pfSense Box?

Hello everybody...

I've decided to run pfSense on my network. I don't know much about the best hardware to get. I purchased a 1U server on Craigslist and thought I was good to go....To my surprise...this server is so loud that I didn't even get pfSense installed before I shut it off.

So, I guess my question is....What's a good/reasonably priced 1U (I prefer rackmount) server to purchase for pfSense that is quiet?

Thanks!

EDIT: Here is a link to the loud server
 
What are your requirements? VPN tunnel access? What is your internet connection? 1U and quiet don't go well together.
 
Best bet is probably to run through the pfSense forums and see what others are using. Pick out the cases that most closely match your bandwidth and application needs and go from there.

About the only direct advice I can give is to make sure that whatever you buy, its CPU supports AES-NI. v2.5 will require it.
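
Added example, not part of the post above: one way to check a candidate box for AES-NI before installing, by parsing the CPU feature list that FreeBSD/pfSense prints at boot (`Features2=...<...,AESNI,...>`) or the Linux `/proc/cpuinfo` flags line from a live USB. The function names and the four sample lines are constructed for illustration.

```shell
#!/bin/sh
# has_aesni: read CPU feature text on stdin; exit status 0 if AES-NI is advertised.
has_aesni() {
    awk '
        # Linux /proc/cpuinfo: "flags : fpu vme ... aes ..." (exact token match)
        $1 == "flags" {
            for (i = 2; i <= NF; i++) if ($i == "aes") found = 1
        }
        # FreeBSD dmesg: "  Features2=0x...<SSE3,...,AESNI,...>"
        /Features2=/ {
            s = $0
            sub(/^[^<]*</, "", s)   # drop everything up to the opening "<"
            sub(/>.*$/, "", s)      # drop the closing ">" and anything after
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_host: pick the feature source available on this machine and report.
check_host() {
    if [ -r /var/log/dmesg.boot ]; then src=/var/log/dmesg.boot   # FreeBSD / pfSense
    elif [ -r /proc/cpuinfo ]; then src=/proc/cpuinfo             # Linux live USB
    else echo "no CPU feature source found" >&2; return 2
    fi
    if has_aesni < "$src"; then
        echo "AES-NI: present ($src)"
    else
        echo "AES-NI: not advertised ($src)"; return 1
    fi
}

# Constructed sample lines (not taken from any real machine).
SAMPLE_FREEBSD_OK='  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>'
SAMPLE_FREEBSD_NO='  Features2=0x40e31d<SSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>'
SAMPLE_LINUX_OK='flags : fpu vme sse2 ssse3 sse4_1 sse4_2 popcnt aes rdrand'
SAMPLE_LINUX_NO='flags : fpu vme sse2 ssse3 cx16 movbe lahf_lm'

# Run against the local machine only when asked: sh script.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```

The flag shows what the firmware exposes to the OS, so a CPU that supports AES-NI can still report it missing if the feature is switched off in the BIOS.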
 
Thanks for the replies...

My requirements are basic...this setup is just for a small office... basically just a router.... although I may want to be able to connect remotely to the network via VPN to access a file server... this isn't 100% required because I can access it other ways if I need to.
 
The motherboard I have used for mine for years is an Intel D2500CC-

a good little dual core processor, I had mine packed with 4gb of ddr3 ram and it has dual gigabit nics onboard.

It is a great board runs it perfect no issues, and it is low power.

you can find them on ebay for around 100 bucks or less
 
1u, quiet, pre-built, and inexpensive? I don't think you're going to get all four. The problem with 1U rack servers is that the required cooling fans are so small, it will be nearly impossible to get a "quiet" solution. Rack-mounted devices are designed to go into server rooms, not in the office, so noise isn't a concern. You could probably mess around with disabling fans, or purchasing aftermarket quiet fans, but I don't think you'll ever get "quiet" unless it is specifically a fanless operation.

You might look into the Alix APU systems. Pre-built here, or buy the individual parts for a bit cheaper direct from the manufacturer. These are going to be more traditional sized, and not rack mountable, but should do nicely for a small office - depending on your needs.

I personally went with an AMD AM1 solution - Asus mATX board, 2 GB RAM, spare laptop hard drive, and a low profile HP server pull dual gig NIC, and am using a 2U rack case I got on a good sale at newegg. With relatively little heat generation, and 80mm fans, it doesn't make much noise. Unfortunately, the AM1 processors and boards are now scarce.
 
I run mine on a Celeron N with dedicated intel NIC. Including inbound VPN
 
The motherboard I have used for mine for years is an Intel D2500CC-

a good little dual core processor, I had mine packed with 4gb of ddr3 ram and it has dual gigabit nics onboard.

It is a great board runs it perfect no issues, and it is low power.

you can find them on ebay for around 100 bucks or less

The D2500 doesn't appear to support AES-NI, so unfortunately it's no longer a good choice for a new install. Which is too bad, because otherwise a dual-gigabit Atom board should work well for most basic home setups.
 
I love rackmount boxes and noise is not an issue for me so went with a used server I got (think it was from a member here actually) but one thing that is an issue is that a full blown PC hardware box uses a lot of power for something as basic as a firewall, so at some point I might look at something smaller.

These boxes look very intriguing: https://store.netgate.com/SG-1000.aspx
 
I've got the D2500 based intel board as well and it's been solid for the past 3 years. No AES support won't be fun, but I need to upgrade anyway as the CPU is maxed when you hit about 500-600mbit of throughput.
 
Just curious what does AES (or any other encryption) support mean in terms of a firewall? I always figured a firewall operated at a rather low layer (layer 3?) and does not care about the nature of the data, and just passes on the packets based on the basic meta information (IP, ports etc). Does it actually do any kind of decrypt/encrypting or something where not having support will slow down traffic?
 
have you checked for any settings that would allow lower fan speeds?

I have a server that's like that and I was able to turn fans down.

Also if you know wiring at all you can wire some resistors to slow them down if you're ambitious enough
 
Just curious what does AES (or any other encryption) support mean in terms of a firewall? I always figured a firewall operated at a rather low layer (layer 3?) and does not care about the nature of the data, and just passes on the packets based on the basic meta information (IP, ports etc). Does it actually do any kind of decrypt/encrypting or something where not having support will slow down traffic?

The main use of AES is in VPN encryption. If you have it, the hardware acceleration will be much faster than the software implementation of it. A lot of the other resources needed can be provided by the NICs themselves, so they handle the hardware offloading making the amount of CPU usage relatively slim. If you're not planning on using VPN encryption then just about any Intel processor should be adequate for today's needs. An old Pentium 4 is still a beefy processor compared to a lot of the low end soho devices, and I'm pretty sure can route well over 100mbps without breaking a sweat. It wouldn't surprise me in the least that the D2500 is more than capable of handling gigabit throughput, especially since you can pair it with comparatively large amounts of memory and use a lot of hardware offload if you have good NICs.

The terms Layer 2 - 3 really don't apply to devices any more IMHO. Even a "layer 2" switch can do ACL filtering that comes from layer 4 (TCP / UDP). PFSense can easily do Layer 7 filtering, and just about any soho device on the market is at least layer 4 if not up to layer 7. IIRC even a small cisco ASA can do web content filtering, which is layer 7. The thing is you don't need to enable all of those features if you don't want them. It's up to you if you want to block access to certain websites, filter out traffic, etc etc. By default the firewall is not decrypting any traffic (Nor would it be able to) so it's not attempting to decrypt traffic, filter it, then encrypt it again. If you're not doing a lot of filtering or running other services on top of the server, you don't really need to worry about CPU or memory usage.
 
It wouldn't surprise me in the least that the D2500 is more than capable of handling gigabit throughput,

My D2500 is maxed out at about 600mbit going one way (using Intel NICs). No VPN or crazy rules running either...
 
My D2500 is maxed out at about 600mbit going one way (using Intel NICs). No VPN or crazy rules running either...

Yea my bad. I was thinking closer to a Core 2 Duo than the atom part that it is. I'd have to go look now but now I'm trying to remember if that was actually faster than a Pentium D. To put into context the D2500 was released Q3 2011, meaning we're talking about a 6 year old atom processor.

EDIT: Is it bad I can't even find a review of that processor? If I had to guess the Pentium D might actually win out against one of those. The 330 dual cores were really poor, but I seem to recall the D2500 being a lot better.
 
The main use of AES is in VPN encryption. If you have it, the hardware acceleration will be much faster than the software implementation of it. A lot of the other resources needed can be provided by the NICs themselves, so they handle the hardware offloading making the amount of CPU usage relatively slim. If you're not planning on using VPN encryption then just about any Intel processor should be adequate for today's needs. An old Pentium 4 is still a beefy processor compared to a lot of the low end soho devices, and I'm pretty sure can route well over 100mbps without breaking a sweat. It wouldn't surprise me in the least that the D2500 is more than capable of handling gigabit throughput, especially since you can pair it with comparatively large amounts of memory and use a lot of hardware offload if you have good NICs.

The terms Layer 2 - 3 really don't apply to devices any more IMHO. Even a "layer 2" switch can do ACL filtering that comes from layer 4 (TCP / UDP). PFSense can easily do Layer 7 filtering, and just about any soho device on the market is at least layer 4 if not up to layer 7. IIRC even a small cisco ASA can do web content filtering, which is layer 7. The thing is you don't need to enable all of those features if you don't want them. It's up to you if you want to block access to certain websites, filter out traffic, etc etc. By default the firewall is not decrypting any traffic (Nor would it be able to) so it's not attempting to decrypt traffic, filter it, then encrypt it again. If you're not doing a lot of filtering or running other services on top of the server, you don't really need to worry about CPU or memory usage.

Ohh right VPN, yeah so I guess that is only if you run it on PFsense directly. In my case I have a separate VM for that so it would not matter.
 