAN and the VM was on an ancient xeon something v2, I think it was ivy bridge). Never tried suricata (which is supposed to be multi-threaded).

2 Likes

Someone needs to buy the psfence domain and make a program level firewall for FreeBSD, kinda like Open Snitch.

@ThatGuyB, what are your reasons for preferring FreeBSD over Pfsense?

You will want something with a high core speed for gigabit VPN.

I prefer OpenBSD, but for routers that gotta go fast, FreeBSD has better / more performing drivers.

The reason I prefer a pure freebsd base is because pfsense holds your hand to a really bad degree (particularly for ipv6 - last I tried, a few years ago, it had some insane rules that go against IEEE standards, like blocking some ICMPv6 traffic that IEEE said should be open, IIRC) and, more importantly, because pfsense is buggy AF.

One of my previous employers was running pfsense and the router kept breaking. They had backups, but they got so pissed, they switched to Fortigate (:face_vomiting:). And in my own router, with no additional fancy packages or anything, basically as close to pure pfsense as you can get, a major upgrade broke the GUI and I wasn’t able to fix it.

I always updated through SSH in that Update menu (because updating through the WebGUI, guess what, was also buggy!). The original version I had was 2.4. I only upgraded through the GUI once or twice and when I saw the upgrade got interrupted in the middle, I stopped using the GUI upgrade and only upgraded via SSH through the pfsense provided upgrade menu.

Pfsense broke from 2.5 or 2.6 to either → 2.6 or 2.7, I don’t remember. I never had a broken upgrade in the CLI, but after a reboot, I was prompted by a blank web page. All my services like openvpn and the pf rules work flawlessly, but that’s thanks to the awesome freebsd backend, as the pfsense web server (probably some php pages) are toast.

I can still update via SSH just fine, but I can’t change anything in the pfsense GUI (because the web interface is broken, duh!). I don’t know if I can just change stuff on the command line, I never tried messing with packages or configurations in CLI (mostly because idk how pfsense works, like if it has some config file that always loads the saved configs during reboot, or what).

I can’t migrate it, because the server is over the pond. I could ask a family member there to slap a USB stick in a laptop to make a freebsd or openbsd installer and insert it in the server, but I’d need to literally guide them on how to install it and how to configure a VPN so I can connect to it. Which is not something I want to even deal with.

And yes, I tried the troubleshooting / repair section instructions, none worked. Which I assume would be because of the broken php configs, which do not get overwritten by the repo version (note: I never touched the web server files, in fact, the server has been running without any package or configuration change for at least 2 years, then borked itself after an upgrade).


tl;dr it’s full of bugs, don’t use pfsense. I think opnsense would be on-par on that. When it’s fresh installed, it works fine, but if you upgrade and something goes wrong, you’re SOL.

You don’t want this

I remember Lawrence from Lawrence Systems saying you could make changes from the command line of Pfsense, but you need to know how FreeBSD and Pfsense work. What I can’t understand is why Lawrence recommends Pfsense to his customers if it is so buggy. I know why Lawrence recommends Pfsense to justify his services.

I have never heard anyone complain about Pfsense being a buggy mess before. @Dexter_Kane, what has your experience been with Pfsense like? My experience with Pfsense hasn’t been the same as @ThatGuyB’s, but I haven’t tried setting up Pfsense’s IPv6 network stack. Other than setting up my VLANs and configuring Pfsense to route my layer 2 switch’s traffic, I have left Pfsense on autopilot.

I’ve been running it for at least 10 years, probably longer, and it’s been pretty solid. I’ve had the occasional quirk but nothing too bad. I’ve never experienced a broken update, but like anything you should do a config backup just in case something goes wrong and you need to do a fresh install.

2 Likes

I have always done backups, especially before an upgrade of Pfsense.

1 Like
Thread hijacking, complaining about pfsense

IDK what problems my previous employer had, as I didn’t manage their pfsense routers, but theirs was something to do with stability and having to reboot the router. They even planned that on a schedule, before switching platforms.

My problem is this.

I used to not have an issue with the upgrade, but now, even the upgrade seems to be broken. It’s been sitting there for 5 minutes, doing nothing.

Here’s what I get from pkg update.

[screenshot of the pkg update output]

Again, at this point, I’d take freebsd over pfsense any day. Maybe I am among the few unlucky ones. Again, I’ve had this since 2.4 and upgraded flawlessly until 2.6 or 2.7 (via option 13 in ssh, because the web update was hanging early on).

As you can tell, I still have access to the shell via SSH. My OpenVPN service is still working flawlessly. So is DNS forwarding and DHCP.

I was thinking if there’s any way to convert the system from pfsense to freebsd directly, with maybe just a reboot required and I found this beauty.
PF - Converting pfSense router to stock FreeBSD | The FreeBSD Forums

Read through the rules and write your own based on them, don’t use them directly. PfSense uses automatically generated rules that may have some pitfalls if you’re not careful.

So it mirrors what I was saying about implicit pfsense rules (hand-holding).

Sadly, I’d just have to suck it up and learn how everything works in freebsd, if I want to migrate my vpn and firewall setup. Which, hey, I’d probably do if I had the time, but for now, I’ll just keep using this broken pfsense box until either it’s dead, or I manage to send a Pi-KVM there to do work remotely.
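As an added illustration of the "write your own rules based on them" advice quoted above (this is not from the thread, from the linked FreeBSD forum post, or from pfSense's generated ruleset), here is a small hand-written pf.conf for a stock FreeBSD router with a WAN, a LAN and an OpenVPN tunnel. Interface names (igb0, mce0, tun0), the address ranges and the VPN port are assumptions chosen for the example; IPv6 is left out entirely so that the ICMPv6 question raised earlier in the thread has to be handled deliberately rather than copied:

```pf
# Added example pf.conf (not pfSense's auto-generated rules). All interface
# names, address ranges and ports below are assumptions for illustration.
ext_if   = "igb0"          # assumed WAN interface
int_if   = "mce0"          # assumed 25G LAN interface
vpn_if   = "tun0"          # assumed OpenVPN tunnel interface
lan_net  = "10.10.0.0/16"  # constructed LAN range
vpn_net  = "10.8.0.0/24"   # constructed OpenVPN client range
vpn_port = "1194"          # assumed OpenVPN UDP port

# Private and otherwise invalid source ranges that must never arrive on the WAN
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 }

set skip on lo0
set block-policy drop            # silently drop rather than send RST/unreach
scrub in all fragment reassemble # normalise fragments before filtering

# Source NAT for LAN and VPN clients leaving through the WAN
nat on $ext_if inet from { $lan_net, $vpn_net } to any -> ($ext_if)

# Default deny in both directions, logged; every allow below is explicit
block log all

# Spoofed sources on the WAN and address spoofing on any interface
block in quick on $ext_if from <bogons> to any
antispoof log quick for { $ext_if, $int_if }

# The only services the WAN may reach: the VPN and the ICMP types that keep
# path MTU discovery and basic reachability working
pass in on $ext_if inet proto udp from any to ($ext_if) port $vpn_port keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type { echoreq, unreach } keep state

# LAN and VPN clients may originate traffic; the state entry admits replies
pass in on $int_if inet from $lan_net to any keep state
pass in on $vpn_if inet from $vpn_net to any keep state

# Traffic the router forwards or originates may leave on each interface
pass out on $ext_if inet from any to any keep state
pass out on $int_if inet from any to $lan_net keep state
pass out on $vpn_if inet from any to $vpn_net keep state
```

Before replacing anything, dump the ruleset the existing box actually runs with `pfctl -sr` so you can see which implicit rules you depend on, then syntax-check the new file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. The point of the default `block log all` plus explicit passes is the same one the quoted forum post makes: nothing reaches the router or the LAN because a generated rule happened to allow it, and the log shows what the policy is dropping.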

Yeah I’d recommend keeping the cache on a remote server, unless you’re ok with breaking HTTPS and making your router function as a man-in-the-middle attack

Not to go too far off subject, but why not OP try running Ubuntu Server with autoupdates/auto reboots and the necessary packages?

Save KVM for other projects on the machine like FreeNAS

I find that the further you deviate from upstream the slower the updates are and the more vulnerable your machine is

I could be wrong though, this is just what I would do

1 Like

There are more issues with pfSense that aren’t technical. The dev team has made some questionable decisions, including actively slandering a forked project, OPNsense, with a spoof website that was squatting on the opnsense.org domain (still to be found on archive.org; warning, not a direct link, and very NSFW should you decide to search for it). Lawyers had to get involved to free up the domain.

There’s been more stories of (publicly) unprofessional behaviour (to put it mildly) since, but none quite as egregious (thankfully), including how they handled the introduction of Wireguard into pfSense.

There’s also been shenanigans when they introduced the “Plus” version on top of the “CE” etc. In general I’d do some research into pfSense and its behaviour before deciding to support them.

Personally I’d either go OpenBSD, FreeBSD, or OPNsense, if I had to start over. Indeed, migrating off of pfSense to OpenBSD has been something of a very, very slow-burn project I started when I was first confronted with the company’s past behaviour.

3 Likes

Oh yeah, that was a sh*tshow, I remember that.

I will bring up the point I always make. Companies aren't interested in making a product useful to them, but they try to come up with products you want to buy.

And there’s all kind of marketing gimmicks, like free samples for cheese, or bundling one “free” for the price of 2 or 3, or bundling toys, or in the case of software, making the core open source to attract a following and potentially, eventually, those would become customers, or would do word-of-mouth marketing and have customers buy their products.

FOSS, at its roots, is a work of something like: hey, I needed a piece of software that does X. I made this, here, have some too, hopefully people won’t have to go through duplicating this effort - if it sucks to you, don’t use it, if you think it can be improved, go for it.

And these kinds of projects usually have a decent quality. They’re simple, yet effective. So what happens when corporations try to build software? They try to cater to a market, like say, idk, car manufacturing. I don’t think all the car manufacturers would be doing their own in-house software to track and manage, say, supply chain. They might be doing their own tooling, but not always their own software, that’s expensive.

So what do they do? They go buy SAP products. And do you think SAP uses their own databases for themselves? No, they just thought of an idea of how to make money and started making the software.

Let’s take a more prominent example: linux and windows, or rather, DOS. Microsoft wanted to sell an OS for the PC and get royalties from IBM (PC-DOS) to make money. Linux was the fruit of a geek’s labor, which, initially not permitted for commercial redistribution (still free for personal use basically), shortly became FOSS, free for anyone to use. Combined with other FOSS, the GNU components, Linux became a fully fledged OS.

From that, we can compare what Linus did to what MS did. One was trying to make the best OS he could, not caring about money. The other bought an OS from someone to sell it, catering to a market.

And we can see how each evolved over the years. Windows is a popular success on PCs to this day, while its quality is really lacking. Linux is great quality (rock solid stability), but not a huge success with consumers. Funnily enough, Linux became the #1 OS used on servers, probably because server farms wanted to avoid having to pay exorbitant licenses to microsoft, but we know now that linux for servers is a no-brainer (maybe unless you want to run a BSD).

But even the quality of programs on each platform is different. Take Adobe products and GIMP. By quality, I don’t mean the amount of features, but how the code is written. Just like MS, Adobe tried to cater to a market, they aren’t using their own programs, they just sell it. How many times have people complained about Adobe products crashing and them losing their projects (and how many had this happen and didn’t complain online about it)?

On the other hand, GIMP was made by people who wanted to edit their own images and released to the public. GTK came out of the GIMP project (yes, that GTK that GNOME Shell, Mate and XFCE use, among many other linux programs). And GIMP can run on a potato (albeit slowly, but runs).

Most of the problems with linux people have fall in one of these categories: I don’t want to learn a new thing / IDK how to do this on linux, FOSS X doesn’t do enough of what proprietary software Y does, or I don’t have drivers. None of these are the fault of the FOSS ecosystem. You might sometimes get weird localized ecosystem faults, like dependency hell, or a piece of software crashing because arch just pushes bleeding edge packages to people. In other situations, you might get an OS crash, which is usually because the distributions did something stupid, in a really bad way.

But the overall quality of free software is higher than proprietary software. Companies compensate for lack of talent with man-power and procedures. Some people call corporate wage-slaves “code monkeys,” which to some degree is true. That’s the takeaway of corporate software.

Getting back to pfsense, the above applies just as much to them. It’s not a project made by someone to use for themselves, so its quality is lacking, just like we saw with the wireguard implementation (and like we saw with what happened to me when I upgraded, no custom packages or anything running on it, just the bare basics). There’s a lot of things to not like about pfsense, I could go on and on.

2 Likes

People often forget that Pfsense wasn’t designed as router software. It was intended as firewall software. Although it can act as a simple router, Pfsense is really only firewall software. Right now, I prefer Unifi OS because it is simpler to configure than Pfsense and OPNsense. We all know simple is better than complicated. I subscribe to the KISS principle. I admit there are some shortcomings to Unifi OS, just like there are shortcomings to Pfsense and OPNsense.

3 Likes