pfSense

Soldato
Joined
13 Jan 2004
Posts
20,929
Is the absolute bomb... no idea why I did not do this sooner.

It has also totally resolved an issue my router/modem combo had, which would see it drop the connection for a millisecond (line still trained/authentication still up). Would boot me from games/IM but reconnect seconds later. Very, very annoying.

I'm running it off an ancient Lenovo desktop, P4 3GHz, 1GB RAM, with the onboard NIC and 1 PCI expansion NIC.

On top of what you would expect from a router/firewall (DHCP etc.), pfSense is now running:

PPTP VPN endpoint (Road warrior connection back home for remote access or secure net usage on mobile devices)
SSH Server (Road warrior port tunneling where VPN cannot be connected or SSH client is only option)
Traffic Shaping (More than myself uses the internet connection)
Nice custom rulesets to disallow connections to unauthorised DNS servers as specified by me (Quick and easy block against any DNS hijack exploits)

If anyone has ever considered building their own router/firewall on kit they have lying around, I say go for it - it's powerful and fun to do anyway! It does not even need to be super-powerful hardware, although headroom helps when you start loading up the filters, services and any extra packages. The antivirus and peer-blocking packages look pretty interesting and I will have to give them a try.

Having a proper PPTP VPN endpoint is a godsend for my Android devices :cool:
 
Soldato
Joined
6 Sep 2008
Posts
3,974
Location
By the sea, West Sussex
Been running it for years; started out on an old Compaq Deskpro with a 500MHz PIII, then upgraded to an old WatchGuard X700 which I installed 1.2.3 on. Even managed to get the LCD working with the help of the guys on the pfSense forums. I upgraded it to a P4 1.4GHz and maxed out the RAM, and all this was running the embedded version on a small 40GB laptop HDD installed inside. Only downside was that it was either really noisy, or it got really hot if you slowed the fans. I modded the top of the case and fitted a quieter Socket 370 cooler and it ran right up until the release of 2.0.

I've currently got 2.0.1 running as a VM on my Hyper-V box. It's running Snort with some really basic rules, pfBlocker with the "top spammers" lists active, bandwidthd for monitoring (this helped me spot a machine whose AV update was failing) & a VPN endpoint. I want to be running this as the NTP server for my network too, but there are time drift issues in Hyper-V which mean it's not practical until I move it back to a hardware box.

I've been eyeing up for some time a Supermicro X7SPA-HF Atom-based mini-ITX board - but like most things I don't really have the time!!

Glad you are loving it - it's been great for me.
 
Associate
Joined
23 Sep 2007
Posts
1,160
I've been running pfSense for years too - on a Zotac mini-ITX Atom board with a PCIe slot connected to a dual Intel PRO/1000 expansion card. Hardly ever reboot it.

Used to have problems with routers and the number of connections, and having to reboot often. This just works and isn't expensive to set up.
 
Soldato
OP
Joined
13 Jan 2004
Posts
20,929
Sounds awesome, but the price / performance / leccy bill seriously holds me back. :(

Leccy isn't an issue if you get a small embedded system or mini-ITX. No more than a consumer router really.

pfSense also supports power states, so it downclocks the CPU etc. when not needed. This desktop ticks over at 300MHz most of the time.
 
Associate
Joined
7 Sep 2009
Posts
2,076
Location
West Lothian, Scotland.
Leccy isn't an issue if you get a small embedded system or mini-ITX. No more than a consumer router really.

pfSense also supports power states, so it downclocks the CPU etc. when not needed. This desktop ticks over at 300MHz most of the time.

It was more the combination I was referring to. Feel free to correct me, because I'd like to be running it at home to get my feet wet, if anything.

I looked into a couple of the embedded systems (Alix boards; they weren't cheap, but I can forgive that because decent routers cost a bit), and whilst the power requirements were fine they seemed to be topping out at like 80Mb throughput. VM's 100/10 is a total of 110, so it basically falls short of what's desirable.

My understanding is my consumer **** should be pulling a couple of watts max, but I'll need to check this. You checked what kind of draw your desktop has with a Kill-A-Watt?
 
Soldato
Joined
7 Jul 2010
Posts
3,581
It was more the combination I was referring to. Feel free to correct me, because I'd like to be running it at home to get my feet wet, if anything.

I looked into a couple of the embedded systems (Alix boards; they weren't cheap, but I can forgive that because decent routers cost a bit), and whilst the power requirements were fine they seemed to be topping out at like 80Mb throughput. VM's 100/10 is a total of 110, so it basically falls short of what's desirable.

My understanding is my consumer **** should be pulling a couple of watts max, but I'll need to check this. You checked what kind of draw your desktop has with a Kill-A-Watt?

My D-Link DIR-635 uses 5 watts, and my MicroServer fitted with 3 drives uses 40 watts when the drives are spun up; if the drives are spun down then it's 30 watts.
 
Soldato
OP
Joined
13 Jan 2004
Posts
20,929
My desktop is basically a full ATX, so drawing much more than a mini-ITX or embedded system, but I do not really care overly much about the draw. This was more of an experiment in the first instance, but I am so happy with it I plan to keep it as my permanent firewall/routing system. In the coming weeks/months I am going to research a nice low-power mini-ITX with headroom for a FTTP 1Gbit/100Mbit connection.

The difference between 5 watts and 30 watts is next to nothing over the course of a year though.
 
Soldato
Joined
6 Sep 2008
Posts
3,974
Location
By the sea, West Sussex
An Alix is about 5-10W draw and will top out at around 60-70Mb/s, a little more if you tweak it.

A dual-core Atom will draw 20-30W but will easily do 200Mb/s; I've seen claims of over 350Mb/s.

By my calculations you are looking at about 8p/day to power an Atom.
 
Soldato
OP
Joined
13 Jan 2004
Posts
20,929
1 annoying thing with pfsense.

Will not take a WAN gateway outside of the assigned interface IP's subnet. Rather annoying, seeing as my ISP issues IPs in 213.133.215.x and has a gateway on 213.133.195.x.

It can be fixed by manually adding -net and default routes, but those routes get overwritten whenever the interface has a state change. That completely rules out using DHCP to assign the WAN IP.

Sucks big time, as I just finished writing my DHCP script on a DG834GT with a half-bridge setup. My new DHCP script dishes out my WAN IP over DHCP whenever the PPP connects, instead of issuing useless LAN subnet addresses to my pfSense WAN interface.

Apparently it's a limitation of FreeBSD not allowing you to use gateways in a different subnet. :(

Bizarre really, as Windows will do it no worries and even add the routes for you.
 
Soldato
Joined
28 Dec 2002
Posts
6,579
Location
South Coast
I'm now looking at one of these to have in this install:

Sky FTTC connection
--------------------
Sky Router
--------------------
pfSense
--------------------


Plan is for the Sky box, Vodafone SureSignal, Humax, Sony Blu-ray box etc. to all sit in a DMZ in front of the pfSense box, with all my other kit sat on my main LAN:

3 x laptops (XP, Vista, 7)
1 x printer
1 x desktop (7)
2 x iphones
1 x apple TV
1 x apple ipad
1 x AV Amp
1 x Wireless AP
1 x NAS


Can anyone recommend a base box for pfSense? I don't have anything at present; thought about a laptop, but of course not enough NIC ports.

My other thought was an HP MicroServer, getting ESXi up and running on it etc. and then trying Snort and other tools.

Obviously I'll have to determine which ports need to be open for the various appliances to work.
 
Soldato
Joined
6 Sep 2008
Posts
3,974
Location
By the sea, West Sussex
1 annoying thing with pfsense.

Will not take a WAN gateway outside of the assigned interface IP's subnet. Rather annoying, seeing as my ISP issues IPs in 213.133.215.x and has a gateway on 213.133.195.x.

Are you sure? I screwed things up by setting the wrong IP on the WAN gateway once... so I had a fiddle and BANG... screwed things up again, but I'm not sure in a way that helps you.
Even reverted back to the correct settings and that didn't work until I cycled the interface. Back online now :D

Long and short - static IPs FTW with pfsense.
 
Soldato
OP
Joined
13 Jan 2004
Posts
20,929
Are you sure? I screwed things up by setting the wrong IP on the WAN gateway once... so I had a fiddle and BANG... screwed things up again, but I'm not sure in a way that helps you.
Even reverted back to the correct settings and that didn't work until I cycled the interface. Back online now :D

Long and short - static IPs FTW with pfsense.

Yes, positive.

It's a documented issue, with the manual input of routes listed as the workaround.

A gateway being in a different subnet to the WAN IP is a rare and strange setup, but it does exist.

I have to tell FreeBSD which interface to find my WAN gateway on (the WAN interface), then set the default route to that gateway.

Basically:

route add -net WAN-Gateway-IP/32 -iface WAN-Interface
route add default WAN-Gateway-IP
 
Soldato
OP
Joined
13 Jan 2004
Posts
20,929
[RXP]Andy said:
Have you looked at Alix sys-boards for pfSense as these are a neat all in one solution.

They are neat but only have Fast Ethernet, no Gigabit. As long as your connection to the outside world is less than 100Mbit you should be fine, although even with Gigabit Ethernet I am not sure an Alix board could route much faster than 100Mbit anyway, especially not when adding additional filters like Snort.
 