** The pfSense Users Thread **

Joined
1 Oct 2006
Posts
13,901
Couldn't find an "official" thread for pfSense conversations, well unless I necro the one from 2010...

Just built a new pfSense router out of a Dell 5070 Extended Wyse terminal with a quad port I340-T NIC for dual WAN, LAN and DMZ goodness.

What setups physical or virtual are people running?
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,901
Hey, I'm interested to hear about your pfSense setup. Physical or virtual? I'm going to be building a pfSense box next week based around an i3 6100T. Just waiting on the case to arrive!

My Edge Router Lite is not able to handle 100mbps with QoS on Virgin and I always wanted to have a go with pfSense!

I was previously running a PCEngines APU2C4 (AMD Geode GX-412, 4GB RAM, 3 NICs and an mSATA 32GB drive) but with all the grief I've been having with Virgin Media recently I wanted to get a backup WAN link via PlusNet FTTC so needed another NIC.

As above I'm now running 2.4.5 on a Dell Wyse 5070 Extended (Pentium Silver J5005, 4GB RAM, 120GB WD Green M2 SSD). Dual WAN in failover mode with VM as the primary (350MB, but will probably drop to 100MB) and ~30MB Plusnet FTTC connection.

LAN-wise I run one "clean" LAN for my server stuff, NAS, desktop. The other "DMZ" network is where I land wireless networks; they're split into two: one for phones, laptops and semi-trusted devices; the other is an IoT VLAN for anything I don't trust that needs Internet and nothing else. Nest, Alexa, that sort of thing.

LAN can see DMZ and Internet, certain DMZ hosts (my phone, laptop) can see some stuff on the LAN, and IoT can see nothing but the Internet.

The reason for choosing a thin client was power consumption: the APU drew about 6W in normal operation and the 5070 pulls about 15W, but with a PCIe NIC and an M2 SSD. Plus a lot more CPU grunt.

Give me a shout if you need a hand with any setup stuff, I've toyed with Virtual installations as well as I run one in my lab environment.
 
Associate
Joined
5 Dec 2002
Posts
1,772
Location
The 80's
Nice setup. I'm new to pfSense but use Checkpoint at work, and from what I read it's easy to get pfSense up and running. I'm planning on running two VLANs. VLAN 1 will be for my wired devices and VLAN 2 will be for wifi.

I picked up an empty Wincor Nixdorf "Beetle" case, which is a POS mini ITX case with a full height expansion slot, and it was pretty cheap so it will be going in that.

To be fair my Edge Router Lite has been great and QoS up to 60mbps has been no problem, but now VM upped the connection to 100mbps the ERL can't put the traffic through at 100mbps and caps out at 60mbps.

If I get stuck I'll certainly give you a shout and I'll add my build into the thread when the case arrives.
 
Associate
Joined
30 Apr 2014
Posts
339
Location
The Matrix
I have used a few different pfSense builds but the latest one is in a 4U PC rack case: i5-4690 CPU, Asus H81M-C Intel LGA 1150 DDR3 system board, 4 gig RAM, Kingston 240 gig SSD, BeQuiet fan and an Intel quad port I340-T4 NIC. I will have to set up a VLAN for the TV but that's it really. I have the pfSense router, modem and switch plugged into an APC Smart-UPS 750 VA. There is a MikroTik AP but that's turned off for months at a time.

Haha, edited this post because the system board I had put down was an AMD board. I bought two boards at the same time and copy pasted the wrong one over!
 
Associate
Joined
25 Jun 2004
Posts
1,276
Location
.sk.dkwop.
I've used various open-source firewall solutions; prefer OPNsense over pfSense. My primary firewall is a Ubiquiti Edge Router X SFP; I don't have a managed switch yet, considering it, but I do have an ESXi server. The server's running a few Ubuntu VMs with LXC containers in and a Kubernetes cluster which is sat behind a VM instance of a pfSense firewall. I segmented the traffic purely to be able to easily watch north-south dataflows and to be able to create VLAN segments within the host. It's a two-NIC box: eth0 is plumbed into my LAN and then eth1 is a trunk port. I created a virtual machine port group and tag VLAN 4095 into it. Then I create additional VM port groups as needed and bring up a new VLAN interface (optx) off eth1. Works really well in fairness.
 
Associate
Joined
7 Jan 2007
Posts
763
Custom 3470T 1155 build with pico PSU. Runs ESXi (previously had Proxmox) with pfSense as a VM.

Battled with the Virgin ping spike / packet loss issues last few months, but finally seem to have found a resolution. It also gave me a chance to try OPNsense (which is fine - but I'm more used to pfSense and prefer its traffic shaping capabilities).
 
Soldato
Joined
18 Oct 2002
Posts
3,515
Location
UK
Run mine on a little Chinese mitx fanless PC with 6 intel NICs. Celeron 3685U and 4Gb RAM. I don't run any fancy packages particularly and it copes fine running OpenVPN at my line speed (70MBps). I don't now, but have run a couple of WAN interfaces in failover mode before. As well as VPN client interfaces for three providers (PIA, Nord, Windscribe) I also have it set up as an OpenVPN server for remote access to my home LAN and it runs a couple of VLANs for IoT and a guest network with bandwidth limiting on. Rock solid and never missed a beat in the two years it's been up and running. I make use of policy based routing for a few geo restricted things and to ensure my download server only ever uses one of the VPN client interfaces.
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,901
I was running an Edgerouter ER-X before pf, and changed for pretty much exactly that reason. Still running Unifi APs and a ToughSwitch for PoE/DMZ side. Very cool kit, I think you'll like the change though.

Had a quick look at those cases, utilitarian! :D Looks like it'll do the job nicely, and the full height PCI slot is a nice touch too. Intel NIC going in there?
 
Associate
Joined
28 Jan 2020
Posts
75
Our pfSense / OpnSense server is now running on a J4105 based computer built for the task. Used various hardware to power it, last was a spare E3 V2 based rack server, that used 35W+ of power but decided to de-rack all my kit so had to switch pfSense into the custom built J4105. Looked at various other options (PC Engines, various Chinese things, Odroid H2) but this was the best for cost and reliability; the new system uses around 10W.

Also, unless you need pfBlocker, go with OpnSense; it's more stable. pfSense despite its age still has lots of annoying bugs and almost all are around the DNS resolver. Hopefully the 2.5 build should get rid of these annoying issues. We use pfSense as we need pfBlocker, but if we didn't we would use OpnSense as it works with 0 hassles.
 
Associate
Joined
3 Jun 2007
Posts
2,276
Location
Essex
I run pfSense on an old HP PC with the addition of a dual NIC card.


Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
Current: 3300 MHz, Max: 3301 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
8GB RAM
1TB HD

Been running for the last few years without many hiccups.

Run DuckDNS to access my internal dockers from Unraid using my own domain
pfBlocker for blocking nasties
OpenVPN connection that my Unraid server passes through.

Took me a while to get used to pfSense but it's much better than the crappy modem/router that Sky use.
 

RSR

Soldato
Joined
17 Aug 2006
Posts
9,547
I have mine in a VM at the moment (Xeon Silver 4110 @ 2 vCPUs), as it's a backup for my UDM-Pro, but I have been looking at the Netgate SG-3100/5100 at the moment.

I've got the following plugins for it:

pfBlocker
Advanced QoS - not a plugin, but it's a non-standard setup for my requirements.
Suricata
 
Don
Joined
19 May 2012
Posts
17,196
Location
Spalding, Lincolnshire
Currently on a 3rd iteration of our PFSense server at work:

Baremetal install on
HP DL360 G7
2x Xeon E5620 @ 2.4GHz - 16 Threads
24GB RAM
HP 560SFP+ 2 port 10Gb NIC (Intel Chipset)
HP NC365T 4 port 1Gb NIC (Intel Chipset)
2 x Direct Attach 10Gb cables
2x Draytek Vigor 130 Modems

Presently routing between our local LAN subnet and head office's MPLS
Splitting internet traffic between our poor MPLS connection (20Mb) and 2 VDSL connections (40Mb each), as well as using Limiters and Queues to fairly distribute (e.g. so if 2 people download on the MPLS they get 10MB each)


Also have a duplicate unit with the same NICs etc. sat below it as a cold spare, and for testing updates etc.
 
Associate
Joined
5 Dec 2002
Posts
1,772
Location
The 80's
Put the hardware together today for my pfSense build. Tonight I will go about having a crack at setting it up when the kids are in bed. Yeah, I stuck a Supermicro AOC-SG-i4 NIC card in it.

Specs are
Intel i3 6100T
Asus Mini ITX motherboard
16GB 2600MHz DDR4 Corsair stick (only stick I had lying around, will pull this out when I get a cheaper 8 gig stick)
Supermicro AOC-SG-i4 4 port NIC
200watt FSP Power Supply
Wincor Nixdorf "Beetle" Case

 
Associate
Joined
30 Apr 2014
Posts
339
Location
The Matrix
I was interested by your Dell WYSE 5070 Extended so I picked up one, like brand new, on the bay: 8 gig RAM and a 32 gig M.2 drive that I have replaced with a Samsung 860 Evo M.2. It had a graphics card that I removed and put in the same NIC I had as a spare (Intel I340-T4 Quad). I have not added my config yet, I have been busy, but I have installed pfSense and it boots up quite fast. I will report back at some point, maybe with some photos!
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,901
That's neat! Plenty of space in that case to work, could probably even get an AIO or a passive cooler in there if you had some airflow and an undervolt. How are you finding PF?

Oh sweet, glad you like it. Did you have any issues getting things up and running? I had a couple (which were fairly easy to overcome):
  • PCIe NIC shorted out on the case, needed to bend a bit of the card cage out of the way to stop it shorting on the solder pins of the NIC.
  • PF kept throwing some weird errors about the MMC controller timing out. I initially installed on it, but it kept hanging on boot (would get there eventually) but didn't feel comfortable putting it to work with that on the go. I did see some other posts on the BSD and Netgate forums about other MMC controllers and Netgate Xeon-D appliances doing this, but no confirmed resolution I could see.
All in all though, really pleased with it. Those Pentium J5005 chips are very capable, doesn't sweat VPN at all. Currently running dual WAN and a VPN tunnel out for policy based routing, and it's barely breaking a sweat.
 
Associate
Joined
30 Apr 2014
Posts
339
Location
The Matrix
It worked fine, no problems; made a backup of my other config and updated the new one fine. Seems OK, runs a little bit hotter than my old setup.
 