
Want to set up pfsense firewall, not sure what hardware is best to use?

#1

So for the community I have some machines I want to plop out on the public internet and be welcoming to people opening accounts on a few machines and fucking around with them. I don't know, maybe someone builds an OS on a SPARC machine I have open.

Whatever it may be.

But I obviously need to do that safely. So pfSense to save the day, right? But I never really learned what a good set of hardware would even be.

Back when I was screwing with this I had a few Pentium 4 boxes running my network. Since then I tore that apart because it was buggy. And even then, I don't think a P4 is going to keep up in 2019? In 2012 it still could haha.

So, what would be best for this now? Early Core i? If I could dump a G5 on this or a Mac Pro and know it'd run reliably I'd use one of those, but I don't know what even supports G5 machines.

Any recommendations?

0 Likes

#2

Well, considering it can still run fine on ALIX boards built by ancient Egyptians, pragmatically you shouldn't need to worry.
Just use whatever you have laying around you find best.

1 Like

#3

Hmmm.

Do you run it? On what, for how many clients?

0 Likes

#4

Don't have any setups at the moment, but talking about a P4, I'd estimate 40 simultaneous users shouldn't choke it.

0 Likes

#5

Interesting.

0 Likes

#6

Oh, that estimate was considering web surfers connected to an AP; of course a honeypot would be different.
Anywho, I highly doubt the firewall hardware would be the limiting factor.

0 Likes

#7

I ran one of these (I think it was the 3100?) on a fiber connection for ~80+ people, probably about twice that for total endpoints. Ran OpenVPN on it too. Pretty decent for the price, by comparison to other VPN and firewall offerings. UniFi is good for a full feature set at a cheap cost too.
Anyway, yeah, I think it will run fine on whatever, but gigabit interfaces might be something you want, and more than one core (even if it's like an Arduino).

1 Like

#8

+1 for core count.
But yeah, hardware-wise the NICs are the main focus, not to mention your bandwidth depending on the use case.

0 Likes

#9

Any CPU that supports AES-NI.

3 Likes

#10

I've been using an i3-4130T with 8 GB DDR3 that I had laying around and a really cheap Mushkin 60 GB SSD for about 5 years now. The i3-4130T is the low-power model that supports AES-NI. I threw in an Intel dual-port NIC that I got off eBay as well, since the onboard NIC on the motherboard was kind of crap. I repurposed the i3 from a different small NAS project, but it's worked out pretty well. I don't run multiple users, but I have had multiple VPNs running with a lot of firewall rules, since I route most video streaming services around the VPNs. I usually only see 3-5% CPU usage even with a gigabit internet connection, so it's way overpowered for my needs. I would think a similar build could handle quite a few users when compared to some of the off-the-shelf Netgate boxes.

0 Likes

#11

I bought a small Netgate unit (SG-1000) for my own network. I figured it was powerful enough for my household (and it is) and cheaper than anything I could build.
Hell, even if I could build a router for free from leftover PC parts and put pfSense on that, the difference in electricity consumption alone would offset the price.

0 Likes

#12

What other people are saying: use what you have around. I'd say if the processor has at least 2 cores and is 64-bit, it can handle encryption with a VPN on a copper network. If you live in Seattle like me, Comcast has made sure the only affordable thing is copper speeds.

I'm running a repurposed Windows Vista AMD Athlon 4050e machine with 4 GB of DDR2 RAM and a 1 TB HDD for web caching. All I did was add a fan, add 2 gigabit Ethernet NICs and some dust cans to clean the inside. Then, to get wireless functionality, I took two cheap $20 TP-Link routers and flashed OpenWrt on them: the first one I hooked up directly to the second Ethernet NIC and set it up as an AP station, then set up the second one as a repeater across the room. I spent no more than $60 for the setup (the two NICs and 2 routers). The AMD Athlon processor's max usage is around 20%, so I have quite a bit of headroom. It's too bad pfSense is dropping support for processors without crypto support. Mine is powerful enough to do CPU crypto without any performance loss…

0 Likes

#13

Anybody using inline mode on your IPS? Also, what NICs do we recommend?

0 Likes

#14

Nice, I'm running an i3-4160, 8 GB RAM, and an Intel I340-T4 quad-port. Works great for VPNs and light web hosting.

I actually just upgraded the RAM from 4 to 8 GB after adding IDS on a few VLANs. Had been running off 4 GB for a few years.

Are you using Hyper-Threading? I have it disabled but kinda want to turn it back on.

0 Likes

#15

I agree, the primary factors are ISP bandwidth and how many users/what user base, which should fall into what NICs to pick up.

Things to consider:
Does the CPU support AES-NI - not sure how important this is, I've run a few VPNs off an older i3-3220 just fine.

Does the NIC support netmap - probably doesn't matter, I can get inline mode working anyway.

Does the motherboard allow itself to be rebooted without a monitor - I had to get a $5 VGA display emulator to get mine to reboot, lol. So annoying.

How much are you willing to spend in power consumption - do you want this on a UPS? How long do you need it to work before your ISP's UPS at the street dies?

0 Likes

#16

I ran pfSense for about a decade on an Atom board with 2 GB of RAM, and it was more than sufficient for a SOHO environment. As already mentioned, it will run on an ALIX board, so it will run on darn near anything. I recently switched to a Xeon/i5 CPU, only because it looked like the developers were going to require AES-NI. I already had a SuperMicro board gathering dust and I found the Xeon second hand and very cheap, so I made the change.

If you are going to run more than one VPN connection, AES-NI is probably worth the effort. 2GB of RAM is sufficient, even when running things like Snort and Squid. If you are going to get carried away with packages, however, maybe 4GB? Other than that, the most important consideration is to get yourself some good Intel NICs.

1 Like
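Several replies above (#9, #12, #15, #16) boil the hardware question down to the same three checks: a 64-bit CPU, at least two cores, and AES-NI if you will run VPNs. The script below is an added example, not something from this thread: it applies those three checks to a Linux `/proc/cpuinfo` dump, which is what you would have on hand when booting a candidate box from a live USB before installing pfSense. The sample cpuinfo text is constructed for the demonstration.

```bash
#!/bin/sh
# Added example: score a CPU against the thread's rough pfSense bar
# (64-bit, >= 2 logical CPUs, AES-NI) from /proc/cpuinfo text.

# Constructed sample modelled on a two-core CPU with AES-NI (not a real dump).
SAMPLE_CPUINFO='processor : 0
flags : fpu vme lm aes sse4_2
processor : 1
flags : fpu vme lm aes sse4_2'

# has_flag FLAG CPUINFO -> exit 0 if the first "flags" line lists FLAG as a whole word.
# "lm" (long mode) means 64-bit capable; "aes" means AES-NI is present.
has_flag() {
  printf '%s\n' "$2" | grep -m1 '^flags' | tr ' ' '\n' | grep -qx "$1"
}

# core_count CPUINFO -> number of "processor" entries (logical CPUs, HT included).
core_count() {
  printf '%s\n' "$1" | grep -c '^processor'
}

# check_cpu CPUINFO -> prints "OK" or "missing: ..." and returns 0 only when all pass.
check_cpu() {
  gaps=""
  has_flag lm "$1"  || gaps="$gaps 64bit"
  has_flag aes "$1" || gaps="$gaps AES-NI"
  [ "$(core_count "$1")" -ge 2 ] || gaps="$gaps cores"
  if [ -z "$gaps" ]; then
    echo "OK"
    return 0
  fi
  echo "missing:$gaps"
  return 1
}

# On a real box: check_cpu "$(cat /proc/cpuinfo)"
check_cpu "$SAMPLE_CPUINFO"
```

On pfSense itself (FreeBSD) there is no `/proc/cpuinfo`; run this from a Linux live environment on the candidate hardware instead.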

#17

No, mine is disabled but I don’t really need it. My cpu usage is pretty low.

0 Likes

#18

Yeah, I was using a free Asus Eee PC 1033 with an mPCIe-to-Ethernet adapter for a couple of years:
https://www.asus.com/us/Mini-PCs/EeeBox_PC_EB1033/

1 Like

#19

At the moment I'm using the D-Link NICs that I have xD

0 Likes