pfSense computer build

Well, I have experience with an RT-AC88U as my main router (for many years), Ubiquiti Edgerouter Lite 3, Mikrotik RB2011 and RB3011 and now pfSense (for only a couple of weeks but intensively worked with it). When my network in the house was as simple as everybody having internet access and having a network repository (read: Windows PC) to save some personal stuff on, the RT-AC88U was great and pretty reliable (except with the issue with 5-8 port dropping).

However, as more things came into play, increasing the complexity of my network such as better wifi coverage needed throughout the house, increased number of devices on the network, Windows PC replaced by NAS, the Asus became increasingly less reliable. More freezes and reboots, decreased speed throughput, wifi drop-offs, so I went to search for a more reliable solution, which quickly brought me to a wired router/switch combo. After reading a lot around it, I bought an ERL3 and a Netgear switch. The ERL3 had a very steep learning curve and I never really got the hang of it. Partially because of the GUI/CLI combo to get everything set up properly and partially due to my lack of understanding and knowledge.

The RB2011 that I picked up almost for free offered a much better setting up experience than the ERL3. I had this set up in no time and it worked great and rock stable. The only issue with it was that it wouldn't support 1Gbps throughput and since I was planning to upgrade my ISP subscription, I picked up an RB3011 that could do that. I ran the RB3011 for about a year without any issues except getting IPv6 running but it turned out later on, this was an ISP-side issue. It is only recently when looking at solutions to get secure external access to my Nextcloud server, that pfSense came into play as it offered several solutions to set up Let's Encrypt certificates and a reverse proxy. Something that I could also do directly on the server but that would add complexity to the installation on FreeNAS.

After an extensive offline testing period on an old Supermicro server, I moved pfSense over to a Dell R210 server and started setting up the ACME certificate generation which caused some issues that were related to the guide I used but the guide publisher helped me out and once I got this up and running I moved pfSense into my network which happened at the end of last week and was virtually flawless. Installed and configured HAProxy as reverse proxy over the weekend and now have secure access to my Nextcloud.

Now in the process of migrating everything and re-linking devices as I had to change the IP addresses of a number of fixed devices to move them out of the DHCP range as pfSense is in some aspects different from RouterOS as you cannot have static mapping within DHCP range but all in all, up until now, my experience with pfSense is extremely positive. It is fast (I literally notice a difference in network responsiveness and speed) and flexible with a bunch of usable features and the ability to be future-proof for quite some time. I reckon with the current setup, I would only need to add a dual 10Gbps NIC to be good for a very long time.

Sorry for the long text but considering the different opinions above, I wanted to provide my insights.
 
@ddaenen1
[hijack] I’m curious about your issues with the 3011, SSL Certs etc. I’m using a Mikrotik hEX S and have been considering a similar setup w/Let’s Encrypt certs & Nginx for reverse proxy. If you’ve come across any road blocks with RouterOS I’d like to hear about it before I get too far down that road. [/hijack]

Well, as stated, I moved away from Mikrotik to pfSense to do this as RouterOS doesn't support doing something like that within the router. I have successfully set up Let's Encrypt certificates in pfSense and set up a reverse proxy using HAProxy which also redirects any http to https. Works like a charm!
 
@ddaenen1, your story may lead me to try out pfSense again this year. Thanks for sharing your experience. :)
 
A lot of interesting views, thanks all for your time.

I don't have a problem with the 86U. It has served me well and very rarely gives me any problems - but I often get itches and I love to learn new skills, it gives me something to concentrate on instead of binge-watching Netflix and the like. I guess a lot of my technology interests turn into hobbies and give me a sense of satisfaction/achievement.

The reason why I started looking at pfSense is due to me having a computer sat idling serving Plex and Steam. I completely overspecced it when building it for futurebility and flexibility of adding additional software onto it.

My computer is headless so I rely on VNC to access it - this works fine on Windows but whenever I feel brave and try Linux on it I always find stumbling blocks. I've never got VNC to work perfectly on Linux apart from Raspbian/DietPi on my RPI4. Either I get it to connect and the display stays blank or it connects fine first time and then refuses to connect afterwards requiring a reboot.

Also, not sure about the state of Steam/Remote play on Linux. I know Windows gets a good bashing but it just works.

If I want to review my pfSense route again I have various options;

1) Format Windows and give Linux another try running pfSense, Plex, Steam and SABnzbd (one box solution)
2) Get a dedicated pfSense box like Netgate (they seem expensive for what they are)
3) Buy another micro-PC and run pfSense from that (seems silly when I already have hardware raring to go)
4) Keep the Windows PC as is and run Hyper-V pfSense
 
1) Format Windows and give Linux another try running pfSense, Plex, Steam and SABnzbd (one box solution)
2) Get a dedicated pfSense box like Netgate (they seem expensive for what they are)
3) Buy another micro-PC and run pfSense from that (seems silly when I already have hardware raring to go)
4) Keep the Windows PC as is and run Hyper-V pfSense

1. pfSense is FreeBSD based, not exactly Linux. If you go this way, make sure the rest is FreeBSD compatible.
2. Doesn't have to be Netgate hardware, pfSense works properly on all hardware supported by FreeBSD.
3. This is the way I would go. I wouldn't share my main Internet security gate with entertainment services.
4. You can do it, but see 3 and you may have issues with some pfSense services requiring direct access to hardware.

I guess a lot of my technology interests turn into hobbies and give me a sense of satisfaction/achievement.

Then run your RT-AC86U as a router to keep your Internet alive and play with pfSense, Plex, Steam, etc. until you get what you need. Running a big power hungry desktop 24/7 though may affect your electricity bill. It's a good PC for gaming, I guess, but way too much fire power for everything else. You'll probably be using 10-20% of what this hardware is capable of. Avoid All-In-One solutions. Much harder to set up, diagnose and fix if something goes wrong. You don't want to lose all the services at once, including your Internet access.
 
@ddaenen1, your story may lead me to try out pfSense again this year. Thanks for sharing your experience. :)

Much appreciated. I am still at the point that I realize that the setup I have at home is not what the average domestic user needs and there is an element of a hobby that went a bit out of control but I can share that the entire family enjoys it. A fast internet experience with fast WIFI and similar coverage in the entire house, watching movies and series on Plex has become a given, a seamless storage pool that can house all the data we need and last but not least, everyone has bought into the concept of having our own cloud, never needing to worry about storage space or loss of any type of mobile data which now has really materialized now that it is externally accessible to all users. These are the things that keep me going to make it faster, better and more secure. :)
 
setup I have at home is not what the average domestic user needs and there is an element of a hobby that went a bit out of control

Warning:
Networking is addictive, use responsibly. Some people start with a DIY pfSense, OPNsense, Untangle, Sophos, etc. box or an off-lease refurbished server and end up with a full-blown server rack, or so-called "home lab".

:D
 
1) Format Windows and give Linux another try running pfSense, Plex, Steam and SABnzbd (one box solution)
2) Get a dedicated pfSense box like Netgate (they seem expensive for what they are)
3) Buy another micro-PC and run pfSense from that (seems silly when I already have hardware raring to go)
4) Keep the Windows PC as is and run Hyper-V pfSense
Note that pfSense is an "appliance" and you will quickly be finding that you cannot easily run Plex, Steam, and much of anything else not specifically ported to pfSenses being functional. You will either need to go down the dedicated hardware path and/or VM path.

The biggest challenge of the VM path is how often do you need to reboot your "server"? Anytime you reboot that box, your Internet goes down until the VM comes back up. This means that for the first few minutes after a reboot, your Windows "host/server" won't have an Internet connection because the pfSense VM hasn't come back up yet. For toying around with something, this isn't a huge issue. When trying to provide a stable Internet connection to not anger the residents of the household...especially the wife....this is rarely the proper path forward here.

I have made sure nothing on my network requires any of my VMs to be up and running. My VMs are utility boxes at this point in time, but have no direct ability in my wife being able to do what she wants to accomplish via the Internet.
 
Here is what I may end up doing.

Remove the GPU from my computer to make it more energy efficient or simply sell it and replace it with a micro-pc (I don't play games much anymore). Then buy a standalone box to run pfSense which leads me to my next question for you folks running pfSense;

Do you have any recommendations for hardware?
 
Do you have any recommendations for hardware?

It depends on what you plan to run on this pfSense box, but in general an Intel dual/quad-core CPU with AES-NI is recommended, 4GB RAM, 32GB storage, 2 x Gigabit Intel NICs...

I run packages pfBlockerNG (for IP and DNS blocking), Suricata (wife safe settings), ntopng, Service_Watchdog, apcupsd; my caches are 2X default installation; RAM usage is about 3GB, CPU usage without VPN is always below 15% (i5-3570 CPU 3.4GHz, way too fast); with OpenVPN on speeds >250Mbps and everything else running at the same time up to 50%, etc. An i5-5200U CPU, 8GB RAM, 64GB SSD, 2-4 x Gigabit Intel NICs Qotom/Protectli box or similar should be plenty for years to come, for example. You don't need WiFi on the box.
 
Granted my pfSense experience was back from 2008-2012 but I ran two old Dell rack servers in failover setup both with pfSense. I had approximately 600 users behind them on a 200/200 connection, yes I know, small by today’s standards but they ran flawlessly. I had tunnels to 8 remote offices, each with a pfSense box. Not sure about the “steep” learning curve but then again, I was using FreeBSD to host game servers on. :)
 
It depends on what you plan to run on this pfSense box, but in general an Intel dual/quad-core CPU with AES-NI is recommended, 4GB RAM, 32GB storage, 2 x Gigabit Intel NICs...

I purchased a mini PC from Qotom. I overbuilt it with an i7 processor, 8GB RAM and a 64G MSATA SSD in case I decided not to use it as a router box but as a mini desktop instead. Probably paid about $60 more than needed for a larger SSD and an i7 vs i5 processor but my cost delivered was just $354.
 
Here is what I may end up doing.

Remove the GPU from my computer to make it more energy efficient or simply sell it and replace it with a micro-pc (I don't play games much anymore). Then buy a standalone box to run pfSense which leads me to my next question for you folks running pfSense;

Do you have any recommendations for hardware?

I wanted a setup that would fit my server rack. I am running pfSense on a Dell R210 server with an Intel Xeon X3430 quad-core @ 2.4GHz, 16GB ECC RAM and 2 OCZ Deneva 100GB SSDs running in zmirror. What I like about this setup is that it can easily handle everything I throw at it right now and I could add a quad Intel 1GbE NIC or even a 10GbE dual NIC on the PCIe port if ever needed.

I deliberately chose not to have pfSense running on a shared device as it is the core of my entire network, and I wanted it to be able to run in as uncomplicated an environment as possible. To date, flawless run.
 
Still weighing up my options but after endless reading and many YouTube reviews I am down to the following scenarios;

1) Netgate 5100 (like the specs of this and would look good next to my other gear)

2) Netgate 3100 (only 2GB RAM and non-upgradeable is putting me off plus I've read some people having poor performance with pfBlockerNG enabled)

3) Protectli Vault 4-Port (I'm in the UK and having trouble finding a good supplier plus unsure as to the performance of the CPU's on offer)

Basically, it looks like Netgate is the most likely to work 100% as they test software updates on these models before releasing to the community. I doubt I would have any problems with the Protectli but not really an issue as I'd be local to the router.

I do definitely want something good on running costs and silent.
 
It depends on what you plan to run on this pfSense box, but in general an Intel dual/quad-core CPU with AES-NI is recommended, 4GB RAM, 32GB storage, 2 x Gigabit Intel NICs...

This is the only downside on my current config. The Xeon X34xx range doesn't have AES-NI. However, although it was stated initially that pfSense 2.5 would only work on AES-NI capable CPUs, this has changed and 2.5 will also support non-AES-NI CPUs.

I run packages pfBlockerNG (for IP and DNS blocking)

I am interested in pfBlockerNG but also concerned it would impact performance and throughput. Any experiences you can share on that?
 
