{"id":17135,"date":"2018-12-28T17:11:39","date_gmt":"2018-12-29T01:11:39","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=17135"},"modified":"2018-12-28T17:11:39","modified_gmt":"2018-12-29T01:11:39","slug":"pfsense-router","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/12\/pfsense-router\/","title":{"rendered":"Replacing My PFSense Router"},"content":{"rendered":"<p>I told you about PFSense back in 2012 in <a href=\"https:\/\/www.podfeet.com\/blog\/2012\/03\/357-kernel-panics-quicken-lion-talk-tools-capti-flygrip-home-networking\/\">NosillaCast #357<\/a>, but six years later it&#8217;s time to revisit the topic.<\/p>\n<h3>What is PFSense?<\/h3>\n<ul>\n<li>A free and open-source router and firewall OS based on FreeBSD \u2014 <a href=\"https:\/\/pfsense.org\/\">pfsense.org\/\u2026<\/a><\/li>\n<li>Can run on just about any 64-bit x86 hardware \u2014 small embedded boards (not the MIPS or ARM chips inside typical consumer routers; netgate&#8217;s own ARM appliances run a vendor build), micro-PCs based off things like the Intel NUC, regular PCs\/Macs (including very old ones), or hardware sold by <a href=\"https:\/\/www.netgate.com\/\">netgate<\/a>, the company that maintains the PFSense codebase\/project.<\/li>\n<li>\n<p>Ships with all the features you&#8217;d expect from an enterprise-level router out of the box:<\/p>\n<ul>\n<li>Typical features you&#8217;d expect from any router (even a home router)\n<ul>\n<li>DHCP service powered by <a href=\"https:\/\/www.isc.org\/downloads\/dhcp\/\">ISC DHCPD<\/a> (more feature-rich than a typical home router)<\/li>\n<li>Caching DNS, either the <a href=\"http:\/\/www.thekelleys.org.uk\/dnsmasq\/doc.html\">Dnsmasq<\/a>-based DNS Forwarder or the Unbound-based DNS Resolver (the default since 2.2). Both integrate tightly with the DHCP server and can register DHCP leases &amp; reservations as DNS names under the local domain, a feature rarely found in home routers<\/li>\n<li>Full-featured firewall (FreeBSD&#8217;s pf) which includes the basics like NAT, port forwarding, DMZ addresses (1:1 NAT), UPnP, and NAT-PMP. 
Also includes more advanced features like traffic shaping, so different IP ranges can be given different priorities or have bandwidth caps imposed on them, and schedule-based rules that allow different things at different times of the day (could be a powerful parenting tool). One caveat: UPnP and NAT-PMP let any device on the LAN open inbound ports for itself, so leave them off unless something actually needs them.<\/li>\n<\/ul>\n<\/li>\n<li>Typical enterprise router functionality\n<ul>\n<li>Can route between arbitrarily many physical subnets, with firewall rules between them (the power of a Y-configuration of home routers entirely contained within a single box)<\/li>\n<li>VLAN support (802.1Q; logically separate subnets sharing a single physical NIC)<\/li>\n<li>DHCP relay (allows a single DHCP server to serve arbitrarily many separate physical LANs and\/or VLANs)<\/li>\n<li>Wake-on-LAN (provides a UI for sending out the magic packets needed to trigger a given MAC address to wake the host it&#8217;s attached to)<\/li>\n<li>Captive Portal (like you often see in hotels where you have to accept terms)<\/li>\n<li>SNMP support (the protocol enterprise network management tools use to pull stats out of routers; PFSense&#8217;s SNMP daemon is read-only, so it is for monitoring rather than pushing configs)<\/li>\n<\/ul>\n<\/li>\n<li>IPsec, L2TP, and OpenVPN VPN server capability<\/li>\n<li>NTP Server<\/li>\n<li>Support for high availability via CARP and pfsync: two PFSense boxes share virtual IPs, config and firewall state in primary\/secondary mode, with the secondary in standby ready to take over (keeping existing connections alive) should the primary ever fail. Load balancing in PFSense is a separate feature for multiple WAN links or for pools of servers behind the firewall.<\/li>\n<li>Fine-grained and searchable logging powered by <a href=\"https:\/\/en.wikipedia.org\/wiki\/Syslog\">syslog<\/a>, which can also ship logs to a remote syslog server<\/li>\n<li>A nice configurable dashboard including real-time usage graphs powered by <a href=\"https:\/\/en.wikipedia.org\/wiki\/RRDtool\">RRDtool<\/a><\/li>\n<li>PFSense configs are a single XML file that can be backed up from one PFSense device and restored onto another. Treat the backup as sensitive (it contains password hashes, VPN keys and certificates) and use the encrypted backup option.<\/li>\n<\/ul>\n<\/li>\n<li>Built-in package management system providing access to a library of additional features provided by the community \u2014 <a 
href=\"https:\/\/www.netgate.com\/docs\/pfsense\/packages\/index.html\">www.netgate.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>The PFSense Features I Use<\/h3>\n<ul>\n<li>Caching DNS server:\n<ul>\n<li>Connected to the DHCP server to publish all DHCP reservations and leases under the special domain .localdomain. E.g. our network printer is at bw-printer.localdomain, our Plex server is at bw-plex.localdomain, our NAS is at bw-freenas.localdomain, my iMac is at bart-imac2018.localdomain, etc.<\/li>\n<li>Uses 9.9.9.9 to resolve non-local DNS<\/li>\n<\/ul>\n<\/li>\n<li>DHCP with reservations and DNS names for all my devices, also instructs all devices to use the caching DNS server described above as their DNS resolver<\/li>\n<li>Port forwarding rules as needed for various online games<\/li>\n<li>NTP server to offer consistent time to all devices on the network<\/li>\n<li>Before we got fibre broadband I configured Skype to always use a specific port, and then used PFSense&#8217;s traffic shaping feature to give that port priority over all other internet traffic<\/li>\n<li>Additional packages I have installed:\n<ul>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Arping\">ARPing<\/a> GUI for scanning the network<\/li>\n<li><a href=\"https:\/\/nmap.org\/\">NMAP<\/a> GUI for scanning the network<\/li>\n<li>ntopNG, Bandwidthd &amp; darkstat services for logging and graphing network usage<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>My Old Setup<\/h3>\n<p>I&#8217;ve been running PFSense on an old Dell Optiplex 740 with a second PCI ethernet card since 2014 (the machine itself dates back to 2007!).<\/p>\n<p>A few weeks ago the machine became unstable, regularly crashing \u2014 it was time for a new PFSense box!<\/p>\n<h3>Options Considered<\/h3>\n<ul>\n<li>Another second hand PC\n<ul>\n<li><strong>PRO<\/strong> cheap<\/li>\n<li><strong>CONS<\/strong> big and bulky, high power use<\/li>\n<li><strong>Cost Estimate<\/strong> zero! 
(salvage)<\/li>\n<\/ul>\n<\/li>\n<li>Build-your-own fanless micro PC\n<ul>\n<li><strong>PRO<\/strong> small, low power<\/li>\n<li><strong>CONS<\/strong> a lot of effort sourcing a compatible case, motherboard, CPU, RAM, and storage<\/li>\n<li><strong>Cost Estimate<\/strong> ~\u20ac300<\/li>\n<\/ul>\n<\/li>\n<li>Buy a fanless micro PC (almost all Intel NUC-based)\n<ul>\n<li><strong>PROS<\/strong> small, low-powered, easy<\/li>\n<li><strong>CONS<\/strong> all the models I was able to find were optimised to run as desktops, not routers, so only 1 ethernet adaptor, and much more RAM, CPU &amp; storage than needed<\/li>\n<li><strong>Cost Estimate<\/strong> ~\u20ac400<\/li>\n<\/ul>\n<\/li>\n<li>Buy a pre-assembled fanless micro PC configured for routing\n<ul>\n<li><strong>PROS<\/strong> small, low-powered, easy<\/li>\n<li><strong>CONS<\/strong> every option I could find was either expensive, from a vendor without a reputation, or accompanied by reviews warning people to steer clear<\/li>\n<li><strong>Cost Estimate<\/strong> ~\u20ac300-\u20ac500<\/li>\n<\/ul>\n<\/li>\n<li>Buy a pre-packaged PFSense router from netgate (the company behind PFSense)\n<ul>\n<li><strong>PROS<\/strong> easy, fully supported, cost-effective, small, low-powered<\/li>\n<li><strong>CONS<\/strong> none that I can see<\/li>\n<li><strong>Cost<\/strong> ~\u20ac270 including shipping from the US to Ireland and all import duties, taxes, fees, etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>What Did I Buy?<\/h3>\n<p>I opted for netgate&#8217;s entry-level device aimed at home offices \u2014 <a href=\"https:\/\/store.netgate.com\/MBT-2220-system.aspx\">MBT-2220 MinnowBoard Turbot Dual Ethernet Dual Core System<\/a> ($175 + shipping)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I told you about PFSense back in 2012 in NosillaCast #357, but six years later it&#8217;s time to revisit the topic. What is PFSense? 
A free and open-source router and firewall OS based on FreeBSD \u2014 pfsense.org\/\u2026 Can run on just about any 64-bit x86 hardware \u2014 small embedded boards (not the MIPS or ARM chips inside typical consumer routers), micro-PCs based off things [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":17138,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[147],"tags":[2904,2902,2905,111,113,1246,2903],"class_list":["post-17135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-dhcp","tag-home-networking","tag-nat","tag-networking","tag-router","tag-routers","tag-vlan"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/12\/pfsense-logo.png","jetpack_sharing_enabled":true}
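A worked example to go with the DNS/DHCP integration and port-forwarding items under "The PFSense Features I Use" and the config backup item in the feature list. This is an added example, not code from the post or from the PFSense project: a Python script that reads a PFSense config.xml backup, lists the DHCP reservations as the `.localdomain` names the resolver publishes, and flags every port forward whose target is not a reserved address, because a forward pointing at a dynamically leased address stops working (or lands on a different machine) when the lease moves. The element names it reads (`dhcpd`, `staticmap`, `nat/rule`, `target`, `local-port`, `unbound/regdhcpstatic`) are the config.xml layout as I recall it and should be checked against a real backup; the sample config embedded in the script is constructed for the example.

```python
"""Audit a pfSense config.xml backup: port forwards vs. DHCP reservations.

Added example, not pfSense's own code. Element names follow the config.xml
layout as I recall it (<dhcpd>/<iface>/<staticmap>, <nat>/<rule>,
<unbound>/<regdhcpstatic>); verify them against a real backup before use.
"""
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup: two reserved hosts and two port
# forwards, one of which points into the dynamic lease pool.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>router</hostname><domain>localdomain</domain></system>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap><mac>52:54:00:aa:bb:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>bw-plex</hostname></staticmap>
      <staticmap><mac>52:54:00:aa:bb:02</mac><ipaddr>192.168.1.11</ipaddr><hostname>bw-printer</hostname></staticmap>
    </lan>
  </dhcpd>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol><destination><network>wanip</network><port>32400</port></destination><target>192.168.1.10</target><local-port>32400</local-port><descr>Plex</descr></rule>
    <rule><interface>wan</interface><protocol>udp</protocol><destination><network>wanip</network><port>27015</port></destination><target>192.168.1.150</target><local-port>27015</local-port><descr>Game server</descr></rule>
  </nat>
  <unbound><enable></enable><regdhcp></regdhcp><regdhcpstatic></regdhcpstatic></unbound>
</pfsense>
"""


def _text(node, path):
    """findtext() with empty-element and missing-element both mapped to ''."""
    return (node.findtext(path) or "").strip()


def static_mappings(root):
    """Reserved IPv4 address -> hostname, across every DHCP-serving interface."""
    reserved = {}
    for iface in root.findall("./dhcpd/*"):
        for sm in iface.findall("staticmap"):
            ip = _text(sm, "ipaddr")
            if ip:
                reserved[ip] = _text(sm, "hostname")
    return reserved


def dynamic_pools(root):
    """(interface, first, last) for each dynamic lease range."""
    pools = []
    for iface in root.findall("./dhcpd/*"):
        rng = iface.find("range")
        if rng is None:
            continue
        lo = ipaddress.ip_address(_text(rng, "from"))
        hi = ipaddress.ip_address(_text(rng, "to"))
        pools.append((iface.tag, lo, hi))
    return pools


def port_forwards(root):
    """Each <nat><rule> reduced to the fields that matter for the audit."""
    return [{
        "descr": _text(rule, "descr"),
        "proto": _text(rule, "protocol"),
        "wan_port": _text(rule, "destination/port"),
        "target": _text(rule, "target"),
        "local_port": _text(rule, "local-port"),
    } for rule in root.findall("./nat/rule")]


def registers_static_names(root):
    """True if an enabled resolver registers static mappings in DNS.

    Empty elements such as <enable></enable> are the on-switches in config.xml,
    so test presence with `is not None`: an Element with no children is falsy.
    """
    for svc in ("unbound", "dnsmasq"):
        node = root.find(svc)
        if node is None:
            continue
        if node.find("enable") is not None and node.find("regdhcpstatic") is not None:
            return True
    return False


def audit(xml_text):
    root = ET.fromstring(xml_text)
    domain = _text(root, "./system/domain") or "localdomain"
    reserved = static_mappings(root)
    pools = dynamic_pools(root)
    forwards = port_forwards(root)
    findings = []
    for fwd in forwards:
        if fwd["target"] in reserved:
            continue  # forward goes to a fixed address: fine
        try:
            addr = ipaddress.ip_address(fwd["target"])
        except ValueError:  # an alias name rather than a literal address
            findings.append({**fwd, "problem": "target is not a literal address; check the alias by hand"})
            continue
        in_pool = any(lo <= addr <= hi for _, lo, hi in pools)
        why = ("target is inside the dynamic lease pool" if in_pool
               else "target has no DHCP static mapping")
        findings.append({**fwd, "problem": why})
    return {
        "names": {f"{host}.{domain}": ip for ip, host in reserved.items()},
        "forward_count": len(forwards),
        "risky_forwards": findings,
        "static_names_in_dns": registers_static_names(root),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Against a real backup, call `audit(open("config.xml").read())`; on the constructed sample it reports the two reserved names and flags the game-server forward, whose target 192.168.1.150 sits inside the 192.168.1.100-199 lease pool.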