pfSense Netgate Device vs. pfSense Custom Build

Good Afternoon Everyone,

I have been pondering a home network upgrade for quite a while. I currently utilize a run-of-the-mill router, consumer-grade stuff. The tinkerer/hobbyist/dreamer/long-time PC builder in me has me itching to design and implement a proper network at home.

pfSense is appealing to me and I think I would like to use it. The debate I cannot seem to settle in my mind after scouring forums: should I simply buy a Netgate device with pfSense installed, or build a small PC and install pfSense on bare metal?

I will be using 10Gb networking for my PC, a home server in the future, a switch, and a WAP or two. I do not plan on anything too insane and I do not think I will ever have faster internet than my current 1Gb cable from Comcast. I plan on having at least two VLANs, maybe a third in the future if I ever host anything public for my friends (like a game server).

My hobbyist side thinks I should build a PC/server to run pfSense, but the Netgate devices seem to cost less and use less electricity. I watched Wendel’s video on the Forbidden Router, which was awesome (I am a VMware guy by trade), but building a $3,000 VMware host/cluster, while appealing, is not fiscally responsible.

What are the thoughts of the community?

1 Like

Don’t you have to step up to the $800 range for the cheapest 10Gb-port model of Netgate products? If you have some hardware already or can buy used stuff for cheap (quad core from at least Skylake gen or newer), then that would be a better way to get 10Gb IMO.

If your WAN is 1Gb, I have a pfSense firewall I’d be happy to sell you for $50 (or make an offer if that seems too much) that you can use.

The pfSense box should be based on your WAN speed. Inter-VLAN routing can be handled by the switch if you have a proper one.

I think he’s planning on leaving his internet at 1G.

My thoughts:
You will be hard pressed to build something that will be as cost-effective as even the SG-1100. They do a lot and sip power. Personally I’d start by just running pfSense on something old you have lying around. I’m running mine on a very old Core 2 based system and it has more than enough power for the job. It uses a lot of power too, about 70 watts.

But you can try it out and see if you like pfSense before you get locked in by buying an appliance. You could also try other firewall solutions like OPNsense or Untangle. Untangle is fun if you want layer 7 stuff, but it takes a subscription to do the fun things.

This would probably be fine as well. Might buy it myself.

Thanks folks. If I am reading you correctly, it sounds like I should save money and not go ham on a router, as unless I am upgrading Internet speed (which I am not), a low-powered device will do just fine. I could spend my money elsewhere, like on a Layer 3 10Gb switch.

5 Likes

Yeah, that’s about how it goes. Even with a dual core from 2008, the highest CPU usage I see is 8%. I ran the SG-1100 for a while to make sure it would be good enough that I wouldn’t have problems letting non-techy family use it. I think the max CPU I saw was 10% maybe. This is with a 300Mbit connection. If you have faster, you might see more, but the 1100 can totally keep up with gigabit line speed no problem. Unless you want to do “fancy” things, VPNs and whatnot, you don’t need much processing power for a firewall/router. Even if you want to do fancy things, a little bit of power like the SG-1100 goes a lot further than you might expect.

1 Like

I am glad to have found the L1 forum and Wendel videos. He is a very good presenter and has an obvious passion for all things IT. The forums remind me of my early years (1990s-2000s) when forums were all we had. Glad to be back on a forum.

Thanks again for the input folks. Have a great weekend.

2 Likes

That is another rabbit hole at least as deep as the ‘which hardware for pfsense’ one …

The current offering of Layer 3 line-rate capable 10Gbit switches for homelabbers is fairly thin, especially if you don’t want 100W-plus screaming ‘things’ (you can have those for about 200USD on eBay; look for Brocade ICX 66x threads here or on ServeTheHome):
There are Mikrotiks with decent prices in the 500USD range that can do L3, but not at line rate; then there’s the Mikrotik 800USD price tier hardware that can do 10Gbit L3 routing at 30-40W power draw.
Then there are the used Brocades of the 7250-x series; they can cost from 400 to 800USD depending on the number of ports and PoE support.
I recently went from a Mikrotik CRS312-4C+8XG-RM + Cisco SG-200 + passive PoE injector setup to a single Brocade 7250-24P that has 24 PoE gigabit ports, 8 10Gbit SFPs and uses 60-70W of power. It can do layer 3 at line rate on all ports if you don’t get crazy with routing policies.
There’s other ex-enterprise stuff at the same price point/power draw level (Dells, Aristas), but they tend to be more available at decent prices in the US (I’m in the EU) …
YMMV; if you need ‘help’ in justifying spending some money, just create a topic, the people on this forum will always want to chip in, sometimes even too forcefully :)

1 Like

A “dinky” ARM-based platform will easily handle 1Gbit, so I don’t see why you need to shell out $$$ for that. That being said, it would require you to gather some knowledge about networking…

Buy a decent switch and wifi, leave your current router.

When you get a home server, virtualize the router (put wan into a vlan).

At that point, get a raspberry pi, or some such thing to use as fallback router on a stick (that class of hardware will do basic gigabit easy peasy).

1 Like

“Buy Unifi stuff”, super simple. :P
I kid, but I like Unifi stuff personally.

I use Unifi APs as well, and there are some integration benefits in using the switches and maybe the Dream Machines, but I would put the L3 capability of the routers at the Mikrotik low end … either no line rate or only basic support for L3 features…

Also, for someone who wants to understand how all this networking ‘stuff’ works (VLANs, STP, L3 routing vs. L2 separation, stack ports, port channels…), the Ubiquiti UI, while getting some of these ‘jobs’ done in an intuitive way, often hides how it really works and makes it difficult to learn in a way that can be applied across brands…

70W 24/7 is a lot of power (wasted) for a “1Gbps firewall.” People should try to get something below 5W if they can, or not more than 10W (a much easier target), for a “1Gbps firewall.”

What pfSense is good at is its GUI. If the GUI isn’t important in your preferences, then there’s no need for it to be pfSense or OPNsense.

Oh, it’s totally a waste, but if you actually do the math it would take 2 years for an SG-1100 to save enough power to pay for itself. So the cost/benefit of spending $200 now to save $10 a month going forward is a tricky decision. I only have so much “play” money a month.

1 Like

Saving energy vs. saving money often work against each other, and it’s situational indeed.

This fellow member got a $15 router. I believe the pay-off comes really quickly in both recreational pleasure and electricity bills. It consumes about 2.5W, and not more than 3.1W at max.

1 Like

Great for them, but you’re missing the point that I want to run pfSense because I like it. I like all the monitoring it’s capable of and the ease with which it allows me to troubleshoot things. That’s actually why I bought an SG-1100 for a family member’s household: the router they had was too dumb and I couldn’t figure out what was wrong. Turns out the issue was the router itself, because since I swapped it for the Netgate device their internet has been flawless. (Note, this is not a dig on the EdgeRouter, it’s fine. Its routerness is fine, but its firewallness is meh. It works, sure, but Ubiquiti’s best firewalls are kinda poor.)

My 70W ancient x86 server firewall is mostly just my solution since I gave the Netgate device to them. I’ve been waiting for the right deal to come along and I’m going to buy the used firewall from @ucav117. That should get my power consumption down and still give me the features I enjoy for a cheap price.

Good to hear that you’ll get a lower-power firewall soon.

The gist in this situation, I would assert, is not Netgate or pfSense but a properly configured router. Almost all consumer routers come with Linux as the foundation. When properly configured, it’s flawless. Adequate for a home environment.

I don’t know about that, because I care less what value Ubiquiti added to the ERX. Under the hood, it’s the same Linux people are familiar with. They can easily make it work in whatever way they want.

What’s good about the ERX is the very compact form factor. Adequate HW for a SOHO environment. Ultra low power consumption. Flexible enough firmware packages for users to tinker with. If people don’t like Ubiquiti, they have the option to run OpenWRT. Again, the specifics of OpenWRT don’t matter IMO, but it gives people the latest Linux and all the power that comes with it.

I’ve done both and there are pros and cons.

I’ve settled on a Netgate 2100 for home.

I still use pfSense in VMs for internal firewalls around the place.

The Netgate hardware is nice. You get support. It has some additional features in the Netgate build of pfSense. The device is silent and has some status LEDs. It has a built-in 4-port VLAN-capable switch.

Generic hardware won’t have that.

Prior to this I ran pfSense on small form factor PCs for a decade or so.