Updated 2016 PfSense build with 4 Intel LAN,8GB RAM,120GB SSD, 10 watts - $257

[Dennis Wood]

It's been some time since posting here, but I'd figure I'd post an updated build to compliment the "Confessions of a PfSense newbie" sticky: http://www.snbforums.com/threads/confessions-of-a-pfsense-newbie.5379/

The build in 2011 used 29 watts, the 2016 Qotom version uses only 10 watts (max of 13) measured with an EM100 with RAM and SSD onboard, running under load.

We've been using pfsense for some time now, and found the 5 yr old mini-itx build routers max'd out at 2GB of ram, creating some swap file issues running several instances of Snort. PfSense has been rock solid in our two locations now for 5 years. It was time for some updated hardware. We run several boxes, and require 4 network ports. These were quite inexpensive, easy to configure and work perfectly with pfsense 2.3. We're running a pretty full package compliment including Snort, Squid, Squidgard, Lightsquid, NUT, ClamAV, OPENVPN etc., so the RAM and SSD space was needed. The PfSense boxes manage all of our DHCP, static reservations, DNS and autoproxy config files as well. We run dual WAN in both locations, so the boxes keep busy with load balancing, traffic limiters and guest WIFI access as well as the packages themselves.

The build was very easy this time..just plugged in the RAM and mSATA drive:

QOTOM-Q190G4 - J1900 Quad core 4 LAN 1080P Industrial computer
Intel Celeron Processor J1900(Quad-Core 2M Cache,2 GHz, up to 2.41 GHz)
NO RAM.NO SSD,NO WIFI （NO OS)
Support Windows /Linux (Can not support windows xp)
4 LAN+VGA+2 usb 2.0
Network Card:4*LAN Intel WG82583 10/100/1000M Ethernet
$159

Kingston Technology 8GB 1600MHz DDR3L (PC3-12800) 1.35V Non-ECC CL11 SODIMM Intel Laptop Memory KVR16LS11/8
$30

Samsung 850 EVO - 120GB - mSATA Internal SSD (MZ-M5E120BW)
$68

The Qotom units have zero documentation in the box, but it's pretty simple to configure them. Four screws on the bottom of the case exposes the SODIMM slot, the mSATA slot, and provided SATA/power cables in case you have a SATA SSD kicking around. The case bottom plate hosts an integrated SSD mount. These are very small boxes, with no fan or moving parts at all. They are about perfect for pfsense.

I enabled TRIM on the Samsung SSD as follows. Below is compiled from several other posters on the pfsense forum so thanks to those who posted.

1. booted pfSense from USB stick and installed pfSense to SSD

2. Used Putty to connect to the box, fired up the shell and obtained ufsid by showing the fstab file:
[2.2.4-RELEASE][root@pfSense.localdomain]/root: cat /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ufsid/576dca6e13175d08 / ufs rw 1 1

3. booted pfSense from USB stick into single-user mode

4. at the # prompt, the following was issued:
/sbin/tunefs -t enable /dev/ufsid/576dca6e13175d08 (your ufsid will be different!
/sbin/reboot

5. booted pfSense from SSD. Again using putty, ran this command from shell to see if TRIM was enabled.
/sbin/tunefs -p /

In terms of the hardware swap, it was suprisingly simple. I did our work install in the 30 minutes during lunch. I had previously updated the two 2011 vintage boxes over to 2.3.1-RELEASE-p5 (amd64), then backed up the configuration. The Qotoms got a fresh 2.3.1 install using USB. Restoring the old config (a lot of time invested there!) onto the new boxes was super simple. The pfsense web gui prompts you to reassign your network ports (as it detects the mismatch), it reboots, installs packages and all good. The upgrade was surprisingly simply. I only had to copy my proxy.pac, wpad.dat and proxy.pa config files (make sure you keep a copy!) over to the new install and it was done.

The PfSense crew deserves a lot of respect in terms of making this so simple. It would be pretty amazing if PC machine replacements went this well.

The pics below are pretty much self explanatory

Cheers,
Dennis.

 

[L&LD]

So for roughly $250 (retail) we get a router that is properly appointed, huh (hardware-wise)?

For another $250 or so, (if for nothing other than to match the $500 price of the RT-AC5300) Asus, QNAP, Synology or any other router manufacturer could easily add the WiFi components to the above and still make a profit when these start flying off the shelves faster than they could stock them.

http://www.snbforums.com/threads/how-much-ram-is-enough-in-a-router.33304/page-3#post-267892

Dennis, great upgrade and thanks for sharing!

 

[Dennis Wood]

L, they do I believe have Wifi versions of this box..just not sure on the tech. I'm using a few EX7000 units as wired access points, which allow me me place them more appropriately to provide AC class wifi for the home office... and a few EAP 600 units at the office.

The 8GB of ram means we can run SNORT on three interfaces without running out of RAM and requiring a swap file. SNORT is memory hungry in its higher performance configurations. One can also increase the proxy server RAM usage if you have some to spare. A 30GB SSD would be plenty (we never came close to its limits on the old router)...so the 120GB just lets us save a lot more of the web logs, increase proxy cache size, and gives us some future proofing.

Because Pfsense and the packages are open source, there is no added cost other than the hardware. Web logging/reporting is important in the work environment, as is SNORT and the proxy services. Guest network access and limiters on that traffic was another requirement which pfsense handles well. We use iOS and PC based VPN a lot..so again, openVPN has worked very well. I simply couldn't find anything that would do all of this in a low cost box with multi wan load balancing...that now only uses 10 watts and has zero moving parts.

 

[sfx2000]

The 8GB of ram means we can run SNORT on three interfaces without running out of RAM and requiring a swap file. SNORT is memory hungry in its higher performance configurations. One can also increase the proxy server RAM usage if you have some to spare. A 30GB SSD would be plenty (we never came close to its limits on the old router)...so the 120GB just lets us save a lot more of the web logs, increase proxy cache size, and gives us some future proofing

How many users are being supported if I might ask?

 

[Dennis Wood]

How many users are being supported if I might ask?

It ranges between 10 and 25 users or so on the business side, plus a fair amount of rsync and RTRR traffic between sites. The business site is getting 80/25 Fibre in a week or so, so the dual WAN requirement will go away. I maintain the identical router configuration at the home office, so everything gets tested there first.

 

[Trip]

Thanks for the details on the build, Dennis. I've been looking at little units like this Qotom and more powerful Intel i-core variants as well as more powerful ways to run fq_codel QoS on WAN-LAN traffic, with a distro like IPFire or similar. Would love to find someone whose actually tested it and has some benchmarks.

 

[Dennis Wood]

I generally just look at pfsense packaged hardware offerings and their suggestions for throughput, load etc. The box I built would be appropriate for a small to medium office.

We had fiber installed today and we're pretty happy to upload finally at 25Mbps speeds. We can dial up the speed quite a bit for more $$, but the 50/25 will be fine for now

 

[sfx2000]

I generally just look at pfsense packaged hardware offerings and their suggestions for throughput, load etc. The box I built would be appropriate for a small to medium office.

More than enough - nice build

 

[sfx2000]

Intel Celeron Processor J1900(Quad-Core 2M Cache,2 GHz, up to 2.41 GHz)
NO RAM.NO SSD,NO WIFI （NO OS)
Support Windows /Linux (Can not support windows xp)
4 LAN+VGA+2 usb 2.0
Network Card:4*LAN Intel WG82583 10/100/1000M Ethernet

Pretty similar to my AID/Netgate box - the J1900 has two more cores, the C2358 has AES-NI and no GPU, but the ethernet's on the SoC - waiting to see what happens with Intel QuickAssist integration into pfSense (work in progress there).

Silly how cheap mSATA drives have gotten - and while 120GB might be overkill, it's actually not that expensive compared to smaller drives, and the 850EVO is a very nice drive - I'm running the same drive myself.

The QOTOM Unit does appear to be a right and proper box for pfSense, and adding the RAM/Storage still puts one into a good zone for price/performance.

 

[sfx2000]

Don't forget to check out the options under System/Advanced/Miscellaneous for PowerD (I'm running HiAdaptive for PowerD), and Thermal Sensor (choose on-die sensor there).

I also enable "Use memory file system for /tmp and /var"...

nice tip on enabling TRIM support, thanks for that one!

 

[Dennis Wood]

SF, I was pondering the absence of AES-NI, but I've found the few sessions of OpenVPN we typically run don't seem to tax the box anywhere close to capacity.

Thanks for the PowerD tips..I was using this on the old boxes but need to revisit on the new build.

I had an interesting time with the fibre install yesterday as our upload speeds were terrible at first. Turns out I snuck a 1000Kbps limiter on upstream traffic likely several yrs back and forgot about it. 50 Mbps down and 25 Mbps up are the fastest speeds we've been on, ever. My media guys were pretty thrilled with how fast media was uploading today! For the first time in about six yrs we're using a single WAN (vs dual) connection, now over fibre.

 

[Dennis Wood]

To answer the question of resource use, here's what I'm seeing as "max" CPU load so far with the WAN connection at max DSL for the home office. The work 50/25 fibre connection is much faster..CPU load there hits 31% or so with max bandwidth.

There are no fans in/on either of the routers..temps are pretty much stable at 40-43C with passive cooling. After a few weeks of 24/7 operation at two locations, I'm super happy with the build.

 

[bayern1975]

are the pfsense routers have support for IPTV, udpxy inside?

sent from Kodi 17 Krypton

 

[sfx2000]

To answer the question of resource use, here's what I'm seeing as "max" CPU load so far with the WAN connection at max DSL for the home office. The work 50/25 fibre connection is much faster..CPU load there hits 31% or so with max bandwidth.

There are no fans in/on either of the routers..temps are pretty much stable at 40-43C with passive cooling. After a few weeks of 24/7 operation at two locations, I'm super happy with the build.

Nice... here's mine - pretty quiet today, as it's just me at the house right now... ambient temp here is 84F/29C - and I'm passively cooled as well.

 

[Dennis Wood]

are the pfsense routers have support for IPTV, udpxy inside?

sent from Kodi 17 Krypton

Here's a thread that might help answer that question..I have zero experience with IPTV: https://forum.pfsense.org/index.php?topic=100444.0 and he moves to this thread: https://forum.pfsense.org/index.php?topic=100464.0

SF, not running SNORT sure saves a lot of RAM

 

[sfx2000]

SF, not running SNORT sure saves a lot of RAM

No doubt... not really needing Snort here at Casa de SFX, while I'm a telecommuter, the company's latop has hella end-point security

As for IPTV, pfSense can handle the VLAN's needed for some operator/carrier multi-play options - really depends on needs - and as for udpxy, not sure if there's a need or not - not seeing a good use case for it. Why would I want to push even more multicast traffic, which is counter to IGMP snooping/proxy (which is handled not by my router, but by my switch in any event.)

udpxy is a UDP-to-HTTP multicast traffic relay daemon: it forwards UDP traffic from a given multicast subscription to the requesting HTTP client.​

 

[CiscoX]

Hi, I have been testing pfSense for some days now after latest update (before that I was running the v.2.3.1_5 for 1 week) no problem at all. And I'm quit happy with it.

 

[occamsrazor]

Hi,

Just wondering if you are still happy with your Qotom? I'm about to buy the i5 version with 5250U CPU. A fair bit more expensive but I'm overspeccing in case I repurpose it as something else later.
Just wondering if you are still happy with it? Also what would you recommend in terms of how much RAM/SSD these days. I was reading 2.4 uses ZFS and uses a bit more RAM. I want to be on the safe side and have plenty enough, but not excessive.

Thanks.

 

[sfx2000]

4GB is plenty for most pfSense sites, but with prices like they are - 8GB

(comes in handy if using Squid/Snort/other packages)

 

[CaptainSTX]

I looked at their site. Be sure about the processor speed and the number mentioned isn't the speed that it can be overclocked to.

I have never had a great experience as far as stability if I overclocked a processor.

FYI If you plan on running a VPN client on out pfsense box based on what has been said elsewhere on this site 2.4 Ghz will limit you to about 100 Mbps down. Not many people have a high enough speed ISP connection and run VPNs to post a lot of actual real world results so your results may vary.