Looking to Build a pfSense Box

acoda

n00b
Joined
Mar 24, 2009
Messages
13
I recently switched jobs and my new employer uses a lot of pfSense for firewalls. I am looking to build one for home use, so I can get used to it, that could hopefully serve up routing both wired and wirelessly. I would like it to be no bigger than a slim desktop (hopefully smaller). I know that it does not take much to run, but I was looking for suggestions from people doing the same or a similar thing. Also, what NIC would you recommend for this box?
 
I run mine on a VM. I pass through a dual Broadcom NIC. Obviously an Intel dual NIC would be best.
 
Is it your dedicated firewall handling routing as well? And what OS are you using for the external shell? Specs?
 
Pretty much any mini-ITX board with an available 4x PCIe slot in which you can stick a dual-port Intel Pro/1000 NIC should do the job. You don't need much RAM or CPU speed. An Atom or Zacate board would be ideal due to low power usage. A gig or two of RAM would probably be overkill too.

The NICs are very affordable as server pulls on eBay. Usually you can find a dual-port one for $20 to $30. (New, they cost way too much.)

Another route you can go down is to build a beefier server, throw VMware ESXi on there, and use it for more OSes than just pfSense. This is what I do.

My VMware server hosts pfSense, FreeNAS and Ubuntu Server on a regular basis, plus whatever experiments I am working on at the time.
 
I would go with a Giada N70E-DR.

It comes with dual Intel NICs and a PCIe slot running at 4x, so you could throw a 4-port NIC in at full speed. It'll route at wire speed easily.

Add your case of choice, 2GB of RAM and an SSD and you'll have a super low power, powerful router.
 
Zarathustra[H];1040431066 said:
Pretty much any mini-ITX board with an available 4x PCIe slot in which you can stick a dual-port Intel Pro/1000 NIC should do the job. You don't need much RAM or CPU speed. An Atom or Zacate board would be ideal due to low power usage. A gig or two of RAM would probably be overkill too.

The NICs are very affordable as server pulls on eBay. Usually you can find a dual-port one for $20 to $30. (New, they cost way too much.)

Another route you can go down is to build a beefier server, throw VMware ESXi on there, and use it for more OSes than just pfSense. This is what I do.

My VMware server hosts pfSense, FreeNAS and Ubuntu Server on a regular basis, plus whatever experiments I am working on at the time.

I am wanting to possibly run pfSense on my ESXi box as well. The only thing I don't understand is that if you have pfSense running on the ESXi box and it gets shut down, doesn't that lock you out of using the vSphere client? The pfSense DHCP is giving the ESXi box an IP, so wouldn't that cause everything to go down?
 
I am wanting to possibly run pfSense on my ESXi box as well. The only thing I don't understand is that if you have pfSense running on the ESXi box and it gets shut down, doesn't that lock you out of using the vSphere client? The pfSense DHCP is giving the ESXi box an IP, so wouldn't that cause everything to go down?

Static IPs bro.
 
Uh, you don't let the ESXi box give itself its IP address, Sherlock. :)

Run a Raspberry or something as your local DHCP, DNS, NTP, i.e. all basic services.
 
Static IPs bro.

So just set a static IP in the network configuration on the ESXi box? I am just so used to using the DHCP reservations in the router. I can just set my router as 192.168.1.1 and ESXi as 192.168.1.2, for example, and they will stay separate from each other? Does it need to be 192.168.2.1?

Sorry I'm still learning on this, I learned everything on my own by just playing around and no schooling.
 
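The replies above boil down to one rule: the ESXi host keeps a fixed address on the same LAN as pfSense, outside the range pfSense leases out, so losing the pfSense VM never costs you the management address. As an added illustration (my code, not from any poster in this thread), here is a small Python check of exactly the plan the question describes: pfSense at 192.168.1.1, ESXi pinned to 192.168.1.2, and a DHCP pool for everything else. The pool boundaries (.100 to .199), the `LanPlan` and `check_plan` names, and the sample host list are assumptions constructed for the example; it also goes a step beyond the question by catching an address that sits inside the pool or duplicates another host.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LanPlan:
    network: str                   # the LAN, e.g. "192.168.1.0/24"
    gateway: str                   # pfSense's LAN address, the default gateway
    dhcp_pool: tuple               # (first, last) address pfSense hands out
    static_hosts: dict = field(default_factory=dict)  # name -> fixed address


def check_plan(plan):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    net = ipaddress.ip_network(plan.network, strict=True)
    gw = ipaddress.ip_address(plan.gateway)
    lo = ipaddress.ip_address(plan.dhcp_pool[0])
    hi = ipaddress.ip_address(plan.dhcp_pool[1])

    # The gateway and the pool must both live on the LAN, and the gateway
    # must not be an address that could also be leased to a client.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    if lo not in net or hi not in net:
        problems.append(f"DHCP pool {lo}-{hi} is not inside {net}")
    elif lo > hi:
        problems.append(f"DHCP pool {lo}-{hi} has its ends reversed")
    elif lo <= gw <= hi:
        problems.append(f"gateway {gw} lies inside the DHCP pool")

    taken = {gw: "gateway"}
    for name, addr_s in plan.static_hosts.items():
        addr = ipaddress.ip_address(addr_s)
        if addr not in net:
            # This is the 192.168.2.1 case from the question: a different
            # subnet cannot talk to the gateway without a router in between.
            problems.append(f"{name} {addr} is not on {net}, so it cannot reach gateway {gw} directly")
            continue
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address")
        if lo <= addr <= hi:
            problems.append(f"{name} {addr} is inside the DHCP pool and could be leased to another client")
        if addr in taken:
            problems.append(f"{name} {addr} duplicates {taken[addr]}")
        taken[addr] = name
    return problems


# Constructed sample plans: the one from the question, and two variants that should fail.
GOOD_PLAN = LanPlan("192.168.1.0/24", "192.168.1.1",
                    ("192.168.1.100", "192.168.1.199"), {"esxi": "192.168.1.2"})
WRONG_SUBNET = LanPlan("192.168.1.0/24", "192.168.1.1",
                       ("192.168.1.100", "192.168.1.199"), {"esxi": "192.168.2.1"})
INSIDE_POOL = LanPlan("192.168.1.0/24", "192.168.1.1",
                      ("192.168.1.100", "192.168.1.199"), {"esxi": "192.168.1.150"})

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("wrong subnet", WRONG_SUBNET), ("inside pool", INSIDE_POOL)):
        print(label, "->", check_plan(plan) or "OK")
```

Running the block prints `OK` for the first plan, a single "not on 192.168.1.0/24" complaint for the 192.168.2.1 variant, and a single "inside the DHCP pool" complaint for the .150 variant. The same check is worth repeating for anything else that must survive a firewall outage (switch management, a NAS, the Raspberry Pi suggested above for DNS and NTP), since a DHCP reservation in pfSense only helps while pfSense is up.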
I would go with a Giada N70E-DR.

It comes with dual Intel NICs and a PCIe slot running at 4x, so you could throw a 4-port NIC in at full speed. It'll route at wire speed easily.

Add your case of choice, 2GB of RAM and an SSD and you'll have a super low power, powerful router.

An SSD in a router is not a good move; the amount of writes a firewall does with logging has been shown to bring down pfSense boxes in literally months with SSDs in them.

I guess it depends on your traffic and whether you disable logging or not.
 
Even if you log your complete Internet traffic at 100Mbps, that's a tiny 11-12MB/s. If you log all connections being established, it's WAY less. And finally, if you log what a firewall normally logs (blocked packets), it's nothing.
 
An SSD in a router is not a good move; the amount of writes a firewall does with logging has been shown to bring down pfSense boxes in literally months with SSDs in them.

I guess it depends on your traffic and whether you disable logging or not.

I've found that this REALLY depends on the activity of said router and its logging levels. I've run pfSense in multiple locations off of CF/IDE cards for years at a time.
 
Good to know. I tend to log a lot. I did a few weeks of reading on people who used SSDs in business-level firewalls and they were dead within weeks to months.
 
An SSD in a router is not a good move; the amount of writes a firewall does with logging has been shown to bring down pfSense boxes in literally months with SSDs in them.

I guess it depends on your traffic and whether you disable logging or not.

I've been running my VMware ESXi server off of an old OCZ Octane SSD for about a year and a half now, with the following guests:
- pfSense
- FreeNAS
- Ubuntu Server (running among other things Unifi)

It's still going strong. I haven't disabled any logs or anything.
 
My first pfSense box was a Pentium 3 1U Dell server. It worked well till I switched to fibre internet. In fact, when I updated to pfSense 2.0 it had trouble keeping up with my DSL. But this is a P3 we are talking about; even Windows 98 was bloody slow on that. :p Now I run a Core 2 Duo 1U box and it runs great.

Basically any cheap 1U server you can find will probably do. If building new, I would get one of those 1U Supermicro Atom boxes; they're quite nice and compact, about the same size as a switch.

Personally I'm not a fan of running a gateway firewall in a VM. I'd rather have physical separation between the internal network and the internet. While it should be safe if set up properly, there is always a slight chance that somehow traffic gets onto the VM server itself or the internal network and can then bypass the firewall, e.g. via an exploit in the VM software.
 
Personally I'm not a fan of running a gateway firewall in a VM. I'd rather have physical separation between the internal network and the internet. While it should be safe if set up properly, there is always a slight chance that somehow traffic gets onto the VM server itself or the internal network and can then bypass the firewall, e.g. via an exploit in the VM software.

I was originally a little concerned about that, but through a combination of this security concern and an interest in the most performance, I got a dual port Intel server NIC that I direct IO forward to the pfSense guest, so the guest sees the hardware and runs the drivers for the NIC natively.

I guess it is theoretically possible for some IOMMU based exploit, but it seems rather unlikely. It seems more likely that someone would find an exploit in pfSense directly or a port I accidentally forwarded or something.
 
So just set a static IP in the network configuration on the ESXi box? I am just so used to using the DHCP reservations in the router. I can just set my router as 192.168.1.1 and ESXi as 192.168.1.2, for example, and they will stay separate from each other? Does it need to be 192.168.2.1?

Sorry, I'm still learning on this. I learned everything on my own by just playing around and no schooling.

I finally did try this and can't get it to work properly. I have 2 physical NICs passed through in ESXi to the pfSense VM. When I disconnected my previous physical pfSense router and put the one in ESXi into action, I could no longer access the vCenter client without manually entering the IP of ESXi, 192.168.1.2.

Once I did, I could get pfSense up and running with both the LAN and WAN showing UP links. I could not get the DHCP server to say it was started, though, and I think that was what was causing the issue. If DHCP was up I should be able to switch my NIC settings back to automatic and it should connect, correct?

I'm not sure what is preventing the DHCP server from starting, if that is even the problem. Thanks for the help.

EDIT: It was the dhcpd service causing the issue. I found this error message: pgrep: invalid pid in file '/var/dhcpd/var/run/dhcpd.pid'. I was able to delete the contents of that file, restart the DHCP server, and everything is up and running!
 
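The dhcpd failure in the post above is a classic stale pid file: the service refuses to start because `/var/dhcpd/var/run/dhcpd.pid` holds something that is not a process id (or the id of a process that no longer exists), and clearing the file is the fix. As an added example (my code, not part of the thread or of pfSense), the following Python classifies a pid file the same way `pgrep -F` would judge it and empties it only when it cannot be trusted. The `demo()` scenario builds three constructed pid files in a temporary directory; the function names and the "invalid / stale / running" labels are my assumptions.

```python
import os
import re
import subprocess
import sys
import tempfile

# A pid file should hold nothing but one decimal process id (dhcpd writes
# "1234\n"). Anything else is what pgrep reports as "invalid pid in file".
_PID_RE = re.compile(r"^\s*([0-9]+)\s*$")


def parse_pid(text):
    """Return the pid in a pid-file body, or None if it is not a single positive integer."""
    m = _PID_RE.match(text)
    if not m:
        return None
    pid = int(m.group(1))
    return pid if pid > 0 else None


def pidfile_status(path):
    """Classify a pid file as ('missing'|'invalid'|'stale'|'running', pid)."""
    if not os.path.exists(path):
        return ("missing", None)
    with open(path, "r", encoding="ascii", errors="replace") as f:
        pid = parse_pid(f.read())
    if pid is None:
        return ("invalid", None)
    try:
        os.kill(pid, 0)          # signal 0 only checks existence; nothing is delivered
    except ProcessLookupError:
        return ("stale", pid)    # well-formed, but that process is gone
    except PermissionError:
        pass                     # exists but belongs to another user: still running
    return ("running", pid)


def repair_pidfile(path):
    """Empty the file when it is invalid or stale, as the poster did by hand. Returns True if cleared."""
    status, _ = pidfile_status(path)
    if status in ("invalid", "stale"):
        with open(path, "w"):
            pass
        return True
    return False                 # a running daemon's pid file is left alone


def demo():
    """Constructed scenario: three pid files checked before and after repair."""
    d = tempfile.mkdtemp(prefix="pidfile-demo-")
    cases = {}
    # 1. garbage content, the situation behind the thread's pgrep error
    cases["invalid"] = os.path.join(d, "invalid.pid")
    with open(cases["invalid"], "w") as f:
        f.write("dhcpd\n")
    # 2. a pid that was real, but the process has exited and been reaped
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    cases["stale"] = os.path.join(d, "stale.pid")
    with open(cases["stale"], "w") as f:
        f.write(f"{child.pid}\n")
    # 3. our own pid: a live process whose file must not be touched
    cases["running"] = os.path.join(d, "running.pid")
    with open(cases["running"], "w") as f:
        f.write(f"{os.getpid()}\n")

    result = {}
    for name, path in cases.items():
        before = pidfile_status(path)[0]
        cleared = repair_pidfile(path)
        after = pidfile_status(path)[0]
        result[name] = (before, cleared, after)
        os.remove(path)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    for name, (before, cleared, after) in demo().items():
        print(f"{name:8s} before={before:8s} cleared={cleared!s:5s} after={after}")
```

After repair the invalid and stale files read as "invalid" again because they are now empty, which is the state dhcpd expects to overwrite on its next start; the running case is reported as untouched. The signal-0 probe is the same check a service manager performs before deciding a daemon is really dead, and it is what distinguishes a recoverable pid file from one that belongs to a live process you would rather not restart underneath.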
This looks pretty good:

http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007

I'm thinking about picking up two to use for a fw w/ ipsec vpn.

I got 2 or 3 of these out running Untangle and pfSense; they work great, unbeatable price.... look good too.

I bought them as replacements for the 25 or so Jetway mini-ITX routers I have out and about... the Jetways were much more expensive and ran dual Intels... those no-name boxes work great, I probably should have just got them in the first place... the Jetways ran well, but over the years, due to power surges and lightning strikes, I lost the red interfaces on several... they just sit in my office, I hate to throw them away because the green NIC still works fine...
 