Starting pfsense for New Users

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
31,689
Reaction score
9,035
Hi guys, thinking of building my own pfsense box. What are the min specs in order to run 1gbps?

Option C in Post #1 is probably the option to go with if you are just interested in running pfSense and not other things. I believe you can get away with 4GB RAM and a 32GB SSD if you want to go "minimum".

For me I chose to go with 8GB/256GB so that I have the flexibility to run other things like Linux in the future. But at least for now I just run pfsense and nothing else. So the 256GB SSD is kind of wasted for now.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
31,689
Reaction score
9,035
The price on Taobao for these mini PCs has gone up quite a bit, like 15-20%, probably due to the global parts shortage.

1) J4105
https://m.tb.cn/h.4H6xpMw?sm=fd150d
J4105 mini PC / small industrial host, four network ports, Intel i211 NICs, for VMs, NAS and software routers

2) J4125
https://m.tb.cn/h.4tdh0vK?sm=4a52b9
J4125 four-port Intel i210 gigabit NIC industrial host mini PC, 4K board, software router / NAS

-Grift-

Senior Member
Joined
Apr 4, 2015
Messages
978
Reaction score
17
Adding on to the posts above, I'm using one of those Taobao mini PCs with
4GB RAM
60GB SSD
OPNsense with plugins as seen in the image, more than plenty. (WireGuard server as well)
 

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,839
Reaction score
159
Hi Gurus!

I am trying to set up port forwarding on pfSense.
I have already enabled NAT reflection (Pure NAT), however I am still unable to access my Nextcloud instance via the public domain. I can access it via 4G but not when I'm on LAN or WiFi. After changing the NAT reflection rule to NAT + Proxy, I am able to access my Nextcloud instance. So what actually is the difference between the two?

This is my current setup
Pfsense > server (running traefik + nextcloud)
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,673
Reaction score
3,322
Hi Gurus!

I am trying to set up port forwarding on pfSense.
I have already enabled NAT reflection (Pure NAT), however I am still unable to access my Nextcloud instance via the public domain. I can access it via 4G but not when I'm on LAN or WiFi. After changing the NAT reflection rule to NAT + Proxy, I am able to access my Nextcloud instance. So what actually is the difference between the two?

This is my current setup
Pfsense > server (running traefik + nextcloud)

I will point you to the netgate documentation here on the differences:
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

*Since I do not use Traefik, I am not familiar with the (proxy) server setting on it and whether it has been set up correctly.

You can look at Host Overrides. Not sure if this will be of help to you:



Sidetrack:
Another way to set up a proxy server is to install the HAProxy and ACME plugins on pfSense and run it like one. You can set up as many (http) servers internally as you like, and let your pfSense running HAProxy handle the TLS (https).


If interested, you can read up here on Post #3:
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/#post-130207504

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,673
Reaction score
3,322
Updated on Post #2:

Mikrotik Switches on SwOS

Some asked what brand of switches I would prefer. For home lab/home use, I would go with Mikrotik. For beginners, I would recommend going with SwOS instead of ROS (if dual boot is supported) as it is less intimidating. Below are my personal pros and cons:

Pro:
  • Reasonably priced (especially for 10Gbe)
  • Capable and reliable (if you know how to use it, like ROS)
  • Highly customizable (ROS, even for SwOS)
  • Firmware is very lean, update is seamless and impressively swift (unlike U******)
Con:
  • Not as user-friendly and intuitive (*subjective)
  • GUI is not impressive and does not have an AIO dashboard like Unifi's
  • It just works, without the bells and whistles (which could be a "con" for U supporters)

*For those who wish to use a Mikrotik switch and would like to learn more about SwOS, feel free to read up here:
https://wiki.mikrotik.com/wiki/SwOS/CSS326

Images of the CRS305 and CRS312.

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,839
Reaction score
159
I will point you to the netgate documentation here on the differences:
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

*Since I do not use Traefik, I am not familiar with the (proxy) server setting on it and whether it has been set up correctly.

You can look at Host Overrides. Not sure if this will be of help to you:



Sidetrack:
Another way to set up a proxy server is to install the HAProxy and ACME plugins on pfSense and run it like one. You can set up as many (http) servers internally as you like, and let your pfSense running HAProxy handle the TLS (https).


If interested, you can read up here on Post #3:
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/#post-130207504


Yup, thanks for sharing. Will definitely be migrating my Traefik + ACME with Let's Encrypt + DDNS to pfSense at a later stage haha
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
Hi Gurus!

I am trying to set up port forwarding on pfSense.
I have already enabled NAT reflection (Pure NAT), however I am still unable to access my Nextcloud instance via the public domain. I can access it via 4G but not when I'm on LAN or WiFi. After changing the NAT reflection rule to NAT + Proxy, I am able to access my Nextcloud instance. So what actually is the difference between the two?

This is my current setup
Pfsense > server (running traefik + nextcloud)
NAT is a pain...
If you use reflected NAT (or proxy mode/HAProxy) then all the traffic will traverse the firewall and back even when you're on the internal network (i.e. it's going to hurt performance and congest the firewall's link, competing with external traffic). You'll also end up with the logs on Nextcloud being useless, as all connections will appear to originate from the firewall address.
There are also bugs in pfSense 2.5.1 when you have multiple routes and port forwards which may affect this scenario:
https://forum.netgate.com/topic/163070/pfsense-2-5-1-multi-wan-routing-trouble (the link refers to multi-WAN, but if you're reflecting back from the internal interface it will be doing basically the same thing)

If the server is in a separate DMZ from the clients then it's slightly different, as you'd need to apply the NAT rules to the client-facing internal interface as well as the WAN interface.

If you use IPv6 even as dual stack this problem goes away, as your clients will prefer to access the IPv6 address, which remains the same internally or externally. It will also perform better, as internal traffic won't touch the firewall at all if the clients are in the same network as the nextcloud server.

Another hack is to use split DNS, whereby the hostname resolves to a different address internally, but this breaks if your clients use an external resolver.
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,673
Reaction score
3,322
Some forumers asked about the use of a server chassis for their self-built pfSense box. For those who feel a 1U chassis is too tight, consider a 1.5U chassis (0.5U taller), which could house an SFX PSU, with better DIMM and CPU cooler clearance.

(For Reference Only) A mock-up, shown in images.
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,673
Reaction score
3,322
*If you could not get one, build one!

Netgate XG1537 10GBE Review with pfsense


Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,839
Reaction score
159
really interesting that
*If you could not get one, build one!

Netgate XG1537 10GBE Review with pfsense



Hmm, only capable of running a single stream at ~4Gbps. Are there recommended specs for a 10Gbps stream or, like he mentioned, it shouldn't matter?
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
The price in Taobao for these mini PCs does go up quite a bit like 15-20%, probably due to global parts shortage.

1) J4105
https://m.tb.cn/h.4H6xpMw?sm=fd150d
J4105 mini PC / small industrial host, four network ports, Intel i211 NICs, for VMs, NAS and software routers

2) J4125
https://m.tb.cn/h.4tdh0vK?sm=4a52b9
J4125 four-port Intel i210 gigabit NIC industrial host mini PC, 4K board, software router / NAS
Those look pretty decent, but is there anywhere else to order them for those of us who can't read Chinese? The ones offered for sale on Lazada tend to be older and/or lower spec.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
really interesting that


Hmm, only capable of running a single stream at ~4Gbps. Are there recommended specs for a 10Gbps stream or, like he mentioned, it shouldn't matter?
A dedicated layer 3 switch with hardware routing ASICs...
Just a few years ago you couldn't achieve 1Gbps with a software-based router/firewall at all.

Actual performance will also depend on packet size, number and complexity of rules, protocols in use, etc.

When setting up stuff on a 10Gbps link a while ago I had a layer 3 switch doing BGP and straight unfiltered routing, then various servers either directly connected or with their own firewalls. The switch could handle 10Gb just fine; a single server couldn't saturate the link, but several of them going at once could.

In terms of complexity/overhead for a typical firewall or router:
Bridging is faster than routing.
Unfiltered routing is faster than filtered routing.
Filtered routing is faster than NAT.
IPv6 is faster than IPv4.
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,673
Reaction score
3,322
Yup, thanks for sharing. Will definitely be migrating my Traefik + ACME with Let's Encrypt + DDNS to pfSense at a later stage haha

NAT reflection may be a hack, but it still works pretty well. I have not experienced many bottlenecks or a performance hit (even in the field) when the system is under constant load with multiple connections (even during torrenting tests). For a home network, I would say the impact is minimal.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#configuring-nat-reflection

DNS overrides (split DNS) are the preferred method, but have their own prerequisites and limitations too.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#nat-splitdns

Do refer to the Netgate documentation and select the one that best suits your needs.

Hope it helps.
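The trade-off bert64 and TanKianW describe above (NAT reflection hairpins through the firewall and hides the client IP from the server's logs; split DNS keeps traffic on the LAN but only if the client actually uses the internal resolver; IPv6 sidesteps both) can be checked from a LAN client. The script below is an added example, not code from the thread; it resolves the public hostname with the client's own resolver and predicts which path the connection will take. The WAN and server addresses are constructed placeholders from documentation ranges.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class Verdict:
    path: str    # direct-lan | direct-v6 | nat-reflection | unreachable | internet
    reason: str


def resolve(hostname):
    """Ask the client's own configured resolver, which is the one that matters:
    a pfSense host override only helps clients that use the internal resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(answers, wan_ip, lan_server_ip, nat_reflection):
    """Predict the path a LAN client takes given the addresses its resolver returned.
    wan_ip is the firewall's public address, lan_server_ip the server's internal one."""
    ips = [ipaddress.ip_address(a) for a in answers]
    if not ips:
        return Verdict("unreachable", "hostname does not resolve")
    # Dual-stack clients prefer the AAAA answer, so evaluate IPv6 first.
    ips.sort(key=lambda ip: ip.version, reverse=True)
    ip = ips[0]
    if ip == ipaddress.ip_address(lan_server_ip):
        return Verdict("direct-lan", "split DNS: stays on the LAN, server logs the real client IP")
    if ip.version == 6:
        return Verdict("direct-v6", "same IPv6 address inside and outside, no NAT or reflection")
    if ip == ipaddress.ip_address(wan_ip):
        if nat_reflection:
            return Verdict("nat-reflection", "hairpins via the firewall; server logs show the firewall address")
        return Verdict("unreachable", "public IP returned on the LAN and NAT reflection is off")
    return Verdict("internet", "resolves to a third-party address; ordinary outbound connection")


if __name__ == "__main__":
    # Constructed values (RFC 5737 / RFC 1918 ranges), not real hosts.
    WAN, SRV = "203.0.113.10", "192.168.1.10"
    cases = [([WAN], False), ([WAN], True), ([SRV], False), ([WAN, "2001:db8::10"], False)]
    for answers, refl in cases:
        v = classify(answers, WAN, SRV, refl)
        print(answers, "reflection=%s" % refl, "->", v.path, "|", v.reason)
```

To test a real hostname, replace the constructed answers with `resolve("cloud.example.com")` and run it once from the LAN and once over 4G; differing `path` values show which mechanism is in effect.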
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,673
Reaction score
3,322
*Update on Post #3

*Troubleshooting for HAProxy on pfSense:


Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,839
Reaction score
159
NAT reflection may be a hack, but it still works pretty well. I have not experienced many bottlenecks or a performance hit (even in the field) when the system is under constant load with multiple connections (even during torrenting tests). For a home network, I would say the impact is minimal.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#configuring-nat-reflection

DNS overrides (split DNS) are the preferred method, but have their own prerequisites and limitations too.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html#nat-splitdns

Do refer to the Netgate documentation and select the one that best suits your needs.

Hope it helps.
I am actually surprised that this is a hack, because on my AC66U I did not need to perform any NAT reflection configuration and it just worked when accessing my Nextcloud instance with DDNS.
 