pfSense is great if you want to build your own router/gateway

I’m pretty hard on my networking hardware.  For a few years, I’ve been quite happy with OpenWRT running on a WNDR3700 by Netgear.  Just the routing and gateway functions … I always separate wireless access point functionality onto other devices.  As I’ve mentioned before, I have been very pleased with Airport Extreme’s and Express’s as my wireless access points for a number of years.  They are not always reviewed the best in performance.  But they have all been stable, which is where most of my wifi experiences have gone bad.

However, when I moved to San Francisco, I realized we had WebPass service in the building.  The service speeds are mindblowing.  I measured around 500 mbps up AND down once (on the new pfSense based router, which I’m about to talk about).  Compare that to Comcast business class service at 7 mbps up and 28 mbps down.  I’m not even sure how fast the service really is, because I doubt if other test sites can actually keep up.

As is true in so many instances, when you open one performance bottleneck up, another one takes its place.  In this case, it was the WNDR3700.  Its basic routing speeds only ran up to 200 mbps unencrypted.  Even the Airport Extreme 802.11AC router I bought a couple of weeks later only seemed to get around 350mbps.  Encrypted throughput was the real killer.  I like to VPN home sometimes, and embedded hardware in a consumer class router just doesn’t cut the mustard.  I was topping out at 7 mbps upload.

So it was time to do something new.  The requirements?

1. High CPU performance – For the aforementioned VPN throughput and to make sure the full connection gets utilized when I need it.

2. Low idle power – This is still a router, which means it has to be on 24/7.  We want plenty of CPU power for spikes in utilization, but we don’t need to kill the monthly energy bill the rest of the time.

3. Stable and full featured – We’re not in Kansas any more!  With some of the very specific requirements I mentioned, no consumer level router is going to fit the bill.

As far as hardware goes, it was pretty clear I needed a PC of some sort, but a light weight one.  Routing isn’t gaming level intensive, but it appreciates performance on occasion.  As it turns out, Intel’s NUC platform fits the bill well.  Fortunately, at the end of last year, the new Haswell processor line … well regarded for its power efficiency … had just been incorporated into the latest revision of NUC’s.  I bought the Core i5 NUC … you can think of this as a Macbook Air equivalent processor.

For software, I went to an open source solution called pfSense.  Even though OpenWRT was stable, it required way too much command line tweaking.  On a PC, I had way more options to select from.

Now, the problem was that the Haswell hardware was new enough that pfSense wouldn’t install natively on the platform.  So I ended up doing something a bit hacky, but which turned out to work.  I simply installed Ubuntu on the NUC, and then using KVM, virtualized pfSense on top of it.  This required some detailed network interface configuration on the host to get everything working, but the important part is that it worked.

The second problem was that the NUC only had one network port.  Of course, any router or gateway is going to need at least two ports!  The way to work around this was to either A. Use a USB network adapter to add a port. or B. Use a VLAN capable switch to create extra physical ports from just the one port on the NUC.  As it turns out, the USB network adapter I bought was not stable under Ubuntu, so I was forced to go with the second option.  Luckily, this also worked.

This might sound like a lot of work, and it was!  But now that it’s all working, it works very well.  I’ve also gained the following features as a result.

  1. High speed VPN
  2. High speed routing
  3. Traffic shaping.  In my case, this means smarts so that one client can utilize most of the connection if no one needs it, but fair allocation if multiple clients are active.  In other words, one user can’t kill the whole connection for others.
  4. Very detailed statistics, graphs, and logging
  5. Both UPnP and NAT-PMP support
  6. Guest network support (in combination with VLAN’s).  Guest networks allow you to provide wireless service to guests without giving them access to your local network.
  7. Future proofing.  This hardware should be able to keep up with bandwidth requirements for a very long time.

Most importantly, it’s extremely stable.  If you have the time to tinker with pfSense and are a power user, I highly recommend it.  The one thing is that you might want to take a slightly less aggressive route and buy hardware that it can run on directly.  My choice to virtualize it is what added a lot of the complexity … although now that I’ve worked through the issues, I have more flexibility since I can use the NUC for other computing tasks.

This entry was posted in Networking. Bookmark the permalink.

5 Responses to pfSense is great if you want to build your own router/gateway

  1. tychotithonus says:

    Which VLAN-capable switch did you use?

  2. French guy with slow ISP and dying router says:

    Thanks for the article. I’m currently running OpenWRT on an old, slow router, and I’m hesitating between pfSense or OpenWRT on PC hardware. Could you tell me which USB network adapter you tried (but was unreliable), and which switch with VLAN tagging support you use?

  3. Vince says:

    Thanks for sharing,
    i am looking also into a system like yours.
    I was wondering, have you ever looked what the energy consumption is from this box running this software ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s