I want to build a pfsense box so that I can use caching and have a good and powerful firewall and antivirus. But I was wondering which parts I should get. Should I buy new components or should I look for used parts on ebay? I don't need wireless because I have a ac AP with 1300MBp/s.
I already found a Intel quad Gigabit NIC which I really want to use because so I can make a VLAN for the guest-AP and LAN.
Maybe some of you can help me. My Budget is around max. 250€ (because I am in Germany with sucking VDSL)
Thanks for your help!
In general, the more ram the better, although you will reach the point of negligible improvements somewhat quickly so for a home network, not sure the size of your network, don't rush out to buy quad xeon with 128[gB] of RAM. You wont need a large quantity of disk space although faster could be advantageous. CPU horsepower probably wont be a huge factor either unless you are servicing a larger, well utilized infrastructure. For a home user, I'd acquire a second hand PC that someone is getting rid of and has a PCI(e) port compatible with your NIC. I'm thinking a good decent size SSD and 4ish [gB] of RAM should work.
I dont have much experience with PFsense itself but have configured OBSD and FBSD as firewalls using IPF, PF, etc and other utilities. I've not configured squid since like version 2.2 (year 2000???). I assume PFSense uses squid for web caching. Don't remember. While you are at it, on a side-note, add snort to you experimenting. Interesting things can be done judging by the documentation. Again, I have not touched snort since at least 2000 as well.
I'm currently utilizing an OBSD PF firewall for my home FW and it's pretty decent for streaming netflix, generally at least one CVS update running somewhere, etc. I dont really game, so not sure how throughput hungry that would be.
I'm not utilizing any web caching or VPN. I'm using a PC Engines embedded board with 4 [gB] RAM and a 32 [gB] USB 3 thumb drive for main store. I've been using my current firewall for over a year now. It just runs and runs.
Incidentally, I used an ancient 486DX for like 10 years using OBSD and IPF. It just ran and ran as well. Took like a week to 'make world' over NFS and stayed at 97% utilization the whole time but did not seriously effect the throughput which dial-up and then DSL when it first became available is dwarfed in comparison to today's home connection and cellphone throughput. Kinda funny; it took like 30 seconds to get username/password challenge from an implied SSH connection, though.
Someone with PFsense/Squid/network gaming may want to chime in if I'm on crack about this.
You can get squid to work with https but not with pfsense. I had a lot of trouble with it and discovered that pfsense comes with outdated CAs which prevent https traffic from working when using a squid proxy. I've run squid on a Linux server to cache https and it works fine.
Although there is little value is a caching proxy for a single or small group of users.
The current version of squid on pfsense (squid 3 I think) has built in antivius but It can be a little tricky to get working. Personally I wouldn't worry about it but knock yourself out if you want to have a go with it. You don't need much in the way of hardware. 4gb or ram is heaps, even if you use snort which is ram hungry you will be fine with 4gb. As for CPU pretty much anything will be fine for less that a 1gbps WAN connection. Single core performance is probably of more benefit than more cores so keep that in mind when choosing a CPU. But you don't need anything crazy.
I've heard that modern SSDs are okay but I'd still stick with a mechanical hard disk to avoid wear issues. Your cache will no benefit from an SSD, as a single user or small group of users you won't see any benefit anyway but small files which would benefit from an SSD are already cached in ram anyway so unless you have one laying around it's not really worth the money.
If you want to use snort there are plenty of guides that will help you set it up, but you might want to have a read through the thread as well.
To use it with https you have to build it with an option enabled which isn't in the regular package. Other than that it's the same set up just with some extra settings in the config.
Have a look at some guides on how to set it up but essentially you create a self signed CA certificate for the squid server and then add the CA to your trusted root on all your devices. So you connect to squid over https using the dodgy cert and squid connects to the webserver using the real cert. So it's sort of a man in the middle attack except you're the man in the middle. You won't be able to manually verify the webserver certificates anymore but you can set it up so that it passes any errors through to the user so you can still choose to trust a website with an invalid certificate.
I can post my squid configuration if you'd like.
Also worth noting that applications that use certificate pinning will not work if you do this.
Thanks for your replies!
I looked around for good deals and got a ASUS N3150M-E Board for around 50€ and my Quad Gigabit Intel NIC for around 30€
The other parts I had laying around. A nice Fractal Core 1100, BeQuiet 80+ Bronze power supply (will be replaced with picoPSU soon) and finally a 250G notebook hard drive (not the best performance I know)
I installed pfSense and Snort and first had problems getting it working because when I accessed my own Domain I would get blocked and could not access google and youtube because Snort blocked 1e100.net (a Domain owned by Google). But with the help of a good friend I got it finally working.
The only thing I am not proud of is that I have 2 NATs because I planned to use a FRITZ!Box I had laying around from my dad as a Modem but that didnt work because the modem option was removed with the firmware version the router was shipped with and there is no older version. So I have to run it as a router with the pfSense box as Exposed Host until I find a good and cheap VDSL Modem.
Frankly I'd keep the Be Quiet if it's a good PSU. Unless you need it for something else, replacing it with a PicoPSU is probably going to sacrifice efficiency since I'm guessing you'll use it with a generic 12v power brick from China. Other than that, the build sounds great though, that's awesome that you got Squid working!
@Logan and @wendell, could we maybe see a pfSense tutorial with setup for Squid caching? I've tried a few times and had bad luck with it, but for those of us running routers on ridiculously oversized 200-500GB drives it'd be nice to have a guide.