Gatekeeper

From CDZwiki
Example Build: "Gatekeeper."

A router/firewall is a necessary device for connecting systems together or reaching out over the internet (too bad you still need an ISP for that).

Our example build is "Gatekeeper," a purpose built pfSense appliance with just a little room left over to grow. It sips power but is capable enough to serve well into the future.

The Super-Effective, Budget Layer 3 Appliance

Most consumer level router/firewall combos are efficient, low-power units intended for home or small office use. These offer rudimentary options for NAT/PAT and other firewall functions, but otherwise tend to be "weak sauce" beyond basic functionality.

For heftier, more complicated work, an enterprise level router/firewall is required. These, however, can be very expensive thus a common solution is to build one's own. This also gives you the ability to specify a system to your liking or needs. In our example, we wish to focus on futureproofing & power use.

Aside from cost, the main difference between these home-brew devices and purpose built enterprise appliances from companies like Cisco is an occasional bulkiness (since an old PC can be used as the base) and a lack of tech support, unless you're willing to pay the developer of the router OS you've selected.

Operating Systems

Home-brew router/firewalls are typically found using two different OSes:

Based on BSD, capable and hearty: pfSense is only limited by the hardware you give it. It's known for its stability, plug-in library, and ease-of-use. pfSense is an excellent OS choice to support any size organization. It has built-in features like a VPN server, DDNS server, full VLAN capability and so on. pfSense is free via the "Community Edition." You can pay for professional support, though there is a large free community out there. If you want a purpose built system, you'll need basic hardware knowledge; otherwise there are pre-built pfSense systems available. Installation is not much different from any other operating system and is well-guided.

Originally created as a firmware mod for Linksys routers, DD-WRT has since spread to other devices thanks to a talented community of developers and engineers helping the DD-WRT project along. DD-WRT is best for the home or small office setting where a typical consumer level router/firewall won't do, but that doesn't mean DD-WRT can't flex. DD-WRT is free; support depends on the community but is well maintained. Installation of DD-WRT is basically hacking the device - it's akin to rooting a phone, thus some routers may require a ginger touch or a specific ritual to function; you may wish to have experience with such mechanics prior to giving DD-WRT a go (there is a possibility of "bricking" your new router).

In our example build, we will go for the reliability of pfSense, and instead of dumping it out on an old system, we will build a custom system for a router-on-a-stick setup.

Hardware

Asrock n3150m, an example of a small board with a low-power CPU built in.

pfSense can be installed on nearly any old computer you have hanging around, though you'll want at least two NICs to achieve a Router-on-a-Stick setup. Since pfSense is so flexible with x86 hardware, you can purpose build a system with inexpensive hardware and get exactly what you're looking for.

My personal suggestion is to select an all-in-one motherboard with a low-power CPU already built in - these often can be found with dual NICs and PCI(e) slots so you can expand via your available ports. The lower-power CPU will also often mean a power-efficient system in the end, thus a cheaper system to run over-all (and better on our environment).

Motherboard & CPU

For a router/firewall appliance, your motherboard research should be deep - the motherboard will be the most important part! Form factors for an appliance should be Micro ATX or ITX. A combo board with built in CPU will save you a lot of time and money, as will a board with dual NICs. Speaking of, make sure those NICs are reliable with the version of pfSense you intend to use (more on *that* later).

If going with a combo board, I would suggest you check the manual of any potential board to see bus speeds and bandwidth if you plan on adding in any cards.

CPUs don't need to be power-houses for these boxes: in fact we want the opposite. Checking the CPU manufacturer's website for chip specs should reveal the power demand - see if you can find something light. As for speeds, 1GHz or higher with two cores is sufficient. Intel Atoms and Celerons are a reliable example.

Vendor-wise, the motherboard is the heart of your appliance, so this is not the place to skimp on cost. Go with a vendor you (and others) trust, something popular with a good warranty. In my own experiences, Gigabyte has great support and products that last, plus they tend to make the little motherboard/CPU combos we're looking for.

Gatekeeper will rely on a Gigabyte made board based on the Intel Celeron 847.

Memory & Storage

G.Skill memory is inexpensive, reliable & has a great warranty.
SanDisk makes a decent mid-range SSD for less, great for appliances.

Appliances are easy when it comes to memory and storage, especially now that prices for both have come down (sans DDR4, which is still stupid).

For memory, DDR3 is more than enough for a router/firewall appliance and will save a lot of money in the end. Depending on the motherboard you've chosen, you may be looking at standard DIMMs or laptop memory. Laptop memory tends to be a little more expensive for the good stuff and sometimes harder to get. The good news is capacity doesn't need to be high: 2GB is plenty for a router/firewall. Speed doesn't need to excel, either; whatever makes sense price-wise will do.

As for vendors, this depends on who the appliance is for. Don't care if there's downtime? Buy budget memory from a warehouse vendor; maybe it'll keep kickin', maybe it'll burn out. Else, invest in memory with a good warranty; the "good" stuff will still be inexpensive as long as it's not flashy. For our example build, we're going with 2GB of G.Skill DDR3 PC3-10700, split between two sticks for dual channel. May as well, right?

Primary storage for appliances should be SSD based these days; cramped, warm conditions and low-power PSUs are to be expected, but SSDs can excel here. Plus, you rarely need much storage for a primary disk for a dedicated appliance, so you can take advantage of the lower capacity, lower cost SSDs.

Vendors for storage don't vary as much these days; frankly most HDDs come out of the same few factories. That said, go with the ones you know that have good warranties: Western Digital, for example, is one I recommend only for their warranty support. Drives die - unless you wanna throw money away, anticipate this "feature" and get a company who'll bail you out when your array is about to crumble.

A SanDisk Ultra 256GB will be just fine for Gatekeeper.

Chassis, PSU & Other Diddies

There exists many an ITX chassis with nice little PSUs built in.
Intel NICs are known for their reliability and performance.

Your chassis should fit the size and intent of your project. For an appliance, we want small. If you've gone with MicroATX, you'll have a plethora of small desktop/set top options. For ITX, your case can get really small for a truly purpose built system. Build quality should be "good enough," I don't like flimsy bits, do you?

Though to be completely honest, if this is just for your own use and you're really on a budget, you can just use the box the damn thing came in and get busy with some extra cardboard and tape.

A reliable vendor for projects like this would be StarTech. Make sure candidate chassis have enough ports and room for all the bits you wish to add.

When building an appliance, you're really going to want to hunt down something with a built in PSU, again, saving time and money. It also saves you the headache of making everything fit in a tiny case when the PSU is already designed to be there.

Else, if you're selecting your own PSU, triple check the form factor and see if you can find high-res pictures of the specific model if it's an odd size or shape - sometimes things just don't line up with the smaller cases.

Cheaper PSUs these days are a lot more reliable than they were 10 years ago, but efficiency will still cost you. Even so, I suggest going with the most efficient - look for 80 Plus. As for wattage requirements, a firewall that goes over 100 watts would be as concerning as it would be amusing. StarTech can bail you out here once again.

If you've got the room, you should also look to taking advantage of your appliance's available bus ports. For a router/firewall, this mostly means more NICs. Intel NICs are often cited as an example of reliability, though they are a little costly. The good news is that other manufacturers make NICs with the same Intel chips for less!

Gatekeeper will handle the chassis and PSU together with a StarTech ITX case, which comes with a 200-watt PSU with a neat 4-pin molex adapter on the back. It's cramped, but the SSD keeps airflow decent enough and doesn't generate much heat itself. Low-power CPUs tend not to generate much heat, either; the whole appliance balancing thing is all coming together!

Installation & Configuration

The construction of an appliance can vary greatly depending on the appliance's intended purpose (duh), but they all tend to share the trait of leaving their options open for other uses or users.

With this guide, I've narrowed things down and picked the specific purpose for my appliance of router/firewall, thus the initial configuration will focus on producing a "factory configured" space & power-efficient layer 3 ass-kicker.

Assembly


Hardware wise, if you're here you must already know how to slap this stuff all together. Else, YouTube is a great source to see these things done in action! Here's an example of something ancient.

That said, slapping together an appliance is no different than assembling other small computer systems - the only real difference one must account for is the necessity of good cable management skills. This is because in an appliance, heat is the enemy & open air space is the cure, or at least the first barrier between your appliance and a meltdown.

Consider, too, that your appliance should be built as a "closed system," even if there's an intent to expand & upgrade later on. This means taking the extra steps to ensure that once the device is sealed up, there's no need to go back in again, be it for maintenance or future-proofing: now's your chance to double-check your filter fittings, fans or internal upgrades.

For Gatekeeper, assembly... was painful. Working with small cases can be a real pain in the rear, and I've spent a good portion of my construction time cutting up my fingers trying to snake the motherboard and other bits in chassis, or worse yet, hooking up the front panel connectors.

Since it was a tight fit, I opted to put the memory in first before installing the board. If you decide to go this route, make sure you put something soft under the motherboard before you push the RAM in - you CAN bust your board if you jam the exposed bits on the back into your coffee table, so let the box it came in take the brunt of it.

As for initial power cable management, luckily the built-in PSU has appropriate cordage - long enough, but nothing really to excess. One zip tie and a little positive reinforcement and the CPU fan is free and clear. The last bit for this installation is the SSD: a quick word on smaller chassis and storage mounts, keep an eye on the manual as you may not spot the proper method for mounting your disks right off! Smaller cases tend to be creative with how they arrange components on the inside, and the disk trays always seem to find their place upside down or pinned to their sides. Gatekeeper's disk options are all laid out on a strip of metal that rests across the top of the chassis. There's just enough room here for the 2.5" SSD, but it's good to know a full sized 3.5" chonker may work if we need it to.

Boot It Up!

Ah, success. Let's get VLAN'n.

As for the OS, this one's easy, 'cause everyone's already done it! pfSense is simple to install and is well covered here.

Once pfSense is installed, you are able to access the local console over VGA (or whatever video output you have) and over IP via the web UI once you've taken a moment to set up the network options on the console and have gotten on its level (heh).

The web UI will give you an almost unsettling number of configuration options for a free, router/firewall OS, but go nuts! It all works! If something isn't supported out of the box, check the plug-ins section. If this doesn't do it for you, take to root and do it BSD style. There's really no limit to what you can accomplish with pfSense.

For Gatekeeper, aside from being the layer 3 end to a layer 2 router-on-a-stick switch and firewall, this pfSense enables: country blocking via external IP lists, DDNS, OpenVPN client & server, NTP server, DNS server, Squid cache server, certificate authority... yeah there's really no stopping a good pfSense appliance.

...or is there?

Upgrades

A fresh new NIC and a dandy PCI riser cable.

So remember that "back to this later" bit with the NICs? Yeah... Gatekeeper is an amazing appliance, however the NICs have a thing or two to say about modern pfSense. Since Gatekeeper's creation, upgrades to pfSense's drivers for the NICs have caused said NICs to become just a bit less reliable under heavy load; the end result being a hang that needs manual administrator intervention (power-cycling the appliance). Relaxing the stress on the NICs via the TCP offloading settings helps quite a bit (without noticeable change in performance), but hangs will continue to occur if things get too busy.
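The offload relief mentioned above, as an added example that is not from the page or the pfSense project: on FreeBSD, which pfSense runs on, the NIC's hardware offload features are the capabilities `ifconfig` lists inside the `options=` line, so the helper below reads that line and builds the `ifconfig` flags that clear the checksum, TSO and LRO ones on a Realtek `re(4)` interface. The interface names `re0`/`re1` and the sample `options=` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not pfSense's own code). Turns off hardware checksum, TCP
# segmentation and large receive offload on a Realtek NIC that hangs under
# load, by parsing the capability list ifconfig prints in its options= line.

# Given one ifconfig options= line, print the flags that clear the offload
# capabilities currently enabled (empty output when none are enabled).
offload_flags_to_clear() {
    # $1 looks like: options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,...>
    caps=$(printf '%s' "$1" | sed -n 's/.*<\(.*\)>.*/\1/p' | tr ',' ' ')
    flags=""
    for cap in $caps; do
        case "$cap" in
            RXCSUM)      flag="-rxcsum" ;;   # IPv4 receive checksum offload
            RXCSUM_IPV6) flag="-rxcsum6" ;;
            TXCSUM)      flag="-txcsum" ;;   # IPv4 transmit checksum offload
            TXCSUM_IPV6) flag="-txcsum6" ;;
            TSO4|TSO6)   flag="-tso" ;;      # -tso clears both TSO4 and TSO6
            LRO)         flag="-lro" ;;      # large receive offload
            *) continue ;;                   # VLAN_*, WOL_*, LINKSTATE: keep
        esac
        case " $flags " in
            *" $flag "*) ;;                  # already listed (TSO4 + TSO6)
            *) flags="$flags $flag" ;;
        esac
    done
    printf '%s\n' "${flags# }"
}

# Apply to a live interface (needs root on the pfSense shell). With DRY_RUN=1
# the command is printed instead of executed.
disable_offload() {
    iface="$1"
    line=$(ifconfig "$iface" | grep '^[[:space:]]*options=')
    flags=$(offload_flags_to_clear "$line")
    [ -n "$flags" ] || { echo "$iface: no offload features enabled"; return 0; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ifconfig $iface $flags"
    else
        # $flags is unquoted on purpose: it must split into separate arguments
        ifconfig "$iface" $flags
    fi
}

# Assumed interface names for the two on-board Realtek ports.
if [ "${APPLY_OFFLOAD:-0}" = 1 ]; then
    for i in re0 re1; do disable_offload "$i"; done
fi
```

Settings made with `ifconfig` do not survive a reboot or an interface reconfigure; for a persistent change use the hardware offload checkboxes under System > Advanced > Networking in the pfSense web UI.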

The good news is Gatekeeper was designed with expansion in mind. The bad news is the chassis is less than receptive to such modifications. This upgrade will work, but won't look pretty.

Parts

So, lesson learned: Realtek chips are a problem when things get hairy. The solution? A new NIC! For about $15 I found an off-brand PCI Intel based dual Gb NIC. Paired with a PCI riser cable I should be able to position the card in a cozy spot where I can still access the ports. Despite their tendency to crumple under pressure, the built in Realtek NICs should still be very handy for Guest network access and other dedicated/trunk ports.

That said, the chassis isn't going to help us with getting this card installed: the cover will no longer fit. We're taking to the "pizza box" method: light cardboard, tape and a box knife. Does it look pretty? Nope. Will it run? Oh yes, without issue, just try not to be ashamed of it.

Installation

A fresh new NIC and a dandy PCI riser cable, now attached in a cardboard caddy.
Now positioned, the system is functional, but exposed.
All well.

We'll have to make our own "caddy" to protect the NIC's exposed bits, since it will not be fixed to a rigid frame. Light cardboard makes a decent "sleeve." This isn't something you can always get away with, but with something as low temp as a NIC, the cardboard caddy works just fine, provided you can survive the shunning of your shoddiness from your peers.

Caddy in place, the riser card now needs to be linked up to the NIC, which we'll then noodle into the appliance and link up to the unused PCI port. Checking Gatekeeper's manual, the PCI bus is shared with the built in NICs, but it should be able to handle both without performance loss.

Snaking the riser into the appliance in a serpentine pattern keeps cable mess down and gives the cardboard caddy a place to rest. This leaves just a few spots exposed, which we will cover up with an extra fan & filter combo and more cardboard.

Eventually, a custom cover can be made on a 3D printer, but until then painter's tape will hold things in place without damaging the components it adheres to.

Now, I've heard the ability to laugh at oneself is a virtue - I hope so, because this appliance's new configuration is hilarious and I can't help but mock my own handiwork. All it's missing is "Little Caesar" and pizza grease on the top, but in the end... problem solved!

Gatekeeper no longer has reliability issues (despite its looks) and now it has two extra ports we can use for whatever. Cool!

Realistically speaking, this appliance is dedicated and has assigned seating in a secure spot where moisture, debris and traffic are null, thus the pizza box configuration isn't holding this system back or serving as a liability. Granted, further physical interaction with the appliance is now a more delicate matter, but until a replacement cover is generated, we're left reaping the benefits of a successful upgrade.