Learning Curve for pfSense?

About to jump in the deep end and having second thoughts. Going Unifi for all switches and AP’s. Undecided on firewall. Keep flip flopping between UDMP and pfSense.

Glaring question……how steep is the learning curve?

I’m not a network guru but enjoy tinkering and believe I can figure it out. I speak Mac, PC and really bad Linux.

Life can be demanding. But wife has a small home business with sensitive data that needs protected. Probably multiple VLAN’s and VPN in/out. Of course also want the home stuff to play nicely like it is in the current unprotected heathen state.

If I go PfSense I’ve been considering the 6100. I’m not sold on VM and like dedicated hardware. I just don’t like the $800 price tag.

Appreciate any wisdom or slapping of sense into me (no pun intended, seriously).

You can always spin up a VM to have a play with it before buying hardware. Agree on the Netgate pricing, its way too expensive for us, particularly paying in AUD which makes it a lot worse. We have been supplying Protectli routers which are a bit cheaper.
Have a go, I think its worth learning.

It took me the best part of 18m until my home network stablised, that is to say the first month was just working things out. Then it was a case of tinkering around for a while until I didn’t need to.

With pfSense there are so many features that if you didn’t see you would have no idea you needed e.g. traffic shaping to address bufferbloat.

In your shoes, I’d get at least a four port (or higher) Protecli box and a managed switch and play around with it, before you change your home network. At this stage I’m not sure if you virtualise pfSense if you will get any benefit as you will have no idea why something doesn’t work.

I have a cheap chinese box which has been running for a couple of years now without any issues, I am glad it has 6 ports which I put in a lagg mainly because I can.

The learning curve is proportional to the complexity of your network. Starting out basic is easy and the initial wizard takes care of that. The UDMP is does basic and is easy, but if you have some things like a need for some advanced VPN that is where the UniFi still falls flat.

Thank you for the additional feedback so far.

I had noticed the UDMP seemed limited with VPN options. I just wasn’t sure how critical this was as I’ve not set this up before. I see most recommendations for OpenVPN or Wireguard.

And I don’t think Unifi supports either without beta firmware and CLI hacks. Not my idea of a good or stable environment. For my own sanity I can’t put my wife in a solution that is half baked.

The bigger question — are we over emphasizing the need or use for VPN? Sure, tunneling back in remotely is awesome but it’s a small percentage of use. I’d be more concerned about setting up something so all her outbound traffic from the house is protected. Can either pfSense or UDMP put all traffic from a VLAN on VPN so it has additional protection? Will I need a 3rd party like PIA VPN?

As pointed out I think there are so many situations and variables I am simply unaware exists. With the setup wizard it would likely let me get online and not be worse than we are now and then I could build VLAN’s and do testing on those areas (hopefully without taking down the main system).

LOL don’t even think about playing with pfSense as your main router unless you want a divorce !

You’re getting VPNs mixed up, PIA is a service that you can use so that when you download torrents their IP address comes up and not yours, you can also use the same protocols / networking to setup a secure connection to your home network via your phone.

If you take out a subscription to say PIA, you can setup a vlan so that all traffic exits via PIA and not your ISP. Furthermore, you can setup an OpenVPN server at home, which you access on the road but exits via PIA. You can also setup another OpenVPN server at home which exits via your ISP, handy if you use free wifi.

As I mentioned before, get a box for pfSense and a switch, test it out.

However, you can easily backup the config in pfsense and then restore your settings easily if it all messes up. Though, keep the pfSense ISO, as pfSense only posts the latest version.

Start with an old pc, a managed switch (for vlans), install pfsense, and go from there. You can upgrade and spend more $$$ when your certain or just add a piece at a time (VPN, new netgate box, protecteli, or build your own custom pc for pfSense, unifi switch/es, unifi AP, etc.)

You can use an old pc to test pfSense before upgrading to actual Netgate hardware. If it doesn’t have dual ethernet ports you can buy a pcie card for cheap if you want multi nics (Only purchase intel nics. PFSense doesn’t play well with other brands and is optimized for Intel.)

You can pretty much do everything in pfSense from the GUI. You don’t have to “know” linux to use pfsense.

pfSense is easy to tinker with, back up, and restore, especially now, with boot environment saves. You can do a quick save. Set up a new config for something, test it, if it doesn’t work, just hit the reboot pc button and pfsense reverts back to the previous state where you can start again. It makes learning rather easy comparing to taking your router or system down until you figure out what you did wrong to fix it.

pfSense has really good official and 3rd party documentation, videos, and support environments/forums, as well as, official Netgate support.

I have been acquiring gear for the new network over the last few weeks. Here’s what I got so far:

Unifi 6 Mesh AP x2
Unifi 6 In-Wall AP x3
Unifi 24 POE switch
Unifi 8 POE Lite switch
Unifi Cloud Key Gen2+
Unifi cloud key rack mount bracket (smokin eBay deal)

No old PC desktops to use. I have a couple of Windows laptops that I’m going to sell or repurpose. Our primary devices are MacBooks.

I do have an older 2014 Mac Mini (dual core i7, 16gb, 256gb SSD) I had originally planned to use. Great size, horsepower and low power consumption. Research led me to discover the internal NIC is Broadcom as well as the Thunderbolt2 to Gigabit ethernet adapter. Reports confirm it works but as noted Broadcom doesn’t play nice with BSD, more specifically netmap so no Suricata or Snort.

I managed to find and get a killer deal on an Akitio Thunder2 PCIe enclosure and was heading down the path to get an Intel 350 NIC. Then learned BSD doesn’t have a driver to turn on the internal fan in the Mini. There may be a way to compile something but that seems above my head. Which led me back to either getting a UDMP or Netgate 6100.

Been a learning experience thus far. Some fun and some frustrating. Ready to put my toys to work though.

You can use an old windows laptop for pfSense. With one ethernet port it’s a good way to get into vlans. pfSense hardware requirements are very minimal to get it running. To get all the features and packages you want working requires a specific amount of cpu horsepower and ram though. AES-NI Crypto chip is probably the most important for older systems if you want to use a VPN. In a new system you want QAT.

VPN features in pfSense are amazingly good and continually updated. pfSense has written the code for wireguard on freebsd. I’m not sure about openVPN and data channel offload. There is nothing like running all my traffic through VPN, aes-256-gcm, at the router, at line rate, with no slow down (I have a QAT pcie card installed).

A lot of people buy a cheap, old Dell PC to use as their pfSense box. Here is a good starter box HP// T620 PLUS Thin Client Quad Core GX-420CA 4/16+Intel 4PORT GB -pfSense ready | eBay. In your situation, I don’t know if I’d waste the money getting a starter box and just invest in a netgate appliance. Then you get free tech support also (TAC lite), which can be upgraded to Pro support if your wife’s business needed it. The pfSense Pro support could be written off as a business expense also.

UDM gives you the nice gui where you can see everything going on but it doesn’t have as many features as pfSense. pfSense is a firewall software company, that sells their own hardware and supports it. It also does updates 3 times a year, or so? Unifi is a switch hardware company that has a router for their eco system.

If you like tinkering and playing with hardware you can build a comparable netgate 1541 with used or new old stock for about the half the price or lower. Just depends on how many of the old pc parts you already own or the deals you can get on parts to build it.

The laptops I have available to use are:

Lenovo Yoga 910
Dual Core 2.70ghz, i7-7500U, 16gb, 1tb SSD
Passmark = 3,668

HP Spectre x360
6-Core 2.60ghz, i7-9750H, 16gb, 1tb SSD, 4gb GPU
Passmark = 11,149

My concern is neither have built in NIC’s so I’d have to use a USB C solution of sorts. My rough understanding of pfSense/BSD is that isn’t ideal. I think both are powerful enough from a CPU and RAM perspective.

Another concern is I think running a single NIC is called “router on a stick” and the downside is throughout is halved as it will carry traffic both up/down. I’m not sure how drastic that would affect us in a normal case use scenario.

My last thought with these laptops is they may still offer enough life to get some decent cash to help put a dent in my overall expenses to upgrade our network. Maybe more so than repurposing them in a scenario where they still bring their own limitations.

I do really like that HP 620 thin client. I had toyed with this idea after I hit the wall on the Mini. But I hadn’t found one where they did all the conversions already. For the price, it seems to pack a punch!

I do have a 1gb asymmetrical fiber connection. My guess is it will route 1gb traffic fine. What kind of speeds should I expect for firewall and VPN? I know those are more taxing on the CPU.

Also you mentioned QAT. I had considered buying a standalone card because so few processors have it built in. Those are fairly pricey but may be worth every penny. The question I got to but never got a great answer was how much faster does QAT make things? I was trying to verify it was a good bang for the buck.

I was thinking just to “test” out pfSense with the laptop before buying the “right” router hardware for you, but if neither has a built in NIC then that’s probably not going to work (or work well at all).

Speeds with pfSense and VPN vary depending on hardware configuration and crypto. VPN is going to HURT your router’s cpu doing all the encryption/decrpytion. Expect 1/5 or less throughput, in general. pfSense Plus How to buy can give you an idea about speeds with VPN compared to the firewall traffic it can handle. ie: 6100 IMIX Firewall: 2.73 Gbps, IPsec VPN: 552 Mbps. I would suggest comparing different models, cpus, and imix ipsec VPN traffic to get an idea of what to expect. Those are IPsec VPN figures. You will probably end up using OpenVPN which is generally slower than IPsec. I have an extremely high end hardware build for my pfSense router so my stats are probably not going to relate to most people. When your pushing VPN speeds at 1 gig throughput you really need to be able to keep the system cool with the amount of heat generated from all that processing power going on. I live in 100’F+ weather most of the year so I have active fan management. I don’t think a protecteli will handle that very well.

The Intel QAT pcie cards are rather cheap. You just need a computer/appliance with an open pcie slot (the right size/speed slot). From what I’ve heard only the 8950 and 8960 cards are compatible with pfSense. 8960 uses about 1/2 of the power as the 8950. There was a glut of “old new stock” 8960’s on ebay a while back for like 150.00 each and someone bought all of them. Now there only seems to be 8970’s which I’ve been told don’t work but I don’t have any experience with them. Netgate has stated 8920’s won’t work. 8950’s last time I checked ebay “new old stock” was around 100.00.

It depends on what your doing with it (QAT) to if it will speed up your system or not. It’s definitely noticable. Some who have the built in chip say about 10% faster compared to aes-ni. Crypto and Compression with the pcie add in card are extremely noticeable for me. YMMV ServeTheHome just did an updated review of QAT Intel QuickAssist is a "Cheat Code" for Server Performance - YouTube. It offloads crypto and compression from the main cpu to the QAT card. QAT free’s up the main cpu for other functions/packages like pfblocker and suricata IDS/IPS. Netgate has stated you will see a more noticeable increase from IPsec VPN and little to no gain from OpenVPN but that hasn’t been my experience. OpenVPN DCO (data channel offload) is coming but isn’t available/working yet.

With an 8960 QAT card I’m able to get line rate as if I wasn’t using OpenVPN, aes-256-gcm. I had to upgrade my cpu so my router could handle 1 gig VPN speeds along with pfblocker and suricata. The only downside/difference is ping went from 10-15 to 27-33 through the VPN.

Yeah I think selling the laptops and Mac Mini is probably the smarter move. Then I can use that money to offset the costs of whatever hardware I decide on for the long term.

Appreciate the link. Much of my research thus far has been based on those speed results. I’ve primarily focused on the IMIX data as I understand it’s a more real world experience. Having a 1gb up/down fiber connection means I need a 1537 to reach full line speed to route, firewall & VPN. That’s outside my budget and the reason I was considering the 6100 instead. While the VPN only gets about half my line speed, it is more than sufficient. I’d just prefer to get full line speed if possible.

The more time I spend with this, the more I think I want a 1U device I can mount. I know the 6100 has a 1U rack mount and that also works. The Mac Mini also has a rack mount option, although that’s out now. My point is some of the other PC builds might as well.

Thanks for sharing more experience on the performance of the QAT card. I’m going to check them out again. Last time I looked there were no $100 or $200 options on eBay and Netgate wants $650 for their QAT 8955 card! But that was a few months back. Maybe the market has changed.

Here’s a crazy idea – has anyone taken a UDM Pro, wiped it and installed pfSense on it?

Thoughts on this? Passmark = 7,295.

I really can’t say about the u1 open source hardware there. I would be leery of "WE HAVE UPDATED THE BIOS AND THERE IS NO LONGER A BIOS PASSWORD -

BIOS IS FREE AND CLEAR TO MAKE CHANGES" It may be fine but it would worry me that it was hacked and you can no longer update the bios now or if you update the bios it would be password locked again.

The main thing about pfSense with the cpu is you want cores/threads, which pfSense see’s as cpus. Speed/Ghz isn’t as important as the number of cores/threads. Don’t forget about energy consumption. My pfSense router, modem and switches use 65w of power.

An old dell desktop with a 4 port intel nic would work just as well and be cheaper, imo. 1u chassis is going to be loud. Those small fans will make a lot of noise. I have 5 fans, 2 14" intake fan, 2 cpu tower cooler 12" fans, 1 12" exhaust fan in a mini atx case which stays at 37’C at idle and 41’C maxed out that has no fan noise.

I would recommend getting something cheap to start with, get your feet wet with pfSense and then decide what you really want.

You can take a desktop case and place it at the bottom of your rack or get a rack shelf for it. Don’t limit yourself on a 1u server.

I didn’t dig to hard but for example, something like this: Dell Precision Tower 7810 Workstation | Tech Supply Direct
https://www.techsupplydirect.com/dell-x520-da2-10gbe-dual-port-pci-e-converged-network-adapter-card/

632.00 +85.00 + discount 10%? use code (LTSERVICES) + free shipping

gets you 8 core processor or better if you want to spend more, ecc ddr4 ram, video card to add a monitor if you want (so you can work directly from the console with a keyboard, instead of ssh), and a 10gig spf+ 2 port adapter (To use dac cable to the switch, which has lower latency and heat generation than a rj45 plug). With a fiber connection you might be able plug the fiber line directly to the pfSense router instead of using the company’s converter (there are youtube videos about this). This would give you expansion slots to add more network ports or a QAT card if so desired in the future.

1x Intel Xeon E5-2630 v3 2.4GHz (3.2GHz Turbo) 8 Core Processor - 20MB Cache - 85W - (DDR4-2133MHz) [Add $32.00]
16GB (2x 8GB) DDR4-2133 PC4-17000R ECC Registered Dual In-line Memory Modules [Add $80.00]
1x Nvidia NVS310 512MB GDDR3 64-bit - 2x DP 1.2 (Entry-Level 2D) Graphics Adapter [Add $24.00]
10gig sfp+ adapter 85.00

There are cheaper clearance models including rack mount options

https://www.techsupplydirect.com/dell-11g-poweredge-r710-8-bay-2-5-small-form-factor-2u-server-configure-to-order/

https://www.techsupplydirect.com/hp-z620-mid-tower-workstation-configure-to-order/

@sledge , I may have overlooked it. But it seems that you have not specified the use-case/scenario we are talking about.

I’m an amateur. My home lab has a small number of VLANs driving some OpenWRT access points with multiple network names.
Initially I used pfSense on a VM on my main server. Had no great issues setting it up.
I moved to dedicated hardware (a £200 second-hand NUC with a couple of Ethernet ports) when I hit issues hosting large Zoom meetings. That fixed the issues, and I discovered having the network stable when I need to reboot the server was well worth the investment.

I serve a bunch of websites, plus jitsi conferencing and SIP Voip. The pfSense firewall has not caused me any issues.

As I said, I’m an amateur, but if I can get this lot working, anybody can :0)

As an option

I’m using a Intel Celeron N5105/N5095 Soft Router Fanless Mini PC 4x Intel i225 2.5G LAN HDMI DP pfSense Firewall Appliance from Ali Express (Link Beloe) and Have No issues.

For $200 it seems to do everything i want. Works well with my 1GB link Coudn’t ask for much more for the Price.

Intel Celeron N5105/n5095 Soft Router Fanless Mini Pc 4x Intel I225 2.5g Lan Hdmi Dp Pfsense Firewall Appliance i - Barebone & Mini Pc - AliExpress

You might want to watch this:

Definitely prefer 6 ports! The dude has a hint on the cooling of the unit.

@Cudzu thank you for the links and recommendations, I will check them out more thoroughly.

@neogrid thank you for the link. The 6 port sounds interesting. Do you know if there is any IMIX results on VPN using the i7 1165G that Patrick recommended?

@chris we have a mixed use case. We own and operate a small home based business that deals with sensitive info. Wife is the primary operator and also serves in a director role with an out of state company under contract basis. Some of the contract work is done via a special program using RDP (furnished by them). Our desire is to put this under its own VLAN using a combo of wired and wireless connections and preferably using VPN for all communications. If we are remote, we also want the ability to enter back in securely. I might add we don’t yet have VOIP but will likely add. And lots of video conferencing using Zoom, Teams, etc.

I work for an independent company who provides their own IT for office operations. I do occasionally need to work from home and am able to use VPN to remote back in. While I believe connections are secure I dislike this traffic sharing the “general pool”. Maybe more paranoia than anything but I question if this should also have its own VLAN.

Lastly we have the normal home stuff. Kids, guests, streaming services, camera (want to expand to multiple), gaming, IPTV, various IoT devices, cell phones, tablets, laptops, printer, etc. While we haven’t done so yet I could also see having a media and/or network storage server.

I’m sure I missed something so fire away if you need more data.