Questions AMD APU PFSense Build

I have a spare computer leftover from a failed HTPC build (too weak for gaming).
I was thinking about converting this PC to become a PFSense build, but had a couple of questions as a complete beginner to the software.

Is it more power efficient to use a low wattage power supply since this will be running 24/7 and only as a router? Or will the extra wattage just not be used so a higher rated power supply is fine?

Is this APU actually bad to run as a router due to lack of processing power? And does the processor use too much power to just be used as a router?

Parts list below:
AMD Ryzen 5 2400G
Gigabyte GA-AB350N WiFi Mini-Itx
Corsair RM 650X or SF 600
SSD M.2 250GB or 500GB (whatever works better for PFSense)
Case is a Corsair 380T but may change to something more quiet
Network: Verizon FIOS 100 Mbps down and up

Thank you for your time.

I am running PFSense on PC Engine APU2. WAN connection is not that great <100Mbps, but is running Suricata and pfBlockerNG/DNSBL. Works fine, currently between 5-15% while streaming video. Even pulling around 50Mbps I have not seen it even hit 50% CPU usage. Things that bog it down: loading and displaying Suricata logs, and VPN connections with a lot of data moving through them.

I would guess that the 2400G would work fine for almost any home use cases, unless you have multiple VPN connections. Again depends on how much packet sniffing and how many VPN connections (and what type of encryption). Only way to know for sure is to benchmark your use cases.

Power consumption from the wall will be a combination of CPU + NIC (+ Mobo + storage + peripherals) and PSU efficiency. Fully loaded your system is probably <200W. Idling as a PFSense box it will draw substantially less. Have a look at 80 Plus specifications to get an idea of how the efficiency changes, for example the difference between 20% load vs 50% is <5%. If your system idled around 100W a 200W PSU would be optimal, a similarly rated 500W PSU could be 2-3% less efficient (i.e. 2-3W).

If you are concerned about power, use existing HW to build a PFSense box, benchmark it in your use case and then buy the most power efficient machine that gives you enough computational headroom.

Difficult question to ask, but in general power supplies have an efficiency range - a high rated (e.g., gold, platinum) power supply is efficient up to a percentage of its maximum range.

If you’re not drawing much power, the power supply should still be efficient even if it is rated for a lot of watts. Also, some of them won’t run the fan when under low load so it might even be more silent.

Technically yes. Worth buying a new PSU? Likely not

Power supply rating is how much it will be willing to supply, not use. Your computer will use what it requests from the Power supply, if it can supply it.

Unless you’re encrypting your connection, it’s more than enough.

Pros and cons to this. Pro is you have the horse power for encrypting full gigabit or deep packet inspection for 1Gbps, if that winds up being a thing in your area. Con is you consume a tiny bit more system power at idle (think an extra $3-5 per year in electricity)

Thanks everyone. One last question, What Network card or brand would you folks recommend? I am looking for a minimum of 2 Ethernet ports, as I have 2 entertainment rooms that need wired connection for online competitive multi-player gaming.

PFSense doesn’t like RealTek NICs. I read on Reddit once a developer, maybe the owner, talking about the queue handling and other details. Not sure of the actual impacts, but I did read something regarding the queue handling in them also prevented multi-core maximization of the network load. Functionality binary vs gradient performance might not matter at the Mbps you’re targeting, though. You can blame BSD for all of this (and its lack of wifi stability) so it ‘might’ follow you to OPNsense (might not as they do bundle their BSD versions in their distro. I haven’t looked)… but not OpenWRT/Untangle as they are Linux (might still have queue/core limitations, just not compatibility) while Linux fixes the wifi option… but Intel is still best hands down regardless.

In order of quality, I’d suggest Intel i350/354, Intel i210/211, and Intel 82574L. The last one I’ve heard may have minor issues, but light years past RealTek, while it’s also used on many of the mid (and low?) range qotom/protectli boxes.

NICs aside, I am delving into the exact same topic, but I am building the box fresh and looking at virtualizing the router if I don’t target its needs to scale. Either way, I plan to use my old 800-1000 watt (can’t remember exactly) power supply that ran high end dual SLI (8800 GTX in the day… Crossfired 2xDual GPU Radeons… 7xxxx or whatever series) and expect its efficiency to be just fine.

Otherwise, my research was centered around pfsense/opnsense on Ryzen 3rd Gen’s (Zen+/Zen2 models) and I also have a 100Mbps connection with a goal for potential end-to-end VPN encrypting and plenty of CPU/Drive headroom for advanced next gen firewall features.

The below spam might convince you of a CPU upgrade; only if you’re interested in a virtualization scenario, otherwise perhaps bolstering your current one’s confidence for your use case.

NOTE: IPSec I read can multi-thread, but OpenVPN (validate this as of today; I’d like to be wrong) is single threaded which affects the core total/thread count perspective of the CPU. I have NOT itemized, expect it to be as such though, if their plugins and other features effectively utilize the other cores/threads in tandem to benefit less linearly the extra packet inspection/next gen firewall features. Zen2’s over Zen+'s can also maintain their boost levels longer which can make a big difference under transient load scenarios for these use cases… I believe they also have a lower power profile (conditional or base I did not check, yet).

Dedicated "appliance" builds:
Athlon 3000G (Zen+ APU) - 2c - 4t - 3.5ghz
No boost - Cute, overclockable. Core/Thread count is concerning for the above use case. Single process performance is nice, but likely once saturated the advanced use case could become bottlenecked. This guy lands in the budget category, where the value category options just eliminate all concerns for 40$ more.

Ryzen 3 3200G (Zen+ APU) - 4c - 4t - 3.6ghz/4.0ghz (Best bang for buck for this purpose)
Ryzen 5 3400G (Zen+ APU) - 4c - 8t - 3.7ghz/4.2ghz
Value range. Can handle our use cases without issues; 3400G would benefit from more per-core speed, while the thread count may help it under load saturated conditions… or bridge you into the mild virtualization scenario where you could separate cores/threads for firewall vs other-small-network VMs and such for other services (minimal). I’ll get one of these if I don’t go full virtualization.

Virtualizing builds:
Ryzen 5 3600 (Zen2 CPU) - 6c - 12t - 3.6ghz/4.2ghz
Ryzen 5 3600X - out of box overclocked to 3.8/4.4… personal preference on time/cash.
Ryzen 7 3700X (Zen2 CPU) - 8c - 16t - 3.6/4.4
Ryzen 7 2700X (Zen+ CPU) - 8c - 16t - 3.7/4.3
In the end, it’s all about the other servers/services you’d have to virtualize. The 2700X is selling as cheap as a Ryzen 5 3600X right now so it’s a curious deal for a non-gaming build when the intent is to virtualize and spread sporadic rather than consistent loads. I won’t go ramble unless requested, but this lets you run servers/services for Cameras/Home Automation, Plex media, NAS, Web/app servers, and such in the future easier. Have enough firepower in it and lots of guts? Slap a moderate to good video card in, dedicate 2-3 CPUs to a VM, and run a gaming VM with Steam streaming over the network to a Steam Link. There is more cost here, and it’s not really a great idea for the pricier CPUs, but the 2700X is a darn fine deal right now for this purpose.

Virtualization allows you to salvage idle hardware a bit and create future projects. Can load balance it all by selectively sharing threads on the same CPU to VMs that can push each other around a bit, while dedicating CPUs for their contingent processing needs to those that care like the router.

Pardon my ramble. Maybe this was mostly to write out what’s in my head on my plans. Much more in there, but this overlaps with your curiosities. Hope I didn’t bore.

Intel Pro 1000/(PT/GT/MT/VT) on ebay regularly go for the $30ish range for quad 1Gbps ports. No issues on Linux or FreeBSD.

On the same CPU very similar build I am running my home proxmox server. If you install a network card, you can create a VM for pfsense, to handle connections and the rest of the machines compute power for LXC/VMs. 2400g is way overkill for that, simple home routers can be done with a lot of chinnesium solutions from ebay with j1900 for ~100$.

Thanks for the extra info folks, and yes I did read everything (although some of it is still a bit complex for an Ubuntu noob like me).

The main goal for my setup right now is as follows:
1. Verizon FIOS ONT Box Wan port connects to PFSense Build
2. Linksys Velop Parent Node (Router) connects to PFSense Build
3. Velop Child Nodes (antennas) connects to Velop Parent Node

The PFSense Build will not have WiFi. It will let Linksys Velop handle the Wifi and wired Ethernet connections. You might be thinking, “Why not just plug in the Velop directly to the ONT box?”
Well, for some odd reason the Linksys Velop doesn’t like being wired directly to the ONT Box. When it’s wired directly to the ONT Box, I lose the wired Ethernet back-haul feature of the Velop Mesh System. I spent almost a year trying to fix it, and just today figured I would try another router to act as the middle man between the two which now works.

I don’t want to get rid of the Velop router system primarily because I am too invested into it already. My dummy head thought it would be a good idea to buy 5 of them to put in each high traffic room of the house. Secondly, I really love the compact size of these Velop Nodes compared to the chunky competition, as these really do blend into the background where you place them.

Anyways, you folks have got me interested in making the PFSense build do more than just be a go between router so I have some more questions.

  1. If you run a VPN will that make a noticeable impact for Online gaming? I’ve always been afraid of running a VPN cause I read comments about how it first has to send your traffic somewhere else before connecting you to a server, so for online FPS games it would be laggy. As someone who is a ping freak this was a no-no in my head (this would also help explain the 5 router purchase). I am such a newbie when it comes to VPNs that I thought that was mostly used by streamers so they wouldn’t have their address exposed online.

  2. The virtualization stuff sounds very complex to me. All I remember is that it creates another computer system while still using the hardware of the original. If I just want a firewall and perhaps VPN services, will this be even necessary?

  3. I do have one outdoor security camera that I connect to externally using port forwarding. Can I still connect to it with a Firewall and VPN installed?

Seriously though, thank you all for your feedback. It’s pretty sad that not even the company that made this router could find out why it didn’t work.

@TurtleTalking, Yes if you run gaming traffic through a VPN tunnel it will make a huge noticeable impact for Online Gaming. The answer is don’t run gaming traffic through a VPN Tunnel.

No, it won’t be necessary, Netgate (manufacturer of Pfsense appliances) recommends not running Pfsense virtualized, at least sometime in the past, I don’t know if it is still true or not.

I will be purchasing a Pfsense appliance as soon as I can raise the 2000 dollars to upgrade my network. Now don’t panic you don’t need to spend that much. What I am doing is setting up the same network lab I have at work, so I can work from home a few days a week and save the 1-hour drive to work. But this is getting off-topic, so if you are interested in what I will be doing, just let me know and I will start a different conversation. My offer goes to anyone interested.

Yes, you should be able to still access your outdoor camera with Pfsense and a VPN service. I am not promising it will be easy, but there are quite a few network experts here in the forum (I am not one of them, but I plan to be someday).

Awesome, thanks for the info. For the network cards, would I benefit from buying a more expensive dual port instead with my setup? I noticed the network cards sgzfsz recommended are around $30 to $40. I am willing to spend at least $80 on the network card if it makes a noticeable difference in speed or stability.

It depends; on speed or stability, no. Having said that, there are some advanced features (which you probably will never use) that I will use in my lab that probably cost more. It has to do with load balancing and something else, I can’t remember off the top of my head, but I need the features in my lab. Really any Intel manufactured network card will be your best bet.

Main recommendation is some variant of Intel 1000 PRO. The card can support maxing out all ports and has drivers that are in just about any distribution you want to go with. Rock solid

I easily got 1Gb on my WAN side using a Kaveri. Your CPU is more than fine for that. BUT unless things have changed in the last week, OpenVPN only cares about a single physical core’s top speed. Threads don’t count. So don’t expect to get much close to the same speed with VPN.

Safe to virtualize? One of the co-creators of Pfsense says yes https://serverfault.com/questions/338666/is-there-danger-to-virtualizing-a-router Old schoolers will say no. At home, it’s the best use of resources. More complicated to set up? Oh yes.

NICs. Beware the faaaaakkkess! I went through several counterfeits when I originally started looking for a good 4 port a while back. Going to guess that’s the same/worse.

With a 4 port NIC you can set the WAN port as a passthrough to the pfsense vm and keep the hypervisor away from anything nasty in the great beyond.

Suricata does take advantage of hyperthreading, though you will find it a bit trickier than you may have heard as pretty much all traffic is encrypted now, and that requires some tinkering in order for Suricata to be able to see the traffic as something other than encrypted gibberish. Unless there was a change recently there too.

I think even the 3 ports was overkill now that I have an idea of how I want this setup to work. While I wait for the network card to show up, I wanted to make sure I did the initial installation correctly.

  1. Install the network card.
  2. Install PFSense on the SSD.
  3. Plug in an Ethernet cable from the ONT Box Wan port to one of the ports on the network card.
  4. Plug in an Ethernet cable from the remaining network card port to the Linksys Parent Routers.
  5. Enjoy the system and update PFSense build with additional features later.

To be honest, I would have all devices wired directly to the PFSense build but then I wouldn’t leave the room it’s located. lol

I would add: back up your initial working config. Not that I totally blew up my very first install or anything…no, never. :) Backup and restore functions are very nice.

My first pfsense box was http://www.kettop.com/product/Mi3150L.html worked without a hitch.

What I have now is pfsense virtualized in this bad boy https://www.amazon.co.uk/dp/B06XRHRM4K

Runs my local network, VPNs, services that I have locally. All inside proxmox. The machine itself is passively cooled and does tend to heat up, needed to add an external cooler for that, but that’s beside the point.

You definitely do not need overkill hardware for a home router. Look what openwrt can be run on… It performs on FAR less powerful machines https://openwrt.org/toh/views/toh_extended_all

Hello again folks. I have come across a roadblock while trying to install PFSense on the computer. When I selected the Auto Install option, it asks me if I want to use the entire disk or create a partition. I picked use entire disk, but now I get the following pop-up:

“Select a partition scheme for this volume:
APM Apple Partition Map
BSD BSD Labels
GPT GUID Partition Table
MBR DOS Partitions
PC98 NEC PC9801 Partition Table
VTOC8 Sun VTOC8”

From looking at install videos it should just start installing after I selected the Auto Install option. I think it might have to do with the SSD having Ubuntu installed, but I already agreed to delete it.

Should I go back and format the SSD before installing PFSense?

Also, I tried to download the ISO file version, but Rufus wouldn’t recognize the file to install it on the 15 GB USB Flash Drive. I ended up having to select Memstick VGA version to get Rufus to install it.

I always had issues using Rufus and pfsense. Go get BalenaEtcher. It will work with the ISO file and take out the Ubuntu leftovers at the same time. Don’t worry about the lack of options compared to what you see in Rufus.

I tried BalenaEtcher and usbinstaller and both are having issues referencing a missing partition table on the ISO file which I downloaded from the CD Image installer.

I did notice that the USB had been split into 2 separate drives after the Rufus attempt, but I don’t think this is related since both installers refer to the ISO file as the issue.

Should I just go back and try the USBMemStick Installer with Console VGA again?