pfSense assistance

Hey y'all - just looking for some advice.
I've been planning to build a cheap box for pfSense for a while, until a friend gave me an old P4 with 256MB of RAM.
I had a 200GB IDE drive that I installed and put pfSense onto, with an added 10/100 NIC.
I am planning to purchase a P4 3.4 as this one has a 2.8 and it's like $4 on eBay.
I will get 2GB of memory since it's also only like $10 and is the most this board can use.
Lastly I will be getting a pair of dual 10/100/1000 NICs for the standard PCI slots, since this only has a single PCIe x1 slot and two PCI slots... I have looked it up, it's cheap but should work well with pfSense.
My question is - I only have three users and ten devices in the house, which will have a 100Mbps connection once I upgrade.
Is the P4 enough for this setup to run without being a bottleneck? May be playing games occasionally, and a LOT of streaming and downloading media.
I added the Squid package and planned to upgrade to a SATA spinner, but honestly I don't even know if that will make a difference, except for startup times possibly.
I would like to try something like OpenVPN if it won't cause the CPU to bottleneck.

Any packages that simply will NOT work with this setup?
Also, for a typical home user, what other packages should I use? I have Squid, Snort, and darkstat; I thought about ClamAV but heard it's basically useless and CPU-intensive.
Any suggestions?
I would love to go to a Pentium D at least, but unfortunately it uses a 915GV chipset, so that's out of the question.
Yes, I could always buy something different but, if this works, then why not use it?

3 Likes

The thing about pfSense is that it doesn't really care if your CPU is highly single-threaded or multi-threaded; for general use it should work fine, however you may find issues when using some packages such as Squid and OpenVPN. When I used to use Squid (I don't anymore because I didn't see much benefit) it would peak my CPU utilisation to around 90% under heavy caching loads, e.g. if somebody on the network was downloading a game on Steam, which can't effectively be cached using Squid anyway. Using OpenVPN without AES-NI extensions will also load the CPU quite heavily and could also cause a bottleneck.

Additionally, the relationship between network connection speed and CPU usage is directly linked to the packets per second through the firewall, so internal traffic shouldn't carry quite the same penalty as traffic that goes through the WAN, and my Athlon 5350 can handle 100Mbps without very much problem at all, so I'm sure a decent P4 machine could handle it.

2 Likes

The CPU requirement is pretty negligible, unless you plan to install a bunch of packages, or if you plan intensive VPN activity. Many of the popular pfSense appliances only contain a 600MHz SoC. I initially used an Atom 330 CPU w/ 2GB of RAM for 7+ years at home, running Squid and an occasional VPN connection, with no problems whatsoever, and the CPU activity rarely exceeded 35%.

IMHO, the only reason to buy a special CPU for home use is to acquire one with AES-NI support, in order to run multiple concurrent VPN connections. The money is better spent on quality Intel NICs. Now, if you are routing a 1 Gigabit connection between several subnets, while running multiple CPU intensive packages, your needs may be greater.

Just start with what you have. There are suitable tools in the pfSense dashboard which will indicate a CPU-bound situation, should it occur. Additionally, iperf is among the available packages, so you can easily measure your network throughput.

2 Likes

You folks are great, thank you, I wasn't sure... I mean so far I am happy, but I'm barely using pfSense for more than a typical router could do at this point and plan to expand... sounds like I have some room to move though, which is what I was wondering about, so that's cool.

If anyone has a list of preferred add-ons, that'd kick ass.
Yes, I can Google it, and get the same top ten list a million times, but I trust y'all a LOT more, so if you have any pointers for must-haves that'd be great, whoever you are reading this.

thank you!

1 Like

When it comes to security, less is more. The more crap you load on your pf box, the more attack vectors you provide to the bad guys. Don't run packages because the other cool kids do. Deploy the packages because they address a need.

I started using pfSense at home in order to easily deploy Squid and traffic shaping. At the time I had a sloooow DSL connection and every time I checked my e-mail, YouTube would stutter and buffer. With pfSense, I could run multiple video streams, check e-mail, browse the 'net and play on-line games simultaneously, all without a hiccup! It was friggin magic!

I don't run Squid anymore, because it cannot cache encrypted traffic (running HTTPS Everywhere in all of my browsers), but I am running Snort. Snort will scare the hell out of you, when you see everyone banging on your firewall, but I sleep better at night with it enabled. NOTE: Snort is not for the impatient. Expect copious amounts of false positives. Therefore, it will take several weeks to get it tuned.

I also run the Unbound and NTP services, restricting my hosts from using outside sources for these services.

For security as well as educational purposes, consider running a default deny firewall policy, only allowing specifically allowed and approved traffic through the firewall.

2 Likes
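A plain pf ruleset that expresses the policy described in this post (default deny, with DNS and NTP from the LAN pinned to the firewall's own Unbound and ntpd), added here as an example; it is not taken from the thread or from pfSense's own generated rules. The interface names, the 192.168.1.0/24 subnet and the short list of allowed ports are assumptions. pfSense builds its ruleset from the GUI and writes the result to /tmp/rules.debug, so on pfSense you reproduce this under Firewall > Rules and Firewall > NAT > Port Forward rather than loading this file; it loads as-is on a stock FreeBSD or OpenBSD pf box.

```pf
# Assumed interfaces and LAN subnet (example values)
wan     = "em0"
lan     = "em1"
lan_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop          # silently drop rather than send RST/ICMP unreachable
scrub in all

# Hide the LAN behind the WAN address
nat on $wan from $lan_net to any -> ($wan)

# Pin DNS and NTP: whatever resolver or time server a LAN host has configured,
# the request lands on the firewall's own Unbound and ntpd
rdr on $lan proto { tcp udp } from $lan_net to any port 53  -> ($lan)
rdr on $lan proto udp         from $lan_net to any port 123 -> ($lan)

# Default deny on every interface, both directions, logged so that
# /var/log/pflog (or Status > System Logs > Firewall on pfSense) shows
# exactly what has to be allowed before a rule is added for it
block log all

# Local services the LAN may use: DHCP, DNS, NTP, the web GUI, ping
pass in on $lan proto udp from any port 68 to any port 67
pass in on $lan proto { tcp udp } from $lan_net to ($lan) port { 53 123 }
pass in on $lan proto tcp from $lan_net to ($lan) port 443
pass in on $lan inet proto icmp from $lan_net to ($lan)

# Internet access the household actually needs; extend this list from the
# pflog entries, not from guesswork
pass in on $lan proto tcp from $lan_net to ! $lan_net port { 80 443 }

# Replies and firewall-originated traffic towards the LAN
pass out on $lan from ($lan) to any

# Anything that was accepted on $lan, plus the firewall's own updates,
# NTP peers and recursive DNS lookups, may leave on the WAN
pass out on $wan all

# Nothing unsolicited from the Internet (block log all already does this;
# the explicit rule keeps the intent visible in pfctl -sr)
block in log on $wan
```

Rules are evaluated last-match-wins, so the broad `block log all` sits first and every `pass` below it is a specific exception; `pfctl -nf /etc/pf.conf` checks the syntax without loading it. The LAN-side `pass in` rules are where the policy bites: a host that wants, say, SSH outbound gets nothing until a rule for port 22 is added. Note that pfSense also inserts its own anti-lockout rule for the GUI on the LAN interface, so a GUI-built equivalent will show one more rule than this listing.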

Out of the box (without any packages installed) the firewall is what's going to use the most CPU. Routing and network interrupts and all that don't use too much CPU. Basically, the more packets per second you have, the faster a CPU you need; bandwidth doesn't matter so much, as the firewall is only looking at the headers for packets, not the payload. So if this is a home network and you don't plan on running a torrent client with way too many half-open connections, then you should be fine. RAM is similar: the more states you have (the state table is a list of connection states that the firewall keeps track of), the more RAM you need. I think each state needs 1KB of RAM, and you're not likely to have much more than 3000 or so on a home network, so you don't need much RAM.

If you use something like snort then you will need more RAM and it is also pretty heavy on the CPU, however the default search method it uses isn't too bad on resources, and you shouldn't use anything other than the default as it makes no difference to your network performance (counter intuitively).

1 Like
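The state-table point above (memory scales with tracked connections, and a torrent client with many half-open connections is what blows it up) is easy to check on the box itself. The script below is an added example, not code from the thread or from pfSense: it parses the text that `pfctl -s states` prints, counts states per internal host, flags TCP states stuck in SYN_SENT as half-open, and applies the roughly 1KB-per-state rule of thumb quoted in the post. The LAN prefix, the interface names and the sample state lines are constructed assumptions, not a real capture; the expected pf output format is `<if> <proto> <src[:port]> [(<pre-NAT src[:port]>)] -> <dst[:port]> <state>` with IPv4 addresses.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense code): size the pf state
# table from `pfctl -s states` output and spot hosts piling up half-open
# TCP connections. Assumes FreeBSD pf's text format with IPv4 addresses.

LAN_PREFIX="192.168.1."   # assumed LAN; set to your own subnet prefix
KB_PER_STATE=1            # rule of thumb quoted in the thread, not a measurement

# Constructed sample, not a capture: one host browsing normally, one host
# seeding a torrent with several half-open connections, and one NATed state
# as it appears on the WAN interface (pre-NAT address in parentheses).
SAMPLE_STATES='em1 tcp 192.168.1.10:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.1.10:51235 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.10:53077 -> 192.168.1.1:53       MULTIPLE:SINGLE
em1 tcp 192.168.1.20:6881 -> 198.51.100.7:6881       SYN_SENT:CLOSED
em1 tcp 192.168.1.20:6881 -> 198.51.100.8:6881       SYN_SENT:CLOSED
em1 tcp 192.168.1.20:6881 -> 198.51.100.9:6881       SYN_SENT:CLOSED
em1 udp 192.168.1.20:6881 -> 203.0.113.44:51413       MULTIPLE:MULTIPLE
em0 tcp 203.0.113.5:61000 (192.168.1.30:40000) -> 1.1.1.1:443       ESTABLISHED:ESTABLISHED'

# state_summary LAN_PREFIX  (reads pfctl -s states text on stdin)
# Prints key=value lines: totals first, then one line per internal host.
state_summary() {
    awk -v lan="$1" -v kb="$KB_PER_STATE" '
    {
        # The internal host is the first address field inside the LAN prefix;
        # on WAN-side states the pre-NAT address is the parenthesised field.
        host = "other"
        for (i = 3; i <= NF; i++) {
            f = $i
            gsub(/[()]/, "", f)
            if (index(f, lan) == 1) { sub(/:[0-9]+$/, "", f); host = f; break }
        }
        total++
        per_host[host]++
        # A TCP state still in SYN_SENT is a half-open connection.
        if ($2 == "tcp" && $NF ~ /^SYN_SENT/) { half++; host_half[host]++ }
    }
    END {
        printf "total_states=%d\n", total
        printf "half_open_tcp=%d\n", half + 0
        printf "est_state_mem_kb=%d\n", total * kb
        for (h in per_host)
            printf "host=%s states=%d half_open=%d\n", h, per_host[h], host_half[h] + 0
    }'
}

# Helpers that pull single numbers out of the summary of the sample above,
# so the figures can be used (and checked) from other scripts.
summary_value() {    # e.g. summary_value total_states
    printf '%s\n' "$SAMPLE_STATES" | state_summary "$LAN_PREFIX" \
        | awk -F= -v k="$1" '$1 == k { print $2 }'
}
host_states() {      # e.g. host_states 192.168.1.20
    printf '%s\n' "$SAMPLE_STATES" | state_summary "$LAN_PREFIX" \
        | awk -v h="host=$1" '$1 == h { sub(/^states=/, "", $2); print $2 }'
}
host_half_open() {   # e.g. host_half_open 192.168.1.20
    printf '%s\n' "$SAMPLE_STATES" | state_summary "$LAN_PREFIX" \
        | awk -v h="host=$1" '$1 == h { sub(/^half_open=/, "", $3); print $3 }'
}

# Stand-alone run over the constructed sample. On a live box use:
#   pfctl -s states | state_summary "$LAN_PREFIX" | sort
printf '%s\n' "$SAMPLE_STATES" | state_summary "$LAN_PREFIX" | sort
```

On the sample this reports 8 states (about 8KB by the rule of thumb) and three half-open TCP states, all from the torrenting host, which is the pattern to look for when the dashboard's state count climbs. `pfctl -s info` prints the live "current entries" figure and `pfctl -s memory` the "states hard limit" pf will enforce, so the 3000-or-so states the post mentions for a home network come to roughly 3MB, well inside even the 256MB the original poster started with.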

Here is an update to my previous comments on my home pfSense router, which should give a real world indication of hardware requirements for a SOHO system.

I started with an Atom 330 1.6GHz CPU and 2GB of RAM on one of those small Supermicro server boards. Since my needs were relatively modest, it served me well for 7-8 years and I never had a complaint. Due to its age, the desire to run Snort and the availability of a newer version of the mobo, I swapped it out for an Atom D525 1.8GHz CPU. This model has two cores and is threaded. I dropped 8GB of RAM in it, because ... it was there.

So, even with the notorious resource hog Snort running, which IIRC is a single threaded application, the CPU activity bounces between 5% and 50%, while the memory use is typically around 10%.

I recently had another server sitting idle; it was a Supermicro i3 something or other, of recent vintage. I blew pfSense onto it to tinker with a Hurricane Electric IPv6 connection. Once I got the box up and running, I swapped it for the D525 box, in order to put some traffic through the i3. I didn't make any careful measurements, because the object of the experiment was merely to play with IPv6, but seat of the pants, I didn't notice any performance differences between the two pfSense boxes whatsoever. Perhaps if I had a 1Gb fiber connection to the Internet, things would be different and the i3 would have the edge. But, in my application the only thing that the i3 did better was to make more heat.

EDIT: The i3 was a 2 core, 4 thread, 2.6GHz model, with 32GB of ECC RAM on a Supermicro server board.