2024 pfSense Builds

[OptimusPrime]

Hey guys. I noticed there hasn’t been much recent activity for pfSense builds lately. The Dell mini PC I repurposed just died when we moved and I need a new pfSense box. I was curious if anyone would make a 2024 recommendation to handle home use, Frontier Gigabit, only one or two VPN connections (mainly myself), and playing around with the plug-ins from time to time to just check them out. I’m fine with used gear for this. This is just to hold me over until I run cabling through the house and build out a Ubiquiti network...

Thanks for your feedback…

 

[newabc]

Most popular discussion threads (from year 2023) focusing on the 4-port or 6-port 2.5gbps fanless boxes/mini PCs/special motherboards designed by CWWK:

4-ports:

https://forums.servethehome.com/index.php?threads/topton-jasper-lake-quad-i225v-mini-pc-report.36699/

https://forums.servethehome.com/index.php?threads/cwwk-topton-nxxx-quad-nic-router.39685/

6-ports:

https://forums.servethehome.com/index.php?threads/cwwk-i5-1235u-6-port-i226-report.39341/

https://forums.servethehome.com/index.php?threads/cwwk-6-port-router-intel-u300-i3-1315u-i5-1335u-i7-1355u.42079/

Patrick and his team have posted some introduction and testing articles on these boxes on the STH website, too.

Actually if any user doesn't want better IDS/IPS performance, a CPU with passmark 3000 should be good for 1Gbps NATing(total bandwidth without VPN), plus 1-2 OpenVPN connections with limited speed.

 

[OptimusPrime]

Thank you for the referrals.

 

[Sealside]

A lot of peoples have jumped ship to OPNsense.

 

[jei]

A lot of peoples have jumped ship to OPNsense.

Do these people have something to say about the hardware?

 

[louie1961]

I was running a 4 port, fanless, Celeron J4125 powered pfSense box for a couple of years. There was nothing wrong with it, but I got the bug to upgrade to an N100 processor. I went with Moginsok the first time, and Hunsn the second time, but I don't think there is much if any difference in the various Chinese brands. I bought both on Amazon. My only regret with the new N100 unit is not having gone for more than 4 ports. I originally thought "who needs more than two ports, that's what the switch is for?" But I guess that would be me. I have evolved my setup to the point where I use two ports for my redundant WAN connections, and I use the other two ports for a link aggregation connection (LACP) to my switch. It might be nice to have an extra port for accessing the web interface during set up rather than juggling the WAN ports. But that's not a big deal. My first unit came with eMMC storage, the newer box came with a m.2 NVME drive. The NVME feels so much more responsive. N100 CPU is way more than I need. I run a tailscale firewall connection with advertised routes, DNS resolver, and 5 VLANs. So not too much stress on the CPU. I also have 16 gb of memory which has turned out to be overkill for my situation as well.

Finally, this is not a hardware issue, but I recommend going pfSense Plus, even if you have to pay the $140-ish per year. The ability to use the "boot environment" features is AWESOME. Saved me from having to do a full install a few times when I did something stupid trying to set up dual WAN and link aggregation.

 

[networkguy]

I recently purchased one of these:

Q20331g9 4* Sfp+ 10gbe Ports 5 Intel 2.5gbe Lan Multifunctional Computer Vms Nas Home Server Pfsense Opnsense Mini Pc - Buy C3758 C3758r 4x Sfp+ 10gbe 2.5gbe Nas/ Virtualization Host 4x Sfp+ 10gbe Home Server For Proxmox Ve 4 10g Sfp+ Ports Pfsense Firewall Router Mini Pc Product on Alibaba.com

Q20331g9 4* Sfp+ 10gbe Ports 5 Intel 2.5gbe Lan Multifunctional Computer Vms Nas Home Server Pfsense Opnsense Mini Pc - Buy C3758 C3758r 4x Sfp+ 10gbe 2.5gbe Nas/ Virtualization Host 4x Sfp+ 10gbe Home Server For Proxmox Ve 4 10g Sfp+ Ports Pfsense Firewall Router Mini Pc Product on Alibaba.com

www.alibaba.com

Maybe a little overkill, but it a great bit of kit. I've installed pfsense on mine, I have a 10Gbe link to my LAN, 10Gbe into my DMZ and two spare 10Gbe for future expansion. I have used a combination of DAC's and 10Gbe SFP+ transceivers and haven't had a problem with compatibility.

The other 5 copper ports are all 2.5Gbe. I'm running Snort in IPS blocking mode and also ntopng for flow data. I have privacy wire guard VPN's running directly on the box to provide VPN's for all my networks, I can push 1Gb over wireguard without the Firewall breaking sweat. I can also saturate 10Gbe between my LAN and DMZ via the Firewall.

There is a thread on them here - https://forums.servethehome.com/index.php?threads/qotom-denverton-fanless-system-with-4-sfp.41331/
and a great servethehome review here - The Everything Fanless Home Server Firewall Router and NAS Appliance (servethehome.com)

I've had it a month so far - no complaints, it's been a huge upgrade on what I had before and has brought me a ton more flexibility.

 

[Sealside]

Do these people have something to say about the hardware?

I'm running on a lenovo m920q i5 9500t with 2x10gb mellanox connectx 3. Super stable, lots of information in the Lenovo tiny thread

https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-thinkstation-tiny-project-tinyminimicro-reference-thread.34925/

 

[OptimusPrime]

This is great feedback. I appreciate y’all’s responses.

 

[OptimusPrime]

I’m outfitting the house with cabling for POE, the TVs, home office computers and Unfi access points/products towards the end of the year (we just moved, so starting from scratch again). At that point, if you were choosing your router from scratch, would you still use pf/opnSense? Or would you just stay in the Unfi ecosystem for your home router? Let’s assume a difference of $300-$500 in cost is not a concern in the long run, and it’s not a production environment.

 

[louie1961]

I have no experience with Unifi, so take that with a grain of salt. But I like pfSense enough to pay the $140 per year for the pfSense Plus licensing. I have been so happy with it that it would take a lot to convince me to switch. BUT all of my wired networking is in the same room where my home lab is. The rest of the house is served by wifi.There's really not much that I would use POE for, and I have one switch to manage. All my other devices (NAS boxes, Proxmox nodes, Pistar hotspot, WAP, etc.) are all in the same book case.

 

[OptimusPrime]

I have no experience with Unifi, so take that with a grain of salt. But I like pfSense enough to pay the $140 per year for the pfSense Plus licensing.

I appreciate you sharing your thoughts. I’ve been using the free version of pfSense for about 5 years and it’s met my needs. What does someone gain for the upgrade to the license?

 

[Sean Ho]

I know we're all about the overkill here at STH, but my little opnsense box for gigabit fiber is just a $35 m73 tiny (Haswell) plus a $10 mPCIe RTL8111 NIC. Runs a bit hot but works just fine including wireguard, haproxy, and DNSBL; no suricata though. I try to design my network to minimize inter-VLAN routing.

 

[ccie4526]

I just picked up a couple weeks ago a Dell/VMware Edge 620 (aka VEP1425) for $75 on the ebay. Following the separate threads here on the Edge/VEP units, I updated the firmware and such, then installed PF on it.

Intel(R) Atom(TM) CPU C3558 @ 2.20GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
QAT Crypto: Yes (inactive)

8GB Memory with a DDR4 SODIMM slot available.
16GB eMMC and 128GB SSD

Ethernet ports are:
device = 'I350 Gigabit Network Connection'
device = 'I350 Gigabit Network Connection'
device = 'I350 Gigabit Network Connection'
device = 'I350 Gigabit Network Connection'
device = 'Ethernet Connection X553 10 GbE SFP+'
device = 'Ethernet Connection X553 10 GbE SFP+'
device = 'Ethernet Connection X553 1GbE'
device = 'Ethernet Connection X553 1GbE'

I'm using the two SFP+ ports with 10G-SR SFPs, and one of the X553 1GbE (it won't do 10G, I tried) ports, the others are unused on mine.

Only thing that sucks is that I can't enable the QAT because of NetGate's bullsh*t $129 a year subscription for pfPlus.

 

[louie1961]

What does someone gain for the upgrade to the license?

pfSense Plus FAQ

The most frequently asked questions (FAQ) associated with pfSense Plus software

www.netgate.com

I know that right now you need to have pfsense plus in order to take advantage of boot environments, which is a very useful feature. QAT crypto and a few other features are limited to pfsense plus as well.

With pfSense plus, Netgate commits to 3 times a year releases. pfsense CE releases are going to be dependent on the work of the community and might not be as frequent.

 

[networkguy]

I’m outfitting the house with cabling for POE, the TVs, home office computers and Unfi access points/products towards the end of the year (we just moved, so starting from scratch again). At that point, if you were choosing your router from scratch, would you still use pf/opnSense? Or would you just stay in the Unfi ecosystem for your home router? Let’s assume a difference of $300-$500 in cost is not a concern in the long run, and it’s not a production environment.

I have used both Unifi and pfSense, I do use Unifi for my AP's but I personally wouldn't move my entire stack to Unifi as it simply doesn't provide the same level of flexibility and granularity. You can do ANYTHING network wise with pfSense - ospf/bgp/VTI IPSEC to Azure, Wireguard tunnels, packages for Snort, ntopng - you can do any enterprise level task you want to do, if it's not in the base then there will be a package to facilitate it.

Unifi has it's market with simplified web management and a single pane of glass, which is good - but I never found the same level of flexibility with Unifi - I was given a first-gen UDM Pro to play with ages ago, took me about 2 hrs to realise that this isn't going to give me the flexibility pfSense does.

I did have pfsense plus on my previous box, but as they discontinued the free 'home lab' licence I've had to revert to Pfsense CE on my new box for the time being. I will likely go back to pfsense plus in the next few months as I think it's worth the extra $$. The boot environment options are priceless, especially if you're a fiddler! Their 24.03 release coming shortly is full of some big upgrades too, one of the ones which caught my eye is Gateway failback. One of my gripes with pfsense has been the WAN Failover bits, whilst the failover to the secondary connection is pretty immaculate in the main...it's the failing back to the primary when it comes back online that has never worked 'right' - there is a big feature in 24.03 which entirely fixes that, looking forward to trying it.

 

[ccie4526]

I did have pfsense plus on my previous box, but as they discontinued the free 'home lab' licence I've had to revert to Pfsense CE on my new box for the time being. I will likely go back to pfsense plus in the next few months as I think it's worth the extra $$. The boot environment options are priceless, especially if you're a fiddler! Their 24.03 release coming shortly is full of some big upgrades too, one of the ones which caught my eye is Gateway failback. One of my gripes with pfsense has been the WAN Failover bits, whilst the failover to the secondary connection is pretty immaculate in the main...it's the failing back to the primary when it comes back online that has never worked 'right' - there is a big feature in 24.03 which entirely fixes that, looking forward to trying it.

So I've got four nodes, 3 are in various remote locations and 1 at a colocation facility. I'm doing VTI hub and spoke with FRR BGP because the direct links between the various sites was not working well, packet loss on the direct internet paths between locations. Bringing them all back to the co-lo has eliminated that packet loss and everything works extremely well now.

Two of the nodes are still running under the free "home lab" (yes, all three of these nodes are at properties I own, and none are being airbnb'ed) and QAT is working fine for them.... but I just can't justify essentially $520 a year for what I can get done with the CE license. It's not my loss, it's NetGate's loss.

I'm still gainfully employed in the network engineering field, and normally play with Cisco and Palo Alto stuff... but all that stuff is enterprise, none of it runs in a silent/fanless chassis, so even when I have access to our spare/lab equipment, I really don't want to run it at home because of the fan noise.

Sorry for the soapbox digression. I was trying to stay mostly technical, but.....

 

[zachj]

I built a custom box using intel i3 12100…these things have gotten extremely cheap.

it’s a full atx board in a regular desktop case I had lying around so it’s not small or pretty, but installed in an unfinished basement I don’t give a shit.

mine is virtualized on VMware with pci pass through of the x540 nic.

 

[Tzvia]

I had had a very good experience with a little 6x gig port Qotom with the i5 7200 so when I decided last year I needed something new and shiny (and with 2.5gig ports as part of a general home network 'upgrade') I came here to read up on all those mini PCs I saw on Amazon. I've used PFSense a long time, maybe 9 years, and yea before I got that Qotom in 2020 I repurposed old computers with server pull 4 port NICs. I toyed with the idea of a used one liter PC and messing with adding NICs, but I instead bought the 6 port 8505 CPU fanless CWWK last year and didn't look back. And while I use Unifi WAPS, I have no interest in their router. PFSense CE has a good mix of built-in and third party apps as I am sure you know, and is a very capable product. As I have VLANS, I assigned them to the NICs so have 4 ethernet cables between the router and my switch so no 'bottleneck' there. I use OpenVPN with LDAP (to windows server) and certificates and it works just fine. PFBlocker and SNORT installed, set DNS to resolve not forward, running dual stack ipv4 and ipv6 and also virtual ipv6 networks to provide static IPV6 IPs for my internal servers and things like printers. Even setup Avahi so I can airprint between VLANS. That little 8505 is doing a 'bang up job' for me, rarely hits 30% CPU (doing speed tests across VLANS and internet) with all that it is doing (with SpeedShift set to 60% yet).

At the very least a read through the thread(s) mentioned by networkguy above about the box(s) you may be interested in is a good idea IMO. There is some tweaking that needs to be done to get the most from them, and possibly a modded BIOS (but 'measure 3 times cut once' with BIOS flashing as there are more than a few models...). But if the goal is an EdgeRouter spend a few minutes doing triage on the old box; can anything be salvaged (added extra NICs, memory or drive??) and pick up another used box. But IMO I don't see an EdgeRouter over one of these mini PCs with PFSense...

 

[louie1961]

There is some tweaking that needs to be done to get the most from them

I don't know if it is required or even recommended, but when I bought my latest pfSense box, it came pre-installed with pfSense Plus (which I don't know how they get away with that, its not a Netgate appliance). But being a not trusting soft of individual, I completely wiped the drive and installed pfSense from a fresh download. I used the default file system (ZFS), and when I finished installing the ugrade to pfSense Plus we pretty simple. By installing fresh, I get it just the way I want it with no fear Chinese spyware.