Quick pfSense Question

Posted by ilikecake (Gawd; joined Feb 20, 2006; 759 messages)
I have heard many good things about pfSense on these forums, and now that I have roommates that use Bittorrent, I was thinking of setting up a small pfSense box to do QoS for our network. I was thinking of using one of the Intel Atom ITX motherboards, or maybe the VIA C7 (or Nano if it ever comes out). However, I have a question about storage.

Has anyone tried to install pfSense on a USB flash drive? I saw on their website something about an embedded version of pfSense, but that seems to not use VGA and I would like to have that option. Is the normal version of pfSense going to be too hard on the USB drive?

It looks like pfSense needs only a small amount of hard drive space, and it seems like a waste to get a 2.5" drive just to use 125mb out of 60gb. Also, SSD would be nice, but I don't really want to spend $100+ on a drive. Seeing as how I can get an 8gb USB key from Newegg for like 15$, this seems like it would be a good option. All this is assuming I can boot from USB, but that's a motherboard problem.
 
> I have heard many good things about pfSense on these forums, and now that I have roommates that use Bittorrent, I was thinking of setting up a small pfSense box to do QoS for our network. I was thinking of using one of the Intel Atom ITX motherboards, or maybe the VIA C7 (or Nano if it ever comes out). However, I have a question about storage.
QoS is quite robust with pfsense, you're making a good choice of UTM I think. Many others on these forums prefer untangle, but pfsense is pretty lightweight and does a lot.

> Has anyone tried to install pfSense on a USB flash drive? I saw on their website something about an embedded version of pfSense, but that seems to not use VGA and I would like to have that option. Is the normal version of pfSense going to be too hard on the USB drive?
All versions of pfsense are "headed", but there is no GUI. It's all menu driven, unless they changed how the embedded versions worked (which I'm not aware of). I haven't used the USB version but it's identical to the CDROM version (except for the fact that you can store your config file in the same location as the OS). As long as your computer can boot off the USB controller you're good. Also, the firewall is managed through the web, I doubt they would have removed this in the newer embedded versions (it was there before).

Do you have any old drives laying around? I installed mine a while ago on an 8GB drive. ATA100. Worked perfectly and will be faster than USB2 as well (something you may also want to consider).
 
> QoS is quite robust with pfsense, you're making a good choice of UTM I think. Many others on these forums prefer untangle, but pfsense is pretty lightweight and does a lot.

PFSense is not a UTM though, it has no antivirus scanning abilities, no SPAM removal, no trojan/spyware detection of web traffic, etc.
UTM distros would include Untangle, Astaro, Endian, IPCop with the Copfilter add-on, etc. They can all do scanning of traffic for threats.

I love Untangle like crazy, I have it installed at lots of clients, and hopefully will do dozens and dozens more, but I run PFSense at home...due to the traffic shaping. Which....Untangle is getting more and more robust with its QoS, but just too much overhead for my online gaming needs...I don't need all that scanning 'n stuff adding latency...however minimal a fast box would make it.
 
> PFSense is not a UTM though, it has no antivirus scanning abilities, no SPAM removal, no trojan/spyware detection of web traffic, etc.
> UTM distros would include Untangle, Astaro, Endian, IPCop with the Copfilter add-on, etc. They can all do scanning of traffic for threats.

Um......snort plugin, squidguard plugin, spamd plugin, plus your routing and firewalling. Sounds like a UTM to me. How is it not? Since pfsense also has a compiler you can go ahead and compile source for a custom device.
 
Uhm...UTM appliances are defined as having anti-virus, anti-malware (adware/spyware) protection, viruses, trojans, web based threats, spam filtering, phishing protection, as well as content filtering and the typical SPI/ID stuff.

PFSense is missing the first couple. Compiling your own plug-in does not mean the distro itself qualifies as a UTM.

Rather than define UTM here..as I have to leave this onsite, just Google "UTM appliance"...and see what comes up. You won't see the basic *nix distros here.
http://www.google.com/search?hl=en&q=utm+appliance&btnG=Google+Search&aq=f&oq=
 
> Uhm...UTM appliances are defined as having anti-virus, anti-malware (adware/spyware) protection, viruses, trojans, web based threats, spam filtering, phishing protection, as well as content filtering and the typical SPI/ID stuff.
Why do you always try (and usually fail) at proving me wrong? If you want to get technical a UTM is defined very CLEARLY as a firewall with IPS/IDS and antivirus (which pfsense has.... snort and clamAV) capabilities. Everything else is just icing on the cake.

> PFSense is missing the first couple. Compiling your own plug-in does not mean the distro itself qualifies as a UTM.
wait..... didn't you just say that IPcop with copfilter was a UTM? Don't you have to compile copfilter? :rolleyes: hmmm. I see.

> Rather than define UTM here..as I have to leave this onsite, just Google "UTM appliance"...and see what comes up. You won't see the basic *nix distros here.
> http://www.google.com/search?hl=en&q=utm+appliance&btnG=Google+Search&aq=f&oq=
I have a better idea, google "pfsense UTM" and see what you find
http://www.google.com/search?hl=en&q=PFsense+UTM&btnG=Google+Search&aq=f&oq=

actually, let me tell you... it's you (and only you) blabbing that pfsense is not a UTM. Good times, Good times....
 
Well, that got a bit off track...

Thanks for the responses. There is some basic info on the embedded version of pfSense here. The main thing that caught my eye was the part where it says "Video and keyboard is disabled as some embedded systems don't have this hardware." I don't know if this is a bad thing or not, as I have never used pfSense before. Does one just install it, and then connect to the web interface to set it up?

> Do you have any old drives laying around? I installed mine a while ago on an 8GB drive. ATA100. Worked perfectly and will be faster than USB2 as well (something you may also want to consider).

Hmm, now that you mention it, I have an old 20/40gb 2.5" drive from an old laptop. That would probably work for this. Saves me ~12$ i guess. I still like the idea of USB drive as a hard drive, but you are probably right that it will be slow.
 
> Well, that got a bit off track...
>
> Thanks for the responses. There is some basic info on the embedded version of pfSense here. The main thing that caught my eye was the part where it says "Video and keyboard is disabled as some embedded systems don't have this hardware." I don't know if this is a bad thing or not, as I have never used pfSense before. Does one just install it, and then connect to the web interface to set it up?
>
> Hmm, now that you mention it, I have an old 20/40gb 2.5" drive from an old laptop. That would probably work for this. Saves me ~12$ i guess. I still like the idea of USB drive as a hard drive, but you are probably right that it will be slow.
Sorry about the thread jack man, it's just Stonecat is old and thinks that knowledge always comes with age....

I would go with the laptop drive with a 3.5->2.5in converter if you're not using it with anything else. Also, interesting about the quote..... Maybe they did create something like that. The console really isn't used anyway. You use the web manager for everything.
 
Isn't monowall the 'embedded' version of pfSense?

Anywho, I've tried pfsense with the config stored on a floppy and booting from a CD but that was far from reliable and I wanted to have squid etc so I just chucked in an old HDD and installed it to that instead - works like a charm (only I've not set up the QoS since my connection isn't exactly a stable speed, anyone got any pointers?!)
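The QoS pointers asked for above, as an added example that is not from this thread or from the pfSense project: pfSense's traffic shaper sits on FreeBSD's pf/ALTQ, and this script renders the kind of pf.conf its shaper wizard produces, with the queue logic spelled out in one place. The interface names (re0/re1), the torrent hosts (192.168.1.50 and .51), the link rates passed on the command line and the 90% shaping margin are all assumptions; read the rendered ruleset before loading it anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): renders the kind of
# pf(4)/ALTQ ruleset pfSense's traffic-shaper wizard builds, so the queue logic
# sits in one readable file.  Assumptions: WAN re0, LAN re1, torrent boxes at
# 192.168.1.50 and .51, link rates given in kbit/s on the command line.
# Read the output before loading it on a real firewall.

WAN_IF=re0
LAN_IF=re1
TORRENT_HOSTS="192.168.1.50, 192.168.1.51"

# Shaping only works when the shaper, not the modem, is the bottleneck, so the
# queue root is set to a fraction (default 90%) of the MEASURED link rate.
shape_rate_kb() {            # shape_rate_kb <measured kbit/s> [percent]
    echo "$(( $1 * ${2:-90} / 100 ))Kb"
}

# One hfsc queue tree per interface, with IDENTICAL queue names on both: pf
# remembers the queue chosen by the rule that created a state and applies it on
# whichever interface a packet leaves, so a single LAN rule shapes the upload
# (egress WAN) and the replies coming back (egress LAN).
queue_tree() {               # queue_tree <interface> <root bandwidth>
cat <<EOF
altq on $1 hfsc bandwidth $2 queue { q_ack, q_dns, q_default, q_bulk }
queue q_ack     on $1 bandwidth 20% hfsc(realtime 15%)
queue q_dns     on $1 bandwidth 5%  hfsc(realtime 5%)
queue q_default on $1 bandwidth 55% hfsc(default)
queue q_bulk    on $1 bandwidth 20% hfsc(upperlimit 50%)
EOF
}

render_pf_conf() {           # render_pf_conf <up kbit/s> <down kbit/s>
cat <<EOF
ext_if = "$WAN_IF"
int_if = "$LAN_IF"
table <torrent_hosts> { $TORRENT_HOSTS }
set skip on lo0

EOF
queue_tree "$WAN_IF" "$(shape_rate_kb "$1")"
queue_tree "$LAN_IF" "$(shape_rate_kb "$2")"
cat <<'EOF'

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny: nothing unsolicited gets in from the WAN.
block in all

# pf takes the LAST matching rule, so the general LAN rule comes first and the
# specific ones override it.  The second queue of each pair carries empty TCP
# ACKs and TOS-lowdelay packets; that is what stops a saturated upload from
# throttling everyone's downloads.
pass in on $int_if from $int_if:network to any queue (q_default, q_ack) keep state
pass in on $int_if from <torrent_hosts> to any queue (q_bulk, q_ack) keep state
pass in on $int_if proto { tcp udp } from $int_if:network to any port 53 queue (q_dns, q_ack) keep state

# Traffic the firewall itself originates; forwarded packets already have state.
pass out on $ext_if keep state
pass out on $int_if keep state

# A forwarded torrent port needs its own queue, because a state created on the
# WAN side inherits the queue of the rule that passed it, e.g.:
#   rdr on $ext_if proto tcp to port 6881 -> 192.168.1.50
#   pass in on $ext_if proto tcp to 192.168.1.50 port 6881 queue (q_bulk, q_ack) keep state
EOF
}

# Syntax-check without loading (needs pfctl; a no-op elsewhere).
check_pf_conf() {            # check_pf_conf <up kbit/s> <down kbit/s>
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, skipping" >&2; return 0; }
    render_pf_conf "$@" | pfctl -nf -
}

render_pf_conf "${1:-1500}" "${2:-8000}"
```

Run as `sh shaper.sh 1500 8000 > pf.conf`, check it with `pfctl -nf pf.conf`, then load with `pfctl -f`. Two points carry straight over to the pfSense wizard: shape at a little below the measured link rate, or the modem's buffer does the queueing and your priorities never apply; and give bulk traffic its own ACK queue, because an upstream pipe full of torrent data delays everyone's ACKs, and that, not the download direction, is usually what makes a shared connection feel slow.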
 
> actually, let me tell you... its you(and only you) blabbing that pfsense is not a UTM. Good times, Good times....

No, it's the dictionary. Let me break it down to Tip and Mitten book level for you.

Your link even steers itself to a few threads on PFSense's forums...where even the PFSense forum mods state what I'm stating.

Here is one post that is dated Dec 27 of 2007...which is not even a year ago. Two of the PFSense mods there state that there is not a package yet, one says it is still under development (my guess is for 1.3)
http://forum.pfsense.org/index.php/topic,7277.0.html
^^^click the above link^^^

But another thread from July of 08, some PFSense staff express no interest in further developing an AV scanner plugin. Bummer
http://forum.pfsense.org/index.php/topic,10508.0/all.html

FACT: UTM means all the features I've listed a few posts above. It's a pure definition of what UTM is, clear and simple. Antivirus scanning is a requirement.

FACT: PFSense by default does not have antivirus scanning features

Basic logic even a 4th grader can grasp...."Thus PFSense is not a UTM product".

There have been several threads on their forum..quite a few actually, lots of PFSense users have put this on the package wishlist. I've read several home grown packages on the site, most of them buggy, and abandoned...as over the years I've been waiting for an AV scanning package for PFSense.

I don't see the HAVP option available on the drop down menu for package list.

Nor does IPCop by default. I don't call IPCop a UTM distro, nor should anyone else..by definition of UTM.

IPCop can only fall under the UTM category if you add the Copfilter add-on. The Copfilter add-on is a fully supported add-on package, which is easy to install, and supported within their community.

Perhaps, and hopefully, PFSense will also, as it would be nice to have it as an option, I have a client with a WAN that I use PFSense for their IPSec tunnels, I'd love to get some extra scanning safety on there.

I'm not knocking PFSense for not having it, as PFSense is designed to be a high performance distro, and any antivirus scanning would work against that. I've been excited about PFSense since the very first version was released and have been playing with it since then, and use it quite a bit for setups. But by definition..clear definition, it is not a UTM distro.
 
Thanks for the replies.

pfSense is a UTM!

No it's not!

Having read postings from both of you, I appreciate your input and knowledge. However, on this point, perhaps you should agree to disagree? ;) I know enough about what a UTM is to know it is probably not needed in my case. There are 4-6 computers in our house maximum, and I am pretty sure they are hardened enough that we don't need another line of protection. Plus, only one is running windows. :p

Anyways, I will probably scrap the USB key idea, and just use my old 2.5" hard drive (if I can find it). That seems like it will save me a bit of trouble. Does anyone know the approximate size of the pfSense install? The FAQ says the embedded version is ~128mb, but the real version may be a bit bigger.

Also, on a sorta related note: If I go with the pfSense router, I will need a switch to connect all my computers together. I am currently using a D-Link DGS-2208 switch to connect some stuff elsewhere in the house. Would something like this be good enough for my needs? I just looked for the cheapest gigabit router when I was getting that one, but I don't know if there are other things I should consider if I am getting one for my primary router.
 
I guess I scared everyone off. :(

Well, if anyone is interested, it looks like the ethernet chip on the Intel Atom board I was looking at (D945GCLF2) is not compatible with BSD, and therefore will not work with pfSense. Apparently people are working on this problem, and so there will probably be an updated driver eventually.

I am currently considering getting a VIA C7 board like this instead. It has a different Realtek chip on it, which apparently works in BSD. As a bonus, it has two ethernet interfaces.

I also read some talk on the internets about using the pfSense firewall with only a single ethernet port. How does that work exactly? Don't you need an interface for the incoming signal and a different one for the local network? Or can you do some magic with vlans to make it work?

Anyways, I am gonna take my time with this project, I guess. Hopefully better Atom boards or VIA's Nano will come out and be a viable option for this. In the mean time, I will stick to my current QoS method of yelling at my roommates when the internet is slow. :D
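On the single-port question just above, an added example (not from the thread or from pfSense): a one-NIC router works by giving the NIC two 802.1Q tagged sub-interfaces and cabling it to a trunk port on a VLAN-capable switch, with the modem on a port in the WAN VLAN and the PCs in the LAN VLAN. pfSense asks whether to set up VLANs during interface assignment; this script is the FreeBSD underneath that. Assumed: NIC re0, VLAN 10 for the LAN (192.168.10.0/24), VLAN 20 for the modem, and a managed switch; an unmanaged desktop switch cannot do this.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): the FreeBSD
# commands behind a one-NIC "router on a stick", which is what pfSense sets up
# when you answer yes to its VLAN question at interface assignment.
# Assumptions: the single NIC is re0 on an 802.1Q trunk port of a managed
# switch; VLAN 10 carries the LAN (192.168.10.0/24) and VLAN 20 carries the
# cable/DSL modem.  The firewall is then only as good as the switch's VLAN
# membership: one port mistakenly left in both VLANs joins the modem side to
# the LAN behind the firewall's back.

NIC=re0
LAN_VLAN=10
WAN_VLAN=20
LAN_ADDR=192.168.10.1/24

# Print each command and run it only when DRY_RUN is unset, so the plan can be
# reviewed (and tested) before touching a live router.
run() {
    echo "+ $*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Two tagged sub-interfaces on one physical port.  To pf and to routing they
# are separate interfaces, which is all "two NICs" ever meant.
create_vlans() {
    run ifconfig "$NIC" up
    run ifconfig "vlan$LAN_VLAN" create vlan "$LAN_VLAN" vlandev "$NIC"
    run ifconfig "vlan$LAN_VLAN" inet "$LAN_ADDR" up
    run ifconfig "vlan$WAN_VLAN" create vlan "$WAN_VLAN" vlandev "$NIC"
    run ifconfig "vlan$WAN_VLAN" up
    run dhclient "vlan$WAN_VLAN"          # WAN address comes from the modem/ISP
    run sysctl net.inet.ip.forwarding=1   # turn the box into a router
}

# Minimal pf ruleset: NAT the LAN out of the WAN VLAN, default deny inbound.
render_pf_conf() {
cat <<EOF
ext_if = "vlan$WAN_VLAN"
int_if = "vlan$LAN_VLAN"
set skip on lo0
nat on \$ext_if from \$int_if:network to any -> (\$ext_if)
block in all
pass in on \$int_if from \$int_if:network to any keep state
pass out all keep state
EOF
}

if [ "${1:-}" = "apply" ]; then
    create_vlans
    render_pf_conf > /etc/pf.conf && pfctl -ef /etc/pf.conf
else
    ( DRY_RUN=1; create_vlans )           # show the plan only
    render_pf_conf
fi
```

Without arguments the script only prints the plan and the ruleset; `sh vlan-router.sh apply` executes it. The trade-off against two NICs is that WAN and LAN now share one cable and one switch, so the trust boundary lives in the switch's VLAN table rather than in a physical port, and the trunk port carries both sides' traffic at once.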
 
> Also, on a sorta related note: If I go with the pfSense router, I will need a switch to connect all my computers together. I am currently using a D-Link DGS-2208 switch to connect some stuff elsewhere in the house. Would something like this be good enough for my needs? I just looked for the cheapest gigabit router when I was getting that one, but I don't know if there are other things I should consider if I am getting one for my primary router.

That should be fine....you uplink the "green NIC" from your *nix router..to your switch. Whatever switch you choose for your LAN needs will be fine. DHCP can be run from the PFSense box, so it will basically act just like a regular NAT router, just a lot more powerful. ;)

As for the hardware compatibility, just hang out on their forums, and read what people are reporting success on. They have an HCL (Hardware compatibility list) stickied at the top of the hardware forum, but it's rather outdated.
http://forum.pfsense.org/

Bleeding edge hardware often is not the most friendly with *nix distros, as don't forget, they're open sourced, can take a while for hardware support to catch up. I find the most success with using business grade hardware....such as small form factor biz grade desktop PCs, or more standard laptops such as older IBM Thinkpads, etc.
 
> I still like the idea of USB drive as a hard drive, but you are probably right that it will be slow.

FWIW, having your OS on a USB stick will be light years faster than having it on a HDD...ANY HDD! Reading from flash memory is tons quicker than reading from platters. Granted you may kill your USB drive with all the writes but it would last quite a while and just keep a backup of your config so you can be back up and running quick if it does fail.

On that note, why all the talk about UTMs? The OP never asked about a UTM, he asked about QoS, which pfsense will do just fine. It seems most threads Stonecat gets involved with involving UTMs or firewalls end up being a pissing match.
 
> On that note, why all the talk about UTMs? The OP never asked about a UTM, he asked about QoS, which pfsense will do just fine. It seems most threads Stonecat gets involved with involving UTMs or firewalls end up being a pissing match.

Because it was called a UTM, and it's not. Pure definition, not opinion or how far one can piss. I go by literal facts.

It's like calling a hub a router.
 

> I am currently considering getting a VIA C7 board like this instead. It has a different Realtek chip on it, which apparently works in BSD. As a bonus, it has two ethernet interfaces.

Even though it's Via and Jetway....they are very compatible from what I've seen in various *nix forums. Nice little boxes. Don't worry about CPU power as much, you'd be surprised at the extreme performance you'll get out of under 1GHz with PFSense....way more throughput than you'd be able to throw at it.
 
> FWIW, having your OS on a USB stick will be light years faster than having it on a HDD...ANY HDD! Reading from flash memory is tons quicker than reading from platters. Granted you may kill your USB drive with all the writes but it would last quite a while and just keep a backup of your config so you can be back up and running quick if it does fail.
This is actually a very common misconception. The bottleneck is not the hardware, it's the bus itself. Also, the average read throughput for a USB2 flash drive is around 25MB/sec whereas the average read throughput for an ATA100 drive is 50MB/sec. :) This has come up before and is pretty well documented all over the net.

> On that note, why all the talk about UTMs? The OP never asked about a UTM, he asked about QoS, which pfsense will do just fine. It seems most threads Stonecat gets involved with involving UTMs or firewalls end up being a pissing match.
T-R-U-T-H

> I don't see the HAVP option available on the drop down menu for package list.
>
> Nor does IPCop by default. I don't call IPCop a UTM distro, nor should anyone else..by definition of UTM.
>
> IPCop can only fall under the UTM category if you add the Copfilter add-on. The Copfilter add-on is a fully supported add-on package, which is easy to install, and supported within their community.
It's not in the drop-down GUI menu. If you look a bit deeper on the forums you will see that you can compile any BSD package (including HAVP), therefore adding more functions to the firewall and creating a UTM. Whether or not it's supported is IRRELEVANT.

http://forum.pfsense.org/index.php?topic=8442.msg47627

also, if we're talking defaults... doesn't untangle come with NOTHING added to the virtual rack by default? So by your logic untangle is not a UTM until you manually add the packages, or technically "apps".

> Because it was called a UTM, and it's not. Pure definition, not opinion or how far one can piss. I go by literal facts.
>
> It's like calling a hub a router.
You sir, are ignorant and this analogy just shows how idiotic you really are. Your definition of a UTM is pure opinion. Period.

http://www.techweb.com/encyclopedia/defineterm.jhtml?term=UTM
http://searchsecurity.techtarget.com/dictionary/definition/what-is-unified-threat-management.html
http://staging.fortigate.com/products/fortigate_overview.html
http://en.wikipedia.org/wiki/Unified_Threat_Management
These are some more of your "facts" but they seem to sway toward my argument. Most of these features are supported by pfsense with a simple package add, with antivirus being the exception (manual install). Seriously Stonecat, stop being so pompous and realize that you can be wrong. I think you needed this argument, and I hope that you came back down from the cloud you were on. I'm finished fighting with you.

So the question being, can anti-virus be installed on pfsense?
HAVP yes, email virus scanning is something that may not make it to the table.
 
You almost cracked me up this morning....all your links for UTM definitions...guess what they have...yes.."antivirus". Wow..big shovel you took with you to dig your hole. ;)

Again, proves it is not an opinion, but an industry standard definition..which is my point. Up above, you were trying to change the definition of UTM. Good luck on that project.

And the "default" minimum package for Untangle is the OpenSource package..which has ClamAV based antivirus component plus the Spyblocker component which consists of another several technologies. Your library "starts" with that once installation is complete. You then load the features you want by adding them to the rack..but that choice is yours...and the library comes with them by default.

> also, if we're talking defaults... doesn't untangle come with NOTHING added to the virtual rack by default? So by your logic untangle is not a UTM until you manually add the packages, or technically "apps".

> You sir, are ignorant and this analogy just shows how idiotic you really are. Your definition of a UTM is pure opinion. Period.
>
> http://www.techweb.com/encyclopedia/defineterm.jhtml?term=UTM
> http://searchsecurity.techtarget.com/dictionary/definition/what-is-unified-threat-management.html
> http://staging.fortigate.com/products/fortigate_overview.html
> http://en.wikipedia.org/wiki/Unified_Threat_Management
 
> This is actually a very common misconception. The bottleneck is not the hardware, it's the bus itself. Also, the average read throughput for a USB2 flash drive is around 25MB/sec whereas the average read throughput for an ATA100 drive is 50MB/sec. :) This has come up before and is pretty well documented all over the net.

That depends on the application. For large files, yes a HDD will be faster, but for small files a quality thumb drive will be faster. Something your transfer speeds are not taking into account are access times. A USB drive has essentially zero access time, a typical HDD has around 8.5ms access time. Your average OS read/write will be done on a USB drive before a HDD will even begin.
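To put numbers on the access-time point made just above, an added example (not from the thread): a two-term model, per-file latency plus size divided by sequential rate. The 8.5 ms / 50 MB/s and 25 MB/s figures are the ones quoted in this thread; the ~0.5 ms flash access time is an assumption, and the crossover it produces only holds for whatever numbers you measure on your own devices.

```shell
#!/bin/sh
# Added example (not from the thread): a back-of-envelope model of the
# flash-vs-HDD argument.  Per file: time = access latency + size / sequential
# rate.  The HDD (8.5 ms, 50 MB/s) and USB2 stick (25 MB/s) figures are the
# ones quoted in the thread; the ~0.5 ms flash access time is an assumption.
# Measure your own with HD Tune or dd before trusting any of them.

# read_time_ms <access ms> <MB/s> <file KB> <file count> -> total ms (rounded)
read_time_ms() {
    awk -v a="$1" -v r="$2" -v s="$3" -v n="$4" \
        'BEGIN { printf "%.0f\n", n * (a + (s / 1024) / r * 1000) }'
}

# crossover_kb <access1> <rate1> <access2> <rate2> -> file size (KB) at which
# the faster-streaming but slower-seeking device 2 catches up with device 1,
# solving a1 + s/r1 = a2 + s/r2 for s.
crossover_kb() {
    awk -v a1="$1" -v r1="$2" -v a2="$3" -v r2="$4" \
        'BEGIN { s = ((a2 - a1) / 1000) / (1 / r1 - 1 / r2); printf "%.0f\n", s * 1024 }'
}

echo "1000 x 4 KB reads  HDD: $(read_time_ms 8.5 50 4 1000) ms   USB: $(read_time_ms 0.5 25 4 1000) ms"
echo "1 x 64 MB read     HDD: $(read_time_ms 8.5 50 65536 1) ms   USB: $(read_time_ms 0.5 25 65536 1) ms"
echo "USB stick is quicker for files under about $(crossover_kb 0.5 25 8.5 50) KB"
```

With these inputs the crossover sits around 400 KB per file: a firewall booting and reading config is on the flash side of that line, a big package download or a log rotation is on the HDD side. Which one "wins" is a question about the workload, not the device.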
 
> You almost cracked me up this morning....all your links for UTM definitions...guess what they have...yes.."antivirus". Wow..big shovel you took with you to dig your hole. ;)
>
> Again, proves it is not an opinion, but an industry standard definition..which is my point. Up above, you were trying to change the definition of UTM. Good luck on that project.
I think everyone on this forum has overestimated your ability to read. My posts clearly above stated that a UTM was defined as a firewall with IDS and antivirus capabilities (traditionally). Everything else is just added features. Go ask someone from any government sector (because we have been using them for YEARS!, way before the mainstream public) what a UTM is and you will get my direct answer.

I also clearly posted that pfsense can EASILY install any compliant BSD package or source code. Guess what tough guy, HAVP has been compiled on pfsense time and time again. It works. So let me summarize this for you since you're having a very hard time understanding (2+2=5?)

pfsense (firewall) + snort package (supported package) + HAVP (unsupported but works) = pfsense UTM. Clear 'nuff? Want more? How about squidguard for URL filtering? How about SPAMD tarpits for filtering? How about any compliant *nix source or package that you can compile?

One last thing, are you from RI by any chance, because you have ignorance that I have only seen when I lived up there.

Supergper, very good points. Access time is key, you're right about that one. All the tests I've seen around the net have shown standard hard drives beating the USB thumb drives substantially though. You do make very good points once again though.
 
You can run it off a flash drive fine, don't have to use the embedded version either. Or a CF card with IDE adapter. Just make sure you disable logging so you don't eat up the drive's write cycles too much.
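Following on the write-cycles note, an added example (not from the thread or from pfSense) of the FreeBSD-level changes that keep a flash-based install from wearing itself out, plus the better alternative to switching logging off: shipping the logs to another box. Assumed: UFS filesystems and a syslog collector at 192.168.1.10 on the LAN side. pfSense replaces FreeBSD's rc.conf handling with its own boot scripts and exposes a remote syslog server under its system log settings, so on pfSense treat the rc.conf lines as the stock FreeBSD form of the same idea; the fstab and syslog.conf changes apply either way.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): the FreeBSD-level
# changes that cut writes to a USB key or CF card holding the install, and the
# safer alternative to switching logging off.  Assumptions: UFS filesystems, a
# syslog collector at 192.168.1.10 on the LAN.  ROOT lets the edits be staged
# into a scratch directory for review; unset, they hit the live /etc.

ROOT="${ROOT:-}"
LOGHOST="${LOGHOST:-192.168.1.10}"

# Mount UFS filesystems noatime: otherwise every read updates the inode's
# access time, turning a read-mostly box into a steady trickle of writes.
# Leaves comments, swap and already-noatime entries alone.
add_noatime() {              # add_noatime <fstab path>  -> rewritten fstab on stdout
    awk '
        # fields: device mountpoint fstype options dump pass
        /^#/ || NF < 6                 { print; next }
        $3 == "ufs" && $4 !~ /noatime/ { $4 = $4 ",noatime" }
                                       { print }
    ' "$1"
}

# /tmp and /var as memory filesystems: dhcpd leases, RRD graphs and the
# circular system logs then never touch flash.  They vanish at reboot, which
# is exactly why the logs are also shipped off-box below.
rc_conf_lines() {
cat <<EOF
tmpmfs="YES"
tmpsize="32m"
varmfs="YES"
varsize="64m"
EOF
}

# Do not just disable logging: a firewall with no logs is blind after the fact.
# Plain syslog over UDP is unauthenticated and unencrypted, so the collector
# must sit on the LAN side, never across the WAN.
syslog_conf_line() {
    echo "*.*    @$LOGHOST"
}

# Idempotent: safe to re-run after an upgrade rewrites /etc.
apply() {
    new="$(add_noatime "$ROOT/etc/fstab")" && printf '%s\n' "$new" > "$ROOT/etc/fstab"
    grep -q '^varmfs=' "$ROOT/etc/rc.conf" 2>/dev/null || rc_conf_lines >> "$ROOT/etc/rc.conf"
    grep -q "@$LOGHOST" "$ROOT/etc/syslog.conf" 2>/dev/null || syslog_conf_line >> "$ROOT/etc/syslog.conf"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Stage it first with `ROOT=/tmp/stage sh flash-friendly.sh apply` (after copying /etc/fstab, rc.conf and syslog.conf into /tmp/stage/etc), diff the results against the live files, then run it without ROOT. Keep a copy of the firewall's config off the box as well; a memory-backed /var means nothing written there survives a power cut.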
 
> I think everyone on this forum has overestimated your ability to read. My posts clearly above stated that a UTM was defined as a firewall with IDS and antivirus capabilities (traditionally).

Or you conveniently forgot what you wrote in prior posts?
//rewind
> Um......snort plugin, squidguard plugin, spamd plugin, plus your routing and firewalling. Sounds like a UTM to me. How is it not? Since pfsense also has a compiler you can go ahead and compile source for a custom device.

> a firewall with IPS/IDS and antivirus (which pfsense has.... snort and clamAV) capabilities.

Your first quote, you tried to define UTM as the above....leaving out the "antivirus scanning" requirement. That was my point, that a UTM does have that as part of its definition.

The fact that some people have done their own compiling inside of PFSense to add Clam...that's fine, they have effectively "modified" PFSense and changed it into a UTM appliance. But..I maintain my point, that PFSense itself is not a UTM product. By your example of "modifying PFSense with your own custom install of clam"...would be just like taking a Windows XP box...installing some antivirus on it, using built in ICS or some other proxy software (and a few IDS/spam/contentfiltering utilities)...and calling Windows XP a UTM. While you've made your own version of a UTM by that approach, it does not define WinXP as a UTM. PFSense itself does not have AV. That's not an opinion...it's a fact.
 
> Or you conveniently forgot what you wrote in prior posts?
> //rewind
>
> Your first quote, you tried to define UTM as the above....leaving out the "antivirus scanning" requirement. That was my point, that a UTM does have that as part of its definition.
>
> The fact that some people have done their own compiling inside of PFSense to add Clam...that's fine, they have effectively "modified" PFSense and changed it into a UTM appliance. But..I maintain my point, that PFSense itself is not a UTM product. By your example of "modifying PFSense with your own custom install of clam"...would be just like taking a Windows XP box...installing some antivirus on it, using built in ICS or some other proxy software...and calling Windows XP a UTM. While you've made your own version of a UTM by that approach, it does not define WinXP as a UTM. PFSense itself does not have AV. That's not an opinion...it's a fact.
Dude, are you kidding me? READ!!!!!!! I said.... antivirus. Even in your quote I say antivirus. And my first "try" was not a try. ClamAV *was* a package when I used these devices... I guess they removed it from the supported packages a few years ago and you can no longer install it as easily but you still can. They also did the same with snort. Weird. I still totally disagree with you, but this is going nowhere. So I'll be the bigger man. You're right. Happy? :rolleyes:

to the OP: Sorry man, really. I am interested in what you think is faster though, USB2 flash drive or the actual hard drive? Do a quick "butt-dyno" test :p
 
*Thread necro* :p

Well, I am pretty sure I will go with the old 2.5" HDD I have lying around, but I wanted to add a few things here. I did a quick benchmark test of a bunch of different storage devices using HD Tune including USB drives, SD cards, USB external hard drives, and SATA hard drives. I made a chart of the read speeds and access times. I left the chart at home, so I will post it later, but basically it seems that the solid state storage has much faster access time (except for my ass-old 256mb USB key :D) but the hard drives have faster read speed. I don't know which would be better in the context of a smallish firewall distro like pfSense.

Also, I noticed in hot deals this thread about a cheap SSD drive. A lot of the replies state that this drive has stuttering problems. Would this be a problem for something like pfSense, or is that only a problem in high performance systems?
 
I dunno if anyone still cares about this, But I guess this is better late than never. I did a quick benchmark of all the storage devices I could get my hands on including SATA hard drives, USB hard drives, USB keys, and SD cards. I have attached the resulting plot.



Draw your own conclusions from this.
 