TanKianW (Supremacy Member; joined Apr 21, 2005; 5,884 messages; 2,187 reaction score)
Hi All, decided to start a new thread on helping forumers to give them a head start using pfsense firewall.
Below are my reasons for doing so:
- As working from home becomes the default mode of working for many of us, securing your home network becomes a major task. In fact, if you have read the recent reports on the spike in network vulnerabilities, more home networks are being compromised during this WFH period. Therefore, by deploying a quality firewall, our home network becomes more secure and safe. Of course, having a firewall is only one piece of the puzzle in securing your home network.
- Provide an alternative to the more advanced Mikrotik and Ubiquiti routers. Actually pfsense is a "step up" compared with these alternatives.
- Change the perception that pfsense is hard to configure and only for advanced users.
- With our increasing demand for internet speed, IoT devices, multiple home mobile devices and increasing awareness of network security, OTS consumer products just lack the capability to protect our home network.
- OTS routers, or even some lower-end Mikrotik/Ubiquiti routers, are not really built for dual-WAN. Therefore, as more people subscribe to 2x 1Gbps plans or plans from 2 ISPs, the demand for a multi-WAN capable router falls into place.
- An "always on" router: no need to power cycle, no need to reboot (except maybe for major updates). Enterprise-class routing solutions are suited for 24/7 operation. Compare this with any top-range consumer router, where after a long period of operation, consumer routing solutions tend to "ghost" on the connection and behave extremely sluggishly in most cases.
What I will try to do is:
- Provide some hardware recommendations for building your pfsense box
- What could be my personal preferred pfsense set up. This could be subjective.
- Provide good YouTube links for setting up your pfsense and some step by step configurations complementing the online resources (if any). Most of the time I will be quoting YouTube links from Tom of Lawrence System since his online tutorials are the most extensive and in my opinion...honest and less BS.
- This should not be a too complicated thread which touches on too many advanced settings that the majority of the forumers here will not be using. It is to provide a head start for new users, but still requires new users to learn the interface and the basics of a firewall on their own to really understand the concepts of a firewall/router.
*Disclaimer: I am not in any position to market the pfsense appliance from Netgate.
*A little background of my experience in using pfsense: I have been learning, using, contributing to and deploying pfsense over the past few years for several enterprise and home set-up environments. I dare not say I am a professional since I still have a lot to learn and still make mistakes along the way. As Albert Einstein put it simply, "A person who never made a mistake never tried anything new."
**Hardware recommendations for pfsense (updated Jul 2021)**
*Option A: Building your own pfsense box
The most important parts to take note of when building your pfsense box are the chassis, motherboard form factor, CPU and NIC.
- CPU: Intel CPUs preferred, with support for AES-NI crypto. You can look for Intel CPU models that end with "U" or "T", which are low powered. If you are concerned about power usage, you can turn on pfsense's native support for EIST under System->Advanced->Misc->PowerD options.
- Chassis: I will go with a mini-box that houses a mini-ITX board, or a 1U low-depth chassis.
- PSU: Flex-ATX power supplies usually allow for a slimmer-profile chassis; SFX power supplies will need bigger ones. A good power supply of >250 watts with bronze certification or above will suffice.
- Memory: I will go for non-ECC Kingston ValueRAM, at least 8GB.
- Storage: I will go with SSDs over magnetic disks. >128GB should suffice unless you enable heavy logging.
- Motherboard: This is one of the most important components. I will go with server-class motherboards like Supermicro or ASRock Rack. Good to get a motherboard that comes with Intel NICs.
- NICs: Due to the nature of driver compatibility in FreeBSD, Intel NICs are preferred over Marvell and Realtek. RJ45 or fiber through SFP/SFP+ are ok. Do get a NIC with good heatsinks since it might run pretty hot under load.
A few good NIC makers come to mind:
- 10Gtek (uses reliable Intel NIC chips)
- Chelsio (Recommended for 10Gbps set up)
- Mellanox (for >10Gbps set up)
- *Other Intel OEM (Beware of counterfeits)
*You can check out the NICs recommended on the "Serve The Home" website/forum and the FreeBSD driver support for NICs: https://www.freebsd.org/releases/12.0R/hardware/
*Recommendation for 1U pfsense set-up (Enterprise use) - for reference only (updated on Jan 2022)
- 1U custom casing with 4x Noctua 4cm PWM fans
- ASRock Rack E3C23DI m-ITX board with 2x Intel NIC
- Intel Xeon E3-1240L v5 (tray) at 25W (4-cores, 8 threads)
- Dynatron 1U T-06 CPU cooler
- 2x 8GB Kingston unbuffered DDR4 ECC Memory
- OEM 500W Flex-ATX PSU (Platinum Rating)
- 2x 240GB Samsung EVO SSD in ZFS mirror
- Chelsio T520 with 2x 10G SFP+ OR Quad port Intel 1G NIC
1U rack pfsense deployment:
pfSense and core switch (MikroTik CRS312):
Home office/lab (MikroTik CRS309 + CRS326) connecting to pfSense upstream
*Option B: Purchasing your Netgate firewall appliance
You will not be able to purchase a Netgate appliance directly from their website. But you can use a local carrier to deliver it to Singapore if you are really keen on getting the original appliance.
Pros: support for pfsense straight out of the box.
Cons: Expensive. Might have problems claiming warranty.
Check out: https://www.netgate.com/products/appliances/
*Option C: Purchasing a third-party all-in-one box with an embedded (low-powered) CPU and multiple NICs built in
Recommendation:
- Chassis: Passively cooled with lots of fins
- CPU: embedded Intel CPU with models ending in "U". For power users and VM users, I recommend a CPU that has at least 4 cores, 8 threads. Most will support AES-NI unless it is the earlier J19XX Atom series.
- Memory: Recommend getting a box that does not come with memory. You can purchase it separately locally for warranty claims. Recommend 8GB.
- Storage: Same as above. Prefer to purchase it locally for warranty claims.
- NICs: It will usually come with Intel's. Look for one with at least 4 NICs so you can run dual-WAN and an LACP LAGG to your switch. But performance will not be as good as dedicated higher-end NICs with bigger heatsinks.
*Recommendation of mini x86 boxes on Option C - for reference only (updated on 21 May 2021)
CPU (support AES-NI): Intel Celeron Quad Core J4105 TDP at 10W.
*UPDATED*: J4125 and J5005 are good buys too. Take note that the supported memory capacity is up to 8GB only (but 8GB is more than enough for pfsense). Recommend getting one with Intel NICs.
Comparison with J4105:
J4125 VS J4105
J4105 VS J5005
**Alternative solutions from "Protectli" if you are not confident in such PC boxes from China:
https://protectli.com/
*Advantages over mini-pc boxes from China can be found here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-45#post-139621353
**Mini-pc Boxes from China (Taobao/Alibaba)
RAM: 8GB
Storage: 64GB or more
Chassis: passively cooled small chassis
NIC: at least 4 x Intel NIC i211
Price: Varies from $220-$240 (4GB-64S to 8GB-128S) including direct shipping
Typical Dashboard:
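The post's hardware advice boils down to two checks once the box is built: every NIC should be bound to an Intel, Chelsio or Mellanox driver rather than the Realtek one, and the CPU should advertise AES-NI. The script below is an added example, not part of the forum post, that reads the text FreeBSD/pfSense prints for `pciconf -lv` and `dmesg` and reports both. The mapping from driver name to NIC family (em/igb/ix/ixl for Intel, cxgbe/cxl for Chelsio, mlx4en/mlx5en for Mellanox, re for Realtek) is my own, and the two sample outputs are constructed so the script runs offline; on a real box, `run_live()` collects the actual command output instead.

```python
"""Check a FreeBSD/pfSense box against the NIC-driver and AES-NI advice.

Added example; the command outputs below are constructed samples.
"""
import re
import subprocess

# FreeBSD driver names for the NIC families the post prefers, and the
# Realtek driver it advises against (assumed mapping, not from the post).
PREFERRED_NIC_DRIVERS = ("em", "igb", "ix", "ixl", "cxgbe", "cxl", "mlx4en", "mlx5en")
DISCOURAGED_NIC_DRIVERS = ("re",)

# Constructed sample of `pciconf -lv`: one Intel I210 and one Realtek NIC.
SAMPLE_PCICONF = """\
igb0@pci0:1:0:0:\tclass=0x020000 card=0x00008086 chip=0x15338086 rev=0x03 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
re0@pci0:2:0:0:\tclass=0x020000 card=0x816810ec chip=0x816810ec rev=0x15 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
"""

# Constructed sample of the CPU feature lines `dmesg` prints at boot.
SAMPLE_DMESG = """\
CPU: Intel(R) Celeron(R) J4105 CPU @ 1.50GHz (1497.60-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT>
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,RDRAND>
"""

# "<driver><unit>@pci<dom>:<bus>:<slot>:<func>: class=0x......"; an
# unbound device shows up as "none<N>@pci...".
DEVICE_RE = re.compile(
    r"^(?P<driver>[a-z][a-z0-9]*?)(?P<unit>\d+)@pci\d+:\d+:\d+:\d+:\s+class=0x(?P<cls>[0-9a-f]+)"
)
ATTR_RE = re.compile(r"^\s+(vendor|device)\s+=\s+'(.*)'")
FEATURES2_RE = re.compile(r"Features2=0x[0-9a-f]+<([^>]*)>")


def parse_pciconf(text):
    """Return one dict per PCI device: name, driver, class code, vendor, device."""
    devices, current = [], None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = {"name": m["driver"] + m["unit"], "driver": m["driver"],
                       "class_code": int(m["cls"], 16), "vendor": "", "device": ""}
            devices.append(current)
        elif current is not None:
            a = ATTR_RE.match(line)
            if a:
                current[a[1]] = a[2]
    return devices


def network_devices(text):
    """PCI base class 0x02 is 'network controller'."""
    return [d for d in parse_pciconf(text) if d["class_code"] >> 16 == 0x02]


def classify_nic(dev):
    if dev["driver"] == "none":
        return "no driver"          # FreeBSD has no driver bound at all
    if dev["driver"] in PREFERRED_NIC_DRIVERS:
        return "preferred"
    if dev["driver"] in DISCOURAGED_NIC_DRIVERS:
        return "discouraged"
    return "unknown"


def has_aesni(dmesg_text):
    """True when any Features2 line lists the AESNI flag."""
    return any("AESNI" in m.group(1).split(",") for m in FEATURES2_RE.finditer(dmesg_text))


def report(pciconf_text, dmesg_text):
    nics = [(d["name"], d["vendor"], classify_nic(d)) for d in network_devices(pciconf_text)]
    return {"aesni": has_aesni(dmesg_text), "nics": nics}


def run_live():
    """Collect the real output on a FreeBSD/pfSense box (run as root for dmesg)."""
    pci = subprocess.run(["pciconf", "-lv"], capture_output=True, text=True, check=True).stdout
    dm = subprocess.run(["dmesg"], capture_output=True, text=True, check=True).stdout
    return report(pci, dm)


if __name__ == "__main__":
    result = report(SAMPLE_PCICONF, SAMPLE_DMESG)
    print("AES-NI:", "yes" if result["aesni"] else "NO")
    for name, vendor, verdict in result["nics"]:
        print(f"{name}: {vendor} -> {verdict}")
```

On the constructed sample this flags `igb0` as preferred, `re0` as discouraged, and AES-NI as present; a NIC reported as "no driver" is the case the post's FreeBSD hardware-list link is there to avoid.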