Comprehensive Guide to pfSense 2.3 Part 2: Hardware

Captions
Howdy folks, and welcome to part 2 of my comprehensive guide to pfSense. In this video I'm going to be talking exclusively about hardware, in terms of the actual hardware in the machine itself as well as how to actually physically connect your network up. Now, part 1 was an intro and I talked about some of the things that pfSense can do, but without equally good hardware to put it on it's still nothing, so this video will hopefully solidify everything you need to know about hardware and configuration-wise. So in this video I'm going to be going over minimum hardware requirements, I'm going to be giving some common configurations for pfSense in homes, I'll hopefully give some insight into choosing how to design your network, and also make note of some less known mistakes people make and some caveats they may not be aware of.

Now before I go any further I just want to mention what I'm not going to talk about. I'm not going to be giving exact parts to go out and buy to build a pfSense router; it's going to be up to you to purchase or use existing parts you have based on your needs. I'm also not going to be talking about embedded pfSense or ARM-based systems, so this is going to be only x86 hardware. I also guarantee that somebody out there is going to have something to say about one or more of the configurations that I'm going to show. With something that's as configurable as pfSense there's always going to be something else that you can do; really the possibilities are endless, so this is just going to be a basic intro to the concepts. Leave it in the comments if there's anything you may have questions about, and I'll try and help you as best I can.

So just a bit of an outline as to what I plan to go over today: we're gonna talk about the CPU, memory, network cards, VLANs, wireless, and even running pfSense in a virtual machine. So without further ado, let's jump right in.

So when building a computer or a server I usually start out with the CPU and pick parts based around that, so that seems like a good place to start with this. Now unlike most builds you may have done, with pfSense more processing power does not generally improve performance, and when I say that I mean that most CPUs from the last decade are more than enough to route gigabit traffic. So unless you're routing 10 Gigabit Ethernet or InfiniBand or something like that, you have absolutely no reason to go with anything other than the cheapest CPU. This includes things like Celerons, Pentiums, Atoms, Semprons, whatever the hell you've got; spending more will not generally have any effect whatsoever unless you're running a crazy configuration, in which case you probably already know what you need. I personally used a 1.86 GHz Core 2 Duo E6300 for ten years for my network of over 40 devices, and the only reason I replaced it was because the motherboard gave out, so it was still perfectly capable of handling all the traffic without any delays. So CPU, pretty much anything will do.

However, there are some things you may want to consider. Now if you've read online about pfSense and what CPU to buy, you'll undoubtedly have come across somebody who says that pf, which is the core application behind pfSense (thus the name), is single-threaded, so thus you should buy a CPU with very few, very fast cores instead of many slower cores. This was true up until pfSense 2.2; now pf is fully multi-threaded, so there is absolutely no reason to stress over the number or the speed of cores, so the geometry doesn't matter anymore. Now most of what runs on your pfSense box will utilize multiple cores; this includes the interrupt service routines for most network cards, and I'll talk about that when we get into network cards. It depends on the driver of course, but generally speaking, no matter what you run it should be distributed across all cores, so don't worry about the CPU geometry too much.

Now this news sort of might encourage you to go out and fetch an old Pentium 4 machine you've got in your basement and use it as a router, and while that will probably work, assuming that it meets all the other requirements, you probably don't want that thing running simply due to the energy it consumes. I mean if you don't pay for electricity that is probably fine, but otherwise you probably want to calculate the total cost of ownership for something like that versus an alternative, and my argument for this is as follows. Look at the state of wired networking now: Gigabit Ethernet has been the standard for consumer gear for a pretty long time now, and it's not looking like it's going to be replaced in the near future. I mean 10 Gigabit Ethernet is in large businesses, but it's not marketed for consumers, nor do I see it being something consumers would want until internet connection speeds do some massive increase, or, I mean, most consumers don't have file servers in their houses. So if the hardware is powerful enough now to pass gigabit traffic, that means that as long as the underlying network standard remains Gigabit Ethernet and it doesn't change, your router will always be powerful enough. So just keep in mind that routers have a much longer lifespan than most desktop computers or even servers; like I said, mine was in service for a decade. That's more what you want to look at when you do the calculation, so it may be worth it to invest in new hardware rather than to go with old hardware, but again it depends on your needs.

So moving on to memory. pfSense uses the store-and-forward switching architecture. This means that incoming packets are copied into RAM, processed, and then they're copied out of RAM and forwarded out the corresponding interface, so there's two memory transfers per packet required, and this is the same architecture that's used by pretty much all consumer gear and even low to mid-range enterprise gear. The memory bandwidth of DDR2 is far higher than necessary for gigabit networking, so there will be no bottleneck with pretty much any memory you use. So it doesn't matter what kind of memory or what speed of memory; the only real question is how much memory do you need. Now some people will argue this figure, but a reasonable installation with a couple of packages will use just under 512 megabytes on its own, so as a result I would personally recommend at least a gigabyte of memory for most basic installs. Now you could technically do with 768 megabytes, but that's not a common amount of RAM; unless you've got some old 256 megabyte sticks somewhere you're not going to be able to get that configuration. So I would generally only install more than a gigabyte if either you already have it and it's free, or if you'll be installing packages like Squid or ntop or a couple others which use a lot of memory by themselves. Now I personally have 6 gigabytes in my router, both because I had a bunch of DDR2 lying around from old computers so I might as well put them in something, and also because I use Squid so I wanted to give it as big a RAM cache as possible. So memory, generally speaking, you can get away with a very, very small amount of memory if that's what you've got, but if you have stuff lying around, throwing more at it is not a bad thing. So really that's all I think I need to say about memory; it's very simple.

So I want to move on to network cards now. Now I'm going to argue that network cards are pretty much the most important components in the router, and that's because all traffic that passes through the router is either generated or received by the network cards, so they're going to govern the performance, stability and configurability of the entire router. Not all NICs are created equal, and they can have more of an impact than you might think, so it's a good idea to budget for the right cards if at all possible. Now like I said at the beginning, I'm not saying you need to buy exactly model XYZ of network card, but the generally accepted rule with pfSense is to only use Intel network cards. In case you're wondering, I'm not affiliated with or sponsored by Intel to tell you this. The answer to why you should use Intel has to do with both the hardware and the software support, and because a picture is worth a thousand words, I'm just going to go into a little bit of an aside here.

Now I recently picked up a bunch of 6-inch silicon wafers, which I'll do a microscope video on soon, but I can use these to illustrate my point. So what you're looking at is two silicon wafers of six inches, and these are what they use to make semiconductor dies. They use photolithography to manufacture the wafer and then they cut out each of these dies, encapsulate them in a plastic package, and that can be mounted on a circuit board; that's what we see as chips. So the cost of making one of these wafers is essentially fixed no matter what kind of chip you're manufacturing, assuming that the process by which it's manufactured is the same. As you can see, the dies on the left are much bigger than those on the right, so since the cost of a die is the wafer cost divided by the number of usable chips on the wafer, the smaller the die, the cheaper you can sell them for and/or the higher the profit margin you can make on the chip. Now before anyone tries to correct me, neither of these are network controllers; in fact the one on the left is a MIPS processor, and the one on the right I haven't identified yet, but it's probably an op-amp or a logic gate or something, but my point still holds.

Now you may be wondering how the hell this ties into buying a network card. Companies like Realtek and Marvell try to reduce the die size as much as possible, and they do this by removing pretty much all the circuitry which can be supplemented by software, so they only include the absolute minimum hardware, and this results in an extremely large and complex driver which relies on the CPU to do most of the work, for which it's really not optimized. Not only this, but the driver quality for BSD is usually lacking, and it can lead to problems beyond performance. Now Intel, they're a hardware manufacturer, and their network controllers do most of the heavy lifting in silicon, and the drivers are thus very simple, they're very fast, and they have very good support for Unix including BSD. So just as an example, take transmit and receive buffers: most Realtek cards have no more than about 300 kilobytes of buffer memory, which is just enough for a regularly sized TCP window. Intel cards on the other hand, even the consumer-level cards, have pretty much a standard minimum of 8 megabytes of buffers, which is very useful when things get busy on your router, because you don't want to have a buffer overrun, because then a bunch of packets get dropped and all sorts of weird stuff happens. So I'll hope you agree that you should get Intel network cards if at all possible.

How many network cards do you need? Now the general setup with the router acting as a gateway requires two network cards: one for the WAN, which is the modem, and one for the LAN, which could be connected to a switch which then connects to all the rest of your devices. Now every additional subnet requires its own network card, and if you're fortunate enough to have more than one WAN then you'll need another NIC of course for that as well. So I just want to point out that when I say NIC or network card, this refers to how many total ports you have, so you could easily get a dual or quad port card and call it a day; it's just one card but with four ports on it, and I'll just call it four NICs for this video because it's easier.

Now I also want to mention that you don't need to purchase brand new network cards; in fact I almost never purchase brand new network cards. It's very economical to purchase secondhand network cards off of eBay that have been pulled from old servers; you end up getting enterprise quality dual or quad port NICs for pretty much the same cost or even less than that of a brand new single port consumer grade NIC. So there's absolutely no reason you should buy a brand new card; there's really no reason I can think of, to be honest. I mean in all reality Gigabit Ethernet is Gigabit Ethernet, so it doesn't matter if the card was made six years ago or made yesterday, it's pretty much gonna perform exactly the same and do the same function; it doesn't change anything. Unless you're at the bleeding edge in a data center, it doesn't matter how new or how old the card is, as long as it's got the right connector of course. Generally speaking you want a PCI Express network card; only if you're trying to repurpose old hardware would I try to use a PCI network card, and I really wouldn't do that unless you absolutely have to, because PCI has bandwidth limitations, so if you're trying to run multiple gigabit cards on PCI you may encounter a problem. But again, you have to deal with the hardware that you have; just keep in mind that you can get things used.

So I'll start by diagramming the simplest setup here. Now when I say the simplest setup as a gateway, I pretty much mean the following: we've got a modem on the left and a switch on the right, and the switch is going to sort of represent the LAN in this situation because you'd connect all of your devices to it, and we can connect a router, which of course is the symbol for a router in the center there, with two network cards, one to the WAN, one to the LAN. Of course I'm depicting them as separate cards; you can use a dual port card and just have a single card for this, it doesn't matter.

Now you may have been thinking in the back of your mind about using an old laptop as a router; maybe the hinges are broken, maybe some keys are missing, but can you turn it into a router? They actually make a lot of sense for a couple of reasons: they're small and compact, you can put them pretty much anywhere, they're generally designed to be energy efficient because of course they have to run on a battery, and they also have effectively a built-in UPS, right, when the power goes out they just switch to battery power. So generally speaking you can save a lot of money by repurposing an old laptop. However, there are some problems, and they have one sort of critical flaw, and that is that they only have one wired network card and there is no way to add another; there's no PCI Express expansion slots in a laptop that you can add a NIC to. And in case you're thinking about those USB 3.0 gigabit adapters, no, don't buy those, they suck, they're not going to work properly with pfSense, so just don't even bother. Not only that, but most laptops also don't have Intel network cards in them. I'm not saying every laptop doesn't; the business class laptops and also some high-end gaming machines do, but you've really got to check. So if you're on Windows you can go to Device Manager and find out; if you're on Linux you can run lspci and find the manufacturer. If you're unsure, most manufacturers will actually tell you the NIC manufacturer in the spec sheet of the laptop, so you can find out what you actually have.

It may seem, just from these two things alone, that despite the advantages of using a laptop you just can't use one, because it only has one NIC and it may or may not be Intel, but there actually is a way, and that is to use virtual LANs, or VLANs. Now VLANs allow you to use a single physical network card port to serve multiple physical subnets, so this means that you could connect both your WAN and your LAN to the router via a single port and not end up connecting them together. This physical connection is done using an external device, which is a managed switch, which I'll talk about in just a moment. So if I adapt the previous diagram using VLANs we get this: you can see we have both the modem and the network card from the router connected to the same switch, and if I just sort of clean that up a little bit, this is the exact same thing, it just looks a little bit nicer.

So to understand how this is possible without the WAN being connected directly to the LAN, we need to look at how VLANs work. This is just going to be a super quick intro into VLANs. Ethernet frames are tagged with an integer value which corresponds to the virtual LAN that the packets are either coming from or going to, so in that setup we would create two virtual LANs, one for the WAN and one for the LAN, with a different tag number, and pfSense can then be configured with two virtual interfaces that correspond with each of those tags. Now the reason you need a managed switch over a regular, more common, and of course less expensive unmanaged switch is because you need to configure which ports on the switch correspond with which VLAN. On an unmanaged switch all ports are forwarded to all other ports, so of course that won't work. Now that being said, you can of course connect any device to each port on the managed switch, and that means you can connect unmanaged switches to the ports on your managed switch. So if you want to get away with buying a cheaper managed switch with fewer ports, like 5 or 8 ports, you can connect other unmanaged switches to that to expand out, and you'll just get a tiny latency increase from the extra switch delay, but you can do that if you want to try and save money that way. And again, if I just diagram that up here, you can see that the ports would be configured sort of like this; I have color-coded the red and blue here: all of your LAN ports would be on one VLAN, your WAN would be on the other, and then the port to the router would be a member of both VLANs so that it could pass traffic back and forth.

So the question that you may ask yourself is why would you want to use VLANs in the first place, and the answer that I would give is when there are more subnets than you can physically add network cards for, or basically the point where it becomes unfeasible. In the case of a laptop where there's only one network card, VLANs of course make sense. If you have ten subnets, for example, it's not practical to have ten network cards in a machine, so again VLANs make sense there. My reasoning behind this is pretty simple: managed switches are expensive, more so than dual or quad port network cards, so if you have a physical machine, a desktop, a server that you can actually put network cards in, it's generally better and cheaper to do that than to use the existing single or dual port card and use VLANs. But of course in a situation like a laptop, you can't add network cards, and it's probably cheaper to buy a managed switch than it is to replace the whole laptop with another machine, so again you've got to look at what you've got. The other big thing is that VLANs can create bottlenecks, because in the scenario that I just showed, all the traffic that passes from the WAN to the LAN has to go through that single network card and be processed by the router and then be passed out through the exact same network card, through the exact same cable. So if you have many gigabit streams all passing through your router at once, well of course that's not possible; there's going to be a bottleneck in that one connection, so you may want to consider that. Again, most people in the home won't have this problem, but it depends on your setup whether that would be an issue or not; you just have to be aware of it.

Now up until now I haven't said anything at all about wireless networking, and as much as I hate wireless, sometimes it's a necessary part of pretty much all networks nowadays. So if you want to set up wireless with pfSense you have one of two options: you either use wireless cards in the router itself, or you connect external access points to a wired network card in the router. By internal wireless card I pretty much mean you take a regular wireless card, either USB or PCI Express (generally PCI Express would be preferred, but most of them are USB dongles now), and instead of using it to connect to an existing network you'd actually use that to broadcast the BSS, to broadcast the network, instead of connecting to it. So that's what I mean by internal, where the card is physically in the machine or connected directly to the machine. Now with an external access point you take an external third-party device and you connect it over wired Ethernet to the router, which of course therefore broadcasts the network as normal, and you can use a regular wireless router for this and just disable the router functionality.

So in terms of which setup is better, of course it's ultimately down to your needs as always, but I strongly recommend that you use external access points for pretty much every configuration, and there's actually a couple of reasons why. First of all, with external access points you can place the access points anywhere you want; as long as you can run a cable to it you can put it anywhere, and not only that, but you can of course connect an arbitrary number of access points, which is really good for covering a large area. So you can put one upstairs, one on the main floor, one in your basement, one in that random room that has a dead spot; as long as you can run cables to them you can do that. And like I mentioned, I tend to buy consumer wireless routers, the thing that we're trying to replace with pfSense; I buy those, disable the router part, and I just use it as an access point, and a lot of them are actually relatively good as access points. I have a TP-Link Archer C2 and it's been up for almost 400 days and I've never had a single problem with it. I mean I just use it as an access point; it's pretty much a wired Ethernet to 802.11 adapter basically, and it works great as that. They also have switches in them, so you can daisy-chain those devices together or you can wire them in a star topology or however it works for you, and you just sort of get that functionality for free.

But sort of the real reason why you should use external access points over internal wireless cards is for support of modern Wi-Fi standards. FreeBSD unfortunately does not have good wireless drivers for wireless N and pretty much no drivers for wireless AC network cards, so if you want those kinds of speeds you have to use external hardware, unfortunately, which is disappointing, but that's the state of Unix and even Linux to this day. Unless you have the proprietary driver for that card, which you're unlikely to get, you just unfortunately can't use it. Now internal wireless cards provide the ability to use pfSense to control the network and access control very precisely, so it's useful in situations where you need control that external access points don't provide. It might also be beneficial if you're using, let's say, a laptop and it already has a built-in Intel wireless card and you don't want to buy any new hardware and that'll work for you; that is also an option, and I've seen that done quite a bit, but just be aware that you're probably not going to get the same performance as what you would get if you used an external access point.

So speaking of buying new hardware, some of you may be thinking, what about using existing hardware in the form of a virtual machine? And of course you can run pfSense in a virtual machine on pretty much any VM software platform; it's actually quite common to do this, and it's used mostly in situations where hardware is scarce. Using a VM allows you to allocate only the resources that pfSense needs, so the minimum amount of processing power, the minimum amount of memory that we talked about, so you don't waste anything. If you're thinking about doing this, just remember that you still need all of the requisite network cards in the host machine to connect the router to the physical real world, and also, depending on your platform, whether you're using VirtualBox, VMware, whatever, you may incur some performance degradation as a result of the hardware abstraction between the virtual machine and the physical host, so you want to keep that in mind. Now you also need to consider that the host machine will need to be able to boot without a working network and run for a few minutes until the VM can start, so you also need to be aware that if the host goes down for any reason, be it planned or unplanned downtime, the entire network will also go down. Now of course that is unless you have a failover setup in place on another machine that can take over, but just be aware of this. I personally don't like virtual machines because I like to have a physical machine where there's no dependencies in place; it's just standalone, and I can fix it if anything goes wrong. But virtual machines are definitely a good place to start if you just want to experiment with pfSense and you have a machine that has the physical network hardware in place, and of course you can always build a physical machine later if you like how it works. So when I do my installation video, you might want to just basically follow along with what I'm doing in a virtual machine and try that out; even if it's not controlling a real physical network and it's just controlling some virtual host-only network, it's still a great way to experiment with the software.

So just as sort of a quick overview: in this video I've shown that pfSense will work with pretty much any CPU made in the last decade; you really don't have to worry about it unless you're doing really high-speed networking or really insane stuff. It should have at least a gigabyte of RAM to be happy, but of course throwing more at it is not going to hurt, especially if you're using Squid and stuff that really chews up the memory. You're going to need at least two physical network cards unless you use VLANs, and of course physical network cards are better than VLANs unless it becomes uneconomical to do so. And of course all the network cards you buy should be made by Intel if at all possible; you can use ones by other companies, but just be aware that their performance and possibly stability are going to be affected by that. pfSense will work in a VM, and if that configuration suits your requirements, go ahead. And wireless should be implemented usually with external third-party APs, but of course you can run it on internal or integrated cards if you're okay with potentially lower speeds and older wireless standards.

So I think that sort of wraps it up for this video. Hopefully I didn't forget anything; I think that covers all that you really need to know as to what to look for, either in a machine that you're going to salvage or repurpose, or hardware that you're going to buy. In part 3 I'm going to go into installing pfSense, on either a physical machine or I might do it in a VM so it's easier to screencast. It's going to be a short video; installing pfSense is extremely easy. There's a couple options you may want to change, but generally it's very easy to do, so that'll definitely be a quick video, and it'll be coming in a few weeks after the holidays. So until then, hopefully this was helpful and interesting, and thanks for watching.
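The VLAN section of the video describes a managed switch where the LAN ports and the modem port sit in different VLANs and the router's single NIC is a member of both. The following is an added example, not part of the video or of pfSense, that models that forwarding decision in Python: it builds and parses 802.1Q tags (TPID 0x8100 and the TCI layout come from the standard) and contrasts the managed switch with an unmanaged one to show why the latter would bridge WAN and LAN. The VLAN IDs 10 and 20, the port numbering and the sample frame are all constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType that marks an 802.1Q tag
LAN_VID, WAN_VID = 10, 20    # constructed VLAN IDs for the example


def tag_frame(untagged: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the dst/src MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP in the top 3 bits, VID in low 12
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def parse_vlan(frame: bytes):
    """Return (vid, pcp) for a tagged frame, or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0xFFF, tci >> 13


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, restoring the untagged frame."""
    return frame[:12] + frame[16:]


class UnmanagedSwitch:
    """Every frame floods to every other port, so WAN and LAN get bridged."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return [(p, frame) for p in self.ports if p != ingress]


class ManagedSwitch:
    """Access ports carry one untagged VLAN; trunk ports carry tagged members.
    Flooding only (no MAC learning) keeps the model short; tags arriving on
    access ports are not inspected."""
    def __init__(self, access, trunk):
        self.access = access   # port -> vid
        self.trunk = trunk     # port -> set of allowed vids

    def _classify(self, ingress, frame):
        if ingress in self.access:
            return self.access[ingress], frame
        tag = parse_vlan(frame)
        if tag is None or tag[0] not in self.trunk.get(ingress, ()):
            return None, None  # drop: untagged or foreign VLAN on a trunk
        return tag[0], strip_tag(frame)

    def forward(self, ingress, frame):
        vid, payload = self._classify(ingress, frame)
        if vid is None:
            return []
        out = [(p, payload) for p, v in self.access.items() if p != ingress and v == vid]
        out += [(p, tag_frame(payload, vid)) for p, vids in self.trunk.items()
                if p != ingress and vid in vids]
        return out


def build_switch() -> ManagedSwitch:
    """Constructed topology from the video's diagram: ports 1-4 LAN, port 5 the
    modem (WAN), port 8 the router's single NIC as a trunk carrying both VLANs."""
    return ManagedSwitch(access={1: LAN_VID, 2: LAN_VID, 3: LAN_VID, 4: LAN_VID, 5: WAN_VID},
                         trunk={8: {LAN_VID, WAN_VID}})


def sample_frame() -> bytes:
    """Constructed broadcast frame (EtherType 0x0806) with a zeroed payload."""
    return bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28


def demo() -> dict:
    """Which ports receive a broadcast arriving from the modem on each switch type."""
    f = sample_frame()
    return {
        "managed_from_modem": [(p, parse_vlan(fr)) for p, fr in build_switch().forward(5, f)],
        "unmanaged_from_modem": [p for p, _ in UnmanagedSwitch(range(1, 9)).forward(5, f)],
    }
```

Running `demo()` shows the managed switch delivering the modem's broadcast only to the router trunk, tagged with the WAN VLAN, while the unmanaged switch hands it to every LAN port as well.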
Info
Channel: Mark Furneaux
Views: 94,561
Keywords: pfsense, network, guide, tutorial
Id: 0spAIaWb7x0
Length: 32min 0sec (1920 seconds)
Published: Wed Dec 23 2015