
pfSense - router + stateful firewall + vpn HW requirements?

Kalm_Traveler

Hey guys I'm debating setting up a pfSense device for security and to offload routing and vpn duties from my main wifi/router combo but I'm not finding any definitive answer on whether or not I'd be better off using an actual PC (small PC of course) if I want it to do routing, stateful packet inspection firewall, and run a VPN service like OpenVPN or something similar.

 

I know you can buy hardware devices from Netgate, but they seem to be fairly weak hardware-wise and if I do this I want to make sure there are zero slowdowns.

 

Can you point me to any resources for figuring out what would be best for this situation? I don't mind either building a from-scratch SFF PC, or using one of those NUC-size mini PCs as a base as long as it has dual 1gb ethernet ports, but a standalone Netgate device is fine too as long as it really won't bottleneck traffic by running those services.

 

What do you guys think?

HEDT: i9 10980XE @ 4.9 gHz, 64GB @ 3600mHz CL14 G.Skill Trident-Z DDR4, 2x Nvidia Titan RTX NVLink SLI, Corsair AX1600i, Samsung 960 Pro 2TB OS/apps, Samsung 850 EVO 4TB media, LG 38GL950G-B monitor, Drop CTRL keyboard, Decus Respec mouse

Laptop: Razer Blade Pro 2019 9750H model, 32GB @ 3200mHz CL18 G.Skill Ripjaws DDR4, 2x Samsung 960 Pro 1TB RAID0, repasted with Thermal Grizzly Kryonaut
Gaming Rig: i9 9900ks @ 5.2ghz, 32GB @ 4000mHz CL17 G.Skill Trident-Z DDR4, EVGA RTX 2080 Ti Kingpin, Corsair HX1200, Samsung 970 EVO Plus 2TB, Asus PG348Q monitor, Corsair K70 LUX RGB keyboard, Corsair Ironclaw mouse
HTPC: i7 7700 (delidded + LM), 16GB @ 2666mHz CL15 Corsair Vengeance LPX DDR4, MSI Geforce GTX 1070 Gaming X, Corsair SFX 600, Samsung 850 Pro 512gb, Samsung Q55R TV, Filco Majestouch Convertible 2 TKL keyboard, Logitech G403 wireless mouse


Is this going to be used in home or business (or otherwise more critical than home) environment?

HAL9000: AMD Ryzen 9 3900x | Noctua NH-D15 chromax.black | 32 GB Corsair Vengeance LPX DDR4 3200 MHz | Asus X570 Prime Pro | ASUS TUF 3080 Ti | 1 TB Samsung 970 Evo Plus + 1 TB Crucial MX500 + 6 TB WD RED | Corsair HX1000 | be quiet Pure Base 500DX | LG 34UM95 34" 3440x1440

Hydrogen server: Intel i3-10100 | Cryorig M9i | 64 GB Crucial Ballistix 3200MHz DDR4 | Gigabyte B560M-DS3H | 33 TB of storage | Fractal Design Define R5 | unRAID 6.9.2

Carbon server: Fujitsu PRIMERGY RX100 S7p | Xeon E3-1230 v2 | 16 GB DDR3 ECC | 60 GB Corsair SSD & 250 GB Samsung 850 Pro | Intel i340-T4 | ESXi 6.5.1

Big Mac cluster: 2x Raspberry Pi 2 Model B | 1x Raspberry Pi 3 Model B | 2x Raspberry Pi 3 Model B+


Just now, jj9987 said:

Is this going to be used in home or business (or otherwise more critical than home) environment?

Just home - it's half for addressing my own paranoia and half because I've moved into infosec as a field but at work am stuck doing very host-based things like antivirus/application whitelisting, etc and not effectively learning about network security since I'm still the FNG.


You don't need much in terms of power to push even a gig VPN. Netgate is even better at this because of the use of ASICs. What speeds do you actually need with a VPN?


Just now, mynameisjuan said:

You don't need much in terms of power to push even a gig VPN. Netgate is even better at this because of the use of ASICs. What speeds do you actually need with a VPN?

1 gig is fine for now, fiber to the house is 1gb symmetric anyway and although I can get 10gbit it's not worth the cost. I'd have to pay to upgrade the fiber interface box in my house, monthly service cost would jump from about $50 USD to I think $500, and I'd have to redo all the ethernet runs since they're only CAT5E (pretty sure none of them would support a 10gbit connection).

 

So you think I should just look at one of Netgate's home-ish devices?


2 minutes ago, Kalm_Traveler1 said:

1 gig is fine for now, fiber to the house is 1gb symmetric anyway and although I can get 10gbit it's not worth the cost. I'd have to pay to upgrade the fiber interface box in my house, monthly service cost would jump from about $50 USD to I think $500, and I'd have to redo all the ethernet runs since they're only CAT5E (pretty sure none of them would support a 10gbit connection).

 

So you think I should just look at one of Netgate's home-ish devices?

Cat5e can do 10gig up to 30m or so, but 10gig routing is a whole other ball game and you will be shelling out $1k+ for a router that can route 10gig, and forget VPNs at 10gig.

 

I would stick with Netgate as you will also have support and warranty. 


1 minute ago, mynameisjuan said:

Cat5e can do 10gig up to 30m or so, but 10gig routing is a whole other ball game and you will be shelling out $1k+ for a router that can route 10gig, and forget VPNs at 10gig.

 

I would stick with Netgate as you will also have support and warranty. 

haha good point and thank you :)

 

A few of the desktops in the house have Aquantia 10g NICs but I have zero networking equipment to even test the runs with - and as you said it would cost an arm and a leg to upgrade to a 10gbit router (never mind the service increase and likely complete lack of improvement since I can't usually saturate even this 1gb line).

 

I'll give Netgate a try then, should be a fun project!


Erm one more question if anyone can help... 

 

To use an IDS package like Suricata or Snort on the internal traffic, how would the pfsense device be connected to the rest of the network? 

 

As is, the plan is fiber > pfsense > switch/AP

But I'm not sure how it would see all internal traffic that way. I can set a switch port to full mirroring but if pfsense only has 2 NICs how would it make use of that mirroring port? 


On 12/7/2019 at 11:04 PM, mynameisjuan said:

You don't need much in terms of power to push even a gig VPN. Netgate is even better at this because of the use of ASICs. What speeds do you actually need with a VPN?

From what I can gather you are literally the only person to EVER say that, there are endless discussions on the Netgate forum about how much is enough for Gigabit.

Did you miss the bit on their product page that clearly says, and this is WITHOUT A VPN:
 

Quote
501+ Mbps  = Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters.

 

Now granted I think they are assuming an increase in number of clients proportional to the speed, and server-class hardware is definitely NOT required (especially as top-end Ryzen is giving it a run for its money now) but the CPU requirements are very real.

 

I see my i5 7200U hit 50% usage on the core OpenVPN is running on when only pulling 50Mbit when running at around 800Mhz.  I can't imagine it hitting Gigabit at full speed.

 

Using Suricata and/or Snort makes requirements even higher.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


6 hours ago, jagdtigger said:

I have Suricata running and while maxing out the 150 mbits/sec dl speed internet I have, the router uses about 20% cpu (2200G)....  Also with IDS/IPS you also need more RAM.

I ended up going for a mini pc with an i5 9400 and 16gb of DDR4 that I already had laying around. Hopefully this is good enough 


The router will not use much power, but you want it to be as responsive as possible, so I suggest a 4 core CPU if possible (2 cores is probably fine, but there could be situations where CPU queue time adds a millisecond or two to your latency). Clock speed doesn't really matter, any 4 core CPU is fine.

 

4 GB of RAM is all you need unless you plan to use plug-ins, if you do, refer to their documentation for additional RAM needs.

 

You don't need to think about 10 gig routing. Even if you install a 10 gig switch, the router only touches packets to/from the internet, and you don't have a 10 gig internet connection ?


9 hours ago, Alex Atkin UK said:

From what I can gather you are literally the only person to EVER say that, there are endless discussions on the Netgate forum about how much is enough for Gigabit.

Browse around the r/Pfsense sub and people are getting gig VPNs with i3/5s with higher clocks, as that matters more with VPN throughput. To say I'm the ONLY one to say that is a bit outlandish.

As for what true requirements are needed for base speeds, it doesn't seem as critical as you are making it out to be. These requirements seem to be outdated over the past few years.


On 12/7/2019 at 4:49 PM, Kalm_Traveler1 said:

Hey guys I'm debating setting up a pfSense device for security and to offload routing and vpn duties from my main wifi/router combo but I'm not finding any definitive answer on whether or not I'd be better off using an actual PC (small PC of course) if I want it to do routing, stateful packet inspection firewall, and run a VPN service like OpenVPN or something similar.

 

I know you can buy hardware devices from Netgate, but they seem to be fairly weak hardware-wise and if I do this I want to make sure there are zero slowdowns.

 

Can you point me to any resources for figuring out what would be best for this situation? I don't mind either building a from-scratch SFF PC, or using one of those NUC-size mini PCs as a base as long as it has dual 1gb ethernet ports, but a standalone Netgate device is fine too as long as it really won't bottleneck traffic by running those services.

 

What do you guys think?

One question I am surprised has not come up (I didn't ask it either). Are you using VPN with a tunnel provider for all your internet traffic, or are you setting up a VPN service so you can access your own network remotely? If the 2nd, then don't worry about sizing the router for VPN needs. There is a HUGE difference between the VPN needs of a business and a home. For a small business you might expect a dozen or more users connected at a time transferring meaningful amounts of data while local users are also hitting the router, or you might have a situation where all local traffic is being sent to another site over a VPN tunnel. Both of those scenarios put a meaningful load on the CPU. If you just have VPN for the very occasional remote connection into your own stuff, then don't bother adding extra CPU for that purpose. A single user isn't going to create much of a load and I highly doubt you will be pushing gigabit levels of traffic across VPN.

If you are doing all traffic over VPN, then yes, that will require more CPU.


2 hours ago, sphbecker said:

One question I am surprised has not come up (I didn't ask it either). Are you using VPN with a tunnel provider for all your internet traffic, or are you setting up a VPN service so you can access your own network remotely? If the 2nd, then don't worry about sizing the router for VPN needs. There is a HUGE difference between the VPN needs of a business and a home. For a small business you might expect a dozen or more users connected at a time transferring meaningful amounts of data while local users are also hitting the router, or you might have a situation where all local traffic is being sent to another site over a VPN tunnel. Both of those scenarios put a meaningful load on the CPU. If you just have VPN for the very occasional remote connection into your own stuff, then don't bother adding extra CPU for that purpose. A single user isn't going to create much of a load and I highly doubt you will be pushing gigabit levels of traffic across VPN.

If you are doing all traffic over VPN, then yes, that will require more CPU.

Aha very informative sir! 

 

It would be the latter, OpenVPN for myself to access home resources or bypass country restrictions when abroad (I travel to Asia about every year or so now and am planning to move over there next year - keeping this device at my mom's house in case I need to use it). 

 

The only data I had looked at was Netgate's resource recommendation based on OpenVPN bandwidth, and I have noticed that running it through my current wifi/router it feels very slow even over fiber from work nearby. 


4 minutes ago, Kalm_Traveler1 said:

Aha very informative sir! 

 

It would be the latter, OpenVPN for myself to access home resources or bypass country restrictions when abroad (I travel to Asia about every year or so now and am planning to move over there next year - keeping this device at my mom's house in case I need to use it). 

 

The only data I had looked at was Netgate's resource recommendation based on OpenVPN bandwidth, and I have noticed that running it through my current wifi/router it feels very slow even over fiber from work nearby. 

Do you know your upload speed? When using VPN, your speeds basically work backwards. If "uploading" something to your house, you are using your connection's download speed. If downloading something from your house, you are using your upload speed. If you are accessing the internet, then both are in play at the same time and upload becomes the bottleneck.


17 minutes ago, sphbecker said:

Do you know your upload speed? When using VPN, your speeds basically work backwards. If "uploading" something to your house, you are using your connection's download speed. If downloading something from your house, you are using your upload speed. If you are accessing the internet, then both are in play at the same time and upload becomes the bottleneck.

Home is 1 gbps symmetric, speed tests confirm it is consistently pretty close to that


15 hours ago, Kalm_Traveler1 said:

The only data I had looked at was Netgate's resource recommendation based on OpenVPN bandwidth, and I have noticed that running it through my current wifi/router it feels very slow even over fiber from work nearby. 

do you mean running the vpn in your current wifi/router or in the pfsense box behind your wifi/router?


1 hour ago, mtz_federico said:

do you mean running the vpn in your current wifi/router or in the pfsense box behind your wifi/router?

OpenVPN running on my wifi/router. I don't have the pfsense box yet. Pfsense will sit in front of the wifi router (changed to AP mode). 


  • 1 month later...

I am looking into doing something similar with 9600k and was wondering what performance you were getting with your build.

 

I was wanting to do some VPN server along with being a vpn client for a couple of clients on the local LAN not to mention IPS via Suricata.

 

@Kalm_Traveler are you happy with your setup? you hit line speed? what is cpu usage with all that running when you do a speed test?


On 12/11/2019 at 6:12 PM, mynameisjuan said:

Browse around the r/Pfsense sub and people are getting gig VPNs with i3/5s with higher clocks, as that matters more with VPN throughput. To say I'm the ONLY one to say that is a bit outlandish.

As for what true requirements are needed for base speeds, it doesn't seem as critical as you are making it out to be. These requirements seem to be outdated over the past few years.

I think this is where you lost me, I don't consider an i3/i5 with a higher clock to be "not very powerful" when it comes to a router.  It seemed you were assuming the comparison was being made compared to a gaming PC, but unless you know what the person asking considers to be "not very powerful", you need to be way more specific when making such claims.

 

There are a LOT of appliances for sale pre-installed with pfSense that are Atoms, Celerons, older/laptop i3/i5s, so DON'T have higher clocks and would easily bottleneck on OpenVPN.

 

As mentioned above, if a 2200G hits 20% load at 150Mbit with no mention of OpenVPN, that's clearly not enough for Gigabit in one direction, let alone symmetrical.  There are a lot of i3/i5 and even i7 CPUs that perform similar to a 2200G.


13 hours ago, bigjohns97 said:

I am looking into doing something similar with 9600k and was wondering what performance you were getting with your build.

 

I was wanting to do some VPN server along with being a vpn client for a couple of clients on the local LAN not to mention IPS via Suricata.

 

@Kalm_Traveler are you happy with your setup? you hit line speed? what is cpu usage with all that running when you do a speed test?

very happy with it - I haven't had an instance to use the VPN though (been in town/home since I got it set up). Soon as I can use it externally I'll report back what CPU utilization is. With just base pfSense doing the usual router/firewall/dhcp and Suricata it sits around 2% CPU utilization.
