Another... DIY PFSense (OPNSense) Build

For those who would know.

Will this hardware configuration support PF/OPNSense with less than 10 users, 1 gig/1gig with all or most features turned on?

Gen 10 Intel Core i3-10100 3.6 GHz Quad-Core Processor 4 Cores, 8 Threads, 3.6Ghz w/ Turbo 4.3Ghz, 6MB Cache

G.Skill 8 Gb (2x4) DDR4-2400 CL15

Adata 250 Gb M.2-2280 NVMe SSD

Intel EXPI9402PTG2P20 PCIe x4 1000 Mbit/s Network Adapter Dual Gig Network Card

The i3 has a 65 watt TDP and seems to pack a pretty decent punch compared to other older or even current processors that have TDP’s in the 90’s and 100’s.

Thank you.

Oh… If you could recommend a switch (not unifi…) that would pair well with a PF/OPNsense box. Local control, no cloud only.

Thanks…

That’s a bit of horsepower it looks ok for a 1G line, though look at netgate and their specs.

I’d double the RAM as cost differential is minimal with 16GB, I’d also be inclined to add a QUAD port NIC with the view of putting these in a LAG to the switch you might notice benefits if you have a lot of traffic.

Not much love here for Netgear but I have a GS748T, no issues, it has LACP which is handy all local control.

That should be plenty of performance for pfsense, I handle many more users at the same gigabit and more services on an Atom processor with 8 cores (no hyperthreading). I agree on the RAM, for the few dollars it might be nice to have. I’d also recommend an Intel 4 port card, might be useful in the future, but 2 ports will get the job done. The i340 and i350 cards are probably what I would look at and probably only a little more money, I want to upgrade my older card to one of these.

Even at home I have a 4 port card, just what it came with when I bought it.

Services currently running with 2 percent idle processor:

Suricata
e2guardian
openvpn (one site to site)

Not sure about opnsense, but I think it has e2guardian from the approved packages which might make web filtering easier to set up.

All that said, you might be able to get away with an old HP T620 Plus, this is what I’m running on the end of my site to site and seems to have pretty good performance. I have not tested the speed because I don’t have good internet, but it will handle downloads at the 70mbps and uploads at the shameful 6mbps that I have for service, and do it all day long without complaint. Was about $160usd shipped from a seller on ebay. Came with a 4 port Intel card and advertised as good for pfsense.

As far as switches, it depends on what you need. Used Cisco can be cheap and fully featured. New I’m not sure and depends on your budget. We use Enterasys (now Extreme), but I’ve worked with some DELL and HP switches that are decent. Also many cheap Netgear and TPlink switches too, but these are pretty much just dumb switches which might be what you need.

Tom just did a review of a small Cisco switch that was fairly priced, might want to check his recent videos.

I’m just curious, do you have a lot of latency on your network ? If my understanding is correct with a high delta in speeds you can have slow acknowledgements which perversely can result in slow download speeds.

Latency doesn’t seem to be too bad, but if both of us are working from home (again), we need to schedule video meetings so they don’t both happen at the same time. Shameful Spectrum! Just shameful.

I keep hoping that Starlink will send me an invite, but I’m not in an ideal area for their testing since I do have a wired connection. Yes the 20mbps up that most people are getting would be worth all the money needed to invest. And it should get better and more reliable as more satellites go up.

If I had Verizon FiOS (fiber) I’d be done with Spectrum for as long as possible. They have 1gb/1gb for about $20 more a month, but no fiber in my area and they do not seem to be expanding. Spectrum is doing nothing to upgrade their plant. NOTHING! And too many years of doing nothing! (yes I have issue with them and their lack of moving forward)

Ah ok, I had massive latency issues on my woeful 50/20mbps would have thought it would be unbearable on your connection. Perhaps it’s my networking, though I addressed it with using limiters, browsing experience is very snappy now.

I’m personally using a TP-Link Jetstream T1600-28PS switch with my Netgate SG-1100 running PFSense. Haven’t had any issues yet but my topology is a pretty simple ROAS and I’m simply using the switch to provide 802.1q tagging to PFSense and PoE to a couple wireless APs. The uptime on this switch has been 457 days and I knock on wood haven’t had any trouble with it!

As for the switch, here’s an option. I found some CISCO SG-200s on Ebay. They are old, but for what I ask them to do (a home network) they aren’t tasked at all. Using some Intel NICs (courtesy of Ebay) I can pretty much max out my gigabit network (all wired with CAT5e).

Any processor with less will be unable to route at line speed with UTM fully enabled. Will I likely have everything enabled or saturate my home line? No. But the price difference in processors is not much in this respect.

Maybe someone can show me the flaw in my thought process here?

I’ve looked at Protectli, a device with full UTM that can handle a gig throughput is more expensive than the build I have.

The netgate model required to meet the full UTM plus gig is the SG3100. https://www.netgate.com/solutions/pfsense/sg-3100.html

It’s $399.00.

It has a quarter of the specs of my current build but only cost $25 less. The parts in the home build also tend to have longer warranties as well, for instance, Gigabyte mobos have a standard 3-year warranty, versus Netgate’s 1 year.

https://pcpartpicker.com/list/dWJDMv
This build has fluctuated in price, but it’s maintained at around $400. Currently $425.00.

It will also be easily reused as a kids PC whereas the netgate or protectli will not. And can be upgraded, for instance to 10gig or GUI Card, etc.

The Atom processor looks interesting. It appears to be slightly more expensive. I’m not sure the extra 2 cores or threads give it an advantage with the lower clock speeds. The TDP is about 40 watts lower, but again, as far as cost, negligible. The i3 supports more desktop processor tech such as video, but loses ECC support.

I’m confident though any Atom processor could not get close to routing at 2.5, 5, or 10 Gbe. I am confident that i3 could, albeit without any serious UTM modules enabled.

My goal is with cost being so close, to make something expandable in the future, or reusable. I.E The i3 could be a small server (back up), controller, etc and not be maddening slow to use.

I have used Netgear, interfaces always appear clunky and slow. TP Link has a decent switch but really lacks in updating, patching, and maintenance. Not to say if I found the right device or model I wouldn’t pull the trigger.

I am currently looking at Aruba and the New ciscos, but the 24 port ciscos are $600, which is a little steep, but not out of range.

I currently have a TPLINK SG2424 and a USW 24. What polar opposites these two switches are in irony. Unifi constantly updates, but gives you buggy firmware. TPLink never updates devices, and you can even get devices that have firmware releases years old. This worries me, as I would expect patching from time to time, nothing is perfect or 100% secure, even if the device is functional.

I currently have TPLink Kasa devices, they are headaches, but were cheap. Smart switches disconnect from time to time, fail to reconnect, or have huge lags.

I also have some small 8 port TPLink switches. I tend to use them to expand hardwired outlets around the house for smart tv’s and the like. I think any brand would be fine in this case really.

I’m looking at Aruba Switches, which can be locally managed, but their damn AP’s require cloud.

Every manufacturer does something crazy, cloud, license, etc.

The atom processor is way less powerful than the i3 you are planning to use. As far as using this at 10gb, I’m way far away from any of that.

I hear ya, my switch is running firmware that’s close to 2 years old and I contacted TP link and they clarified this is correct.

I run two of their omada 802.11AC WAPs and an OC200 controller and those things get firmware updates every few months. Unfortunately my switch wasn’t included in the list of TP Link switches that will get the update to support adoption by an Omada controller which is a shame. I do like the Omada experience so far, seems pretty comparable to what you get with Unifi.

@onthegrind - PF is a single thread process and those multi cores do nothing for sheer (pf) routing. Although, they may be handy for other processes (e.g. suricata is a multicore process). I’m doubtful that your assessment regarding the i3’s throughput is accurate (based on Netgate’s documentation: https://docs.netgate.com/pfsense/en/latest/hardware/size.html).

@onthegrind - your initial question…yes. The hardware would easily support your requirement.

I’ve run a fitlet2 (E3950, 8GB Ram, 32GB SSD) on a home FiOS (1GB) connection running OPNsense, suricata and squid. Consistently hitting 900Mbps+ on various speed tests.

I eventually moved to a new system (SuperServer E302-9A [C3558, 16GB ECC, 128GB SSD]) which performs just as good but with a nice boost to my OpenVPN connections and the IPMI allows me to remotely tinker.

I chose both options for their performance, power consumption and zero moving parts. I added an intel i350 quad nic to the SuperMicro and one word of caution…there are tons of fake nic’s on the market. I ended up purchasing two since the first (bought from a reputable site but shipped from China) was an obvious counterfeit. The second was a legit nic (etched chips vs painted - visible) and your performance will vary with those knock offs - I would avoid for a number of reasons. Ironically, the well packaged fake was returned (the shipping address was the same as Newegg’s).

As for switches… often this is a preference and I would recommend going with a brand you’re familiar and comfortable with. However, this will also be dependent upon your needs (VLAN, mirroring etc…)


Hey…

I researched both the fitlet2 and the supermicro. I notice these devices use the Atom embedded server chips. Typically at minimum 4C/4T. ECC Memory support, an extremely low TDP, and a bunch of the intel advanced technologies.

I priced a fitlet spec’d with:

Atom x7-CE3950
8GB Ram
M.2 Sata 120Gb
Standard case and options
$368.10 excluding Taxes, Customs, Etc.

Doesn’t seem to outperform my i3 build, but the i3 build only cost about $55 more. Am I missing something or do I have a flawed line of thinking with this so far?

The supermicro server MSRP’s over $500.00 for barebones and over $1,000.00 for a complete system. Uses an Atom Embedded server chip (C3558 4C/4T 2.20Ghz and a stunning 16watt TDP).

Again, it appears the i3 10100 build outperforms this system for a lower price point. The only advantage of the Atom chip over the i3 chip is the TDP, ECC Memory support, and larger Cache.

I also like the fact the i3 build can be easily upgraded with a full-featured case/mobo. If I put in 8Gb ram now, I can add 8Gb more later. If I put an i3 10100 in now, I can add a more powerful processor (LGA1200 which includes i5’s, i7’s, and even i9’s Comet Lake.) I could even buy a cheap i5-K Version and Overclock it. This way, it doesn’t require such an up front out of pocket cost.

I am vehemently trying to find the flaw in my logic in thinking with the responses when I research the suggestion. I have no idea the solutions to my problem that exists in the ether and enjoy each suggestion as I research them and learn about new products and companies.

Though, I am human and could miss something like maybe the i3 doesn’t support a feature required, AES-NI as an example. In this case, the i3 10100 supports AES-NI and I think most if not all processors for the last several years do.

I’m trying to move away from UI/UniFi as I am not happy with their AP or Networking performance. So looking to replace my unifi stack, router, switch, AP’s.

My current issue with prosumer/soho switches.

With Unifi Switches, they are designed to integrate into the unifi network. Of course they can be used stand-alone. However, while UI does an excellent job releasing firmware, especially for older products, the firmware always appears to have a bug or flaw. They fix one bug, create five more. Or, my favorite advertise a product has a feature that is actually in beta and never works correctly and refuses to fix it for years if ever (IPV6 Ba Dum Tss). I don’t want to spin up a controller to change settings in my switch. And they’ve taken the cisco route of renaming standards or making options confusing. Customer support doesn’t exist, RMA procedure for me has been a dream and a nightmare. Nothing is consistent about Unifi but its inconsistent. The prices however are amazingly cheap for what is offered when compared to competitors.

If I were to use UI for networking, it would be their edgemax line with UISP/UNMS.

Looking at Aruba, the switch has local management, but their AP’s must be managed through the cloud.

This appears to be the way companies are going, even ubiquiti with the UDM/P.

So, I’d hate to get the Aruba switch and then another brand AP.

I’ve been looking at the grandstream products, especially their AP’s. Current testing (not by me) show they out perform Ubiquiti for the same price point. But their routers and switches are table top made specifically for home users/ISP.

TP-Link makes decent switches, but as a core switch I don’t feel totally safe using them. They rarely update firmware, patch it, etc. I have TP-Link switches with firmware from several years ago. I highly doubt they made perfect hacker-proof, flaw proof firmware that doesn’t even require some patching. I use several of their 8 ports to extend wired outlets for smart home things like TVs, Rokus, etc. I am not worried about the switches within the network getting exploited, if they do, it means the network was exploited already.

I’ve used Netgear’s, but their interfaces are clunky and slow and cartoonish/cheap feeling. I guess the devices themselves route traffic okay, but I hate using their interfaces. I do like it is an American Company, at least my understanding is it is American based.

I am thinking of the edge max and Aruba switches with grandstream AP’s. But, I’m still researching, digging through Reddit, Spiceworks, and more. Asking questions, getting opinions and advice.

Happy Sunday.

Feel free to point out where I may err in my thinking, comparisons, etc. I honestly do enjoy researching people’s suggestions and comparing them to what I would/am going to do.

/finn

fitlet2

I didn’t read the whole thing, but what you might be missing with the SuperMicro is that it should work for a long time. Also the ECC memory really does help prevent issues. But yes they are expensive.

The other thing that both Atom powered boxes might give you is a power savings. This may not be a factor for you, but it also might. Heat is a factor too, and lower power means lower heat.

Overall I think your i3 will out perform the Atom and you may want to compare benchmarks between the processors to confirm this. More CPU performance can be useful if you start doing a lot of filtering with IDS/IPS or web filtering with something like e2guardian.

As far as LAN to LAN routing, the only bit of this that I’m doing is my production network to/from my lab network, and that isn’t really very much work. The lab also gets internet through the firewall so updates can take some work, but I barely notice anything during these activities.

I would get ECC memory for a server where data integrity is the most important thing. But, I’m not sure what router needs ECC that isn’t BGP/EDGE/MAN?

I just pulled the trigger on a refurbished dell Inspiron 3880 desktop for $279.00 from their outlet. Has a 1 year warranty with onsite repair included. So… not bad I reckon. 6 mos no interests… $50/m payment. I have a home/business account with them, so easy to finance, though I didn’t need to.

https://www.dell.com/en-us/member/shop/desktop-computers/inspiron-desktop/spd/inspiron-3880-desktop/nd3880eejis

10th Gen Intel® Core™ i3-10100 processor(4-Core 6M Cache 3.6GHz to 4.3GHz)

4GB, 4Gx1, DDR4, 2666MHz

1TB 7200RPM 3.5" SATA HDD

Has a single onboard gb nic. I’ll buy a refurb 2 port intel nic and 4gb ram stick to add. Bring the cost total around $400.00.


Looking for a switch now… In the mean time I guess I’ll use my TPLink SG2424 and donate my UniFi gear to my father.

The entire OS runs in RAM, so ECC is somewhat important. But my firewall at home doesn’t have ECC and seems to be fine. Either way, you haven’t invested a fortune in the DELL, so it can always be moved to another function if you decide to change.

ECC Memory is not useful for this application. This does not mean it would never be useful. In General it does not appear to be so and this is according to the developers of PFSense.

Netgate appliances do not even put ECC in their own products. And as far as the specs say use non-ecc UDIMM.

The biggest worry would be a corrupted config. Back-up regularly.

Even Netgate employees/engineers agree ECC for a pfsense UTM is not needed or necessary.

https://forum.netgate.com/topic/97850/returning-to-the-age-old-ecc-question-how-important-is-it/2

HHarvy66 Apr 10, 2016, 8:43 PM
Packets are mostly disposable. UDP doesn’t hugely care about loss and TCP is meant to handle loss. The Firewall’s config can be easily backed up and replaced.

The main benefit you get from ECC on a firewall is potential better up time and better detection of memory issues that could drive you wild. If you were talking about a file server, then it’s incredibly important.

jwtjwt NETGATE Apr 10, 2016, 8:50 PM
What he said, but ram density is lower too.

https://forum.netgate.com/topic/41505/ecc-ram-on-router-necessary/2

stephenw10 NETGATE ADMINISTRATOR Jan 31, 2012, 6:29 AM
The only time I’ve ever had problems with RAM it was with really cheap unbranded stuff. That was when RAM was expensive.
These days RAM is cheap so just buy branded memory from a known source and you almost certainly won’t have any trouble.

Steve

https://forum.netgate.com/topic/65923/ecc-ram-advice
stephenw10 NETGATE ADMINISTRATOR Feb 19, 2014, 3:50 PM
I wouldn’t go out of your way to use it.
If you get some memory error it will likely crash the box rather than cause any security problem. If uptime is critical then use it.

https://forum.pfsense.org/index.php?topic=45697.0

Steve