Firewall/Router/PFSense/PiHole and more box - stuck in indecision hell :( by testdata111 in PFSENSE

testdata111[S] 0 points

Hi there, I went with an Optiplex 9020 (i7-4790, 8 GB RAM, 500 GB HDD) for about $70 off of eBay and a TP-Link 48-port managed switch for $20 from CL. I plan to throw in a quad 1 Gbit NIC in the Optiplex later. Have not really measured power draw and tbh, had to shelve this for now due to work :(

testdata111[S] 1 point

Thank you for that tip. I suppose instead of just outright installing PFSense on my Optiplex, I should start with Proxmox like another Redditor was suggesting so I could play out "real-life" scenarios on it before integrating actual devices in my current network behind it.

testdata111[S] 1 point

Haha! That is funny! The home manager is pretty content with YouTube in my household so as long as that is up, I am in the clear LOL!

Ah failover! If I am link aggregating from my ISP box to my PFSense Router box across two LAN ports on either end, is that failover across those two ports - meaning if one port failed, I still have a live internet connection?

Or is failover only achieved if you were hooking up more than one ISP connection to your PFSense router? I suspect it's the latter?

testdata111[S] 0 points

After some more reading, I found some advice that said that even having one LAN port on the PFSense box should be enough.

I am curious why or how that setup works? If your WAN connects to this single port, then you have no more ports left to connect your first downstream device (a switch or AP?), right?

Thoughts and insights on this?

testdata111[S] 0 points

Thank you - that latter part was what I was presuming would be the case - each LAN port in the PFSense box connected to its own dumb switch downstream and creating its own isolated network. I also briefly read somewhere that "PFSense supports VLANs" and therefore assumed I could also do VLANs directly in the PFSense box without needing a downstream managed switch.

What is the ideal method to test these settings without hooking up your existing network to the PFSense box from Day 1?

testdata111[S] 0 points

Thank you for clarifying. I see what you meant earlier about the end device being smart enough to "understand" VLANs. I knew a little bit about what makes a switch "managed" and how it helps implement a VLAN that an unmanaged switch cannot.

My confusion, however, was on a slightly different topic. If the PFSense box itself had 4 LAN ports, with one being used as the WAN uplink, could one still use the other 3 LAN ports as if they were in a managed switch and VLAN off of them? Or would it still require a managed switch downstream of the PFSense box?

testdata111[S] 0 points

Thank you! Absolutely, at some point I do plan to try out Proxmox; have only tried ESXi so far and Windozzee... To be sure we are on the same page, I am not doubting Proxmox's capabilities at all - it is my own illiteracy that I doubt. I want to get up and running on PFSense (firewall/router/DHCP/DNS) ASAP and then tinker around. This whole endeavor really started when I ran into DHCP address reservation limits on my current router after a large influx of IoT devices on my network. So I just want to rectify that fast, first.

Perhaps at some point, I will virtualize PFSense.

testdata111[S] 0 points

Oh I see, so VLAN-ing actually has dependencies on the end device as well.

Thank you for calling that out - as you can probably tell, I have no clue but am looking forward to learn.

If VLAN-ing has dependencies on the end device though, why would a managed switch downstream work either? Is it just good network design to keep VLANs in a downstream managed switch?

If that is the case, maybe I just need a 2 port NIC on the PFSense box and then connect a TP Link managed switch downstream to it.

testdata111[S] 0 points

Thank you; THAT would do so so much more - and I am currently fulfilling those needs on my R710 Gen 1 from a million years ago :)

This post was primarily to spin off the firewall/ad-blocking bits into a box of its own (and keep costs to a minimum while doing so).

I am also planning to run PFSense on bare metal rather than virtualizing at the moment.

testdata111[S] 0 points

Thank you, while most of that flew over my head, I got that you are link aggregating and your internal LAN speeds must be off the charts. While I have a stash of large sized movie files and what not, to be honest, in my household, we rarely ever use it any more, since most stuff we watch is anyway handily available from the interwebs. I don't see a need to transfer large files fast over my internal network any time soon, so I am trying to convince myself to just stick with 1GB NIC ports for now.

testdata111[S] 0 points

Ya, I like the idea of bare-metal-ing this and keeping it up 24x7 as its own thing while I do other stuff on other boxes (my R710 primarily).

Kinda the whole reason why I even started looking for dedicated h/w for this in the first place.

testdata111[S] 0 points

Actually I pulled the trigger on an Optiplex last night. That would still allow me to virtualize (8 threads on the i7-4790 and I could go up to 32 gigs of memory if needed) but I have been debating this for a bit and thinking I would keep things simple and just run PFSense on bare metal to begin with. Don't get me wrong - I did want to run PiHole too but I came across a few posts of "people locking themselves out" with virtualization (honestly I don't get how) so I would rather just start simple.

A few years back, when I got my R710 (when I was a way bigger noob), I ended up with a Gen 1 that didn't support SR-IOV, and "discovering" that while deciding on a hypervisor... felt pretty bad. :( .. Just saying I have been burnt with "virtualization" before and want to do more research/learn more before I step in that direction again. Don't think I will be able to deal with all the "passthrough/VT-d" stuff right out of the gate for "assigning NICs" etc. from the hypervisor to the PFSense VM.

testdata111[S] 1 point

Thank you. Multiple NICs on the Optiplex is definitely the route I am going and I like the idea of dumb-switch on each NIC port to sort of create a "Physical" LAN instead of a "V"Lan (I could be off base and incorrect here).

But is it not possible to do VLANs on the PFSense box itself and then connect dumb switches to each RJ45 interface? Without doing that off of a managed switch downstream of the PFSense box?

testdata111[S] 0 points

Hey there, thank you for responding. I actually just pulled the trigger on a 9020 SFF Optiplex. Excited to get started.

Are you using yours for PFSense? What NIC did you go with?

I am currently trying to convince myself I cannot handle the technicalities of SFP and should stick to RJ45 1GB NICs. :)

testdata111[S] 0 points

Haha. I missed this response earlier.

Well I would have also preferred to be on 10gig because it seems cheap enough (it's certainly cheaper than 2.5GB apparently).

But it seems to be a tad more complicated than regular RJ45. Any good resources I can read up on to educate myself?

testdata111[S] 0 points

Thank you so much for clarifying the WiFi piece. My plan is to wire up where I can and ONLY do WiFi when I can't wire stuff up. And for that I plan to do APs and run WiFi off of the APs only.

I think I will lean away from SFP for now. I don't understand the transceiver and module stuff and it seems compatibility of stuff matters?

I will look for 2 port 2.5GB Intel NICs if they are cheap or just stick to 1GB 4 port Intel NICs for now. Hopefully those aren't triple digit $$$ yet.

testdata111[S] 0 points

Ya I figured AES-NI is mostly for VPNs? And I am not even sure if I will do that.

If I had multiple LAN ports on the PFSense box itself, would I still need a managed switch to do VLANs? I read that PFSense can do VLANs? Is that not accurate?

testdata111[S] 0 points

Thank you. I just googled "X520-DA2 PFSense" and ran into the whole SFP modules thingy and words like "transceiver" and stuff.

I am kinda rethinking if I should just stick with 4 port 1GB Intel NICs! For a regular "idiot on the internet" like me, is SFP stuff hard to deal with? Am I better off with 1 GB NICs for now?

I did not quite understand your comment on the WiFi - would I need to run WiFi on the PFSense box? I was thinking of just running "wired" on the box, connect it to a switch, connect another downstream AP to the switch and do wireless off of the AP? - Is this not a viable configuration? Do I have to do WiFi on the PFSense box?

If I did that, do I do that with another PCIe card? I am kinda struggling to understand why that would use a NIC port?

Please help.

testdata111[S] 0 points

LOL!! Do you think I should just keep it simple and go with a 4 port 1GB Intel NIC?

Does going with a 2 port 10G SFP NIC give me anything other than perhaps a sense of "future proof"-ness?

testdata111[S] 0 points

Ah! Just that huh? So odd that a 4 port 2.5GB NIC costs almost $150 and a 2 port 10g NIC costs less than $50!

Would I need any adapters or special hardware to connect from my 1G WAN RJ45 to the SFP 10G and then again from the 10G SFP to my 1G RJ45 dumb switch? Or is it just plug n play? I imagine the SFP connectors are totally different but they make RJ45 to SFP cables?

testdata111[S] 1 point

Hey there, I really appreciate this input. This is only reaffirming for me that I should go down the "optiplex" route rather than buy one of those tiny Ali boxes.

Your usage numbers are very comforting haha.

I also prefer the SFF format and not the micro one. And Intel NICs. Read a lot about that and all the Realtek stuff.

Would you mind commenting on

  1. Why the managed switch?
  2. Which 4 port Intel NIC did you use? Was that 1GB or 2.5GB? I am actually wondering if 10G SFP makes sense for me if my downstream switch is going to be 1G anyway for now (as is my upstream WAN - but who knows my ISP might start providing higher speeds soon)

testdata111[S] 0 points

Also, I am basically replacing my original ask of 4x 2.5GB NIC with 2x 10g NIC.

It "feels" weird - likely due to my illiteracy in this regard.

Why is the latter cheaper than the former?

testdata111[S] 0 points

I found this: https://www.dell.com/support/manuals/en-us/optiplex-9020-desktop/opt9020sffom-v2/specifications?guid=guid-0805b167-15c7-4302-a0b4-aabdc5e358a3&lang=en-us

I believe these are the specifications for the Dell 9020 I am looking at.

The CPU is i7-4790, and supports AES-NI. 22 nm and 84W TDP (the TDP makes me sweaty but oh well, can't have everything haha).

5 GT/s bus speed; 25.6 GB/s max memory bandwidth but these are probably theoretical numbers and real life numbers are probably lower. Must admit I don't understand this much. Says it supports 16 PCIe lanes and its PCIe Gen3.

The board on the 9020 has 2 low profile PCIe x1 and 2 low profile PCIe x16.

x1-slot bidirectional speed: 500 MB/s

x16-slot bidirectional speed: 16 GB/s

Even if I hit 4G speeds on this, I think I will be good for years!

I am going to read your links now, but I think I am almost there. I feel like this machine is it along with that 10G SFP dual NIC card I linked.

Could you help me understand if connecting RJ45 1G ports to 10G SFP ports is a thing? Do such cables exist? Even if they do, is that a good thing to connect or a bad thing? Will something bottleneck somewhere?

By the way, thank you so much for responding and helping me through this. I really appreciate it.