The Project TinyMiniMicro form factor represents an excellent opportunity for home-labbers and power-conscious small businesses alike to do something special. In an extremely small footprint, these devices can perform many tasks that once required 1U servers to accomplish. One of my favorite tech purchases ever was a Netgate SG-5100 firewall. That device is fast. It allows me to saturate my 400/30 connection with traffic shaping, full IPS/IDS, DNS filtering, and even more services. Doing all that, I never hit over 50% CPU utilization. The purchase was made as a future investment, with gigabit internet in mind.
When Patrick first announced Project TinyMiniMicro, one of the first things that came to my mind was pfSense. This build will be based on the low-cost HP EliteDesk 705 G3 Mini. For under $200, can I build a router that comes close to an $800 one? Of course, this may not be the solution for everyone. You may require an active support contract with a robust SLA for your firewall, but it is certainly worth exploring for some.
Some Considerations Before Proceeding
One of the first considerations to keep in mind is that the HP EliteDesk 705 G3 I will be using only has a single 1-gigabit Ethernet port. It is a Broadcom NIC, not an Intel one. Historically speaking, Intel NICs on FreeBSD (which pfSense is based on) have had better driver support. However, the bge driver-based Broadcom NICs are well enough supported at this point to proceed. Still, we only have one NIC port, which is challenging.
That does not mean we cannot use this platform for pfSense, however. Since pfSense natively supports VLANs, we can use the HP EliteDesk 705 G3 in conjunction with a managed switch to accomplish our goal. VLANs allow us to have multiple, isolated networks inside a single switch. More importantly, they allow us to bring multiple networks (WAN/LAN) to our pfSense router over a single cable. We are limited to 1 gigabit of overall throughput, though, and we will not be able to build a LAG for redundancy.
A managed switch is a requirement here, since only a managed switch lets us tag VLANs on an interface. In order to accommodate this need, we worked with the STH community and got a managed 24-port Brocade ICX6450 up and running. A special thanks goes to community member fohdeesha for putting all of the information we needed in one place.
You do not need an enterprise-class switch to do this, however. Any small-business smart switch, like the Netgear GS110EMX we reviewed, will do.
A Look at Our Network Topology
In our How to build a lab series, we took a look at my network. In order to begin the testing process for this pfSense deployment, we are going to install it on the test bench. Exactly how that will look can be best described in the below diagram:
pfSense will use VLAN 99 as the WAN and VLAN 991 as the LAN. For those following along at home, instead of plugging your managed switch into another switch as we have here, all you would have to do is plug your ISP modem into a port untagged on VLAN 99. In that configuration, no other devices on your network should be on that VLAN. All client-side access will take place over ports untagged on VLAN 991.
Setting Up pfSense
Setting pfSense up to do VLANs is actually very straightforward. If you need help getting started with the installation, please read Netgate’s installation guide. On your first boot after installation, pfSense will go through an initial setup wizard. The very first question it will ask you is “Do VLANs need to be set up first?”
Your answer should be Y. It will then ask you to select your interface. On our HP EliteDesk 705 G3 it was bge0, so we typed that in. It will then ask you to specify the VLAN tag; enter 99. It will ask again; enter 991. The third time it asks, enter nothing.
Next, enter the WAN interface name: type bge0.99. Then it will ask for the LAN interface name: type bge0.991. It will ask if you want to proceed; press Y. It will then put you on the pfSense management screen. We set our LAN interface’s IP address by pressing 2 in the menu. Ours is set to 10.99.20.1/24. After following the prompts for changing that, it asked us if we wanted to enable DHCP. We said yes.
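To make concrete what the wizard just created: bge0.99 and bge0.991 are 802.1Q sub-interfaces on the one physical port, and the only thing separating WAN traffic from LAN traffic on that cable is the 12-bit VLAN ID carried in each frame. The following Python is an added example, not pfSense code: it builds constructed tagged frames and demultiplexes them to the interface names used above, and the MAC addresses, payloads and the demux_frame helper are assumptions for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

# Mapping produced by the wizard steps above: VLAN tag -> sub-interface on bge0
VLAN_TO_IFACE = {99: "bge0.99", 991: "bge0.991"}


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Constructed frame: dst/src MAC, 802.1Q tag carrying `vid`, inner EtherType, payload."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (12-bit field; 0 and 4095 are reserved)")
    tci = (pcp << 13) | vid  # TCI = PCP(3 bits) | DEI(1 bit, left 0) | VID(12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def demux_frame(frame):
    """Return (pfSense interface, inner EtherType, payload) for a frame arriving on bge0.
    Untagged frames stay on the parent bge0, which the wizard left unassigned."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return ("bge0", ethertype, frame[14:])  # untagged: parent interface
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # mask off PCP/DEI to get the VLAN ID
    iface = VLAN_TO_IFACE.get(vid)
    if iface is None:
        raise ValueError(f"VLAN {vid} has no pfSense interface; frame dropped")
    return (iface, inner_type, frame[18:])


# Constructed sample MACs and payloads (not captured traffic)
MAC_ROUTER = bytes.fromhex("020000000001")
MAC_MODEM = bytes.fromhex("020000000002")
MAC_CLIENT = bytes.fromhex("020000000003")


def example():
    """Frames from the modem (VLAN 99) and a client (VLAN 991) share one cable."""
    wan = build_tagged_frame(MAC_ROUTER, MAC_MODEM, 99, 0x0800, b"wan-ipv4")
    lan = build_tagged_frame(MAC_ROUTER, MAC_CLIENT, 991, 0x0806, b"lan-arp")
    return demux_frame(wan), demux_frame(lan)


if __name__ == "__main__":
    for iface, etype, payload in example():
        print(f"{iface}: ethertype=0x{etype:04x} payload={payload!r}")
```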
After that, we can go over to a PC connected to our network and log into the web interface. The default username is admin and the default password is pfsense. It will walk you through another setup wizard to do things like choosing your DNS servers, time zones, etc. Once you have gone through those prompts, you will land on the Dashboard page.
Initial Testing Results
pfSense has many plugins that you can install. To do so, you go to System on the top menu bar and then click Package Manager. We installed the iperf3 plugin to see if it could properly route at gigabit in its default configuration. The HP pfSense router will act as the client, and my SG-5100 firewall will act as the server.
With the results in, it can do gigabit without breaking much of a sweat. CPU utilization was hovering around 35%. As we found in the Project TMM review, the HP EliteDesk 705 G3 Mini’s AMD Pro CPUs are not particularly fast which means this is an excellent result.
What about traffic shaping and IDS/IPS? For traffic shaping, we are going to use fq_pie, which is derived from the Common Applications Kept Enhanced (CAKE) project. The CAKE project was founded to combat the phenomenon known as Buffer Bloat.
They define bufferbloat as “the undesirable latency that comes from a router or other network equipment buffering too much data”. This added latency becomes noticeable as you utilize higher percentages of your internet connection. For that reason, we set up Traffic Shaper queues on our own network. Lawrence Systems has a walk-through guide on setting this up.
For IDS/IPS we use Suricata. Intrusion Detection/Prevention systems are a security feature in modern firewalls. They use deep-packet inspection to snoop on every packet coming into, and going out of, your network. Their mission is to find exploits and malware and alert you to their presence, and optionally, stop them in their tracks.
Setting up Suricata is very complex and requires its own article. If you are interested in this topic, I can refer you to the Lawrence Systems YouTube page again to get you going. One thing worth noting is that the bge-based NIC in the HP 705 G3 does not support inline Suricata blocking, so you have to use the legacy method. This creates some additional CPU overhead. Ironically, Suricata out-of-the-box was blocking iperf and I needed to adjust the ruleset to allow my testing.
With traffic shaping and Suricata turned on we are still getting gigabit speeds, though we are down a few megabits. The CPU utilization only went up a few percent.
While I did not run the HP EliteDesk 705 G3 through a battery of tests, I was able to run some basic testing to show its viability as a firewall. Something to additionally consider is VPN performance. Since the AMD A10-8770E CPU in my unit has AES-NI crypto acceleration, it should perform fairly well in that category.
While I am not drawing a like-for-like comparison between this unit and the likes of the Netgate SG-5100, it is worth looking at it as a benchmark. Since pfSense is a software firewall, CPU performance is very important. In that arena, the A10-8770E in the HP EliteDesk 705 G3 out-performs the Atom C3558 in our Linux kernel compile test.
CPU performance is not everything for this application, however. Power consumption is something worth considering. The HP EliteDesk 705 G3 pulled about 10 watts idle in our testing. These numbers are right on target, with the SG-5100 rated 7 watts idle. Of course, the EliteDesk can scale to much higher power numbers so the Netgate unit is more power-friendly.
On the flip side, being limited to only 1 interface has its drawbacks. Having to purchase a managed switch is an added cost. Having no ability to build a LAG is unfortunate. It can also be a show stopper not to have a dedicated interface for a high-performance device, or to have a dedicated interface for a DMZ. The Netgate SG-5100 has all of these features.
However, these HP units are selling for around the same price point the Netgate SG-1100 is selling at. With that said, the added comfort of using the vendor’s own hardware to run their software is nice to have. If that weighs heavily on your decision making, the SG-1100 is also a great firewall. If you buy hardware from Netgate, you also have the option to purchase a TAC contract. You do not have that option with third-party hardware.