
Building a decent PC for VPN - Is this any good ?


BarQ

Occasional Visitor
Hi All,

I have issues with VPN speeds as many people on the forum do and yes I have tried switching to different countries but it doesn't work very well unfortunately as well as buying another router and all those “VPN” advertised routers are crap because they have crappy processors and even if I get something from higher shelf I won't get the speeds that I want.

I need to squeeze 50 Mbps Download and 9 - 10 Mbps upload which is my current speeds without VPN active. When I activate VPN on my current router, I can't get more than 10Mbps which is a crappy speed when multiple people want to use the internet simultaneously. Such example would be two people downloading 60 GB game at decent speeds, two browsing the internet and one streaming Full HD movies on Netflix, all that needs to be handled simultaneously which current router can't handle and in addition to that limits the speed.

So, I have decided to spend £400 - £500 to get a PC and set it up as Router with pFsense which will handle everything and squeeze the speeds to maximum. However, in this case what I worry about is selecting the wrong CPU which might be too weak to handle OpenVPN encryption so very strong processor is a must. I was wondering if someone could give me a hand in building such PC ? I don't ask or expect to spoon feed me but help with my build that I have currently put together.

The current build is:

CPU: AMD - Ryzen 5 1400 3.2GHz Quad-Core Processor (£131.94 @ Aria PC)

Motherboard: MSI - B350 TOMAHAWK ATX AM4 Motherboard (£94.35 @ Ebuyer)

Memory: Kingston - FURY 4GB (1 x 4GB) DDR4-2400 Memory (£45.48 @ Ebuyer)

Storage: Kingston - A400 120GB 2.5" Solid State Drive (£43.52 @ More Computers)

Case: BitFenix - Nova ATX Mid Tower Case (£21.95 @ Overclockers.co.uk)

Power Supply: Corsair - VS 450W ATX Power Supply (£44.79 @ Alza)

Total: £382.03

I don't need GPU as I have a crappy MSI Radeon R7 240 somewhere which I can use for this build.

My doubts about the build:

Mobo - I'm not really sure if I will be able to get 3 Nic's on it (DSL,Wi-Fi and LAN).

Processor - I feel like I could go with something less powerful but I'm not sure how powerful it should be.

RAM - I think that 4GB of Ram should be enough but I'm not really sure.

PSU - I think I could do with more quiet and less powerful PSU and when it comes to noise comparison, I have old PC with Corsair CX430 and that PSU is so loud.

Case - I think that I could do with a better case which is less noisy and smaller then the one I have selected.

In this build I need something very quiet which will make no noise at all or close to it as the build will be run 24/7 behind sofa in my living room as well as it needs to use low energy as I don't want to spend hundreds of pounds per month for the bill.

P.S I have tried to build a Micro ATX, Micro ITX but they don't have that many PCI Express ports which I need for Wi-Fi, DSL and LAN NIC's.

Any take on my current build ?
 
If it was me, and the speeds you have, there is no way I would spend that and chose those parts. I built my own pfsense router.

First off, stick to INTEL for CPU and NIC

Choose a chip that supports AES-NI, only Intel will do. I run a Pentium G4400 and it's plenty. It's running Snort and pfblockerNG and has three VPN's running downloading/uploading at full speed (100/20), CPU is at 8%.

For NIC choose something like an INTEL I350 dual or quad card, off ebay, they are cheap. Don't get an IBM one as they mostly run custom firmware and you may run into issues. (you can always add a switch later if you need more ports) I would not use the MOBO onboard NIC's as the INTEL server stuff is bomb proof.

PSU, choose one that runs without a fan unless under high load (like corsair RM series)

RAM: I run 4gb and ticks over at 20% so I think you will be fine

Case: Your choice

Motherboard: Basic board, nothing fancy required, just as long as the RAM and CPU are compatible and has a PCI slot for the NIC

Mine is in the living room and cannot be heard. It's a M-ITX. For WIFI I use 3 Linksys LAPAC1750 AP's connected through a managed switch with multiple VLAN's

It's totally silent, runs 24/7 and my wife is happy, which is always a winning combination! ;)
 

Just out of curiosity, how much have you paid for your box and how much power does it consume ?
I see, I will put another build tomorrow and if you could take a look that would be great.
Do you use Modem + PfSense or do you use NIC for PfSense ? Would there be any security implications with using Modem built into PfSense in a way that it's less secure as I understand that you connect PfSense directly to the internet where separate modem must have some kind of firewall and connecting PfSense to it is more secure ?
 
The build was about £175. I have no idea what the box consumes but it's negligible (otherwise Mrs Fingers would be on the rampage! o_O)

No I use a Draytek 130 modem. I made a typo in last post, my speed is 80/20 VDSL line
 

I don't know how you have built it for £175 as looking for the prices right now, the processor itself is around £50. I have looked up the prices for the NIC's you have and damn, they are so expensive.

When it comes to security, how do you make sure that your family for example don't spread viruses between each other or don't get infected with random crap as I know that many people click and install loads of crap on their computers.

I use 3 Linksys LAPAC1750 AP's connected through a managed switch with multiple VLAN's

I'm interested in some VLAN's over LAN and Wi-Fi myself as long as they are not that expensive. Where should I look for good guidance and equipment if you have any recommendations ?
 
You use a good home security suite together with Snort monitoring the LAN side and pfblockerNG for other nasties.

All my kit was used from ebay and other forums.

VLAN's running multiple networks with network isolation will stop risky users or devices from doing damage.

Nothing is cheap running VLAN's over wifi, as most domestic kit doesn't support it so you need to look at business stuff. I don't know your needs but some consumer mesh kits now offer a simple 'Guest' network, so that may be enough for your needs.
 

wow, you have a hell of a setup right there, do you mind if I ask you how much did you spend on setting everything up ? I know that pFsense requires some learning curve. Ahh and when you have set-up everything that you do have now, did you just "Set it up and let it run until some hardware breaks and it needs re-configuration" or are there any check-ups from time to time on it ?

Do you run any Anti-Virus software on your pFsense ?

Sorry for so many questions but I don't have much knowledge in this area with pFsense as far as my knowledge goes I have only played around with DD-WRT.
 
When you need to configure something you just log in via GUI like any other router. Not sure what you mean regarding anti virus on pfsense? Pfsense by default is a firewall that blocks all traffic. It's up to you what you open up.
I've not had any issues with hardware failure, should it happen, I will swap out the offending item.
 
All my kit was used from ebay and other forums.

Weren't you scared of used parts etc ? Buying used equipment for network especially ?

Also, I have decided to loosen up my budget a little bit as I see that I also need to get more equipment to get it working. So when it comes to managed switches which support VLAN's are there any cheap ones and quiet ones ?

I'm asking because usually managed switches are loud as Jet Engines and people hide them in basements, room servers etc. How did you set-up your managed switch in terms of it's placements and loudness ?

Also, to have a WI-FI guest network, do I need to dedicate a separate Access Point or can I use something called Virtual Interface for it ?

So when it comes to my build, I have lurked around eBay to see if I can get some super microscopic PC box which I could open and add NIC and I found Beelink S1 mini PC for £242.99 except that it doesn't have expansion port ... what a shame, if you can run WoW, CS:GO etc on it then it would be perfect for my task but that lack of expansion port .... and most of those computers comes from China, hmmm ...

So, here's my new build that I have tried to put together:

CPU: Intel - Pentium G4400 3.3GHz Dual-Core Processor (£47.23 @ Box Limited)
Motherboard: Gigabyte - GA-H110N Mini ITX LGA1151 Motherboard (£69.65 @ Novatech)
Memory: Crucial - 4GB (1 x 4GB) DDR4-2133 Memory (£41.15 @ Novatech)
Storage: Kingston - A400 120GB 2.5" Solid State Drive (£43.16 @ More Computers)
Case: Cooler Master - Elite 110 Mini ITX Tower Case (£39.61 @ Box Limited)
Total: £240.80

However, I have a couple of issues, most of the M-ITX cases has PCI Express x16 slot and when I have tried to find any NIC's for it, I couldn't find anything as most of them were PCI-Express x1 ,x4 or x8. Then the Power Supply is missing from the list above as I couldn't find anything fan-less and finally, I'm not sure if the selected ram which is DDR4-2133 Mhz is fast enough ? It feels like building full sized ATX would be much easier but I need something compact and quiet ...

Any take on the build above ?
 
a lot of wrong things mentioned here. Firstly with ryzen b350 chipset, i only consider the TUF or strix from asus because of VRAM + Cooling and better bios/memory support.
2ndly, AMD CPUs do have AES-NI. When it comes to instruction support, AMD usually is slower to implement them and may use different names but intel and AMD have the exact same extensions. So when picking between intel/AMD you have to check the extra instructions. Intel low end CPUs like may even lack the good extras.
3rdly, performance of VPN on any CPU is highly dependent on VPN type and encryption used.
4th, When it comes to pfsense or linux routers, intel NICs are the best. My ryzen board comes with intel NIC and non realtek audio. However since you need 2 NICs, getting 2nd hand intel server NICs work well. It doesn't matter what CPU you use as long as the architecture, busses and choice of NICs are good it will work very well. This intel CPU bias has to stop. It's the NICs that you need from intel, not the CPU/platform.

For instance, it is said that all AMD CPUs support ECC ram while only intel xeons do. This is another major factor too. Say you want a PC to handle 10Gb/s routing, you can grab a 1st gen 6 core iseries xeon and consumer board. add the intel NICs and ECC ram, and tune/overclock it to make it very capable of multi 10Gb/s while also supporting the VPN speeds you need (only the 45nm full core intels come with AES-NI and the lga1366 platform allows cache to be overclocked which improves throughput other than overclocking the ram + CPU too).

I myself have a commercial game server that runs on the lga1366 finely tuned with intel NIC. Not only is it very resource efficient, but i run into issues in simulations where clients can't keep up with the server. So new or old doesn't matter. I even have an amd phenom ii as my file server and it serves 3 live encoded 1080p streams on plex with a bit of CPU to spare and uses software RAID 5.

So you don't need a very pricey PC for your linux routing needs. With VPN throughputs of lower than 100Mb/s, there are many tiny PCs made for these router duties for low price points. As long as the NICs are intel, and the CPU has AES-NI you're good to go. Some newer CPUs have hardware acceleration for SSL too but those are good for servers.
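
An added example, not written by any poster in this thread: whether a given CPU has AES-NI can be read from its feature flags rather than inferred from the vendor name. The sketch below parses the CPU feature lines that FreeBSD-based systems such as pfSense print in their boot messages and the `flags` line of Linux's `/proc/cpuinfo`, and reports AES-NI plus PCLMULQDQ, the carry-less multiply instruction that accelerates the GHASH part of AES-GCM. The sample texts, hex values and function names are constructed for illustration.

```python
import re

# Constructed samples (not captured from any machine mentioned in this thread).
# FreeBSD-style boot messages: one "Features...=0x<hex><NAME,NAME,...>" line per CPUID leaf.
FREEBSD_WITH_AES = """\
CPU: Example Router CPU (3300.00-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,CMOV,MMX,FXSR,SSE,SSE2>
  Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,RDRAND>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
"""

FREEBSD_WITHOUT_AES = """\
CPU: Example Older CPU (3000.00-MHz K8-class CPU)
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,CMOV,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x802009<SSE3,MON,CX16,POPCNT>
"""

# Linux reports the same CPUID bits under different names ("aes" instead of "AESNI").
LINUX_WITH_AES = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr sse sse2 ssse3 pclmulqdq sse4_1 sse4_2 popcnt aes xsave avx\n"
)

_FREEBSD_LINE = re.compile(r"^\s*[\w .-]*Features\d*=0x[0-9a-fA-F]+<([^>]*)>")
_LINUX_LINE = re.compile(r"^flags\s*:\s*(.*)$")
_ALIASES = {"aes": "aesni"}  # normalise the Linux name to the FreeBSD one


def cpu_features(text):
    """Return the set of lower-cased CPU feature names found in either format."""
    features = set()
    for line in text.splitlines():
        match = _FREEBSD_LINE.match(line)
        if match:
            names = match.group(1).split(",")
        else:
            match = _LINUX_LINE.match(line)
            if not match:
                continue
            names = match.group(1).split()
        for name in names:
            name = name.strip().lower()
            if name:
                features.add(_ALIASES.get(name, name))
    return features


def crypto_report(text):
    """Summarise the instruction-set support relevant to AES-based VPN ciphers."""
    features = cpu_features(text)
    aesni = "aesni" in features
    clmul = "pclmulqdq" in features
    return {
        "aesni": aesni,                     # AES rounds in hardware (CBC and GCM)
        "pclmulqdq": clmul,                 # carry-less multiply, used for GHASH
        "aes_gcm_offload": aesni and clmul, # both parts of AES-GCM accelerated
    }


if __name__ == "__main__":
    for label, sample in [
        ("FreeBSD sample with AES-NI", FREEBSD_WITH_AES),
        ("FreeBSD sample without AES-NI", FREEBSD_WITHOUT_AES),
        ("Linux sample with AES-NI", LINUX_WITH_AES),
    ]:
        print(label, crypto_report(sample))
```
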
 
I'm asking because usually managed switches are loud as Jet Engines and people hide them in basements, room servers etc. How did you set-up your managed switch in terms of it's placements and loudness ?


I have a 16 port managed switch sitting 10 feet across the room from me now and have NEVER heard one single noise from it. It sits right under my TV on a shelf in my entertainment center and I live in a small studio apartment. I have another 8 port managed switch that I was using before my current switch and it never made a single noise. The managed switch in our network closet at work, it doesn't make any noise either...

Makes me wonder what you're talking about here :confused:
 
So, here's my new build that I have tried to put together:

While I have a NetGate device personally, your price list isn't too far off of what I spent putting a Zotac box together and I put a 750G HD in mine to use as a linux machine so I could get used to working with linux.

https://www.zotac.com/us/product/mini_pcs/ci327-nano

Get 4G of DDR3 and a 32G 2.5SSD. This would work just fine to run pfSense and run it well;)
 
a lot of wrong things mentioned here. Firstly with ryzen b350 chipset, i only consider the TUF or strix from asus because of VRAM + Cooling and better bios/memory support.
2ndly, AMD CPUs do have AES-NI. When it comes to instruction support, AMD usually is slower to implement them and may use different names but intel and AMD have the exact same extensions. So when picking between intel/AMD you have to check the extra instructions. Intel low end CPUs like may even lack the good extras.
3rdly, performance of VPN on any CPU is highly dependent on VPN type and encryption used.
4th, When it comes to pfsense or linux routers, intel NICs are the best. My ryzen board comes with intel NIC and non realtek audio. However since you need 2 NICs, getting 2nd hand intel server NICs work well. It doesn't matter what CPU you use as long as the architecture, busses and choice of NICs are good it will work very well. This intel CPU bias has to stop. It's the NICs that you need from intel, not the CPU/platform.

For instance, it is said that all AMD CPUs support ECC ram while only intel xeons do. This is another major factor too. Say you want a PC to handle 10Gb/s routing, you can grab a 1st gen 6 core iseries xeon and consumer board. add the intel NICs and ECC ram, and tune/overclock it to make it very capable of multi 10Gb/s while also supporting the VPN speeds you need (only the 45nm full core intels come with AES-NI and the lga1366 platform allows cache to be overclocked which improves throughput other than overclocking the ram + CPU too).

I myself have a commercial game server that runs on the lga1366 finely tuned with intel NIC. Not only is it very resource efficient, but i run into issues in simulations where clients can't keep up with the server. So new or old doesn't matter. I even have an amd phenom ii as my file server and it serves 3 live encoded 1080p streams on plex with a bit of CPU to spare and uses software RAID 5.

So you don't need a very pricey PC for your linux routing needs. With VPN throughputs of lower than 100Mb/s, there are many tiny PCs made for these router duties for low price points. As long as the NICs are intel, and the CPU has AES-NI you're good to go. Some newer CPUs have hardware acceleration for SSL too but those are good for servers.

I have checked my available options and it looks like I just need one NIC.
When it comes to hardware for a router, I currently have old PC which is collecting dust and has the following specs:

Motherboard: ASUS M4A88T-M uATX Form Factor (9.6 inch x 9.6 inch ( 24.4 cm x 24.4 cm ))
Processor: AMD Athlon x2 250
RAM: 2GB DDR3
HDD: 300 GB
PSU: Corsair CX430

Do you think this computer would be suitable for the mentioned purpose ? In top of that I would need to get a smaller case, SSD [HDD is loud as hell] and some new PSU as the one now in the case is very loud so for comparison, the Athlon CPU Fan is quiet compared to the power supply. Do you think that should invest in it, if it has the right specs ? I would probably spent less on upgrading this computer than buying a new one. Ideally I would want something really small.


With VPN throughputs of lower than 100Mb/s, there are many tiny PCs made for these router duties for low price points. As long as the NICs are intel, and the CPU has AES-NI you're good to go.

Do you mind pointing in the right direction ? I would prefer to have something small with Ethernet NIC for my router but the only mini pc's I could found was stuff like Beelink S1 and other Chinese variants.


I have a 16 port managed switch sitting 10 feet across the room from me now and have NEVER heard one single noise from it. It sits right under my TV on a shelf in my entertainment center and I live in a small studio apartment. I have another 8 port managed switch that I was using before my current switch and it never made a single noise. The managed switch in our network closet at work, it doesn't make any noise either...

Makes me wonder what you're talking about here :confused:

Sorry, maybe I have confused it with the actual servers.
When it comes down to pfSense and VLAN's, is managed switch required to create a VLAN's in pFsense or can I create them without managed switch ?


While I have a NetGate device personally, your price list isn't too far off of what I spent putting a Zotac box together and I put a 750G HD in mine to use as a linux machine so I could get used to working with linux.

https://www.zotac.com/us/product/mini_pcs/ci327-nano

Get 4G of DDR3 and a 32G 2.5SSD. This would work just fine to run pfSense and run it well;)

Are you sure it will support VPN and its encryption very well ? It looks like it has only one core which shows that it has extremely low power. My current router has some Atheros CPU with if I remember correctly 900 or 1Ghz speed and I'm only getting around 10 Mbps download, maybe a little bit more if I'm lucky. Also, the mentioned Zotac Mini PC is not available in my region.

I'm not looking into spending another few hundreds pounds just to find out that the processor again as in my router case is limiting my internet speed so I need to be 100% sure as I will be spending big bucks on buying the right equipment not to mention the learning curve I would need to spend on learning.
 
is managed switch required to create a VLAN's in pFsense or can I create them without managed switch ?
PFsense supports VLAN tagging.

Are you sure it will support VPN and its encryption very well
I actually linked the wrong one, I should have given you a link to the C1527. I've read quite a few posts on the internet where people have set these boxes up to be PFsense routers and they are highly recommended for the purpose. My Zbox is a Linux machine and from what I've seen with it I can see why so many people like them for PFsense, and as soon as my dad is ready to tinker again (he just had open heart surgery a few weeks ago) I fully intend on installing PFsense on this Zbox and sending it to him to play with.

It looks like it has only one core
Regardless to it being the wrong link that box if you look at the specs has a quad core CPU.

My current router has some Atheros CPU with if I remember correctly 900 or 1Ghz speed and I'm only getting around 10 Mbps download
I'm currently using a NetGate Sg2220, it has a Intel(R) Atom(TM) CPU C2338 @ 1.74GHz. I have a VPN set up on that gateway and my speed tests get 110 - 111 Mbps down and 10 - 12 Mbps up, with 4 tabs open in the browser, while the speed test is running the CPU hits roughly 50% usage, during normal usage it typically runs around 10%. I'm not running anything else in my setup at the moment, though I have been toying with the idea of running PFblockerNG and maybe snort.

Also, the mentioned Zotac Mini PC is not available in my region.
I got mine from Amazon, if you looked around I would think you could find a Zbox even in the EU. And the price should be comparable to what you would spend trying to find all the parts and pieces to cobble one together out of a full sized PC that's going to take up more room and have comparable performance.

One thing in closing, I agree with an earlier post that suggests you stick with Intel at least as far as the NICs are concerned. PFsense uses the AES-NI encryption set. There are workarounds for non-Intel hardware, but you're looking at monitoring and maintaining those workarounds, which could become an issue on any given update in the future.

Good Luck :cool:
 
I have checked my available options and it looks like I just need one NIC.
When it comes to hardware for a router, I currently have old PC which is collecting dust and has the following specs:

Motherboard: ASUS M4A88T-M uATX Form Factor (9.6 inch x 9.6 inch ( 24.4 cm x 24.4 cm ))
Processor: AMD Athlon x2 250
RAM: 2GB DDR3
HDD: 300 GB
PSU: Corsair CX430

Do you think this computer would be suitable for the mentioned purpose ? In top of that I would need to get a smaller case, SSD [HDD is loud as hell] and some new PSU as the one now in the case is very loud so for comparison, the Athlon CPU Fan is quiet compared to the power supply. Do you think that should invest in it, if it has the right specs ? I would probably spent less on upgrading this computer than buying a new one. Ideally I would want something really small.




Do you mind pointing in the right direction ? I would prefer to have something small with Ethernet NIC for my router but the only mini pc's I could found was stuff like Beelink S1 and other Chinese variants.
You can use it, it'd definitely achieve 100Mb/s VPN speeds. For instance my phenom ii can do more than 1Gb/s of SSL (no hardware acceleration) and that's more taxing.

1 NIC is required for a VPN server that's below 1Gb/s but the reason to use intel NICs are driver support, virtualisation support and less CPU load (hardware offloads). Intel NICs are transparent so they offer lower overheads than mellanox that is basically a black box as far as the chips are concerned.

Many 2nd hand intel server NICs roam cheaply.
 
PFsense supports VLAN tagging.

What I worry about is that because I don't use manage switch, that there is a possibility of VLAN Hopping if it's only supported by software (PfSense itself).

I actually linked the wrong one I should have given you a link to the C1527.

Is it C1527 or CI527 Nano ? When I looked around for C1527 I couldn't find anything and Google suggested CI527 Nano which has Intel Core i3-7100U, dual core 2.4 GHz.

I got mine from Amazon, if you looked around I would think you could find a Zbox even in the EU.

Yeah, I find all those boxes on Amazon but mainly Amazon displays
"This item has not yet been released. You may pre-order it now and we will deliver it to you when it arrives." Like what ? This was released a long time ago and is not available ? o_O ... Now when they say that it will be delivered to me when it arrives which means:

A) Do I buy it, they order it and send it from US to the region where I live ?
B) Do I buy it, then wait when it will be available in my region then I will get it ?

I'm confused o_O

And the price should be comparable to what you would spend trying to find all the parts and pieces to cobble one together out of a full sized PC that's going to take up more room and have comparable performance.
Yeah, buying this box will be definitely worth in the long run. Does your have any fans and runs 24/7 too ? What I worry about is also not burning down my house so I was wondering if I could get some sort of device which might prevent that like cutting the power off etc.

Also, if you need to turn off PfSense, can you just unplug it from the wall socket or press down a power button to shut it down properly ?

I'm currently using a NetGate Sg2220, it has a Intel(R) Atom(TM) CPU C2338 @ 1.74GHz. I have a VPN set up on that gateway

So you have set-up that NetGate device as Gateway which is or acts as a router ?
 
What I worry about is that because I don't use manage switch, that there is a possibility of VLAN Hopping if it's only supported by software (PfSense itself).

If it gets past on an un-managed switch VLAN hopping best chances are it can also get past on a managed switch too, VLAN Hopping is VLAN hopping regardless.

E.T.D.s (electronically transmitted diseases/ie viruses/malware) are like that.

Is it C1527 or CI527 Nano ?

They're the same thing...

A) Do I buy it, they order it and send it from US to the region where I live ?
B) Do I buy it, then wait when it will be available in my region then I will get it ?

I'm confused

I can not answer that question, I live in the U.S. so availability usually isn't an issue for me. I've also seen them on NewEgg as well. It's a made in China surely someone in your region carries them?

Does your have any fans and runs 24/7 too ?

No the Zotac mini-PCs are passively cooled, no fans. I have several such devices in service and never have any worries about them starting a fire. They should just stop working before they get to that point.

Also, if you need to turn off PfSense, can you just unplug it from the wall socket or press down a power button to shut it down properly ?

NO ABSOLUTELY NOT.

Regardless of which way you go with this project PFsense HAS to be shut down like a regular computer. If you just pull the plug (like you do with an off the shelf router) PFsense doesn't take it very well. I had a friend's kid unplug mine to plug in their phone once and when I brought it back online I couldn't log into PFsense through the web browser. I had to log into it through a terminal session to get it back up and running right.

You have to either use a terminal session, or you can log into the system through a browser session (the way I prefer) and go into diagnostics (I believe it is) and tell it to "Halt System". Don't power cycle a PFsense device like you would an Asus or nutgear router.

So you have set-up that NetGate device as Gateway which is or acts as a router ?

My setup is - modem to NetGate device running a VPN/ NetGate device to 16 port managed switch/ on my switch I have ALL of my personal devices hardwired/ I also have two wireless routers on the switch both on their own separate VLANS one is for IoT devices (Alexa and a security camera) and the other is a separate network for a friend in another apartment that pays half of my internet bill.
 
E.T.D.s (electronically transmitted diseases/ie viruses/malware) are like that.

Correct me if I'm wrong but isn't VLAN deployed for network separation to prevent one computer infecting others e.g viruses/malware/ransomware etc over in the same network ?

I can not answer that question, I live in the U.S. so availability usually isn't an issue for me. I've also seen them on NewEgg as well. It's a made in China surely someone in your region carries them?

The only option is to buy it on Ebay and get it shipped from US to my region. In this case, I don't really trust Ebay in this aspect and would like to stick with Amazon which is more trustworthy.

NO ABSOLUTELY NOT.

Regardless of which way you go with this project PFsense HAS to be shut down like a regular computer. If you just pull the plug (like you do with an off the shelf router) PFsense doesn't take it very well. I had a friend's kid unplug mine to plug in their phone once and when I brought it back online I couldn't log into PFsense through the web browser. I had to log into it through a terminal session to get it back up and running right.

You have to either use a terminal session, or you can log into the system through a browser session (the way I prefer) and go into diagnostics (I believe it is) and tell it to "Halt System". Don't power cycle a PFsense device like you would an Asus or nutgear router.

That's good to know. Tho, when it's shut down the wrong way, shouldn't PfSense return to it's previous state as I'm pretty sure that configuration files for it are saved somewhere on HDD ?

I also have two wireless routers on the switch both on their own separate VLANS one is for IoT devices (Alexa and a security camera) and the other is a separate network for a friend in another apartment that pays half of my internet bill.

I was wondering of something similar, if I could have my one Wi-Fi Access Point on the unmanaged switch and separate it from LAN as well as run two Wi-Fi networks on the same AP which won't touch LAN and each other Wi-Fi devices ? That probably would be VLAN as well ? Is that even possible to do this way or do I need to invest into more expensive hardware to achieve it ?
 
Correct me if I'm wrong but isn't VLAN deployed for network separation to prevent one computer infecting others e.g viruses/malware/ransomware etc over in the same network ?

Not only that, usually it's deployed to keep networks separate, so say that a company's accounting department can't access the systems for the R&D department, and R&D can not access the production network and vice-versa. Even if you set VLANs up on a managed switch it's still on the same hardware and therefore the result of the switch's software. VLAN tagging is VLAN tagging, regardless on if you set it up through PFsense (and the PFsense software sets it), or if you set it up on a managed switch (and the switch's software sets it), VLAN tagging is VLAN tagging.

That's good to know. Tho, when it's shut down the wrong way, shouldn't PfSense return to it's previous state as I'm pretty sure that configuration files for it are saved somewhere on HDD ?

When I had my issue with improper shutdown I had just bought my gateway and thought there was something wrong with the device and called NetGate. They are the ones that told me what I was experiencing was because the device was shutdown improperly. The first question out of the guy was to ask me if it had lost power or just gotten unplugged. That's when they said that if it got shutdown wrong it could not only lock you out of the web configuration, but it could create other anomalous behaviors as well.

I was wondering of something similar, if I could have my one Wi-Fi Access Point on the unmanaged switch and separate it from LAN as well as run two Wi-Fi networks on the same AP which won't touch LAN and each other Wi-Fi devices ? That probably would be VLAN as well ? Is that even possible to do this way or do I need to invest into more expensive hardware to achieve it ?

You can do it that way. Just make sure that you set the network IPs in the routers first. So say the PFsense is 192.168.1.1, you set one router as 192.168.2.1, and the second router as 192.168.3.1. You don't need to setup VLANs to configure it like that and keep network separation.

Also a Zotac box should come with a WIFI card, it'll take some configuration on your part (or so I've read) but you can set it up for wireless too.
 
The last link will show you how to configure VLANs
Helpful links
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
https://www.infotechwerx.com/blog/Policy-Routing-Certain-Traffic-Through-OpenVPN-Client-Connection
http://supratim-sanyal.blogspot.com/2017/04/pfsense-pfblockerng-ultimate-list-of-ip.html
https://nettb.com/blog/2015/03/pfsense-dns-leak-when-connected-to-vpn-fix/
https://nguvu.org/pfsense/pfsense-baseline-setup/

My main use case is Selective Routing. pfBlocker allows me to create IPv4 lists. I then use the Firewall-Rules-Lan to use the list to route the traffic to the appropriate WAN or VPN interface.
 
