Hardware for pfsense

Well that is dense, I know it's router software.

Maybe I should have said what are they using it for, what uses or advantages does it have over a normal router, what benefits does it bring, why would one build one.
Is that easier to read for you?

I run a pfSense appliance at home in quite a basic network environment with no VMs or anything fancy. As said, it's a very powerful bit of software which has a huge dev community behind it. It has some tools like pfBlocker for blocking known "bad" IPs from entering the network (useful if you allow open ports on the WAN) and can block IP ranges by geolocation. pfB can also do ad-blocking really well. The OpenVPN server side of things works well, as does SNORT, which is a layer 7 packet inspection tool made by SourceFire (for anti-virus checking of all traffic amongst a lot of other things). I certainly won't be going back to an average consumer-grade router.
 
I haven't reached the limits of my ASUS router yet :) , but I have been thinking of messing about with an old computer and making it a pfsense box, the caching aspect of it interested me quite a bit. Not that I needed to save bandwidth, but the idea of optimising it certainly appealed.

The ASUS is a good bit of kit, but if I was downloading from USENET, streaming something, running OpenVPN and other things, CPU usage used to hit 90%+ regularly and I noticed some slowdown. Granted, I didn't get this with the Edgerouter Lite, but as I said before I wasn't a huge fan of the beta-like software and clunky interface. It's certainly not as polished as pfSense or the Ubiquiti Wifi kit.

I can see it's for very specific and advanced usage requirements. The AV part is a nice feature true, still doesn't stop your PC from scanning it again right?

No, you can still scan with PC. I mostly use Macs at home with no AV installed.

Any reason to buy those specialised hardware boxes instead of using an old PC? Other than compatibility and power saving?

Not really, it's easy enough to set up in a VM to have a play around with. I just wanted an appliance to plug and play and be done with it.
 
I much prefer Sophos. I ran an Asus AC88U and 66U a while back and got sick of the firmware issues (and constant exploits) and my Synology NAS being hacked all the time lol. Had a nightmare with Hikvision cameras and Asus gear - they can't get the minimap stuff right for some reason and magically Merlin fixes it. Problem is Merlin is always behind.

I didn't like the false reporting from the built-in Trendmicro engine - kept on throwing errors about my NAS after one of the latest firmwares.

Bought one of them BRASWELL cheapo NUCs with two REALTEK NICs. Intel NICs are better if running pfSense though. I preferred the BRASWELL NUC as it was far more powerful and as I wanted to run more than just a firewall.

I needed better protection for my NAS and Sophos Home version is an amazing free Firewall and lots more. pfSense is more configurable BUT the GUI in Sophos is just gorgeous. I can fully manage all my PCs (AV), got my network on sick lockdown all whilst using the AC88U as just a wireless access point. Been working spotless the past 6 months.

Sophos is a great product - try it - it'll easily run on them Chinese NUCs.

https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx

I've got FULL control over every single aspect of my network using Sophos - A/V fully managed, it's a great offering from Sophos - but the icing on the cake is the Web Server Protection. Not even been attempted once by a haxor since the web proxy has gone in place. Love it - took a bit of getting used to the GUI but take a look at this thread for more info on my experience:

http://smallnetbuilderforums.com/th...any-reason-to-change.35229/page-3#post-301417
 
Would an old Dell 390 with an i3 or i5 CPU and 8GB RAM make a good pfSense box?

I'm sure I read that if you want to use Snort with some good configs then you need a lot of RAM?
 
Overkill buddy. Whole point of these type of NUCs is to reduce power draw and noise, of which the Dell won't be able to compete.
 
It actually looks like the 390 has Realtek on the motherboard.

If I already owned such a PC I'd use it, at least for long term evaluation. Even if you have to add a couple of Intel NICs it's still a cheap option.

If I was looking to buy something to run pfsense I'd look elsewhere.
 
What about the Snort configs using RAM though?

If you wanted a NIDS/NIPS system going and some elaborate rules?
 
No. The hardware requirements are listed on the pfsense website.

Trying it out in a VM or on spare hardware makes a lot of sense.

I've been playing around, or trying to play around, with pfSense in a VM. I take it you still need two NICs for it to function properly? And that I should take my router off the network as pfSense will be taking over those functions?
 
I've been playing around, or trying to play around, with pfSense in a VM. I take it you still need two NICs for it to function properly? And that I should take my router off the network as pfSense will be taking over those functions?
You need more than 2 LAN ports if you want a VM on the machine without using the wireless; pfSense will use up 2 LAN and you need another to connect your computer that's running the VM to the switch.
 
I've a quad NIC card on my VM server so shouldn't be a problem. So I'd be hooking one of the ports to the WAN, one to my network switch (both for pfSense) and then a third one to allow the server itself to connect to the LAN?
 
Thought I'd locked myself out as I was reconfiguring the accounts on it, luckily I had SSH enabled and there's a list of configs to roll back to. Very neat.
 
When I built a pfSense box I did it around an ASRock J3355B-ITX 2DDR3(SOD)/2S3/GL M-ITX Motherboard, passively cooled Celeron dual core which ran pfSense well as it supported AES instructions. When fully configured with RAM and an SSD it consumed around 18w or so IIRC, max.

I did end up going back to a router tho.
 
Sophos is a great product

Sophos is terrible. We have Sophos on our firewall at work. It didn't catch some ransomware, which resulted in half of our networked drives being encrypted. It also doesn't detect some viruses. It oftentimes throws up false positives on cookies. It is a truly dire piece of software. It shouldn't be allowed to exist as it is next to useless - in fact it is probably worse than not using an anti-virus, as the user will be aware that they are not protected, but having Sophos gives the user a false sense of security, thinking he or she will be protected when in fact it offers very little protection.
 