5 min read

High Speed, Low Drag: Building a home pfSense/OPNsense box on a budget

Putting together a DIY pfSense/OPNsense box for less than $200.
High Speed, Low Drag: Building a home pfSense/OPNsense box on a budget

Background

I've written previously about my ISP, Buckeye Broadband's practice of intercepting and redirecting HTTP requests in order to inject advertisements (I really don't give a shit about free tickets to a golf tournament) and warnings about my data usage (I really don't need to be bombarded daily with an offer to upgrade to unlimited data for $30). Reports seem to indicate that Buckeye is using software from PerfTech, a company which specializes in "in-browser messaging", to accomplish this. Besides the obvious net neutrality and privacy/security concerns over injecting foreign code into websites (is your ISP logging every non-HTTPS URL you visit?), such a practice also has the potential to break websites in today's increasingly JavaScript-heavy world.

To counter this, I've been running all of my desktop's traffic over OpenVPN with AES-256-GCM encryption to a VPS I've set up specifically for this purpose. While this works great on this particular computer, it still leaves all the other devices in my household vulnerable to interference from Buckeye. In order to tunnel all WAN traffic through OpenVPN, I'd need to run OpenVPN on the router itself. Until recently I've been using a Linksys WRT54GL, but needless to say its geriatric 200MHz Broadcom CPU simply wasn't going to cut it. Tomato firmware, tomato performance!

Clearly, the solution to this problem would be more powerful hardware. Since I had no interest in spending $$$ for an overpriced consumer-grade router, which are generally lacking in terms of both configuration flexibility and features, this seemed like a great opportunity and excuse to roll my own build and run a firewall/router distro such as pfSense or OPNsense.

Planning The Build

I wanted the machine to be fast and futureproof without breaking the bank, and came up with the following guidelines:

  • Relatively low cost, on par with high-end consumer-grade routers (<=$200)
  • Reasonably fast but low-power CPU with AES-NI, capable of pushing a few hundred Mbps over OpenVPN
  • Motherboard with integrated dual LAN ports
  • Compact size

The biggest challenge I encountered was finding a motherboard. Since compactness was one of my primary considerations this pretty much limited me to the mini-ITX form factor. Atom/Celeron SoC boards are generally pretty cheap when it comes to the mainstream single-LAN models, but prices tend to skyrocket into the $150+ range for the dual-LAN models. Nope.

I turned to traditional socketed motherboards next and came across the ASUS H110T/CSM. This particular motherboard had just about every feature I was looking for: (thin) mini-ITX form factor, dual LAN (Intel I-219V and Realtek RTL8111H), M.2 2242/2260 SSD support, and best of all, low cost (B&H Photo Video had used/refurb boards going for $50 shipped). As an added bonus, the fact that the H110T/CSM is a thin mini-ITX board and runs off 19V DC power meant that I could power everything with a universal 19V laptop power brick, which can be had for less than $10 on Amazon.

Picking a CPU wasn't too difficult - LGA 1151 and the H110 chipset support either Skylake or Kaby Lake processors, and since the goal was low power and low cost I went with the Celeron G3900, a Skylake architecture 2C/2T CPU that runs at 2.8 GHz and has a 51W TDP. Ideally, the lower-power 35W G3900T would have been better, but this is an OEM chip and would have required separately obtaining a cooling solution. I decided to keep things simple and go for the retail-packaged G3900 which includes a stock Intel cooler. After all, one can always underclock and/or undervolt to achieve similar power savings.

As for the case, I decided to go with the M350 Universal Mini-ITX enclosure. This is a popular case in ultra-SFF circles for its small size - about 8 x 7.6 x 2.4 inches. Not as small as an NUC, but it would look right at home sitting next to a cable modem or wireless access point.

pfSense/OPNsense don't really require a lot of disk space unless you're running a lot of caching/logging software (e.g. Squid), so I decided to go with the cheapest option available - a 16GB M.2 Chromebook SSD, which can be had for less than $10 from eBay. Finally, a 4GB DDR4 SODIMM, also from eBay, rounded out the build.

Bill of Materials

Component Price Vendor Condition
ASUS H110T/CSM motherboard $50.00 bhphotovideo.com Used
Intel Celeron G3900 (Retail) $36.99 Amazon (3rd-party) New
M350 Universal mini-ITX Enclosure $39.95 mini-box.com New
Kingston 16GB M.2 2242 Chromebook SSD $9.99 eBay Used
4GB DDR4 SODIMM $32.10
eBay "Like New"
19V 90W AC Adapter $9.88 Amazon
New

Total: $178.91

Well under $200...not bad. Not bad at all.

Putting It Together

Working with the M350 case isn't too different from any other SFF PC build, only even smaller. There's just not a lot of room to work with. In order to fit the Intel stock cooler and still be able to close the case, you'll need to remove the top plate for holding a 2.5" hard drive and fan. Since I'm using an M.2 SSD that sits flush with the board there's no need for this extraneous piece of metal, thankfully.

IMG_20180516_195642_rs
Even still, it's a tight fit - there's virtually no clearance between the top panel and the Intel HSF!

IMG_20180516_195700_rs
One issue I ran into was that the M350's power switch and power LED header cables weren't nearly long enough to reach the corresponding motherboard headers on the opposite side. Thankfully, I had a box of leftover Dupont cables from a previous Arduino project to save the day.

The finished product

IMG_20180516_195527_rs
With its 19V DC power jack and dual RJ-45 ports, that back panel certainly looks ready for business! The blue power LED on the front is a nice illuminator in dark environments, and the machine is whisper-quiet. The fan is barely audible, especially after setting the fan mode to Quiet in the ASUS UEFI. For increased power savings I also underclocked the G3900 CPU to 2.0 GHz, which should still be more than sufficient.

Loading pfSense/OPNsense onto the system is simply a matter of preparing a USB flash drive installer, plugging it into one of the four USB 3.0 ports on the back, and booting from it. Just make sure you know which LAN port is which - the topmost one (closer to the DC power jack) is the Realtek port, while the bottom one is the Intel port. Otherwise, you may be in for a bit of trial and error trying to figuring out which is WAN versus which is LAN 😉