pfsense on laptop?

[MrBill10]

Hello, new guy here... Retired a couple years ago and decided I needed to learn more about computers in general, and networking in particular. Our home system consists of about 40 hosts on two VLANs managed through a Netgear M4100 Layer 2+ switch. The network houses a NAS, a couple (8) IP cams and the usual assortment of wireless devices such as phones, TVs and Ipads. The internet connection is stone-age and not likely to improve for a few years; we're on wifi way out in the country.

As I seem to have too much time on my hands, I'm looking to update my old gateway router with something that'll do tagged VLAN; to that end, I'm exploring the possibility of running pfsense on a dual-NIC equipped laptop.

I like laptops for their all-in-one configuration of monitor/keyboard/trackpad/UPS... High end used ones can be bought for under $150 with 2Gigs of ram and a 350GB hard drive, add in a $50 gigabit/VLAN capable second NIC from Startech and it looks like a real nice platform for pfsense...

Or is it...? I'd appreciate any feedback, positive or negative, before pulling the trigger on this one; although I'm used to shooting myself in the foot, it's not nearly as fun as it used to be...

Thanks, and here's the link to the Startech NIC:
https://www.startech.com/Networking...rnet-ExpressCard-Network-Adapter-Card~EC1000S

 

[Fardringle]

The only negative I can think of is that most laptops (especially on the cheaper end) are not designed to run 24/7 and are prone to overheating.

 

[MrBill10]

Another good reason to avoid cheap stuff. While I occasionally buy top-of-the-line, I try to never buy the lowest-price-first.

The present stable of workhorse computers includes 4 laptops, each elevated in some way to assist with cooling. The 10 year-old Panasonic CF-29 Toughbook has been in 24/7 service for 6+ years.

 

[John Connor]

You may need something like this: http://www.amazon.com/Intel-Fanless...p/B008KB5YCK/ref=cm_cr_pr_product_top?ie=UTF8

https://www.google.com/search?q=D2500CCE&ie=utf-8&oe=utf-8#q=D2500CCE&tbm=shop

http://www.ebay.com/sch/i.html?_fro...l1313.TR0.TRC0.H0.TRS0&_nkw=D2500CCE&_sacat=0

However, I run a netbook 24/7 that is used for PhoneTray, a Team Speak and FTP server who's storage is a SD card. It's been on for 2 years now and so far no issues.

 

[us3rnotfound]

I'd search ebay for a used Dell Precision desktop and run it as a headless unit once you have PFSENSE fully configured.

 

[MrBill10]

I consider myself a pretty average guy... meaning I have at least 3 generations of used computers stowed away in the garage along with multiple 17" CRT monitors... Should really recycle, but you never know when that 4x4 serial/parallel breakout card will come in handy... Another used desktop box doesn't boot my hormones any...

The Mitac boxes look interesting, and the price is certainly right. Going to have to think about that one.

I considered using my CF-29 as it's maxed out on XP (no drivers available to upgrade further), but it only has 1 gig of memory and is a very high hour unit. Better to leave it doing Outlook and monitoring the NAS health.

Locally there's Dell 1764 i5 M450 2.4GHz 6GB/DDR3 120GB for $125, but it doesn't have an ExpressCard slot... I'm going to keep my options open until next weekend then make the call.

 

[fyy0r]

I have pfsense running on a laptop. It's an old Dell Inspiron 500M - an old junker laptop with a broken sodimm slot, missing keys, and a half dead battery, but for a home/small business it makes a decent router. It has a single core Pentium M which downclocks when not being used and is still relatively power efficient by modern standards. It's been running 24/7 for years now.

It has a PCMCIA slot that I threw a 100mbit card in for the LAN hooked up to a gigabit switch. The built in ethernet is hooked up directly to the modem and acts as the WAN. My ISP gives me 100MBit down 5Mbit up. The laptop itself has wifi capability, but the chip either doesn't support Master mode or it wasn't put into the FreeBSD driver, so it can't act as an AP. The house gets wifi through a consumer AP hooked up to the switch.

Some thoughts:

-When downloading at a full 100Mbit, the PCMCIA card generates tons of interrupts which causes the CPU usage to go up by quite a bit. This actually caused an "interrupt storm" event in the kernel which then throttled the device and ended up reducing my download speeds. I fixed that by modifying the hw.intr_storm_threshold to a higher value.

-The laptop battery is kind of convenient because the power has gone out but I was still able to shut the router down cleanly.

-Laptops "specialize" in relatively low power so its reasonably efficient to keep on 24/7

-This old laptop only has 512MB of memory, but thats plenty for a router and the state table can be massive. Have no issues with torrents anymore or any number of connections/clients using the internet.

-I have a DNS blacklist with 30,000+ domains sitting in memory (mostly ad domains)

-It runs a little OpenVPN server, but since its an old processor and doesn't have AES-NI, it's only running at 10mbit. It's actually 5Mbit effective since thats my upload speed at home. For casual usage out in public wifi's, this is sufficient for me.

-Having only 1 LAN interface kind of sucks because with a dumb switch it means I only have 1 subnet. Would be nice to be able to use a quad port gigabit nic or something but that's alot more difficult with an older laptop using older interfaces. This could be mitigated with a managed switch and vlans.


It's running off a USB thumb drive which further saves power. One thing I would recommend is do NOT install the regular pfsense build on USB flash, because all the logs in /var/log and /tmp are constantly being written to which will kill flash memory pretty fast. My first install was done in this way and I killed the thumb drive in about a month. It was actually pretty interesting the way data became corrupted, because some of the corruption occured inside simple shell scripts. So variables like

set example_var=5

became

sEt eXAmple_vAR=5

And then when that var is referenced it wouldn't be found. I repaired alot of it manually, but the flash drive was too far gone and it was time to abandon ship.

My 2nd install was with the nanobsd pfsense build, which puts all the logging data in memory and puts the flash drive into read-only mode after boot. That one lasted about 6+ months before it started to die. I'm currently on my 3rd or 4th thumb drive right now.

 

[Genx87]

As I have suggested in the past. Look at the free version of Sophos UTM 9. It has everything you could want in a firewall and will install on hardware. But make sure if you are using USB nics they have drivers for it. I use an old desktop with two NICs.

https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

 

[MrBill10]

fyy0r, thanks for the detailed info on using pfsense on an old laptop; you've done what I hope to do with slightly newer hardware. I was expecting someone so say I was out to lunch for considering an i5 processor for a router. You don't mention a hard drive, and 512MB isn't a lot of ram... How big a USB stick are you using?

Genx87; I'll read up on Sophos. Thank you for that. My understanding of NIC thru USB is that it's very processor intensive; dual LAN may be too intense for old hardware (?). I've been looking at the ExpressCard option because it's tied directly to the bus.

btw; back on the mini-pc/thin client side, there's this cute little 4 LAN piece...
http://www.amazon.com/gp/offer-listing/B019Z8T9J0/ref=dp_olp_new?ie=UTF8&condition=new

 

[Aarondeep]

you are going to have annoying issues with the VLAN and non-intel NIC. BSD doesn't like NICS that aren't intel based. I'd try to get a cheap desktop with a dual port NIC to avoid the headaches associated with a laptop build

 

[MrBill10]

you are going to have annoying issues with the VLAN and non-intel NIC. BSD doesn't like NICS that aren't intel based. I'd try to get a cheap desktop with a dual port NIC to avoid the headaches associated with a laptop build

I don't belong to any forums other than this one. The other networking sites either talk way over my head or have an arrogant attitude, like they're keymasters or gatekeepers or something equally fictional. I took a chance on AnandTech because of the huge user base with what seemed to be a very deep experience level. And a willingness to share.

Thank you, Aarondeep; I believe you just killed off my laptop idea. Not that it couldn't be made to work, but the frustration level isn't worth it for a novice like me. I checked my machines: the 2 Dells run Broadcom NICs, the Panasonic is Marvell Yukon and the Toshiba is Intel (but PCMCIA not ExpressCard). Finding the right combination of machine with an ExpressCard slot and a Intel NIC is probably doable, however, what serviceable brain cells I have left are better used learning pfsense, not searching for the perfect magic laptop. Time to move on.

A local used computer shop has several Dells for sale; $100 for a 760 SFF, Core 2 Duo @ 2.9GHz, 4G DDR3, 80GB hd with Win7pro & Office 2007Pro, 19" monitor, DVD-RW, cables, keyboard & mouse. I'll upgrade/add the NIC's as required. Shame to have to lose the software; it's worth more than all the parts together.

Thank you everyone; I'll let you know how it goes.

 

[Red Squirrel]

Should be ok, I would maybe take it apart to clear out any dust, or maybe even lay it out in a 1U chassis somehow and then add more fans for cooling. If the battery is still good you can even plug it in a non UPS outlet, since it will have it's own built in UPS basically.

 

[mxnerd]

I don't like the idea using an old PC as pfSense box.

An old PC running 24/7 generates too much heat, uses too much energy and does only one thing - routing.

I would rather buy a mini PC that equips with multiple NICs.

 

[Red Squirrel]

I don't like the idea using an old PC as pfSense box.

An old PC running 24/7 generates too much heat, uses too much energy and does only one thing - routing.

I would rather buy a mini PC that equips with multiple NICs.

Depends on budget. Nice to use something already laying around. I use an old core2duo 1U server box for mine that I got for cheap. If I was to buy new, I'd do something like this:

http://www.ncix.com/detail/supermicro-5018a-ftn4-1u-atom-c2758-9a-91811.htm

Cheaper option but ports are in back:

http://www.ncix.com/detail/supermicro-sc512l-200b-atx-1u-chassis-cf-58822.htm

I never checked how much power my current box uses though, it might actually be worth upgrading it.

 

[CubanlB]

I had pfSense 1.9(?) running on a Duron 1GHZ with a DLink and 3COM nic in a shoebox. No vlans at that time so I can't speak to that. (In general I also recommend Intel nics, for just about any OS)

This should be an interesting build.

 

[mxnerd]

The mini PC with 4 Intel ports on Amazon (factory direct link hre http://www.qotom.net/goods-129-QOTOM-Q190G4+4+LAN+Mini+PC.html) that OP linked is quite interesting, and the price is very reasonable.

Good reviews too.

 

[fyy0r]

I don't belong to any forums other than this one. The other networking sites either talk way over my head or have an arrogant attitude, like they're keymasters or gatekeepers or something equally fictional. I took a chance on AnandTech because of the huge user base with what seemed to be a very deep experience level. And a willingness to share.

Thank you, Aarondeep; I believe you just killed off my laptop idea. Not that it couldn't be made to work, but the frustration level isn't worth it for a novice like me. I checked my machines: the 2 Dells run Broadcom NICs, the Panasonic is Marvell Yukon and the Toshiba is Intel (but PCMCIA not ExpressCard). Finding the right combination of machine with an ExpressCard slot and a Intel NIC is probably doable, however, what serviceable brain cells I have left are better used learning pfsense, not searching for the perfect magic laptop. Time to move on.

A local used computer shop has several Dells for sale; $100 for a 760 SFF, Core 2 Duo @ 2.9GHz, 4G DDR3, 80GB hd with Win7pro & Office 2007Pro, 19" monitor, DVD-RW, cables, keyboard & mouse. I'll upgrade/add the NIC's as required. Shame to have to lose the software; it's worth more than all the parts together.

Thank you everyone; I'll let you know how it goes.

I actually purchased an Optiplex 760 SFF ($15 why not?) just for this very purpose recently with the idea of using it to replace my laptop router. Some concerns:

-The PCIe x16 slot can only be used with GPUs. If you put anything in this slot the onboard video will be disabled. This is hard coded into the BIOS and is something I didn't anticipate and it REALLY sucks because otherwise I coulda used a quad port gigabit nic here. It seems like there is no way around this and was a HUGE blow to my plans.

-Because the only PCIe slot is reserved for GPU's, you only have a plain old PCI slot you can use for half height gigabit cards. Multi-port gigabit nics on a PCI interface is kinda pointless because throughput from a single gigabit port can saturate the bus anyways.

-The HD bay fan + power supply fan are relatively noisier than the laptop fan.

-No UPS

-It feels as though alot more can go wrong with this system if it were on 24/7. I dont trust the power supply or HD for example.

-The HD is a plain old 80GB junker, which while plenty for a router, could die at any moment. Might go the cheap SSD route and toss the fan cooler with it to save noise,power, and gain speed.

-Sips alot more power relative to my HD-less laptop.

-It needs a dedicated monitor hooked up to it, atleast for initial setup and stuff. I'd recommend setting up SSH immediately so you dont have to keep the monitor there.


The PCIe x16 issue was HUGELY disappointing. I MIGHT be able to configure everything I need in the BIOS, then install the serial console version of pfsense, and then put in a PCIe nic card and configure the interfaces from there with no video but I haven't tried it yet. I dont recall whether the system even actually boots or not if the PCIe card is something other than a GPU.

 

[SunnyD]

40 hosts and 2 vlans?

You're telling me that you don't have any virtual servers running in that network anywhere that you couldn't slap a dual port NIC and put pfSense in a VM onto?

I run my network off a pfSense VM on ESXi. I haven't had any complaints over the last 3 years. Throughput is top end and it supports every feature pfSense has. I'd repurpose a machine in your situation.

 

[dave_the_nerd]

40 hosts and 2 vlans?

You're telling me that you don't have any virtual servers running in that network anywhere that you couldn't slap a dual port NIC and put pfSense in a VM onto?

I run my network off a pfSense VM on ESXi. I haven't had any complaints over the last 3 years. Throughput is top end and it supports every feature pfSense has. I'd repurpose a machine in your situation.

Yeah, seconded. This sort of thing is what VMs are for.

 

[MrBill10]

I actually purchased an Optiplex 760 SFF ($15 why not?) just for this very purpose recently with the idea of using it to replace my laptop router. Some concerns:

-The PCIe x16 slot can only be used with GPUs. If you put anything in this slot the onboard video will be disabled. This is hard coded into the BIOS and is something I didn't anticipate and it REALLY sucks because otherwise I coulda used a quad port gigabit nic here. It seems like there is no way around this and was a HUGE blow to my plans.

Thank you, fyy0r. You've saved me from shooting myself in the other foot... I'll pass on the 760 and look for a Precision like us3rnotfound suggested a few days ago. I'm thinking he knows what he's talking about. If I can't find a suitable box in the next few days I'll be ordering one of the mini-PCs from China.

SunnyD, dave-the-nerd; you are where I want to be. I suspect my path getting there is slightly more tortuous than yours... My end-goal is to have my network completely on VM's, but I have to crawl before I walk. I wish to be competent in tagged VLANS before moving on, and I don't know what I'll be moving on to next. Learned the VLAN thing and that led to tagged VLANs, which leads to pfsense and a decent router/firewall package, which leads to, what, servers? I want to end up with a fully non-residential network; the consumer stuff seems to be various levels of crap.

 

[SunnyD]

Thank you, fyy0r. You've saved me from shooting myself in the other foot... I'll pass on the 760 and look for a Precision like us3rnotfound suggested a few days ago. I'm thinking he knows what he's talking about. If I can't find a suitable box in the next few days I'll be ordering one of the mini-PCs from China.

SunnyD, dave-the-nerd; you are where I want to be. I suspect my path getting there is slightly more tortuous than yours... My end-goal is to have my network completely on VM's, but I have to crawl before I walk. I wish to be competent in tagged VLANS before moving on, and I don't know what I'll be moving on to next. Learned the VLAN thing and that led to tagged VLANs, which leads to pfsense and a decent router/firewall package, which leads to, what, servers? I want to end up with a fully non-residential network; the consumer stuff seems to be various levels of crap.

It's really not as difficult as you make it out to be. ESXi is "free" as is Hyper-V Server Core. IIRC ESXi will run pfSense better due to ESXi's better support with FreeBSD. But the networking layer in ESXi is super-easy to deal with, supports VLANs on the virtual switch, and gives great throughput. From the machine you go to a physical switch and everything else works the same.

About the only troublesome aspect that you'll deal with is initially learning how to set up the virtual network to handle pfSense's lan and wan ports. Once you do that though, the rest is cake. It's really an elegant solution once it's set up, and you hardly ever have to deal with the virtualization aspect at all.

 

[pitz]

You really don't need dual NICs for a pfsense (or similar) gateway. A single NIC configured with VLANs is good enough (and this is how most of the dd-wrt devices actually work -- its a single NIC to their SoC, and then they have a Ethernet switching ASIC that understands VLANs).

IMHO, go with either a mini or micro-ATX system, or even an Intel NUC. Instead of a laptop. Heck, even a current gen Raspberry Pi running Linux would work just fine if you can convince the NIC to do VLANs.

 

[MrBill10]

pitz; I've pretty much given up on finding a laptop with the hardware configuration that I think it needs, and moving to a single NIC setup is, imho, a bit out of my comfort zone... I understand the concept but not the programming.

SunnyD; you make a good case for stepping up sooner than later. What is a good hardware platform to build on? Used servers with tons of memory are going dirt cheap.

Speaking of comfort zone: wtf am I getting myself into...?

edit: I need to know what to buy...

Hardware requirements


Hyper-V requires a 64-bit processor that includes the following:

• Hardware-assisted virtualization. This is available in processors that include a virtualization option—specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.
• Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. Specifically, you must enable Intel XD bit (execute disable bit) or AMD NX bit (no execute bit).

edit again: Is this what I'm looking for? I checked that the processor is 64 bit, and it's only $150...


Dell PowerEdge 2950 server
CPU: 2x 5355 quad core Intel Xeon processors : 8 cores
RAM: 32Gb DDR2
Storage: 2x 73 GB SAS 3.5" HDDs; the backplane is SATA compatible
Perc5/i RAID
Network: 2x 1Gbps NICs
DRAC remote control card
Power: 2x PSU

 

[sdifox]

pitz; I've pretty much given up on finding a laptop with the hardware configuration that I think it needs, and moving to a single NIC setup is, imho, a bit out of my comfort zone... I understand the concept but not the programming.

SunnyD; you make a good case for stepping up sooner than later. What is a good hardware platform to build on? Used servers with tons of memory are going dirt cheap.

Speaking of comfort zone: wtf am I getting myself into...?

edit: I need to know what to buy...

Hardware requirements


Hyper-V requires a 64-bit processor that includes the following:

• Hardware-assisted virtualization. This is available in processors that include a virtualization option—specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.
• Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. Specifically, you must enable Intel XD bit (execute disable bit) or AMD NX bit (no execute bit).

edit again: Is this what I'm looking for? I checked that the processor is 64 bit, and it's only $150...


Dell PowerEdge 2950 server
CPU: 2x 5355 quad core Intel Xeon processors : 8 cores
RAM: 32Gb DDR2
Storage: 2x 73 GB SAS 3.5" HDDs; the backplane is SATA compatible
Perc5/i RAID
Network: 2x 1Gbps NICs
DRAC remote control card
Power: 2x PSU

Get something with AES-NI if you care about AES at all.

https://en.wikipedia.org/wiki/AES_instruction_set

 

[XavierMace]

Dell PowerEdge 2950 server
CPU: 2x 5355 quad core Intel Xeon processors : 8 cores
RAM: 32Gb DDR2
Storage: 2x 73 GB SAS 3.5" HDDs; the backplane is SATA compatible
Perc5/i RAID
Network: 2x 1Gbps NICs
DRAC remote control card
Power: 2x PSU

It's only $150 because it's so old. Going one generation newer gets you substantially faster and more efficient tech. Look for a PowerEdge R610/710 or an HP DL360G6/DL380G6 if you want rackmount and a bit more grunt. ML350G6 if you would prefer tower instead of rackmount. If it's only going to be running pfSense, those are severe overkill. Look for a single socket setup instead, like a PowerEdge R310.

Edit: The Xeon 5600's in the above mentioned R610/R710 and DL360G6/DL380G6 support AES-NI. The Xeon 3000's in the R310 do not.

Edit 2: If you go the Dell route, try to find one that includes the iDRAC upgrade.