pfSense SG-2440 replacement


#1

Bonjour,

Since it turns out buying the recommended pfSense SG-2440 is not possible at the moment, I’m looking for alternatives. My preference would be for a small machine / router running GNU/Linux with the required number of ports.

The downside is that instead of following the pfSense documentation we would need to adapt to either iptables or some higher level interface. Unless we can run pfSense on any hardware: that would be convenient.

Ideas?

Thread summary

Native pfSense support

Other


#2

Asked for recommendations on mastodon and got the following:

Native pfSense support

Other


#3

We are running pfSense on one of these Supermicro 1U units:
http://mitxpc.com/proddetail.php?prod=ER1USMC2558C504


#4

Which version of pfSense do you run?


#5

We are running the community edition (2.3.4).


#6

Sorry for the naive question but … I’m not yet familiar with the various pfSense bundles and community edition suggests some parts are not included. Were you able to follow the SecureDrop instructions with the community edition or are there bits missing because they are only included in the SG-2440 ?


#7

We followed the SecureDrop Docs on setting up the pfSense firewall, and it worked fine.


#8

Looking to try pfSense in a small network not related to SecureDrop, I stumbled upon the PC Engines systems.
Have these been assessed as not-so-expensive hardware platforms for SecureDrop pfSense boxes?

https://www.pcengines.ch/apu2.htm


#9

Hello @byeskille,

I have been using an older APU as a SecureDrop firewall, and it works quite well. Unfortunately, since there are only 3 NICs, I use 1 for WAN, 1 for app, and 1 for mon. When I connect my admin workstation, I use a switch on the mon port and use static IP addresses and more firewall rules to restrict mon access to the pfSense admin interface.

While it’s been working very well for me so far, it hasn’t been as thoroughly tested as the alternatives, and it’s difficult to recommend this to the general public for various reasons: the more involved install process (no VGA), the existence of different revisions and the lack of availability through retail channels (in North America, at least).

Alternatives are currently being investigated (see https://github.com/freedomofpress/securedrop/issues/2605).
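As an added illustration of the three-NIC layout described in the post above (WAN, app, mon, with the admin workstation on a switch behind the mon port and the firewall's admin interface reachable only from that workstation), here is a hand-written pf ruleset. It is not from the thread or from the SecureDrop project: pfSense generates its own ruleset from the web UI, so this is the equivalent written out by hand for a FreeBSD-style pf. The interface names (igb0..igb2), the subnets, the admin workstation address, the assumption that the firewall serves DNS to the segments, and the OSSEC agent port are all assumptions made for the example.

```pf
# Interfaces: assumed names, as found on a three-port APU board
wan_if = "igb0"
app_if = "igb1"
mon_if = "igb2"

# Addresses: constructed for this example
app_net   = "10.20.1.0/24"
mon_net   = "10.20.2.0/24"
app_srv   = "10.20.1.2"
mon_srv   = "10.20.2.2"
fw_mon_ip = "10.20.2.1"    # firewall's own address on the mon segment
admin_ws  = "10.20.2.10"   # admin workstation, static IP, on the switch behind mon
ui_port   = "443"          # firewall web UI (HTTPS)

table <internal> { 10.20.1.0/24, 10.20.2.0/24 }

set skip on lo0
set block-policy drop
scrub in all

# Masquerade both internal segments behind the WAN address (NAT rules come first in FreeBSD pf)
nat on $wan_if inet from <internal> to any -> ($wan_if)

# Default deny and log what is dropped; every later rule is "quick" so first match wins
block log all

# Drop packets whose source address does not belong on the interface they arrived on
antispoof log quick for { $app_if, $mon_if }

# Firewall admin interface: only the admin workstation, only via the mon segment
pass in quick on $mon_if proto tcp from $admin_ws to $fw_mon_ip port $ui_port \
    flags S/SA keep state

# Assumption: the firewall is the DNS resolver for both segments
pass in quick on { $app_if, $mon_if } proto { tcp, udp } from <internal> to self port 53 keep state

# Anything else aimed at the firewall itself from either internal segment is dropped
block in log quick on { $app_if, $mon_if } from any to self

# Admin workstation -> app and mon servers over SSH (assumed admin path for this example)
pass in quick on $mon_if proto tcp from $admin_ws to { $app_srv, $mon_srv } port 22 \
    flags S/SA keep state

# App server -> monitor server, OSSEC agent traffic (assumed port 1514/udp)
pass in quick on $app_if proto udp from $app_srv to $mon_srv port 1514 keep state

# Both segments may reach the Internet; nothing arriving on WAN is passed inbound
pass in quick on { $app_if, $mon_if } from <internal> to ! <internal> keep state

# Policy is enforced on ingress, so forwarded traffic that got this far may leave
pass out quick keep state
```

Syntax can be checked without loading anything with `pfctl -nf <file>`. The design decision worth noting is that every policy rule is `pass in ... quick` on the interface where traffic enters, with a single permissive `pass out`: that keeps the admin-interface restriction in one place (the rule on `$mon_if`), and a new host plugged into the mon switch without the admin workstation's static address hits the `block ... to self` rule rather than the web UI.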


#10

Raising the idea of replacing with OPNsense: https://github.com/freedomofpress/securedrop/issues/2945


#11

Funny story: Netgate was so alarmed about their competition that they grabbed the OPNsense.com domain name; however, WIPO (U.N. copyright agency) then forced them to hand it over to the rightful owner since they were acting in bad faith. Ha.

[¹] https://opnsense.org/opnsense-com/
[²] http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1828

Interesting to see WIPO doing something useful :slight_smile: