Return to Level1Techs.com

Pfsence 10Gbe Router recommendation

pfsense
#1

Hi.
I want to buy (probably not build) a pfsence appliance/router.
I was looking at the Netgate XG-7100. But it has not enough 10GbE ports.
Otherwise exactly what i need.

Requirements:

  • low power consumption (DIY PCs probably need to much power). I have to pay 0,29€/kwh cries in german
  • it’s for our office. So unfortunately it needs to be quiet.
  • min. 4x SFP+ 10GbE LAN ports for our 2 switches + 1 Server + 1 NAS. (And maby 2x 10GBase-T for the future. But thats a nice to have)
  • min 4x 1GBase-T Ports
  • fast enouth CPU for 1GbE VPN + Firewall etc. But not too much else.
  • WAN Gigabit Base-T or higher
  • pfsence (i can install it myself if not preinstalled)

So i guess what i’m asking for is a XG-7100 with more ports. Ideally for sub 1000 €.
If there is no applience i can buy for this. That would be the best parts for a pc build? I don’t really want to have more than 25W idle power.

Thanks in advance.

0 Likes

#2

Are you sure that the 4x 10gbe sfp+ ports is essential? Can’t you get a 10gb switch for that?

3 Likes

#3

My first question is, do you really need 4x 10Gb ports on the router?

The reason I am asking is what you list as your requirements.
You’re in an office environment and you state that you have 2 switches, a server and a NAS.

Which then would lead me to ask additional questions.
Are your switches stackable or are they acting as two independent switches?
If they’re independent, are they serving two parts of the network that need to remain segregated from each other or are they linked into each other?

The reason I ask this is it sounds like you may be confusing pfSense with an all in one home router. All in one home routers aren’t strictly routers, they’re a monstrous amalgamation of a router, rudimentary firewall, a switch and access point. pfSense and the hardware netgate offer are just firewalls/routers (with the exception of the SG3100).

Each port is a separate network to another unless you setup LACP and port bind interfaces (which requires compatible switches or host machine setup).

For the sake of simplicity and management you would be better to take two ports (or just one if you’re switch doesn’t support LACP) from the router to a switch. (Or one to each switch if you have a stacked setup (it helps with failover)). Then use VLANs from the switch to the router if you need to restrict access from the network to the server and NAS. This leaves your switch doing switching and your router doing routing and firewall.

If you want a better idea of what I would recommend doing, please give some additional information regarding what switches you have, what your network topology is and how it is separated (eg Subnets).

If all you’re interested in is MOAR PORTS on the XG-7100, it does have a PCI-e x8 expansion slot that you could drop in something like an Intel X520-DA2 for an additional 2x 10Gb SFP+ interfaces.

3 Likes

#4

You’re right. I might be confusing something than.
I need 4 SPF+, but they don’t need to be on the router.
So i will probably buy a cheaper pfsence router/firewall and have switches connect to it if i don’t need the ports on a router level.

Backstory:
We basically are a very small/young company. So we don’t have an IT guy. And the external IT company we hired let us down on multiple occasions.
For example, we used and still use consumer grade routers to this day. Originally the IT guy set up a cheap tp-link router (we weren’t happy with) for us. That died after just 10 months. We asked for help. The guy missed 3 appointments and couldn’t help us after 6 weeks. They probably are horribly short-staffed and we aren’t nr. 1 customers. Meanwile we were using mobile hotspots until i fixed it myself after 3 weeks with my own old Netgear WNDR3700v2 (2010/11) i flashed with dd-wrt to keep it updated and get more functionality out of it.
But that router is not cutting it anymore. Also we now have a server that shouldn’t be “protected” by a old consumer router.

I saw the pfsence video from wendel a while ago and always wanted to try it. (As a backup for now.)
Also i heard the name pfsence from multiple people by now.
So no experience with pfsence and other enterprice networking equipment.
Just dd-wrt, FreeNAS, ESXi, Portainer, generell networking from High School Computer Science etc.

.
Current Setup:

ISP Box as a Bridge -> Netgear Router with 4 GbE ports
LAN 1: Mikrotik CRS305-1G-4S+IN as Switch
LAN 3+4: Office PCs

Switch Ports:
Port 1 SFP+ switch with 8 Ports (have to check what it is) (6 ports used)
Port 2: Server
Port 3: NAS
Port 4: My PC

All are in the same Network. It was the routers default setting when plugged in. And i need all pcs to access the server and the NAS.
I bought a bunch of pcie sfp+ mellanox cardes used for 30€ each so that everyone can have 10 GbE to the NAS/Server.

.
My goal: (don’t really know how to achieve it)

  • Have a more potent and stable router.
  • A firewall for the web stuff (Mail, Nextcloud, Website, Redmine, open ftp etc.)
  • Server has 2 SPF+ Cards. Want to isolate the web facing applications running in a VM from the internal Network (PCI card passed to guest ->connects to isolated net)
  • Have the NAS & Server available in the internal network for all the PCs. However all the PCs need internet. So i would like to use a VPN for internet traffic and isolate/protect it as best i can.

I guess i am better of using the cheaper SG3100 and another switch.
What do you think? is there anything that is definitely not doable with the planned setup? Other suggestions?

Btw i will install pfsence on a pc at home and test it before i deploy it in the office. So i guess i have allot to learn next weekend.

0 Likes

#5

I’d recommend something like a Ubiquiti EdgeRouter 4 as your router, which is cheap but good.
Add a Unifi Switch with 12 10gbit SFP+ ports and 4 10gbit RJ45 ports and you should have everything you need well within budget. The switch is a noisy one though according to reviews.
If you already solved it another way I’d be interested to know how.

2 Likes

#6

Most of the beginners are needing these recommendations to choose the best brands of Routers. They can check from Netgear EX6100 Setup that will guide in a proper manner.

0 Likes

#7

This is 3 months old… welp… I already wrote my comment, so for anybody else wondering:

I made my own pfSense box using an AsRock J3455M* + a quad-port 1 Gbps PCI-E card. You can get a 10 Gbps card instead, but it will sure be more expensive. This CPU support AES, which pfSense will start using with version 2.5. The PC uses less than 10W, but there’s no room for expansion in the future (I don’t intend to upgrade this anyway). I got a BeQuiet! 500W PSU, which is absolutely overkill, but it’s the only decent SFX PSU I could find and I couldn’t get a picoPSU (I got a SFF case).

I’m not sure if a quad-core Celeron (based on Atom cores) would be enough for a larger network, so I suggest at least getting a low-power consumption Core i3 8100T or downclock a Ryzen 3 (and get more PCI-E lanes, which are very welcome), but the CPU in full load would use around 35W by itself. Also, keep in mind that as long as you don’t use your CPU intensively, it won’t suck up more juice from the wall than it needs, so you won’t see 35W pulled constantly from the wall. But I think even my Celeron can keep up with a few servers and PCs and a VPN connection if they aren’t full throttled simultaneously.

0 Likes