Budget 0-20k ultra-slim, fanless, dual-LAN firewall box

silverbyte

Questions
  1. What is your budget?
    • <20k
  2. What is your existing hardware configuration (component name - component brand and model)
    • None
  3. Which hardware will you be keeping (component name - component brand and model)
    • None
  4. Which hardware component are you looking to buy (component name). If you have already decided on a configuration then please mention the (component brand and model) as well, this will help us in fine tuning your requirement.
    • 32 GB SSD for running the firewall OS - pfsense
  5. Is this going to be your final configuration or you would be adding/upgrading a component in near future. If yes then please mention when and which component
    • NA
  6. Where will you buy this hardware? (Online/City/TE Dealer)
    • Delhi
    • Open to online purchase
  7. Would you consider buying a second hand hardware from the TE market
    • No
  8. What is your intended use for this PC/hardware
    • Firewall
    • PFSense operating system
    • Dual NIC mandatory to be used as a firewall
  9. Do you have any brand preference or dislike? Please name them and the reason for your preference/dislike.
    • NA
  10. If you will be playing games then which type of games will you be playing?
    • NA
  11. What is your preferred monitor resolution for gaming and normal usage
    • No monitor
  12. Are you looking to overclock?
    • No
  13. Which operating system do you intend to use with this configuration?
    • Freebsd based PFSense

hi guys,

Need a very small, ultra-slim, dual-nic hardware for my pfsense based firewall. I was looking at this (originally via this discussion) - and it is perfect for me. Could someone help on what is possible in India?

I have been looking at some Intel NUC on Amazon (here), but most of them go over 20K and don't have dual NIC. Need some help!
 
Don't buy that, I have the same, and it's crap. Well, I have the 1037U board, it has 2 Realtek GbE interfaces and works well.... well, most of the time. Sometimes we see issues needing a restart.

Buy this instead

Mi NAS 25 from ebay - Has dual Intel NICs and a PCIe 1X slot which can accommodate a single NIC or a WiFi card.
1GB or up to 4GB SODIMM - 1.5V DDR3 1066 MHz
HDD/PSU/Cabby/ - your choice

Buy a PCIe 1X WiFi Card or USB card which has the WLAN chipset on the supported list. I use APs, not the router to do WiFi.

Alternatively, look at DDWRT, OpenWRT to run the routing. OpenWRT would be more suited to a home user and would allow packages such as torrents/etc (ipkg) files to be added.

Rather than a 32GB SSD, use a pen drive, run the embedded version. However, if you want to run all packages, preferably run it on a HDD. An SSD is not that much of a plus for pfsense.
 
@vivek.krishnan thank you so so much for this. Just to make sure I understand your config correctly - is it this http://www.amazon.in/Motherboard-MI...scsubtag=879305b0-a36e-44a0-9dac-490ee2b7e99a

what power supply and enclosure are you using? Remember that this will be running 24/7 - this is for work and not for home.

I don't have too much experience between pfsense and openwrt - but I'm going to be connecting access points as well? I need to service about 100 laptops using this. What access points are you using ... and most importantly how does one configure it? do I just take any access point and connect it to the output of pfsense and it will work ... or is there any config that needs to be done?

in this context would you still recommend pfsense vs openwrt (btw, as per your advice.. i will probably use a 64GB pen drive!)

EDIT: btw - some of the reviews mention that it has difficulty in detecting boot pendrive and having the power to run openfiler, etc. Would you still recommend it over the others? (http://www.amazon.in/review/R3KN1ND...ail-glance&nodeID=976419031&store=electronics)

@vivek.krishnan also - we are planning to have two incoming internet links (from different service providers) that go and connect to our local LAN switch. we can distribute our bandwidth over both links (or for failover).

will this hardware support that kind of configuration ?
 
We have pfsense running in 2-3 locations.

We use standard PSU. As long as the power is clean, there is no need to spend on expensive PSU. But at factory it runs on Lenovo (Delta OEM) PSU.

It is more than enough for running pfsense. I have run Windows Server 2012 R2 on it as well. Plex too. Don't use openfiler - not recommended.

Rather than this for a NAS, get the entry level Synology, which has 2 HDDs and costs 15k. Works well with AD as well. You could make this as well into an XPenology box, which I did for kicks.

For pfsense - If you are going to use more than 2 links, this is not the board to buy, instead get a standard machine, put a 4 port NIC and use that instead. You get the NICs for 7k on ebay.

http://www.ebay.in/itm/Dell-Intel-P...010010?hash=item43f2c81e1a:g:ptQAAOSwR5dXRVdw

Yes, it can distribute and do all sorts of stuff.
 
Based on the conversation we had, this is what I would recommend

1. Get an assembled machine with an entry level PSU which should run 24x7, with a mobo with at least 2 PCIe slots - x16 and x4 so that you can add more NICs in the future. Purchase the Intel NIC from eBay.

2. Set up pfsense without any WAN connections, then add each WAN connection. Add each WAN connection and then make the failover and load balancing groups. Tiers will be same for load balancing and different for failovers.

3. Blocking Internet access :

You need to understand that any firewall is built on the rules you make, and these are followed top to bottom. You need to cover all angles.

You have 2 ways basically

Whitelisting devices/sites or blacklisting sites/devices

Make a list of URLs/IPs that are needed to be accessed by users, allow all users to access these, and ensure that the allow all rule is disabled. Do the same for each IP/device etc. Make specific rules for email and etc.

If you wanna block for all users, you can use DNS filtering from OpenDNS (not free) or a combination of Squid+Squidguard+ShallasList (after a free email contract)

Let me know if you need any help. Call me anytime.
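
The gateway-group tiers from step 2 and the top-to-bottom rule matching from step 3, modelled as an added example that is not part of the original post and is not pfsense code. The addresses, ports and gateway names are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample whitelist: (action, destination network, port or None = any)
WHITELIST = [
    ("pass", "203.0.113.10/32", 443),   # approved web application
    ("pass", "198.51.100.25/32", 587),  # mail submission
]
ALLOW_ALL = ("pass", "0.0.0.0/0", None)  # the rule the post says to disable


def evaluate(rules, dst_ip, dst_port):
    """Walk the rules top to bottom; the first match decides, no match blocks."""
    addr = ipaddress.ip_address(dst_ip)
    for action, net, port in rules:
        if addr in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return "block"


def active_gateways(group, online):
    """Return the online gateways of the lowest-numbered tier that has any.

    Equal tiers share traffic (load balancing); a higher tier number is
    used only when every gateway in the lower tiers is down (failover).
    """
    for tier in sorted(set(group.values())):
        up = sorted(gw for gw, t in group.items() if t == tier and online[gw])
        if up:
            return up
    return []


# Hypothetical gateway names mapped to tier numbers.
LOAD_BALANCE = {"WAN1": 1, "WAN2": 1}
FAILOVER = {"WAN1": 1, "WAN2": 2}

if __name__ == "__main__":
    print(evaluate(WHITELIST, "203.0.113.10", 443))             # whitelisted
    print(evaluate(WHITELIST, "192.0.2.80", 80))                # not listed
    print(evaluate([ALLOW_ALL] + WHITELIST, "192.0.2.80", 80))  # allow-all left on
    both_up = {"WAN1": True, "WAN2": True}
    print(active_gateways(LOAD_BALANCE, both_up))
    print(active_gateways(FAILOVER, both_up))
    print(active_gateways(FAILOVER, {"WAN1": False, "WAN2": True}))
```

With the allow-all rule still enabled anywhere in the list, the unlisted destination is passed, which is why the whitelist only works once that rule is disabled.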
 
Quick update for everyone in case anyone has this question later.

First, a super thanks for @vivek.krishnan - he has been incredibly helpful ... called and talked to me on the phone on at least 2 occasions for nearly an hour. Thanks a lot vivek!

So on pfsense forums, i was recommended this box - http://www.aliexpress.com/item/Eglo...442.html?spm=2114.13010108.99999999.10.rNXuRL . One big plus is that it has 4 intel gigabit NIC, so was pretty sure it would be compatible with pfsense.

apparently it is quite popular for pfsense setups and everyone thinks that it will work well for two WAN links of 16-24 mbps load balancing and failover. I bought one with 4GB ram and 8GB ssd. cost me 177$ and free shipping via fedex. Had to pay 1500 rs as duty to fedex.

it reached home in 4 days - it is the size of 2 packs of cards. Incredibly awesome. I have been running it 24/7 for 3 days now and it hasn't conked off (fingers crossed). I downloaded the USB img of pfsense and "restored" it to my usb drive using Fedora Linux. Plugged it in and it was installed in 5 mins. P.S. remember that the output is VGA only, so you need to buy a VGA cable to connect to your TV. surprisingly VGA->HDMI and VGA->3RCA cables didn't work.

i now have it feeding my wifi router (that is now setup as an access point). I really recommend this setup to people running small offices - it has features of more expensive 1 lac plus routers in a tiny package.
 
Great to know it works for you.

As for the comparison with the paid equivalents, if there is an issue, you are on your own. And there is not much money to be made in selling hardware, but subscriptions, that's why I guess this is not taking off in India.
 
hi vivek - well pfsense is popular with a lot of consultants. I just checked that Upwork has a lot of consultants who work. I'm sure they are not the top level experts in this (like you!) ... but for small usecases like us, it works great.
I think I'm going to recommend this setup to more startups that I know... a lot of people are in the same boat as us and cannot afford expensive equipment. even if this fails twice a year... it still is much cheaper than alternatives.
 
In that case, I will try to see if I can write a guide for this. Basically, what to do and what not.

And great that you donated to devs, its a great thing!
 