pfSense - thinking of taking the plunge

[therealnickdanger]

Current use case:
50/10 Comcast Business
Motorola SB6120 modem
WHS file/media server (mostly internal access)
Misc. game servers (int/ext)
Misc. application servers (ext)
Heavy Netflix/Amazon/YouTube/MMO traffic
Frequent VPN use

Reasons to switch to self-built router:
1. I have a couple machines (C2D, C2Q, SNB i3/i5) and several GbE and Wi-Fi NICs that are all collecting dust
2. Web caching is very enticing from an efficiency/speed aspect (Windows updates, Steam updates, videos, etc.)
3. Centralized ad blocking/security/anti-virus
4. Most routers I've used freeze and need rebooting from the stress
5. With newer AC routers in the $200-300 range, I figure I can build something more robust for less (free)
6. Fun project!

Questions:
1. The machines I have might be overkill for my needs, but would you recommend I use the Q8400, E6320, i3-2120, or i5-3570K?
2. I only have 8GB DDR2, but I have 12-16GB DDR3 sitting around, does that influence the CPU choice at all?
3. Power usage isn't a major concern, but this will be running 24/7
4. What should I use for storage? I don't have any spare SSDs (wouldn't that be nice!), but I have to believe that any old HDD would be fast enough? Yes, no?
5. Any other questions I should be asking?

Thanks!

 

[imagoon]

I would use the lowest power of the bunch. (1) Q8400 is going to burn through power so even with pfsense being free, it will cost you significantly more than a $250 router now (with DDWRT if you are in that) over about 1 year of usage. People also build pretty beefy PFSense routers on Intel Atom chips and a NIC card.

Things to note:
(2)Web cache only really works on HTTP connections on sites that do not you something like akamai for delivery. PFSense will not be able to cache Windows update for example because each machine that looks for patches will be given a different DNS address and link and rarely have it be the same one. Tools like WSUS are for this use. I believe steam is similar so your mileage will vary.

(3) I have had mixed results with this. Mostly the ad blocking nailing things it shouldn't. May work fine for you.

(4) never had this issue with decent routers
(5) addressed above but they are often cheaper than "free pfsense" purely from the cost point of view.
(6) No argument here.

I do like pfsense. I use it often as a basic IP router when I am testing applications "over the wan" in VMWare. vNetwork to vNetwork since it can route IP and have throttle rules to simulate the speeds in our WAN sites.

Q(1) See above. The one that uses the least power. All of those chips are over 100x the needs of pfsense.
(2) If you need it, DDR3 just because it is cheaper and lower power.
(3) See above.
(4) Cheapest/slowest HDD you have. No need to waste an SSD on pfsense.

 

[Ertaz]

Current use case:
50/10 Comcast Business
Motorola SB6120 modem
WHS file/media server (mostly internal access)
Misc. game servers (int/ext)
Misc. application servers (ext)
Heavy Netflix/Amazon/YouTube/MMO traffic
Frequent VPN use

Reasons to switch to self-built router:
1. I have a couple machines (C2D, C2Q, SNB i3/i5) and several GbE and Wi-Fi NICs that are all collecting dust
2. Web caching is very enticing from an efficiency/speed aspect (Windows updates, Steam updates, videos, etc.)
3. Centralized ad blocking/security/anti-virus
4. Most routers I've used freeze and need rebooting from the stress
5. With newer AC routers in the $200-300 range, I figure I can build something more robust for less (free)
6. Fun project!

Questions:
1. The machines I have might be overkill for my needs, but would you recommend I use the Q8400, E6320, i3-2120, or i5-3570K?
2. I only have 8GB DDR2, but I have 12-16GB DDR3 sitting around, does that influence the CPU choice at all?
3. Power usage isn't a major concern, but this will be running 24/7
4. What should I use for storage? I don't have any spare SSDs (wouldn't that be nice!), but I have to believe that any old HDD would be fast enough? Yes, no?
5. Any other questions I should be asking?

Thanks!

I tried PFSense 2.1 on a Dell T20 for a little while. I had hardware issues with the built in Haswell NIC. Like you, I had plenty of extra network hardware laying around, so I just threw in a compatible NIC and drove on. I could never get it to work reliably, but I have issues with the limited amount of bandwidth available from my rural ISP. It seemed like things would completely shutdown as the pipe would start to saturate. I ended up using ClearOS and it seems to more gracefully handle network congestion and rate limiting things like Netflix. I really like the ease of use and visibility into who is using what traffic. (It's not netflow or anything, but hey, it's free.)


Now that Pfsense 2.2 is out and the Hardware compatibility is supposedly fixed, I think I will make another run at it. Especially with the enhanced multithreading that came with upgrading the underlying OS to BSD10. The forums over there are great for getting questions answered.


To answer your questions from my limited experience:

1. Review your hardware against the HCL on the pfsense/BSD site. That will save you a lot of headaches. You don't *need* a lot of horse power, but if you want to turn on a lot of extras then it might be good to have.
2. I only run 4gb on mine, but I'm not pushing the throughput you are.
3. The power numbers will almost always be in favor of the small dedicated devices. How much cost difference there is depends, but it's definitely a few dollars a year.
4. I used a 5400 RPM laptop drive for mine. It works OK, but then again I'm not under the load you are. If you are doing packet captures or something taxing, then you will need better storage that can keep up with the line rate of the NIC.
5. Other questions:

Do you have a lot of time to spend doing this? It's gratifying work, but it's a definite time sink. It adds an order of complexity to your home network, so if there are other folks in your house and they have issues, you may have to talk them through some troubleshooting when you're away. It's a lot easier to tell your wife/child "Power down the blue router, power down the black cable modem, power up the black cable modem, plug the blue router back in." than "I'm going to need you to open up putty and SSH into the router..."

 

[joutlaw]

pfSense was pretty picky about NICs. Not sure if that is still the case with 2.2.

I tried a slew of the UTM type solutions. I have had great luck with Untangle with my old Zotac Ion mini-itx machine and USB NIC. It's been rock solid for over a year. It doesn't have a lot of neat ad ons pfSense does, but I prefer the simpler UI.

 

[therealnickdanger]

Thanks for the input so far, everyone. I'll dig into these suggestions and read up on them. I thought I had read that Squid could be manually configured to cache just about any update from an IP range or service, but I'll look into it again.

 

[SunnyD]

I'm currently using pfSense in an ESXi guest and have been doing so for over a year. Works great, can't complain at all.

 

[XavierMace]

I'm currently using pfSense in an ESXi guest and have been doing so for over a year. Works great, can't complain at all.

Ditto.

 

[drebo]

Waste of time and money.

Not even really good to learn on, either.

 

[Red Squirrel]

Currently running it on a Core2Duo 1U box and it's been rock solid. It has much more options and configuration and is much more robust than any SOHO router you'll ever find.

If building a new box from scratch I'd recommend a supermicro 1U Atom box. They're about the size of a switch. Mine is a full length 1U which is kind of overkill but got it for cheap.

 

[CubanlB]

I ran pFsense on a Duron in a shoebox with a 100mb 3com and dlink nic for a year and it was plenty fast for what I was asking it to do. (Not be a VPN server or any other service other than basic ACLs and routes)

Have also ran Vyatta core and Sophos UTM in VMs on Hyper-V.

If you have relatively beefy hardware sitting around just make the box a hypervisor as others have suggested and run whatever software router/firewall you want, as well as get some other benefits of learning a hypervisor platform.

 

[JoeMcJoe]

I use it on an:
Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads
4GB ram.
Isp connection 20/2.
The cpu usage is hardly readable, even with a few OpenVPN connections.

2.2-RELEASE (amd64)
built on Thu Jan 22 14:03:54 CST 2015
FreeBSD 10.1-RELEASE-p4

Pretty good bandwidth monitoring, lots of packages to choose from.

I replaced an Edge Router lite, which was rumored to get pfsense once day, but might never happen.

 

[gsaldivar]

I have several boxes in production, mixed C2D, i7, etc. I have found PFsense to be a remarkably stable and flexible firewall platform. Hardware incompatibility is typically solved in a few minutes by swapping out a NIC. Release 2.2 brings AES-NI hardware crypto acceleration support. Features are easily extended through the many 3rd party packages which can be installed with a single click from within the web interface.

 

[Emulex]

why not use Sophos UTM home edition? It supports many more features and actually can handle SSL virus scanning with optional SSL caching (!dangerous!) to reduce bandwidth!

 

[Zargon]

the only problem I had with pfsense was the 2.5" hdd in the box dying on me

 

[Emulex]

thank god for 120gb samsung evo's for $59 shipped! perfect for a home firewall and then some!

 

[XavierMace]

why not use Sophos UTM home edition? It supports many more features and actually can handle SSL virus scanning with optional SSL caching (!dangerous!) to reduce bandwidth!

Does UTM provide routing functionality as well? I see no mention of that on their site.

 

[Phaetos]

Ditto.

Ya'll are running it as a virtual machine?

 

[CubanlB]

Does UTM provide routing functionality as well? I see no mention of that on their site.

It most certainly does.

 

[XavierMace]

Ya'll are running it as a virtual machine?

Yep. Dedicated one NIC on the hosts as for the WAN port and VLan'd that off so it can't reach the rest of the network.

It most certainly does.

Hmmm, I'll have to check it out then. Thanks.

 

[Emulex]

Does UTM provide routing functionality as well? I see no mention of that on their site.

Yes sophos utm is a full fledged all-in-one that runs in hyper-v/vmware/bare metal and does it all! I don't even use all of the features but the ssl scanning picks up virii in payload now and then which helps a ton!

PITA to setup properly no doubt! but awesome sauce!