(Part 2) Top products from r/PFSENSE

More pics.

Some info: I used an old IBM server with an Intel Xeon Quad-core CPU @ 2.4GHz & 16GB of RAM. I think the specs may be overkill for what I'm doing, but it's what I had on hand.

I installed a dual port Converged Network Adapter into the computer and then two 850nm MultiMode Fiber transceivers. For those who are unfamiliar, the transceivers plug into the square holes on the Converged Network Adapter. (The square holes are called "SFP+ ports".)

I then connected one side to the the switch from my ISP and the other side to the fiber switch for my home LAN.

I'd be happy to answer any questions, but if you have time, take a look at this article I wrote about my setup. The article has a lot more pictures and a video.

Edit: Also, if there are any logs I can share, or benchmarks I can run, let me know. I'd be happy to do whatever with this thing if it could provide meaningful information to the community.

Edit2: fixed link for network adapter

As u/prutseratwork stated, the pfSense store is where the official pfSense boxes are sold. I don't think that those would really meet your "ungodly amount" criteria. They are insanely expensive for what you're actually getting. Not to say that supporting the team isn't a good cause, because it is. It's a very good cause. But when you need a solution and money is tight, the official store may not be your best option.

pfSense is based on FreeBSD, which does support wifi. However, its use is generally discouraged, because it's trash. If you want to use pfSense, you should also have a separate access point. Note that you can (and likely should) use your existing router for this. You would simply disable the firewall on your current router, making it a switch with built-in wifi, and insert pfSense into your network directly after the modem. So, Modem > pfSense > old router.

Not having the technical ability to build a system is going to be a problem. Your cheapest option is to buy a system that is pre-built, but doesn't come with an SSD or memory. You'll have to purchase those separately and install them yourself. You need to ask yourself if that is going to be too much work - because if so, pfSense is not for you. It's going to be a lot of work and learning.

Pre-built systems (you install SDD, memory, and pfSense)

https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Barebone/dp/B01GIVQI3M/ref=sr_1_1?ie=UTF8&qid=1498485157&sr=8-1&keywords=qotom

https://www.amazon.com/Barebones-Firewall-Intel-Ports-Celeron/dp/B01MEGSMRZ/ref=sr_1_21?ie=UTF8&qid=1498485291&sr=8-21&keywords=qotom

I bought a Qotom box a long time ago for about $150. It had 4 Realtek ports, though. Intel is definitely the preferred solution.


If none of these sound good to you, look into Ubiquiti Security Gateway.

That sounds like way overkill, especially if you've got a decent GPU in there.

Do you know (even ballpark) what the power consumption is of your current setup?

Have you looked at something like this QOTOM box or similar? Maybe a used Netgate box?

I was looking at something like that for a long while, but eventually asked a friend to get me an HP mini-tower (though in person it ain't so mini); quad-core with AES-NI, 8GB RAM (not sure the max, but 4 slots), PCI-e quad-port Intel NIC (plus built-in Intel NIC). All for $140 + ~$50 for the QP NIC. Now I just have to get a small SSD or two for pfSense to run on :)

I think the PSU in that is ~250-300W, haven't set it up and run it as a pfSense box as yet, some infrastructure built-out is needed before I can really test it out.

I needed one in a hurry about a month ago and the Qotom model was showing a long delivery time so I bought this similar system instead. I am fairly certain it is the same system just sold under a different name. I threw in 8GB RAM and a Transcend 64GB mSATA which brough my total cost to around $265.

They work extremely well, rock solid with great throughput. My only complaint is they seem to run a little hotter than I would like.

I am using these Chelsio cards in production. they work great! they used to be the pfsense recommended cards.

https://www.amazon.com/gp/product/B00FAU898K/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

​

Intel X520-DA2 can be found on ebay for cheap as well.

https://www.ebay.com/itm/Dell-Intel-X520-DA2-10Gb-10Gbe-10-Gigabit-Network-Adapter-NIC-E10G42BTDA-Dual/323664686890?epid=1429722311&hash=item4b5beb2f2a:g:sEMAAOSwb8Vbx2UN&frcectupt=true

I've had a great experience with my Protectli box; Brent over there is extremely helpful, too.

I have this specifically: Firewall Micro Appliance with 6X... https://www.amazon.com/dp/B0741F634J?ref=ppx_pop_mob_ap_share

And added my own ram and storage:

Crucial 8GB Kit (4GBx2) DDR4 2400... https://www.amazon.com/dp/B019FRD3SE?ref=ppx_pop_mob_ap_share

Transcend 64GB SATA III 6Gb/s MSA370 mSATA Solid State Drive (TS64GMSA370) https://www.amazon.com/dp/B00K67E5DA/ref=cm_sw_r_cp_apa_i_pGWyDbF9HNGY3

I'd recommend something similar to the Dell Optiplex 3010 Small Form Factor (SFF). While it's not as small as the 3040M it does allow PCIe expansion. $280 seems like a lot. On eBay, I found the 3010 SFF for less than $100. My network is setup for Gigabit but I don't get Gigabit speeds from my ISP unfortunately.

​

• Dell Optiplex 3010 SFF or equivalent SFF
  
  • Very small while still upgradable
    
• Intel 2nd Gen or newer
  
  • I have an i5 3470 and I haven't seen it go past ~10% utilization
    
  • Even an i3 should be perfectly fine
    
• For a NIC, anything Intel that's rated Gigabit
  
  • I got an Intel PRO/1000 VT: https://www.amazon.com/Intel-1000-Server-Adapter-EXPI9404VT/dp/B002JLKNIW/
    
    Edit: I also use SNORT and pfblockerNG.

Take a look at the Qotom Q355G4 in that price range. I just set one up to replace a Zotac CI323 and it's pretty awesome.

Not quite the same price, but I have the n2930 version of this box and it works great: https://www.amazon.com/Jetway-JBC313U591W-3150-B/dp/B01I3JUC84/ref=sr_1_1?ie=UTF8&qid=1475198709&sr=8-1&keywords=n3150+jetway

https://www.amazon.com/gp/product/B004F34ONC/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

Above is the card I'm using and the below motherboard is the one I'm operating off

https://www.newegg.com/Product/Product.aspx?Item=N82E16813157729

[EDIT] So I get the Newegg board has a Realtek - is the Rosewill ok? The Amazon reviews had people saying that it worked well with pfsense. Note I can only use certain size PCI cards with the board

I ended up purchasing one of these: Firewall Appliance from Protectli

I'm supposed to have 1GB from Spectrum but have never seen speeds over 850MB even when directly connected.

I have 39 clients on my network at present moment.

Packages installed: Darkstat, pfBlockerng (Dev), Suricata (only inspecting at this time), ntopng, Syslog-ng, and arpwatch.

I'm extremely happy with my purchase as there seems to be plenty of power when I need it (4K streaming from Plex server) and can handle multiple services (vSphere/Docker homelabs).

Firewall Info

​

​

That makes more sense. That would totally work. Pretty much any router put into access point mode would work. I was using an old Asus router as an access point for a while but it overheated and eventually died. I can highly recommend a Ubiquiti access point. Its what I eventually switched to and I'm extremely happy with it overall.

https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512/

I got this jetway box with an N3150 a couple months ago for about the same price. It's been working great, but I only have 30/5 internet and it doesn't look like it's sold anymore. At the time, it was surprisingly hard to find anything like this with these newer Celeron chips.

I have one of the J1900 models in production now and it works fine. It could handle your connection speed. If you need AES-NI for VPNs, they have an i5 model that is even more powerful but still a good price.

Awesome. I put a build together and will be using the following hardware.

Motherboard

CPU

Memory

PSU

USB Boot Drive

Or just get one of these. Nice and tidy. Only if those are Intel nics though. :)

This is my pfsense board. I think it idles around 12w. Peak at boot is something like 20w. Handles my 100mbps down easily.

Intel D2500CCE Atom D2500 Dual LAN & Dual COM Mini-ITX Motherboard, BLKD2500CCE https://www.amazon.com/dp/B006ICQ3FK/ref=cm_sw_r_cp_apa_kOCiybBSPWW79

My server is a supermicro 8 core Avoton with quad gigabit NICs. There is a 4 core version as well.

Supermicro Atom C2758 64GB DDR3 PCIE SATA USB Mini ITX DDR3 1333 NA Motherboards MBD-A1SRI-2758F-O https://www.amazon.com/dp/B00FM4M7TQ/ref=cm_sw_r_cp_apa_gTCiyb913EVZA

Both have been absolutely solid performers and low power consumers.

> Zotac CI323

So for $239, I can get the CI325 running Intel 3160, with 32gb msata and 4gb ram.

Think that might help via proxy + squid?

https://www.amazon.com/dp/B01MSNGYD1/ref=psdc_13896591011_t4_B01M25WO36?th=1

I am not even sure I am using squid. I use snort and PFBlockerNG. So think the Zotac is good with those?

Your build is way overkill if you ask me and stupidily expensive. You will never see CPU usage above 25%, even with running a VPN as the AES-NI takes care of most of the CPU overhead.

Your mobo is kinda meh, as its a consumer PC board. You should be looking at server grade boards that a built for networking like some of the Supermicro ones.

The 8GB RAM is fine, although you will never see RAM usage anywhere close to 30%, even with running Suricata.

The 250GB SSD is MEGA overkill. The pfSense install is only 4 GB. I have a 30GB SSD and im at only 14% capacity. And thats only because im doing some heavy logging.

And that 400W power supply is gonna kill you on eletricity cost for a 24/7 running firewall.

Have a look at the specs on some of the Firewalls at the pfSense store to get an idea of whats good and fast but not like killing a fly with a bazooka type of system.

Here's my system:

Supermicro A1SRi-2558
Amazon $270


2x4GB RAM @ $90



Supermicro 32GB SataDOM @ $63



M350 enclosure w/ 80 watt picoPSU @ $90

All that came out to $513

I have a 200/20 ISP connection, im running all my traffic over OpenVPN with Suricata on 2 LAN interfaces and my WAN, as well as pfBlocker.

My CPU never goes over 50% and my RAM never goes over 30%.

The one issue with my board is that the although its a quad core, the single core power is kinda weak and ive heard that OpenVPN (which is single threaded) will top out around 300-400 Mbps.

If I was you I would go with this:
Supermicro Motherboard w/ Xeon-D 1508 dual core processor

The single core performance is what will get you to a gigabit VPN performance. Plus it comes with 10G NICS.

Here's a thread I made recently inquiring about that last board I mentioned. Im looking to upgrade sometime in the future when I go gigabit

EDIT: I take that back about VPN speed limit on my mobo. I just upped my ISP speed to 300/30 and I got full speed with only 50% CPU.

Point being, you're going overkill

• Intel D2500CCE Atom D2500 w/ Dual Gigabit LAN
  
• 2 GB RAM (spare part from some laptop)
  
• Antec ISK 300-150 Black Mini-ITX Case
  
• 120 GB 2.5" disk (also a spare part)
  
  Pic
  
  Probably not the most efficient or cheapest build, but it runs like a tank :). Internal power supply isn't terribly efficient, but it's been working fine so far. It's wired into a Cyberpower CP1000AVRLCD UPS.
  
  
  

Anyone ever use or know if this would be a good alternative?
Firewall Micro Appliance

I'd like the SG-2440 but price wise :\

Thoughts?

Interesting question but why not the slightly cheaper

NETGEAR 8-Port Gigabit Ethernet Smart Managed Plus Switch (GS308E) - Desktop https://www.amazon.com/dp/B07PLFCQVK/ref=cm_sw_r_em_apa_i_D-AHDbX4FZ8Z4

I'm building something similar. I'm currently running pfSense in a VM, but I'm looking to move it to its own hardware (for better reliability, since my network depends on it now).

One thing that comes to mind with your build is that the Celeron 847 does not have AES-NI (http://ark.intel.com/products/56056/Intel-Celeron-Processor-847-2M-Cache-1_10-GHz). I don't know if it could keep up with AES OpenVPN connections at 175/175 without it? (unless you're not using AES for encryption, then AES-NI is irrelevant)

I usually use Intel, but I started looking at AMD for this project because lower-end Intel CPUs don't usually have AES-NI, but lower-end AMDs generally do.

I'm looking at this Motherboard/CPU combo:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813130759

http://www.amazon.com/dp/B00IOMFAQ0/

have this installed in about 3 or 4 different offices without issue. reliable af.
also, the SG-3100 is awesome for the price.

https://www.amazon.com/ZOTAC-Fanless-Graphics-Windows-ZBOX-CI325NANO-U-W2B/dp/B01MSNGYD1

ok thanks for the info! ill probably go with the card u/ComradeRabbi recommended [link] (https://www.amazon.com/Intel-PWLA8391GT-1000-Network-Adapter/dp/B00030DEQE/ref=sr_1_3?ie=UTF8&qid=1496175397&sr=8-3)

Connect your computer to the router via an Ethernet cable and do something that causes a bad connection. If you still have problems when you're not using WiFi, it's your router (or ISP). If the problems go away, get a better WiFi AP.

Generally, it's a good idea to have separate devices for your router/gateway, Ethernet switch, and WiFi AP. If one of them breaks, you aren't 100% screwed, and you can easily replace, upgrade, or move one part without worrying about the others (like repositioning/upgrading your WiFi AP, adding a second AP for better coverage, or getting a larger switch for more devices).

If you do have issues with your router, you can buy an old Dell Optiplex 755 desktop on eBay for under $30. Throw in a second $12 Ethernet card for a WAN port, install OPNSense (it's forked from PFSense, but isn't dropping support for slightly older CPUs), connect an Ethernet switch (they're cheap, but be sure to get a gigabit one) and a WiFi AP of your choice, and you have a business-grade network for under $100.

I use this for remote users to host pfSense and create an openVPN tunnel. Works well. https://www.amazon.com/Firewall-Appliance-Gigabit-Celeron-AES-NI/dp/B07G9NHRGQ/ref=mp_s_a_1_1?keywords=protectili&qid=1573162367&sr=8-1-spell

>https://www.amazon.com/gp/product/B00FAU898K/ref=ppx\_yo\_dt\_b\_search\_asin\_title?ie=UTF8&psc=1

Thank you! What makes the Chelsio cards so great?

I do not run snort but i can say that the ram is easily upgrade-able. You could also get this version that has 4gb of ram and a quad core.

https://www.amazon.com/Firewall-micro-appliance-Gigabit-pfSense/dp/B01JHJGG5M/ref=sr_1_3?ie=UTF8&qid=1487516929&sr=8-3&keywords=pfsense

Ended up going with this:

BLKD2500CCE Intel Desktop Board D2500CC Innovation Series BLKD2500CCE

M350 Universal Mini-ITX PC enclosure PicoPSU compatible;

Mini Box PicoPSU-150-XT 12V DC-DC ATX power supply

192w AC-DC Power Adapter, 12v 16A


Edit: and grabbed this... cause ya know... maybe 8gb will work, maybe i'll use it for my sophos build after this. aw yeah.

http://www.newegg.com/Product/Product.aspx?Item=N82E16820231294

Edit:

I should def go x64 2.2 right?

Thanks, i thought I had added ECC. Changed it to this.

 

Looking into the cooling issue, seems the case supports 2x 40x40x10 fans. Not much but should be enough?

Would http://www.amazon.com/Supermicro-Atom-C2758-Motherboards-MBD-A1SRI-2758F/dp/B00FM4M7TQ fit the bill?

I have one of these:

http://www.amazon.com/gp/product/B00ESM97OQ/ref=oh_details_o04_s00_i00?ie=UTF8&psc=1

It works really well. I have extremely complex firewall rules using pfblocker and a slew of other items and I can push about 650 Mbps between my two local networks. I also am running snort and squid+squidguard on another port and with those two in action I can push about 250 Mbps. More than enough for me. I am also running OpenVPN as well and it all runs fine. The unit was a little bigger than I had anticipated but still small overall.

Some people mention that getting Atoms is a waste because you can get a core-i3 for a bit more, but I was looking for really low power and cheap.. Whatever you get make sure it has Intel NICs as they are a lot more stable.

Ended up buying this guy? https://www.amazon.com/gp/product/B002JLKNIW/ I figured even if its wrong or not great I'm just experimenting for now on. Thanks for the help!

That card uses a Realtek chip. I've never known a realtek nic to not cause some trouble sooner or later. I'd get this instead. Link

https://www.amazon.com/Ubiquiti-Networks-802-11ac-Dual-Radio-UAP-AC-PRO-US/dp/B015PRO512/ref=sr_1_3?ie=UTF8&qid=1510088168&sr=8-3&keywords=unifi+ac+pro&dpID=31zGaGUPhaL&preST=_SX300_QL70_&dpSrc=srch

Here's intel (dual port SFP+) for $190.99

https://www.amazon.com/10Gtek-E10G42BTDA-Ethernet-Converged-X520-DA2/dp/B01DCZCA3O/ref=sr_1_7?ie=UTF8&qid=1523560615&sr=8-7&keywords=10gtek&th=1

This guy has the same core count but higher clock than netgate's SG3100

https://www.amazon.com/Supermicro-DDR4-Socket-Motherboard-X10SDV-2C-TP4F/dp/B01FYD9T5Y

I just recently switch to a quad core model on amazon total cost was $315. It was a barebones system and you had to get the ram and hdd for it. Works fine, my speeds have never been stable but I can atleast spike to 925MB/s (it averages 750 depending on where I test it). I feel my limitation is the provider not the hardware as others have stated it is fine for gigabit.

Here is the hw i got:

http://www.amazon.com/gp/product/B01MEGSMRZ/

http://www.amazon.com/gp/product/B006YG8X9Y/

http://www.amazon.com/gp/product/B00K67E5DA/

There are plenty of them.. I would stay away from the tplink ones, atleast the older models had no way to remove vlan 1
https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I
$39.99
https://www.amazon.com/NETGEAR-8-Port-Gigabit-Ethernet-Managed/dp/B07PLFCQVK/ref=pd_lpo_sbs_147_t_1?_encoding=UTF8&psc=1&refRID=9BFKWNJS9X83S2G5PWYN
$32.99
I show the new gss108e over on amazon for $29.99 does vlans
https://www.amazon.com/NETGEAR-Gigabit-Managed-Lifetime-Protection/dp/B00R92CLJA

>http://www.amazon.com/gp/product/B00ESM97OQ/ref=oh_details_o04_s00_i00?ie=UTF8&psc=1

We carried the Jetway Atom boards for a while. We stopped. I don't think I have to explain why.

> Whatever you get make sure it has Intel NICs as they are a lot more stable.

Word. We're putting a lot of focus on the new 'Rangeley' Atom SoCs, which are nothing like the Atoms you know. They benchmark out like a Nalahem-era Xeon, but are extremely low power (< 20W TDP for the 8 core variant.)

Intel is fighting back against ARM, and the multi-core Atom is its weapon of choice.

(edit: spelling)

I installed the latest 2.5 snapshot (09-APR-2019) and it is very unstable. My gateway conx has bad packet loss and the entire pfSense box will freeze up after a couple hours, requiring a restart.

​

I'm running it on a Protectli quad core 1.8 ghz celeron with AES-NI enabled. https://www.amazon.com/gp/product/B07G9NHRGQ/ref=oh_aui_search_asin_title?ie=UTF8&psc=1

​

I'm going to go back to 2.4 I guess.