Converting a Cisco Ironport C170 to Opnsense router

ddaenen1

Senior Member
So someone offered a Cisco IronPort C170 on a local second-hand website for cheap (30 Euro). Since I didn't know what that was, I started to google. There are multiple threads on Reddit about use cases for this, so I decided to pick it up to play around with it a bit. I have also been wanting to experiment with OPNsense for some time without impacting the network at home, so this seemed to tick the boxes.

They are basically equipped with a Pentium G6950 and 4 GB DDR3 1333 MHz unbuffered ECC RAM, two 1 GbE NICs and two front-located 2.5" hot-swap bays. Specs are widely available on the web. What it doesn't have is a VGA output, but it does have a video header on the main board. There are several links online that can help you make a video cable for that. I used an old FDD flat cable connected to a chopped-off VGA cable and some insulation tape, which works perfectly. I am contemplating integrating it into the housing or the expansion slot cover; not sure yet, since you can SSH into it, so headless operation is not an issue. So I booted this thing after installing an old 100 GB SSD that still had a pfSense installation on it from a previous router that I replaced. To my surprise, the system booted up and pfSense was up and running in a whiff.

After that, I plugged in a USB stick with the OPNsense image on it, which installed nearly flawlessly (I had an issue with accessibility of the GUI, since OPNsense also wanted to use 192.168.1.1, which my pfSense router is already on). After fixing that, all was well and I went through the wizard for basic setup. Throughput appears to be the same as my current pfSense router at first glance, it seems to be running perfectly, and I will spend some time looking at the features as a potential future alternative.

I thought it was worth posting this in case there is someone out there who wants to step into the world of pfSense or OPNsense with a minimal investment. The noise level is quite good for a 1U box, and whilst the VGA cable may need some work, with the information already available on the web it shouldn't be a job stopper. Also, the box is upgradeable. You can replace the G6950 with a Xeon X3430 or L3426 (for the power-saving minded) or even an i5-650 with AES-NI, and memory can be expanded up to 32 GB unbuffered ECC when dropping in a Xeon. With some creativity, you can also use the onboard PCI-E slot for more NICs.

If someone wants more details or has questions, let me know.

P.S. There is also an IronPort S170, which is basically the same with more onboard NICs, so that would do perfectly too.
 

Tech9

Part of the Furniture
This thing is huge. Unnecessary waste of space and electricity for home use.
 

ddaenen1

Senior Member
This thing is huge. Unnecessary waste of space and electricity for home use.

Maybe. It has the typical dimensions of a 1U short-depth rack server, no more or less than any others of a similar type. My aim was to point out that there is a cheap entry point to discovering pfSense or OPNsense before spending a couple of hundred on a Protectli or similar.
 

Tech9

Part of the Furniture
A mini PC or appliance will be smaller, faster, noiseless and can save hundreds in electricity cost over its lifetime, depending on the country you live in. It won't require initial maintenance and modifications and can have more and faster LAN ports to better utilize the processing power available.
 

coxhaus

Part of the Furniture
Cisco builds good hardware which runs much longer than supported software. Are you going to use it for your front door and replace your existing one?

When I ran pfSense I ran it on a low-voltage Xeon. RAM would be good unless you hit IPS/IDS hard for a home. This would be a good time to test and run IPS/IDS, as it won't kill your real network.
I would not worry about VGA and just run it headless with remote.

I believe in only 1 inbound and 1 outbound for firewalls. I always run my firewalls this way.
 

Christos

Regular Contributor
Since the release of pfSense+ with a free license for home/lab, I see no reason for someone to choose OPNsense anymore.
pfSense is very stable, and with the ZFS snapshots they added recently, you can try and break anything and it will come back to its previous state with a simple reboot.

However, if your internet connection is really fast, you could try Netgate's TNSR, which is marketed as the router for fast connections.
 

Tech9

Part of the Furniture
I see no reason for someone to choose OPNsense anymore.

OPNsense is just an alternative to pfSense, and some like it better.
 

Crimliar

Senior Member
I guess over winter at least it'll also work as a room heater!
 

ddaenen1

Senior Member
Cisco builds good hardware which runs much longer than supported software. Are you going to use it for your front door and replace your existing one?

When I ran pfSense I ran it on a low-voltage Xeon. RAM would be good unless you hit IPS/IDS hard for a home. This would be a good time to test and run IPS/IDS, as it won't kill your real network.
I would not worry about VGA and just run it headless with remote.

I believe in only 1 inbound and 1 outbound for firewalls. I always run my firewalls this way.

I haven't really decided on that yet. My current Supermicro is a bit more modern with an E3-1230, has all the same features including the two front hot-swap bays and 16 GB of memory, so it really does the job, and with the X550-T2 it is well equipped for the near future and, above all, it has IPMI. I bought this because I was curious, it was dead cheap, it looked like good build quality with all the right features, and since I always like to experiment and test stuff before deploying it into my home network (I do home office a lot and really can't afford downtime because something went sideways), it seemed like a no-brainer. I am thinking about throwing in an L3426 and adding some RAM, but that is not really needed for experimenting, for now.

As I have played around with OPNsense now for a day, I can't say I am thrilled about it. Some talk about the better GUI, but I don't see it (yet?). The only feature I did appreciate is the ability to back up your config to Nextcloud. I am thinking right now of installing pfSense once again and starting to tinker with features that I never dared to before, such as setting up VLANs, VPN and whatnot. My private screw-up firewall/router :)
 

ddaenen1

Senior Member
Since the release of pfSense+ with a free license for home/lab, I see no reason for someone to choose OPNsense anymore.
pfSense is very stable, and with the ZFS snapshots they added recently, you can try and break anything and it will come back to its previous state with a simple reboot.

However, if your internet connection is really fast, you could try Netgate's TNSR, which is marketed as the router for fast connections.

I really have no instant desire to switch over to OPNsense. I just read the forums and then curiosity gets the best of me. I am perfectly happy with pfSense CE and it does all I need it to do, especially the ACME certificates and HAProxy combo to facilitate HTTPS access to my Nextcloud server via my FQDN.
 

coxhaus

Part of the Furniture
Since the release of pfSense+ with a free license for home/lab, I see no reason for someone to choose OPNsense anymore.
pfSense is very stable, and with the ZFS snapshots they added recently, you can try and break anything and it will come back to its previous state with a simple reboot.

However, if your internet connection is really fast, you could try Netgate's TNSR, which is marketed as the router for fast connections.

My understanding is TNSR is just a router. When you strip out firewall duties you end up with a faster router. In the old days routers really did not perform firewall duties. Probably the hardware was too slow.

Oh, and by the way, you may be able to disconnect some of the fans when just running pfSense. Maybe one blowing on the heat sink. It worked for me, as I used one small laptop drive, so no real heat there. It will be quieter and use less power. You know you have gone too far if you get a CMOS shutdown.
 

coxhaus

Part of the Furniture
So, I was reading about OPNsense since seeing this thread, as I have never run it. There is a new module you can install called Zenarmor. Has anybody tried it?

I think most people that run pfSense don't really run Snort, and if they do, they don't actively use it. It is a lot of work.
 

ddaenen1

Senior Member
In the meantime I have already parted from OPNsense and installed pfSense CE, and instantly did an upgrade to pfSense+ to see what the difference is and what it would mean if I did this on my main router. All in all a flawless conversion. For now, I am going to keep the Cisco as my backup router. Once I have done the pfSense+ upgrade on the main router, I will upload the config file to the backup router.

In case I find another purpose for it, I can always pull out the SSD and stick in another one, since it has two hot-swap slots in the front.
 

coxhaus

Part of the Furniture
Well, your thread got me thinking about OPNsense, so I have a Dell i3 sitting around that I plan to load OPNsense on, since I have never run it. It was my TV Dell PC, but it will not do 4K since my TV upgrade, which is now 4K. I am just waiting on a dual-port Intel card.
pfSense is getting ready to jump kernels, so it will be nice to have a second one. You can test on it, as I am sure there will be issues.

I tried to buy my Cisco Firepower 1010, but I am having issues with getting a license, as I need a work domain and email, which I don't currently have. Looks like with Google it will be $79 more a year to maintain a work email. I am still looking for a cheaper solution.
 

jasonreg

Regular Contributor
@coxhaus - when I was setting up my Cisco "Smart Account Licensing" account to purchase and manage the security licenses for my RV340, I ran into the same issue. In the end, they accepted a Gmail address for my "Home Office" domain during the registration. IIRC I needed to submit a TAC request, but not sure if you need this step. Interestingly, they did not accept iCloud but did accept Gmail, for whatever reason.

Anyway, not sure if this would help, but I thought I would pass it on.
 

coxhaus

Part of the Furniture
Yes, I have a Cisco ID with a Gmail account. This is different from a Cisco SmartNet license. Cisco will not take a Gmail account for their enterprise gear. I opened a case with Cisco, and when I talked to them on the phone to reaffirm, they said I need a work email like [email protected].

I am trying to come up with a cheap solution without running my own email server.

I should receive my low-profile dual-port Intel card tomorrow. None of my dual-port Intel cards were low profile.

I am going to use my old pfSense laptop drive I used in the past and wipe it. It will be low power. I am thinking this Dell 54-watt PC with a laptop drive will not heat up my closet. It is very quiet.
 

ddaenen1

Senior Member
So, I was reading about OPNsense since seeing this thread, as I have never run it. There is a new module you can install called Zenarmor. Has anybody tried it?

I think most people that run pfSense don't really run Snort, and if they do, they don't actively use it. It is a lot of work.

Not me. I haven't even looked into it. I run pfBlockerNG, which is quite OK once you have configured it, but I guess it is not really the same as IPS/IDS. You have tickled my curiosity again, though. I am going to look into it.
 

coxhaus

Part of the Furniture
Yes, pfBlockerNG is just a bunch of block lists by IP. IPS/IDS is packet inspection and correction of the actual data in the packet. Snort requires rules as to what to do with packets as discovery happens. This kind of turns into an ongoing thing, developing these rules.
 

avtella

Very Senior Member
pfBlocker is more than just IP blocking; it has a DNSBL portion as well. This portion can be a bit memory intensive based on your list size, as it tries to block all forms/variants of a given base address (works pretty well vs Facebook, YouTube etc.) (someone more knowledgeable can do a better job explaining). But yes, not IDS/IPS. As for Snort/Suricata, yeah, but more complicated due to all the knobs that are available to fine-tune. Not really something a home user needs, in my personal opinion. As for Zenarmor (Sensei), if I recall it's essentially a layer 7 firewall; on OPNsense it is available in the package manager, but it can be installed on pfSense as well.

TNSR is a completely different thing, not simply a router without firewall additions; it uses Vector Packet Processing.
 

coxhaus

Part of the Furniture
pfBlocker is more than just IP blocking; it has a DNSBL portion as well. This portion can be a bit memory intensive based on your list size, as it tries to block all forms/variants of a given base address (works pretty well vs Facebook, YouTube etc.) (someone more knowledgeable can do a better job explaining). But yes, not IDS/IPS. As for Snort/Suricata, yeah, but more complicated due to all the knobs that are available to fine-tune. Not really something a home user needs, in my personal opinion. As for Zenarmor (Sensei), if I recall it's essentially a layer 7 firewall; on OPNsense it is available in the package manager, but it can be installed on pfSense as well.

TNSR is a completely different thing, not simply a router without firewall additions; it uses Vector Packet Processing.

So is this what you are talking about with DNSBL, which is still an IP list? Anyway, I believe pfBlocker does not analyze data in packets. It has been several years since I have looked at pfSense.

pfSense DNSBL:
"A DNSBL is a list of domains that the application/network does not properly resolve, hence the "black-hole".
Originally, DNSBLs prevented spam e-mails from reaching users.
In this case, I wanted to block as many ads, malvertising, etc. as possible."
To use the DNSBL feature in pfBlockerNG, you must be using the DNS Resolver in pfSense for your DNS resolution. That means you can't assign your hosts' DNS via DHCP or use the DNS Forwarder (dnsmasq) if you want to use the DNSBL feature. By default, pfSense uses the DNS Resolver on all interfaces.

Me, I prefer to use Quad9 for DNS, which means I would use a DNS forwarder for my DNS, and DNSBL will not work for me. I prefer to let a DNS provider worry about DNS, as I don't want to be responsible for DNS, just my network.

Yes, layer 7 is a missing feature in pfSense, which Untangle does well. I think we will see a lot of development work on this. I assume what applies to pfSense applies to OPNsense, but I don't know, as I have not run OPNsense.
 
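The last two posts describe two properties of a resolver-side DNSBL: a listed base domain also catches all of its subdomains ("forms/variants"), and the block only applies to clients that actually send their queries to that resolver, so a host pointed at an external DNS server walks straight past it. The following is an added toy model of that behaviour written for this thread; it is not pfBlockerNG's, Unbound's or pfSense's code. The block list, the sinkhole address, the "upstream" answers and the client configurations are all constructed sample data.

```python
"""Toy model of a resolver-side DNSBL: suffix matching on base domains,
a sinkhole answer for blocked names, and the bypass that happens when a
client does not use the local resolver.  Constructed illustration only.
"""

# Constructed sinkhole address handed back for blocked names (any local
# address the clients can reach would do; pfBlockerNG calls this a VIP).
SINKHOLE = "10.10.10.1"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


class Dnsbl:
    """Block list keyed by base domain; one entry covers every subdomain."""

    def __init__(self, base_domains):
        self.blocked = {normalize(d) for d in base_domains}

    def is_blocked(self, qname: str) -> bool:
        labels = normalize(qname).split(".")
        # Walk from the full name towards the shortest suffix
        # (www.facebook.com -> facebook.com -> com).  A hit on any
        # suffix blocks the query, so subdomains never need listing.
        # Matching is label-wise, so "notfacebook.com" is not a hit.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.blocked:
                return True
        return False

    def resolve(self, qname: str, upstream: dict) -> str:
        """Answer a query: sinkhole if listed, otherwise the upstream answer."""
        if self.is_blocked(qname):
            return SINKHOLE
        return upstream.get(normalize(qname), "NXDOMAIN")


def resolve_for_client(client_dns: str, qname: str,
                       local_resolver: Dnsbl, upstream: dict) -> str:
    """Model of where a client's query goes.

    client_dns == "local": the host was given the firewall's resolver
    (e.g. via DHCP), so the DNSBL applies.
    Anything else: the host talks to an external resolver directly, and
    the DNSBL on the firewall never sees the query.  Spotting such hosts
    (DNS traffic leaving the LAN that is not from the resolver) is the
    usual way to notice the bypass.
    """
    if client_dns == "local":
        return local_resolver.resolve(qname, upstream)
    return upstream.get(normalize(qname), "NXDOMAIN")


if __name__ == "__main__":
    # Constructed sample data: a two-entry list and fake upstream answers.
    bl = Dnsbl(["facebook.com", "ads.example"])
    upstream = {
        "www.facebook.com": "198.51.100.7",   # constructed, not a real record
        "tracker.ads.example": "198.51.100.8",
        "example.org": "203.0.113.5",
    }
    for client, name in [("local", "www.facebook.com"),
                         ("external", "www.facebook.com"),
                         ("local", "example.org")]:
        print(f"{client:8s} {name:22s} -> "
              f"{resolve_for_client(client, name, bl, upstream)}")
```

The suffix walk is why a list of a few thousand base domains can cover millions of hostnames without enumerating them, and why the per-query cost stays proportional to the number of labels rather than the list size; the memory cost avtella mentions comes from holding the whole list in the resolver at once.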
