Embedded Systems and Thin Clients

One of the more attractive options available for setting up a new pfSense system is to use pfSense on an embedded system or a thin client. Although pfSense is based on FreeBSD and will run quite well on a white-box PC, there are several reasons why you might want to use an embedded system or thin client:

  • Potentially lower initial cost
  • Smaller form factor
  • Easier to maintain than a PC
  • Lower operating cost

If you are looking to use an embedded system, Netgate sells several network appliances with pfSense pre-loaded. The most inexpensive of these is the SG-1000, currently selling for $149 (U.S.). For this, you get an admittedly bare-bones pfSense system, with a WAN and LAN interface, a 600 MHz ARM processor, 4 GB of eMMC storage, and 512 MB of RAM – in other words, a system that meets the minimum specifications of pfSense, but not much more. Still, this may be enough for your needs, and it saves you the trouble of loading pfSense onto a system. If you require a more sophisticated pfSense appliance, however, the price becomes steeper: the SG-3100, with 3 network interfaces, a 1.6 MHz processor, 8 GB of storage and 2 GB of RAM costs $349.

Installation onto a thin client offers many of the advantages of an embedded system. Unlike embedded systems, thin clients are typically general purpose computers, but like embedded systems, they are generally small in size, are low power consumption devices, and often have low per-unit costs. There are some disadvantages of using a thin client instead of one of the Netgate pfSense appliances:

  • You will have to make sure the thin client you choose meets all the hardware requirements.
  • Most thin clients have a single Ethernet port, so you will likely have to install a network card, and many thin clients have limited expansion capabilities or require a separate module in order to install expansion cards.
  • You will have to load pfSense onto the thin client yourself.

If this does not intimidate you, then you can install pfSense onto a thin client for a fraction of the cost of an embedded system. Thin clients suitable for running pfSense can be found on the secondhand market for a reasonable price. You will need to factor in the cost of a network interface card and possibly the cost of an expansion module, but in spite of this, installing pfSense onto a capable thin client can still be a worthwhile project. In the next article, we will cover the process of installing and configuring pfSense on a typical HP thin client.

 

 

Hardware Requirements

The current version of pfSense has the following minimum hardware requirements:
  • CPU – 500 MHz; 1 GHz recommended
  • RAM – 512 MB; 1 GB recommended

pfSense also requires a 64-bit Intel or AMD CPU. A CPU that supports the AES-NI instruction set extensions or another hardware crypto offload is recommended (such a CPU will be required, starting with version 2.5). For Intel, you will require a Westmere-based processor or newer (2010-present), and for AMD, Bulldozer-based processors or newer (2011-present).

You will also need at least 1 GB of disk space (that amount will increase if you install multiple packages and/or use pfSense as a proxy server, which will require your system to cache pages).

The minimum requirements are just that – minimum requirements for pfSense; to take full advantage of the capabilities of pfSense, you may require more than just the minimum. This will depend on the following factors:

  • The speed of your Internet connection (you will want to run pfSense on a system that will be able to handle the speed of your connection without becoming a bottleneck)
  • The amount of logging you want to maintain and/or packages you wish to install
  • The number of concurrent connections your network will maintain
  • Whether or not you plan on using VPNs

The speed of your connection will dictate how fast a processor you require. The minimum specification of a 500 MHz processor is valid up to about 20 Mbps. For faster connections, you will need a faster CPU. While PCI network cards will prove adequate in many cases, if you have an Internet connection faster than 100 Mbps, you will need PCI Express (PCI-e) network cards.

Establishing and maintaining a VPN tunnel is a CPU-intensive operation. As a result, the more VPN connections you maintain, the greater your CPU requirements. You can also offload VPN encryption onto specialized hardware, although generally the more cost-effective option is to acquire a more powerful CPU.

pfSense is a stateful firewall, which means that active connections are tracked. This requires memory, and each state requires about 1 KB of RAM. If the number of connections exceeds the number of states that can be held in memory, unpredictable things can happen, such as existing connections being dropped. To avoid this, make sure you have enough memory to hold the maximum number of states you anticipate existing simultaneously on your network. If you use peer-to-peer software, each peer-to-peer connection is a state, so you may need more memory than just the minimum amount required by pfSense.
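The headroom check implied above can be scripted from the pfSense shell. This is an added example, not code from the original article or from the pfSense project: it parses the output of `pfctl -si` and `pfctl -sm`, using constructed sample text so it runs offline, and applies the article's figure of about 1 KB per state. The function names and the 80% warning threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: state-table headroom check for a pf-based firewall.
# The sample text below is constructed; on a live system feed the functions
# "$(pfctl -si)" and "$(pfctl -sm)" instead.

SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    41250
  searches                       918273645         3321.4/s
  inserts                          7654321           27.7/s
  removals                         7613071           27.5/s'

SAMPLE_LIMITS='states        hard limit    47000
src-nodes     hard limit    47000
frags         hard limit     5000
table-entries hard limit   200000'

# Number of states currently tracked, taken from `pfctl -si` output.
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Configured ceiling on states, taken from `pfctl -sm` output.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Rough RAM (MB, rounded up) needed to hold N states at about 1 KB each.
state_ram_mb() {
    echo $(( ($1 + 1023) / 1024 ))
}

# Prints OK or WARN with usage figures. Returns 1 on WARN (usage at or above
# the threshold percent, default 80) and 2 if the input could not be parsed.
check_state_table() {
    cur=$(current_states "$1"); max=$(state_limit "$2"); warn=${3:-80}
    [ -n "$cur" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || { echo "UNKNOWN"; return 2; }
    pct=$(( cur * 100 / max ))
    status=OK; rc=0
    [ "$pct" -ge "$warn" ] && { status=WARN; rc=1; }
    echo "$status states=$cur/$max (${pct}%) ram_at_limit=$(state_ram_mb "$max")MB"
    return $rc
}

check_state_table "$SAMPLE_INFO" "$SAMPLE_LIMITS" 80 || true
```

Because the function returns non-zero on WARN, it can be run from cron to raise an alert before the table fills and connections start to drop.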

You will also want to give some consideration to the type of network card used. Cheaper NICs will often have smaller buffers, and once the buffers become full, packets will be dropped. Cheaper NICs also may have problems with Ethernet frames larger than the maximum transmission unit (MTU) of 1500 bytes. VLAN frames include VLAN tags, which increase the size of a frame beyond this 1500-byte threshold, so take this into account. It is for these reasons that Intel network cards are generally recommended: they all have large buffers and have no problem with large frames.

Taking these factors into consideration before purchasing hardware for your pfSense router/firewall will help ensure that you get the most out of your pfSense installation.