Forum Topic

Unified PFSense Users

  • Has anyone here gotten IPv6 working from Globe?
    They really don't seem to have any plan to hand out even a /60 prefix. The WAN always gets a /64.
    Tried the SLAAC / DHCPv6 methods; it's a bust, no route at all.
    PLDT is better, they give a /56. It worked right away without issues on one of my pf boxes.
  • Hi guys, planning on getting a pfSense appliance, but I will be heavily using OpenVPN as a client gateway for my NAS. Of course it will also serve the other uses like DHCP for my AP, firewall, etc.

    Do you think this one is already overkill or just right?


    Intel Celeron N5105 Quad Core (4M Cache,2.00 GHz up to 2.90 GHz)
    4 x Intel i225-V3 2.5G RJ45 LANs,
    2 x USB3.0 + 2 x USB2.0
    2 x DDR4 SODIMM Slot, max support 64GB.
    1 x M.2 2280 NVMe PCIe3.0x2 SSD
    1 x 2.5''SATA SSD/HDD.
    1 x HDMI2.0
    1 x DP
    1 x RJ45 COM
    1 x SIM slot(optional),
    1 x MPCIE wireless slot, support WiFi/3G/4G(3 choose 1) connection.
    Support AES-NI,
    ESXI, Watchdog, Auto power on, RTC, PXE boot, Wake-on-LAN etc.
    Full aluminum-alloy, high-quality, solid-built shell with three-sided cooling fins, excellent cooling performance, exquisite production craft on the outside design.
    Fanless system without a cooling fan, noiseless and durable, fit for industrial-grade use, able to run 24x7.


    I know you guys will be suggesting to just use WireGuard, but at the moment OpenVPN is the best solution for me. I haven't studied WireGuard much yet, especially the iptables side.

    Btw OpenVPN remote server is hosted privately on an AWS Instance.

    Currently I'm using my NAS to connect to the AWS instance (OpenVPN server), but speeds aren't as good as on my computers/mobile, which top out at around 500-600 Mbps, compared to my NAS (DS918+ - Celeron J3455) only getting around 90-100 Mbps.

    My goal is to get at least 400-500 Mbps. I have a gigabit connection from Globe. Thanks guys.
  • ^ The N5105 can easily do gigabit speeds. For your use-case, it is adequate. Tuning your loader.conf and sysctl can probably get you more performance, but you should be able to hit your target throughput at default settings. Just don't do packet inspection. Suricata/Snort will hammer your device.
  • I know you guys will be suggesting to just use WireGuard, but at the moment OpenVPN is the best solution for me. I haven't studied WireGuard much yet, especially the iptables side.

    Just get WireGuard working; if not, then just forget upgrading it.

    Heck, you can even install Tailscale on your NAS and test it right now. Tailscale is basically a layman's option if you want to connect multiple computers privately: all you have to do is sign up on their website, log in the devices you want to join that Tailscale network, and poof, you're good to go. No firewall rules needed, it just works.

    Tailscale uses the WireGuard engine; the only difference with Tailscale is that they get rid of the complicated stuff and make it very simple. If you can log in to Facebook or Google and download the necessary app, you can set this up.

    -- edited by polka on Jul 05 2022, 03:41 AM
  • ^ The N5105 can easily do gigabit speeds. For your use-case, it is adequate. Tuning your loader.conf and sysctl can probably get you more performance, but you should be able to hit your target throughput at default settings. Just don't do packet inspection. Suricata/Snort will hammer your device.


    Thanks for the input. Will take it from here.

    Just get WireGuard working; if not, then just forget upgrading it.


    WireGuard is very complicated for me at the moment. I probably need more reading and training. I just need a quick solution for now and will probably upgrade later when I am fully confident with the routing, NAT and iptables implementation on WireGuard.

    Heck, you can even install Tailscale on your NAS and test it right now.


    Synology x Tailscale on DSM 7 has conflicts with some ports, especially 443, so it's a no for me.
  • ^ Well, I guess you are not going to get that 400-500 Mbps target. More like around 100 Mbps, probably slower, even with AES-NI.

    So if you really want OpenVPN, forget that hardware and get an SFF PC with at least a 7th gen i3. At least then there's a chance you can get that 400-500 Mbps target.

    Or you can get a crypto accelerator card. I don't know where you can get one, but if you manage to get one, OpenVPN will be blazing fast for you.

    -- edited by polka on Jul 06 2022, 01:52 AM
  • @joseph0829

    May I ask the cost of this appliance? It looks similar to ones found on AliExpress with passive cooling. If so, it might be more practical to just build it yourself using mini-ITX inside an SFF case.
  • @vanguard

    What are the changes you made in loader.conf and sysctl?
  • Well, I guess you are not going to get that 400-500 Mbps target. More like around 100 Mbps, probably slower, even with AES-NI.
    That's an interesting take. Granted, I don't have an N5105 box, but I've seen a J5005 hitting 350 Mbps on a single OpenVPN connection. So a newer-gen Jasper Lake part with a higher base frequency should be able to hit around 400 Mbps with AES-NI. He may want to ease off on the ciphers and maybe use AES-128-GCM.

    On raw speeds alone, the N5105 is capable of driving 2.5 Gbps, so I'd be really surprised to see it only hit 100 Mbps or less with OpenVPN.

    What are the changes you made in loader.conf and sysctl?
    For my specific use-case, I had to modify some parameters on the em and e1000 drivers, since I was using a VM and I was fiddling around with inline IDS/IPS.
  • ^ Routing, sure; OpenVPN, however, even with hardware ciphers, is a whole different story.

    -- edited by polka on Jul 06 2022, 03:50 PM
  • FYI, a native Tailscale package is now available. Game changer!

    Globe and Converge users, rejoice!

    * For version 2.6.0 CE and 22.01 Plus and above.
  • ^ Runs in userspace though. Still better than nothing; the ease of use of that thing is not something you can just ignore. Unfortunately, since Tailscale is running in userspace, the actual interface is not exposed to pfSense, so you can't do any firewall stuff in pfSense; if you try to inspect all traffic that goes in and out on Tailscale, it all appears under the localhost IP.

    -- edited by polka on Jul 17 2022, 04:27 PM
  • ^ Yep, better than nothing.

    Workaround for the traffic management for now: ACLs.
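What the ACL workaround looks like in practice, as an added example that is not from the thread or from Tailscale's own docs: a tailnet policy file (HuJSON, so comments are allowed) for the setup discussed above, where the pfSense Tailscale package advertises the home LAN as a subnet route and a NAS on that LAN must stay reachable only from a few trusted devices. Since the package runs in userspace and pfSense cannot filter the tunnel, this policy is the only control between a tailnet device and the LAN. The admin identity admin@example.com, the LAN 192.168.1.0/24 and the NAS address 192.168.1.10 are assumptions.

```jsonc
{
  // Who may assign each tag. Assumed admin identity, not from the thread.
  "groups": {
    "group:admins": ["admin@example.com"]
  },
  "tagOwners": {
    "tag:router":  ["group:admins"],  // the pfSense box running the Tailscale package
    "tag:trusted": ["group:admins"]   // the laptops/phones allowed into the home LAN
  },

  // Let the router's advertised LAN route go live without a manual approval click.
  "autoApprovers": {
    "routes": { "192.168.1.0/24": ["tag:router"] }
  },

  // Tailscale denies by default; only what is listed here is reachable through the router.
  "acls": [
    // trusted devices -> NAS (assumed 192.168.1.10) on DSM (5000/5001) and SMB (445) only;
    // nothing else on 192.168.1.0/24 is reachable, and untagged tailnet devices get nothing
    { "action": "accept", "src": ["tag:trusted"], "dst": ["192.168.1.10:5000,5001,445"] }
  ],

  // Evaluated when the policy is saved; an edit that widens access beyond this fails to save.
  "tests": [
    {
      "src": "tag:trusted",
      "accept": ["192.168.1.10:5001"],
      "deny":   ["192.168.1.10:22", "192.168.1.20:445"]
    }
  ]
}
```

The route itself is still advertised from the pfSense package (Advertise Routes: 192.168.1.0/24) and the router gets `tag:router` when it is added to the tailnet; `autoApprovers` saves re-approving it after each re-login. Keep the NAS rule narrow on purpose: a stolen or compromised tagged laptop then reaches the NAS on DSM and SMB only, not the pfSense web UI or anything else on the LAN.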
  • @Polka

    Do you know how to subnet IPv6? It's confusing. Maybe you could help.
  • Good day,
    I'd just like to ask about installing pfSense via Proxmox VE.


    Why would I virtualize my firewall?

    My hardware seems a bit overkill for a bare-metal pfSense alone, so I thought of running it in a VM and having other services on the hardware as well, so it's all in one.

    Now back to my question. As I've been reading docs and watching resources regarding pfSense and Proxmox, I have one question: after installing Proxmox and creating a VM with pfSense (assuming I followed the Netgate instructions for installing pfSense in PVE), how do I then access Proxmox? Is its IP the gateway, since my hardware will become the router?

    Before doing this:

    172.16.0.0/24

    OpenWRT -> LAN (this is where PVE is = static IP of 172.16.0.11/32)

    Aftermath assumption:
    PVE with pfSense -> LAN
    How do I access my Proxmox?

    I hope I explained my problem more clearly.

    -- edited by nicejuan on Aug 01 2022, 07:32 PM

  • It still depends on your setup. If you have a PCIe passthrough NIC, you will need a physical switch and basically plug 2 LAN cables into that switch, 1 for the pfSense LAN side and another one for the Proxmox management interface.

    Else, if you want the LAN side and the management side of Proxmox on a single physical NIC, you need to create a virtualized NIC for that pfSense VM and make sure to bridge it to the same network interface you use with Proxmox.

    After that, all you have to make sure of is that the Proxmox management interface is in the same subnet as your pfSense subnet.
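Polka's second option (pfSense LAN and Proxmox management sharing one physical NIC) written out as the Proxmox host's network config. This is an added example, not config from the thread, from Netgate or from Proxmox: the interface names enp1s0/enp2s0, the pfSense LAN address 172.16.0.1 and the 172.16.0.0/24 subnet are assumptions, and 172.16.0.11 is the management address from nicejuan's post.

```conf
# /etc/network/interfaces on the Proxmox host (added example; names and addresses assumed)
# enp1s0 = NIC cabled to the ONU/modem (WAN), enp2s0 = onboard NIC cabled to the LAN switch
auto lo
iface lo inet loopback

# WAN bridge: the host has NO address here, only the pfSense VM's WAN vNIC attaches to it,
# so the raw WAN link is never reachable from the host or from other VMs.
auto enp1s0
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

# LAN bridge: carries both the pfSense VM's LAN vNIC and the host's management address.
# The host's default gateway is the pfSense LAN address inside the VM (assumed 172.16.0.1).
auto enp2s0
iface enp2s0 inet manual

auto vmbr1
iface vmbr1 inet static
        address 172.16.0.11/24
        gateway 172.16.0.1
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
```

Attach the pfSense VM (ID 100 assumed) with `qm set 100 --net0 virtio,bridge=vmbr0 --net1 virtio,bridge=vmbr1` and `qm set 100 --onboot 1` so the host regains its gateway after a reboot; until pfSense is up the host has no default route, so keep console or IPMI access. The management web UI on 8006 is now reachable from the whole LAN, so restrict it with the Proxmox host firewall or a pfSense LAN rule. With a passthrough WAN NIC instead, vmbr0 disappears and the host never touches the WAN link at all, which is the safer arrangement when the hardware supports it.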
  • I can't say what's overkill in hardware. It really depends on what you use the pfSense server for.
    I have 800-1400 internet users where I work. Two 1 Gbps lines from the ISP. And take note, ordinary NICs don't support some of pfSense's services.

    My hardware is from our old IBM server. Intel Xeon E5-2609, 4 cores. But I upgraded it to an E5-2690, 8 cores 16 threads. 24 GB RAM. 4 NICs (1 Gbps).

    pfSense services I am using:
    1. DHCP server
    2. pfBlocker-devel (I loaded a lot of feeds)
    3. Snort
    4. Squid proxy (ClamAV)
    5. Traffic shaper
    6. ntop
    7. Load balancer (2 x 1 Gbps internet)

    Reason why I upgraded to the 8-core Xeon? Processor usage was hitting 90% on the Xeon 2609 (4 cores). After that, it's only 20% on the Xeon E5-2690.
  • ^ It's just for a homelab, and

    I'm running an i7 Coffee Lake.

    I would like to maximize it for other services.
  • @polka


    Here's what I'm thinking, sir:


    The onboard NIC is for the PVE connection to the virtualized LAN (still at 172.16.0.11),
    then for my virtualized pfSense I assign the ports, mainly:

    eth0 WAN - eth1 OPT - eth2 pfSense LAN (the cable going to the onboard NIC) - eth3 pfSense LAN

    Would an idea like this work?
  • Nice to see a local pfSense thread. Just got something similar to the specs posted above on Lazada; quite expensive, so I'll use a barebones unit and get better-quality RAM/NVMe. I'm emotionally ready for the inevitable frustration. Here's hoping the single 32 GB RAM module will be compatible with the N5105 and the shipped board. Opted for this so I can extend to 64 GB in the future if required. For now, no budget.

    Will echo the sentiment that with such capable hardware, not virtualizing seems like a missed opportunity.

    For anyone interested, my ultimate goal is to get around Converge CGNAT. I experienced a glimmer of hope using Cloudflare Zero Trust tunnels hosted via Docker on a NAS to make it internet-facing (DDNS and port forwarding were not proving successful), though I still have an existing double-NAT issue to resolve (ZTE F670L and Omada-controlled router and switches).

    Managed to get the former into IP passthrough, but I'm unfamiliar with what to do next. Any input welcome.
  • Hi guys, newbie here, hoping for some help.
    I currently have pfSense set up at my workplace. This was set up by the previous IT.

    pfSense 2.5.2
    i5 8th gen
    ASRock H310M
    120 GB SSD
    8 GB RAM
    2 x TP-Link 3468


    I have 3 ISPs; only one is active so far, Globe Biz BB 500 Mbps, and the other two are PLDT FibrBiz 300 Mbps and a PLDT leased line 100 Mbps.

    For now, I'm waiting on Globe for bridge mode, as my friend suggested. I'm waiting for their feedback; they say the IP address can't be made static, there's a problem on their end. We're almost 60+ users in the office and they say the Globe router can't handle it anymore; even when there's internet, what it throws is a no-connection page.

    He also suggested that I need an Intel NIC, since the TP-Link is a headache because it's a Realtek chipset, but I can't find anyone selling the specific NIC he named, an i350-T4 or T2. I searched online and there's none in the stores here in our area. I can't find an i350, but I saw one at Uplift on Shopee, except what they sell is an i210.

    If Globe is bridged and configured in pfSense via PPPoE, will that eliminate the problem of the no-connection page with my current setup? Or do I really have to buy an Intel NIC?

    -- edited by warpme11 on Nov 30 2022, 12:36 AM
  • Intel NICs are really the best. I use an i350-T4. If you can get a static IP, better. Sometimes there are connectivity issues if you're not on a static IP, especially under VPN.

    It also depends on your implementation and configuration. Keep it simple.
  • I have 3 ISPs; only one is active so far, Globe Biz BB 500 Mbps, and the other two are PLDT FibrBiz 300 Mbps and a PLDT leased line 100 Mbps.


    Buy an i350-T2 and a managed switch (e.g. TP-Link SG105E).

    The i350-T4 also works; I just don't know if your boss is willing to throw 10k at a single card. At least the i350-T2 is cheap on Shopee and an SG105E switch is around 1.2k+. Alternatively, you can also get a cheap Intel 82575 dual-port NIC. Avoid buying a multi-port i210; the i210 is fine only if you buy the single-port version, the multi-port version is just a wacky way of installing 4 i210 chips with the help of a PCIe multiplexer.
  • polka

    Have you ever experienced, when on VPN, that sometimes your speed won't burst? Sometimes it's just stuck at one particular speed. Sometimes 10 Mbps, sometimes 100 Mbps.
  • ^

    Very common with OpenVPN, though on the pfSense at our company we have a dedicated crypto accelerator card that OpenVPN can fully utilize, so we don't have this issue. As for my test, I can consistently saturate a 500 Mbit leased line through OpenVPN.

    The main culprit with OpenVPN, even with AES-NI, is that it's single-threaded, so you only get the performance of a single core, AES-NI or not.

    Maybe try using WireGuard or IPsec.
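Vanguard's suggestion earlier in the thread to ease off on the ciphers and use AES-128-GCM, and polka's point above that OpenVPN runs its data path on one thread, as an added example of what that means on the OpenVPN server side (the original poster's AWS instance). This is not the poster's config or anything from the thread; it assumes OpenVPN 2.5 or newer on both ends, a UDP tunnel on 1194, an Ubuntu-style `nogroup`, and the PKI paths and tunnel subnet shown, all of which are placeholders.

```conf
# /etc/openvpn/server.conf on the AWS instance (added example; paths and subnet are assumptions)
port 1194
proto udp                 # UDP: a TCP tunnel adds head-of-line blocking and makes "stuck" speeds worse
dev tun
server 10.8.0.0 255.255.255.0
topology subnet
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   none                 # ECDHE only; no DH parameter file needed
tls-crypt /etc/openvpn/pki/tc.key

# Slow form: one CBC cipher plus a separate HMAC, i.e. two passes over every packet
# cipher AES-256-CBC
# auth SHA512

# Faster form: AEAD ciphers negotiated per client, AES-128-GCM first. With GCM the
# 'auth' HMAC only protects the control channel, so each data packet is one AES-NI pass.
data-ciphers AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC   # only for clients that cannot negotiate; remove once none remain
auth SHA256
tls-version-min 1.2

# 0 leaves the socket buffers to the OS; older builds defaulted to 64 KB, which caps
# throughput on a high-latency path. Push the same to clients.
sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"
fast-io                   # skip the poll() before each write on non-Windows hosts
tun-mtu 1500
mssfix 1400               # avoid fragmentation of TCP inside the tunnel

keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
```

On the pfSense client the matching list is the Data Encryption Algorithms field of the OpenVPN client, with AES-128-GCM first. Two checks before blaming the hardware: `dmesg | grep -i aesni` on pfSense (or `grep -c aes /proc/cpuinfo` on the AWS side) confirms the instruction set is active, and `openssl speed -evp aes-128-gcm` on the pfSense box gives the per-core ceiling, which is the number that matters because OpenVPN encrypts on one thread. If a single tunnel still cannot reach the target, running a second OpenVPN instance on another port and splitting clients across the two gives each tunnel its own core.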
  • @polka

    He's willing to throw 10k rather than buy an expensive firewall. I suggested Sophos or Sangfor, but he said those are too expensive, hahaha. Do you have a link to a legit store where I can buy an i350? Uplift has no stock anymore; only the 4-port i210 is available. Should I buy two i350-T2s, is that right? Since I have 3 ISPs. Our core is a Ruijie L2 switch and the access switches are a mix of brands of plug-and-play gigabit switches.
  • The i350-T4 is cheap now. I got mine for around $90, Dell brand. Just make sure the chip's name is embossed on top of it. There are many fakes. It used to be available on Amazon. I know eBay still has plenty.
  • @warpme

    Well, I guess your boss knows how expensive the recurring cost of Sophos is; the license alone is just... It would be nice if it were a perpetual license, but this one is subscription-based at a cost in the three digits.

    @magikmark

    This is true; it's better to look for server pull-out items than brand-new in-box items. Just check what type of bracket comes with the pulled-out NIC, because those often come with only half-height brackets.
  • @magikmark

    Do you have a link to a shop on Amazon I could buy from?