Choosing An Appliance To Run pfsense

On my list of things to learn and implement is pfsense. I am currently looking at the following options:

GEEK+ Mini PC

  • Celeron J3455
  • 6GB RAM
  • 128GB SSD
  • 2 x RJ45

One recent reviewer stated that he has had good success using the PC for running pfsense, but noted that it has “Realtek NIC drivers which have been known to cause problems…”, but also said he was able to install alternative drivers easily.

The second choice I am considering is the Protectli Vault 4 Port Firewall Micro Appliance which was recommended on The Geek Pub as a great box for this purpose.

  • Intel Quad Core
  • AES-NI (I had to look up why that is important to some people)
  • 4GB RAM
  • 32GB mSATA SSD

Would you choose one of these over the other? Maybe you have a different suggestion? If I go with the Protectli Vault I will definitely have to scale back my planned cluster build to reduce cost.

We have the Protectli FW4B and its been working great. We got it direct from Protectli (https://protectli.com/product/fw4b/) so we could easily configure it, plus it was cheaper than from Amazon.

We got ours with 8GB RAM (not needed, really, but it gives room for experimenting with different packages and was cheap anyway). We also picked coreboot and OPNsense, though you can get pfSense if you want, too.

We couldn’t be happier with it. :slight_smile:


Could anyone recommend a couple good resources that give a high level overview of what kit one might need/want for a homelab/home network, and how the parts work together? For instance, I have cable modem running into a wi-fi router. I assume I would put a firewall appliance between the two? I have a Pi-hole plugged into the wi-fi router. Would that need to be plugged into the firewall instead? Does the firewall become the router? Does it supplant the Pi-hole?

@Buffy I really like the looks and features of the Protectli, but this is one of the things that has me at a stand still. Do I need an appliance like that to secure my network without slowing it down (say vs a virtual firewall)? Would my resources be better spent on something like the other option I mentioned because it would be “good enough”?

I am continuing to research all of these things (and the other topics I post) via the YouTubes and Interwebs, but there is an overwhelming amount of information. Given limited resources, I would hate to set up a networking infrastructure only to discover I have paid for equipment/services that are not effective, but have no budget to change.

As I said, YouTube, blogs, Jay’s book, are all in the mix, but I would like to get some equipment ordered and it feels like a chicken/egg situation. I cannot know what I need until I cover enough of the learning curve, but I cannot cover a sufficient space of the learning curve without knowing what I need!!

Your Pi-hole can be plugged into your network pretty much wherever you want; it’s just a DNS server, so what matters is that your other systems look to it for DNS.

Your current setup is probably using the built-in firewall on your wifi router? So then, as long as it is working, it’s probably “good enough” already*. If you’re running out of ports on it, you can just add a cheap (Netgear, etc.) Gigabit Ethernet switch (an 8-port one is < US$50, a 16-port one < US$90) and be good to go. Of course, the Protectli with either OPNsense or pfSense will be lots more featureful, flexible, and robust, but if you don’t need it, it’s still optional. If it was just me messing about, I’d still be using our wifi one, but my dad needs multiple VPNs and other stuff for his work, so that’s why we have the Protectli.

*Also make sure your wifi router/firewall has the current firmware and that it’s up to date to handle some of the recent exploits that have affected consumer routers.

The other thing you can use your Pi-hole for is doing your DHCP. It will almost certainly be nicer than what your wifi router provides, plus then it will integrate with your DNS on the Pi-hole, too. And it’s also nice because Pi-hole has a quick and easy backup right from its interface.

You honestly don’t have to spend lots to set up a home lab for learning. XCP-ng or Proxmox on even an old PC (we have it on an old i7-2600 with 16GB RAM and can run 6 VMs real nice). Server VMs with 2GB RAM allocated are plenty for most any lab work; you can even use 1GB RAM. Linux servers are very lightweight.

That was very helpful. Thanks! I do indeed use my Pi-hole for DHCP, as my router will not pass through the names of my devices and trying to figure out what is going on by IP is a PITA. I do want to set up one of my other Pis for redundancy, and I saw a YouTube video on how to do that and keep them synced.

Did you see my thread on using Pis vs x86 boards for a small cluster? Would you mind weighing in on that at some point?

I appreciate your time!


You’re welcome! :slight_smile:

For Pi 4 vs x86 for homelab server nodes, I think just go with what’s cheapest (and uses less power/makes less heat); I can’t think of any services you’d want to run that don’t have builds for both. Even PostgreSQL (a “big boy” database :stuck_out_tongue: ) has RPi 4 builds and works real nice for labbing and even development. I put more in that other thread.

I think we discussed that I do not particularly need a firewall. However, if I decided I wanted to learn pfsense just for kicks, could you explain to me what the extra ports on the FW4B are used for? Could I get away with something cheaper that only has two ports or would that cut out an entire segment of functionality?

Something like this (also from Protectli):

Yeah, that would work. I think the only advantage of extra ports for learning is being able to have separate physical networks and learn about how to configure DMZs and set up routing between the networks with additional firewalling. If it’s not something you need to do, then you can save money with the 2-port and still have a real good platform for learning pfsense.


OK, I have my new laptop (ThinkPad T14 AMD) set up dual-booting Windows 10 Pro (easier to use Lenovo’s built-in utilities, etc.) and Fedora. I would rather use Ubuntu, as I am going to work through Jay’s book and my lab will be mostly Ubuntu Server, but Ubuntu is simply not as responsive and slick as Fedora with GNOME 40, IMO. I am going to work through his book using a VM on the laptop first.

I believe my next course of action is to put the cluster on the “future” list, set up openmediavault on my Mac mini, and set up a Proxmox server.

My question is this: can I run Proxmox on a mini PC with decent specs and have the VMs and containers live on that server? They would then be backed up to my roll-your-own NAS (which will be backed up to Backblaze).

I would prefer to have the VMs and containers live on the NAS, but I do not think my performance will be acceptable unless I have a decent TrueNAS setup which I cannot afford at present. Also, I could run pfSense as a VM on the same box until I can afford a dedicated appliance, again with everything backed up to the NAS.

Does this all sound copacetic or am I a) misunderstanding how Proxmox works, or b) creating a plan that will technically work, but is a really bad idea?

Unless I’m missing something, I don’t see any reason why you’d have trouble running Proxmox on your mini PC. It’s more about how you use it and divide up the resources. There is no “bad” idea, just some things work more efficiently than others. You can get a lot more containers out of such a PC than VMs, but that’s always true (for the most part).

One thing that might be challenging is I/O, unless you have 10-gig Ethernet. That said, my Proxmox server is currently backing up to TrueNAS with standard 1-gig Ethernet, and it works fine. Sure, it’s very slow by comparison, but since I schedule my backups to run overnight while I sleep, I don’t care if they take extra time to complete.

Your idea seems reasonable to me.

It makes sense that Fedora might outperform Ubuntu in that case, since Fedora uses a newer version of GNOME, as you mentioned. It may have something to do with optimizations the GNOME developers have made; they do that in virtually every release nowadays. So sometimes it can feel sluggish when you use an older version after having used a newer version. I’m not switched over to GNOME 40 yet, but on one of my laptops I’m either going to install Arch or Tumbleweed, and in either case I’ll end up with GNOME 40. I wonder if I’ll have the same impression.
