Confessions of a pfSense Newbie ...

[sfx2000]

Interesting box - but one must consider the onboard NIC's - some of them have "issues" under load on BSD/Linux, but those boxes are getting to a very attractive price point...

I have an MSI Wind Box DC111 that is based on the Celeron 1037U, for an internal LAN server on Debian, it works pretty well for LAMP/Samba... I picked it up at Fry's with 4GB RAM/500GB spinning disk for $199 (no OS), but it must have been a special deal for them...CPU fan has gotten a bit noisy, so need to address that at some point.

Thing is - watch out for the very low end intel devices - there's a few based on Atom/Silvermont tablet chipsets - they'll work fine perhaps as clients, but I suspect they'll be pretty challenging to put something like FreeNAS/pfSense/Monowall on...

 

[Nnyan]

Since my post I actually did a bit of playing around with pfsense (and a few others). I got myself a Barracuda Web Filter 300 on ebay for cheap, I was able to install pfsense (after some install issues) and Sophos UTM on this bad boy. For a pfsense noob it took me all weekend to get it installed and up and running (keep in mind that these devices have all sorts of different hardware in them, it took me three tries to get one that would allow pfsense to install). These things basically have Atom class CPU's (some have some more powerful AMD or Intel). With basic ruleset I was able to max out the 100mbit card on this thing (it's a custom nic I wasn't able to find gigabit replacements but I didn't spend too much time with this) just routing.

I then took a turn with Sophos UTM and right away there was an improvement, it installed on the two devices that pfsense would not install on. While the interface is "pretty" I found it to be a be cumbersome and not always intuitive, but once you start learning the "Sophos" way it starts to make some sense. I just think they spread out the required settings too much. If you want to do "A" then it can mean touching 3-4 places in different areas. They would do with a move cohesive structure. BUT having said that it did take me a fraction of the time to get this up and going then pfsense. I was afraid that with the heavy UI it's performance would take a hit, but it also maxed out the 100mbit nic. I didn't have a chance to test VPN performance on these and I sold off two of them and put the third one in a friends house (he has a 50mbit connection so it was a perfect fit).

I will say that these things are LOUD. The server type "seashell" blower fan is crazy loud. I found that you can disable this on the Atom based units and it will not overheat but the versions with the more powerful CPU will have heating issues without some additional cooling.

 

[Nnyan]

Interesting box - but one must consider the onboard NIC's - some of them have "issues" under load on BSD/Linux, but those boxes are getting to a very attractive price point...

I have an MSI Wind Box DC111 that is based on the Celeron 1037U, for an internal LAN server on Debian, it works pretty well for LAMP/Samba... I picked it up at Fry's with 4GB RAM/500GB spinning disk for $199 (no OS), but it must have been a special deal for them...CPU fan has gotten a bit noisy, so need to address that at some point.

Thing is - watch out for the very low end intel devices - there's a few based on Atom/Silvermont tablet chipsets - they'll work fine perhaps as clients, but I suspect they'll be pretty challenging to put something like FreeNAS/pfSense/Monowall on...

The big issue with these is that one NIC. If you don't mind taking a bit of a risk you can find these types of fanless PC's with dual Intel NICs (ex: http://www.aliexpress.com/store/pro...-Barebone-Mini-PC-with/800900_1638834276.html)

 

[jgomberg]

Does anyone have any backplane metrics for multi NIC hardware vs the hardware offered by pfSense.org directly? The pfSense SG-8660 with eight (8) cores runs $1,028 fully tricked out (less wireless) whereas their SG-4860 with four (4) cores is $828. Both have four (4) lan ports (which I require to physically partition and isolate LAN segments).

It's hard to tell from documentation how much packet handling is being done at the physical layers vs application layers and where bottlenecks would most likely occur depending on apps.

 

[Blade Runner]

Old threads about DIY topics are common on this board. Most are content to buy the latest widget thinking it will solve whatever issues. Few are willing to think outside the box. I assembled a pfSense firewall after two Asus routers crashed/locked up. Snort, pfBlockerNG, and Squid3 are installed packages. IMO consumer-grade routers should be used as access points and nothing more.

 

[JJ Duru]

Does anyone have any backplane metrics for multi NIC hardware vs the hardware offered by pfSense.org directly? The pfSense SG-8660 with eight (8) cores runs $1,028 fully tricked out (less wireless) whereas their SG-4860 with four (4) cores is $828. Both have four (4) lan ports (which I require to physically partition and isolate LAN segments).

It's hard to tell from documentation how much packet handling is being done at the physical layers vs application layers and where bottlenecks would most likely occur depending on apps.

I'm sorry to say, but whatever hardware pfsense.org has in store is overpriced. Get a server grade Supermicro board, some ECC ram, throw an usb and hdd in the box, you have a lean mean machine that routes packets all day long. If you feel courageous, make it ESXi virtualized, so you could use the computer power for something else as well. You don't pay more than $400, and I'm being generous here.

By golly, I'm writing this post from behind my own pfsense setup - and I love it. I'm also patiently (or not) waiting for my Cisco SRW2008-K9-NA switch to finalize my home network...

 

[Nullity]

The last time I priced a comparable Intel C2358 setup, it was very close to the price pfSense charges. Actually, after quite a bit of research, if I had chose to go that route I would have bought the ~$400-500 model from pfSense. I was surprised they actually had a very competitive price. The CPU they choose is a particular one that supports AES-NI and can throw out some very impressive VPN speeds.

If there is a cheaper supplier for a similar complete setup with 4 Intel GbE NICs, please share it.

The rest of the models, I dunno.

 

[JJ Duru]

The last time I priced a comparable Intel C2358 setup, it was very close to the price pfSense charges. Actually, after quite a bit of research, if I had chose to go that route I would have bought the ~$400-500 model from pfSense. I was surprised they actually had a very competitive price. The CPU they choose is a particular one that supports AES-NI and can throw out some very impressive VPN speeds.

If there is a cheaper supplier for a similar complete setup with 4 Intel GbE NICs, please share it.

The rest of the models, I dunno.

This is my current setup. With 8GB ECC I have capacity left to deploy another 1-2 VMs inside ESXi:
Supermicro A1SRi-2558F - $239.99 (newegg, Thanksgiving price)
8GB ECC Kingston - $57 (newegg, Thanksgiving price)
M350 mini-itx + connectors - $50 (mini-box.com)
Total ~$347

Show me something in pfsense's hardware store that's Rangeley C2558, not C2358, and priced less than the above. The closest I found are:

SG-2440 - $499 - Intel Rangeley Atom C2358, RAM 4GB DDR3L, 4GB eMMC Flash
SG-2220 - $299 - Intel Rangeley Atom C2358, RAM 2GB DDR3L, 4GB eMMC Flash on board
SG-4860 - $699 - Intel Rangeley Atom C2558, RAM 8GB DDR3L, 32GB eMMC Flash on board

Their memory is probably non-ECC. In my setup I've used ECC because the Supemicro board requires it and so I could eventually deploy a Freenas in the future.

 

[coxhaus]

By golly, I'm writing this post from behind my own pfsense setup - and I love it. I'm also patiently (or not) waiting for my Cisco SRW2008-K9-NA switch to finalize my home network...

Your Cisco switch will run in layer 3 mode great with pfsense. I have run a SG300-28 switch for months behind pfsense without any down time. There is a thread on pfsense under installation for installing with a Cisco SG300 layer 3 switch which I started so if you have problems the thread should help.

 

[sfx2000]

Show me something in pfsense's hardware store that's Rangeley C2558, not C2358, and priced less than the above. The closest I found are:

SG-2440 - $499 - Intel Rangeley Atom C2358, RAM 4GB DDR3L, 4GB eMMC Flash
SG-2220 - $299 - Intel Rangeley Atom C2358, RAM 2GB DDR3L, 4GB eMMC Flash on board
SG-4860 - $699 - Intel Rangeley Atom C2558, RAM 8GB DDR3L, 32GB eMMC Flash on board

Netgate sells the same boxes at a fair decent discount - but then one has to install/configure pfSense, whereas the pre-built boxes have it already installed, and one gets some official support as a paid-up user..

 

[Nullity]

Netgate sells the same boxes at a fair decent discount - but then one has to install/configure pfSense, whereas the pre-built boxes have it already installed, and one gets some official support as a paid-up user..

Good point.

• pfSense Incident Based Support via email, chat or phone. Each purchase includes two complimentary incidents.

 

[Dennis Wood]

Here's the 2016 updated build. It's pretty inexpensive at $257 but has 8GB of RAM and a 120GB mSATA drive. PfSense 2.3.1 has come a long way, but the original boxes were due for replacement.

We've been using pfsense for some time now, and found the 5 yr old mini-itx build routers max'd out at 2GB of ram, creating some swap file issues. It was time for some hardware. We run several boxes, and require 4 network ports. These were quite inexpensive, easy to configure and work perfectly with pfsense 2.3. We're running a pretty full package compliment including Snort, Squid, Squidgard, Lightsquid, NUT, OPENVpn etc., so the RAM and SSD space was needed.

QOTOM-Q190G4 - J1900 Quad core 4 LAN 1080P Industrial computer
Intel Celeron Processor J1900(Quad-Core 2M Cache,2 GHz, up to 2.41 GHz)
NO RAM.NO SSD,NO WIFI （NO OS)
Support Windows /Linux (Can not support windows xp)
4 LAN+VGA+2 usb 2.0
Network Card:4*LAN Intel WG82583 10/100/1000M Ethernet
$159

Kingston Technology 8GB 1600MHz DDR3L (PC3-12800) 1.35V Non-ECC CL11 SODIMM Intel Laptop Memory KVR16LS11/8
$30

Samsung 850 EVO - 120GB - mSATA Internal SSD (MZ-M5E120BW)
$68

The Qotom units have zero documentation in the box, but it's pretty simple to configure them. Four screws on the bottom of the case exposes the SODIMM slot, the mSATA slot, and provided SATA/power cables in case you have a SATA SSD kicking around. The case bottom plate hosts an integrated SSD mount. These are very small boxes, with no fan or moving parts at all. They are about perfect for pfsense.

I enabled TRIM on the Samsung SSD as follows. Below is compiled from several other posters here..so thanks!

1. booted pfSense from USB stick and installed pfSense to SSD

2. Used Putty to connect to the box, fired up the shell and obtained ufsid by showing the fstab file:
[2.2.4-RELEASE][root@pfSense.localdomain]/root: cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ufsid/576dca6e13175d08 / ufs rw 1 1

3. booted pfSense from USB stick into single-user mode

4. at the # prompt, the following was issued:
/sbin/tunefs -t enable /dev/ufsid/576dca6e13175d08 (your ufsid will be different!
/sbin/reboot

5. booted pfSense from SSD. Again using putty, ran this command from shell to see if TRIM was enabled.
/sbin/tunefs -p /

The pics below are pretty much self explanatory

Cheers,
Dennis.

 

[sfx2000]

Not clear here - are you on the 2.3 release or the 2.2 release?

Nice box - pretty similar to what I'm running with my ADI/Netgate 2440... slightly different CPU, but same general concept... and a bit cheaper ($159 vs $349)...

 

[Dennis Wood]

Not clear here - are you on the 2.3 release or the 2.2 release?

Nice box - pretty similar to what I'm running with my ADI/Netgate 2440... slightly different CPU, but same general concept... and a bit cheaper ($159 vs $349)...

I swapped the two 2011 vintage boxes over to 2.3.1-RELEASE-p5 (amd64), then backed up the configuration. The Qotoms got a fresh 2.3.1 install using USB. Restoring the old config (a lot of time invested there!) onto the new boxes was super simple. The pfsense web gui prompts you to reassign your network ports (as it detects the mismatch), it reboots, installs packages and all good. The upgrade was surprisingly simply. I only had to copy my proxy.pac, wpad.dat and proxy.pa config files (make sure you keep a copy!) over to the new install and it was done.

The PfSense crew deserves a lot of respect in terms of making this so simple. It would be pretty amazing if PC machine replacements went this well.

 

[sfx2000]

https://forum.pfsense.org/index.php?topic=114202.0

 

[sfx2000]

Show me something in pfsense's hardware store that's Rangeley C2558, not C2358, and priced less than the above. The closest I found are:

SG-2440 - $499 - Intel Rangeley Atom C2358, RAM 4GB DDR3L, 4GB eMMC Flash
SG-2220 - $299 - Intel Rangeley Atom C2358, RAM 2GB DDR3L, 4GB eMMC Flash on board
SG-4860 - $699 - Intel Rangeley Atom C2558, RAM 8GB DDR3L, 32GB eMMC Flash on board

Their memory is probably non-ECC. In my setup I've used ECC because the Supemicro board requires it and so I could eventually deploy a Freenas in the future.

Go to Netgate's store, and the prices come down quite a bit, remember with the pfSense branded devices, you do get direct support, and it does help fund the pfSense project.

And yes, those Rangley devices do not support ECC on those boards.

They're very well built (in America, jobs, eh?)

I'm running the SG-2440 equivalent ADI/Netgate device (RCE-VE 2440), works fine... I've added a mSATA card to get off the onboard eMMC, but that's not a requirement.

 

[sfx2000]

@Dennis Wood - if they're intel NIC's, don't forget to add the following to your /boot/loader.conf.local

legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1

 

[Dennis Wood]

@Dennis Wood - if they're intel NIC's, don't forget to add the following to your /boot/loader.conf.local

legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1

Thanks for that. Does this ack actually enable any features, or is just suppress an error? I mod'd the conf.local file and the error is gone...just not sure if it changed anything.

 

[sfx2000]

Thanks for that. Does this ack actually enable any features, or is just suppress an error? I mod'd the conf.local file and the error is gone...just not sure if it changed anything.

Not sure - but what was interesting - after I added those to lines, the nmbclusters line was added by pfSense (or FreeBSD perhaps?) - which does make a difference for the intel driver...

$ less /boot/loader.conf.local 
kern.cam.boot_delay=10000
kern.ipc.nmbclusters="1000000"
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1

 

[oletuv]

Not sure - but what was interesting - after I added those to lines, the nmbclusters line was added by pfSense (or FreeBSD perhaps?) - which does make a difference for the intel driver...

$ less /boot/loader.conf.local
kern.cam.boot_delay=10000
kern.ipc.nmbclusters="1000000"
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1

If one makes a local version of a system configuration file, e.g. loader.conf -> loader.conf.local, is the original file loaded first and then the code in the local version, or just the local version?

Ole