pfSense Router Build

Cino

I've had this setup for a while and would like to share with the masses.. I'm currently running pfSense 2.1 Dev on the below hardware. I've had the box up and running for almost 2 years and it's gone through many changes... Mostly software changes, as this box first ran pfSense 1.2.3, then 2.0Beta to get the LCD display to work, then 2.0BetaIPv6... It currently runs 2.1Dev which includes the IPv6 code. I've never had a high uptime because I'm always making changes, but it did have a 36 day uptime once because I was away for training with my reserve unit. My first router box running pfSense 1.2 had a year uptime since I never messed with it after its setup.

This box has 4 Intel NICs, 2 on the MB and 2 on a PCIe card. I'm using 3 ports today: WAN, LAN, and another is a VLAN trunk. The VLAN trunk allowed me to set up my Linksys/Cisco router (running DD-WRT, AP setup only) with a Guest Wireless VLAN. I didn't want to set up another wireless AP for guests, and since I can set up virtual interfaces on the AP and tie them to a VLAN, it just seemed the right way to go about it. I plan on adding another VLAN for cameras. I use OpenVPN in 2 forms, 1 for remote access and another is a Site-to-Site to my brother's network so I can mess with it from time to time... And to give remote support...lol. As a test, I was able to connect my Verizon 3G USB stick and set up a WAN fail-over. I've removed the 3G USB stick since I use that stick when I'm on the road.

I use the traffic shaper to its fullest. With the setup I have, I can be VPN'd into work moving files, watching a Netflix stream, playing Xbox 360, and downloading 5 torrents with no hiccups. Of course this is over a 50/5 cable modem pipe so that helps too. I set up the "limiter" function so guests that are using the wireless can't hog bandwidth; they get a 5/512k pipe.

With the help of other members on the pfSense forum, I was able to get the LCD display to work. Which is why I got this case to start with... Small form factor, and able to display stats on its screen.

I also set up pound on the box as a reverse proxy. There is a pfSense package that does this but I couldn't get it to run, so I found pound to just work. It allows me to have a FQDN route to different boxes on my network, all via port 80. In the past I would use IIS on my server to allow me to have different web sites on the same IP.. But I also wanted to see my TED5000 (electric monitoring device) through the internet. I was able to do this by assigning a different port in the NAT rules and then having it direct to the box's IP on port 80.. But with this setup I had to remember different port numbers and open many ports on my firewall. Now with pound, all my traffic comes in via port 80. Pound looks at the FQDN and points that FQDN to the internal IP I assigned it to. Now if you browse to my public IP on port 80, nothing is displayed because pound is looking for a FQDN to process the request. Does this make my box less secure? Maybe. But I've thrown everything I have at it and can't break in... Working for an ISP, we have many tools to choose from ;-)

Example all using port 80:
www.homeip.net - 192.168.0.10
ted.homeip.net - 192.168.0.15
whs.homeip.net - 192.168.0.100


Power usage: about 21 watts

Case: M300-LCD Enclosure with Bootable CF Reader, 1 PCI Slot and 2x20 LCD Display
MB: Supermicro X7SPA-HF-O Atom Dual-Core D510/ Intel 945GC/ RAID/ V&2GbE/ Mini-ITX Motherboard
Memory: x2 Kingston 2GB 200-Pin DDR2 SO-DIMM DDR2 667 (PC2 5300) Laptop Memory Model KVR667D2S5/2G
HD: Seagate 160GB (ST9160314AS) 5400rpm SATA2 8MB Notebook
PS: picoPSU-150-XT Power Supply 80W AC-DC Power Adapter Kit
Extras: Intel Dual Port Server NIC, PCIe (Can't remember the model as I already had it)
A special over-priced PCIe ribbon riser so I can use the PCIe slot with this tiny case. Need to open the case back up and take a photo.

pfSense Packages:
arpwatch
Backup
Country Block
Cron
imspector
iperf
LCDproc (hacked to get the LCD in the case to work)
mailreport
nmap
Notes (Comes in handy!)
RRD Summary
Shellcmd
TFTP
vnstat2

ntop (not running right now)
snort (not running right now)

Ports I've added to the system:
pound (reverse proxy for http/https, allows me to direct different FQDNs via port 80 to different boxes on the network)
monit (monitors the system, restarts services if they are down)
freeipmi (allows me to access the IPMI chip for watchdog and temps within pfSense)

LCD setup:
http://forum.pfsense.org/index.php/topic,23919.msg173074.html#msg173074

pound setup:
http://forum.pfsense.org/index.php/topic,33566.0.html

watchdog/freeipmi setup:
http://forum.pfsense.org/index.php/topic,34056.0.html

Some photos (images not reproduced here):
The cable modem is the thin tall one, the other modem is for my phone.. and the Verizon 3G USB stick and the box off to the side by a QNAP 109-II with a 2TB drive in it :)

current load

states

uptime

the dashboard
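As an added illustration (this is not pound's code and not anything from the post), here is the Host-header dispatch that a reverse proxy such as pound performs for the three FQDNs listed above; the mapping uses the post's names and addresses, and the parsing and routing functions are this example's own. Because the Host value is supplied by the client, matching it only selects a backend; it does not restrict who can reach the TED5000 or the other boxes, so each backend still needs its own access control.

```python
"""Host-header dispatch: how a reverse proxy such as pound sends several
FQDNs that all arrive on TCP/80 to different internal boxes.

Added illustration, not pound's own code; the names and addresses are the
ones listed in the post, the functions below are this example's own."""
from typing import Dict, Optional, Tuple

Backend = Tuple[str, int]

# FQDN -> internal host, as in the post's "Example all using port 80" list.
BACKENDS: Dict[str, Backend] = {
    "www.homeip.net": ("192.168.0.10", 80),
    "ted.homeip.net": ("192.168.0.15", 80),
    "whs.homeip.net": ("192.168.0.100", 80),
}


def parse_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, headers).
    Header names are lower-cased; a body, if present, is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def canonical_host(host: str) -> str:
    """Normalise a Host value: drop an optional :port, lower-case it and
    strip a trailing dot. A bracketed IPv6 literal keeps its brackets."""
    if host.startswith("["):                      # e.g. [2001:db8::1]:80
        end = host.find("]")
        return host[:end + 1].lower() if end != -1 else host.lower()
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return name.lower().rstrip(".")


def select_backend(raw: bytes) -> Optional[Backend]:
    """Return the internal backend for a request, or None when the Host
    header is missing or names no configured FQDN. None is the case the
    poster describes: browsing to the bare public IP shows nothing."""
    _method, _target, headers = parse_head(raw)
    host = headers.get("host")
    if host is None:                              # HTTP/1.0 clients may omit Host
        return None
    return BACKENDS.get(canonical_host(host))


if __name__ == "__main__":
    # Constructed sample requests: one per FQDN, plus a bare-IP request.
    for req in (
        b"GET / HTTP/1.1\r\nHost: www.homeip.net\r\n\r\n",
        b"GET /Footprints HTTP/1.1\r\nHost: TED.homeip.net:80\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: whs.homeip.net\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    ):
        print(req.split(b"\r\n")[1].decode(), "->", select_backend(req))
```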
 
10,000 states? boooooooo

Also install the widescreen dashboard package. It's awesomeness.

Cool setup. Love the LCD screen.
 
I have the same setup except the case and extra NIC.

What does arpwatch do?

How come you don't run snort or Squid?
 
I also set up pound on the box as a reverse proxy. There is a pfSense package that does this but I couldn't get it to run, so I found pound to just work. It allows me to have a FQDN route to different boxes on my network, all via port 80. In the past I would use IIS on my server to allow me to have different web sites on the same IP.. But I also wanted to see my TED5000 (electric monitoring device) through the internet. I was able to do this by assigning a different port in the NAT rules and then having it direct to the box's IP on port 80.. But with this setup I had to remember different port numbers and open many ports on my firewall. Now with pound, all my traffic comes in via port 80. Pound looks at the FQDN and points that FQDN to the internal IP I assigned it to. Now if you browse to my public IP on port 80, nothing is displayed because pound is looking for a FQDN to process the request. Does this make my box less secure? Maybe. But I've thrown everything I have at it and can't break in... Working for an ISP, we have many tools to choose from ;-)

Example all using port 80:
www.homeip.net - 192.168.0.10
ted.homeip.net - 192.168.0.15
whs.homeip.net - 192.168.0.100

Just re-read this part. AMAZING. Port forward by hostname. Been looking for something like this for a long long long long long time.
 
@Jay_oasis: a router doesn't need to be pretty, but I hear ya!

@jadams: 10,000 states is hard coded in the lcdproc package; I really have 299000 states available with the memory I have in it. It's hard to see, but it's in the dashboard pic. One day, I'll try to figure out how to display the correct total. I update so often that widescreen would cause me trouble. You have to uninstall it when running updates, I believe.. I gitsync daily....

@AMD_Gamer: arpwatch keeps tabs on the MACs that are on the interface you bind it to. I use this on my Guest Wireless VLAN so I have a log of the MACs to IPs.. DHCP does this but arpwatch keeps it past a reboot. Once the snort package is working again, it will be on my box. Squid is next to come on for logging only... just haven't gotten around to it yet. Used it on 1.2.3, but figured I would wait on 2.0 since there were changes made that broke some packages.
 
@Jay_oasis: a router doesn't need to be pretty, but I hear ya!

@jadams: 10,000 states is hard coded in the lcdproc package; I really have 299000 states available with the memory I have in it. It's hard to see, but it's in the dashboard pic. One day, I'll try to figure out how to display the correct total. I update so often that widescreen would cause me trouble. You have to uninstall it when running updates, I believe.. I gitsync daily....

@AMD_Gamer: arpwatch keeps tabs on the MACs that are on the interface you bind it to. I use this on my Guest Wireless VLAN so I have a log of the MACs to IPs.. DHCP does this but arpwatch keeps it past a reboot. Once the snort package is working again, it will be on my box. Squid is next to come on for logging only... just haven't gotten around to it yet. Used it on 1.2.3, but figured I would wait on 2.0 since there were changes made that broke some packages.

How do you configure squid in logging only mode? I have been having trouble with it and only really want it for lightsquid, can this logging mode still use lightsquid?
 
Does pound support only http/https traffic?

I host a few Source game servers. The default port is UDP27015. I have Counter Strike on 27015, L4D2 on 27035, and TF2 on 27055. Ideally I'd like to keep them all on the same default 27015.
 
Does pound support only http/https traffic?

I host a few Source game servers. The default port is UDP27015. I have Counter Strike on 27015, L4D2 on 27035, and TF2 on 27055. Ideally I'd like to keep them all on the same default 27015.

It only supports http/https traffic.. I don't know if there is such a thing as a UDP reverse proxy since UDP is connectionless; I can't see how it would work.
 
Well then I'm still looking for a true port forward by hostname solution. pound would be handy for some things I have running here though.
 
I would have set it up by directory /www /ted /whs, etc but that's just me.

But the LCD on the case, what can it do? Can you control all functions through it?
 
I would have set it up by directory /www /ted /whs, etc but that's just me.

But the LCD on the case, what can it do? Can you control all functions through it?

What do you mean by directory? I have nothing hosted on this box; it's my router/firewall. What it does is direct inbound web traffic to the different internal IPs based on the FQDN. Back when I had all web traffic go to the same box, I didn't need pound. IIS would handle this based on FQDN, and bring up the correct web directory.

The LCD shows me stats. CPU usage, load, NIC stats, NIC status, how many states are currently being used, disk usage, memory usage, that sort of stuff. I can scroll through the screens using the arrow pad and press the middle button to keep a screen on the display.
 
I love that case, I may have to order one for my OpenBSD firewall.

Depending on your version of OpenBSD, you may be able to use the same driver I'm using. The driver is for i386 though... I've been meaning to compile an amd64 driver but don't have the time to research the steps to do that right now.
 
Hi Cino - love your build! Was just in the market to begin building a pfSense router when I stumbled across your post. Would it be possible to link to each component? I'd like to do a 1:1 match and order parts from as few online suppliers as possible. Preferably Amazon or Newegg, unless the place that sold your case can pre-assemble and ship much of it? I currently have a DOCSIS 3.0 SB6120 cable modem and D-Link DIR-655 802.11n. Won't support DD-WRT or Tomato but does have support for guest wireless. If it would be possible to update your guide for us newbs to follow, it would be much appreciated. Just looking to run pfSense and Untangle. Thank you so much!
 
Hi Cino - love your build! Was just in the market to begin building a pfSense router when I stumbled across your post. Would it be possible to link to each component? I'd like to do a 1:1 match and order parts from as few online suppliers as possible. Preferably Amazon or Newegg, unless the place that sold your case can pre-assemble and ship much of it? I currently have a DOCSIS 3.0 SB6120 cable modem and D-Link DIR-655 802.11n. Won't support DD-WRT or Tomato but does have support for guest wireless. If it would be possible to update your guide for us newbs to follow, it would be much appreciated. Just looking to run pfSense and Untangle. Thank you so much!

I am the proud owner of this box: http://hardforum.com/showthread.php?t=1604496
 
Hi Cino - love your build! Was just in the market to begin building a pfSense router when I stumbled across your post. Would it be possible to link to each component? I'd like to do a 1:1 match and order parts from as few online suppliers as possible. Preferably Amazon or Newegg, unless the place that sold your case can pre-assemble and ship much of it? I currently have a DOCSIS 3.0 SB6120 cable modem and D-Link DIR-655 802.11n. Won't support DD-WRT or Tomato but does have support for guest wireless. If it would be possible to update your guide for us newbs to follow, it would be much appreciated. Just looking to run pfSense and Untangle. Thank you so much!

I got most of my parts from eBay except the case and the riser. The case I got from http://www.mini-box.com/ The ribbon riser came from http://www.adexelec.com/ part # PE-FLEX16R-A-G2-3" My part list includes all the parts that I used and part #s.

You shouldn't have any issues with that cable modem, and as far as your AP, not sure how that could be set up unless it supported VLANs. It may have guest wireless but it may not work since the internet will be on your LAN ports and not the WAN port on your AP. But I really don't know unless I had the hardware to test.

As far as guides go, not sure what you're looking for.. Most of the custom work I did, I already linked to the posts that I created on pfSense's forum.

What are you running Untangle on? I tried to run pfSense and Untangle on this hardware using VMware ESXi but Untangle was way too slow for my liking, so I removed it and went back to a straight pfSense install. Well, an Atom isn't meant to run VMs anyways.
 
I got most of my parts from eBay except the case and the riser. The case I got from http://www.mini-box.com/ The ribbon riser came from http://www.adexelec.com/ part # PE-FLEX16R-A-G2-3" My part list includes all the parts that I used and part #s.

You shouldn't have any issues with that cable modem, and as far as your AP, not sure how that could be set up unless it supported VLANs. It may have guest wireless but it may not work since the internet will be on your LAN ports and not the WAN port on your AP. But I really don't know unless I had the hardware to test.

As far as guides go, not sure what you're looking for.. Most of the custom work I did, I already linked to the posts that I created on pfSense's forum.

What are you running Untangle on? I tried to run pfSense and Untangle on this hardware using VMware ESXi but Untangle was way too slow for my liking, so I removed it and went back to a straight pfSense install. Well, an Atom isn't meant to run VMs anyways.

OK. A couple quick questions:
1.) what would be a good, inexpensive RAM option for the Supermicro X7SPA-H-D525 Mini-ITX motherboard to take it to 4GB total?
2.) is there a card that could be added to add 802.11 a/g/n wi-fi functionality to this setup? this way I could retire my current wireless-n router and make this pfSense box an all-in-one

My goal is to have WAN, LAN and Guest WLAN all with this M-300 case or M-350? I don't actually need the LCD readout although it is a nice touch.
 
OK. A couple quick questions:
1.) what would be a good, inexpensive RAM option for the Supermicro X7SPA-H-D525 Mini-ITX motherboard to take it to 4GB total?
2.) is there a card that could be added to add 802.11 a/g/n wi-fi functionality to this setup? this way I could retire my current wireless-n router and make this pfSense box an all-in-one

My goal is to have WAN, LAN and Guest WLAN all with this M-300 case or M-350? I don't actually need the LCD readout although it is a nice touch.

1: Newegg has the same memory I'm using, which should run on the D525; I have the D510 which is similar. Somewhere on the motherboard page at Supermicro's website is a link to memory they have already tested. Here is a link to Newegg, 2x 2GB sticks for $50 total http://www.newegg.com/Product/Product.aspx?Item=N82E16820134513&Tpk=KVR667D2S5/2G

2: I never put wireless in my box other than a 3G USB modem. I can't recommend one, but here is a link that should help you out. I see there are a couple of N cards. The N standard is still new to the FreeBSD OS, but I've read stuff on the pfSense forum that it does work. http://www.freebsd.org/releases/8.1R/hardware.html#WLAN.

Good luck
 
Very cool build Cino - I am currently starting my path into networking and this is just plain cool :cool:
I am going to be building a pfSense box once the next wave of low wattage components hits the market - any tips?
 
Very cool build Cino - I am currently starting my path into networking and this is just plain cool :cool:
I am going to be building a pfSense box once the next wave of low wattage components hits the market - any tips?

Make sure the case you use has plenty of vents for airflow. After purchasing the case I have, I'm not happy with the airflow as my temps are high, but the temps are within the mfr specs. Having a NIC right over the motherboard doesn't help.
 
Make sure the case you use has plenty of vents for airflow. After purchasing the case I have, I'm not happy with the airflow as my temps are high, but the temps are within the mfr specs. Having a NIC right over the motherboard doesn't help.

Cino - thanks. I've just begun ordering the components you had suggested. So far: mobo, RAM, HDD, but decided to snag an 8-port Trend green gigabit switch since I need more ports.

However, I was about to order the M300-LCD case when I saw your recent post re: ventilation. Would you recommend the Antec Skeleton 90 ($100 USD) instead? Or perhaps one of the other Antec mini-ITX SK series cases here:

http://www.antec.com/Believe_it/product.php?id=MjEwMiY2

Lastly, I couldn't locate pfSense 2.1 Dev build on their web site. Only 1.2.3 release and 2.0 RC3.
 
Cino - thanks. I've just begun ordering the components you had suggested. So far: mobo, RAM, HDD, but decided to snag an 8-port Trend green gigabit switch since I need more ports.

However, I was about to order the M300-LCD case when I saw your recent post re: ventilation. Would you recommend the Antec Skeleton 90 ($100 USD) instead? Or perhaps one of the other Antec mini-ITX SK series cases here:

http://www.antec.com/Believe_it/product.php?id=MjEwMiY2

Lastly, I couldn't locate pfSense 2.1 Dev build on their web site. Only 1.2.3 release and 2.0 RC3.

Their ISK 300-65 case seems cool. It has a half slot so you can add another NIC card into it. I wonder if the front panel could be removed to add a Crystalfontz LCD display to it.. I probably would have gone that route instead of the case I have.

If you're new to pfSense, go with 1.2.3 or 2.0 RC3.. I'm basically running RC3 with added code, so it could break anytime I update the code.
 
Their ISK 300-65 case seems cool. It has a half slot so you can add another NIC card into it. I wonder if the front panel could be removed to add a Crystalfontz LCD display to it.. I probably would have gone that route instead of the case I have.

If you're new to pfSense, go with 1.2.3 or 2.0 RC3.. I'm basically running RC3 with added code, so it could break anytime I update the code.

Thanks again Cino. Ordered my parts today. Went with the Antec ISK300-65. 65W should be plenty of power. Seems you can add a larger power brick and get 100W+ out of the factory PSU.

I'd like to add a dual port gigabit NIC pci-E in addition to the dual on motherboard NIC of the X7SPA-HF-O. Can you confirm which Intel PCI-E dual port NIC card you have that's compatible with pfsense 1.2.3 or higher?
 
Thanks again Cino. Ordered my parts today. Went with the Antec ISK300-65. 65W should be plenty of power. Seems you can add a larger power brick and get 100W+ out of the factory PSU.

I'd like to add a dual port gigabit NIC pci-E in addition to the dual on motherboard NIC of the X7SPA-HF-O. Can you confirm which Intel PCI-E dual port NIC card you have that's compatible with pfsense 1.2.3 or higher?

You have plenty of power there! My box with the display and NIC is around 20-25 watts, I think. When you get that case, let me know if the front panel can be removed. Wondering if it does have a standard 5 1/4 opening but can't fit a full CD drive in it. If the opening is the same size as a CD drive, then I could retrofit a Crystalfontz LCD display into one, I think.

This is the card I used. If you get one like it, it should come with the low-profile bracket:

http://www.google.com/products/cata...a=X&ei=U1QzTpv7D4jDgQfwq9GADQ&ved=0CHQQ8gIwAA

Mine was free as I took it out of a server that didn't need it
 
Hey Cino, I think you replied to a post of mine today over on the pfSense forum.

Anyway, this thread came right on time. I have been researching a mini-itx build for a pfSense install. Slick build man.

By the way, could you post links to how you got the LCD to work? That is pretty dang cool.
 
I'd like to add a dual port gigabit NIC pci-E in addition to the dual on motherboard NIC of the X7SPA-HF-O. Can you confirm which Intel PCI-E dual port NIC card you have that's compatible with pfsense 1.2.3 or higher?

Hi Miles, I have the same X7SPA-HF mobo and have been researching cases to put the board in. I was looking at the same exact case, the Antec ISK 300-65. It looks like a great case for exactly what you are trying to do. I noticed one thing though. I don't think you can secure the expansion NIC card to the case. If you look at the back of the M300-LCD, you can see it has a place to secure the card. I do not see this on the 300-65. Hope I am wrong because I also want to buy the Antec case.

 
OK. A couple quick questions:
1.) what would be a good, inexpensive RAM option for the Supermicro X7SPA-H-D525 Mini-ITX motherboard to take it to 4GB total?
2.) is there a card that could be added to add 802.11 a/g/n wi-fi functionality to this setup? this way I could retire my current wireless-n router and make this pfSense box an all-in-one

My goal is to have WAN, LAN and Guest WLAN all with this M-300 case or M-350? I don't actually need the LCD readout although it is a nice touch.

I bought this RAM and it has worked fine with my Supermicro board
http://www.newegg.com/Product/Product.aspx?Item=N82E16820231265

This is the board I bought

http://www.newegg.com/Product/Product.aspx?Item=N82E16813182243
 
Hey Cino, I think you replied to a post of mine today over on the pfSense forum.

Anyway, this thread came right on time. I have been researching a mini-itx build for a pfSense install. Slick build man.

By the way, could you post links to how you got the LCD to work? That is pretty dang cool.

Small world, right? Was it a Snort question? I hang out on that forum a lot...lol

For the LCD setup, check out this thread http://forum.pfsense.org/index.php/topic,23919.msg173074.html#msg173074
 
Just finished building a pfSense box too. Needed something to replace an old WRT54GL and it works really well. Just need to add a wireless access point and I'm all set. Total cost was ~$300 CAN.

Supermicro X7SPA-HF-D525 Intel Atom
Corsair CMSO2GX3M1A1333C9 1X2GB DDR3-1333 CL9-9-9-24 204PIN SODIMM
MINI-BOX M350 Universal MINI-ITX
PICOPSU-80 with Power Kit


https://www.dropbox.com/gallery/9284282/1/pfSense?h=a2a260

 
Now that is ace! I'm getting rid of my pfSense box and giving an 1841 a try for a bit. No doubt I'll be back to pfSense again soon.
 
I did the following hardware last September or so....Atom D510 on the mobo, 2 gigs of RAM.

Supermicro 1U case, $89.99
http://www.newegg.com/Product/Product.aspx?Item=N82E16811152107
It's a cool case with the I/O ports in the front.

Supermicro Atom D510 board with dual Intel gigabit and IPMI remote module, $219.99
http://www.newegg.com/Product/Product.aspx?Item=N82E16813182238

Seagate Pipeline drive, designed for extra quiet, extra low power, extra low noise, 24x7 running in tight spaces like DVRs. It's an ideal drive for firewall appliances. $49.99
http://www.newegg.com/Product/Product.aspx?Item=N82E16822148556

Have run ESXi on it, Untangle, Astaro, pfSense; feel like doing ClearOS again soon.
 
Hi Miles, I have the same X7SPA-HF mobo and have been researching cases to put the board in. I was looking at the same exact case, the Antec ISK 300-65. It looks like a great case for exactly what you are trying to do. I noticed one thing though. I don't think you can secure the expansion NIC card to the case. If you look at the back of the M300-LCD, you can see it has a place to secure the card. I do not see this on the 300-65. Hope I am wrong because I also want to buy the Antec case.

It does have a slot; it's a half slot. Most dual NICs come with this bracket.
 
Just finished building a pfSense box too. Needed something to replace an old WRT54GL and it works really well. Just need to add a wireless access point and I'm all set. Total cost was ~$300 CAN.

Love the decal! I've been meaning to put one on my box since it has a small plate for one.. I take it you made it yourself?
 