anonym

Recommended Specs for Air and PFSense?

Hello,

 

I have a DD-WRT router which had its WiFi functionality quit, so I'm looking to replace it with a PFSense device.

I've got about $70 to buy a PFSense device (used is fine), so I've got a few questions.

 

I have speed of ~40mbps up and ~4mbps down on my network connection.

 

What specs would you suggest to run an always-on connection to Air with 3-5 computers behind the PFSense device (the computers wouldn't be running 24/7)?

How much RAM, CPU, etc.?

 

I'd like to buy something that can handle the load of OpenVPN without spending too much or significantly slowing down (ie not <50% of current speed) my web access.

 

Here are the devices I'm considering:

 

http://www.ebay.com/itm/Pfsense-2-1-Instagate-EX2-Firewall-VPN-Router-/301114026875?pt=US_Firewall_VPN_Devices&hash=item461bcb6b7b

 

http://www.ebay.com/itm/Router-Firewall-VPN-QOS-appliance-running-pfSense-LAN-and-WAN-ports-/181379828147?pt=US_Wired_Routers&hash=item2a3b1489b3

 

http://www.ebay.com/itm/pfSense-2-1-2-Router-Firewall-VPN-QOS-appliance-LAN-and-WAN-ports-/181385843068?pt=US_Wired_Routers&hash=item2a3b70517c

 

http://www.ebay.com/itm/pfSense-2-1-2-ROUTER-FIREWALL-1GHz-SSD-Flash-VPN-DMZ-DUAL-GIGABIT-WAN-GUI-3-port-/360909880045?pt=US_Thin_Clients&hash=item5407e7baed

 

Please let me know which you think is best.

I look forward to hearing from you soon.

 

 

Best regards,

 

anonym

Link to post

For a long time I used a VIA C7 1.2 GHz CPU with Padlock support on a 50 Mbps connection with pfSense without issues, but I was able to reach only 41-43 Mbps. In your case it would be OK. Ask the seller if the VIA C7 CPU has an on-board Padlock chipset.

Link to post

Or if you are looking at an Intel or AMD processor, you want to make sure it has AES instructions. Very important. Also consider you will lose 10% of your speed to the overhead of the VPN tunnel. For a 40-50 Mbit connection through VPN I would be looking at a ~2.0 GHz processor, as I don't like the idea of a processor always running near its max. I like to have a bit of headroom. It would be hard for me to recommend anything in your price range for use with VPN.

 

 

VPN - Heavy use of any of the VPN services included in the pfSense software will increase CPU requirements. Encrypting and decrypting traffic is CPU intensive. The number of connections is much less of a concern than the throughput required. A 500 MHz Intel or AMD CPU can typically support 10-15 Mbps of IPsec, and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps. Future support of AES-NI acceleration of IPsec is planned, and should significantly reduce CPU requirements on platforms that support it.

 

https://www.pfsense.org/hardware/index.html#sizing

 

 

EDIT: Also, as far as RAM goes, this all depends on your uses. If you plan to use Snort and other packages, you can easily eat 4-6 gigs of RAM. Without Snort you can get away with 2. I recommend 8, and no less than 4 though. My setup uses up to 9 gigs of RAM, but I run Snort on up to four gateways. Each gateway takes about 2 gigs of RAM to hold all the Snort rules, so if you ran it on your WAN and AirVPN gateway you would easily use 4. Just food for thought.


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!

Link to post

Thanks, pfSense_fan and airvpnusercoin. Your replies are appreciated!

 

Airvpnusercoin, the seller replied to my question: the 2nd and 3rd devices I linked to support Padlock.

 

http://www.ebay.com/itm/Router-Firewall-VPN-QOS-appliance-running-pfSense-LAN-and-WAN-ports-/181379828147?pt=US_Wired_Routers&hash=item2a3b1489b3

 

http://www.ebay.com/itm/pfSense-2-1-2-Router-Firewall-VPN-QOS-appliance-LAN-and-WAN-ports-/181385843068?pt=US_Wired_Routers&hash=item2a3b70517c

 

pfSense_fan, thanks for the tips. Although I can't spend that much, I appreciate your advice. At least the devices I linked to will be an improvement over my WRT54GS.

 

 

Sincerely,

 

anonym

Link to post

It's good that they support Padlock; in fact it's important. But beware, you will be looking at bottlenecks with an 800 MHz processor. I will be surprised if you can get even 10 megs through a 4096 bit VPN. That CPU will be pegged and it WILL interfere with the rest of traffic in your home.

 

If you get it and need help setting up the VPN, please refer to my guide, and let us know how it goes.


Link to post

Thanks pfSense_fan.

 

I do have a few questions for you.

 

You said 10 megs max speed with this device. Do you mean MB/s or mbps? I believe Air uses 4096-bit encryption for authentication and AES-256 for encrypting the actual traffic (correct me if I'm wrong).

Are you saying this CPU would be too slow for encrypting and decrypting the actual traffic?

Also, how much memory (RAM) and flash storage do I need to run OpenVPN and pfSense?

Either device has 512mb RAM and 1GB flash memory. (is this enough to run OpenVPN and pfSense?)

 

Again, I appreciate you writing the tutorial. I'll let you know when I order a device.

 

Best regards,

 

anonym

Link to post

10 Mb/s. You might get between 10-20, but either way, if you are doing any downloading through the VPN and hit that 10-20, that CPU would be saturated. You mentioned you didn't want it to affect the rest of the network, but if the CPU is maxed it will have nothing left and that of course will affect it. Just being up front, I have no doubts it will work, just don't be surprised when you run into its limits. Most modern consumer routers are 800 MHz - 1 GHz or even more... and those processors are purpose built for networking. An x86 CPU is not.

 

What I'm saying about the CPU is that it will be running at 100% during pretty much any use. This will require you to tune your buffers and face packet loss as it tries to keep up. Just as the link to the pfSense guidelines states, the encryption is extremely CPU intensive. As those queues build up, those buffers will fill. But you could always set bandwidth limits with traffic shaping to try to mitigate it.

 

As far as memory, you will need to use the nanobsd builds. I have no experience with those. I would not find that suitable because I consider Snort a necessity. On its highest setting... the only setting that catches intrusions BEFORE (AC-NQ, no queues, it catches in real time) they enter your system, it requires plenty of memory. To each their own.

 

Having started out with a low powered build based off of many discussions on other forums and subsequently realizing I could not do ANY sort of power user type functions, I have my prejudices against these types of builds. Don't let me deter you though. I'm just sharing my experiences. The money I spent on my first build was money wasted. I feel like all the advice I read about was given by old farts who only read the news online.

 

It all depends on your uses though.


Link to post

Thanks pfSense_fan.

 

This one uses a 40GB HDD, has 256MB memory, and has a 566 mhz Celeron processor.

 

Is it better to get a device with a larger HDD but lower RAM and CPU? Also, does pfSense allow (can be configured) the use of part of the HDD as swap when RAM is full?

What exactly is the Padlock chip? Would 1 GHz be much of an improvement over 800 MHz? Also, would 512 MB of flash (not RAM) be enough for OpenVPN?

 

Again, I appreciate you taking the time to respond to my questions as I contemplate what I'll do.

 

Regards,

 

anonym

Link to post

I hope this doesn't come across wrong.  I would recommend skipping going out to dinner a few times (or whatever) and redirect a few more dollars into newer/more advanced hardware.  I know pfsense fan is being nice, but he pretty much declared his going with cheap/old hardware was a big mistake on his part.

 

This conversation reminds me of one I went through when buying a safe.  I decided to buy the smallest one that would do the current job.  A very short time later I hated my decision and wished I would have thought it through a little better and longer term.  It was costly for me to correct that decision with a larger high end safe.  The comparison here is similar and I have learned through it.  When I bought my laptop I wanted to make sure to get an i5/i7 chip with a bunch of RAM even though I didn't need it.  I was wrong.  I now run virtual machines exclusively and I do need it every single day.  I hope this post is well received.   I am only trying to help you avoid the mistake I made.  Live and learn.

Link to post

iwih2gk,

 

Thanks for the input. I'm looking into spending a bit more. Your post is well received, as was pfSense_fan's.

Whatever I buy, it'll be better than my WRT54GS!

 

Best regards,

 

anonym

Link to post

Hello,

 

Would a regular computer like this one be good enough to run Air at ~40 mbps? It's a bit cheaper than the ones I linked to before, yet it's an actual computer.

It has 2.8 GHz Celeron D, 512 MB RAM, and 80GB HDD.

 

I could run it headless (no monitor) with pfSense x86, upgrade the RAM, and add one or more ethernet or WiFi NICs.

 

Please offer suggestions if you would.

 

Thanks,

 

anonym

Link to post

First off, forget about running wi-fi on pfsense. Waste of time and money and it doesn't work well. This is not a primary goal for pfSense and it is not well developed or supported. Just use a router that has access point mode and save the headache.

 

 

Now to the point of that pc you linked:

Will it run it? Yes.

Is it a good choice? Absolutely not.

 

http://ark.intel.com/products/27512/intel-pentium-d-processor-820-2m-cache-2_80-ghz-800-mhz-fsb

 

1. It is a 95 watt TDP older-generation chip (from 2005!!!), meaning it has a high idle power because it does not have EIST (Enhanced Intel SpeedStep Technology). If it idles at 70-80 watts just for the CPU, that's probably 95-150 watts of power for the whole system... 24/7, 365 days of the year. The amount you will spend on electricity is MUCH BETTER spent on better equipment. You might spend $100-$200 or more in electricity to run that for one year. A quad core Rangeley board (15 watts TDP) might cost $15-$20 per year.

 

EDIT: Not to mention an aged power supply may only be 50-60% efficient, which could double power consumption. That thing is TEN YEARS OLD. Computer tech has come a LONG LONG way since then. Modern power supplies are 80-90%+ efficient.

 

2. It does not have AES instructions. You asked what Padlock was. Padlock and AES-NI (NI = New Instructions) are basically very specific functions built into those chips to accelerate encryption functions. OpenVPN and pfSense use these if available, and they greatly assist. YOU SHOULD CONSIDER THIS A NECESSARY FEATURE.

 

3. Why spend ANY money upgrading a PC from 2005? Upgrade the RAM? Is it even DDR2? Save the money for better equipment.

 

 

To put this in perspective, my brand new Intel Xeon E3 1270 V3 (Haswell based) has a TDP (think max power) of only 80 watts, and idles at 20 because it has tech that allows it to power down when in low use. This tech was new for the Haswell chips. When I measure my pfSense energy draw, it takes about 40-50 watts (for the whole system) with 12 gigabit NICs. My processor is probably 40 or more times more powerful than the one you linked to, and uses way less power. You don't need one like mine, you just need something that has proper modern tech in it. Think socket 1150 i3 (NOT socket 1155) and careful motherboard choice, or better yet... one of the quad core (not octo-core) Rangeley (2558) or Avoton (2550) boards. There was a big leap in features and function in the last 6 months, and you won't want to not be on board with that as pfSense gears towards a "strategy" based on AES-NI. Cheap hardware may be out of use in a year, hence why I said it may be a waste of money. Meanwhile, if you instead save your money to the $300-$400 price point, you have a firewall capable of anything you throw at it. Trust me when I say you will want to use features like pfBlocker (which is the same as peerblock) and Snort. You will. And you won't be able to on crap hardware; both require plenty of memory to hold their "tables". Not to mention, what if in a year from now we move to AES 512 or similar? What then? This needs to be considered. Money saved now will soon be money wasted, as I found out.

 

Just answer these two questions:

Is security important to me?

Is privacy important to me?

 

If you answer yes to both, what is $300 - $400 for an appliance that will provide you that for the next 5-10 years, maybe more?

 

Ultimately no one can tell you what to do, but I have tinkered with builds and wasted money. I wish I knew better to just do it right the first time.

 

And to be blunt, others are selling this old hardware for a reason. It is no longer useful.

 

I would advise just as was suggested. Find places where you can make cutbacks for a bit and save for a while. I by no means am a well off individual, but for me there was no question I was willing to spend $600-$700 on my security and privacy. Admittedly I went overboard, but you can build a damn powerful machine at half what I spent. I advise you do just that. You will have something useful for years after.


Link to post
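
The hardware-AES check that point 2 of the post above calls for, as an added example that is not part of any post in this thread: a POSIX shell function that classifies a CPU as AES-NI, PadLock or neither from Linux `/proc/cpuinfo` flags or FreeBSD boot-message feature lines. The sample feature lines are constructed for illustration, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify hardware AES support from CPU
# feature text taken from Linux /proc/cpuinfo or FreeBSD /var/log/dmesg.boot.

# Constructed sample feature lines (illustrative, not captured from real hosts).
LINUX_AESNI='flags : fpu vme de pse tsc msr sse sse2 ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx'
LINUX_OLD='flags : fpu vme de pse tsc msr pae mce sse sse2 pni monitor ds_cpl cx16 xtpr lahf_lm'
LINUX_VIA='flags : fpu vme de pse tsc msr sse sse2 pni rng rng_en ace ace_en ace2 ace2_en phe phe_en'
LINUX_VIA_OFF='flags : fpu vme de pse tsc msr sse sse2 pni rng ace'
BSD_AESNI='  Features2=0x7ffafbbf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
BSD_VIA='  VIA Padlock Features=0x1ec7<RNG,AES,AES-CTR,SHA1,SHA256,RSA>'

# detect_aes_accel TEXT -> prints aes-ni | padlock | padlock-disabled | none
detect_aes_accel() {
    # Split on spaces, commas, tabs and angle brackets so each flag is one line.
    tokens=$(printf '%s\n' "$1" | tr ' ,<>\t' '\n\n\n\n\n')

    # Intel/AMD AES-NI: Linux prints the flag "aes", FreeBSD prints "AESNI".
    if printf '%s\n' "$tokens" | grep -qx -e 'aes' -e 'AESNI'; then
        echo aes-ni; return 0
    fi
    # VIA PadLock on Linux: "ace_en"/"ace2_en" mean the AES engine is enabled.
    if printf '%s\n' "$tokens" | grep -qx -e 'ace_en' -e 'ace2_en'; then
        echo padlock; return 0
    fi
    # VIA PadLock on FreeBSD: AES listed on the "VIA Padlock Features" line.
    if printf '%s\n' "$1" | grep -i 'padlock features' | grep -q '[<,]AES[,>]'; then
        echo padlock; return 0
    fi
    # Engine present ("ace") but not enabled: no acceleration until it is.
    if printf '%s\n' "$tokens" | grep -qx -e 'ace' -e 'ace2'; then
        echo padlock-disabled; return 0
    fi
    echo none
}

# Classify the machine this runs on (Linux first, then FreeBSD boot messages).
probe_local() {
    if [ -r /proc/cpuinfo ]; then
        detect_aes_accel "$(grep '^flags' /proc/cpuinfo | head -n 1)"
    elif [ -r /var/log/dmesg.boot ]; then
        detect_aes_accel "$(grep -i 'features' /var/log/dmesg.boot)"
    else
        echo unknown
    fi
}

# Show the verdict for each constructed sample, then for the local machine.
for name in LINUX_AESNI LINUX_OLD LINUX_VIA LINUX_VIA_OFF BSD_AESNI BSD_VIA; do
    eval "sample=\$$name"
    printf '%-14s %s\n' "$name" "$(detect_aes_accel "$sample")"
done
printf '%-14s %s\n' "this-host" "$(probe_local)"
```
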

pfSense_fan,

 

Thanks for the advice once again.

Is there somewhere I can buy a prebuilt model with similar features to yours or that you would say is a good model for this purpose?

If not, where can I buy the exact parts I need? Is there a good starting point or site you would suggest for this?

I have no experience actually physically building a computer from parts, but I can learn.

I can do semi-advanced stuff with proper instructions with either software or hardware (I know Linux commands -I use it on all my machines- and can follow guides/tutorials).

 

Sincerely,

 

anonym

Link to post

Ask this question in my tutorial thread. Then, as I answer this question, it is there for anyone asking the same in the future. I will get back to you in the coming days. There has been some other discussion on this topic that you can search for in the main thread; it ended up in PMs though. I will share what info was researched in that thread as I have time in the coming days.


Link to post

Hi anonym

 

If you have a spare or underused PC with at least two LAN ports the easiest way to run pfsense is via a VMWare virtual machine.

 

VMWare offer VMware Player for free, and pfsense offer a free VMWare virtual appliance which is effectively a virtual computer set up with pfsense ready installed.

 

Then after setting up a Virtual pfsense machine you could follow pfSense_fan's guide to install the AirVPN certificates.

 

Personally I wouldn't bother with his redundant DNS firewall rules and would use the same LAN interface for both VPN and non VPN machines, I normally select a VPN or non VPN route based on IP as opposed to pfSense_fan who uses two lan interfaces. 

 

I have been happily running a virtual version of pfSense on my HTPC for over six months and it is fast and apart from one blue screen has been rock solid. Which given that I run at least two other VMs on it isn't bad.

 

The only thing I needed to buy was an extra dual wan NIC card which you can pick up on ebay for ~$40. 

 

*I actually use VirtualBox instead of VMWare but I suspect VMWare is easier to start with.

Link to post

NickSpam,

 

Actually, though I don't have a spare computer to devote, I was planning on buying a used one off eBay. I appreciate your advice though.

I found one that has a relatively low power (45w TDP) AMD CPU @ 2.3 GHz. I would install pfSense to it as the only software running (no virtualization).

I figure with 2GB RAM and buying another Ethernet NIC I should be good to go without overloading. I plan to follow pfSense_fan's guide.

 

Again, I appreciate everyone's input in this process. Will let you know how it goes.

 

Best regards,

 

anonym

Link to post

Hello guys,

 

We are talking here about adding NIC cards with RJ45 Ethernet connections. I have a co-axial Ethernet connection arriving at my present router.

 

What kind of adaptor would you use to change up the co-ax into an RJ45 that a NIC card could accept?

 

Thanks

Link to post

@Anonym: Personally, unless you know what you are doing, I'd follow pfSense_fan's guide to the letter; it's been tried and tested by numerous users on a variety of hardware platforms to not leak your ID.

I'd also caution against using very cheap and low powered hardware. Cheap NICs and low spec CPUs, when used with robust rulesets in pfBlocker and Snort, will cause increased latencies and lower throughput. You don't need to spend thousands, but it's likely to cost a few hundred $ at least to do this right.

I've used Intel DQ66KBs with a mixture of i5s and Xeon E3s with 8 and 16GB; both worked fine.

I'm about to write up a hardware build thread which will detail a reasonable-cost platform that will support pfSense_fan's excellent guide.

Link to post
