How To Secure: DIY Router at home with pfSense part 1

After years of customer routers abuse you see here, I decided to finally build something small, efficient and exactly what I want/need. Not too big, not too tiny…

My requirements for my routers always used to be “small”: small case, small board, small CPU, small memory. Then, after using a few things like ClamAV, pfBlockerNG, Snort/Suricata… things started to change. A small CPU was not an option anymore: the memory went from 2GB to a min of 8GB and ALWAYS ECC (especially as those devices are running 24/7)… and AES-NI for OpenVPN. You will end up with quite a hassle if you want everything together, and it gets quite pricey too. Or… there is always eBay 😉

I didn’t want things super new and latest generation, simply because they are expensive. Yeah, I know, they have better power consumption, speed but also premium. I want ECC, this means I need a motherboard with Cxx chipset and ITX form factor, that means new=expensive. Also, AES-NI on my CPU, so no Celerons, no Pentiums and because of Cxx chipset NOT working with i5 and i7… all I got left is i3 or Xeon.

Then I saw it: Xeon 1220L v3, 1.1GHz with turbo 1.5GHz, it has ECC, AES-NI, 15W TDP (this is a little bit of BS, but I’ll explain it later) and cost £35 used. Got CPU, what about the motherboard? Digging into eBay and found lovely, new(ish) MSI MS-S0891, LGA1150, ITX, C222, ECC ready board, IPMI (didn’t get it going yet BTW) for £78, but without a back shield. I couldn’t believe my luck and it has 2 Intel LANs, OMG… I’m happy!!!

MSI MS-S0891

RAM: 2 sticks of 4GB ECC 1600MHz was just a quick transaction. Next was the case: remember, small… Soon after browsing a few forums, I got something like Antec ISK300-150 with an external (important!) power brick. There is one with internal power supply, but it is noisier and heats up like a toaster.

Antec ISK300-150

OK, we have most of the things I need, time for CPU cooler: Zalman 8900 Quiet

Zalman 8900 Quiet

It fits exactly into the board and is one of the biggest coolers you can fit in this case and one of the best. It is also bloody expensive, with the cheapest I’ve found at £45. I got mine without a backplate (again?) for £30 and used 4 separate bolts instead. Alternatively, you can do it with a standard Intel CPU cooler for £5; it will work as well.

As I didn’t expect to have 2 Intel NICs onboard my motherboard, I chose to purchase an Intel 1000 VT LAN PCIe card with 4x Intel NICs. It has a low-height bracket option, fitting my ISK300 case perfectly, and you can find it on eBay for around £30-£35. Why VT and not MT? Same price, and the first one has a few more options useful for virtualisation. Keep in mind that this card will add about 5W of power to total consumption.

This is how it looks fully assembled.

My HDD is a hybrid SSD+HDD from Seagate and it had a tendency to run up a high amount of head parking. It was solved here, and now it is as quiet as a mouse ;-). From my stats, it’s not really using the whole 500GB, so the next upgrade is a £35 Sandisk SSD 120GB from 😉

Power consumption:

Idle consumption is around 30W with small variances. To test the CPU on max performance (not very often you will see that in a home environment), it’s easy with OpenSSL in pfSense/Command Prompt, like:

 openssl speed -elapsed -evp aes-128-cbc & openssl speed -elapsed -evp aes-128-cbc

It will stress both cores using AES-NI (if you have it). For me, it was around 40-42W. Have a peek at pfSense/System Activity to ensure 2 instances of OpenSSL are running on CPU 0 and CPU 1.

openssl speed -elapsed aes-128-cbc & openssl speed -elapsed aes-128-cbc

This command runs the same test but without AES-NI on the CPU, so 100% usage, both cores. The result is a nice 46W max. Great!
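To confirm that the first run really goes through AES-NI, the two tests above can be wrapped in a small script that checks the CPU feature list and compares the throughput of both runs. This is an added example, not from the original post; the function names, the /tmp output prefix and the /var/run/dmesg.boot default path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# /tmp output prefix are made up for illustration.

# Succeeds if the FreeBSD boot log lists AESNI among the CPU features.
# $1: boot log path (assumed default on pfSense: /var/run/dmesg.boot)
has_aesni() {
    grep -q 'Features2=.*AESNI' "${1:-/var/run/dmesg.boot}"
}

# Reads `openssl speed` output on stdin and prints the throughput for the
# largest block size (last column, in 1000s of bytes/s). Using the last
# field copes with row labels that contain a space, e.g. "aes-128 cbc".
last_rate() {
    awk '$NF ~ /^[0-9.]+k$/ { r = $NF } END { sub(/k$/, "", r); print r }'
}

# Prints evp/soft as a ratio with one decimal; fails if soft is not > 0.
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 <= 0) exit 1; printf "%.1f\n", a / b }'
}

# Runs $2 parallel `openssl speed` instances, same commands as the post.
# $1: "evp" (AES-NI path) or "soft"; results land in $3.<mode>.<n>
stress() {
    mode=$1; n=$2; prefix=$3; i=0
    if [ "$mode" = evp ]; then args="-evp aes-128-cbc"; else args="aes-128-cbc"; fi
    while [ "$i" -lt "$n" ]; do
        # $args is intentionally unquoted so it splits into two words
        openssl speed -elapsed $args >"$prefix.$mode.$i" 2>/dev/null &
        i=$((i + 1))
    done
    wait
}

# Only benchmark when called as: sh aesni_check.sh run
if [ "${1:-}" = run ]; then
    has_aesni || echo "warning: AESNI not listed in the boot log"
    cores=$(sysctl -n hw.ncpu)   # FreeBSD: number of logical CPUs
    prefix=/tmp/aesni-speed.$$
    stress evp "$cores" "$prefix"
    stress soft "$cores" "$prefix"
    e=$(last_rate <"$prefix.evp.0"); s=$(last_rate <"$prefix.soft.0")
    echo "instance 0: evp=${e}k soft=${s}k speedup=$(speedup "$e" "$s")x"
    rm -f "$prefix".*
fi
```

If the reported speedup is close to 1.0, the -evp run is not benefiting from AES-NI.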

