I was quite fond of LinITX PC-Engines pfSense boxes. An 18 month old 2 core 4 GB APU + SSD pfSense box at home has run perfectly since the outset, when I replaced a HP Microserver running FreeBSD+IPFW. Interestingly, the pfSense main display identifies this as a Netgate APU (which they did once sell) but it is not badged as such.
However, here at my mother's:
- I decided that a 6 month old ALIX (i386) box needed replacement as pfSense 2.4 won't support i386 and nanoBSD is a bit of a PITA. Other than that it was fine, other than needing a new CF card now and again.
- The APU box that replaced it would crash every few hours to days. Returned, came back no fault found (and initially no PSU). Still crashing. Eventually returned for a refund.
- While I liked this tiny box, the Netgate SG-1000 was generally slow for speed tests, and specifically very slow for the TBB single-streamed one. People are whinging a bit about this on the pfSense forum. I hope it is a software rather than hardware problem. Returned for an upgrade to a SG-2220 ("reassuringly expensive"?). This should arrive tomorrow. A good thing as ...
- The ALIX box has also started crashing with nothing on the console (much like the APU), suffering filesystem corruption only repairable by rewriting the CF card and restoring the configuration.
Power here in the wilds of Somerset is a bit erratic. I have a UPS but I fear I need to check out everything connected to it.
Do you run pfSense from RAM disk? Would have thought SSD would be plenty fast enough and I get the sense it is unnecessary.
The configuration option for pfSense to use RAM disks for /var and /tmp is there to prevent wear failure on CF cards and the like. It is indeed thought unnecessary to run pfSense on SSDs with /var and /tmp in RAM disks. pfSense of itself doesn't do that much in the way of writes anyway and nowadays SSD write endurance is much better than CF cards.
If you mean running more of the system out of a RAM disk, I don't recall seeing anything like that and it would probably be quite difficult to achieve, and harder to update. Look at the way ESXi boots itself.
Any experience of dual / multi WAN and load balancing?
Some. At home I had an FTTC line of my own and an ADSL line supplied by my employer (until they decided they would leech for free on my connection).
Multi-WAN can be configured for failover which usually works provided you choose an appropriate IP address to monitor. Something always up at your ISP. Not something distant where far away contention can cause failover. 8.8.8.8 and 8.8.4.4 (Google DNS) are not good choices!
Load balancing doesn't work as you might hope it to, especially on wildly disparate speed WANs where you can end up with something which you want fast on the slow line, and if you use HTTPS you will need to use "sticky connections". Works pretty well for torrents.
Eventually I settled on a failover configuration, with VPN traffic to my employer being specifically aimed at the group with the ADSL connection as the primary.
When I'm home for long enough I intend to see if I can use USB WiFi to a tethered phone for fall-back.
I liked the idea of trying to use Squid / something else to cache Windows 10 / iOS / Steam / other updates but I am reading this doesn't work? hmmmm
At work I had to set up a hierarchy of Squid servers mainly for getting ClamAV AV definitions and FreeBSD source and package tarballs via a slow internet connection of our own, rather than the fast corporate connection when this was switched to using proxies which only supported NTLM authentication. Squid does take some configuring. Out of the box it broke SVN and cached ClamAV definitions for far too long.
Squid is likely to take quite some tinkering to get it working for your needs.
If you have Windows 10 machines, you might try the "get updates from other machines on my LAN" option.
Other things:
At home, my pfSense box connects with PPPoE to a HG612, so no need for a router/modem/access point. Though I have another network segment and switch for a samknows box and for access to the HG612's second port for monitoring. WiFi access points are connected to my internal network.
Here at my mother's I have a BT FTTC line, a Home Hub 5B, a BT YouView box, a Vodafone Sure Signal 3, a Fon access point and the pfSense box de la semaine as the HH5B's DMZ box. Getting the Sure Signal to work with the HH5B was a nightmare. UPnP did not work. Port forwarding needed a startlingly large number of ports. As I was under the desk, today I plugged the Sure Signal into the LAN and removed its port forwarding from the HH5B. Sure Signal working nicely. I will probably keep the HH5B (so I keep BT Wifi), the Fon access point (why not?) and leave the YouView box connected to the HH5B.
The pfSense <> pfSense VPN connection between home and mother's home has been rock solid.
The DNS Override facility in the DNS Resolver (containing both my home BIND DNS server IPs) allows me to access home machines from my mother's by FQDN. Non-Windows DHCP machines here pick up the DNS search list so I can access home machines just by name. I'll have to edit the Windows registry for my desktop.
There certainly is a lot to play with and learn from, but "if it ain't broke don't fix it" has a lot going for it too.
The configuration backup and restore facility is wonderful. Do make sure you have backups of working configurations and know what they are.
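The Domain Override described in the post, written out as the equivalent stanzas in a stock unbound.conf so the two caveats that usually bite are visible. This is an added illustration, not the post author's configuration nor the file pfSense generates; the zone name home.example and the BIND addresses 192.0.2.53 and 192.0.2.54 are placeholders.

```conf
server:
    # pfSense's "DNS Rebinding Check" is the equivalent of these
    # private-address lines: answers carrying RFC1918 addresses are
    # stripped unless the zone is whitelisted with private-domain.
    # Forgetting this is the usual reason an override "works with dig
    # against the BIND box but returns nothing through pfSense".
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "home.example"

    # With DNSSEC validation on, an unsigned internal zone whose name
    # does not exist publicly validates as bogus; mark it insecure so
    # the forwarded answers are accepted.
    domain-insecure: "home.example"

# The Domain Override itself: queries for home.example and everything
# under it go to the two home BIND servers over the site-to-site VPN,
# never to the public forwarders.
forward-zone:
    name: "home.example"
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
```

If you also want reverse lookups for the home LAN, the in-addr.arpa zone needs its own forward-zone and domain-insecure entry.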