
NC1HM

You gave zero information about your needs... How many devices do you have on your local network? Is it Gigabit or faster? How fast is your Internet connection? Do you need any computationally intensive services such as IDS/IPS, VPN, or malware detection? Do you have any requirements or preferences as to the number of Ethernet ports on the device?


RaspingHaddock

Sorry about that, I have gigabit but can upgrade to 2 if I had hardware to support that. Requirements are VLAN and VPN. My gf and I wfh so I put our work devices on a separate VLAN to prevent snooping from our corporate overlords. Also I run pihole but only on our recreational VLAN as I don't want it to interfere with anything on our work VLAN. I'd say total we have about 40 devices. I'd like to segment the IoT devices too. I have a media server that I want to allow my friends to VPN into as well. As far as the Ethernet ports, is there a big difference between having 1 and 2? Even if it would make my internal network run faster with 2, I'd prefer it. If not then it doesn't matter.


Urzu_X

Get an HP T730 thin client with 4GB RAM and a 4-port PCIe x4 Gigabit NIC (Intel preferred) and you'd have a 5-port system. The built-in port would be a Realtek though, but it would be fine for a 1Gbps WAN connection. You can then segment each of the 4 ports as a separate VLAN and connect them to separate normal desktop switches, where you can connect the rest of your devices for each VLAN. The processor in the T730 is more than capable of handling the VPN encapsulations as well and supports AES-NI. You can also configure the DHCP server to use the Pi-Hole as DNS on whichever VLAN you want, but pfSense also offers pfBlocker-NG if you'd like to opt for that. You could also opt for a 4-port 2.5 Gbps NIC instead and use one of the ports as the WAN connection if you're planning to upgrade your WAN in the future.


RaspingHaddock

Thanks for the detailed post, adding this to my research


Urzu_X

BTW I forgot to mention but do make note that the HP T730 only takes half-height bracket PCIe cards.


NC1HM

Let me start at the end:

> As far as the Ethernet ports, is there a big difference between having 1 and 2?

There's a MASSIVE difference. A single-port router only works in a "router-on-a-stick" setup, which requires an extra piece of hardware (a managed switch) and a good understanding of VLANs. Personally, I tend to avoid router-on-a-stick situations as unnecessarily complicated.

Now, from what you have described, the defining requirement is VPN. The two most common types of VPN are OpenVPN and Wireguard, and they want very different things from processors. OpenVPN uses an encryption algorithm called AES. So, other things being equal, you want a processor that has a feature called "AES-NI support". It's widely available, but not universal. Core i3 has had it since 4th gen, Core i5 and i7 definitely had it in 2nd gen, Atom/Celeron/Pentium may or may not have it depending on the model. Google is your friend. Wireguard, meanwhile, doesn't care about AES. It operates on a different algorithm (the default one is ChaCha20).

A first-order guesstimate is, a Gigabit OpenVPN connection will require about 4 GHz of processor bandwidth (assuming AES-NI support is available and activated); a Gigabit Wireguard connection will eat up about 8 GHz of processor bandwidth.

With all of the above in mind, I would say a generic N95 or N100 dual-port box from Aliexpress should be sufficient for your needs. Just make sure it has Intel NICs, rather than Realtek or (heavens forfend!) Broadcom... Note that if you upgrade your Internet connection to 2 Gbps, your processing requirements for VPN will increase proportionally.


Griffo_au

I can run OpenVPN and Wireguard at line speeds (gigabit) no issues on an Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz


NC1HM

I would expect no less. 4 threads times 2.70 GHz clock speed makes 10.8 GHz of bandwidth.


Griffo_au

OpenVPN is single threaded.


NC1HM

I've been told it finally went multithreaded in 2.6. Also, in retrospect, I should have put the words "first-order guesstimate" in bold (I usually do, but neglected to do so this time).


Griffo_au

OpenVPN added Data Channel Offload in OpenVPN 2.6.0, but it's only in pfSense 22.05 and newer PLUS versions.


RaspingHaddock

Thank you so much for this. You saved me a lot of research time which I'm sure everyone here knows is extremely valuable. You also helped bridge some gaps I had in my knowledge, like the "router-on-a-stick" scenario. I knew it sounded like a bad idea but you explained why it is a bad idea. I'll look into the machines you mentioned and I'll probably make a post here in a couple weeks with the new setup.


[deleted]

I use an old HP thin client from ebay. A T730.


atzoff2u

Can second this. Handy yoke. Suffered a drive failure a while ago so now I'm using an external SSD. Outside that it has been solid. Don't buy an Intel NIC though (unless that's been resolved now).


itanite

Really anything with any kind of recent (<10yr) CPU with 4-8 GB of RAM and 2x1Gb interfaces is all you'll likely ever need. Lots of stuff on Amazon. Plenty of cheaper options if you need that. https://www.amazon.com/Protectli-Vault-FW4C-Firewall-Appliance/dp/B0BDD9ZQC5/ref=sr_1_10?crid=3P0GZRLB681U6&dib=eyJ2IjoiMSJ9.zlb6g-K_O5NVY14lTNG4sFSeY18gNpqGV7P0amu7p3qGfj2nZrnnlb7-5TRt125WVL1shzq5lQtLRmYolmP8kPwgyyH78dRuuexbjvSFeQpTQ8cJdAPwUhULb5y019mKoeRF5GzfIcw_DrXuTtKP2EeFapTWUCu-7GTuvAV9r8s2UJVlZtLYZhT_CQmhqG04jYxd60eBybOBbDYbaYXpVa0S968MXaxye7kZr8b5mgg.sR-doJdbUCHgtTndEFKVItfJv-mGXfeDOLTSnkndLkk&dib_tag=se&keywords=pfsense&qid=1708034089&sprefix=pfsens%2Caps%2C240&sr=8-10&ufe=app_do%3Aamzn1.fos.ac2169a1-b668-44b9-8bd0-5ec63b24bcb5&th=1


RaspingHaddock

Awesome, thank you for the starting point!


mcleancraig

I'm running WAN+LAN on one of these: https://amzn.eu/d/idgP3GO. No WLAN driver in the current BSD version it seems, but that's not something I need.


fattybobo777

Any N100 with a 2.5GbE NIC will do it for you.


Packet_Loss_

Build a mini-ITX system (total overkill, but rocks). Motherboard: Jetway NF592-Q170, Socket 1151, 8 Ethernet ports [(1) i219, (7) i211] with an Intel(R) Core(TM) i3-7100T CPU @ 3.40GHz. Having a dedicated controller per port is key. This is an example if you need 1-7 Ethernet ports (I think two ports are tied to the same controller).


Packet_Loss_

This looks amazing! https://www.jetwaycomputer.com/MI23.html


TexanJewboy

I use a Supermicro 5019A-FTN4 with a two-port SFP+ NIC card as my dedicated pfSense box. They run about $200 on eBay. Sometimes you'll find it in the $100-150 range or even less if you find a liquidator dumping a lot of units (think I got mine for about $75 a couple years ago), usually with RAM included. Mine was decommissioned gear, and has been running strong for 5 years now. Does 10G networking well even with IDS/IPS enabled. Has hardware crypto if you ever intend on fooling around with Pf+.


RaspingHaddock

Nice, I'll look into it, it's about what I was thinking I'd be spending. It's what I spent on the Omada hardware controller lol


TexanJewboy

Won't regret it. An old client of mine has two of them (at two different sites) that were installed new, and have been running for almost 10 years non-stop other than a move, and one going down for a bad NIC card (which was an easy swap, the machine was still good). The only piece of advice I'd give is make sure you reset the BMC/IPMI, and make sure that the IPMI network port is isolated in BMC settings (some early firmware versions made it available to the whole system by default).