Share your pfSense / OPNsense builds

blackmomba

I've been wanting to repurpose some old hardware into a pfSense box for the longest time but I've gotten to the point where I don't have anything much that doesn't serve a purpose :happy:

I haven't got any leftover chips with AES-NI and the only board I've got is an M3A78-EM which is working but ancient. I've got some DDR4 though, a power supply, an mATX case.

I'm suffering from a lack of inspiration so I thought I'd start this thread knowing there's a lot of creative folks on here... So share your pfSense rigs!
 
Supermicro X10SDV-6C+-TLN4F (Xeon D-1528 w/ dual 10GbE) w/ 32GB ECC, 256gb nvme ssd, and a titanium psu in a 1U rack.

Bulletproof and way overkill for the packages / services I am running, but I got an absurd deal on the main board and had most of the rest laying around. Also fits nicely into my 12U network-depth rack, hah.
 
My current box is now 11 years old, need to get this upgraded as well.

Might just say screw it and order one of their appliances, the 6100.
If it's not broken, don't try to fix it. :D

Netgate and I believe Firewalla also have great appliances if you're going that route. You can also roll your own Sophos for home use for free. I've been tempted to try that since I need IPsec VPN tunnels, but I also need appliance simplicity and don't have time to do a build.
 
When I still ran pfSense, I ran it on a PCEngines APU2C2. I got a lot of happiness out of the fact that my edge device consumed less than 10W, was PoE powered (so I could power cycle it from my switch just by disabling and re-enabling PoE on that port), and still was able to push through about 800Mbps up / 40Mbps down (though my service was faster, just not quite enough compute thrown at FreeBSD to get there with the 2C2). Was a decent little box that served me well, til I upgraded to Mikrotik instead. I built little rack ears for the chassis so it took up 1U in my rack, just above my core switch.
 
Supermicro X10SDV-6C+-TLN4F (Xeon D-1528 w/ dual 10GbE) w/ 32GB ECC, 256gb nvme ssd, and a titanium psu in a 1U rack.

Bulletproof and way overkill for the packages / services I am running, but I got an absurd deal on the main board and had most of the rest laying around. Also fits nicely into my 12U network-depth rack, hah.
That's a beautiful overkill. :) I bet the updates will make you upgrade the hardware before your wan connection will, haha.
 
A couple of years ago I got a SFF Dell with an i5-3470 for $50 and added a low-profile dual-port Intel gigabit nic. It's been solid ever since.

Before that, I ran it on a Core2Duo e6400 system for a long time. Then at one point it was said that only CPUs with AES-NI would work with what was then the upcoming version 2.5. Of course, they dropped that requirement at the last moment. If it wasn't for that I'd probably still be using the Core2Duo.
 
Was running it on a PCEngines APU2C4. Upgraded to an old Dell Optiplex 9020. Not as power efficient, but it’s WAY faster.
 
Dell T20 server, Xeon 1225 v3 CPU, 32 GB ECC non-registered memory. Running Windows Server 2019 and Hyper-V. Virtualized pfSense with dedicated gigabit NIC for WAN. 2.5 GBps LAN port shared with VMs for file server and NVR/DVR. One server for all my home needs. The important data, virtual machines, is all portable to a new server whenever I need to replace it.
1x Sata SSD boot drive
1x U.2 7.68 TB data drive
1x HDD for server backups
1x 2.5 PCIe NIC

48 watts steady, 64 watts writing backups, 84 watts max power draw I saw after a full month of monitoring. Bought this server new about 7 years ago with a Celeron or Pentium CPU. Upgraded via eBay several times. CPU is finally feeling weak with 4k surveillance camera playback. Otherwise it does my 500 mbps symmetrical fiber connection just fine and it will do a full 2.5 gbps iperf3 test fine. Not sure if it would actually route/inspect 2.5 gbps of internet traffic but I have no need for that.
 
I picked up a RSA branded Dell R620 server as the foundation.


Stuff I changed:
Intel x520/i350 2x SFP+ 10g/2x gb RJ45 Removable Network Daughter Card(Dell Part: C63DV) for downstream.

Intel x550-T1 1x RJ45 1g/2.5g/5g/10g NIC for upstream.

Intel Xeon E5-2630L V2 60w 2.8GHz cpus.
System already had 32GB of DDR3-1600 in it from initial purchase.
Started with a 120GB 2.5 Inland SSD plugged into a SATA port and laid it on top of the NIC and it lasted two years but a few months ago the drive started corrupting. I think this was due to laying on top of the NIC. I pulled the backup and tossed in two 900GB 10k RPM HDDs that I had laying here as a spare. I put them into a RAID1 and did a fresh install of OPNsense and pulled in the backup and life has been good.

This has been rock solid reliable and it's only broken 'cause of stuff I've done. Other than that it's never gone down or had any issues itself. It is pretty overkill but that's my style. I am also running Zenarmor as a content filter, which is turned off, and I'm using CrowdSec for IPS. I also am geoblocking basically every country outside of the US/Canada right now.
I have been looking for something newer and more power efficient but that can deliver the same horsepower. I was just given a R630 so I might change over to that.
 
I might try a virtual version just to mess around with. I have a Xeon Gen 3 4C 8T and 16GB RAM server with SSDs hosting my Proxmox server. I would just need to add a dual 1GbE Intel NIC to pass directly to the VM.
 
Repurposed an old desktop and stuck a quad port intel i350 in it. Intel 7700K w/ Z270G STRIX motherboard w/ 32 GB DDR4 something... and a cheap 128 GB NVME.

It can handle anything I throw at it and is extremely stable for being a 2016 - 2017 build, and fairly compact for being mATX.

Edit: and quite low power/heat too
 
My home pfSense install is running as an ESXi virtual machine on one of these. I gave it 4 CPU cores and 4 GB of RAM. The whole box has 32 GB of RAM and a 1 TB SSD. Works very well.
 
Current is a VM on ESXi as well. 4 core / 8GB RAM using L5638 in an HP DL380 G6. Running a 2 node cluster to allow for vMotion.
Upgraded from an old AMD Athlon X2 Shuttle with 4GB RAM.
 
I'm gonna bump this bad boy cause I finally had time to repurpose an old build.

I went with a Ryzen 2400g, 8GB ram and a small nvme boot drive.

I'm gonna make some time during the night to install it (my LAN's maintenance window hehe)

I currently run a fairly basic setup using an Asus AX58U running Merlin, guest network, bout 30 clients or so.

So if I understand correctly, to install the firewall before this Asus router, I need to put the router in AP mode and disable DHCP? Will I still be able to have a WLAN from the Asus router and have pfsense or opnsense assign IPs to its clients? Fairly new to me all this
 
Yes, it should still work.

Also, since you're using a small ssd for your pfsense, make sure to enable ram disk for your tmp and var folders. There's enough writing to wear out a drive.
 
Yes, it should still work.

Also, since you're using a small ssd for your pfsense, make sure to enable ram disk for your tmp and var folders. There's enough writing to wear out a drive.

I’ve been tempted to enable a RAM disk on mine but haven’t yet. I’m using a shitty old SATA SSD.
 
Yes, it should still work.

Also, since you're using a small ssd for your pfsense, make sure to enable ram disk for your tmp and var folders. There's enough writing to wear out a drive.
Thanks, appreciate it. I just enabled both options

Everything is working right out of the box which is nice. Enabled AP mode on the router and after it reset it picked up its IP from opnsense, WLAN working nicely too. Really happy.

One thing I noticed was that with the Asus router, I always used to get a 192 address from my ISP (never noticed what connection type it was using). With OPNsense, I see it autoconfigured a DHCP connection type and picked up a totally different address (I think it's the first time I get a different address in like 2 years). I wonder why that is.
 
I’ve been tempted to enable a RAM disk on mine but haven’t yet. I’m using a shitty old SATA SSD.
It's a quick config setting and a reboot. Set the amounts to be ~500 MB as a good buffer (assuming you have the memory to spare. I have 8GB total which is way more than I need)
 
Really starting to look into a pfSense build since my current ISP-provided XB7 will not run a VPN. If I am going to do it I might as well jump off the deep end. How crazy of a CPU would I need to run a 2.5gb network, since I am most likely going to put my storage server in the same box if at all possible?
What is recommended for a boot drive?
 
Really starting to look into a pfSense build since my current ISP-provided XB7 will not run a VPN. If I am going to do it I might as well jump off the deep end. How crazy of a CPU would I need to run a 2.5gb network, since I am most likely going to put my storage server in the same box if at all possible?
What is recommended for a boot drive?
So you want to run a storage server off of your firewall/router?
 
So you want to run a storage server off of your firewall/router?
I was thinking of running pfSense in a VM if possible. I have just started looking into pfSense so I am not very familiar with it.

If it can't be done I have no problem throwing a dedicated system into a 1U server chassis I have.

I guess my biggest question is how old of a CPU is too old to handle a 1GB connection with VPN duties as well.

I have a 4970K and 64GB of ECC RAM if it's not too old
 
I was thinking of running pfSense in a VM if possible. I have just started looking into pfSense so I am not very familiar with it.

If it can't be done I have no problem throwing a dedicated system into a 1U server chassis I have.

I guess my biggest question is how old of a CPU is too old to handle a 1GB connection with VPN duties as well.

I have a 4970K and 64GB of ECC RAM if it's not too old
During my research, I learned that you want a chip that supports AES-NI, you can find a list here

I'm running a 50/400 connection with roughly 20 clients on the LAN and the 2400g I'm using is generally idle for now
 
I was thinking of running pfSense in a VM if possible. I have just started looking into pfSense so I am not very familiar with it.

If it can't be done I have no problem throwing a dedicated system into a 1U server chassis I have.

I guess my biggest question is how old of a CPU is too old to handle a 1GB connection with VPN duties as well.

I have a 4970K and 64GB of ECC RAM if it's not too old
You can run it as a VM but it's kind of a catch-22. I would suggest looking at OPNsense. pfSense has a history of extremely shady practices.
I would suggest running it bare metal for simplicity.
Most any CPU you would use at this time is fine. My first was an X58-era Xeon. I've never run over 32G for RAM. 32G is complete overkill as is. Intel NICs also will ensure things go smooth. That applies to BSD in general.
 
You can run it as a VM but it's kind of a catch-22. I would suggest looking at OPNsense. pfSense has a history of extremely shady practices.
I would suggest running it bare metal for simplicity.
Most any CPU you would use at this time is fine. My first was an X58-era Xeon. I've never run over 32G for RAM. 32G is complete overkill as is. Intel NICs also will ensure things go smooth. That applies to BSD in general.
Good to know about the Intel NIC. I have an Asus 2.5 one here that I got a really good deal on that I was going to use, but if Intel will make my life easier I will start looking for one, thanks.
 
During my research, I learned that you want a chip that supports AES-NI, you can find a list here

I'm running a 50/400 connection with roughly 20 clients on the LAN and the 2400g I'm using is generally idle for now
Great list, thank you. I see that my 4970 is on the list so I will dig it out of storage and get a system built and start playing around.
 
I picked up a RSA branded Dell R620 server as the foundation.

Stuff I changed:
Intel x520/i350 2x SFP+ 10g/2x gb RJ45 Removable Network Daughter Card(Dell Part: C63DV) for downstream.
Intel x550-T1 1x RJ45 1g/2.5g/5g/10g NIC for upstream.
Intel Xeon E5-2630L V2 60w 2.8GHz cpus.
System already had 32GB of DDR3-1600 in it from initial purchase.
Started with a 120GB 2.5 Inland SSD plugged into a SATA port and laid it on top of the NIC and it lasted two years but a few months ago the drive started corrupting. I think this was due to laying on top of the NIC. I pulled the backup and tossed in two 900GB 10k RPM HDDs that I had laying here as a spare. I put them into a RAID1 and did a fresh install of OPNsense and pulled in the backup and life has been good.

This has been rock solid reliable and it's only broken 'cause of stuff I've done. Other than that it's never gone down or had any issues itself. It is pretty overkill but that's my style. I am also running Zenarmor as a content filter, which is turned off, and I'm using CrowdSec for IPS. I also am geoblocking basically every country outside of the US/Canada right now.
I have been looking for something newer and more power efficient but that can deliver the same horsepower. I was just given a R630 so I might change over to that.
Nice overkill! Like using a nuke to squash a fly! :D
 
With OPNsense, I see it autoconfigured a DHCP connection type and picked up a totally different address (I think it's the first time I get a different address in like 2 years). I wonder why that is.
Different MAC address being sent to the ISP, so different address. You normally can have the same IP by changing the MAC address to match the previous router, but in your case I think it could cause problems since the MAC is still on the physical network.
 
Different MAC address being sent to the ISP, so different address. You normally can have the same IP by changing the MAC address to match the previous router, but in your case I think it could cause problems since the MAC is still on the physical network.
Thanks very much man!
 
I renamed the thread to include OPNsense builds

I don't know exactly why, but I get the impression that a lot of home labbers and hobbyists are moving away from pfSense and recommending OPNsense. I'm not sure why (something about licenses?)
 
I renamed the thread to include OPNsense builds

I don't know exactly why, but I get the impression that a lot of home labbers and hobbyists are moving away from pfSense and recommending OPNsense. I'm not sure why (something about licenses?)
There are a lot of reasons.
 
Just put together an OPNsense box using a Dell 5070 Extended and a dual port i350 server NIC, 8GB RAM, Intel Pentium Silver J5005 and a 120GB M.2 SSD. I also improvised a ghetto cooling solution using a piece of thin plywood and a squirrel cage fan. Works surprisingly well.
 
Nice ^^

How's the firewall running? Discover any cool features?

If ever you wanna have a nice dashboard for it in Grafana, this guy put together something really nice: https://github.com/bsmithio/OPNsense-Dashboard

I got it running on my end and it looks good, I can't get the map to show the origins of the IPs that the firewall is blocking though. Not sure why

I also started experimenting with Cloudflare tunnels which are really nice. They allow you to expose local services to the outside world without poking holes in your firewall. Really worth checking out if you want to expose your homelab stuff
 
Nice ^^

How's the firewall running? Discover any cool features?

If ever you wanna have a nice dashboard for it in Grafana, this guy put together something really nice: https://github.com/bsmithio/OPNsense-Dashboard

I got it running on my end and it looks good, I can't get the map to show the origins of the IPs that the firewall is blocking though. Not sure why

I also started experimenting with Cloudflare tunnels which are really nice. They allow you to expose local services to the outside world without poking holes in your firewall. Really worth checking out if you want to expose your homelab stuff

Been running great. No issues.

I like that dashboard. How do I install it?
 