pfSense hardware

[jgreco]

NVMe or bust!

Don't say things like that. These are computers. They like to break. You're tempting the inevitable "NVMe and bust".

 

[Rilo Ravestein]

You have entirely too many toys to play with.

Boys and their toys

 

[jgreco]

Boys and their toys

Well, you know what they say, make your hobby a business... the pay's better and you get to write off your toys.

 

[joeschmuck]

Pretty sure we'll hit your 40c/GB next year for NVMe.

Next year does sound good to me.

 

[jgreco]

Next year does sound good to me.

And how convenient, it's only days away.

 

[sremick]

I really want to integrate pfSense into my network. I keep looking around at modern hardware options for small size and low power, but at the end of the day after adding up all the pieces I still can't seem to beat pfSense's own SG-2220 (which is just a rebranded Netgate RCC-DFF 2220 for $25 more).

Sure I could go with old PC hardware lying around but size and power usage matter to me. And I want enough CPU (and AES) to run VPN. I only need 2 NICs and my internet is 50 down/ 25 up (and not likely to increase).

Thoughts?

 

[joeschmuck]

Thoughts?

Have you tried pfSense yet? If not and you can build a rig from home scraps, I'd do it. Both pfSense and Sophos are difficult to get them installed and running correctly. There is a lot of help out there so it's not hopeless (sometime I felt it was hopeless) but they are also not simply a hands off solution either. Well Sophos for me has been almost hands off once I configured it and I'm sure pfSense would be similar.

 

[sremick]

Have you tried pfSense yet? If not and you can build a rig from home scraps, I'd do it. Both pfSense and Sophos are difficult to get them installed and running correctly. There is a lot of help out there so it's not hopeless (sometime I felt it was hopeless) but they are also not simply a hands off solution either. Well Sophos for me has been almost hands off once I configured it and I'm sure pfSense would be similar.

I was thinking of just exploring the UI by setting it up in a VM. Actually part of the reason I want pfSense is because I want something more "hands-on" than my Netgear R7000 "Nighthawk" which is too dumbed-down and lacks configuration and data/stats. :) I miss Tomato on my old Buffalo router.

I could install dd-wrt on my R7000 but it's a hack and disables the hardware acceleration as a result. So I thought it might be better to try pfSense and separate out the firewall/VPN tasks to separate hardware than my wireless, making the R7000 just an AP. (Plus it's a chance to deploy more FreeBSD in my house!)

 

[Jailer]

Both pfSense and Sophos are difficult to get them installed and running correctly.

Citation needed

With pfsense you run the installer from the cd, plug in your WAN and LAN interfaces when prompted and bingo, you're there. If all you ever need is just a good basic firewall that's all you need to do. You check it occasionally for updates but that's it. And updates are even less painless. Where things get more complicated is when you start adding packages to add increased functionality and even that isn't that difficult. Hell if a dumb old prison guard like me can do it anyone can.

I really want to integrate pfSense into my network. I keep looking around at modern hardware options for small size and low power, but at the end of the day after adding up all the pieces I still can't seem to beat pfSense's own SG-2220 (which is just a rebranded Netgate RCC-DFF 2220 for $25 more).

Sure I could go with old PC hardware lying around but size and power usage matter to me. And I want enough CPU (and AES) to run VPN. I only need 2 NICs and my internet is 50 down/ 25 up (and not likely to increase).

Thoughts?

For the use scenario and connection speed you describe the SG2220 is a perfect fit. I'd go with one myself but I enjoy building my own machines so mine will be home built when I retire the ancient P4 rig I'm currently using.

I was thinking of just exploring the UI by setting it up in a VM. Actually part of the reason I want pfSense is because I want something more "hands-on" than my Netgear R7000 "Nighthawk" which is too dumbed-down and lacks configuration and data/stats. :) I miss Tomato on my old Buffalo router.

Check out the 2.3 beta. It's pretty far along and very stable for a beta and you can check out the new bootstrap UI they they just converted to. It's very slick and as soon as it's out of beta I'm updating.

 

[jgreco]

Since the big advantage of a product like pfSense or Sophos over a vendor-supplied firmware like the stock ASUS is that it is substantially more capable and that you can run stuff like virus scanning and intrusion detection, I'd say that pfSense "out of the box" is probably not a good basis for evaluating ease of installation.

I haven't looked at pfSense in its most recent iteration, but it used to be very difficult to get running properly with bells and whistles.

Sophos is somewhat easier in some ways, because there's a solid framework in place to make things easier, but it is also complicated in its own way.

 

[joeschmuck]

As for pfSense running out of the box as a firewall, well a basic router does the same thing. It's the add-on packages that make pfSense a useful tool IMO and they are not the easiest to work with.

 

[Mirfster]

Think I'll throw pfsense on a VM and take a looksy. Still using dd-wrt right now, but sounds intriguing.

 

[jgreco]

As for pfSense running out of the box as a firewall, well a basic router does the same thing.

And just to bring some NANOG-ness into this, the typical "basic router" is actually a NAT gateway, and often doesn't actually run a firewall at all, instead relying on the implicit unroutability of RFC1918 space to accomplish a separation. This can sometimes be defeated by injecting carefully crafted packets with a source IP address within the desired target range. This would, of course, be a lot more "useful" (to bad guys) if networks didn't aggressively strip source routing options.

I believe that the pfSense wizard actually does provide an actual correctly configured stateful firewall that protects against this sort of thing.

 

[anodos]

I believe that the pfSense wizard actually does provide an actual correctly configured stateful firewall that protects against this sort of thing.

It does. The default rules on the WAN interface block RFC1918 and bogon networks. The default install also allows more fine-tuned egress filtering than a cheap gateway thingy. PF is a really powerful tool even if it doesn't have the bells and whistles of a 'security appliance'. I view most of those bells and whistles as yet another thing to maintain and so avoid them unless I have a specific need (and IDS sensor placement is something that has to be planned out - the perimeter isn't always the best place to put it).

Just a long and rambling way to say "I like pfsense even when I'm not using its packages".

 

[jgreco]

There really aren't any significant bogon networks anymore, as virtually all IPv4 space has been allocated.

It's nice to hear you say that an IDS sensor doesn't necessarily belong at the edge. There's far too much "big giant network with squishy vulnerable innards" design that goes on.

 

[anodos]

There really aren't any significant bogon networks anymore, as virtually all IPv4 space has been allocated. :)

It's nice to hear you say that an IDS sensor doesn't necessarily belong at the edge. There's far too much "big giant network with squishy vulnerable innards" design that goes on.

Yeah, how's that working out for them? :D The IDS on the perimeter isn't showing anything so they must be fine. :D

For that matter though, even on networks with big squishy innards, I'd prefer to configure a span port on the switch and use a dedicated security appliance for IDS rather than run it all on my firewall.

 

[jgreco]

That gets difficult "at speed."

 

[JJT211]

I could install dd-wrt on my R7000 but it's a hack and disables the hardware acceleration as a result. So I thought it might be better to try pfSense and separate out the firewall/VPN tasks to separate hardware than my wireless, making the R7000 just an AP. (Plus it's a chance to deploy more FreeBSD in my house!)

From my understanding (I also have an R7000 with dd-wrt) the lack of hardware acceleration is only issue if your internet connection is 500Mbps +. Since you just stated that youre only around 50ish mpbs, hardware acceleration doesnt matter either way.

That being said, I think you should go pfSense as there's sooooo much you can do with it, especially when it comes to the packages. And being able to run your entire network over a VPN at full ISP speeds is awesome. The R7000 couldnt quite hang when it came to a VPN.

 

[jgreco]

The lack of hardware acceleration being an issue isn't a function of the "Mbps" rate. It's a function of the packet per second rate. A common mistake is for someone to haul out a FTP client or other "speedtest" type app and quote the speed they see as being what their router is capable of, but in reality, if your "router" craps out at 500Mbps on such a test, I can almost certainly get it to topple on a mere 20Mbps of small packet traffic. It is very difficult to deal with hundreds of thousands of packets per second (or more!) in pure software, which is why devices such as the Ubiquiti EdgeRouter have some hardware assist from the Cavium processor and can get one or two MILLION packets per second.

 

[Jailer]

One of the pfsense devs posted some throughput numbers on reddit that may shed somelight on what it's capable of with certain hardware.
https://www.reddit.com/r/PFSENSE/comments/3xqhqo/thinking_of_switching_to_pfsense/cy7evhu>
https://www.reddit.com/r/PFSENSE/comments/3xqhqo/thinking_of_switching_to_pfsense/cy7evhu>