Dennis Wood
Senior Member
EDIT: (Nov 18) With our Draytek 2950 routers locking up our network the last few days, the decision to insert the new pfSense 2.0 routers was made. They are fast, comprehensive and incorporate antivirus, proxy, content filtering, SNORT (intrusion protection) and even VPN. So far, the performance improvement over the Draytek 2950 routers is impressive.
Some of you may recall a whole lot of testing and tweaking to get the two Draytek 2950G routers (see the sticky posts in this section!) configured and working with two WAN connections, VPN, rsync between several NAS units, and iPhone VPN. So things have been stable/good, but there were a few things that bothered me about the Draytek units:
1. The Smartmonitor software (which has been working very well) must be run on a separate Windows XP workstation. Well, it's time to retire that box.
2. I could never properly prioritize Skype packets, which we use a lot.
3. At times I had some questions about how well the QoS was working with our VoIP systems. For sure, the faster speeds now provided by our ISPs are pushing the total routing performance of the Draytek units.
4. The Draytek boxes are unable to provide proxy/caching features, an easy performance boost on any network.
So after much research, pfSense (an open source distribution) was an obvious path to a very high performance router that does everything the Draytek did (and a lot, lot more) but for about $350. The need for the external XP workstation for web monitoring/restricted access is gone, and we've gained proxy caching performance for the network. This all ends up in a box similarly sized to the Draytek 2950 router box, but much quieter. So here's the chosen path, presented here so it will save a few folks a lot of time!
This article here is an excellent read before you go on: http://www.smallnetbuilder.com/secu...1406-build-your-own-ids-firewall-with-pfsense
The Chosen Hardware
Criteria: Low power, low cost, quiet operation, and compact footprint, but with a minimum of 1 LAN Gigabit port and 3 WAN Gigabit ports. Target performance is in the 1 Gbps range for firewall throughput, with 70 Mbps (similar hardware, iperf measurements: http://www.hacom.net/catalog/mars-openbrick-m-pfsense-appliance )
M350 Mini-ITX Case with silent power supply: http://www.mini-box.com/M350-enclosure-with-picoPSU-80-and-60W-adapter ($69)
Intel Atom Dual Core 1.6 GHz Mainboard: http://www.mini-box.com/NC92-Intel-N330 ($109)
Daughterboard (adds 3 more Gigabit ports): http://www.mini-box.com/VERSA-3-x-Gigabit-LAN-Port-Daughterboard ($48)
1GB DDR2 memory: (old stuff I had on hand; usually $20-30 new)
Intel 40GB SSD drive: http://www.ncix.com/products/?sku=59822&vpn=SSDSA2CT040G310&manufacture=Intel ($100)
So, purchased in bits and assembled yourself (add in some shipping), we're looking at about $400. We won't talk about the time it took to sort out a few issues, several of them classic bone-head moves on my part. Here's the basic skinny on getting it working.
Installing Software/Hardware
1. Assemble the motherboard, plug in the daughterboard, install the RAM, install the HD, make your connections and fire it up. This was the simple part; there are many online tutorials on mini-ITX builds you can refer to.
2. Attach a monitor and keyboard to the box and boot 'er up. Set up the BIOS to look to the hard drive first. Assuming everything boots (no OS yet, don't worry), onward.
3. Prepare a USB memory stick to boot pfSense and install it to the SSD drive. An 8GB USB stick I had refused to boot; an older Kingston 4GB DataTraveler did.
a) Download the "pfSense-memstick...amd64...img.gz" you will find on one of the mirrors here: http://www.pfsense.org/mirror.php?section=downloads
b) Use 7-Zip to decompress the .gz file to a .img file.
c) Use Win32DiskImager.exe to write .img file to your USB stick. You can download the utility here: https://launchpad.net/win32-image-writer/+download
4. During boot, hit the DEL key and enter the BIOS. Set the box to boot from the USB key (in the BIOS, set the hard drive order so the USB stick is #1 priority, and make sure the 1st boot device is the hard drive).
5. You'll see some choices come up during the boot. It's important that you choose option 3, "Boot pfsense from USB".
6. From there, the wizard will ask you questions. You can use this as a guide: http://doc.pfsense.org/index.php/Installing_pfSense
7. Once you're done choosing LAN and WAN interfaces (hint: re0, re1, re2, re3 are the port names looking from left to right), choose 99 to install pfSense to the SSD hard drive in the box.
8. Choose easy install, and when asked which kernel to install, choose default multi-kernel.
9. When done, the machine will reboot and stop at a console. Here you can change the LAN IP address (hint: most of the time your subnet bit count will be "24") to something other than the default of 192.168.1.1 if required. Once this is done, you can disconnect the keyboard/monitor etc., as everything else can be done from the web interface.
Use this to set up load balancing:
http://forum.pfsense.org/index.php/topic,28121.0.html
Problem: IPsec passthrough did not work. Outbound VPN connections were established, but nothing was routed over them once load balancing (two WAN connections) was set up. This one was frustrating!!
Solution: System, Advanced, Miscellaneous: enable "Use sticky connections".
Port forwarding, for rsync, use this:
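To make the failure concrete, here is an added example (not from the post and not pfSense code) that simulates per-connection round-robin gateway selection against sticky, per-source selection for the three flows an outbound IPsec session needs; the WAN names and flows are constructed.

```python
"""Why outbound IPsec breaks under per-connection multi-WAN balancing
and works again with sticky connections (constructed simulation)."""
from itertools import cycle
from collections import defaultdict

WANS = ("wan1", "wan2")  # constructed gateway names

# One IPsec session as the router sees it: (src_ip, proto, dst_port).
VPN_FLOWS = [
    ("192.168.1.50", "udp", 500),    # IKE negotiation
    ("192.168.1.50", "udp", 4500),   # NAT-T (ESP encapsulated in UDP)
    ("192.168.1.50", "esp", None),   # raw ESP once the tunnel is up
]
OTHER_HOST_FLOW = ("192.168.1.60", "tcp", 443)  # unrelated client


def assign_round_robin(flows, wans=WANS):
    """Default balancing: every new state takes the next gateway in turn,
    so one session's IKE, NAT-T and ESP states can leave via different WANs."""
    rr = cycle(wans)
    return {flow: next(rr) for flow in flows}


def assign_sticky(flows, wans=WANS):
    """'Use sticky connections': the first state from a source IP picks a
    gateway, and every later state from that source reuses it."""
    per_source = {}
    rr = cycle(wans)
    assignment = {}
    for flow in flows:
        src = flow[0]
        if src not in per_source:
            per_source[src] = next(rr)
        assignment[flow] = per_source[src]
    return assignment


def peer_sees_consistent_source(assignment):
    """The remote VPN peer only accepts a session whose flows all arrive
    from one public address, i.e. were all sent via the same WAN."""
    wans_by_src = defaultdict(set)
    for (src, _proto, _port), wan in assignment.items():
        wans_by_src[src].add(wan)
    return {src: len(wans) == 1 for src, wans in wans_by_src.items()}


if __name__ == "__main__":
    print("round-robin:", peer_sees_consistent_source(assign_round_robin(VPN_FLOWS)))
    print("sticky:     ", peer_sees_consistent_source(assign_sticky(VPN_FLOWS)))
```

Sticky selection still balances across WANs, just per client rather than per connection, which is why enabling it does not give up the second link.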
http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense?
In troubleshooting inbound remote rsync (requires the rsync port and the encryption port forwarded to the host NAS) I wasted several hours because the default gateway on the NAS was still set to the old router address!! Bonehead mistake!
Dynamic DNS on interfaces: set up under Services, Dynamic DNS.
Packages
This is the cool stuff. Under the System menu on the pfSense router, you can very quickly install available packages from the web with one click. My picks:
EDIT: As of Jun 21, SNORT is not working with the RC3 release :-(
a) Improved security provided by SNORT, which adds literally hundreds of rules that are updated daily via subscription from snort.org
b) A high performance proxy system using SQUID, which caches content on the SSD drive so frequently requested data, Windows updates etc. come from the cache, not the web
c) Advanced content filtering via SQUIDGUARD, which allows you to filter/restrict web content based on a ton of criteria
d) Finally, LIGHTSQUID provides a reporting facility to check on web usage, bandwidth use etc.
Once you install the packages they show up as items in the Services and Status menus. Each package requires configuration/setup, but they are relatively easy to figure out using guides provided in the pfSense forums. In the RC2 versions of pfSense much of the context help is not finished yet, so you're left to the forums for information. More on this later as we figure out VPN server setups to replace the Draytek 2950 IPsec server, which supports both 64-bit Windows (using the Shrew Soft VPN client) and iPhone VPN. pfSense provides similar functionality.
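As an added example (not from the post, and not LightSquid's own code), here is the kind of per-client usage and cache-hit summary LightSquid builds from the Squid proxy's access log; the log lines are constructed sample data in Squid's native access.log format, not from the author's router.

```python
"""Summarize Squid native access.log lines: bytes per client, bytes served
from cache vs fetched from the web, and requests Squid refused."""
from collections import defaultdict

# Constructed sample log, native Squid format:
# timestamp elapsed client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1332945456.123   245 192.168.1.50 TCP_MISS/200 524288 GET http://download.windowsupdate.com/a.cab - DIRECT/1.2.3.4 application/octet-stream
1332945460.001    12 192.168.1.51 TCP_HIT/200 524288 GET http://download.windowsupdate.com/a.cab - NONE/- application/octet-stream
1332945470.500   180 192.168.1.50 TCP_MISS/200 4096 GET http://example.com/index.html - DIRECT/5.6.7.8 text/html
1332945471.200    30 192.168.1.52 TCP_DENIED/403 1500 GET http://blocked.example/ - NONE/- text/html
"""


def parse_line(line):
    """Return the fields a usage report needs, or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result_code, _, status = fields[3].partition("/")
    return {
        "client": fields[2],
        "result": result_code,
        "status": int(status),
        "bytes": int(fields[4]),
        "url": fields[6],
    }


def summarize(log_text):
    """Aggregate a log: per-client bytes, cache-hit vs fetched bytes, denials."""
    per_client = defaultdict(int)
    cache_hit_bytes = fetched_bytes = denied = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            denied += 1              # blocked by Squid ACLs
        elif "HIT" in rec["result"]:
            cache_hit_bytes += rec["bytes"]   # answered from the SSD cache
        else:
            fetched_bytes += rec["bytes"]     # fetched over a WAN link
    return {"per_client": dict(per_client), "cache_hit_bytes": cache_hit_bytes,
            "fetched_bytes": fetched_bytes, "denied": denied}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The second Windows-update fetch is answered entirely from cache, which is the saving the proxy package buys on a small office link.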
My overall thoughts after messing around for 3-4 days are that pfSense is incredibly well featured. The traffic shaper wizards worked great, so I was able to set up VoIP priorities etc. with a few clicks. Once set up, the ability to look at queues, as well as a pile of graphs, pretty much tells you exactly how traffic is being routed and load balanced. Going forward, the ability to filter packets at Layer 7 means the router can inspect the contents of packets, not just the headers, which gives you all kinds of power to block or prioritize just about anything. This includes Skype, which is almost impossible to deal with due to the constant changes in ports. Routers like the Draytek 2950 do not have the horsepower to do this, but our $400 pfSense router does. More to come.
Whew...enough for tonight.