Should I virtualize my firewall or get a cheap pfsense box like this?

that's a really cute little thing you have there, user

>cheap pfsense box
isn't that like $150 with shit specs
you can get a low-power fanless x86 celery box for $150

why does one use a firewall like this instead of using the router's built-in one? honest question

what's a virtual firewall

how is it not the same thing

Using a VM on an already existing server.

I want the practice of managing/monitoring one.

>using the router's built-in one
Because it sucks

>$150
>not even PoE powered

gtfo

Assuming you run the same OS on your router, how so?

>Implying someone sane wants that.


I bought the PCEngines APU2C4 for my home network. Beefier unit than the SG-1000.

APU2C4 = £280 (Quad Core x86-64, 16GB mSATA, 4GB RAM, 1xWAN, 2xLAN, Wifi)
SG-1000 = £150 (dual core ARM, 4GB eMMC, 512MB RAM, 1xWAN, 1xLAN, no-wifi)

The more expensive SG-3100 box is also only a dual core with other shit specs as well, and it's £265 without VAT. The APU2C4 just made more financial sense for a low-powered pfsense firewall.

Should add that the APU2C4 price is with wifi optioned. It's cheaper without, since the wifi is nothing more than a mini PCIe card, antennas and tails, which adds an extra £45 to the overall price. You can spec it without and then put that money towards a different AP like Ubiquiti or something. I didn't, because I wanted an all-in-one box.

What's wrong with iptables?

pfsense is a router & firewall. A very high quality one to boot.

I have an old desktop with two gigabit NICs running pfsense at home as a router and it runs great. You get a lot of enterprise features like traffic shaping and a captive portal.

It's not power efficient. The SG1000 is ARM-based and basically an RPi with GbE; it's a pretty good deal.

Never virtualize your firewalls; that's at least what I'd say if I were discussing this at work. For private users... meh, most attacks are so trivial that nobody would even bother trying to go further if they actually rooted it (which on its own is pretty unlikely).

pfsense btw nowadays relies on AES-NI, so... depending on how paranoid you are you might not want to use it and just use straight-up OpenBSD and pf on some AMD-based CPU.
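A practical check for the AES-NI point above, and for the VPN throughput arguments further down the thread, as an added example that is not part of any post here: a POSIX sh script that reports whether the CPU exposes AES acceleration (the `aes` token on the flags/Features line of /proc/cpuinfo on x86 and ARM Linux; the `AESNI` feature in the boot messages of FreeBSD, which pfsense runs on) and, with BENCH=1, times OpenSSL's AES-128-GCM twice on the same box: once with AES-NI allowed and once with it masked out through OPENSSL_ia32cap, so you can see the software-AES fallback a CPU without the instruction set would be stuck with. The cpuinfo parsing, the /var/run/dmesg.boot path and the `~0x200000000000000` mask (OpenSSL's documented capability bit for AES-NI) are this script's assumptions; the benchmark part is x86-only and needs an openssl binary.

```shell
#!/bin/sh
# Added example (not from the thread): detect AES acceleration and show what
# losing it costs OpenSSL's AES-GCM. The cpuinfo/dmesg parsing and the
# OPENSSL_ia32cap mask value are this script's assumptions, not anything
# pfsense ships.

# Return 0 if a /proc/cpuinfo-style text (passed as $1) lists the "aes"
# token on its "flags" (x86) or "Features" (ARM Linux) line.
# grep -w needs a word boundary on both sides, so "vaes" alone does not count.
cpuinfo_has_aes() {
    printf '%s\n' "$1" \
        | grep -E '^(flags|Features)[[:space:]]*:' \
        | grep -qw aes
}

# Same check for the running host. Linux: /proc/cpuinfo. FreeBSD (the base
# of pfsense) prints "<...,AESNI,...>" in its CPU feature line at boot, kept
# in /var/run/dmesg.boot (assumed path) and in the live dmesg buffer.
host_has_aes() {
    if [ -r /proc/cpuinfo ]; then
        cpuinfo_has_aes "$(cat /proc/cpuinfo)"
    elif [ "$(uname -s 2>/dev/null)" = "FreeBSD" ]; then
        { cat /var/run/dmesg.boot 2>/dev/null; dmesg 2>/dev/null; } | grep -q 'AESNI'
    else
        return 1
    fi
}

# x86 only: run "openssl speed" on AES-128-GCM twice, once as-is and once
# with the AES-NI capability bit (bit 57 of OPENSSL_ia32cap; the leading "~"
# clears it) masked, which forces OpenSSL onto its software AES path.
# Prints the header row plus the throughput row (kilobytes/s per block size).
bench_aes_gcm() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    echo "aes-128-gcm, AES-NI allowed:"
    openssl speed -elapsed -evp aes-128-gcm 2>/dev/null | tail -n 2
    echo "aes-128-gcm, AES-NI masked (software AES):"
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -elapsed -evp aes-128-gcm 2>/dev/null | tail -n 2
}

if host_has_aes; then
    echo "AES acceleration: present"
else
    echo "AES acceleration: not found"
fi
if [ "${BENCH:-0}" = 1 ]; then
    bench_aes_gcm
fi
```

Run it as `sh aesni-check.sh` for the flag check alone, or `BENCH=1 sh aesni-check.sh` to get both throughput rows; the gap between them is the gap the thread is arguing about for the OpenSSL-backed side of an OpenVPN tunnel, since that is the code path a CPU without AES-NI lands on. On ARM the mask variable is OPENSSL_armcap instead, which the script does not handle.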

>It's not power efficient. The SG1000 is ARM-based and basically an RPi with GbE; it's a pretty good deal.

When you're under 10w, it begins to be irrelevant. The ARM chip isn't even dual core. So God help you if you're using OpenVPN or something.

So it boils down to whether you want to save points of a cent/penny on your electric bill, or have a beefier CPU that can handle a busier network and crunch encryption.


>It's not power efficient
nigger all those celery incels hover around 5W TDP at max load on all four cores

> 150 € single core
> 22Mbps throughput
into the trash it goes

>The ARM chip isn't even dual core
Who gives a shit, it's a small SOHO system which is good enough for moving packets from A to B. Look at your shitty router from your ISP and tell me that the MIPS inside has more than 1 core on average.

>So it boils down to whether you want to save points of a cent/penny on your electric bill, or have a beefier CPU that can handle a busier network and crunch encryption.
Not really, because a shitty Pentium or Celeron will perform as badly as an ARM SoC with AES-NI.

I can tell you from experience that generating a DNSSEC key on a first-gen Pi takes like ~12 hours, though having tunnels established via SSL is a joke on performance peak. Both sides share their keys, establish a connection with a negotiated symmetric key, ez, you have a little spike in top and then it's gone.

Now if you want to run Suricata or Snort... that's a different story, then you need CPU power and memory.

Buy a cheap fanless mini pc with 2 or 4 ethernet ports from china.

you can buy a used i5-4590 for around 100€ and add a second GbE card for 20€ and basically have a fucking beast to run your firewall.
don't buy that shit, it's worth 25€ max

You can get a cheap ass $10 box with similar specs that can run pfsense.

>Who gives a shit, it's a small SOHO system which is good enough for moving packets from A to B. Look at your shitty router from your ISP and tell me that the MIPS inside has more than 1 core on average.
I don't have a shitty router from my ISP. I'm using the APU2C4.

>Not really, because a shitty Pentium or Celeron will perform as badly as an ARM SoC with AES-NI.
teklager.se/en/knowledge-base/apu2-vpn-performance/

Meanwhile the SG-1000 can barely do 25Mbps over OpenVPN. WireGuard performance absolutely smashes OpenVPN using all four cores on the APU2C4. And until WireGuard runs on FreeBSD, the SG-1000 ain't getting it.

>I can tell you from experience that generating a DNSSEC key on a first-gen Pi takes like ~12 hours, though having tunnels established via SSL is a joke on performance peak. Both sides share their keys, establish a connection with a negotiated symmetric key, ez, you have a little spike in top and then it's gone.
Are you arguing that waiting 12 hours to generate keys is acceptable or what?

The SG-1000 is shit. ARM is shit for use in a network device unless you plan on doing absolutely fuck all with it. When it's such a shit single core ARM CPU, it's a fucking joke. Especially when OpenVPN is single threaded.

The only thing the SG-1000 has going for it is the fact it pulls 2.5w at idle. The APU2C4 pulls a max of 12w, and only at full CPU load. You can also install what you want on it, be that any distro of Linux, or any of the BSDs, and build your router/firewall from the ground up yourself, should you be that anal retentive.

The only reason you'd buy an SG-1000 or even the SG-3100 is to support Netgate.

>Are you arguing that waiting 12 hours to generate keys is acceptable or what?
No, I'm talking about performance over time of different use cases, one where you actually generate crypto keys and the other where you simply use them.

>The SG-1000 is shit. ARM is shit for use in a network device unless you plan on doing absolutely fuck all with it. When it's such a shit single core ARM CPU, it's a fucking joke. Especially when OpenVPN is single threaded.
It's good enough for what it's supposed to do, and for someone who wants support out of the box this is a great package. I haven't read the entire thread but I couldn't see OP arguing for OpenVPN being a hard criterion; most folk here wouldn't know what to do with the features the apu2 devices provide.

>I don't have a shitty router from my ISP. I'm using the APU2C4.
You know what I mean.

It should be more of a question of what OP is capable of, what he wants to achieve and how much he is willing to invest; otherwise we are just assuming shit.

>set up firewall (nftables) on low end haswell xeon box
>everything a ok
>add intrusion prevention system (snort)
>box constantly drops packets because only 8GB of RAM
>after upgrade, a ok again
yeah, nah. if you want to do fun stuff you probably want some higher specs