pfSense router build
Published 5 April 2014.
I’ve previously made use of a VPN connection to provide an additional layer of security during my time working at remote locations. Having a UK based IP address is also useful for being able to watch UK TV via BBC iPlayer and ITV player when travelling also. I decided I wanted to add VPN functionality at the edge of my home network rather than per device so set about building a pfSense router to provide that functioanlity.
I’ll cover the setup of the pfSense software in a separate but I initially wanted to get this hardware build post out as I’ve noticed a lot of problems that people look for support with are down to trying to run pfSense with complicated rulesets on old hardware they had lying around. You can run pfSense on old or low powered devices like old Pentiums, Raspberry Pi’s and Asus routers with Merlin or Tomato firmware, but experience shows these limit performance to around 20mbps due to limited processing power and are often the source of problems when pushed beyond their capabilities. We certainly need more horsepower to run a 100mbit+ OpenVPN tunnel with low latencies.
I plan on continuing to use my Airport Extreme & Airport Express wireless access points to provide wifi access around my home and office. I’ve noticed a significant improvement in reliability upgrading from previous consumer spec wifi access points from the likes of Asus. Apple devices may not be the fastest access points on the market but they are cheap, easy to obtain and provide as close to fit and forget as I’ve experienced at this class of device so far. See the SmallNetBuilder review here for more details.
I built a small form factor PC to provide high end router functionality cost effectively. Overall goals for the build included being physically small, quiet, low powered whilst still being powerful enough to not negatively affect my 120mbps+ internet connection whilst running OpenVPN AES-256 encryption plus overheads of some packet inspection via Snort.
Motherboard selection
I wanted a motherboard which would be reliable, stable, low powered, support reasonably powerful CPUs and most importantly, offer at least two onboard Intel network connections, one for my Internet connection and one for my LAN connection. Intel NICs are the preferred choice because they are widely supported and facilitate low CPU overheads. The shortlist included the Intel DQ77KB, Supermicro X9SPV-M4 and Jetway NF9J-Q87.
I decided on the DQ77KB because it was tested and proven capable by the pfSense community. They are fairly difficult boards to obtain now as they are discontinued sadly. I also appreciated the DQ77KB was supported by the Akasa Euler silent case if a suitably low powered (less than 35W) CPU was used. Remote management was useful as the router would be deployed in a headless state and dragging a keyboard and monitor to it when/if it needed attnetion wasn’t an option.
The Supermicro X9SPV was eliminated because it was relatively expensive in comparison to the other alternatives, although I appreciated the fact it supported server grade ECC Ram and provided KVM remote management support over IP via IPMI. This was less important as the Intel board also supported KVM-IP functionality via vPro.
I eliminated Jetway’s NF9J because its a newer generation board and there wasn’t much info about running pfSense on it at the time I was looking to make a purchasing decision.
Case
Cases are probably the most subjective decision of any build. I wanted this router to be small and silent. I also didn’t need much room for further expansion and wanted to avoid noisy 1U server fans. Shopping around I came across the Akasa Euler which was capable of holding a mini-ITX motherboard and cooling a CPU up to 35W TDP. It has limited motherboard compatability and was partly responsible for the decision to use the Intel DQ77KB motherbaord.
Internet port on the left, LAN port (also management) on right hand side, coloured red. Notice the DC power input on bottom left.
CPU selection
Having selected the Intel DQ77KB motherboard and Akasa Eurler case, selecting a CPU capable of being cooled by the passive Euler case whilst still providing enough horsepower to process 100mbit+ of OpenVPN traffic via VPN was the next challenge. According to users on pfSense’s forums, any i3 or above processor would be powerful enough for my needs so I just needed to find one with a max TDP of around 35W max and supporting vPro to enable remote management. Here’s the research I did into compatible CPUs.
| Intel e3-1265Lv2 | Intel e3-1260L | Intel i5-3470T | Intel i3-3220T | Intel G860T | Intel G640T | Intel G530T | Intel i7-3612QE | Intel i7-3770T | Intel e3-1230 v2 | ||
|---|---|---|---|---|---|---|---|---|---|---|---|
| CPU | 22nm | 32nm | 22nm | 22nm | 32nm | 32nm | 32nm | 22nm | 22nm | 22nm | |
| Cores/Threads | 4/8 | 4/8 | 2/4 | 2/4 | 2/2 | 2/2 | 2/2 | 4/8 | 4/8 | 4/8 | |
| GHZ/Turbo | 2.5/3.5 | 2.4/3.3 | 2.9 / 5.6 | 2.8 | 2.6 | 2.4 | 2.0 | 2.1 / 3.1 | 2.5 / 3.7 | 3.3 / 3.7 | |
| Cache | 8MB | 8MB | 3MB | 3MB | 3MB | 3MB | 2MB | 6MB | 8MB | 8MB | |
| MaxTDP | 45W | 45W | 35W | 35W | 35W | 35W | 35W | 35W | 45W | 69W | |
| HD Graphics | HD 2500 | HD 2000 | HD 2500 | HD 2500 | HD | 2000 | HD | HD4000 | HD4000 | ||
| RAM Speed | 1600 | 1333 | 1600 | 1600 | 1333 | 1066 | 1066 | 1600 | 1600 | 1600 | |
| ECC | Y | Y | N | N | N | N | N | Y | N | Y | |
| VPro | Y | Y | Y | N | N | N | N | Y | Y | Y | |
| VT-x | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | |
| VT-x wEPT | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | |
| VT-d | Y | Y | Y | N | N | N | N | Y | Y | Y | |
| AES | Y | Y | Y | N | N | N | N | Y | Y | Y | |
| Displays | 3 | 2 | 3 | 3 | 2 | 2 | 2 | 3 | 3 | ||
| WiDi | N | N | Y | Y | N | N | N | N | Y | ||
| Geekbench (single-core) | 2983 | 2558 | 2934 | 2288 | 2048 | 3056 | |||||
| Geekbench (multi-core) | 10974 | 8369 | 6117 | 4923 | 10915 | ||||||
| Passmark | 8141 | 6313 | 4556 | 3732 | 6665 | 8282 | 8863 | ||||
| Price | $294.00 | $294.00 | $184.00 | $117.00 | $75.00 | $72.00 | $42.00 | $426.00 | $294.00 |
Having eliminated the i3 and GxT range as they don’t offer vPro support for remote management, eliminated the now discontinued e3-1260L and eliminated higher TDP CPU’s, I was left with a choice between the server class Xeon E3-1265Lv2 and the i5-3470T.
The Xeon was arguably the better CPU, but I went with the i5 due to significantly lower costs and because its a true 35W TDP unit so will be thermally manageable within the Euler case. The ECC Ram which is a definite advantage of the Xeon chip isn’t support on the DK77KB motherboard so wasn’t a factor in my decision.
There’s some good performance comparisons on line that suggest either would be more than capable of meeting my performance requirements.
Storage
Theres much talk on pfSense forums about the questionable reliability of SSDs used in firewalls due to the volume of log writing that takes place. I decided to take the risk with a SSD and see for myself how long one would hold up. Looking at the endurance and data volume specifications obtined from the manufacturer sites, it looks like it should last a good while.
| Intel s3500 | Intel s3500 | Intel 525 | Intel s3700 | |
|---|---|---|---|---|
| Form Factor | 1.8” | 2.5” | mSATA | 2.5” |
| Model Number | 00AJ040 | 00AJ000 | ||
| Capacity | 80GB | 120GB | 30GB | 100GB |
| Lithography | 20nm MLC NAND | 20nm MLC NAND | 25nm MLC NAND | 25nm MLC NAND |
| Interface | 6 Gbps SATA | 6 Gbps SATA | 6 Gbps SATA | 6 Gbps SATA |
| Capacity | 80 GB | 120 GB | 30GB | 100GB |
| Endurance | 5-year lifetime(45 TB TBW) | 5-year lifetime (70 TB TBW) | 3-years | 5 years, 1,825 PB |
| Data reliability | < 1 in 1017 bits read | < 1 in 1017 bits read | < 1 in 1016 bits read | < 1 in 1017 bits read |
| MTBF, hours | 2,000,000 | 2,000,000 | 1,200,00 | 2,000,000 |
| IOPS reads* | 70000 | 75000 | 5000 | 75000 |
| IOPS writes* | 7000 | 4600 | 10000 | 19000 |
| Sequential read rate (Mbps) | 340 | 445 | 500 | 500 |
| Sequential write rate (Mbps) | 100 | 135 | 275 | 200 |
| Read latency | 50 μs | 50 μs | 80 μs | 50 μs |
| Write latency | 65 μs | 65 μs | 85 μs | 65 μs |
| Shock, operating | 1000 g, 0.5 ms | 1000 g, 0.5 ms | 1000 g, 0.5 ms | 1000 g, 0.5 ms |
| Vibration, operating | 2.17 g rms 5-700 Hz | 2.17 g rms 5-700 Hz | 2.17 g rms 5-700 Hz | 2.17 g rms 5-700 Hz |
| Vibration, non-operating | 3.13 g rms 5-800 Hz | 3.13 g rms 5-800 Hz | 3.13 g rms 5-800 Hz | 3.13 g rms 5-800 Hz |
| Typical power | 5 W | 5 W | 300mW | 2.9W |
| Temp under load | 70degC | 70degC | 30DegC | |
| Price | $115.00 | $134.00 | $54.00 | $235.00 |
| Notes | power saving capcitors | power saving capcitors | no power saving capcitors | power saving capcitors |
Keeping with the no moving parts and silent approach taken so far, I took advantage of the mSATA port on the DQ77KB and used the Intel 525 MSATA SSD providing a relatively meagre 30GB of storage. Its far from the largest or fastest SSD on the market due to its limited memory channels, but its still fast enough for this machines purposes and will be more than large enough even if I decide to use local web caching. The mSATA port will also require less power than a full sized sata SSD keeping running costs down further. Case clutter will be minimised becase no cables are needed to connect the mSATA drive to the mtoherboard connector. The 525 does not provide capacitors to ensure data held in its memory can be written to disk in case of a power failure and this is a worry. I’ll mitigate this risk by running the router from my APS UPS battery backup.
Memory
I selected to use 8GB of memory from Corsair in the form of their Vengeance DDR3 SO-DIMM’s which provides tight memory timings (1600MHz 9-9-9-24, 1.5V). I didn’t see the need for 16GB RAM or for enthusiast specification overclocking capable premium chips.
PSU
The Intel DQ77KB runs from a 19v DC connection so I only needed a laptop style external PSU capable of providing a moderate 60w of power. Luckily I had one from an old HP machine lying around which was suitable.
Final Specification, Costs & Summary
Configuring the pfSense software has been time consuming, its complicated software and getting it right takes some experimentation. However the PC meets it targets goals, physically its silent and only consumes 25W when under load measured by a Wattmeter. CPU utilisation is around 10-15% on average and internet bandwidth is unaffected outside of the VPN overheads itself. Maximum throughput has seen a 10% reduction from 120Mbit to approximately 108Mbit. I can live with this given the additional security all my devices are now afforded. The machine has been completely stable since setting it up and runs at around 50degrees celcius in the passive case.
These are the current Uk retail prices to build an indetical router. The pfSense software is free.
| Component | Description | Price | Supplier |
|---|---|---|---|
| Case | Akasa Euler | £51.07 | CCL |
| PSU | Laptop PSU | £0.00 | Spare parts bin |
| Motherboard | Intel DQ77KB | £98.91 | Ebay |
| CPU | Intel i5-3470T | £138.18 | Scan |
| RAM | Corsair Vengeance 2*4GB | £66.96 | Scan |
| Hard Disk | Intel m525, 30GB SSD | £41.16 | Scan |
| TOTAL | £396.28 |