pfSense vs Ubiquiti

Pretty sure I'm going to go down the pfsense route from reading other threads, but thought I'd check.

I have a NAS running 24/7 and can pass through the NIC to a VM.
I need OpenVPN support
Easy to configure (QoS, OpenVPN, traffic monitoring, etc!)
<£50 for the NIC.


EdgeRouter is also highly rated, but from the research I've done it is difficult to configure (RPi as a configuration host!?) and may have slow OpenVPN speeds.

WiFi is currently an RT-N66U, which I'll probably replace with a Ubiquiti AP.

Any thoughts?
 
pfSense won't be any simpler to configure than Ubiquiti stuff, but it probably gives you more control than what you need.

What is your definition of NIC? Usually that stands for Network Interface Card, which is basically a network card, but from your description it seems to be some kind of switch.

Are you looking to replace your RT or the switch (NIC in your reference)? A pfSense firewall will do the routing etc., but it usually consists of 2 ports, and if you want a switching function then you need a physical switch or some kind of virtual switch (as you have mentioned VM, which I assume is virtual machine).

I think I am understanding what your current setup is on a second read: your NAS is connected to a virtual machine through a PC's LAN port, which are all being managed by the RT-N66U?

You are basically looking to replace the RT-N66U with a more powerful router/firewall/edge that is capable of running OpenVPN and has wireless capability through a wireless Ubiquiti AP.
 
I've had both and settled on pfSense. Strangely, I found it easier than an ER-L.

If I understand correctly you're looking to run pfSense as a VM? Heed @pc-guy's warning about having enough NICs to pass through dedicated to the VM. Also, if your host is a NAS, I don't know if it has enough grunt to decrypt OpenVPN traffic at high speeds.
 
Sorry let me clarify.
Code:
Currently it is a SH2 -> RT-N66U --> Gigabit Switch --> Wired Devices
                                 --> Wireless Devices


The server is a Quad Intel Xeon E3-1230 v3, so more than enough grunt running UnRaid V6.
The server is also running a web server with the second motherboard NIC passed to the VM.

The NIC for Pfsense will probably be a Quad Port Intel Pro 1000VT again given to the VM via PCI passthrough.

I'm thinking:

Code:
SH2 <--> NIC Port 1 <--> PFsense (VM on my server) <--> NIC Port 2 <--> Gigabit Switch --> Rest of House.
                                                                   <--> NIC Port 3 <--> Web Server
                                                                   <--> NIC Port 4 <--> RT-N66U/UB AC AP Pro

The RT-N66U can do QoS, but not at the 200/20 speeds, and hence it is disabled to keep FastNAT enabled. In addition it does OpenVPN well, but only up to about 10 Mb/s. It also doesn't do very good port forwarding (can't specify a WAN IP range and hence I have to do it via the firewall on the web server).

However I'm unsure if I should use a dedicated device like the Asus has been, or integrate it into my server. I'd have to move the GPU which I use for Steam Streaming/Casual Mining or find a larger motherboard (or upgrade to Ryzen -> many £££!)

I have played with pfsense in a VM and it seems pretty solid, but I obviously didn't get it running properly!
 
Yes, run with pfSense on your server. I am considering buying a Xeon to have everything under one box, pretty much the same as your setup.

Out of interest, what is your server spec? I have 4 lots of 6TB NAS drives I want to slot in the server but am struggling to find anything reasonable that supports more than 4TB per channel.
 
X10SLL-F Motherboard, 16GB ECC DDR3L, AOC-SAS2LP-MV8 SAS card, 1TB Samsung EVO 850 as cache/VM drive.

All supports >4TB IIRC, however it is currently 1x WD Red Pro 4TB, 2x WD Red 4TB, 1x N300 4TB + 1 hot spare, 5x WD Green 2TB for about 22TB data, 4TB Parity (maybe add a second WD Red Pro for dual parity one day).

No throughput issues that I've seen, been pushing best part of 1.5GB/sec when parity checking/preclearing disks/etc.

More than enough for a home NAS!!
 
Nope! I mean 1.5GB/sec. The way UnRAID works means:

9 disks at 125MB/sec = 1.125GB/sec.
Two preclears at 200MB/sec each = 400MB/s
Total: 1.5GB/sec peak.

Uses about 20% CPU IIRC.
Holy crap! Why do you need such massive throughput?
Are you running your own data centre :)
 
I've been running PfSense in a VM for over a year now and can't recommend it enough. I would also recommend getting yourself a PfSense Gold Subscription, the book and vids help to get your head round it all. I'm now running it along with Snort, Squid, SquidGuard, OpenVPN Server & Client. All runs sweet.
 
Holy crap! Why do you need such massive throughput?
Are you running your own data centre :)

Nah, no!

That is just when running parity checks, just means the disk IO isn't bottlenecked :)

I'm limited to Gigabit otherwise (~118MB/sec is the best I've ever sustained), but rarely hit that unless backing up a new dump of photographs.
 
I've played about with pfSense in a VM myself but always baulked at the thought of my net access going down if my server crashed. From what I've read above, no one thinks this is an issue. Why?
 
Do you worry your router will go down? Your hypervisor hosting the VM is probably as likely to go down, so why worry? If it's a proper server it's designed to be more tolerant than a PC and shouldn't be going down.

For years I've had a spare router configured in the drawer in any case for such a situation.
 
Good point. But if your server goes down then it's more time consuming to get back up, as opposed to rebooting/replacing a router. If pfSense is handling all your networking then you may not (definitely not in my case) be able to remotely access the server to troubleshoot/start VMs, etc.

I'm just playing devil's advocate really!
 
Sure, I understand, although I'd say if something goes wrong then it's easier and quicker to fix a server than a router.
 
Nope! I mean 1.5GB/sec. The way UnRAID works means:

9 disks at 125MB/sec = 1.125GB/sec.
Two preclears at 200MB/sec each = 400MB/s
Total: 1.5GB/sec peak.

Uses about 20% CPU IIRC.

I can't fault your maths however that's not "the way unRaid works" - you're misrepresenting it. The throughput is impressive but not a metric the rest of the community uses.

Your parity checks run at 125MB/sec (assuming that's your slowest disk), whether you have 2 drives or 20. You preclear at 200MB/sec.

Back on topic.........grab an Intel NIC for best performance and compatibility. There are loads of DELL and HP NICs that are Intel rebrands and are often cheaper.

I've kept unRAID and pfSense on different machines. If the server goes down the wife will be annoyed. If the internet goes too.....I'm dead :( ;)
 
I can't fault your maths however that's not "the way unRaid works" - you're misrepresenting it. The throughput is impressive but not a metric the rest of the community uses.

Your parity checks run at 125MB/sec (assuming that's your slowest disk), whether you have 2 drives or 20. You preclear at 200MB/sec.

Back on topic.........grab an Intel NIC for best performance and compatibility. There are loads of DELL and HP NICs that are Intel rebrands and are often cheaper.

I've kept unRAID and pfSense on different machines. If the server goes down the wife will be annoyed. If the internet goes too.....I'm dead :( ;)

Fair enough - my point really was that I don't have any *disk controller* IO limitations ;)

Whilst my concern is also running pfsense on my server, it has had 100% uptime (bar me upgrading/tinkering/power cuts) in the last 4 years, so maybe it isn't an issue...

The NIC is relatively cheap so if it turns out to be a PITA then I'll do something else!
 
Definitely go with the Intel 1000PT quad or dual NIC. They are best supported by pfSense; there are no reported issues with these. Other brands such as Realtek/Broadcom have some problems. I have Realtek atm on my Zotac NUC, and it has issues with watchdog timeout. Apparently if I change some of the settings (I can't remember what they are now) it sorts them out. I have not had the issue so far, but I have not tried to replicate it either.

It is also another reason for me to buy a relatively cheap Xeon server to host pfSense/Plex/Veeam backup/torrent download.
 
I also had this debate in my head and settled on USG. Literally just ordered it now, arrives tomorrow.

I've got plenty of resource on servers for either a dedicated box or VM, but I just decided against pfSense to keep everything in one ecosystem. I have Sky fibre in my office and the servers are in my garage, so it just made sense to have the Sky router (modem) next to the USG in my office. I am hoping to remove the Sky kit entirely from my setup, and even if I did I still think my decision for the USG was right.

I might just be letting my OCD dictate my purchase, I want all the options available in UniFi so if that’s something you want then decision is made. If you just need a firewall and not already invested in ubiquiti then personally I would try pfSense to save money.
 