pfSense Router Build part 1 - Hardware

Hardware

Network Interface Card
Intel I340-T4 Network Adapter

Motherboard
ASROCK Q5000M AMD A4-5000

Memory
Gskill DDR3 8GB

Storage
Intel Solid State Drive

Power Supply
Seasonic SS-400FL2 Active PFC 400W PSU

Case
Silverstone MLO4 Mini-ATX HTPC

Wireless AP
Ubiquiti UniFi 802.11ac UAP-AC-PRO-US Access Point

After many years of enjoying consumer “routers” (which are actually three devices, a router, a switch, and a wireless access point, conveniently merged into a single device with a handy web configuration interface), my networking needs finally reached a point where I had to step up to “enterprise” grade devices. The desire for VLANs and other advanced network management features/services left me searching for alternatives to just buying another off-the-shelf solution. Also, watching a perfectly good (and still useful) consumer router become a security nightmare due to stagnated firmware and/or loss of vendor support left me wanting more control over my connection to the Internet. While your ISP rules your modem with their firmware (unfortunately), you have control and choice over what router you run alongside it.

The answer to my problem was to put together an open source router with parts hand selected to support the features and functionality I was looking to have for my network. After researching prosumer and entry level enterprise grade routers, I stumbled upon pfSense. pfSense emerged as the winning option, as it is an open-source solution for getting an enterprise grade router out of commodity hardware by providing the software to run it for free (both libre and gratis).

This is a step-by-step tutorial to help you build the same router I decided to assemble for myself. The intention is to help you understand how hardware specifications impact what you can do with the router. I made some specific design choices for how I wanted the router to be (physically) and what I wanted it to do (networking and configuration). The next section explains how and why I made the design choices I did. Without further ado, let's get into the design criteria...

Primary Design Criteria

1. Silent (No Fans) / No Moving Parts

Since I have to sit next to the router, I do not want it to make any type of noise. Fans are annoying, and they can fail causing the router to overheat. I’d rather just avoid fans and moving parts (like spinning disk hard drives) and just make the entire router solid state. This increases its durability and longevity, at least in theory. Hopefully coil whine isn’t a problem.

2. Low(er) power consumption than enterprise routers while maintaining a similar feature set

Traditional consumer “routers” typically have a low power footprint because they use low power CPUs like MIPS or ARM. Since the router stays on constantly, making sure it is as power efficient as possible is important. Enterprise routers are power hungry (due to cooling) and are loud. Most of the pfSense builds I found online were either on embedded CPUs or on traditional desktop computers. Keeping a desktop on generates too much heat and noise and pulls more power at idle than most dedicated devices. I wanted to avoid this, as the goal is to keep it somewhat affordable to run 24/7/365 without sacrificing the “horsepower” needed to run applications like Suricata and Snort on the box and support encrypted VPNs.

3. CPU with AES-NI to support VPN encryption features in upcoming Ver 2.5

There is a lot of talk in the pfSense community about the AES-NI instruction set becoming a requirement in version 2.5 for onboard acceleration of VPN encryption. I decided to just get a CPU that has the instruction set so any future dependencies on it could be managed. Sadly, this requirement made finding an appropriate motherboard a bit of a challenge, as many of the low power CPUs from Intel (the Celerons and Atoms, for example) are feature deficient in this regard.
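One way to confirm the flag on a candidate board before committing to it, as an added example that is not part of the original post: the function reads the CPU feature text from a pfSense/FreeBSD boot log or from a Linux live USB and reports whether AES-NI is advertised. The names `has_aesni` and `sample_*` are hypothetical, and the sample text is constructed, not captured from the hardware in this build.

```shell
#!/bin/sh
# has_aesni: reads CPU feature text on stdin.
#   exit 0 = AES-NI advertised, 1 = not advertised, 2 = no CPU feature lines seen
# Understands two formats:
#   FreeBSD/pfSense /var/run/dmesg.boot:  Features2=0x...<SSE3,...,AESNI,...>
#   Linux /proc/cpuinfo:                  flags : fpu vme ... aes ...
has_aesni() {
    awk '
        # FreeBSD: feature names are comma separated inside <...>
        /Features2=0x/ {
            seen = 1
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        # Linux: space separated flags; compare whole words, not substrings
        /^flags[ \t]*:/ {
            seen = 1
            for (i = 3; i <= NF; i++) if ($i == "aes") found = 1
        }
        END { if (!seen) exit 2; exit(found ? 0 : 1) }
    '
}

# Constructed sample: FreeBSD-style boot log for a CPU that advertises AES-NI
sample_freebsd_with() { cat <<'EOF'
CPU: Example CPU (constructed sample)
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
  Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE>
EOF
}

# Constructed sample: Linux-style cpuinfo for a CPU without AES-NI
sample_linux_without() { cat <<'EOF'
model name	: Example CPU (constructed sample)
flags		: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 pclmulqdq
EOF
}

# Demo over the constructed samples. On real hardware use instead:
#   has_aesni < /var/run/dmesg.boot    (pfSense / FreeBSD)
#   has_aesni < /proc/cpuinfo          (Linux live USB)
for s in sample_freebsd_with sample_linux_without; do
    rc=0; "$s" | has_aesni || rc=$?
    echo "$s: exit $rc"
done
```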

4. Security Device – Build a dedicated device

“Do one thing and do it well” is a good philosophy to live by. When it comes to a security device, it's best to make it dedicated. Why risk having other things run on the box or add unnecessary complexities (like virtualizing a pfSense instance)? As we all recently learned from Spectre and Meltdown, things can talk even if we don't intend them to. Thus, all this box does is run pfSense and its supporting extensions.

5. All in One Box (Router/Switch/Wireless Access Point)

Because I have become used to the ease of consumer routers providing all three network functions, I wanted to ensure that my box maintained that profile and those capabilities. As such, I selected a wireless access point that is well known to be compatible with and supported by pfSense, and a case big enough to accommodate both the guts of the router and the wireless AP. The NIC chosen is a 4 port NIC so teaming can be done to a switch that is purchased for future expansion (probably a Cisco SG300-10). The modem takes 1 port, and the wireless AP takes another, leaving 2 remaining on the Intel NIC plus the onboard NIC (a Realtek with known compatibility problems). I also decided that I want it to have a similar physical profile to a consumer router so it can sit on a shelf and behave like a single device. I am going to modify the case to “integrate” the wireless AP into the router.

Parts Choice Explanation

Motherboard has low power (15w) quad core CPU with AES-NI instruction set

The CPU is a 1.7GHz quad core to support pfSense routing/switching and run the wireless AP as well as extra applications and a VPN server. The AES-NI instruction set will support the encryption hardware acceleration in pfSense version 2.5.

Motherboard PCI-E slot is x4 for quad port Intel Server NIC

It was difficult to find an ITX motherboard with an embedded CPU that had a PCI-E slot that ran faster than x1. This motherboard has an x16 slot that runs at x4, at the cost of a small increase in size to micro-ATX, while keeping an embedded CPU.

Power Supply is 80 Plus Platinum and fanless

Meets the high efficiency and zero noise requirement. Seasonic is known for its quality power supplies.

Case is low profile mini-atx with top PCI slot to route PoE power and Wireless AP cable to NIC

This case is designed for HTPC builds, so it is in a horizontal configuration like a set top box. There is enough room inside to mount the PoE adapter needed to power the wireless AP, and there is an extra PCI slot placed horizontally on the case to run the PoE power adapter cable and the PoE Ethernet cable to the wireless AP cleanly with minimal case modifications. A notch will be cut in the case to allow the three prong power cord to fit through.

Enough space in case to mount PoE adapter internally for Wireless AP power and mount AP bracket to top of case for “clean” solution

The case will have holes drilled in the top of the case to ensure that the Wireless AP mounting bracket will hold the WAP in place on top of the case. This is the idea to provide a “clean” design, and make it similar to a consumer router in appearance, though in a larger footprint.

Alternative Build Ideas and Parts Choices

This router can be built significantly cheaper by using a less expensive case with a power supply included in the price and mounting the AP on the side door that can be removed from the case. A significant portion of the cost went into the power supply, as well as getting an onboard CPU board that was fanless and met the specifications required for the build. These two are the most logical places to begin cutting costs. Most of the cheap CPU onboard motherboards I found that had CPUs with AES-NI were of the AMD variety. Biostar sells cheaper dual core and quad core versions of the AMD onboard APU boards with a fan that would most likely work very well for a much cheaper price. They are also Mini-ITX form factor and the PCI-E x16 slot runs at (x8), so you can run a fast NIC in the slot without any problems and use the onboard video for when you need to configure it. Some of the Mini-ITX cases also are in a “cube” format and may prove to be a better choice for a smaller, more vertical footprint than an HTPC set top box. The noisier the part, the cheaper the build :-). If you want more insurance, you can build this with one of the lower power Intel Xeons compatible with ECC RAM to ensure the router is more stable while being more in line with typical enterprise grade routers.

Tools and Accessories Required