After some frustration with stability and latency connecting my virtual pfSense router to my cable and DSL modems, I decided to switch to a physical box. I selected the Netgate RCC-VE 2440 as my hardware platform, since it’s the same box that pfSense themselves use as their OEM bundle. It also checks all the boxes with a dual-core Atom CPU, four Gigabit Ethernet ports, and low-power fanless design. Here’s my first impression and installation notes!
An Ideal pfSense Platform
pfSense is the best open source router platform I’ve come across, and it’s only getting better with active development. It supports just about every feature you’d want, from IPv6 to Multi-WAN to OpenVPN, and can perform well enough to keep up with most consumer or small business WAN links.
One limitation, however, is that pfSense requires an Intel x86 processor. This makes it an ideal way to reuse old PCs but makes it a bit harder to find a low-power integrated platform. Most, like the Intel NUC, have only a single Ethernet port, making them less than perfect for a router. It is possible to hack additional ports into these platforms by leveraging Mini PCIe or M.2, but I wanted something more integrated.
The Netgate ADI 2440 board is ideal for pfSense because it was designed for it:
- It features Intel’s Rangeley dual-core Atom 1.7 GHz CPU (C2358), which supports QuickAssist, AES-NI, and power management
- The board has four Intel Gigabit Ethernet ports
- There is 4 GB of RAM soldered to the board, more than enough for pfSense
- 4 GB of eMMC flash is plenty for a pfSense load, and the board also has two external USB 2.0 ports, a mini-SATA (mSATA) connector, a full-sized SATA II connector, and two full-length Mini PCIe slots!
- It’s ready for Wi-Fi and Cellular, too
- One slick feature is an integrated USB serial console port
Netgate also makes smaller and larger versions of this same hardware platform, ranging from two to six Ethernet ports. But the 2440 is the ideal minimum, with QuickAssist and 4 GB of RAM.
The entire device is integrated, tested, and fanless. And since this is the exact same hardware that pfSense uses for their supported router appliance, it’s perfect for that application!
I chose to buy from Netgate rather than pfSense because the standalone Netgate RCC-VE 2440 costs just $349, a full $150 less than the identical pfSense SG-2440. If you buy from pfSense, you get two support calls, plus the knowledge that you’ve supported the project. But you can still buy support from pfSense if you buy the Netgate.
Installing pfSense on the Netgate ADI
Out of the box, the Netgate ADI/RCC-VE 2440 runs CentOS 7, but it’s ready for pfSense too. Installation was easy!
To start, you need to use the USB serial console embedded in the Netgate box. Drivers for this are part of the Linux kernel, if you have a handy Linux box or Raspberry Pi. If you’re on a Mac or PC, you need to install the Silicon Image serial drivers from http://www.silabs.com/products/interface/Pages/interface-software.aspx
Next, you need a serial terminal emulator. In a Linux command line or Mac Terminal, you can use the “screen” program to access the USB serial port. On my Mac, it showed up as /dev/tty.SLAB_USBtoUART so the proper command is:
screen /dev/tty.SLAB_USBtoUART 115200
On my Raspberry Pi, it showed up as /dev/ttyUSB0 so the command was:
screen /dev/ttyUSB0 115200
You can now access the serial console for configuration, or anything else really. It’s quite handy! Now that I’m done, I left a USB cable from the Netgate USB console port to my Raspberry Pi 2 “Swiss army knife” server. This makes it easy to access the Netgate box in the future if it’s hung up or I need to do any work on it.
I installed the special pfSense install image for Netgate ADI on a 1 GB USB drive. For reference, here’s the command for Mac OS X, assuming the USB drive is at /dev/disk9:
gzcat Downloads/pfSense-memstick-ADI-2.2.4-RELEASE-amd64.img.gz | sudo dd of=/dev/rdisk9 bs=16k
But your USB drive is almost certainly not /dev/disk9. Use hdiutil to pick the right drive before you blow it away with this command!
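The dd command above writes whatever was downloaded, so it is worth checking the image first. The following shell functions are an added example, not part of the original post: they check the image against a SHA-256 digest and test the gzip stream before writing, then read the drive back and compare. They assume you obtained the expected digest for the download yourself; verify_image, write_image and /dev/rdiskN are names introduced here.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check a downloaded install image
# before writing it to a USB drive, then read the drive back and compare.

# SHA-256 of a file argument, or of stdin when called without one.
# Linux ships sha256sum; macOS ships shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi | awk '{print $1}'
}

# verify_image IMAGE.gz EXPECTED_SHA256
# Returns 0 if the digest matches and the gzip stream is intact,
# 1 on mismatch or corruption, 2 on bad arguments.
verify_image() {
    local img="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 2; }
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$img") || return 2
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $actual" >&2; return 1; }
    gzip -t "$img" 2>/dev/null || { echo "corrupt gzip stream" >&2; return 1; }
}

# write_image IMAGE.gz EXPECTED_SHA256 TARGET
# Writes only after verify_image passes; run as root for a real device.
write_image() {
    local img="$1" target="$3" size want got
    verify_image "$img" "$2" || return $?
    size=$(gzip -dc "$img" | wc -c | tr -d ' ')
    want=$(gzip -dc "$img" | sha256_of)
    gzip -dc "$img" | dd of="$target" bs=16k 2>/dev/null || return 1
    sync
    # Read back exactly as many bytes as were written and compare digests.
    got=$(dd if="$target" bs=16k 2>/dev/null | head -c "$size" | sha256_of)
    [ "$got" = "$want" ] || { echo "read-back mismatch on $target" >&2; return 1; }
}

# Usage; EXPECTED is the digest you obtained for the download (assumption)
# and /dev/rdiskN is a placeholder for the drive you identified:
#   write_image pfSense-memstick-ADI-2.2.4-RELEASE-amd64.img.gz "$EXPECTED" /dev/rdiskN
```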
Now put the USB drive in one of the USB ports on the Netgate box and reboot. It should detect the pfSense image and boot into pfSense install mode automatically. Your serial console will be very helpful!
I ran auto-install mode, but the simple install couldn’t create a large-enough swap space to handle a dump of the Netgate’s 4 GB of RAM. That’s because it has 4 GB of RAM and only 4 GB of storage! This is plenty for pfSense, but you might consider adding a small mSATA SSD internally if you think it will be a problem for you.
The install will ask you a few simple questions about the ports and VLAN settings. I’m going to assume you’re able to figure these out. I’m using two Ethernet ports for WAN (igb0 and igb1) and the other two for LAN (igb2 and igb3). So my configuration has already diverged from the standard pfSense appliance and I haven’t even done a thing!
Once the initial install is complete, remove the USB drive and reboot the box. Plug an Ethernet cable into one of your LAN ports and access https://192.168.1.1 from your browser for the advanced setup. Then you’re golden!
A few tips:
- Enable “AES-NI-based CPU acceleration” and “Intel Core CPU on-die thermal sensor” in “System: Advanced: Miscellaneous”
- If you’re ok losing their contents, you can move /tmp and /var to RAM in pfSense in “System: Advanced: Miscellaneous” under “Use memory file system for /tmp and /var”
- Make sure there’s good airflow under and over the Netgate box – don’t cover the vent holes!
The Netgate RCC-VE 2440 is a fantastic pfSense platform for my use. I have a 60 Mbps cable modem and a 12 Mbps DSL modem attached to it, along with a Gigabit Ethernet switch with a bunch of clients. The Netgate box chugs along just fine. The CPU core is a consistent 41 degrees with the dashboard reporting a consistent 20-25% load. The setup as described is pulling under 10 Watts at 110 Volts.
I strongly recommend pfSense as a home office or small business router platform, and I couldn’t be happier with the Netgate RCC-VE 2440 hardware. It’s well worth the money if you have a faster Internet connection or more-demanding use case than a basic packaged router will serve.
Note: I linked to the pfSense and Netgate product pages but I don’t get anything if you buy one of these.
Florian Heigl says
We’ve gone with a pretty similar system recently.
The main difference was we wanted to use it as a clustered proxy to give better internet experience to around ~150 users.
It’s also pfSense on Atom, just with Supermicro boards to gain IPMI access. RAM is not much more than in the 2440 or its greater siblings – 8GB (but with ECC), and an Intel S3700 SSD to make sure it won’t stutter at least for the nearest future.
Can you tell a little more about the issues with the virtual pfSense?
I put one up just last night for my intern so he can VPN into his lab ESXi.
My PPPoE connection (DSL) worked fine but had weird latency issues – as much as 2000 ms! I couldn’t track down the issue on my switch (the TP-Link I wrote about here) or the vSphere (6) cluster or VLAN. And the bridged DHCP connection (Cable) was very flaky. It would connect sometimes and not other times. As if the packets weren’t getting through. Both links also had packet loss in excess of 20% at times, which I also couldn’t track down.
So I threw in the towel and went physical. Current latency is 8.3 ms (NAT Cable) and 0.4 ms (NAT DSL) with no packet loss.
Florian Heigl says
Sounds like the right choice to just cut off a few old things instead of tracking it down )
Also thanks for the reply, I’ll make sure to track for icky latency spikes.
The only upside is that the current setup exhibits many similar issues. (can only get better)
Michael G. Noll says
Thanks for sharing this hands-on information, Stephen. Unfortunately there’s not that much information out there that provides feedback about hardware platforms for pfSense when you’re interested in a DIY solution. 🙁
FYI: Another interesting hardware option is the APU boards of PC Engines: http://www.pcengines.ch/apu.htm. They are even cheaper at ~ 150 USD (vs. the Netgate at 350 USD). We have been running a couple of pfSense firewalls on these APU boards — and before that the ALIX boards, which are less powerful — and are quite happy with the setup and the price/value ratio. The APU boards are also fast enough to run OpenVPN over faster Internet lines, which is what we do for our pfSense boxes (IIRC they feature some hardware support for AES encryption).
Edit: Since you and Florian listed HW specs here are the key specs of the APU boards:
– CPU: AMD G series T40E APU, 1 GHz dual core
– DRAM: 2 or 4 GB DDR3-1066 DRAM
– Storage: Boot from SD card (connected through USB), external USB or m-SATA SSD. 1 SATA data + power connector.
– Connectivity: 3 Gigabit Ethernet (Realtek RTL8111E), 1 DB9 serial port (console).
Magnus Hedemark says
Thanks for the great writeup. This had a huge impact on my decision to go the same way with my own pfSense firewall. It had been running on a rackmount Dell PowerEdge 1950 III, but the noise, heat, and power of my rackmount servers was overwhelming. I’ve since replaced the firewall with Netgate gear, and other servers are being replaced now by Intel NUCs.
The Netgate is so ridiculously nicely suited for this work. I’ve got a 100/10Mbps broadband connection from Time-Warner, and even with all of the gaming, video streaming, etc. going on in my house, the Netgate box idles in complete silence as if to beg me to try harder to hurt it.
I’m very, very happy with this purchase decision. Thanks so much for your great writeup.
Anyone here interested in testing how well these units work with OpenVPN?