I am getting rather comfortable with using pfSense. Been reading up and doing tons of research on this superb software and I think very soon I will embark on my next project. As you guys know I have been using pfSense in my office. Just an old Pentium IV system with about 1.5GB of RAM. These pieces of hardware are about 7 years old! And it is running fine! Sure, the power supply gave up a while back, but this is expected. Once the power supply was replaced, everything was smooth. I didn’t face any major problems using pfSense. Currently it is being used as a very basic NAT router and firewall, as well as some Intrusion Detection. Just added an HTTP proxy to it and nobody is complaining. In fact I think it has sped up a little. As you guys should know by now, all the ISPs in Singapore do have transparent proxies so it is actually a proxy behind a proxy.
Anyway, the office setup isn’t a real firewall with all its features intact. This is probably because I don’t want to overload the pfSense box. Sure we have about 10 users only, but still it would be 10 angry people around if something goes wrong. So why risk it? A better idea would be testing it from my home. However one of the problems of using an off-the-shelf computer (even old ones) is the power consumption and they take up lots of space. I think with a normal computer system running, the electricity bills would cost hundreds of dollars per year. A more practical idea would be using something that consumes less power, like a Mini-ITX Atom based system. Furthermore Atom based systems are pretty cheap nowadays. Well, not in Singapore but in most other countries. That is why I am planning to buy most of the stuff online. eBay is a good source for such systems and there are sellers that have tested their hardware with pfSense and know that it works very well. You will need an Atom board that comes with dual LAN ports – hey it is going to be a firewall cum router. Without dual LAN ports, I believe pfSense wouldn’t even install for you. Realtek seems to be a bad choice, seeing the number of complaints people have with cheap Realtek LAN cards. Since this (the LAN port) is going to be a very important component, it makes sense to spend some time searching for the right one. I would certainly choose Atom boards that come with Intel LAN ports. They are known to be more reliable.
I will be buying the Mini-ITX Atom board and casing online. The rest of the stuff, I think I will get them locally. Overall, Singapore is cheaper when it comes to parts and accessories. Especially the hard disk, which I am afraid the courier guys will smash before it even reaches me. In Singapore, the RAM and hard disks from Sim Lim Square are cheap. So no worries about breaking the budget. Since most Atom boards can support only up to 4GB, I think I will go for the maximum. As for the hard disk, there is no real need for it to be real big. Even with tons of log files and cache for the proxy, it would probably not reach what is available in the market nowadays. I will get the cheapest I can find. Once I assemble all the parts, I will report back here. Let the fun begin!
For your information, I actually used to run m0n0wall as my home router. No hard disk required. Just a CD-ROM drive, 2 LAN cards and a floppy disk. All the configuration files are stored on a floppy. Now isn’t that cool? pfSense is a m0n0wall fork, which means that they developed pfSense from the m0n0wall distribution, which is based on FreeBSD. I had used it for a long time without any problems. However m0n0wall does not come with many enterprise features. Just a NAT device and a basic firewall. You can use pfSense as a UTM device but for m0n0wall, you will be hard pressed to find such features. But they are two entirely different beasts. m0n0wall works very well for small offices that do not worry about intrusions and just want to stop basic attacks on their systems. Most small companies fall into this category. It is not that m0n0wall is not secure, but bigger organizations might need something more powerful.