A low cost pfSense build - for Home, SOHO & Small business

    • A low cost pfSense build - for Home, SOHO & Small business

      My new pfSense box

      Until recently, I was using a Lanner FW7535 as my pfSense box but my ISP has just upgraded my speeds to 200Mbit, so I have replaced it with a custom box.



      Requirements:

      1. Cost as low as possible. I won’t be gaining a ton out of this at the moment, as the Lanner probably would have been mostly capable, but as the connection speed increases again (and I demand more of the box) it will probably not cope.
      2. Very low power. This will remain on 24/7 (obviously!) and I already run separate components for Wifi AP, Switch etc. This approach is always going to drain a bit more power than an ISP router, but it’s worth it. Regardless, low power consumption is good :)
      3. Small. This is probably relative, but to give you an idea of what I think is small: The videos on Youtube showing you how to DIY a pfSense box with some old dragon Dell Optiplex? Not that. No bigger than about 10cm x 25cm x 25cm.
      4. Must be able to handle: 200Mbit, VPN, Snort, Adblocking, AV etc.



      The Build Hardware

      After a LOT of searching I have ended up with this:

      Mobo/CPU: ASRock N3700M (Pentium N3700)
      Chassis: e-Mini E2010
      RAM: Kingston KVR16LN11/4 (4GB DDR3L-1600)
      Storage: 16GB Kingston Traveller USB Key Drive 16GB SanDisk Cruzer Orbit
      PSU: PicoPSU 120W + External Power Brick (12v 10A)
      NIC: HP NC360T
      Other stuff: PCIe x16 to x16 right angle riser card and USB3 Header Cable


      Mobo/CPU:

      The motherboard and CPU gave meal a headache, along with the chassis. I wanted a very low TDP CPU but one that could still handle what I threw at it without cooking itself. I came across the N3700 CPU which has AES, a TDP of only 6W(!) and is cheap to purchase on a board such as the ASRock N3700-ITX. This board presents a few problems. The first of which is that the onboard NIC is Realtek (uber crappy in BSD), the second is that I was trying to find a case that it would fit in and still have the ability to add a PCIe card because of the Realtek NIC (see below), the third was the limitation of PCIe options. The board has Mini PCIe, but only a single V1 x1 PCIe slot. I eventually cancelled the order in favour of the N3700M (thank you Amazon for being lovely) because in the event that I wanted to repurpose this board as a HTPC or CCTV box, the x1 lane would be useless. I was also conscious that the V1 x1 speed limit is 250MB/sec, and this is only enough for a Dual Gig NIC. Fine for this build at the moment, but if I wanted a quad at some point, the ports would suffer and run at half speed. One of the best things about this mobo and CPU combo, is that the CPU supports AES.

      Chassis:

      Probably the biggest headache. I didn’t think it would be such a mission to find a small MicroATX case (MiniITX at first) that wasn’t twice the size of an ancient VCR, that had a PCIe slot and didn’t cost the earth. It’s typical of this industry- things get smaller and the price goes up! I don’t mean in an almost justifiably Apple-esque ‘we crammed tons in that space that wasn't thought possible and defied current manufacturing sizes and processes’ kind of way, I mean: The box with holes in is smaller and we used less metal.. that’ll be 3 x the price, please! After all, there are gaming ATX towers on eBay with tons of fans and LEDs for £25 and much lower (AvP Storm 27, CiT F3 etc), delivered! The problem is that I wanted to use a PicoPSU and power brick to keep the internal heat as low as possible as this will be an entirely passive box. A lot of small cases with PCIe assume you want an ATX power supply and are much bigger as a result) and a lot of the ones that use a PicoPSU do not have the room for any PCIe cards. Sure, there are some - if you want to pay £100-£350+… I didn’t. Anyway, enter Realan’s e-Mini E2010, which I found on eBay from a seller who only had one left. £39.99 - thanks! It’s not the smallest (6.5cm x 29cm x 27.5cm) or best looking thing on the planet, but it’s small enough and it’s by no means ugly. It does have a weird sliding front panel and no USB3 at the front, but that isn’t going to be needed. I like the fact that it has a lot of ventilation in the lid and sides, and can be positioned horizontally or vertically.

      RAM:

      Pretty bog standard here. For this budget, there’s no ECC (in either the board, CPU or memory!) so it’s completely out of the question. The N3700* series board by ASRock support either 1.5v or 1.35v memory, so I opted for Kingston KVR16LN11/4 (4GB DDR3L-1600) which is the lower voltage option. 4GB should be more than enough for this box.

      Storage:

      I was originally going to use an 16GB generic mSATA flash module I had but the N3700M doesn’t have Mini PCIe (N3700-ITX did), so I decided to use a Kingston DMT30 Sandisk Cruzer Orbit that I had spare, that’ll do :) This will be plugged in internally into a short USB3 header cable. Note: For some reason the Kingston would not boot, so it was changed for a Sandisk Cruzer Orbit. I my buy an mSATA to SATA board at some point to use the flash module I have in order to regain the speed I was after.

      PSU:

      I wanted to go for a PicoPSU with an external power brick setup in order to keep the internal heat as low as possible. This is an entirely passive build, so it will rely completely on the airflow of the room and the chassis ventilation. There are plenty of cheapo 'pico' PSUs on eBay from China - and whilst I love buying stuff from China, I didn't want to take a chance with a generic pico style PSU that could conk out on me at worst, and at the least (depending on your perspective) feed the board dirty voltage. I opted for an official 120W PicoPSU from a reputable UK reseller on eBay.

      NIC:

      I will be using the HP NC360T from my HP N54L to replace the onboard Realtek NIC, and add an additional port. The chipset in this card is the Intel 82571EB, which is solid and fast under BSD (and any OS!). Some modding of the bracket was needed though, as the full height bracket places the pins in the wrong position, so we will use a modded low profile bracket instead. Tip: When searching for an Intel card, it's always a good idea to find a Dell or HP card that uses the chipset you require and search for that instead. The Intel branded cards are often much more expensive than their rebranded brothers.

      Other:

      I’ll also need a PCIe right angle riser card for this build, and a USB 3 header cable (mentioned above) if I am going to use a key drive for the OS for now. These were dirt cheap from Hong Kong but took the longest to arrive and held the project up by a couple of weeks. I know I could have bought them in the UK, but they were 5-8x the price, and the whole point of this build was the keep it as low as possible.

      - PCIe Riser: I decided to go for a right angled riser card instead of a cheaper ribbon cable because of two reasons. The first being that I ordered a ribbon cable for the original ITX board and it looked very cheap - all of them do. Secondly, and more importantly, I was told that the excess unshielded cable could be a problem for interference. This is how I have landed up going down the route of modding a low profile bracket and using an actual PCB riser.

      - USB 3 Header: I guess I could have just plugged the key drive into one of the front or rear ports, and yes, this would have made removing the key drive for upgrades etc much easier. But I didn't like the idea of having it stuck out the back - and had the original internal mSATA in mind, so wanted to have a small internal header cable. This has worked out quite well.

      The post was edited 1 time, last by ellnic ().

    • Cost of Hardware

      My aim with this build (unlike my server) was to keep the cost to a minimum, whilst satisfying all of the requirements. As such, there have been some compromises. For example, I don't particularly like the flip down front on the E2010 chassis. It's irritating. But, it was cheap. I also would have rather preferred a board with two Intel NICs on board, but that costs more. I would have much rather preferred a chassis from the Streacom line up like the FC5WS (Wow!) and put an Aewin MB-8305 in it, but that would have added several hundred to the cost - and that is not what I was going for. Maybe one day. ;)

      The cost was:

      Mobo/CPU: ASRock N3700M (Pentium N3700) - £88.08 Amazon
      Chassis: e-Mini E2010 - £39.99 eBay
      RAM: Kingston KVR16LN11/4 (4GB DDR3L-1600) - £14.44 eBay
      Storage: 16GB Kingston DTM30 USB Key Drive 16GB Sandisk Cruzer Orbit (Already Owned)
      PSU: PicoPSU 120W + Power Brick - £34.99 all in - eBay
      NIC: HP NC360T (already owned)
      Other stuff: PCIe x16 to x16 right angle riser card - £1.40 eBay and USB3 Header Cable - £1.83 eBay

      Total cost of parts I didn't have: £180.73

      and if I had not had a couple of the :

      Storage: 16GB Sandisk Cruzer Orbit - £3.29 eBay
      NIC: HP NC360T - £15 eBay

      Total cost of all parts: £199.02

      Links to follow

      Show & Tell :)


      The hardware:



      The chassis with the original RAM for the ITX board to put in a bit of size perspective.
      Notice that this chassis is extremely well ventilated



      The back of the chassis showing the PCIe slot with the original board fitted. Note that this is a full height slot, so we will need to do some modification, see below.



      The quite amazing, and incredibly tiny PicoPSU... this is the 120W version, although it's probably a tad overkill for this build. It was the cheapest I could find though.



      Finally, the inside of the chassis with the optical/HDD plate installed (the board pictured is the original ITX)




      Assembly :)

      Now my favourite part :D

      Motherboard in:



      Compare it to the size of the ITX! This has now been returned, as it only had one PCIe x1.



      Cables attached and cable-tied out the way:



      PSU and RAM in, Cables Tidied:



      This is the NIC held approximately at the position it would be if I used a full height bracket as the chassis is designed to use. Note that the pins line up with the PCIe x1, which is not suitable.



      Now look at the positioning of the low profile bracket... it lines up with the x4, but it will need one end of the bracket bending so that it is straight.



      Like this:



      Fitted to the card:



      The right angled riser:
      Note: If you plan to make this build, make sure you get the correct riser - you can buy them 90 degrees in either direction.



      Fitted to the card:



      In place on the motherboard:

      Because of the low profile bracket, we have to cheat a bit - let's secure with my favourite thing :) CABLE TIES :D they should stop excess movement and strain on the connection when plugging cables. Note: I had to disconnect the HD Audio header here, as it was in the way of the RJ45 ports on the card. This is probably a design flaw/clash of this chassis and/or motherboard combo.



      From the inside:

      Now the optical/HDD bracket back in place, and the USB 3 header installed and cable tied to the top of it. This is where the key drive will stay:



      Like this:

      The post was edited 7 times, last by ellnic ().

    • Making the Key Drive

      Because I am using a key drive in this build, the quickest and easiest way to get up and running is the use the NanoBSD embedded image from pfSense.

      I grabbed the image from here:
      https://www.pfsense.org/download/



      Then wrote to the key drive after decompressing:

      Source Code

      1. dd if=/path/to/img of=/dev/disk bs=4M



      Booting:

      I plugged the key drive in, attached a monitor and keyboard and powered on, entering the UEFI with F2

      Before I could adjust the boot settings, I noticed that my board was running 1.10 and the latest version (as of 14/06/2016) is 1.30. I downloaded this from ASRock (asrock.com/mb/Intel/N3700M/?cat=Download&os=BIOS) placed it on a FAT32 key drive and swapped the key drives and used the Instant Flash util:




      Once this completed, I set the boot device to the USB key drive, swapped the key drives back and booted into pfSense:
      Note: For some reason, booting from the Kingston USB 3 key drive that I was originally going to use didn't want to happen automatically. I could boot from it manually by entering the boot menu, but nothing else. I suspect it's on it's last legs, so I ended up using a Sandisk Cruzer Orbit that I also had. I may purchase an adaptor for the mSATA module that I have and use this in the near future as the Sandisk is only USB 2. An adaptor to use the mSATA module with one of the sata ports is only £1.64 on eBay.



      I configured some initial NIC settings then shut down to move the box to it's [almost] final resting place:



      Note the nasty ISP router in modem only mode ;) I have no idea why the hideous WPS button is lit, wifi is completely disabled! :P

      The post was edited 6 times, last by ellnic ().

    • A low cost pfSense build - for Home, SOHO & Small business

      First login to Web GUI

      On first login to the web panel pfSense asks if you would like to run the setup wizzard:



      Setup is simple if you have used devices like this before, and soon you will be at the main dashboard:



      Now I can move on to configure the rest of pfSense. :)

      This will probably be moved to the post below at some point soon, but here is my recent speed test:



      This box isn't breaking a sweat under full load.

      I can't wait until we move over to DOCSIS 3.1 and get some more upload! :D

      The post was edited 4 times, last by ellnic ().




    • I will be adding more to each section and posting power consumption and performance information soon. I'm really busy at the moment due to family so this could take a few days. I hope this has been helpful to others so far! Cheers :)

      Update 27th June 2016: I'm still really busy at the moment, but I haven't forgotten this. I ordered the mSATA adaptor from eBay and will finish/update the write up once it is here. Sorry for the wait! The box has been solid over the past couple of weeks and I have been thoroughly impressed with it :) Will update soon!

      The post was edited 5 times, last by ellnic ().

    • Yes, I did. But a lot of those Alix boards are very similar to the Lanner I had, so there would be no point in replacing it. Plus, once you've imported them and paid a hefty whack of UK import tax you've paid quite a bit. Companies in the UK that stock those Alix boards also tend to charge a bit too much for them. With the exception of some of the smaller cables, most of these components were sourced in the UK and this also has the added benefit of not paying an arm and a leg to return them if they develop a fault.

    • Looking at the specs, there are some reasons why I am glad I haven't gone with Alix.

      Have a look at this: msdist.co.uk/ and search for Alix.

      There is really only one lot of boards (quite some way down the list) that are suitable and they contain the T40E, like this one: msdist.co.uk/product_pcengines-apu1d4.php

      This board is £152.74 plus delivery on top! Not a good choice in the UK.

      Performance and power:

      cpu-world.com/Compare/897/AMD_…Mobile_Pentium_N3700.html

      The power consumption in that hungry little AMD is more than the N3700. And I bet it runs a lot hotter being at 28nm.

      Edit: Hrm, this claims the AMD is 40nm: cpuboss.com/cpus/Intel-Pentium-N3700-vs-AMD-G-G-T40E

      But then it also says the TDP is 11w for the N3700, which it isn't. It's 6W: ark.intel.com/products/87261/I…0-2M-Cache-up-to-2_40-GHz so this site could be inaccurate. If the benchmarks are accurate though, there's quite a difference.

      Edit 2: It's 26c in here at the moment:



      The post was edited 5 times, last by ellnic ().