PFSense Router Upgrade

Status: Not open for further replies.
My motherboard died in the PFSense router I had put together a couple of years ago, so I dropped by the local computer shop in town and picked up a refurbished HP DeskPro slim workstation for $160, dropped my Intel NIC (I350-T4) in it and rebuilt it, and it's working great.

The specs (highlighted in green) are overkill for what I need, but I'm happy it's back up and running. Still tweaking some of the settings, and the virus it says it found on the summary screen below is me testing ClamAV to ensure it's working.

It's running Squid proxy with ClamAV to scan all non-HTTPS content and to cache the internet for all users in the house. Really happy with how it works, both on the previous setup and this one. Upgrading to an SSD in this box made a huge difference to its performance over a mechanical drive, for anyone out there reading this. I'm using a Samsung EVO 850.


[image: PFSense.png]
Nice! I'm running PFSense on a Gigabyte Brix with an i5. Again, totally overkill, but it's the right form factor and works great. I echo your sentiments about installing an SSD; I picked up an inexpensive 256 GB one for the Brix and it cut the boot-up time down significantly. I've thought about installing the free version of VMware ESXi just so I can run one or two other systems on the Brix, but I don't know what I would use them for at this point.
 
Originally Posted by RonRonnster
Nice! I'm running PFSense on a Gigabyte Brix with an i5. Again, totally overkill, but it's the right form factor and works great. I echo your sentiments about installing an SSD; I picked up an inexpensive 256 GB one for the Brix and it cut the boot-up time down significantly. I've thought about installing the free version of VMware ESXi just so I can run one or two other systems on the Brix, but I don't know what I would use them for at this point.

Yeah, boot time monitored from the console is pretty fast compared to a mechanical drive. Even when I reboot it via the web interface I can hear it jingle in the next room almost instantly, whereas before it would take a few minutes to complete. It's a nice surprise.

I'm really happy with PFSense and their excellent platform. They are also really good at releasing bug fixes right away; I've encountered a couple over the years I have been using it.

I would NEVER go back to a consumer-grade router after this and after using my Ubiquiti UAP-AC-Pro access point. The two together are just a flawless internet experience, especially now that I have gigabit speed.

I'm using jumbo frames (9000 MTU) on the LAN side. Unfortunately on my WAN side they limit me to 1500 MTU.
Nice work


I just retired my Sophos XG box and replaced it with a Cisco Meraki MX64. It seems more responsive, despite the XG box running on a quad-core Xeon with 8 GB of RAM and an SSD. I've finally moved on from using an ISR for my home service due to the lack of visibility and filtering features. I've found the ASAs to be cumbersome, hence my trial of the Sophos rig. I ran PFSense years ago, so I'm quite impressed to see the improvements your screenshot shows.

I expect that unit will serve you well.
 
Originally Posted by OVERKILL
Nice work


I just retired my Sophos XG box and replaced it with a Cisco Meraki MX64. It seems more responsive, despite the XG box running on a quad-core Xeon with 8 GB of RAM and an SSD. I've finally moved on from using an ISR for my home service due to the lack of visibility and filtering features. I've found the ASAs to be cumbersome, hence my trial of the Sophos rig. I ran PFSense years ago, so I'm quite impressed to see the improvements your screenshot shows.

I expect that unit will serve you well.


Cool, I'll have to look into those you mentioned...


Yeah, PFSense has come a long way in terms of being a polished product that even novice users can figure out. It functions great right out of the box, so to speak, but also offers quite a few advanced features for folks like me and even more advanced folks like you.


The reason I splurged on this box at $160 was that I wanted something slim that would fit nicely where I have all my equipment, so I went with slightly higher specs, because options were limited at that size, versus a big ugly mid-size tower on its side wedged into the spot, which would have been less expensive. LOL
Here is what the hardware looks like... just for porn value. The computer has a CD drive not shown in this picture. Onboard LAN disabled.

Eth0 to Eth4 from right to left. Using Eth0 for WAN and Eth1 for LAN, with as much hardware offloading enabled as possible.

[image: $_86.JPG]


[image: A80M_1319656681676796118Pwkvh1AHt.jpg]
Those are good little computers. HP VERY frequently releases BIOS and IME firmware updates for those. Did you check to ensure you had the latest prior to the install?
 
Originally Posted by OVERKILL
Those are good little computers. HP VERY frequently releases BIOS and IME firmware updates for those. Did you check to ensure you had the latest prior to the install?


It's running the latest one they have for this configuration (May 2018). It comes in a couple of slightly different configurations from what I can see online.
I'm thinking of using one of the other unused ports on the Intel NIC to create a secondary LAN for devices that I need exposed to the outside, to segregate them from the rest of the devices on my normal LAN that don't need to pass through the firewall with port forwarding.

That would be my camera DVR and VoIP adapter. I'd put them on a separate switch hooked to one of these additional ports, with their own rules blocking them from the other LAN.

Thoughts on that?
Originally Posted by StevieC
I'm thinking of using one of the other unused ports on the Intel NIC to create a secondary LAN for devices that I need exposed to the outside, to segregate them from the rest of the devices on my normal LAN that don't need to pass through the firewall with port forwarding.

That would be my camera DVR and VoIP adapter. I'd put them on a separate switch hooked to one of these additional ports, with their own rules blocking them from the other LAN.

Thoughts on that?


If you don't have a managed switch that allows you to use VLANs, using physical separation as you've described makes sense.
Yeah, I don't have that level of gear in the house, other than a PFSense router.


Got lots of 4-port switches from projects gone by and from friends/family that didn't need them any longer, and for low-grade devices like the DVR / VoIP adapter they are "performance" enough....
Originally Posted by StevieC
Yeah, I don't have that level of gear in the house, other than a PFSense router.


Got lots of 4-port switches from projects gone by and from friends/family that didn't need them any longer, and for low-grade devices like the DVR / VoIP adapter they are "performance" enough....



I have a few managed 10/100s kicking around that I'd happily give you if you are interested, though I assume you want something Gig-E. I'm currently rockin' a 2960S w/PoE that was a hospital pull.

So yeah, as far as configuring what you are discussing: just create a separate subnet on one of the other ports, be sure to block inter-subnet routing (you may have to make a rule or rules, depending) and go to town!
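For readers who want to see what "a separate subnet on one of the other ports, with inter-subnet routing blocked" looks like as actual firewall rules, here is an added illustration that is not from the thread and not pfSense's own generated configuration. It is a stand-alone pf(4) ruleset written by hand so the intent is visible; pfSense builds equivalent rules from its GUI (add the interface, write the interface rules, add the port forward). Interface names, subnets, the DVR address and its port are all assumed.

```pf
# Added example, not from the thread. All names and addresses below are assumed.
ext_if = "em0"                 # WAN (Eth0 in the thread)
lan_if = "em1"                 # trusted LAN (Eth1)
dmz_if = "em2"                 # second LAN for the DVR and VoIP adapter (assumed Eth2)

lan_net  = "192.168.1.0/24"    # assumed
dmz_net  = "192.168.50.0/24"   # assumed
dvr      = "192.168.50.10"     # assumed DVR address
dvr_port = "8000"              # assumed viewer port; use the port your DVR actually needs

table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT for both internal networks
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> ($ext_if)

# The only inbound exposure: one TCP port, forwarded to the DVR alone
rdr on $ext_if inet proto tcp from any to ($ext_if) port $dvr_port -> $dvr port $dvr_port

# Default deny, logged, so anything not explicitly allowed shows up on pflog0
block log all

# Firewall-originated traffic, and forwarded traffic already admitted on ingress,
# may leave on any interface
pass out all keep state

# Trusted LAN may reach anything, including the DVR/VoIP subnet, so you can still
# view cameras from a PC. Replies come back through the state entry, not a rule.
pass in on $lan_if inet from $lan_net to any keep state

# Second LAN: DHCP and DNS from the firewall, then the internet, and nothing else
pass in on $dmz_if inet proto udp from any to any port 67 keep state   # DHCP (client source may be 0.0.0.0)
pass in on $dmz_if inet proto { tcp udp } from $dmz_net to ($dmz_if) port 53 keep state
pass in on $dmz_if inet from $dmz_net to ! <rfc1918> keep state

# Explicit, logged block for the path that matters most: the exposed devices trying
# to reach the trusted LAN. The default deny already covers it; a separate logged rule
# makes a compromised DVR probing the LAN easy to spot.
block log on $dmz_if inet from $dmz_net to $lan_net

# Admit the forwarded DVR traffic (filter rules see the destination after rdr rewrote it)
pass in on $ext_if inet proto tcp from any to $dvr port $dvr_port keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and watch the logged blocks with `tcpdump -n -e -ttt -i pflog0`. The design point is direction: the trusted LAN may open connections into the camera subnet, and the state table lets the replies back, but nothing on the camera subnet can open a connection toward the LAN or toward the firewall beyond DHCP and DNS, so a DVR that gets compromised through its forwarded port has nowhere to go but the internet.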
 
I appreciate the offer, but yeah, I would need gigabit with the data transferring around the network regularly.
Nice.. Only big downside is that it's probably costing you 25W.

I'm basically in the process of building the same setup using a cheap industrial fanless 4th gen CPU PC that I bought last year and have sitting on the shelf. With an i5-4570T (have to use the "T" version in my particular implementation).

Ever considered using your extra Ethernet ports to increase redundancy?

What else can I suggest.... Maybe set up a TFTP server so you can serve up PXE boot menus and images for client PCs? The way I have my system set up here is that I can bring in anyone's PC/laptop, plug it in, enable PXE boot, and voila, it will load up a menu from which I can select any one of a number of PXE-bootable utilities. Or even iSCSI targets if you install iPXE.


edit: this is what I'm using: http://www.nexcom.com/Products/mult...ce-player/1080p-signage-player-ndis-b533 . And I have 2 compatible WiFi cards I'm adding to it as well, so it will also serve as an access point for 2.4 GHz/5 GHz 802.11n.
Originally Posted by pitzel
Nice.. Only big downside is that it's probably costing you 25W.

I'm basically in the process of building the same setup using a cheap industrial fanless 4th gen CPU PC that I bought last year and have sitting on the shelf. With an i5-4570T (have to use the "T" version in my particular implementation).

Ever considered using your extra Ethernet ports to increase redundancy?

What else can I suggest.... Maybe set up a TFTP server so you can serve up PXE boot menus and images for client PCs? The way I have my system set up here is that I can bring in anyone's PC/laptop, plug it in, enable PXE boot, and voila, it will load up a menu from which I can select any one of a number of PXE-bootable utilities. Or even iSCSI targets if you install iPXE.


edit: this is what I'm using: http://www.nexcom.com/Products/mult...ce-player/1080p-signage-player-ndis-b533 . And I have 2 compatible WiFi cards I'm adding to it as well, so it will also serve as an access point for 2.4 GHz/5 GHz 802.11n.


What, no 802.11ac? For shame!


Good work
I built something similar a few years back.
Originally Posted by pitzel
Nice.. Only big downside is that it's probably costing you 25W.

I'm basically in the process of building the same setup using a cheap industrial fanless 4th gen CPU PC that I bought last year and have sitting on the shelf. With an i5-4570T (have to use the "T" version in my particular implementation).

Ever considered using your extra Ethernet ports to increase redundancy?

What else can I suggest.... Maybe set up a TFTP server so you can serve up PXE boot menus and images for client PCs? The way I have my system set up here is that I can bring in anyone's PC/laptop, plug it in, enable PXE boot, and voila, it will load up a menu from which I can select any one of a number of PXE-bootable utilities. Or even iSCSI targets if you install iPXE.


edit: this is what I'm using: http://www.nexcom.com/Products/mult...ce-player/1080p-signage-player-ndis-b533 . And I have 2 compatible WiFi cards I'm adding to it as well, so it will also serve as an access point for 2.4 GHz/5 GHz 802.11n.



It has boot support built in as well as TFTP, although I don't have a need for that at this time. It also supports SSH for the console, so no hardware is needed where it is.

As for the wattage... doesn't bother me. I'm gas for everything possible here, so it's made up for. LOL

I hadn't given thought to redundancy because I don't see it being an issue or being mission-critical, and I didn't want to add complexity if not necessary. It's a good idea though.

I went with the Ubiquiti access point because of the Faraday cage my house seems to be, with the metal mesh in the plaster walls. It was the only thing I tested that seemed to cover the entire house and outdoor areas when placed in one central location of my house. I tested a bunch of things and nothing seemed to be as good as it was in this setup.

Thanks for the info you provided. Great discussion points.
Originally Posted by OVERKILL
Originally Posted by pitzel
Nice.. Only big downside is that it's probably costing you 25W.

I'm basically in the process of building the same setup using a cheap industrial fanless 4th gen CPU PC that I bought last year and have sitting on the shelf. With an i5-4570T (have to use the "T" version in my particular implementation).

Ever considered using your extra Ethernet ports to increase redundancy?

What else can I suggest.... Maybe set up a TFTP server so you can serve up PXE boot menus and images for client PCs? The way I have my system set up here is that I can bring in anyone's PC/laptop, plug it in, enable PXE boot, and voila, it will load up a menu from which I can select any one of a number of PXE-bootable utilities. Or even iSCSI targets if you install iPXE.


edit: this is what I'm using: http://www.nexcom.com/Products/mult...ce-player/1080p-signage-player-ndis-b533 . And I have 2 compatible WiFi cards I'm adding to it as well, so it will also serve as an access point for 2.4 GHz/5 GHz 802.11n.


What, no 802.11ac? For shame!


Good work
I built something similar a few years back.

I have 802.11ac with the Ubiquiti...
Originally Posted by StevieC
Originally Posted by OVERKILL
Originally Posted by pitzel
Nice.. Only big downside is that it's probably costing you 25W.

I'm basically in the process of building the same setup using a cheap industrial fanless 4th gen CPU PC that I bought last year and have sitting on the shelf. With an i5-4570T (have to use the "T" version in my particular implementation).

Ever considered using your extra Ethernet ports to increase redundancy?

What else can I suggest.... Maybe set up a TFTP server so you can serve up PXE boot menus and images for client PCs? The way I have my system set up here is that I can bring in anyone's PC/laptop, plug it in, enable PXE boot, and voila, it will load up a menu from which I can select any one of a number of PXE-bootable utilities. Or even iSCSI targets if you install iPXE.


edit: this is what I'm using: http://www.nexcom.com/Products/mult...ce-player/1080p-signage-player-ndis-b533 . And I have 2 compatible WiFi cards I'm adding to it as well, so it will also serve as an access point for 2.4 GHz/5 GHz 802.11n.


What, no 802.11ac? For shame!


Good work
I built something similar a few years back.

I have 802.11ac with the Ubiquiti...



haha, so do I with my current Aruba Instant, which is powered by the aforementioned 2960S Gig-E unit. It's insane overkill @ 48 ports, but meh.