pfSense Minimum Hardware

Just wondering what the lowest-powered hardware is that people have been able to get away with?

I’ve got a couple strange little computers I’m thinking about trying to use for pfSense routers. These were originally for, uhm, roadway message boards, of all things. My dad works for the state and scrounged them from the garbage.

Anyway, they have a 500MHz AMD Geode processor, dual 100M NICs, 256MB RAM, a CF card slot, and a “laptop” IDE connector. I just purchased a CF to SD card adapter, just to see what would happen. They wouldn’t need to be able to move data fast or anything. My parents’ house has 6Mb DSL, and my sister’s house has I think 12Mb DSL.

The board is the WAFER-LX3-800-W.

You need a CPU that supports 64-bit. If you really want to run it on that CPU, pfSense 2.3 is the last version that supports 32-bit.

I’m running a 64-bit AMD Athlon™ Dual Core 4050e with two TP-Link gigabit NICs in both PCIe slots on the motherboard, making up three gigabit NICs including the motherboard one. I then have two cheap TP-Link routers (WR841N v9 and WR940N v6), both running the latest release of OpenWrt from /index/releases, and have them set up as a WDS access point and repeater using the spanning tree protocol. Paid almost no money and have a professional setup. The AMD processor takes just around 45W.

As @DastardlyMuffin is hinting at, you could just use OpenWrt to do what you need to do on a 15-year-old 300MHz MIPS with 32MB of RAM. You don’t need more than that for DSL like that.

If you used pfSense, you’d be spending hardware spinning FreeBSD and lighttpd and PHP to get a fancy UI.

In terms of x86 hardware, an ASRock N3150-ITX ran a couple of VMs and I ran pfSense in one of them, but the virtio drivers were super buggy in pfSense at the time; after spending a couple of weeks on their IRC and mailing lists, I gave up. On a physical machine it worked fine, but it seemed wasteful to give it a whole machine.

1 Like

I run one of those little Chinese pfSense routers.

A Celeron 1007U (1.5 GHz Ivy Bridge dual core) is massively over-spec’ed to load balance two 15Mbit internet connections.

I guess the only real requirements are a 64-bit CPU, 512MB of RAM and a 4GB disk.

I believe you need AES-NI support as well.

2.5 was going to require hardware that supported AES-NI. However, early this year that changed (due to no longer planning on using a REST API that required it).

So in several remote offices I have Netgate SG3100s (dual-core ARM processors) running 100Mb lines easily. The load does increase significantly with the use of SquidGuard, but it doesn’t reflect on the users.

My personal box is an AMD Athlon 5350 (those AM1 chips) with 2GB of RAM. It runs well also on a 100Mb line, although I have tested it going inter-VLAN with an Intel X520-DA2 (10Gb SFP+ NIC) and it sustained pretty good speeds from what I recall (somewhere in the 6-7Gbps range).

It really depends on what you need to route, but in my experience, and as @abaxas said, it runs pretty well on anything “modern” (aka 64-bit).

2 Likes

Cool, good to know (already had that support tho).

Have one of those, too. Also still have a PCengines APU1D4 somewhere that I need to sell.

But in general I like overkill more than efficiency. At home I’m running a Ryzen 3 1200 in a 2U case which is gonna be upgraded soon. Currently it has a dual port Intel NIC and a Draytek Vigor DSL modem card to do its job. But I decided to go with something external to make the connection itself and have my own firewall behind that. So the DSL card will go and the dual port NIC is gonna be replaced with a quad port. Also the system is gonna get a basic GPU, a 2W Sunix card with only VGA out. A FRITZ!Box 7530 is gonna make the connection itself.

Tbh I wouldn’t build for now but build for later. Since firewalls are built on BSD typically and can last for 10-15 years, buy something decent. Have AES-NI capability etc., in case you want to route some traffic through a VPN.

At this point it’s sort of a curiosity. Just want to mess around. Like I said, terrible rural internet so not high demand.

Seems the hard part is getting an old version of pfSense. My setup is running 2.3.x or something because I haven’t updated or restarted it since I installed it. 800+ days of uptime. Looked around for that install ISO, but haven’t found it yet.

So, an update to this. I tried multiple times to get pfSense as well as OPNsense to boot on this, and nothing works. All I get is BTX Halt. I tried using the Micro SD to CF adapter as well as multiple normal USB drives. Just BTX Halt.

So, I don’t know. Probably isn’t viable for use.

I did, however, get Alpine Linux installed on the 4GB SD card in the CF card adapter.

Pretty neat.

Maybe I can do a super basic router/firewall with Alpine Linux? Found this tutorial for setting up a stateful firewall. Just would need to do that and set it up as a DHCP server as well.

I wonder if this would provide a “secure” firewall solution? Also wonder how much hassle it would be to maintain this? Like if it blocks stuff I want to unblock, I’d have to manually edit conf files and stuff. I’d also need to manually set up VPN stuff so I could remotely admin it if I use it at my parents’ or sister’s house.

Hmm.

Just remembered, you could try OpenWrt on it - that way you get some kind of UI.

https://openwrt.org/docs/techref/instructionset/i386_geode

http://downloads.openwrt.org/snapshots/targets/x86/geode/lede-x86-geode-combined-ext4.img.gz
https://openwrt.org/docs/guide-user/installation/openwrt_x86

It’s an option; Alpine probably comes with newer stuff.

Argh, it’s using nftables-formatted rules.

Personally, I’d stick to iptables as that’s what I know, and objectively there’s tons of resources on iptables as it’s been around for so long. (Yes, I do realize iptables gets installed as nftables underneath.)

That blog is missing IPv6 connection tracking?

As for VPN for admin, instead of VPN, perhaps an easier, better option is to generate a few SSH keypairs, move SSH to port 22000 or something like that (add to the Listen option in ssh_config), and just open that port.

As for DHCP/DNS, you can use dnsmasq directly, or you can try to install Pi-hole.

1 Like
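Putting that post’s suggestion into working form, as an added example that is not from the thread or from any of the projects mentioned: a stateful nftables ruleset for a two-NIC Alpine box, written in an `inet` table so connection tracking covers IPv6 as well as IPv4 (the gap raised above), plus an sshd drop-in that moves SSH to port 22000 and allows key-based logins only, which also covers the empty-password checklist item mentioned later in the thread. The interface names, the file paths (`/etc/nftables.nft`, `/etc/ssh/sshd_config.d/`), the assumption that Alpine’s nftables service loads that file, and the assumption that the main sshd_config has an `Include` for the drop-in directory (OpenSSH 8.2+) are mine, not the thread’s. One factual note: the listening port is a server-side setting, so it is the `Port` directive in sshd_config that moves the listener.

```shell
#!/bin/sh
# Added example (not from the thread): stateful nftables ruleset plus an
# sshd drop-in for a two-NIC Alpine router. Assumptions, not facts from
# the thread: WAN is eth0, LAN is eth1, the Alpine nftables service loads
# /etc/nftables.nft, and sshd_config has
# "Include /etc/ssh/sshd_config.d/*.conf" (OpenSSH 8.2+).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SSH_PORT="${SSH_PORT:-22000}"

# Print a stateful ruleset. An "inet" table handles IPv4 and IPv6 in one
# place, so ct state rules track both address families.
nft_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 NDP
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # LAN clients reach dnsmasq (DNS + DHCP) on the router itself
        iifname "$LAN_IF" udp dport { 53, 67 } accept
        iifname "$LAN_IF" tcp dport 53 accept
        # Admin SSH on the moved port; new connections are rate limited
        tcp dport $SSH_PORT ct state new limit rate 6/minute accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Key-only SSH on the moved port; empty passwords and password logins are
# both refused, which is the checklist item the thread mentions.
sshd_dropin() {
    cat <<EOF
Port $SSH_PORT
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# Write both files under PREFIX (empty = the real root filesystem).
install_configs() {
    prefix="${1:-}"
    mkdir -p "$prefix/etc" "$prefix/etc/ssh/sshd_config.d"
    nft_ruleset > "$prefix/etc/nftables.nft"
    sshd_dropin > "$prefix/etc/ssh/sshd_config.d/10-admin.conf"
    # Syntax-check the ruleset without loading it, when nft is installed
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$prefix/etc/nftables.nft" \
            || echo "warning: nft -c reported a problem" >&2
    fi
}

# Usage on the router (as root):
#   ./router-configs.sh --install
#   rc-update add nftables && rc-service nftables start && rc-service sshd restart
# On the admin machine, beforehand:
#   ssh-keygen -t ed25519 -f ~/.ssh/router_ed25519
#   ssh-copy-id -i ~/.ssh/router_ed25519.pub root@router   # while port 22 is still up
#   ssh -p 22000 -i ~/.ssh/router_ed25519 root@router
case "${1:-}" in
    --install) install_configs ;;
esac
```

Copy the public key across before the port moves and before password authentication is switched off, otherwise the only way back in is the console. The `limit rate` on new SSH connections slows down brute forcing without blocking an admin who mistypes a passphrase once or twice.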

Very interesting info. I’ll probably mess around with it this week as I have time. Make a sort of segregated network lab environment to do some testing. OpenWrt is an interesting option, too. A web interface would definitely be useful.

In my mind I’d like to actually test the setup from a sort of security standpoint. I have no experience with pentesting, but I’d like to learn a bit about that. Use this as a learning experience. Where would I start with that? Just some simple tests to see if I can get through to the protected side. Learn about basic attack vectors, etc.

Assuming you have no open ports other than SSH, it’d probably be easier to follow a couple out of a gazillion checklists out there to configure it correctly. E.g. don’t allow login to accounts with empty passwords and so on.

Typically, as long as you’re updated every once in a while, as a home user you’re probably good.

One thing I’d be slightly worried about would be the amount of writes you’re putting into your SD card. Back in the day that machine was made, all flash was SLC flash, cells were huge, and somehow all these things worked fine in many applications without wear leveling. These days you might get a year or two of non-stop use out of a good high quality SD card. Now, OpenWrt will use tmpfs for a lot of things, but if you want to keep Alpine, you should probably configure your logging similarly - lean and not persistent by default.

That’s definitely something I hadn’t really considered, but could be an issue later: the longevity of the SD card.
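To make the SD card wear concern raised above measurable, here is an added example that is not from the thread or from Alpine: it samples the write counter for the card from `/proc/diskstats` and extrapolates to MiB per day, and it writes the two config lines that keep logs in RAM (busybox syslogd’s `-C` circular buffer, read back with `logread`, plus a small tmpfs on `/var/log`). Assumptions of mine: the card appears as `mmcblk0` (or `sda` behind the CF adapter), Alpine’s syslogd takes its flags from `SYSLOGD_OPTS` in `/etc/conf.d/syslog`, and field 10 of `/proc/diskstats` is sectors written.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how fast a root SD card is
# being written, and move Alpine's logging off persistent storage.
# Assumptions: the card is mmcblk0 (or sda via the CF adapter), Alpine's
# busybox syslogd reads SYSLOGD_OPTS from /etc/conf.d/syslog, and
# /proc/diskstats has the usual layout (field 3 = device, field 10 =
# sectors written).

# Sectors written to DEV, read from a diskstats file (default /proc/diskstats).
sectors_written() {
    dev="$1"; stats="${2:-/proc/diskstats}"
    awk -v d="$dev" '$3 == d { print $10 }' "$stats"
}

# Extrapolate two sector counts taken SECS seconds apart to MiB per day.
# A sector is 512 bytes, so sectors/2 is KiB; integer arithmetic only,
# ordered so intermediate values stay small.
mib_per_day() {
    s1="$1"; s2="$2"; secs="$3"
    echo $(( (s2 - s1) / 2 * 86400 / secs / 1024 ))
}

# Sample the live counter twice and report the daily write rate.
measure() {
    dev="${1:-mmcblk0}"; secs="${2:-60}"
    a=$(sectors_written "$dev")
    sleep "$secs"
    b=$(sectors_written "$dev")
    echo "$dev: $(mib_per_day "$a" "$b" "$secs") MiB/day"
}

# Write the lines that keep logs in RAM. A later SYSLOGD_OPTS assignment
# overrides an earlier one in the conf.d file, so appending is enough.
# PREFIX lets the files land elsewhere for a dry run.
ram_logging_config() {
    prefix="${1:-}"
    mkdir -p "$prefix/etc/conf.d"
    # 256 KiB in-memory log buffer instead of /var/log/messages on the card
    printf 'SYSLOGD_OPTS="-C256"\n' >> "$prefix/etc/conf.d/syslog"
    # 16 MiB tmpfs for anything that still insists on writing under /var/log
    printf 'tmpfs\t/var/log\ttmpfs\tsize=16m,nosuid,nodev,noexec,mode=0755\t0 0\n' \
        >> "$prefix/etc/fstab"
}

# Usage:
#   ./sdwear.sh --measure mmcblk0 300     # sample over five minutes
#   ./sdwear.sh --ram-logs                 # then: rc-service syslog restart; mount /var/log
case "${1:-}" in
    --measure)  measure "${2:-mmcblk0}" "${3:-60}" ;;
    --ram-logs) ram_logging_config ;;
esac
```

Measure before and after the logging change; a router that is only forwarding packets should be down to a few MiB per day, and whatever is left is usually dnsmasq leases or a package database update rather than syslog.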