** The pfSense Users Thread **

Joined
1 Oct 2006
Posts
13,900
Couldn't find an "official" thread for pfSense conversations, well unless I necro the one from 2010...

Just built a new pfSense router out of a Dell 5070 Extended Wyse terminal with a quad port I340-T NIC for dual WAN, LAN and DMZ goodness.

What setups physical or virtual are people running?
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,900
Hey, I'm interested to hear about your pfSense setup. Physical or virtual? I'm going to be building a pfSense box next week based around an i3 6100T. Just waiting on the case to arrive!

My edge router lite is not about to handle 100mbps with QOS on virgin and always wanted to have a go with pfsense!

I was previously running a PCEngines APU2C4 (AMD Geode GX-412, 4GB RAM, 3 NICs and an mSATA 32GB drive) but with all the grief I've been having with Virgin Media recently I wanted to get a backup WAN link via PlusNet FTTC so needed another NIC.

As above I'm now running 2.4.5 on a Dell Wyse 5070 Extended (Pentium Silver J5005, 4GB RAM, 120GB WD Green M2 SSD). Dual WAN in failover mode with VM as the primary (350MB, but will probably drop to 100MB) and ~30MB Plusnet FTTC connection.

LANs wise I run one "clean" LAN for my server stuff, NAS, desktop. The other "DMZ" network is where I land wireless networks, they're split into two: 1 for phones, laptops and semi-trusted devices; the other is an IoT VLAN for anything I don't trust that needs Internet and nothing else. Nest, Alexa that sort of thing.

LAN can see DMZ and Internet, certain DMZ hosts (my phone, laptop) can see some stuff on the LAN, and IoT can see nothing but the Internet.

The reason for choosing a thin client was power consumption: the APU drew about 6w in normal operation and the 5070 pulls about 15w, but with a PCIe NIC and an M2 SSD. Plus a lot more CPU grunt.

Give me a shout if you need a hand with any setup stuff, I've toyed with Virtual installations as well as I run one in my lab environment.
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,900
Nice setup. I'm new to pfSense but use Checkpoint at work, and from what I read it's easy to get pfSense up and running. I'm planning on running two VLANs. VLAN 1 will be for my wired devices and VLAN 2 will be for wifi.

I picked up an empty Wincor Nixdorf "Beetle" case which is a POS mini itx case with a full height Expansion slot and it was pretty cheap so it will be going in that.

To be fair my edge router light has been great and QOS up to 60mbps has been no problem, but now VM upped the connection to 100mbps the ERL can't put the traffic through at 100mbps and caps out at 60mbps.

If I get stuck I'll certainly give you a shout and I'll add my build into the thread when the case arrives.

I was running an Edgerouter ER-X before pf, and changed for pretty much exactly that reason. Still running Unifi APs and a ToughSwitch for PoE/DMZ side. Very cool kit, I think you'll like the change though.

Had a quick look at those cases, utilitarian! :D Looks like it'll do the job nicely, and the full height PCI slot is a nice touch too. Intel NIC going in there?
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,900
Put the hardware together today for my pfSense build. Tonight I will go about having a crack at setting it up when the kids are in bed. Yeah, I stuck a Supermicro AOC-SG-i4 NIC card in it.

Specs are
Intel i3 6100t
Asus Mini ITX motherboard
16gb 2600mhz DDR4 Corsair Stick (only stick I had lying around, will pull this out when I get a cheaper 8 gig stick)
Supermicro AOC-SG-i4 4 port NIC
200watt FSP Power Supply
Wincor Nixdorf "Beetle" Case

That's neat! Plenty of space in that case to work, could probably even get an AIO or a passive cooler in there if you had some airflow and an undervolt. How are you finding PF?

I was interested by your Dell Wyse 5070 Extended, so I picked up one like brand new on the bay: 8 gig RAM and a 32 gig M.2 drive that I have replaced with a Samsung 860 Evo M.2. It had a graphics card that I removed and put in the same NIC I had as a spare (Intel I340-T4 Quad). I have not added my config yet, I have been busy, but I have installed pfSense and it boots up quite fast. I will report back at some point, maybe with some photos!

Oh sweet, glad you like it. Did you have any issues getting things up and running? I had a couple (which were fairly easy to overcome):
  • PCIe NIC shorted out on the case, needed to bend a bit of the card cage out of the way to stop it shorting on the solder pins of the NIC.
  • PF kept throwing some weird errors about the MMC controller timing out. I initially installed on it, but it kept hanging on boot (would get there eventually) but didn't feel comfortable putting it to work with that on the go. I did see some other posts on the BSD and Netgate forums about other MMC controllers and Netgate Xeon-D appliances doing this, but no confirmed resolution I could see.
All in all though, really pleased with it. Those Pentium J5005 chips are very capable, doesn't sweat VPN at all. Currently running dual WAN and a VPN tunnel out for policy based routing, and it's barely breaking a sweat.
 
Soldato
OP
Joined
1 Oct 2006
Posts
13,900
I get guest network. But IoT, aren't you just making it prone to be hacked and taken over as part of a botnet or worse? Many IoT now are cameras, doorbells etc. etc. I would think the privacy concern is a greater problem?

IoT is a VLAN on the DMZ network that only has the ability to see the Internet outbound and nothing else. No UPnP, no port forwarding, nuffin. There is no way to initiate an inbound connection, the IoT devices need to dial out.
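
Added example, not code from any post in this thread: a small model of how pfSense evaluates rules (on the interface where a new connection enters, top down, first match wins, default deny), used to check a ruleset against the LAN / DMZ / IoT reachability described above. All subnets, host addresses and names are constructed assumptions; the thread does not give them.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed addressing: the thread gives no subnets or host addresses.
LAN, DMZ, IOT = net("192.168.10.0/24"), net("192.168.20.0/24"), net("192.168.30.0/24")
PRIVATE = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
ANY = [net("0.0.0.0/0")]
PHONE = net("192.168.20.10/32")   # hypothetical trusted DMZ host
NAS = net("192.168.10.5/32")      # hypothetical LAN server

# Rules per ingress interface as (action, sources, destinations); first match wins.
RULES = {
    "LAN": [("pass", [LAN], ANY)],
    "DMZ": [("pass", [PHONE], [NAS]),
            ("block", [DMZ], PRIVATE),
            ("pass", [DMZ], ANY)],
    "IOT": [("block", [IOT], PRIVATE),   # must sit above the pass rule
            ("pass", [IOT], ANY)],
    "WAN": [],                           # no port forwards, nothing inbound
}
# The common mistake: "Internet only" written as a lone pass-to-any rule.
NAIVE = dict(RULES, IOT=[("pass", [IOT], ANY)])

def decide(iface, src, dst, rules=RULES):
    """Return the action for a new connection entering on iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in rules.get(iface, []):
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "block"  # implicit default deny when nothing matches

# Reachability the posts describe, as (interface, source, destination, expected).
EXPECTED = [
    ("LAN", "192.168.10.20", "192.168.20.50", "pass"),   # LAN -> DMZ
    ("LAN", "192.168.10.20", "198.51.100.1", "pass"),    # LAN -> Internet
    ("DMZ", "192.168.20.10", "192.168.10.5", "pass"),    # trusted DMZ host -> LAN
    ("DMZ", "192.168.20.99", "192.168.10.5", "block"),   # other DMZ host -> LAN
    ("IOT", "192.168.30.20", "192.168.10.5", "block"),   # IoT -> LAN
    ("IOT", "192.168.30.20", "192.168.20.10", "block"),  # IoT -> DMZ
    ("IOT", "192.168.30.20", "198.51.100.1", "pass"),    # IoT -> Internet
    ("WAN", "203.0.113.7", "192.168.30.20", "block"),    # unsolicited inbound
]

def audit(rules):
    """List the flows whose outcome differs from the described policy."""
    return [(i, s, d) for i, s, d, want in EXPECTED if decide(i, s, d, rules) != want]
```

`audit(RULES)` comes back empty, while `audit(NAIVE)` reports the two IoT flows into LAN and DMZ that a lone pass-to-any rule lets through.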
 