Hardware for PfSense

Burner27

I was looking into using this as my PfSense router, but am wondering if it will be underpowered? I have Spectrum's top tier service (300 down/20 up); I will be using Squid and other 'website filtering' techniques available on PfSense as well. Possibly VPN down the road.

http://ipc.msi.com/product/pages/ipc/MS-9A65.html

If I am underpowered, what do you recommend? Not opposed to building a PC for this purpose either.

Thank you in advance.
 
That should be fine for your needs. I've read of a number of people running the J1900 with several hundred Mb down, squid, VPN, and a few other services. If you want something with a little more oomph, I've seen the Lenovo RS140 on woot for ~$300.
 
It'll work, but the wireless is pointless and the form factor is a little large for what it is.

https://www.amazon.com/gp/aw/d/B01C...+4+lan+4gb&dpPl=1&dpID=51JfwLeaK2L&ref=plSrch

That for $200 shipped with 4GB memory and 32GB SSD is the way to go. That's what I use, and that's the same seller I got it from.

That's a nice little box! I went with a custom built system using the AM1 quad core athlon. With the local Microcenter discounts, I got either the CPU or the motherboard free, so only about $30-$40 for MB/CPU. I had some DDR3 RAM and a spare hard drive, picked up a used HP server NIC from fleabay for about $15.00. When I found a sale, I splurged on a 2U rackmount case. All told, I have less than $100 for the router. If you had to purchase all parts, it would come up a bit more.

The reason I went with the AM1 platform is that it has built-in AES encryption acceleration, something missing from the J1900 platform, and it was cheap and relatively low powered. I am set up in a closet in the basement, so small was not a requirement.
 
As an Amazon Associate, HardForum may earn from qualifying purchases.
Am curious, how important is the AES encryption acceleration?
 
AES acceleration on pfSense is hit and miss. It helps quite a bit with CPU usage on IPSEC but generally doesn't speed things up much, unless you are talking about underpowered CPUs like the old AMDs. OpenVPN normally sees minimal speed increases, and in some cases sees a speed loss.

It's all how OpenVPN (and different processes) handle AES acceleration.

Basically, unless you have an internet connection with a 100mbit upload speed, you'll never notice the difference.
 
So go for the box I posted in my first post or go with something beefier? I have a Linux box for my Plex server that I could do without. It has the following specs:

Intel 6700K
16GB Ram
Gigabyte Z170i Mobo
Samsung 960 Pro 512GB
Intel Dual port 1Gbe NIC

Overkill?
 
pfsense really doesn't need a ton of power. It depends more on how fast your connection is. The J1900 with 4gb of ram will be more than fine with <300Mbps connection and several packages running. pfsense would rather have more RAM than CPU.
 
My connection now is 300/20. I just don't want to hardware limit myself when/if I upgrade to faster service.
 
Thanks to everyone for their input. Still not sure if I should just virtualize pfsense and Plex on the 6700K box instead. Only expense would be to get a dual/quad port NIC instead of buying a whole box. Does anyone see any pitfalls with virtualizing pfsense? Use ESX or HyperV?
 
Should be fine. Just be very careful that you properly separate your WAN and LAN virtual switches/VLANs/etc. so you don't accidentally expose other guests directly to the Internet. I'd also set the boot order to make sure that if you have to restart the host the pfSense guest is first to come up.

Main drawback is that you're reliant on your VM host for Internet access.

If you have a VLAN-capable switch you don't even need multiple NICs on the VM host. Simply create a VLAN for the WAN and assign it to a single port to which the modem/etc. is connected, then trunk it and any other VLANs to the VM host. Internet throughput could suffer if you have more than a few hundred Mb available to you, however.
 
There's a big difference between pfSense as a firewall and pfSense as a "UTM" (Unified Threat Management) - turn on Suricata/Snort, Squid proxy and Squidguard, and another security package or three and you are putting a lot more strain on your pfSense hardware.

That's why I wouldn't touch that J1900 crap. It's not that expensive to get an Intel CPU with AES-NI and QuickAssist - get that with 2+ cores and 2+ GHz speed and you will be in pretty good shape. There's a reason why pfSense sells Intel Atom Rangeley-based units.

If you want a vanilla firewall, get their $150 unit (https://store.pfsense.org/SG-1000.aspx) complete with support. Otherwise, if you want to use security features I'd get an Intel CPU as I described above. My buddy has one of these and he has been happy (https://store.pfsense.org/SG-2220/) - but no QuickAssist so YMMV.

If you prefer to build your own, take a look at what SuperMicro offers with pre-builts with IPMI built-in - real cool stuff.
 
Thanks for your input. I was thinking the J1900 may be underpowered if I start activating packages. I don't want to get a unit from pfsense as I would rather control/upgrade the components as I see fit. Can you link me to some of those SuperMicro units you spoke of please?

Thank you
 
I have a 150/20 connection from Comcast. I'm running a j1900 with 4gb of memory with suricata and pfblockerng with no problems. I wouldn't try to run more than a 250 connection on it with those packages running.

Also, for the record AES-NI and quickassist have absolutely no effect on the overall throughput of the device, including running IDS packages. The only thing AES-NI and quickassist affect is IPSEC performance.
 
Agree - not much real/practical benefit from AES-NI or QAT for most home users. More of a "feel good" effect.

QAT will also assist SSL sign/verify when pfsense 2.4 is released (with OpenSSL 1.1). So if you are running HAProxy with SSL offload on the pfsense box it might help a tad - but unless you are landing some especially active web sites you probably won't notice.
 
Why do they sell the Atom Rangeley CPUs with their stuff? On paper it looks to be an inferior CPU compared to the J1900. At least that's what it looks like from CPUBOSS website. Did I miss something?
 
Rangeley is inferior to J1900? I don't think so...at least not the C2558/C2758. At the lowest end, C2358, perhaps. But I don't think anyone here was suggesting the 2 core Rangeley. Except for the little one, Rangeley offers more clocks/core, more RAM, more PCIe, more SATA ports, more (and better) native GigE ports, etc., etc.
 
If you want to run your home lab off of something - this is awesome. For around $2500 you can have an 8 core Haswell-E Xeon with 128GB ECC RAM and a lot of nice, fast storage. :) Virtualize your pfSense security gateway, your NAS, etc. all in one bad-ass unit.

For just a firewall, this is $500 - but you could easily do ESXi on this and run your firewall on it and a few other commodity things (depending on the memory and storage configuration you opt for).

Sites like CPUBoss are pretty much garbage because they do not take a lot of things into account outside of raw speed. AES-NI, QuickAssist, Intel Virtualization technologies (VT-x, etc. - to help with VMware) - all can make a HUGE difference with your application, depending on what you want to do.

The pfSense/Netgate stuff may seem expensive but if you really want to control everything and do it on the cheap - just go with some old hardware you have laying around and toss pfSense on it. It supports most x86 systems. Even old appliances from vendors like WatchGuard, Infoblox, etc. can make great repurposed pfSense boxes.

It's all in what you want to do and what you want to spend.

Good point. The Atom Rangeley stuff just buys you a lot of niceties over the J1900 IMO. VPNs are a big use case these days - but if you're not going that route you can save some coin.

I overbought (just pulled the trigger today) with a SG-4860 (C2558) so I can run whatever packages I want and use the little device for various projects. Right now it is going to do some sniffing and snooping on a public wi-fi spot I am setting up with a captive portal (along with a FortiWiFi-90D). In the future it may have to replace my current primary firewall (Palo Alto PA-500) if I can't get a new NFR license from my employer.

I also picked up an SG-1000 to play with - at $150 it has a lot of potential for parents/friends houses or even for one offs like running pihole or something.

pfSense/Netgate appliances fit my need and I get to help the project - so it's a win-win.
 
Look at post #7. Although overkill, it has been suggested I could use that for hosting VMs--one of them being pfsense. Rather than spend the $$ on either of the firewalls you suggested--wouldn't that work?

So in my original post (post #1) I should forget that machine I was thinking about?
 
The MSI all-in-one J1900 is not well suited for firewall/security gateway work - plus, it's over $400. There are better options - like that SuperMicro that I linked to.

The 6700K box can go crazy and handle everything - VM and your virtual pfSense or whatever. If you already own it - toss pfSense in there and see how it goes and how you like it. If you're looking to drop $400 on a box like that MSI one you may as well just buy something from pfSense/Netgate in an appliance. Or go a bit further and get a SuperMicro box based on C2558 - search for SuperMicro and C2558 and you can get SOC/motherboards only or get ones that include a case and everything but memory/storage...

EDIT: if you need add'l NICs in that 6700K box - these are dirt cheap on eBay and work great. They're Intel 82571EB Gigabit NICs and are fully supported in VMware ESXi should you go that route. Shows up as a "Intel(R) PRO/1000 PT Dual Port Network Connection" in Windows 10 with the default Microsoft drivers and they're fully supported by Intel in Windows 10. Just bought 2 more of 'em on eBay for $10 each lol.
 
I happen to have that NIC as well--maybe I was destined to build it myself? Which VM host route do you suggest?
 
VMware ESXi is free if you're willing to blow away the whole box and let VMware take it over - http://www.vmware.com/products/vsphere-hypervisor.html. You can always virtualize a Windows desktop for yourself - there's even pretty cool stuff being done with NVIDIA GPUs that make gaming via virtual environments no longer a joke.

Otherwise, I'm a VMware guy so Workstation (Windows) or Fusion (OS X) is a solid route if you need to have one of those OS' running and can't let VMware take over at bare metal.

On the free side, I've seen good things from VirtualBox - but not a ton of experience there. Even Microsoft's Hyper-V or whatever it is now is supposed to be pretty awesome if you have access to Server code.
 
Out of curiosity, do you happen to know if the latest version of pfsense will install directly onto a PCIe based m.2 SSD?
 
I ask because I tried in the past and it didn't work. If you use a SATA-based m.2 SSD it works. But not a PCIe based one.
 
Another reason why it's nice to just buy a pfSense/Netgate appliance. :)

You're not going to gain anything from a firewall/security-perspective by having PCIe versus SATA, anyway.
 
I know but if I don't have to spend the money and I can use the box I stated in post # 7, why not--right? ;)
 
You'd have better luck with VMware - run the Hypervisor on that box and then virtualize pfSense (and many other VMs).
 
I run my pfSense virtually on ESXi. Runs great.
 
I have been buying used Dell 1U rack servers on craigslist for PFSense. I swap their hard drive for whatever the smallest SSD I can get - usually a 40GB and attach it however possible. I do this for reliability not speed.

I look for dual core xeons (core 2 duo era) with 2-4gb of ram and a dual Intel 1gbps NIC.

I typically pay $20-40 for the server tested and working (these are basically worth nothing).

I have deployed about 10 of these units. The most "taxed" is serving 80 people on a 150/150 connection. CPU and memory usage are well within acceptable. Knock on wood I have yet to have a unit fail, but noise is a concern if it were in a home office.
