Thin Client pfSense Firewall
I needed to move my FW off of a hot ESX server that was superheating my office. I opted to try my luck with a thin client pfSense firewall.
A few years ago, I started running ESX on a PowerEdge 2950 for my home office lab. Since I had this workhorse running anyway, it made sense to run all my servers as virtual servers (VMs).
The 2950 increased my office temperature so much that I had to add a window air conditioner, to offset the central air, to keep the temperature comfortable. The AC unit is fine until you get to those spring and fall seasons, where the day is still warm but the night temperatures plummet enough that the AC’s condenser freezes up. This leaves me with no AC and an office that is 90° F.
Luckily, in the last few years there has been a shift in the IT market to the cloud. This means that I can do much of my work testing and demos using my company's cloud services and solutions.
Since the 2950 doesn’t need to run all the time, just occasionally when I need to load up a VM to represent a physical appliance, I needed to move my FW and a few Linux VMs off, and onto more reasonable hardware.
My personal home servers that I need to move:
- a pfSense firewall, connected to a cable modem
- a dedicated Linux box that runs Transmission (BitTorrent) and OpenVPN, to a non-logging VPN service (EarthVPN)
- a remote access Linux box that runs SSH and ownCloud
Hardware for the pfSense Firewall
I wanted to keep the heat down, so a low-powered thin client would be a perfect solution.
After a little research, I decided on the HP T5740E (if you want to run a 64-bit version of pfSense, you should go with an HP t5730 instead, with an AMD Sempron).
- It leverages a decently powerful Intel Atom processor (N280)
- It has two DDR3 RAM slots.
- An expansion module is available, which allows you to install a full-height PCI-E card; I need 2 network interfaces for pfSense.
- It uses very little power, around 12 watts
- It generates little heat
Info on the Atom processor (N280)
- Single Core 1.66 GHz, with 2 threads
- 667 MHz Bus speed
- 32 bit (Not 64 bit)
The HP T5740E (without the expansion module)
I found an HP T5740E on eBay for around $30 USD (actually I found 2, but that’s not relevant for this post)
Expansion module
I also picked up an Expansion module (AZ551AA PCI Express Expansion Module Chassis – 581264-002), so I could add an Intel Pro 1000 PT Dual Port Gigabit PCI-E card (listed as supported by pfSense forums).
This is a picture of the thin client pfSense firewall (the HP T5740E + expansion module). You may notice a 2nd T5740E on top of the firewall; that’s another project I’ll cover in another post.
The expansion module almost doubles the size, but it’s still a pretty small package.
- Intel(R) Atom(TM) CPU N280 @ 1.66GHz
- 2 GB DDR3 RAM
- 4 GB flash drive
- 3 Gigabit LAN ports
This should easily handle my 25 Megabit Comcast cable connection.
Thin client pfSense firewall OS installation
Download the pfSense installer
The embedded version is specifically tailored for use with any hardware using flash memory (mostly Compact Flash) rather than a hard drive. Flash memory can only handle a limited number of writes, so the embedded version runs read-only from flash, with read/write file systems as RAM disks. The NanoBSD platform has two OS slices and a config slice. One OS slice is used to boot from, the other is used for upgrades, and the config slice is where the configuration is held separately.
There are two variations of the NanoBSD platform: The default version which uses a serial console, and another that supports using a VGA console. Each of those variations also comes sized for different sizes of storage media.
- If you want to use a keyboard and monitor to install pfSense, then you want the VGA console version.
- If you want to use a serial console cable (null modem) to install pfSense, then you want the serial console version.
Download pfSense; the download is a gzipped file containing the installer as an img file.
Linux and Mac OS X users can use the dd command to directly write the IMG file’s contents to a removable media device, like a USB flash drive. Plug the flash drive into your desktop computer or workstation and run the following command, replacing the input path with the location of the IMG file and /dev/sdX with the flash drive's device name (dd overwrites whatever device it is pointed at):
sudo dd if=/home/user/file.img of=/dev/sdX bs=1M
If you aren’t on Linux or macOS, here’s some help: How to Create Bootable USB Drives and SD Cards For Every Operating System
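An added example, not part of the original post: before writing the image with dd, check the gzipped download against the SHA-256 value published for it and confirm the target really is a block device. The script name, file path, device name and hash are placeholders you supply, and the script decompresses the image on the fly instead of reading an already unpacked file.img.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded pfSense image, then write it with dd.
# The image path, device name and expected hash are supplied by the user.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file's hash matches the published value and the
# gzip stream is intact.
verify_image() {
    local img_gz="$1" expected="$2" actual
    [ -f "$img_gz" ] || { echo "no such file: $img_gz" >&2; return 2; }
    actual="$(sha256_of "$img_gz")"
    # Compare case-insensitively; published hashes are sometimes upper case.
    if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" != \
         "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "SHA-256 mismatch: got $actual" >&2
        return 1
    fi
    gzip -t "$img_gz" || { echo "corrupt gzip stream" >&2; return 1; }
}

# Verify first, then decompress straight onto the target device.
write_image() {
    local img_gz="$1" expected="$2" dev="$3"
    verify_image "$img_gz" "$expected" || return 1
    # Refuse anything that is not a block device (e.g. a mistyped path).
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    gzip -dc "$img_gz" | sudo dd of="$dev" bs=1M && sync
}

# Usage: ./write-pfsense.sh image.img.gz <published-sha256> /dev/sdX
if [ "$#" -eq 3 ]; then
    write_image "$1" "$2" "$3"
fi
```
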
I booted the thin client from the USB drive (F10 to select boot drive), and used the keyboard and monitor to install pfSense.
Throughput of the thin client pfSense firewall
After importing my config from my VM version of pfSense, I ran a couple of speed tests to see if this fw could keep up with my cable connection.
I expected 25Mb download and 5Mb upload, so this is what I anticipated.
EDIT: (I use this thin client pfSense firewall on a 100Mb FIOS connection now and it still handled the throughput with no issues).
Based on the system resource utilization, I think this little firewall could scale up to a significantly faster connection and still be fine.
Using a low-power thin client can dramatically cut your energy usage and heat generation, so using pfSense and a thin client for your firewall just makes good sense.
Filed under: Hardware,Security & Privacy - @ October 17, 2015 8:16 pm