Custom built PC vs Netgate SG-3100

LFaWolf

Gawd
Joined
Aug 7, 2016
Messages
743
I am looking at either building a simple PC using spare parts or buying the Netgate SG-3100. This is for a home office, and we are getting lots of DDoS attacks, and I am concerned whether my current router, a NETGEAR 4-Stream WiFi 6 Router (RAX15), can handle it well.

Custom PC parts, which I believe should be adequate -
Intel i7-3700S or 3770T, both can handle AES-NI
ASUS Rampage IV Gene Gen3 M-ATX
16GB DDR3
250GB SSD

Here is where I don't know how to start -
1. Do I need to buy an Intel NIC? I read and found the Intel i350-T4 to be compatible. So do I plug in from the Comcast modem (WAN) to any one of the ports?
2. Do I connect one of the ports to my local LAN switch?
3. I need WiFi, so do I connect another port to my WiFi router's LAN port?
4. What is the correct way of doing this - should I enable DHCP and DNS on this machine and disable DHCP/DNS on my current router, or should I continue to use the DHCP/DNS of my current router?

My concern is that I have never used pfSense before, and I wonder how easy it is to install (via a bootable USB drive, I believe?) and configure, vs using the SG-3100 that has all the settings preset? And how long does it take to set up a very tight configuration? Is there any "preset" configuration that I can download?

Thanks in advance for any help or pointers.
 

Farva

Extremely [H]
Joined
Feb 3, 2004
Messages
36,660
Intel NICs work best. You still need to configure the correct NIC for your WAN and LAN interfaces. You'll want to connect your LAN interface to your switch if you want to use more than one device at a time.

If you have a SOHO router, you can do DHCP forwarding from pfSense, and you'll need to change the default IP on your SOHO router. So if pfSense is 192.168.1.1, you'll want to make your SOHO router's IP 192.168.1.2.
 

LFaWolf

Gawd
Joined
Aug 7, 2016
Messages
743
Yes, I read about associating the right ports with WAN and LAN, but is the Intel NIC that I listed a compatible one? Again, I am looking for someone who is using the SG-3100 or pfSense and can share some experience and info.
 

Farva

Extremely [H]
Joined
Feb 3, 2004
Messages
36,660
That NIC will work fine. I haven't used any Netgate product, but they are pretty expensive for what you can find in some other whitebox product, or even building your own.
 

LFaWolf

Gawd
Joined
Aug 7, 2016
Messages
743
Cool. Yes, I was thinking the Netgate appliance is pretty expensive for what I get.
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,194
Get the quad 1Gb PCIe cards off eBay for cheap. But always Intel for server applications.
 

Burner27

Supreme [H]ardness
Joined
Oct 23, 2000
Messages
6,436
Am using an SG3100 currently. It's okay, but if you intend on running multiple packages like Snort or pfBlockerNG at the same time, you're going to tax the thing. You'd be better off sticking with that custom PC as it has more horsepower than the SG3100. Granted, you're going to use more power than the SG3100, but you will be able to run multiple packages. Definitely get an Intel NIC as those work best. For WiFi, I am using a Ubiquiti WAP. Setup is uber easy for pfSense. During the setup, it will ask you to plug in your WAN first, then LAN, and then provide you with the IP address for you to log on to the router. After that it's all GUI based.
 

LFaWolf

Gawd
Joined
Aug 7, 2016
Messages
743
Am using an SG3100 currently. It's okay, but if you intend on running multiple packages like Snort or pfBlockerNG at the same time, you're going to tax the thing. You'd be better off sticking with that custom PC as it has more horsepower than the SG3100. Granted, you're going to use more power than the SG3100, but you will be able to run multiple packages. Definitely get an Intel NIC as those work best. For WiFi, I am using a Ubiquiti WAP. Setup is uber easy for pfSense. During the setup, it will ask you to plug in your WAN first, then LAN, and then provide you with the IP address for you to log on to the router. After that it's all GUI based.
Thank you! That is helpful. I am planning to use Snort, pfBlocker, and OpenVPN. Looks like it might be too much for the SG-3100. I thought about the SG-5100, but that was $700 and I think a bit overpriced. Guess I will give the custom PC a shot with pfSense.
 
Joined
Mar 3, 2017
Messages
571
I am looking at either building a simple PC using spare parts or buying the Netgate SG-3100. This is for a home office, and we are getting lots of DDoS attacks, and I am concerned whether my current router, a NETGEAR 4-Stream WiFi 6 Router (RAX15), can handle it well.

Custom PC parts, which I believe should be adequate -
Intel i7-3700S or 3770T, both can handle AES-NI
ASUS Rampage IV Gene Gen3 M-ATX
16GB DDR3
250GB SSD

Here is where I don't know how to start -
1. Do I need to buy an Intel NIC? I read and found the Intel i350-T4 to be compatible. So do I plug in from the Comcast modem (WAN) to any one of the ports?
2. Do I connect one of the ports to my local LAN switch?
3. I need WiFi, so do I connect another port to my WiFi router's LAN port?
4. What is the correct way of doing this - should I enable DHCP and DNS on this machine and disable DHCP/DNS on my current router, or should I continue to use the DHCP/DNS of my current router?

My concern is that I have never used pfSense before, and I wonder how easy it is to install (via a bootable USB drive, I believe?) and configure, vs using the SG-3100 that has all the settings preset? And how long does it take to set up a very tight configuration? Is there any "preset" configuration that I can download?

Thanks in advance for any help or pointers.
The hardware should be fine. I'm on a Dell OptiPlex SFF with a 4590 and it sits at 1%. That NIC is what I have in my pfSense box as well and it is great. I seem to remember something about pfSense wearing out SSDs, though there is a setting to deal with that. Something about log files, but I don't remember.
 

Burner27

Supreme [H]ardness
Joined
Oct 23, 2000
Messages
6,436
Thank you! That is helpful. I am planning to use Snort, pfBlocker, and OpenVPN. Looks like it might be too much for the SG-3100. I thought about the SG-5100, but that was $700 and I think a bit overpriced. Guess I will give the custom PC a shot with pfSense.
For the amount of money I spent on the SG3100 and the amount of money being asked for the SG5100, you can build a more powerful machine. Your machine is definitely better than either of the Netgate options.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
I recently put together a pfSense box. I based my build off of Netgate's XG-7100, which is listed for $799 on their site. The parts I used are as follows:
Supermicro Motherboard MBD-A2SDI-4C-HLN4F-B Intel Atom Mini-ITX PCI Express SATA USB Brown Box, along with a TimeTec DDR4 2400MHz ECC Unbuffered 2x 8GB kit for around $110.
I got this for a boot drive: Silicon Power 256GB NVMe M.2 PCIe Gen3x4 2280 SSD (SP256GBP34A60M28). The performance is really good and it comes in cheaper than $899, plus you can add way more RAM or storage down the road. Even adding a power supply and a case, it's still cheaper. You can always add a 10GBASE-T Intel X550 PCIe 3.0 x4 card down the road if you need 10Gb.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
The only bad thing about the Supermicro board I suggested in my post is that they give you an x4 slot and most SFP+ network cards are x8 physical. So you are limited to an RJ45 10GBASE-T NIC. That's if you were thinking of running direct attached copper cable.
 

ComputerBox34

[H]F Junkie
Joined
Nov 12, 2003
Messages
11,812
You are seeing DDoS attacks on a consumer-based ISP connection? Are you hosting something?

The upper echelon of pfSense Netgate boxes are merely rebranded Supermicro servers. I bought this earlier this year for a box to handle a 1G/1G connection: https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E200-9B.cfm

Performs fine and is low power to boot, with support for AES-NI. Don't forget to adjust the IPMI settings when you get a box like this, as the IPMI failover option can cause ARP to fail on the shared interface if pfSense and IPMI are fighting over use of the interface.
 

LFaWolf

Gawd
Joined
Aug 7, 2016
Messages
743
You are seeing DDoS attacks on a consumer-based ISP connection? Are you hosting something?

The upper echelon of pfSense Netgate boxes are merely rebranded Supermicro servers. I bought this earlier this year for a box to handle a 1G/1G connection: https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E200-9B.cfm

Performs fine and is low power to boot, with support for AES-NI. Don't forget to adjust the IPMI settings when you get a box like this, as the IPMI failover option can cause ARP to fail on the shared interface if pfSense and IPMI are fighting over use of the interface.
Nope, not hosting anything. The attacks come and go, lasting a few minutes each, and happen maybe 2 to 3 times a day. It seems like the attackers are poking around or looking for vulnerabilities, but I am not sure.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
You are seeing DDoS attacks on a consumer-based ISP connection? Are you hosting something?

The upper echelon of pfSense Netgate boxes are merely rebranded Supermicro servers. I bought this earlier this year for a box to handle a 1G/1G connection: https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E200-9B.cfm

Performs fine and is low power to boot, with support for AES-NI. Don't forget to adjust the IPMI settings when you get a box like this, as the IPMI failover option can cause ARP to fail on the shared interface if pfSense and IPMI are fighting over use of the interface.
That's a nice box. I upgraded from an N3700 CPU. The N3700 is fine until you want or need to do an OpenVPN connection. The C3558 is much faster for OpenVPN.
 

scrappymouse

Weaksauce
Joined
Mar 18, 2016
Messages
124
Nope, not hosting anything. The attacks come and go, lasting a few minutes each, and happen maybe 2 to 3 times a day. It seems like the attackers are poking around or looking for vulnerabilities, but I am not sure.
Those may just be Shodan scanners; there is a decent guide on blocking them here. I block those on my inbound WAN port; in addition, I block all inbound private IP addresses attempting to come into my WAN port, as there should never be a need for that. I get hits on those firewall policies very often. If you haven't used it, check out Shodan.io; it's essentially a scanner for the internet.
 
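As an added illustration of the "block inbound private sources on WAN" policy from the post above (example code, not from the thread or from pfSense), this classifier decides which inbound WAN sources should never be seen from the public internet. It generalizes from RFC 1918 to the other reserved ranges a bogon rule normally covers; the sample records are constructed, and the names are my own.

```python
# Added example: evaluate the "never accept private/reserved sources on WAN"
# policy against constructed sample records. Not pfSense code; pfSense builds
# an equivalent rule from its "Block private networks" / bogon options.
import ipaddress
from typing import Iterable, Tuple

# RFC 1918 private ranges plus other ranges that must never arrive as a
# source address from the public internet (loopback, link-local, CGNAT
# shared space, "this" network, multicast, reserved). IPv4 only here.
NEVER_ON_WAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",         # this-net, mcast, reserved
)]


def is_bogon_source(src: str) -> bool:
    """True if src falls in a range that should never be an inbound WAN source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_ON_WAN)


def wan_inbound_verdict(iface: str, direction: str, src: str) -> str:
    """'block' for inbound WAN traffic from a bogon source, otherwise 'pass'.

    Only inbound packets on the WAN interface are subject to this rule; the
    same private source on LAN, or outbound on WAN, is normal traffic.
    """
    if iface == "wan" and direction == "in" and is_bogon_source(src):
        return "block"
    return "pass"


# Constructed sample records (interface, direction, source IP); 203.0.113.0/24
# is a documentation range standing in for an ordinary public address.
SAMPLE: list = [
    ("wan", "in", "192.168.55.7"),   # spoofed or misrouted private source
    ("wan", "in", "100.64.3.9"),     # CGNAT shared space
    ("wan", "in", "203.0.113.44"),   # ordinary public source: passes this rule
    ("lan", "in", "192.168.1.20"),   # private source on LAN is expected
    ("wan", "out", "192.168.1.1"),   # outbound, not covered by the rule
]


def summarize(records: Iterable[Tuple[str, str, str]]) -> dict:
    """Count verdicts, the way a firewall rule's hit counter would."""
    counts = {"block": 0, "pass": 0}
    for iface, direction, src in records:
        counts[wan_inbound_verdict(iface, direction, src)] += 1
    return counts


if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec, "->", wan_inbound_verdict(*rec))
    print(summarize(SAMPLE))
```

A public source such as a Shodan scanner passes this particular rule; it only catches sources that have no business arriving on WAN at all, so scanner blocking needs a separate list-based rule as the post says.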

Burner27

Supreme [H]ardness
Joined
Oct 23, 2000
Messages
6,436
I am wondering if I should just sell my SG3100 and get one of those Supermicro boards.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
I am wondering if I should just sell my SG3100 and get one of those Supermicro boards.
It's cheaper to just buy the Supermicro board and RAM than to buy any of the Netgate routers. Netgate is selling you a warranty with it as well. The higher-end ones let you use their TNSR software, which is not really meant for home users. Just invest in a good 2U server case and power supply. Then you only need to upgrade the motherboard and RAM in the future.
 

Burner27

Supreme [H]ardness
Joined
Oct 23, 2000
Messages
6,436
Any thoughts about running pfSense as a VM? I have the following machine sitting dormant and I think it would be cool (and way friggin' overkill) for a pfSense machine:

Intel Xeon E5-2650L CPU
16GB DDR4-3000
256GB SSD
Gigabyte mATX motherboard
 

LazyGamer

Weaksauce
Joined
Sep 1, 2020
Messages
125
Any thoughts about running pfSense as a VM? I have the following machine sitting dormant and I think it would be cool (and way friggin' overkill) for a pfSense machine:

Intel Xeon E5-2650L CPU
16GB DDR4-3000
256GB SSD
Gigabyte mATX motherboard
I've seen people do it and I've played with it a bit; the biggest issue is making sure that your logical isolation is as bulletproof as it can be relative to the physical isolation that an on-metal installation would provide. Choice of NIC and host OS need to be taken into consideration.
 

Burner27

Supreme [H]ardness
Joined
Oct 23, 2000
Messages
6,436
Makes me think I should just make it overkill and install pfSense directly on it then. The NIC is a quad-port i350 card.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
I would.
Makes me think I should just make it overkill and install pfSense directly on it then. The NIC is a quad-port i350 card.
I would sell the i350 card and get an X550-T2 10GBASE-T NIC. The Supermicro boards will have multiple ports on them, usually 4.
 

Grebuloner

Gawd
Joined
Jul 31, 2009
Messages
865
I would.

I would sell the i350 card and get an X550-T2 10GBASE-T NIC. The Supermicro boards will have multiple ports on them, usually 4.
Ugh, no. If you don't have >1Gbps service, there's no need to put a faster, power-hungry NIC in the system; it's just a waste of money. I have the i350-T4 in my own pfSense box (among others), and it works wonderfully.

Also relevant to an older unanswered question in the thread, as well as the SSD specs from Burner: yes, if not set up correctly, pfSense can wear out an SSD. It's the stupid log files, mostly, writing several gigs a day at least. There is a setting to use a RAM disk for /var and /tmp. Make sure they have at least 400MB of space available, each. I found with the new update that the default 200MB wasn't enough and it caused problems.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
Ugh, no. If you don't have >1Gbps service, there's no need to put a faster, power-hungry NIC in the system; it's just a waste of money. I have the i350-T4 in my own pfSense box (among others), and it works wonderfully.

Also relevant to an older unanswered question in the thread, as well as the SSD specs from Burner: yes, if not set up correctly, pfSense can wear out an SSD. It's the stupid log files, mostly, writing several gigs a day at least. There is a setting to use a RAM disk for /var and /tmp. Make sure they have at least 400MB of space available, each. I found with the new update that the default 200MB wasn't enough and it caused problems.
Yeah, I was thinking of future proofing. The i350-T4 is a good card. I'm in a situation where I can get 1Gbps service, but the modems now have 2.5Gbps ports and there are no Intel NICs that are 2.5Gbps or 5Gbps. You have to get a 10GBASE-T NIC.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
Yeah, I was thinking of future proofing. The i350-T4 is a good card. I'm in a situation where I can get 1Gbps service, but the modems now have 2.5Gbps ports and there are no Intel NICs that are 2.5Gbps or 5Gbps. You have to get a 10GBASE-T NIC.

Do you guys know of any 2.5Gbps or 5Gbps NIC cards that can fit in a PCIe 3.0 x4 slot and work well in pfSense?
 

Grebuloner

Gawd
Joined
Jul 31, 2009
Messages
865
Do you guys know of any 2.5Gbps or 5Gbps NIC cards that can fit in a PCIe 3.0 x4 slot and work well in pfSense?
The only one available that works in pfSense is the Intel X550-T1 or -T2 (single/dual port), at a cost in the $300 range for either model. It is a 10G-capable NBASE-T card. The Marvell/Aquantia AQ10x cards won't be supported until FreeBSD 13 is the base OS.

The new Intel i225s haven't made it to AICs yet. It's still too early in the market; even 2.5G/5G switches are just coming around.

Realtek has a cheap single-port 2.5G PCIe x1 card ($30), but they're not great for pfSense.

Networking hardware development for the home (or even business) isn't exactly fast paced. Product lifecycles are over 10 years long. The i225 is expected to be produced until 2034. The same stuff only gets cheaper if you wait, and of course there's the lovely enterprise pennies-on-the-dollar used selloffs.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
The only one available that works in pfSense is the Intel X550-T1 or -T2 (single/dual port), at a cost in the $300 range for either model. It is a 10G-capable NBASE-T card. The Marvell/Aquantia AQ10x cards won't be supported until FreeBSD 13 is the base OS.

The new Intel i225s haven't made it to AICs yet. It's still too early in the market; even 2.5G/5G switches are just coming around.

Realtek has a cheap single-port 2.5G PCIe x1 card ($30), but they're not great for pfSense.

Networking hardware development for the home (or even business) isn't exactly fast paced. Product lifecycles are over 10 years long. The i225 is expected to be produced until 2034. The same stuff only gets cheaper if you wait, and of course there's the lovely enterprise pennies-on-the-dollar used selloffs.

There is no BSD driver for the Realtek cheap single-port 2.5G PCIe x1 card ($30), but they're not great for pfSense. I was hoping to throw one of these in and get a 2.5Gbps connection to the cable modem's 2.5Gbps port, but no dice it seems.

The difference in cable internet 1Gbps service speed is 940Mbps vs 1.2Gbps for a 1Gb port vs a 2.5Gbps port.
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
It seems the Intel X550 10GBASE-T NIC doesn't auto-negotiate 1Gb/2.5Gb/10Gb in BSD?
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936
It does work, it just says "unknown" for the autonegotiated speed. There seem to be some oddities in the driver as well as a weird lack of official support from pfSense itself (even in the upcoming 2.5.0).

Netgate forum thread on the matter.
Seems like the only option is the X550-T1. Do you think this 10Gtek card is fine, or do I need official Intel? 10Gb PCI-E NIC Network Card, Single Copper RJ45 Port, PCI Express Ethernet LAN Adapter Support Windows Server/Linux/ESX, Compare to Intel X550-T1
 

123Lanoix

2[H]4U
Joined
Nov 13, 2005
Messages
3,936

Grebuloner

Gawd
Joined
Jul 31, 2009
Messages
865
I just needed something to connect my cable modem's 2.5Gbps port to my router. I already have a 4-port 1Gb Intel NIC.
Yeah, prices are way up there, but this is new tech territory, and working in a tight open source ecosystem like pfSense/FreeBSD can really limit options for us regular people. The good news is that 2.5Gb is always backwards compatible with 1Gb, so it will work, no matter what. This is why I suggest you just wait until you have >1Gb service. By that time, you'll be able to get the cards and infrastructure at a better price as 2.5/5 adoption flourishes.
 

Burner27

Supreme [H]ardness
Joined
Oct 23, 2000
Messages
6,436
I am gonna stick with my i350-T4 card for now. I don't have 1Gbps service now, nor do I think it is worth it for the asking price where I live.
 

bigddybn

Supreme [H]ardness
Joined
Nov 21, 2006
Messages
7,204
There is a Realtek driver for their 2.5Gbps card for FreeBSD; it was just released in August. You just need to add it to pfSense. It's really easy using this command under "Diagnostics - Command Prompt". Execute this command ---> " pkg add https://pkg.FreeBSD.org/FreeBSD:11:amd64/latest/All/realtek-re-kmod-v196.04_2.txz" Once installed, pfSense will recognize the card.
There is a world of difference between "the card is recognized" and "the card performs worth a damn." Stick with Intel here.
 

bigddybn

Supreme [H]ardness
Joined
Nov 21, 2006
Messages
7,204
Any thoughts about running pfSense as a VM? I have the following machine sitting dormant and I think it would be cool (and way friggin' overkill) for a pfSense machine:

Intel Xeon E5-2650L CPU
16GB DDR4-3000
256GB SSD
Gigabyte mATX motherboard
Aside from the physical security concerns listed above, I found it to be a pain in the ass simply because "messing" with the VM host risked taking the internet down, and the associated family wrath. That's a service that's best run on dedicated hardware.
 