My home lab is certainly turning into quite a setup and I now have another new device to add to it – the pfSense SG-4860 hardware unit. I’ve played around with pfSense in virtual machines over the years but never got round to actually deploying it as my home router. I finally took the plunge and decided on purchasing one of their pre-built units. Now I know some people will probably shout at me to just use an old computer or parts I had lying around and yes this is certainly an option. In my case however I didn’t want a big PC case in my front room (which is where the telephone point for ADSL terminates) plus the kit I do have is now very old and I wanted something with features in the CPU such as Intel Advanced Encryption Standard (AES) New Instructions (AES-NI).
pfSense Software
pfSense has a huge range of features and I don’t intend to list them all but here is the summary from their website –
pfSense is a free, open source firewall and router platform based on FreeBSD that is functionally competitive with expensive, proprietary commercial firewalls. pfSense can be configured as a stateful packet filtering firewall, a LAN or WAN router, VPN Appliance, DHCP Server, DNS Server, or can be configured for other applications and special purpose Appliances. This next generation pfSense security appliance features include:
- Stateful packet filtering firewall or pure router
- Routing policy per gateway and per-rule for multiple WAN, failover, load balancing
- Transparent layer 2 firewall
- Support for IPV6, NAT, BGP
- Captive portal with MAC filtering, RADIUS support, etc
- VPN: IPsec, OpenVPN, PPTP
- Dynamic DNS client
- DHCP Server and Relay functions
- PPPoE Server
- Reporting and monitoring features with real time information
More information can be found here – https://www.pfsense.org/about-pfsense/features.html
pfSense Hardware
Let’s take a look at some of the hardware specifications for the SG-4860 –
| Component | Specification |
| --- | --- |
| CPU | Intel “Rangeley” Atom C2558 2.4 GHz with Intel QuickAssist |
| CPU Cores | 4 |
| Ethernet Interfaces | 4 x Intel I350 (SoC Intel I354 Quad GbE on-die MACs); 2 x Intel I211 |
| Memory | 8GB DDR3L |
| Storage | 32GB eMMC |
| Additional Storage | 1 x M.SATA Port |
| Expansion Ports | 2 x Mini PCIe |
| Physical Dimensions | 1.5″ tall x 6.8″ deep x 7″ wide |
Extended hardware information can be found here – https://store.pfsense.org/SG-4860/
If you’ve looked at the price of the unit you’ll know this is a rather expensive device to run at home and you might wonder why I went for it. Well the simple answer is throughput and options. I wanted to ensure the device would easily handle gigabit throughput while also providing enough ports for me to connect various networks and devices to. I expect the hardware to last me many years so it also felt sensible to select a unit with enough CPU and memory capacity to handle higher WAN speeds as and when those become available where I live.
How about we take a look at a few pictures?
First off we have a front view of the unit, the physical size is impressive and was important for my environment due to the location of installation – 1.5″ tall x 6.8″ deep x 7″ wide.
Next we can see the side of the unit which has vents to allow airflow, the top of the unit also has a small vented section to allow hot air to escape.
The unit has a number of rubber grommets which seal the pre-cut holes for wireless hardware to be passed through. In my case I am not going to add wireless functionality to the pfSense hardware itself, in the future I will add a dedicated access point (AP). Right now I’m just using my old wireless router in AP mode. The unit has a console port which enables one to connect a USB cable to another device for serial access. This is achieved via a Silicon Labs CP210x USB-to-UART bridge chip. The Ethernet ports are labelled and the pre-installed pfSense software applies the same labels within the management console which makes life nice and easy.
In case you’re interested the unit comes with an external power unit along with a USB cable for console access, a retaining device to hold cables in place and a micro-fibre cloth so you can polish the unit and make it sparkle.
Now that we have looked at the external aspects of the unit let’s open it up and check out the insides. The CPU is passively cooled making the unit silent which is another valuable trait for my deployment. Note the location of the two mini-PCIe ports, they are located together back to back while the M.SATA port is positioned next to the Ethernet ports.
I purchased a 60GB M.SATA drive to be used for Squid caching along with holding any additional logging information I want to keep separate to the integrated storage. Installation is simply a case of removing the two screws across from the port, sliding the M.SATA drive in and then securing it down again.
Right now I’m using the LAN, OPT1 and OPT2 ports which leaves two spare ports for future use. I may create an LACP (Link Aggregation Control Protocol) LAG (Link Aggregation Group) between the pfSense unit and my Cisco SG-300 lab switch for increased bandwidth – at the moment though it’s fine as it is. I was tempted to write a post on how I set up this unit however I’ve customised things quite a bit to fit the needs of my own environment so I think I will only consider writing posts which others can apply in their own setup.
I strongly recommend you try pfSense, it’s a fantastic piece of software and this hardware complements it nicely. The selection of packages is impressive allowing you to extend functionality to suit your needs. Below is an example dashboard that I have running, the software provides a wealth of information – far more than is shown here so if you want details trust me, it has them.