pfSense computer bulid

[Val D.]

This is the only downside on my current config. The Xeon X34xx range doesn't have AES-NI.

There is information posted in Netgate Blog about AES-NI: https://www.netgate.com/blog/more-on-aes-ni.html
Yes, good to have, but not critical. It is no longer a requirement for future pfSense releases, so your system should be good.

I am interested in pfBlockerNG but also concerned it would impact performance and throughput.

Your system is probably more loaded with traffic compared to mine (looking at all the gear in your signature). Test it, but I don't think you'll notice any difference on this hardware. My CPU is way overkill, it's actually >100% faster than Xeon X3430, but to see it coming close to 50% utilization I had to run OpenVPN AES-256 with speeds about 280Mbps, Suricata with hundreds of rules (testing, everything ETOpen available) on both WAN/LAN and pfBlockerNG with like 10 heavy lists (testing again, large aggregate lists like FireHOL, StevenBlack, etc.) on both IP and DNS all in the same time. This is with TurboBoost disabled @3.4GHz max clock speed. Far from a normal working setup, though. If I leave it with the settings above, plus blocking enabled in Suricata, I get a "user complaint" in next 30 seconds. After adjusting all the settings the way I need them (not all VPN traffic through the router, specific rules and lists only, etc., i.e. "wife safe settings"), I keep the CPU @1.6GHz through PowerD (minimum) and it still doesn't reach 50% CPU load. My CPU @1.6GHz is slower than X3430 @2.4GHz, so I believe you have more than enough room in processing power.

I run pfBlockerNG_devel version. It has some extra options and is easier to setup with blocking lists ready, sorted by category, provider, false positives reputation, update frequency, etc. You can match some Suricata rules with pfBlockerNG lists in the same category, if you like to. This is how I have it setup. No perfect match between the rules and the lists, as expected, but it works well.

 

[Xentrk]

This is the only downside on my current config. The Xeon X34xx range doesn't have AES-NI. However, although it was stated initially, pfsense 2.5 would only work on AES-NI capable CPU's, this has changed and 2.5 will also support nonAES-NI CPU's.



I am interested in pfBlockerNG but also concerned it would impact performance and throughput. Any experiences you can share on that?

I would recommend selecting a router that supports AES-NI. The vpn servers I connect to are half way across the globe and AES-NI greatly improved by performance. It may be an insurance policy in the event pfSense changes their policy about AES-NI and decides to make it mandatory after all.

I wouldn't worry about pfBlockerNG causing performance issues. I have not seen anyone on the pfSense forums complaining about an impact. But you may want to search just in case.

 

[JoeBee]

Currently, in 2 minds here go back to my pfsense build or stick with the Asus 86u router, the Asus router is lovely for me, simple and easy to set up and solid since I disabled the AV protection so the ram does not stall it.

The Asus router everything can be set up in few minutes (openvpn client) with kill switch and policy routing at a click, no noisy fan or power hungry drain on electricity.

The pfsense route (if you got decent hardware) I noticed right off the bat my AES cpu (2.4ghz intel) is using 8-9% max core 1 when maxing out download speeds, on the Asus router 78% core 1 and 30% core 2, I thought the Asus 86u AES was supposed to be good?

The pfsense box is very stable also and probably good for 1gig+ broadband and id bet wireguard support will arrive in the future, you can easily set up port forwarding on any VPN provider but yes a steep learning curve, you can take a look at nord vpn guide here:

https://support.nordvpn.com/Connectivity/Router/1089079142/pfSense-2-4-4-setup-with-NordVPN.htm

policy routing guide from them here:

https://support.nordvpn.com/Connectivity/Router/1136266682/pfSense-2-4-4-selective-Routing.htm

You can adapt most VPN providers with the above guide if you can get the openvpn settings.

 

[Val D.]

Currently, in 2 minds here go back to my pfsense build or stick with the Asus 86u router

Whatever you decide. Consumer routers are definitely easier to setup, no networking knowledge is needed in most cases. This is the idea and this is why they are made this way. pfSense is an enterprise firewall and a network guy is expected to install it and set it up. You can do much more and faster with pfSense, but you need to read how. The final results depend on where you start from, how much time you have, your willingness to learn new things, etc.

The pfsense route (if you got decent hardware) I noticed right off the bat my AES cpu (2.4ghz intel) is using 8-9% max core 1 when maxing out download speeds, on the Asus router 78% core 1 and 30% core 2, I thought the Asus 86u AES was supposed to be good?

AES helps with encryption/decryption. BCM4906 with AES support can do >250Mbps on OpenVPN. No other router application CPU could do it before. It's normal to see a router CPU jumping much higher on similar tasks compared to desktop x86 Intel Core CPU. Even though BCM4906 is a good router CPU, it can be only compared to low power/frequency entry-level x86 CPUs. Don't forget the fact that routers run 24/7 on passive cooling and power efficiency is very high on priorities list.

 

[Chrisgtl]

I finally pulled the plug and bought a Kettop Mi7200L6 (i5-7200U, 8GB DDR4, 32GB SSD).

Now I just need to work out when i'll have a window of opportunity to install it without making the family go into full-blown-nuclear-meltdown.

 

[Val D.]

Don't worry. Tell them you're performing a Nuclear Reset. You should have enough time to setup pfSense during the process.

 

[CaptainSTX]

Now I just need to work out when i'll have a window of opportunity to install it without making the family go into full-blown-nuclear-meltdown.

While you are working on setting up Pfsense double NAT the new box behind your existing router and work on getting the Pfsense setup and working.

 

[JoeBee]

I finally pulled the plug and bought a Kettop Mi7200L6 (i5-7200U, 8GB DDR4, 32GB SSD).

Now I just need to work out when i'll have a window of opportunity to install it without making the family go into full-blown-nuclear-meltdown.

Never heard of that unit but that is one impressive box of hardware, think its 2 x 3.1ghz max turbo clock also, probably means your good for 2+gig broadband

I was eyeing this one here:
https://www.ebay.co.uk/itm/133054967085?ssPageName=STRK:MEBIDX:IT&fromMakeTrack=true

but that kettop one looks much better and future proof.

 

[JoeBee]

Whatever you decide. Consumer routers are definitely easier to setup, no networking knowledge is needed in most cases. This is the idea and this is why they are made this way. pfSense is an enterprise firewall and a network guy is expected to install it and set it up. You can do much more and faster with pfSense, but you need to read how. The final results depend on where you start from, how much time you have, your willingness to learn new things, etc.



AES helps with encryption/decryption. BCM4906 with AES support can do >250Mbps on OpenVPN. No other router application CPU could do it before. It's normal to see a router CPU jumping much higher on similar tasks compared to desktop x86 Intel Core CPU. Even though BCM4906 is a good router CPU, it can be only compared to low power/frequency entry-level x86 CPUs. Don't forget the fact that routers run 24/7 on passive cooling and power efficiency is very high on priorities list.

ahh explains the AES difference, yeah will have to think things over nice to have 2 options but its tempting to go back to the Asus router where its so simple and works at a click

 

[JoeBee]

While you are working on setting up Pfsense double NAT the new box behind your existing router and work on getting the Pfsense setup and working.

I was going to post a new question regarding double nat, I currently leave my isp supplied router in router mode connected to my Asus router or pfsense box since its handy to let family have internet while I test things out but I have disabled uPnP to stop any IP/Dns leaks from router to Asus/pfsense router, just wondering if there is any other possible risk ?

could one not just leave it like this forever ?

 

[Val D.]

While you are working on setting up Pfsense double NAT the new box behind your existing router and work on getting the Pfsense setup and working.

Yes, even Triple NAT is better. It’s going to make your first pfSense setup more interesting. Let’s see how long it will take you to realize that local and public IPs are treated differently.

 

[CaptainSTX]

The only difference you see in IPs when setting up double NATed is that the Pfsense box's Public/WAN IP will be a private IP from the first router's subnet. Once the OP is satisfied that his Pfsense box is ready to put into production mode it will automatically pull a public IP when connected to the modem. I had no issues setting up my Qotom mini PC in a double NAT configuration mode.

I always setup new network hardware off line or double NATed as it eliminates disrupting the family. The OP can do as they choose but as other posters have noted setting up Pfsense can take much more time than configuring an off the shelf consumer router. Setting it up on line in the production mode is going disrupt Internet service.

 

[JoeBee]

The only difference you see in IPs when setting up double NATed is that the Pfsense box's Public/WAN IP will be a private IP from the first router's subnet. Once the OP is satisfied that his Pfsense box is ready to put into production mode it will automatically pull a public IP when connected to the modem. I had no issues setting up my Qotom mini PC in a double NAT configuration mode.

I always setup new network hardware off line or double NATed as it eliminates disrupting the family. The OP can do as they choose but as other posters have noted setting up Pfsense can take much more time than configuring an off the shelf consumer router. Setting it up on line in the production mode is going disrupt Internet service.

I have been advised by someone else that you should switch off uPnP at your first router and second router if you are using OpenVPN and to set up your port forwarding from your VPN provider instead, otherwise you risk leaking your IP address.

No sure if that is right or not though, I have run double nat before and not really experienced any issues.

 

[Val D.]

It’s interesting to see incoming advices from people who actually don’t use pfSense, just tried to run it and gave up somewhere in the process. This is a great knowledge and experience to share, I guess.

 

[Chrisgtl]

Thanks all for your help. Looking forward to setting this up.

The only thing I don't know is how to determine which physical port is assigned to WAN yet. I'm sure it will be obvious as I remember reading about a 'link up' status during initial setup. I must revisit the YouTube videos again and make some notes this time.

 

[Fingers]

Thanks all for your help. Looking forward to setting this up.

The only thing I don't know is how to determine which physical port is assigned to WAN yet. I'm sure it will be obvious as I remember reading about a 'link up' status during initial setup. I must revisit the YouTube videos again and make some notes this time.

You choose WAN and LAN ports during install

 

[CaptainSTX]

Thanks all for your help. Looking forward to setting this up.

The only thing I don't know is how to determine which physical port is assigned to WAN yet. I'm sure it will be obvious as I remember reading about a 'link up' status during initial setup. I must revisit the YouTube videos again and make some notes this time.

Depending on how the box is setup you initially may need to go into the unit using the console mode before you can access its setup using the GUI. If that's the case you will need an HDMI cable so you can use a HDTV as a monitor and a USB keyboard.

 

[Chrisgtl]

Depending on how the box is setup you initially may need to go into the unit using the console mode before you can access its setup using the GUI. If that's the case you will need an HDMI cable so you can use a HDTV as a monitor and a USB keyboard.

I am going to re-flash the latest pfSense image as I don't trust a third-party for security reasons. I have got a spare HDMI cable and USB keyboard at the ready.

 

[ddaenen1]

I finally pulled the plug and bought a Kettop Mi7200L6 (i5-7200U, 8GB DDR4, 32GB SSD).

Now I just need to work out when i'll have a window of opportunity to install it without making the family go into full-blown-nuclear-meltdown.

I had the same challenge and that actually went very ok. I installed and configured the essentials in pfsense offline and moved it into my network once that was completed. Once installed, it took literally 10 mins max. to configure the ports and get everything online. One thing you do need to take in consideration: if you have static mappings in your current config, be prepared to redo this whole piece. My RB3011 allowed static mappings within the DHCP range. Pfsense doesn't allow that so i had to narrow down the DHCP range and remap every device i wanted to have a static IP once again outside of the range which meant that many devices ended up with a difference static IP than previously which also means that any dependencies need to be updated.

 

[Chrisgtl]

I had the same challenge and that actually went very ok. I installed and configured the essentials in pfsense offline and moved it into my network once that was completed. Once installed, it took literally 10 mins max. to configure the ports and get everything online. One thing you do need to take in consideration: if you have static mappings in your current config, be prepared to redo this whole piece. My RB3011 allowed static mappings within the DHCP range. Pfsense doesn't allow that so i had to narrow down the DHCP range and remap every device i wanted to have a static IP once again outside of the range which meant that many devices ended up with a difference static IP than previously which also means that any dependencies need to be updated.

Thanks for the heads-up. I only have about 10 devices with static IP's so shouldn't take long.

Just reading about Suricata and pfBlockerNG. I can see my wife divorcing me by mid-March!