Replacing My PFSense Router

I told you about PFSense back in 2012 in NosillaCast #357, but six years later it’s time to revisit the topic.

What is PFSense?

  • A free and open-source router OS based on BSD Unix — pfsense.org/…
  • Can run on just about any hardware — small embedded devices (regular home router hardware), micro-PCs based on things like the Intel NUC, regular PCs/Macs (including very old ones), or hardware sold by Netgate, the company that maintains the PFSense codebase/project.

  • Ships with all the features you’d expect from an enterprise-level router out of the box:

    • Typical features you’d expect from any router (even a home router)
      • DHCP service powered by ISC DHCPD (more feature rich than a typical home router)
      • Caching DNS forwarder powered by Dnsmasq, including advanced features not typically found in home routers, like tight integration with the DHCP server to give Dynamic DNS entries based on DHCP leases & reservations
      • Full-featured Firewall which includes the basics like NAT, port forwarding, DMZ addresses, UPnP, and NAT-PMP. Also includes more advanced features like traffic shaping to allow different IP ranges to be given different priorities, or to impose bandwidth caps on specific IP ranges, and time-based rules to allow different things at different times of the day (could be a powerful parenting tool).
    • Typical enterprise router functionality
      • Can route between arbitrarily many physical subnets (the power of a Y-configuration of home routers entirely contained within a single box)
      • VLAN support (logically separate subnets sharing a single physical NIC)
      • DHCP forwarding (allows a single DHCP server to serve arbitrarily many separate physical LANs and/or VLANs)
      • Wake-on-LAN (provides a UI for sending out the magic packets needed to trigger a given MAC address to wake the host it's attached to)
      • Captive Portal (like you often see in hotels where you have to accept terms)
      • SNMP support (protocol used by enterprise network management tools to pull stats out of routers, and to push configs into routers)
    • IPSec, L2TP, and OpenVPN VPN server capability
    • NTP Server
    • Support for clustered operation — two or more PFSense servers can work together to deliver a unified server, either balancing the load between them, or in primary/secondary mode with the secondary in standby mode ready to take over should the primary ever fail.
    • Fine-grained and searchable Logging powered by syslog
    • A nice configurable dashboard including real-time usage graphs powered by RRDtool
    • PFSense configs can be backed up from one PFSense device and restored onto another.
  • Built-in package management system providing access to a library of additional features provided by the community — www.netgate.com/…

The PFSense Features I Use

  • Caching DNS server:
    • Connected to DHCP server to publish all DHCP reservations and leases under the special domain .localdomain. E.g. our network printer is at bw-printer.localdomain, our Plex server is at bw-plex.localdomain, our NAS is at bw-freenas.localdomain, my iMac is at bart-imac2018.localdomain, etc.
    • Uses 9.9.9.9 to resolve non-local DNS
  • DHCP with reservations and DNS names for all my devices, also instructs all devices to use the caching DNS server described above as their DNS resolver
  • Port forwarding rules as needed for various online games
  • NTP server to offer consistent time to all devices on the network
  • Before we got fibre broadband I configured Skype to always use a specific port, and then used PFSense’s traffic shaping feature to give that port priority over all other internet traffic
  • Additional packages I have installed:
    • ARPing GUI for scanning the network
    • NMAP GUI for scanning the network
    • ntopNG, Bandwidthd & darkstat services for logging and graphing network usage

My Old Setup

I’ve been running PFSense on an old Dell Optiplex 740 with a second PCI ethernet card since 2014 (the machine itself dates back to 2007!).

A few weeks ago the machine became unstable, regularly crashing — it was time for a new PFSense box!

Options Considered

  • Another second-hand PC
    • PRO cheap
    • CONs big and bulky, high power use
    • Cost Estimate zero! (salvage)
  • Build-your-own fanless micro PC
    • PRO small, low power
    • CONs a lot of effort sourcing compatible case, motherboard, CPU, RAM, and storage
    • Cost Estimate ~€300
  • Buy a fanless micro PC (almost all Intel NUC-based)
    • PRO small, low-powered, easy
    • CONs all the models I was able to find were optimised to run as desktops, not routers, so only 1 ethernet adaptor, and much more RAM, CPU & storage than needed
    • Cost Estimate ~€400
  • Buy a pre-assembled fanless micro PC configured for routing
    • PRO small, low-powered, easy
    • CONs every option I could find was either expensive, from a vendor without reputation, or accompanied by reviews warning people to steer clear
    • Cost Estimate ~€300-€500
  • Buy a pre-packaged PFSense router from Netgate (the company behind PFSense)
    • PROs easy, fully supported, cost-effective, small, low-powered
    • CONs none that I can see
    • Cost ~€270 including shipping from the US to Ireland and all import duties, taxes, fees, etc.

What Did I Buy?

I opted for Netgate’s entry-level device aimed at home offices — MBT-2220 MinnowBoard Turbot Dual Ethernet Dual Core System ($175 + shipping)

1 thought on “Replacing My PFSense Router”

  1. James Tisdale - January 19, 2019

    Hi Bart, looks like since you got your new pfSense box they (Netgate) have gone and stopped selling it. Steve Gibson in SN#697 just talked about Netgate’s SG-1100. Would the SG-1100 be an ok replacement to your MBT-2220? Is the typical home user going to miss the extra 1gig of RAM and 32gig of storage space? Thanks for all that you do, always love to get your take on things (right after Steve’s).
