[UK]pfSense appliance hardware. Can I do better for the money?

I need a new pfSense appliance as it appears my Netgate RCC-VE 2440 has finally been claimed by the Intel Atom 2000 series LPC clock bug.

My rough requirements / purchasing guidelines are as follows.

  1. Must be under £300 incl. shipping / import duties but the closer to ~£200, the better.

  2. Low power is important but not essential.

  3. 4GB or preferably 8GB of RAM.

  4. SSD, preferably mSATA.

  5. 4 NICs (although 3 would do if the product warranted it).

  6. COM port / HDMI / Displayport so that I can connect it to my Thinkpad T480 for troubleshooting or management.

  7. AES-NI support.

  8. If possible, a CPU that isn’t too weedy or ancient.

I’ve found the Protectli FW4B (https://protectli.com/product/fw4b/), albeit under another brand name, with a Celeron J3160, 4x Intel i210AT NICs, 8GB of RAM (DDR3L) and a 128GB mSATA SSD for £218.53 all in. Tom Lawrence reviewed its bigger brother, the FW6A (which has 6x NICs and a Celeron 3865U) and I would say he was pretty positive about the system and was impressed with the build quality. He also mentioned that Lawrence Systems has deployed several Protectli systems but didn’t say anything negative about having done so.

So I think the FW4B looks like a fairly safe bet but I would welcome any other suggestions.

[EDIT] I’m not opposed to building something as long as it fits my criteria.

P.S. I have considered buying a used SOHO server, such as a Dell T20 or Lenovo TS140, but they wouldn’t work out much cheaper, they’d use a lot more power and whilst I could put that extra power usage and the beefier hardware to good use by using it as a hypervisor to run pfSense and various other stuff… I’m not particularly comfortable with the idea of running my firewall on anything other than dedicated hardware, or the added complexity and maintenance that virtualising could bring.

I agree with @HanSolo, virtualizing a pfSense environment is a bad idea. I would just purchase the Protectli appliance. The only reason I am purchasing a Netgate appliance is I need a rackable 1U appliance for my new network setup.

What bandwidth are you anticipating this router needing to handle, and what packages/services are you planning to run? You can use that to get an idea by comparing the needs to the Netgate appliances, and then get something cheaper with those relative specs.

I built mine with an i3-6100T and it has proven to be extremely overkill.

Presently, I’d go with pfSense official SG-1100 ($180), or SG-3100 ($399) if I was going to do it again, for the same reason you are struggling (high cost to build or high power consumption).

You could probably build a PC with a Ryzen 1600 “AF” ($85) and get a used 4-port card (I got one used on eBay for $35) and UNDERCLOCK the CPU and disable SMT/cores and still have more than you would ever use for around $400.

It’s really the cheapest processor, but fortunately way more than you need and the 1600AF is a 12nm refresh part (just not 7nm). You’d have to run pfSense in console mode since it doesn’t have built-in graphics (or add a GT730 or the like) and some motherboard BIOSes won’t boot without a graphics card.

I run sub-5% CPU with a 2-core/4-thread i3-6100T and a bunch of packages (but not doing deep packet inspection) with a 1Gb fiber up/down link and can easily get over 950Mb in both directions.

My first thought was to go with something from Netgate, in part to support the project but the device I’d want, namely something that’d slot in between the SG-1100 and the SG-3100, doesn’t exist.

It’s possible that I’ll be getting a 200/20 connection in the near future, so nothing too heavy. I use apcupsd, pfBlockerNG, snort (but I’m considering the switch to Suricata) and squid. I also use a VPN connection 24/7 for select clients. There are also a few other packages I’ve been looking at but nothing CPU intensive.

I know that there are devices out there that’ll do what I need for less money but I also want some room to grow and play around with one or two things. The cheaper devices either have hardware limitations, such as J1900 based systems not supporting AES-NI, or they have an older, weaker processor than the Protectli… or they have three NICs or less, which wouldn’t be a big issue if it weren’t for the fact that the devices that support AES-NI but have three NICs aren’t all that much cheaper than the Protectli (i.e. the apu2e4). I had considered the SG-1100 but from what I’ve read, it looks like it’s vendor locked / pfSense only, which is less desirable.

If the ability to load something other than pfSense weren’t an issue, I’d have no issue recommending an SG-1100. I use it for work when I need to set up an internal network to mirror another site’s and NAT it behind our company’s network. I know it can handle a decent amount of traffic; the only issue with the above use cases would be the number of VPN connections, but since the upload is only 20Mbps it shouldn’t matter.

You could build a (B450, 3200G, 16G, nc375, case w/ PSU) for ~320. It’d be a way more capable/flexible system than any J3160. Example components: https://geizhals.eu/?cat=WL-1520412

Got some good builds here.

Just a quick update because I’ve got to grab dinner (but I do plan to respond to each of you later).

I found a Lenovo TS140 with an i3 4330 and 4GB of RAM for a bargain price on eBay that was too good to pass up. I plan to get a refurb Dell Intel I350-T4, which would take the total to around the ~£110 mark. It’ll eat more power than the likes of the Protectli but it’s half the price, has much more horsepower and versatility, and what money I’ve saved will pay for the added power consumption for a good few years.

I might plump for another 4GB DIMM if I feel I need it.

Plus I’ve always wanted a TS140.

I think the SG-1100 is a great little device but it’s just not quite what I’m after.

Thanks for the build. I think 16GB is more than enough for my needs though… hell, even 8GB is more than I need. Going with a 3200G based new build would be a pretty viable option though, as I already have a couple of cases I could dig out of storage, so rather than spending the money on the Chieftec case w/ PSU, I could get a decent PSU.

As I said though, I’ve just bought a Lenovo TS140 for a bargain price.

The 1U build would have drawn my interest as I hope to get my first rack this year. I’m running out of space where I keep my server and networking stuff so I could always rackmount the TS140 at a later date… A guy named Jon Kenzy did a case swap and rack mounted his TS140, so I could always go that route.

I have a Dell R210 II with an Ivy Bridge Xeon to run pfSense. It has been way more than enough. It is pretty low power too. Netgate appliances are good if you want an off-the-shelf solution with a warranty and support. But you do pay a premium for it.


Haven’t seen any satisfactory answers here. I am running my home pfSense box with just an OpenVPN server on an ASRock J3455M with an HP quad Intel Gigabit NIC. You could find the same board in different variants, like mini-ITX. The CPU, the Celeron J3455, is a quad-core Atom part, similar to the J3160, but with double the cores and the slightly older architecture (which isn’t a huge difference in performance at all). It also supports AES-NI. Total cost should probably be under $200 (the RAM and maybe the PSU would be the most expensive).

I also don’t suggest you virtualise, get physical hardware. I am not sure how many connections you intend to have behind the appliance, so it depends, but given the small CPU utilization and the fact that it is a quad-core, I think the J3455 could deal with some deep packet inspection and VPN and probably some more stuff before it even gets close to being a bottleneck.

Funny stuff, we got 2 Dell R210 IIs with quad-core Ivy Bridge Xeons and 32 GB of ECC RAM at work that we intend to migrate our current firewalls, DNS, routers, OpenVPN, some IPsecs, CA, proxy and reverse proxy to, in High Availability. No deep packet inspection though. We hope it won’t be too much for them (serving around 300 VMs, hosts and workstations in total, with around 10 VLANs). I believe the HW should be enough for the job, probably even overkill; a colleague thinks we need an insane 8 core CPU on it and 64 GB of RAM. Given the current load of each separate VM with their respective OS and services, I think it should be just fine. Still have no idea how many clients and what services OP wants to run on pfSense; if he has at least the number of clients we have, I’d probably recommend a minimum of an R210 II for deep packet inspection, otherwise, with few clients and DPI, I think a J3455 will be enough.

From a previous post:

“It’s possible that I’ll be getting a 200/20 connection in the near future, so nothing too heavy. I use apcupsd, pfBlockerNG, snort (but I’m considering the switch to Suricata) and squid. I also use a VPN connection 24/7 for select clients. There are also a few other packages I’ve been looking at but nothing CPU intensive.”

The hardware (which I’ve now bought, see this post) is for home use. So I’m not gonna be running crazy numbers of clients but when I was looking for a low powered, passively cooled appliance, such as the Protectli, I wanted to make sure that within the lifetime of the device, I’d never be bottlenecked by it.

I think the Protectli would have fit the bill nicely and @Razor_Blade’s suggestion of a Dell R210 II is another very viable option that I was just looking at, funnily enough. As I said previously, I would like to transition to rackmount this year and the R210 II being 1U would be a big plus over the now-bought TS140, which looks like it’d be 2U minimum, but again, I can’t complain at the price I paid.

[EDIT] I’ve just bought a quad port Dell Intel I350-T4 X8DHT for £35 delivered. I could get it cheaper but not from a UK seller.


I just found the following serverfault answer from Chris Buechler (co-founder of pfSense and currently the Principal Engineer at Ubiquiti Networks), which is kind of making me re-evaluate my stance on virtualising pfSense… at least in a home environment.

The arguments people generally have against that are security of the hypervisor itself, which history has pretty much proven isn’t much of a concern. That could always change, but there haven’t yet been any really significant recurring hypervisor security issues. Some people just refuse to trust it, for no good reason. It’s not about attacking other hosts if someone owns the firewall, in that case it doesn’t matter where it’s running, and of all the things that are likely to get compromised, the firewall is WAY down the list unless you do something stupid like open its management to the entire Internet with the default password set. Those people have some irrational fear that there’s going to be some magic “root ESX” packet sent in from the Internet through one of its bridged interfaces that’s somehow going to do something to the hypervisor. That’s extraordinarily unlikely, there are millions of more likely ways your network is going to get compromised.

Numerous production datacenters run pfSense in ESX, I’ve set up probably in excess of 100 myself alone. Our firewalls run in ESX. From all those experiences, the only couple of slight drawbacks to virtualizing your firewalls are: 1) if your virtualization infrastructure goes down, you’re not going to be able to get to it to troubleshoot if you aren’t physically at that location (mostly applicable to colo datacenters). This should be very rare, especially if you have CARP deployed with one firewall per physical host. I do see scenarios on occasion where this happens though, and someone has to physically go to the location to see what’s wrong with their hypervisor as their virtual firewall and only path in is down too. 2) More prone to configuration mistakes that could pose security issues. When you have a vswitch of unfiltered Internet traffic, and one or multiple of private network traffic, there are a few possibilities for getting unfiltered Internet traffic dropped into your private networks (the potential impact of which would vary from one environment to another). They’re very unlikely scenarios, but far more likely than making the same kind of screw up in an environment where the completely untrusted traffic is not connected in any fashion to internal hosts.

Neither of those should keep you from doing it - just be careful to avoid scenario 1 outages especially if this is sitting in a datacenter where you don’t have ready physical access if you lose the firewall.


I argue against virtualization for 2 reasons: one, because you can’t really trust the virtual NICs. If you are going to pass through a dual-port NIC to pfSense in Proxmox (or the hypervisor of your choice), then you are basically running pfSense on “bare metal”, so to speak. Just insert the WAN in one port and the LAN switch in the other and you are good to go. Then from the switch, you can trunk the VLANs to the integrated NIC on the server(s). Not much of an issue with this setup. If you want to go with CARP, you need a quad-port NIC for each pfSense instance / host. But we are already talking about enterprise redundancy, which doesn’t make sense in your case.

The 2nd reason why I don’t like virtualizing the main router is that you may sometimes want to reboot the hypervisor for updates or maintenance, which would also mean your connection to the internet goes down with it. If something goes wrong with an update or something, or there’s an error code you don’t know about and need to look up a manual or error codes on the internet, well, tough luck, compadre. It is more of a practical reason for not virtualizing your gateway to the internet. Just because one important guy does it doesn’t mean it is best practice; that is an appeal to authority. And keep in mind a hypervisor may see a lot more reboots than your main router (I rebooted my hosts at work 3 times this quarter, while our router has only seen 1 reboot for an upgrade and had 5 years uptime; my personal pfSense box at home had 129 days uptime until today, around 4 times more than the hypervisor servers at work).

By the way, today I tried Snort and Suricata (with all defaults) for the first time on my pfSense box. I have 4 clients connected and my Celeron J3455 only went from 3% to 9% utilization. Well, it wasn’t any heavy use or anything, but I did see lots of broken UDP checksums on my VPN to work. I uninstalled them afterwards, because I don’t make use of them at home. I really don’t think you need a better CPU than what I’m currently using, but then again, it is hard to argue against a 1U case.

That Protectli FW4B is probably around the same performance as my pfSense box (maybe 5% faster at most) and is nice and small. You could mount that on top of your main switch (if you have one). But since you already bought a PCI-E quad NIC, I guess you are going the 1U route. Still, you may be able to find a 1U ITX rack-mountable case, like, idk, the iStarUSA D-118V2-ITX-DT or iStarUSA D-118V2-ITX-DT, and buy an ASRock J3455-ITX (I got the J3455M, the mATX variant). Then, you’d just need a quiet PSU or maybe even a picoPSU, some RAM and a PCI-E riser.

Just a little “if I don’t laugh, I’ll cry” update.

Whilst awaiting the delivery of the TS140, my HP Microserver Gen8 (which usually serves as my secondary, backup FreeNAS server) was pressed into action as a pfSense system… well, now that’s playing up too.

So the tally for this week alone stands at:

1x faulty GPU
1x dead RCC-VE 2440
1x faulty Microserver Gen8

I’m gonna try and not get too stressed or pissed off though, as I could have things a lot worse with what’s going in the world.

Stay safe, people.

I’m curious as to why on this. I’ve been virtualizing my pfSense instances on vmware for years, so I’m a bit biased, but I’ve not had much issue with virtual NICs.

For a high availability scenario, you’d need two physical hosts and a pfSense instance on both configured for it though. Even then, that requires special considerations; not like it’s something most people would never do. And even then, a dedicated appliance in high availability for the internet access is a better idea than virtualized in HA, but if you ‘have to’ due to whatever arbitrary reason, it could be done.

Virtualizing your router at home or not, I think, boils down to whether you live with other people or not, and how annoyed those other people would be if there’s a hiccup during VRRP handoff in the middle of their gaming session.

pfSense doesn’t get updates very often. It’s possible to stick onto a box and not touch it for months at a time. Which is perfect for home use.

Another option that is great for home use these days is OpenWrt on a Raspberry Pi 4 + a VLAN capable switch or a USB3 NIC to give you more interfaces.

With VMs or containers you need to think about updating the host which requires you to have two hosts that work well enough to allow for this complicated song and dance only to maintain internet access at home.

Even for business use, most places will sooner get a second router on bare metal, than virtualize anything.

For labs, not prod and not a home environment, yes, go for it.


I’m not a fan of VMware, I haven’t used it for very long or for complicated setups. All I’ve used extensively was XenServer, Proxmox and the default Linux libvirt (qemu/kvm). When live migrating hosts around, I sometimes had problems with the virtual NICs which required a VM power off. Admittedly, I did not install any guest drivers on them. This network bug doesn’t always happen, but when it does, not even a reboot solves the issue; I have to power off, then power on the VM. As I mentioned, I haven’t tried VMware, maybe it doesn’t happen there, or maybe the environment where people run VMs didn’t require a lot of live migrations for the bug to appear. My experience with virtualizing even normal Linux machines was mildly annoying; I wouldn’t imagine what would happen if my router, that I need to use to access the hypervisor’s admin GUI to restart VMs, would crash… I’d basically have to go local (or be in the same network), log in on the server and power off the router manually.

I have not worked in big corporations, only medium-sized businesses (from 50 to ~1500 people), so I’m used to the routers / firewalls being physical hardware. I haven’t learned (yet) how to make an enterprise network; usually when things start bottlenecking somewhere, I brute-force the solution (like upgrading the main trunk for the router-on-a-stick firewall to a 10 Gbps connection). I’m a jack-of-all-trades sysadmin and I don’t claim to have the best solutions, but I do have some experience behind me in all kinds of network and server related issues.

Back to the main topic, I agree with @risk, a router gets updates so rarely that it shouldn’t even be in the plan to virtualize it, because the hypervisor will need more frequent reboots than the router will need (I think I mentioned this in my previous comment).
