Building a PFsense box

[Carnagerover]

Hi all,

I am currently testing out PFsense on my main PC and so far i am very impressed with what it can do. I am now considering specs for my actual finished build.

I have an Athlon 1700+ machine with 1Gig of Ram lying around doing nothing and i was thinking about using that.

Then after looking on the specs sheet on PFsense;

http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

I am thinking of getting hold of a PIII 500mhz or greater and putting 512mb of ram in there. I would imagine that the cost to run a PIII 24/7 would be much more cost effective than running an Athlon 1700+ watts wise anyway.

I also have two Intel Pro 1000GT that I am planning to use as the WAN and LAN on PFsense

Just wondered if anyone had any experience with building this type of machine for PFsense and had any advice for me.

thanks

Stu

 

[thiggins]

http://forums.smallnetbuilder.com/showthread.php?p=5498

 

[Carnagerover]

Thanks for the link, interesting information on there.

I am also looking into the ALIX 2C3 as a viable option, its not too bad with a 500mhz cpu and it does also have 256mb of RAM.

This would save on electricity and i am not really looking to run any packages so that wouldn't be a problem either.

I will also get a PIII system so that i can test any packages though down the line if the ALIX proves to be not fast enough for my needs.

The only problem is i have no experience with how to install this via a serial port, need to do more research on that.

I am currently running PFsense now on my main computer and it seems great for my needs.

 

[YeOldeStonecat]

I've been looking for something like a little Alix package, I do have one project coming up for a client where I need to deploy a WAN, and I'd like a little box about the size of a commercial grade SOHO router like a Linksys RV042 or so...to run PFSense on.

However, for home...IMO an older laptop is great. You can pick up one of the older T2X series Thinkpads for less than the price of purchasing an Alix box/enclosure/cf card. Heck, if I came across one of their smaller X series models (12" LCD), that'd be ideal.

When you run it on your laptop, you have the console right there...so you can eyeball the status whenever you want (see the WAN IP), and gracefully reboot it right from the laptop from console.

A laptop provides
*Small footprint
*Low AC consumption
*Low heat output
*Low noise (depending on laptop model I suppose)
*Built in keyboard/monitor

I am still wanting to try an Alix setup, something like the SBC enclosures at the RockBox site...
https://www.linuxappliance.net/catalog/index.php/components/mini-itx-enclosures/sbc-enclosures, with an Alix board with cf card.

 

[thiggins]

Don't forget netbooks and MSI Wind PC. Atom should have plenty of poop to run PFsense. Just need to add a USB Ethernet adapter.

 

[Carnagerover]

Thanks for the input

I know what your saying with the laptop, sounds like a good idea, just wish there was some cheaper stuff available.

I'm holding off on the Alix for the time being and i'm going to use this machine;

Athlon 1700+
1 Gig of Ram
2 x Intel Pro 1000GT

I have started to try out some of the packages, namely Squid, Squid Guard and BandwidthD, this sort of stuff cant really be done on the embedded devices so until i stop using the packages i'll just stick with this.

I am still going to keep my eye out for a more cost effective way but its ok for now

 

[Carnagerover]

Don't forget netbooks and MSI Wind PC. Atom should have plenty of poop to run PFsense. Just need to add a USB Ethernet adapter.

Thanks for that i did not see your reply when i replied earlier.

Looks just the ticket really, however i dont think you can get them from anywhere in the good old U S of.... UK, lol

Will keep my eye out though

 

[Carnagerover]

Think i may have found just the very thing for me,

http://www.mini-itx.com/store/?c=44

I am thinking of getting the bundle without the HDD, I have an 80GB 2.5 Sata Drive here and then that would enable me to make use of the PCI slot, i'm not sure if it would require a low profile PCI card or not, hopefully then i could just slot my Intel PRO 1000GT in there, there is also the optional CD-rom drive that would be ideal for installing PFsense.

The only problem is i dont know if this hardware is compatible with PFsense, other than that it would appear to fit my needs exactly.

What do you think ?

 

[vnangia]

Think i may have found just the very thing for me,

http://www.mini-itx.com/store/?c=44

I am thinking of getting the bundle without the HDD, I have an 80GB 2.5 Sata Drive here and then that would enable me to make use of the PCI slot, i'm not sure if it would require a low profile PCI card or not, hopefully then i could just slot my Intel PRO 1000GT in there, there is also the optional CD-rom drive that would be ideal for installing PFsense.

The only problem is i dont know if this hardware is compatible with PFsense, other than that it would appear to fit my needs exactly.

What do you think ?

I run one of my pfSense boxen on precisely that motherboard, and I have no problems with undetected hardware. I had a kernel panic with an older version of pfSense, but since moving to the 1.2 series, I've not had a problem - I attributed it to the Atom processor, but I could be wrong. No experience with the Intel Pro 1000GT, can't comment.

 

[Carnagerover]

Thanks good to know that it is supported;

I also found the Dual Core version

http://www.mini-itx.com/store/?c=47#d945gclf2

However i cant for the life of me find out if that is supported, my google jedi skills have abandoned me.

 

[MoralDelima]

Forget the Wind - check out the new Ion platform. Pure sex.

http://www.engadget.com/2009/01/12/nvidia-ion-platform-gets-demonstrated-at-ces/

 

[YeOldeStonecat]

I was in a datacenter the other day, they provide managed bandwidth for their clients...and they use PFSense for their WANs. The guy there said he uses Netgates stuff..
http://www.netgate.com/

I'm considering snagging one to check it out in detail...for the project I have coming up. When you click on the SBC and Firewall links up on top of their page...some good little boxes.

 

[Carnagerover]

Hi,

I ended up going for this setup in the end and i'm very pleased with it, will be arriving tomorrow as i just placed the order today;

This case in black;

http://www.mini-itx.com/store/?c=3#venus

This board as already mentioned;

http://www.mini-itx.com/store/?c=47#d945gclf

Ram;

2GB PC5300 DDR2 667 DIMM

Storage

80GB 2.5" SATA drive with a 2.5" HDD to 3.5" HDD Bay Anti-Vibration Mounting Kit

LAN and WAN Adapters;

On board 10/100 for WAN
Intel Pro 1000GT for Gigabit LAN in PCI slot

Now all my router issues are soon to be behind me

 

[Carnagerover]

Just wondered if anyone could help with a little info on my setup to make sure I have it setup correctly.

This is how my setup is connected,

Netgear DG834GT modem only mode >Gigabit switch >Gigabit switch upstairs which is connected to the PFsense box.

One gigabit cable carries the traffic between switches.

I have setup my LAN and WAN on the PFsense box and everything works fine, DHCP works for wireless and wired as the AP in the Netgear still works when in modem only mode.

However i dont understand what bridging is really, I have seen alot of talk of different people using bridging but i cant find an explanation of what it does and why it is useful in layman's terms.

For example Bridging LAN to WAN ?

Lastly i see more talk on a transparent firewall, what is this and why is it useful.

I dont really understand these crucial elements of networking yet, i have packets working on the box like Iperf, squid yet i dont know these things.

Can anybody help ?

 

[YeOldeStonecat]

Curious why the 2x switches in between the modem and the red NIC of your PFSense box...

When you see bridged mode used with broadband modems....it's commonly used with DSL modems.

In the early days of DSL (and still with cable modems today), whatever was plugged into the modem would pickup the public IP address. With DSL, whatever you plug into the pure bridged DSL modem would also do the PPPoE authentication.

This is a security risk if you do this with your PC, as your PC is wide open on a public IP address.

In more recent years, DSL ISPs starting shipping combo modem/routers...a little gateway appliance. The software you run to setup your DSL connection configure the modem to do the PPPoE authentication, and the little box also runs as a little NAT router...giving you hardware firewall protection. Your PC obtains a private class C IP address...so it's safe and secure behind this NAT firewall protection.

However...if you stick your own router behind one of these ISP supplied combo modem/routers...you end up with "double NAT", possible IP conflicts, and other things. So...you'll see the term used "convert your DSL modem to bridged mode"..so that your router can obtain the public IP address and do the PPPoE.

Bridging is also commonly used to refer to a device that converts media...
Ethernet over AC adapters
Ethernet over phoneline adapters
Wireless to ethernet
Serial to ethernet
..are some examples.

"Transparent Bridge"...an example of this is when you place a device between your network and your gateway...it doesn't take the place of anything, or make you reconfigure much...traffic just flows through it through some trickery. You can do this with Untangle...another linux distro that has UTM features like antivirus scanning of your traffic. You can install an Untangle box on your network in transparent bridged mode..and it requires no reconfiguration of your network...client traffic will automatically flow right through it.

Versus...replacing your router with Untangle..doing the NAT, etc.

 

[Carnagerover]

Ahhhh i see,

Thanks alot for the detailed reply, much appreciated,

My router is in modem only mode and therefore passes the converted adsl signal straight to the router in this case the PFsense.

I also have a static IP and no username or password so i assume this is why i dont need to bridge mine as it is already bridged and PFsense has full access to my external IP address and the only NAT that is running is the PFsense.

Basically i just wanted to make sure that everything was working as it should be.

Update

My setup is as follows;

Netgear DG834gt >5 port Gigabit switch with the following devices connected;

Xbox 360
Popcorn Hour
Netgear Dg834gt
Link cable that goes upstairs

Once the link cable comes out of the wall upstairs, a patch cable goes into the second Giga switch;

PFSense LAN cable
PFSense WAN cable
Dlink DNS - 323
Seperate Gigabit enabled PC

Basically a couple of months ago i ran a CAT 5e cable from a Wall plate, outside, into the loft, across the loft and then down and into my computer room into another wall plate. So i only have one link for my downstairs and upstairs equipment. Ideally i should have one for each but that's not feasible.

What speed does the link actually run at then if it is connected to two Gigabit switches, i'm not entirely sure how the bandwidth is shared on the link itself with a mix of Gigabit and none Gigabit devices

I dont fully understand the transparent firewall yet but looking on PFsense forums it would appear that you have to manually setup rules for everything on your network as it is all blocked by default when this is setup, knowing now that i am totally protected i think i will leave this for the time being.

Thanks again

 

[YeOldeStonecat]

Ahh I see...so the devices you have plugged into the switch...are basically pulling their gateway from the green NIC of the PFSense box which is plugged into the switch upstairs. So any internet traffic from devices plugged in downstairs...travel back upstairs..through PFSense..then back into the upstairs switch..and back downstairs into the downstairs switch..and out your modem. So it's traveling through the downstairs switch twice, and across the upstairs switch a few times.

A few extra steps...but appears necessary in your situation.

If the the following setup is possible..it may streamline your connection a bit.

Relocate your PFSense box to downstairs..between your DG834gt and your downstairs 5 port switch.
DG834gt==>WAN NIC of PFSense.
LAN NIC of PFSense ==> 5 port switch downstairs....plus your other downstairs nodes.
===cable leading to upstairs switch===
Upstairs switch plus all other upstairs nodes.

Links between anything internal on your gigabit switches will travel at gigabit speeds..such as LAN to LAN transfers between PCs, if your PCs have gigabit NICs.
Anything that has a 100 meg NIC will naturally only transfer at 100 meg speeds.
Anything heading out to the internet, your speed from the ISP will be your bottleneck as soon as it leaves your modem. Say..6 megs, for example.

 

[Carnagerover]

I know what you are saying about moving the router downstairs but it would then have to be in my living room which wouldnt go down well

How much benefit would i get from installing a second cat5e network cable ?

I could do another external install, but i dont really want to have to if its not going to be a significant improvement.

It doesnt seem to slow my connection down i ping <1ms to the PFsense box, what are the drawbacks to my setup other than what you said in your earlier posts.

Update

I have just installed my new PFsense box upstairs, took me a while to build it but it is now up and running, everything went smooth apart from one little wrinkle on the operation, for some reason RRD Graphs doesnt work, none of the graphs get populated with any information yet Darkstat and Bandwidthd work fine;




Weird

Thanks again

 

[YeOldeStonecat]

How much benefit would i get from installing a second cat5e network cable ?


It doesnt seem to slow my connection down i ping <1ms to the PFsense box, what are the drawbacks to my setup other than what you said in your earlier posts.

Since it's only an XBox downstairs..and whatever this "Popcorn Hour" thing is...probably not much. If you had a bunch of PCs downstairs doing heavy duty online gaming..then it would be a performance killer.

 

[Carnagerover]

Good to know,

I think i will probably order another kit next week, might as well now i have this proper setup going.

I am re-installed my new PFsense box and the RRD Graphs seem to be graphing again so thats good, dont know what happened there at all.

Hope you dont mind if i blame you when i tell the ball and chain that i have got to drill some more holes in our house

Popcorn hour fantastic bit of kit;

http://www.popcornhour.com/onlinest...og&task=info&item_id=6&main_id=0&category_id=