Thin Client pfSense Firewall
A few years ago, I started running ESX on a PowerEdge 2950 for my home office lab. Since I had this workhorse running anyway, it made sense to run all my servers as virtual servers (VMs).
The 2950 increased my office temperature so much that I had to add a window air conditioner, to offset the central air and keep the temperature comfortable. The AC unit is fine until you get to those spring and fall seasons where the day is still warm but the night temperatures plummet enough to cause the AC’s condenser to freeze up. This leaves me with no AC and an office that is 90° F.
Luckily, in the last few years, there has been a shift in the IT market to the cloud. This means that I can do much of my work testing and demos using my company's cloud services and solutions.
Since the 2950 doesn’t need to run all the time, just occasionally when I need to load up a VM to represent a physical appliance, I needed to move my FW and a few Linux VMs off, and onto more reasonable hardware.
My personal home servers that I need to move:
- a pfSense firewall, connected to a cable modem
- a dedicated Linux box that runs Transmission (BitTorrent) and OpenVPN, to a non-logging VPN service (EarthVPN)
- a remote access Linux box that runs SSH and ownCloud
Hardware for the pfSense Firewall
I wanted to keep the heat down, so a low-powered thin client would be a perfect solution.
- It leverages a decently powerful Intel Atom processor (N280)
- It has two DDR3 RAM slots.
- An expansion module is available, which allows you to install a full-height PCI-E card. I need 2 network interfaces for pfSense.
- It uses very little power, around 12 watts
- It generates little heat
Info on the Atom processor (N280)
- Single Core 1.66 GHz, with 2 threads
- 667 MHz Bus speed
- 32 bit (Not 64 bit)
The HP T5740E (without the expansion module)
I found an HP T5740E on eBay for around $30 USD (actually I found 2, but that’s not relevant for this post).
I also picked up an Expansion module (AZ551AA PCI Express Expansion Module Chassis – 581264-002), so I could add an Intel Pro 1000 PT Dual Port Gigabit PCI-E card (listed as supported by pfSense forums).
The expansion module almost doubles the size, but it’s still a pretty small package.
- Intel(R) Atom(TM) CPU N280 @ 1.66GHz
- 2 G DDR3 RAM
- 4 G Flash drive
- 3 Gb LAN ports
This should easily handle my 25 Megabit Comcast cable connection.
Thin client pfSense firewall OS installation
Download the pfSense installer
The embedded version is specifically tailored for use with any hardware using flash memory (mostly Compact Flash) rather than a hard drive. Flash memory can only handle a limited number of writes, so the embedded version runs read-only from flash, with read/write file systems as RAM disks. The NanoBSD platform has two OS slices and a config slice. One OS slice is used to boot from, the other is used for upgrades, and the config slice holds the configuration separately.
There are two variations of the NanoBSD platform: The default version which uses a serial console, and another that supports using a VGA console. Each of those variations also comes sized for different sizes of storage media.
- If you want to use a keyboard and monitor to install pfSense, then you want the VGA console version.
- If you want to use a serial console cable (null modem) to install pfSense, then you want the serial console version.
Download pfSense. The download is a gzipped file containing the installer as an img file; decompress it to get the img file before writing it.
Linux and Mac OS X users can use the dd command to directly write the IMG file’s contents to a removable media device, like a USB flash drive. Plug the flash drive into your desktop computer or workstation and run the following command:
sudo dd if=/home/user/file.img of=/dev/sdX bs=1M
If you aren’t on Linux or macOS, here’s some help: How to Create Bootable USB Drives and SD Cards For Every Operating System
I booted the thin client from the USB drive (F10 to select boot drive), and used the keyboard and monitor to install pfSense.
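An added example, not part of the original post: since this image becomes the firewall, it is worth checking the gzipped download against a SHA-256 digest before the dd step above, then decompressing it straight onto the drive. It assumes a SHA-256 digest is published alongside the download; the function names, file path, device name and digest argument are placeholders.

```shell
#!/bin/sh
# Added example. Paths, device name and digest are placeholders supplied by the caller.

# Print the SHA-256 of a file as lowercase hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected hex string.
verify_image() {
    img=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 2; }
    have=$(sha256_of "$img")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "checksum mismatch for $img" >&2
    echo "  expected: $want" >&2
    echo "  actual:   $have" >&2
    return 1
}

# Verify the digest, test the gzip stream, then decompress straight onto the device.
write_image() {
    gz=$1; digest=$2; dev=$3
    verify_image "$gz" "$digest" || return 1
    gzip -t "$gz" || { echo "corrupt gzip archive: $gz" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    # Same dd options as the command above, fed from the decompressed stream.
    gunzip -c "$gz" | sudo dd of="$dev" bs=1M && sync
}

# Example call (placeholders):
#   write_image /home/user/file.img.gz "<published sha256>" /dev/sdX
```

Nothing is written unless the digest matches, the archive is intact and the target is a block device. Confirm the device name first (for example with lsblk on Linux), since dd overwrites whatever it is pointed at.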
Throughput of the thin client pfSense firewall
After importing my config from my VM version of pfSense, I ran a couple of speed tests to see if this FW could keep up with my cable connection.
I expected 25Mb download and 5Mb upload, so this is what I anticipated.
EDIT: (I use this thin client pfSense firewall on a 100Mb FIOS connection now and it still handled the throughput with no issues).
Based on the system resource utilization, I think this little firewall could scale up to a significantly faster connection and still be fine.