pfSense build - advice

Churnd

It's my first build & I could use some guidance. What I hope to do:

  1. Firewall
  2. DHCP Server
  3. Local DNS Server & DNS forwarder (caching maybe?)
  4. OpenVPN Server
  5. Snort

Right now I have an Apple Airport Extreme base station which is my primary router. I'd turn it into an access point & let pfSense handle DHCP stuff.

Here's my parts list:

1 - SYBA SY-ADA40050 Mini-SATA to 2.5" SATA Adapter
1 - StarTech PNL9M16 9 Pin Serial Male to 10 Pin Motherboard Header Panel Mount Cable
2 - Crucial 1GB 204-Pin DDR3 SO-DIMM DDR3 1066 (PC3 8500) Laptop Memory Model CT12864BC1067
1 - Wintec 4GB mSATA Solid State Disk 33100003
1 - OEM Production 2550L2D-MxPC Intel NM10 Black Mini / Booksize Barebone System - OEM

My home network is 30Mb/s down, 3Mb/s up & I actually get those rates.

My two main concerns:
  1. Is this enough horsepower for what I want to do?
  2. Will my throughput be affected at all?

I'm also still learning pfSense, so if some of the stuff doesn't make sense, that's why.

I don't plan on having multiple vLans or the need for more than one WAN & one LAN port on this appliance. I have the Airport Extreme LAN ports & also a Netgear GS108T switch. The Netgear isn't doing anything other than basic "switching" right now.

Truth be told, I might want to play around with other options later as I discover them, so if you think I might get bit by that, tell me now.

Thank you, sirs & madams
 
I'd double the memory if using snort and use an old laptop HDD for storage to keep costs down. pfSense loads into memory and doesn't really use storage for more than logs while running. The serial port is not strictly needed- I've never actually bothered accessing my pfSense boxen over serial.
Horsepower is more than enough.
You actually only need 1 physical NIC with pfSense 2.x- you can configure all of your nets as VLANs and essentially make your L2 switch into a kick-ass L3 switch. At home, I'm too cheap and lazy to throw a spare 3COM 905b in my pfSense box, so I just have WAN and LAN on VLANs connected to my switch. If I want to set up a separate LAN for testing, I just create a new VLAN and go to work.
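The "one physical NIC, everything on VLANs" layout described in the post above, as an added example that is not from the thread or from the pfSense project: it shows the FreeBSD commands pfSense drives under its GUI (pfSense itself keeps this in config.xml and names the interfaces differently, e.g. em0_vlan10). The trunk NIC name em0, the VLAN tags 10 (LAN), 20 (WAN) and 30 (test LAN) and the addresses are constructed assumptions. It runs in dry-run mode by default, so it only prints what it would do; the pf rules at the end are the point of the exercise: a test VLAN created "to go to work" on should be blocked from the trusted LAN, and the switch port facing the firewall must be configured as a tagged trunk for exactly these VLANs and nothing else.

```shell
#!/bin/sh
# Added example, not from the thread: the FreeBSD-level commands behind a
# single-NIC, multi-VLAN pfSense box. Assumed (constructed) layout:
# trunk NIC "em0" carries tagged VLAN 10 (LAN), 20 (WAN) and 30 (test LAN).
# Set DRY_RUN=0 on a FreeBSD host to execute; the default only prints commands.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_if TRUNK TAG: FreeBSD's dotted name for a tagged subinterface (em0.10)
vlan_if() {
    printf '%s.%s\n' "$1" "$2"
}

# vlan_up TRUNK TAG ADDR/PREFIX: create the tagged subinterface and address it
vlan_up() {
    trunk=$1; tag=$2; addr=$3
    ifn=$(vlan_if "$trunk" "$tag")
    run ifconfig "$trunk" up
    run ifconfig "$ifn" create vlan "$tag" vlandev "$trunk"
    run ifconfig "$ifn" inet "$addr"
}

# isolation_rules TRUNK TESTTAG TESTNET LANTAG LANNET: pf rules that keep the
# test VLAN away from the trusted LAN while still letting it reach the internet.
# "quick" makes the block win before the later, broader pass rule is consulted.
isolation_rules() {
    trunk=$1; testtag=$2; testnet=$3; lantag=$4; lannet=$5
    test_if=$(vlan_if "$trunk" "$testtag")
    cat <<EOF
block in quick on $test_if from $testnet to $lannet
pass in on $test_if from $testnet to any
EOF
}

# Demo (dry run by default): LAN and test LAN get static addresses, the WAN
# tag is addressed by the ISP's DHCP server.
vlan_up em0 10 192.168.10.1/24
vlan_up em0 30 192.168.30.1/24
run ifconfig "$(vlan_if em0 20)" create vlan 20 vlandev em0
run dhclient "$(vlan_if em0 20)"
isolation_rules em0 30 192.168.30.0/24 10 192.168.10.0/24
```

The untagged (native) VLAN on the trunk port should not carry any of these networks; if the switch leaves it as VLAN 1 with the rest of the switch, a host on the test VLAN that can strip its tag lands on whatever network VLAN 1 is. The pf rules are only a sketch of what pfSense generates from its GUI rules; on a pfSense box the interface-level rules are edited there, not in pf.conf.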
 
I'd double the memory if using snort and use an old laptop HDD for storage to keep costs down. pfSense loads into memory and doesn't really use storage for more than logs while running. The serial port is not strictly needed- I've never actually bothered accessing my pfSense boxen over serial.

How much space am I going to need to keep logs? 4GB drive isn't enough? I just hate the idea of setting up a new appliance with a spinning disk.

I read on pfSense's forums that the GPU on that box's chip isn't fully supported with FreeBSD 8.1, so I might need the serial cable during initial setup.

Horsepower is more than enough.
You actually only need 1 physical NIC with pfSense 2.x- you can configure all of your nets as VLANs and essentially make your L2 switch into a kick-ass L3 switch. At home, I'm too cheap and lazy to throw a spare 3COM 905b in my pfSense box, so I just have WAN and LAN on VLANs connected to my switch. If I want to set up a separate LAN for testing, I just create a new VLAN and go to work.

Well, the thing is it's only an 8 port switch & I also have an ESXi/ZFS All-In-One & I'm thinking I might want to save the switch for ESXi stuff, but I can see how it might be handy to have with pfSense. Or get a bigger switch. I hate being broke. Also, I read that using VLANs taxes the CPU more?
 
I'd just get a slim-mount USB thumb drive and put the OS on there... forget all the adapters...

http://www.newegg.com/Product/Product.aspx?Item=N82E16820171587

That's what I was trying to get at- saving you money. All of that stuff simply isn't necessary.
I can't give you any specific CPU usage numbers on VLANs, but it is negligible- you may be thinking VPNs, which can be taxing, depending on encryption type and bit strength.

As to the video, it is hard to imagine no video- you only need it for text-mode setup, and that doesn't exactly need a lot of graphics features...
 
As to the video, it is hard to imagine no video- you only need it for text-mode setup, and that doesn't exactly need a lot of graphics features...

No, there is a bug with the newer Intel graphics; I've heard of what he's talking about... not experienced it myself though...
 
No, there is a bug with the newer Intel graphics; I've heard of what he's talking about... not experienced it myself though...

Hadn't heard that one- how do you screw up VGA compatibility? Must have been a case of the Mondays.
The serial port is probably the cheapest option- PCI-e is only x1, so unless you had an x1 video adapter lying around, the only other option I can think of would be to get a barebones with IPMI/remote management and use the screen viewer.
 
My only thought is about the NICs in that unit. Broadcom 57788's, I didn't see them on BSD's compatibility list.
 
My only thought is about the NICs in that unit. Broadcom 57788's, I didn't see them on BSD's compatibility list.

It says FreeBSD compatible: http://www.oemproduction.com/products/2700L2D-MxPC.asp

However, it might not be in the latest stable release: http://forum.pfsense.org/index.php?topic=49292.0

I wonder when 2.1 will drop? I don't even see it.


Edit: Ah, http://snapshots.pfsense.org

Good catch... looks like if I want that unit, I'd need the latest 2.1 snapshot. Good thing is it's RC status. Bad thing is I have no idea how stable that is for pfSense. Can anyone comment?
 
I've run 2.0RC1 for quite a while. No specific issues, just read the release notes and see what's known as non-functional.
 
You can always run pfSense on spare hardware- a P4 is more than enough for your plans.

Yeah, but I don't have any spare hardware. Plus, I need something more reliable than old clunky hardware so the wife doesn't get upset from it going down all the time. :)

You could also make the argument that putting a low power device in place will pay for itself over time versus a full blown, power hungry PC.
 
Well, I found that the OEM Production box will work fine with 2.0.1, or 2.1 RC... either one.


Now I'm wondering if I want to spend $100 more for Intel NICs vs Broadcom: http://www.newegg.com/Product/Product.aspx?Item=N82E16856107095

I know Intel NICs are better, but I'm poor & it's $100.

I run 20 or so of those Jetways w/ Untangle and they run great... problem I have with them as a router is that the setting for auto power-on after a power failure doesn't work (I can't say I've tried updating the BIOS lately) so that really sucks for places that have power outages... have to have somebody on site to hit the power button on the front... only one LED on the front as well and by default it's plugged into the HDD activity header... I always swap that over to the power header...
 
I'm running pfSense on a P3 server that used to be a NetScreen appliance. I have trouble getting the CPU or RAM above 20%. I think it has 1GB of RAM, but it might actually be less.

With 50 ping -f sessions going on simultaneously, the CPU is at 19%. That's an insane amount of packets being processed. Most of them are being lost because I'm saturating my internet feed.
 
I used to run mine on an older Watchguard x2500 but the fans are just WAY too loud for that. I currently have it on a 2GHz Celeron with 1GB of RAM and it runs fine.

I'm just debating getting the D2500CCE myself because I'd imagine (without doing the numbers) that I would save on both heat (cooling) and electricity using a lower wattage source than a big old box that should have been retired long ago.
 
You could also make the argument that putting a low power device in place will pay for itself over time versus a full blown, power hungry PC.

You could, but you'd probably be wrong. Unless your electric costs are exorbitant (higher than California) the actual power consumption costs will be on the order of $5-$10/month (for an 'old inefficient' machine). Power consumption becomes an issue when you multiply small differences across an enterprise.
Anything else is just an argument to buy a new toy to play with. You'll save FAR more energy switching to Energy Star HVAC, fridge, and lighting than you will running an old computer vs. new.
If you really are THAT concerned about energy draw, use a donor laptop.
 
I'd be saving about 55 dollars a year on electricity going with a 30W box over a desktop (say 100W) at $0.09/kWh... but that's not really my concern as much as heat is.

At this point in my life I've pretty much broken down my VMware labs and sold them off in favor of running everything on one big Win7 desktop box which runs my ESXi labs on top of VMware 9 - all of this so that the room doesn't feel like an oven when I step into it. :)

Between my gaming computer (lab box), my wife's computer and the firewall it can get pretty hot in the room until things start getting turned off or powered down.

Add in how much the AC costs to cool the room and the prices start going up a bit as well. For me it's more comfort (and less fan noise) over the silly $50 a year that I'd save.
 
I used to run mine on an older Watchguard x2500 but the fans are just WAY too loud for that. I currently have it on a 2GHz Celeron with 1GB of RAM and it runs fine.

I'm just debating getting the D2500CCE myself because I'd imagine (without doing the numbers) that I would save on both heat (cooling) and electricity using a lower wattage source than a big old box that should have been retired long ago.

Yep, I think I will end up building one myself or waiting for the newest generation of Atoms to release first. I really like the fact that you can get this down to probably ~15W idle and have no moving parts. That is, if you install a small SSD and it has no fans.

I am running pfSense off of a Thinkpad T60 right now. I have an Intel gigabit card running off of this in the mini PCIe slot. http://www.buydvb.net/pm2c-pcie-mini-pcie-adapter_p17.html I just had to remove the keyboard, but it works great and only has around ~20W idle numbers just using the old Core 2 Duo.

Here's another cheap case option.

http://www.directron.com/emc600bl.html
 
As of now, I have two different decisions to make:

  1. Broadcom vs Intel NICs
  2. Buy OEM/JetWay or build from Supermicro parts

I know Intel NICs are better, but will I actually notice a difference in this case? I guess it boils down to the driver. Thoughts?


If I do go the Intel NIC route, I'm considering building the whole thing myself. I'd go with a SuperMicro Mini-ITX board w/ an Atom proc, then get a decent case. If I go the Intel route, I'm going to pay for it some other way, so might as well do it right.
 
Yeah, the Supermicro boards tend to start at $180 and go up from there... I use those in all my rackmount equipment (routers + PBXs)

That board linked from Logic Supply is all Intel for < $100... no reason not to get it tbh

If more of those Jetway boards' NICs get struck by lightning, I'll pick up some of those to replace them... wish Newegg carried them...
 
Yeah, the Supermicro boards tend to start at $180 and go up from there... I use those in all my rackmount equipment (routers + PBXs)

That board linked from Logic Supply is all Intel for < $100... no reason not to get it tbh

If more of those Jetway boards' NICs get struck by lightning, I'll pick up some of those to replace them... wish Newegg carried them...

Good point, I just looked at the Logic Supply stuff a little harder & it'll save me quite a bit if I build. No way can I build from Newegg... it'd be almost $300.

So it boils down to if I want the Intel NICs or not & if it's worth the extra $100.
 
Everything else being equal, I prefer Intel NICs over Broadcom because of the driver support. Broadcom Server NICs are good and have some nice features, but for me Intel NICs are the gold standard.
I've used several Supermicro builds for customer builds and have been happy. The documentation can be a little iffy, but the boards are solid.
As far as pfSense is concerned, I've had 0 problems with Intel OR Broadcom Server NICs- I wouldn't hesitate to use a NetXtreme series NIC in my pfSense build.
 
Well, here's what I got:

  1. OEM Production 2550L2D-MxPC
  2. 4GB Kingston RAM
  3. 30GB Kingston SSDNow SSD

Some build notes:

  • A single RAM chip in that box must be in the slot closest to the motherboard or the device won't even POST.
  • pfSense 2.0.1 64-bit has a known bug with that model GPU, where VGA mode shows text garbled on the screen.
  • Using the embedded install won't allow you to install packages.

To work around the text being garbled, I installed in a VM on my laptop simultaneously along with the new box. This let me duplicate the keystrokes on the box without being able to see the screen. I was able to pull it off successfully. pfSense 2.1 will have this fixed, but I wanted to stick with a stable release at this time.

I took one of the SSDs from my ESXi box & re-used it in this build. Glad I did for a few reasons:
  • I like keeping logs & historical data regarding performance.
  • A full install on a USB drive would have been a bad idea… the write cycles would have worn out much quicker than an embedded install.
  • Extra space for Squid cache is a good thing. :) Bonus points that it's on an SSD

So far, running PF, DHCP, DNS, VPN, Squid Cache, & Snort without any problems.

Verdict: very happy! :)

Total $ spent: $145 shipped.
 