I’ve written about pfSense before. It’s a router project based on FreeBSD, a free Unix project that never gained the popularity of Linux but is perfectly capable in its own right. But it doesn’t run on router hardware. It’s designed to run on a PC. But a lot of pfSense builds get expensive. So let’s look at a budget pfSense build. Let’s see what we can do for around $100-$150.
I see a lot of pfSense builds with price tags of $300. If you’re OK with using used equipment, you can build a nice machine for half that. And you don’t have to give up quality either. In fact, I’ll argue that building one my way gains you quality. Let’s get to it.
Budget pfSense build: a retired professional workstation
I’ve written about workstations before, as an alternative way to build a powerhouse PC. But for a budget pfSense build, I recommend picking up a lower-end, small form factor HP Z200 series workstation. If you can find one with a Pentium or i3 CPU, you can get one for around $80. Be careful at the low end of the price scale. You can find a Z for $35, but it will be missing multiple vital components at that price.
A small form factor business desktop like a Dell Optiplex is also a popular choice. It may be a little cheaper and will probably be easier to find. But I like a workstation-class machine. The Z200 looks just like an HP Elite, but it matches up a desktop-class CPU with a server-grade chipset. With all due respect to business-class desktops, workstations are a little more reliable, a little more stable, and potentially just a touch faster.
Why small form factor? Certainly there’s no reason a minitower wouldn’t work. But a small form factor desktop tends to be cheaper, since budget gamers prefer a minitower so they can put a full-size video card in it. And the small form factor desktop takes up less space.
Dell and Lenovo also make high-quality workstations. I chose an HP Z because the 200-series workstations are smaller than anything Dell or Lenovo make.
An HP Z has a desktop-class Intel network card built in. Mine has an Intel 82579LM. I’ve heard people call this a consumer-grade card, but I wouldn’t call it that. It’s optimized for workstation loads and for lower power consumption, but it’s a better chip than whatever is in a consumer-grade router. Realtek makes consumer-grade cards. Intel wants higher margins.
The problem with non-Intel cards
FreeBSD, and by extension, pfSense, works best with Intel network cards. The driver support for Broadcom chipsets just isn’t very good. I’m fine with using Broadcom cards in Windows boxes, but it’s not worth the frustration to save five bucks.
Atheros and Realtek chipsets are fine for casual use, but perform poorly in pfSense. They’ll work fine in testing, but once you’re pumping all your Internet traffic through them, you won’t be happy with them. Atheros and Realtek chips rely much more heavily on the CPU, and they don’t have very good driver support in FreeBSD.
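To check which chips a candidate machine actually carries before it routes traffic, the sketch below sorts the network devices listed by FreeBSD's `pciconf -lv` by PCI vendor ID. It is an added example, not part of the original post. The sample input is constructed, and the verdict labels (preferred, avoid, check) are this example's own shorthand for the advice above.

```shell
#!/bin/sh
# Added example: classify network-class PCI devices from `pciconf -lv` text.
# Verdict labels ("preferred"/"avoid"/"check") are this example's own wording.

classify_nics() {
    awk '
    function vendor_id(line,    p) {
        # Older FreeBSD prints chip=0xDDDDVVVV; newer prints vendor=0xVVVV.
        p = index(line, "chip=0x")
        if (p) return tolower(substr(line, p + 11, 4))
        p = index(line, "vendor=0x")
        if (p) return tolower(substr(line, p + 9, 4))
        return "unknown"
    }
    $1 ~ /@pci[0-9]+:/ {
        # Header line, e.g. "em0@pci0:0:25:0: class=0x020000 ...".
        if (index($0, "class=0x02") == 0) next   # not a network device
        split($1, name, "@")
        vid = vendor_id($0)
        if      (vid == "8086") print name[1], "intel", "preferred"
        else if (vid == "10ec") print name[1], "realtek", "avoid"
        else if (vid == "14e4") print name[1], "broadcom", "avoid"
        else if (vid == "1969") print name[1], "atheros", "avoid"
        else                    print name[1], vid, "check"
    }'
}

# Constructed sample input (not captured from a real machine).
sample_pciconf() {
    cat <<'EOF'
em0@pci0:0:25:0: class=0x020000 card=0x00000000 chip=0x15028086 rev=0x04 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82579LM Gigabit Network Connection'
    class      = network
em1@pci0:1:0:0: class=0x020000 rev=0x06 hdr=0x00 vendor=0x8086 device=0x105e subvendor=0x0000 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = '82571EB Gigabit Ethernet Controller'
    class      = network
re0@pci0:3:0:0: class=0x020000 card=0x00000000 chip=0x816810ec rev=0x06 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    class      = network
ahci0@pci0:0:31:2: class=0x010601 card=0x00000000 chip=0x3b228086 rev=0x05 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = mass storage
EOF
}

sample_pciconf | classify_nics
```

On a running pfSense box, pipe the real listing in instead: `pciconf -lv | classify_nics`.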
Intel sells its networking chips, alone, for the price of a Realtek-based card imported straight from China. But you can put Intel-based cards in a budget pfSense build. The trick is getting a used Intel card.
Finding Intel cards at a Realtek price
Fortunately there are tons of Intel-based cards on the secondhand market, pulled from retired servers. I’ve never had to pay more than $18 for an Intel-based card, and I’ll let you in on my secrets.
My HP Z has a single PCI slot, a PCI-E x1 slot, and two PCI-E x16 slots. You can put a single-port card in the x1 slot. If you need more than two ports, you can put a dual or quad card in one of the x16 slots. The duals and quads are server-grade cards, which sacrifice power management for raw speed. My dual-port card with an 82571EB chip on it is rated for about 3 watts, as opposed to 0.75 watts for the chip on my motherboard. I paid around $15 for mine, so you can put professional-grade networking in a budget pfSense build.
Don’t use the old 32-bit PCI slot for networking. You’ll get much better performance out of PCI-E.
Identifying Intel cards
Listings that identify the cards as Intel tend to go fastest, and for the most money. Look closely at any mystery card. Broadcom cards usually have the name “Broadcom” stamped across the biggest chip on the card. Intel cards usually have a black finned heat sink on the biggest chip. That’s the easiest clue.
Intel cards also tend to be very consistent in their board layout. Once you’ve seen a few Intel cards, you can probably spot the pattern. A non-Intel card just doesn’t look the same.
The cheapest way to find an Intel-based card often is to find a relabeled one resold by Dell, HP, IBM, or Sun. Here are some searches, sorted by price. This list isn’t necessarily exhaustive, but will turn up a good quantity of Intel-based cards at a good price. If you can’t find a card with the right bracket, scroll to the top and buy the correct bracket for a couple of dollars. Swapping the bracket just requires removing two screws.
You should be able to pick up a single-port NIC for around $10, especially if you shop early in the week. Sun-branded cards tend to be easy to pick up cheaply because they sometimes use weird chipsets. Before you buy any Sun card, make sure it looks just like the HP or Dell cards next to it.
Dual NICs are more expensive, but I can usually find a dual-port Intel-based NIC for around $13. Sun cards can be bargains; just make sure the card looks like the equivalent HP or Dell card.
Expect to pay around $16 for a quad NIC. Be aware that many quad-port NICs use a lot more power, so don’t buy a quad just to have one. Dual-port NICs use about 1/3 the wattage, so if you only need two ports, get a dual.
You can get by with a hard drive since pfSense isn’t all that disk intensive, but an SSD lowers your power consumption and makes the machine cooler and quieter. Speed isn’t really an issue, and pfSense needs 16 gigs of storage, so a cheap SSD will do the job. A used 80 GB Intel 320 SSD sells for around $20. There are cheaper SSDs out there, and many of them are fine, but some are less so. The nice thing about an Intel 320 is there are so many of them out there, so they’re pretty easy to find.
You can get a 2.5-to-3.5-inch adapter bracket for around $3 to make the drive fit neatly in one of the HP Z’s two 3.5″ drive bays. If you’re willing to wait for one coming from China, you can get one for 75 cents.
You can run pfSense comfortably in 4 GB of RAM, so for a tight budget pfSense build, you may go with that.
But 8 GB is even more comfortable, and you can get that much without busting your budget. When you buy your HP Z, pay attention to the pictures so you can figure out the memory configuration. Look for one with two empty slots. The nice thing about memory is that 2 GB modules are cheap, and an HP Z has four slots, so you can get 8 GB relatively cheaply by grabbing a couple of 2 GB DIMMs nobody wants for your machine’s empty slots. Ideally, look for system pulls with HP stickers on them with a part number so you can check compatibility to be safe. I paid less than $15 for a pair of Micron modules with HP stickers on them.
A Xeon-based HP Z needs ECC memory, but as long as you have a desktop-class CPU, you don’t have to worry about ECC. Used ECC memory can be cheaper than non-ECC due to lack of demand, but you’ll pay a premium for a Xeon and then you’ll have to find a low-profile video card for it. So I recommend a Pentium, i3 or i5 CPU with standard memory for a budget pfSense build.
What about wireless?
Getting wireless networking running on pfSense can be a bit hit and miss. You’ll be happiest if you take your old router, reset it to factory defaults, reload the firmware, and then put it into access point mode, and plug it into your network to provide wireless service. I’d much rather run pfSense exposed directly to the Internet than a consumer-grade router that never gets updates.
Some security professionals say to discard any router you suspect may have been hacked. I’m not sure I’m ready to go quite that far, but if you want to be really safe, pick up a new 802.11ac router and use it as an access point to provide wireless behind your budget pfSense box.