Sunday, May 7, 2017

Mini-PC pfSense

It has been some time since I wrote a blog entry here, despite having more than enough to write about. This entry will be on future pfSense firewall update paths for myself, as well as what I will recommend to others. Recently I bought a mini-PC with which I intended to replace my current pfSense installation, but was disappointed to see an announcement within days by Netgate for their pfSense roadmap and what it means for CPU requirements to run future versions.

pfSense 2.3.4 was released on the 3rd of May, and will likely be the last version with support for older 32-bit CPUs. Despite my elaborate home network, a dual-Pentium III server with four network interfaces is able to handle pfSense very well, with CPU utilization rarely rising above 50%. The CPUs, of course, are 32-bit, being well over 15 years old.

pfSense 2.4 is close at hand, and will only have support for 64-bit CPUs. Thus my ordering the mini-PC with four Intel network interfaces and a 64-bit, four-core Celeron J1900 CPU. Running on 12VDC (future blog entries on that), it seemed to be exactly what I was looking for (at a cost of around $280 with RAM and an SSD having pfSense pre-loaded).

Alas, soon after I received the unit, Netgate made an announcement that pfSense 2.5 (possibly a year from release at this point) will require CPUs with the "AES New Instructions" set (AES-NI). The Celeron J1900 does not support AES-NI, meaning I will easily be able to go to pfSense 2.4 (and later incremental versions), but not 2.5 when it is released. Of course, I can remain at version 2.4, but will miss any new features added with 2.5 and patches once it is released.
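To check a candidate box against the requirements described above, the following added example (not from the original post or from Netgate) classifies a CPU feature dump. The function names and sample inputs are constructed for illustration, and the version cut-offs are the ones stated in this post.

```shell
#!/bin/sh
# Added example: map CPU feature flags to the pfSense release lines named in
# this post (2.3.x: last with 32-bit, 2.4: 64-bit only, 2.5: AES-NI announced).
# Input is FreeBSD boot text (Features=...<...,LM,AESNI>) or Linux
# /proc/cpuinfo text ("flags : ... lm aes ...").

# Print one upper-cased feature token per line, taken only from feature lines.
feature_tokens() {
    printf '%s\n' "$1" | grep -Ei '^flags|features' |
        tr -cs 'A-Za-z0-9._' '\n' | tr 'a-z' 'A-Z'
}

# Succeed if any whole token matches the extended regex in $2.
has_token() {
    feature_tokens "$1" | grep -Eqx "$2"
}

# Print the newest release line the CPU qualifies for, per the post.
pfsense_cpu_check() {
    if ! has_token "$1" 'LM'; then
        echo "2.3.x"    # no long mode: 32-bit only
    elif ! has_token "$1" 'AES|AESNI'; then
        echo "2.4.x"    # 64-bit, but no AES-NI
    else
        echo "2.5"      # 64-bit with AES-NI
    fi
}

# Constructed sample inputs (shortened, not captured from real hardware).
# FreeBSD-style, 64-bit without AES-NI, like the J1900 unit in the post:
SAMPLE_64_NOAES='  Features2=0x0<SSE3,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT>
  AMD Features=0x0<SYSCALL,NX,RDTSCP,LM>'
# Linux-style, 32-bit only, like the old Pentium III server:
SAMPLE_32='flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge cmov mmx sse'
# Linux-style, 64-bit with AES-NI:
SAMPLE_64_AES='flags : fpu sse sse2 ssse3 sse4_1 sse4_2 lm aes avx'

# Optional: classify a real dump passed as the first argument.
if [ "$#" -gt 0 ]; then
    pfsense_cpu_check "$(cat "$1")"
fi
```

Pass `/var/log/dmesg.boot` on a pfSense or FreeBSD system, or `/proc/cpuinfo` on Linux, as the argument.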

When complaints were received, Netgate also made a later announcement that the AES-NI requirement was not for VPN package support. I will likely deploy a 1U home-built unit that I developed to run on 12VDC, with an AMD CPU that supports both 64-bit and AES-NI, keeping the mini-PC as a redundant fail-over firewall. As the pfSense 2.4 release date nears, that project will be covered in other blog entries.

Otherwise, I am happy with the mini-PC pfSense installation. My current configuration transferred without any problems. I printed a black label to properly identify the additional "Opt 1" and "Opt 2" interfaces as my "ADMIN" and "DMZ" networks respectively (the first two interfaces are already labeled as "LAN" and "WAN", unlike what the picture above shows).

Stay tuned for more blog entries on their way!...