I was starting to play with the thought half a year ago of building a failover router running pfSense, as one of my Cisco routers is going EOL and buying a new Cisco VPN router is not economically justifiable for me at the moment.
The documentation doesn't say much:
64-bit amd64 (x86-64) compatible CPU
1GB or more RAM
8 GB or larger disk drive (SSD, HDD, etc)
One or more compatible network interface cards
So I wonder about your real-life experience of hardware minimum requirements on home builds.
And that didn't say much, so I will add what it has to be able to manage.
I will run basic firewall rules, VLANs, one DMZ and VPN (both as a single inbound connection now and then and also site-to-site).
Typical load WAN ↔ LAN/DMZ 50 ↔ 250 Mbit.
Perhaps I will add arpwatch.
I will use Intel-based parts (CPU/chipset) with four 1Gbit NICs (WAN, LAN, DMZ + mirror port for IDS).
I won't mind the CPU running at 80% with a 250Mbit VPN load, as it's only a failover router that isn't meant to carry any load for more than a few hours due to main router downtime.
So what are your thoughts/experiences on minimum hardware requirements for this?
2-core 3GHz CPU with 2/4GB RAM?
What I picked up the other day is that for higher speeds you want more threads/cores, e.g. for 10Gbps more like an 8-core CPU. I know you want just 1 Gbps, I just wanted to mention that the number of cores can be of interest.
Since you are coming from a Cisco device you're probably not used to having the option to use packages like pfBlocker-NG, Zeek and Suricata. However, on pfSense you do have these options and you might find them interesting later on, when you are getting deeper into the advanced functionality. All 3 of the packages mentioned benefit from a faster CPU with more cores and more RAM. Really hard to say without knowing the amount of simultaneous traffic / peaks you have. I can just tell you that you definitely want more than 4 cores if you run Zeek and / or Suricata and want them to keep up.
IP/geo blocking… I see that as normal firewall rules…
Thanks for the tip about Suricata, but I will keep my little "watchdog", as I call my computer that does real-time monitoring of my network traffic.
That way I have a real-time overview in the corner of my eye directly on one monitor instead of pulling a log file.
As for traffic load:
I only have four desktops and three laptops that have internet access 24/7 and generate the traffic load on the routers, and that is seldom over 50-100Mbit unless a temporary download/upload is in progress…
Oh, I also have a small web service that doesn't generate any load at all… between 1 and 5Mbit in short bursts.
And a few times a week I have my server syncing against another server… and that maxes out my ISP connection for an hour or two sometimes.
I have no use for 10Gbit to my routers, as ISP1 is 500/500Mbit and ISP2 is 250/250 to keep down the costs… (I'm thinking of cutting the 250 one down to 100/100Mbit as I almost never have any traffic over the second ISP.)
So on my failover router I only need to be able to push 250Mbit with VPN if I have to sync my server while the primary is down, or around 50-100Mbit for 7 clients.
N100 or maybe an N5105 processor should give you all you need. You can go with a similar AMD processor. For a used device, if you can track down a decent price on an HP T740 and an Intel-based NIC to go with it, they will work pretty well. Just look up the [GIANT-LOCKED] error to find the info to correct it; it's a BSD thing on these T740. The T740 will draw more power than an N100, just wanted to be clear on that.
I do suggest more than 16GB of disk; 128 are often really cheap these days and SATA is probably fine for a firewall.
If it is cheap, 16GB of RAM won't hurt.
[edit] What is Zeek? I see a reference to a package manager which doesn't make sense for a firewall.
Throughput is not about RAM. For 10GB sustained you need more than 4 cores.
10 Gbps is in 99% of the use cases not about the ISP speed but about internal need for speed. You don't seem to have any virtualization or storage backend for that. That is one major driver to upgrade to 10Gbps in a home network.
Here is a comparable device that breaks out the expected performance; it lists a G-series AMD processor (A8) which is fairly low spec:
They do specify IPsec as the VPN; OpenVPN will be slower but might still be enough.
I have a feeling that something like a Qotom with N100 and multiple ports would work for you and cost a lot less than the above device. Performance should be somewhat similar.
And I still recommend 16GB, better to have it go to waste than to need it and not be able to upgrade it. Just my thoughts based on the little bit of testing I've done. No clear hard facts here, and even now my current firewall has seen improvements and no longer uses that 7.x GB of RAM. I'm still specifying the next appliance to have 16GB. You can always use it as a RAM disk for high-write things like logs so that you can keep from burning out your SSD.
Also, thanks for the Zeek info, I need to look into this more deeply. Currently Zenarmor, Suricata, and CrowdSec on my firewall (see why I want the RAM?).
Really?
It sounds like overkill CPUs for such low throughput.
I have to test it… as my Cisco router that goes EOL has a lot older/slower CPU and less RAM and can handle 1Gbit throughput.
As for disk for the OS… I don't think I own a smaller disk than 128GB.
I know throughput isn't about RAM; that's why I feel 2/4GB RAM should be enough, as I won't run so many services on the router… no more than VPN services and basic firewall rules.
As I said, I have no use for 10Gbit cards in any of my routers, so I won't put in one over 1Gbit for the next 5-10 years unless I get it for free… as I won't upgrade my ISP speed in the coming years… it's not economical to upgrade to 10/10Gbit speed if I seldom use over 300Mbit… it's just a waste of money.
I have no kind of internal loads over the router, so no use for upgrading the router NIC speed for that reason either… I have all my LAN load over my switches… and I have 10Gbit between the two switches… I do plan on putting a 10Gbit card in the server to get rid of the bottleneck to my server when more than one computer is using the storage at the same time… or on backup day and also during PXE boot on three machines… then I do notice the bottleneck of 1Gbit to the server.
No, I do not really use virtualization… I do have a few small Docker containers running on my server for internal use only, and I use a few VMs on my main desktop for testing mods or testing updates before I apply them on my computers to minimize the risk of downtime.
So my server traffic has no kind of load against the routers, unless I do an offsite backup of the server… then it does put some pressure on the router for an hour or two while syncing backups. But most of the time the server is blocked from internet access… I only open up the firewall rule during offsite backup.
The work I do is mostly office-related research and documentation… so it doesn't generate any kind of heavy load. Streaming YouTube is heavier, LOL.
The N100 or N5105 should be plenty for you then, and the cheapest options too. But when you get into things like filtering for ads and attack detection, that all takes processor to scan through the lists for matches.
Just make sure that whatever you buy uses Intel NICs; the Realtek ones are not the greatest for pfSense, and even with the drivers people say they should be avoided in OPNsense. And do not use USB network adapters, they tend to drop a lot of packets, especially when they get hot. The Protectli devices seem to have a good reputation and some of them are pretty inexpensive with the N100 and N5105 processors.
And if you get to something like Zenarmor, it is still a single-threaded application. They keep pushing multithreading down the road for other improvements; for this you want the highest clock frequency you can get.
I was planning on being able to reuse old parts for a pfSense build… I have a few HP and Dell Intel micro motherboards (DDR3) lying around and a bunch of CPUs for them.
I also have one two-port and one four-port Intel NIC lying around that I ripped out of my two servers when I got them, as I had no use for more than one NIC port.
So I was hoping that should be able to handle 250Mbit throughput with VPN service, either OpenVPN or WireGuard.
No, I won't use the router for filtering ads… I use NoScript and an ad blocker in Firefox for that…
As for attack detection… I have no open ports anymore as I switched over to zero-trust solutions (Edit: unless I temporarily open for an inbound VPN connection that isn't over zero trust. 99% of the time it's only outbound VPN connections to mask my public IP), and I already have a machine that monitors my network traffic 24/7 and also gives real-time observation on one monitor when I'm on my main computer.
A router is a router, not an all-in-one solution… I'm old-fashioned that way.
I think it will run on 4th generation processors, but if possible I'd use 10th generation or newer. I don't remember when AES-NI started and if it is really required. Long term, newer will be "better". Use what you have and try it out; if you like it but things are too slow, then you can decide to spend money.
I used an HP T620 Plus and a Pro 1000 card for a long time, and I'm pretty sure it will still work. Had a site-to-site OpenVPN back to work but only a 30mbps (on good days) connection so not really a challenge; I was able to saturate that connection.
If I don't remember wrong… AES came with the first gen of the "i" series… if it was i3/i5/i7 I don't remember… but I think first gen had it… actually… I wonder if it even can have been an earlier CPU version than that.
I didn't think of that one, getting the crypto in the CPU to lower the load… even if VPN works without AES, it's just that the CPU load gets high.
There was talk that AES-NI was going to be required, and I bought accordingly many years ago. I don't know if they followed through and really required it.
It could be nice to have to calculate the encryption on the VPN, but as you say, the CPU should take over if the feature is missing and maybe just slow down your connection. If you have all the pieces, I say put one together and give it a try. If you have to spend over about $100 to get this done, and you have good access to used equipment like eBay, then I'd suggest getting something newer like the HP T740. Maybe an old HP T620 Plus would still work; I haven't tried using mine in a couple of years so the software may have moved beyond its little processor by now. The used T740 are going anywhere from $60 in functional but not pretty condition to $300 in open box but new condition. The ones I bought still had a year of warranty with them, which let me pay a little more money for that support. I'm thinking of getting a couple more for my VM lab because I can put many different NIC options in them; currently upgraded both of mine to 10GbE, and with the local NVMe, storage for VMs is FAST. Just wish I had more processor, but that doesn't seem to be a huge issue in my lab (yet).
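As an added example, not code from this thread: a small POSIX shell script that checks whether the CPU reports the AES-NI feature the posts above discuss, and optionally measures how much it matters by timing AES-256-GCM in OpenSSL with and without the hardware path. The feature lines used for the self-check are constructed samples, and `bench_aes` assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the forum thread): detect AES-NI, the CPU feature
# that keeps VPN crypto from pegging the cores, and optionally benchmark
# AES-256-GCM with and without it.

# aesni_in_text: print "yes" if a CPU-feature dump mentions AES-NI, else "no".
# Linux /proc/cpuinfo lists the flag as "aes"; FreeBSD (what pfSense runs on)
# lists it as "AESNI" inside the Features2=<...> line of the boot dmesg.
# Word boundaries keep "vaes" (AVX-512 VAES) from counting as "aes".
aesni_in_text() {
    if printf '%s\n' "$1" | grep -Eq '(^|[^[:alnum:]_])(aes|AESNI)([^[:alnum:]_]|$)'; then
        echo yes
    else
        echo no
    fi
}

# probe_aesni: run the check against the machine this script runs on.
probe_aesni() {
    if [ -r /proc/cpuinfo ]; then
        aesni_in_text "$(grep -m1 '^flags' /proc/cpuinfo)"
    elif [ -r /var/run/dmesg.boot ]; then
        aesni_in_text "$(grep -m1 'Features2=' /var/run/dmesg.boot)"
    else
        echo unknown
    fi
}

# bench_aes: AES-256-GCM throughput with the hardware path, then with it
# masked out. OPENSSL_ia32cap="~0x200000000000000" clears the AES-NI
# capability bit (CPUID.1:ECX bit 25) so OpenSSL falls back to software AES.
bench_aes() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 1; }
    echo "with AES-NI (1000s of bytes/s per block size):"
    openssl speed -seconds 1 -evp aes-256-gcm 2>/dev/null | tail -n 1
    echo "software AES only:"
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -seconds 1 -evp aes-256-gcm 2>/dev/null | tail -n 1
}

# Constructed sample feature lines (not captured from real hardware).
LINUX_WITH='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm ssse3 sse4_1 sse4_2 popcnt aes xsave avx'
LINUX_WITHOUT='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm ssse3 sse4_1 sse4_2 popcnt xsave vaes'
BSD_WITH='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>'
BSD_WITHOUT='  Features2=0x209<SSE3,MON,SSSE3>'

echo "this machine: $(probe_aesni)"
if [ "${1:-}" = bench ]; then bench_aes; fi
```

Run it as `sh aesni-check.sh bench` on the candidate box to see both throughput lines; the difference between them is roughly the extra CPU load a VPN will carry on a CPU without AES-NI.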
Yeah, I think I have to do "trial and error" to see where the break point is.
So for fun… I will first try a setup with some Intel dual-core DDR2 and then take one step up at a time, just to see where the breakpoint is… as a science experiment.
I can start as low as an Intel 8088, but I have a feeling that is just a waste of time. LOL
But dual-core DDR2 might actually work, as Gbit throughput speed isn't the goal… just 250Mbit… So it can actually be useful information for the forum in the future to know where the breakpoint is.
Many people have less than 100Mbit speed on their connections and can't upgrade… so putting in a device for 10Gbit speed and having 900Mbit of overkill is just a waste of money… (I'm totally guilty of this one in more than one area.)
It is fun to have a car with 1000HP, but if you live in a big city you will never have use for more than 100HP… so you just end up with terrible mileage for something you can never use.
If I even get near the $100 mark, then I will put in $50 more and buy a used Cisco small/mid-business router… Yeah, I know I just swore in church, and I apologize for swearing. LOL But I think no one can deny Cisco is producing reliable business equipment.
My main goal is to keep costs down to zero for the moment, as two of my cars need some TLC.
I think it was Jan 2025 my backup router goes EOL, and if no "dangerous" CVEs occur for the next year or two… I might be able to continue using it… But the word "might" is a really dangerous word, so I need a backup plan.
That's why I'm going down this road of building a pfSense machine…
My main router is good for two more years… but as I work from home, uptime is a must, with zero minutes of downtime.
I bought a Dell OptiPlex 3040 SFF for $40, added another 8GB RAM for $8, added a low-profile NIC card, installed pfSense. No issues, 4 cores/16GB RAM. I don't need 10Gbit, my 1Gbit is fine, Jellyfin works well.
I think you should consider the power "voracity" of any such system, for you may save a few bucks on a given processor just to pay a much higher power bill later.
I use a pfSense virtualized on an i7-8700 24/7 Proxmox machine, allocating 4 cores and I don't remember how much RAM. My power bill increased so much that now I am considering building a bare-metal Atom machine to run as the pfSense firewall and powering on the Proxmox only on demand for its other virtual machines, such as NAS, game servers etc.
I would probably suggest an N100 for a small system; not sure you will beat the power/performance with an Atom or D-series Xeon. That said, I haven't really studied the newer Atom processors to see what their TDP might be.
The T740 come with a 65 watt power supply, so I would expect that at full go they draw a lot (I need to buy a power meter). Way less than idle on any of my other lab servers (idle at 100+ watts), but still a lot. I'd expect them to idle down near that 10-12 watt area, which is still way above what some of the N100 systems will do; I've seen people say their firewalls are drawing 5 to 8 watts in normal home use. This is a mix of N5105 and N100. My T740, when it was running my firewall, never had the fan kick up to where I could hear it; the processor always showed under 10% average and temps under 40 C, so I don't think it was working hard.