Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Security How To

The Build

Meet Cerberus, named after the mythical three-headed dog guarding hell. The name was chosen because of the three forms of protection that it provides: the pfSense Firewall, Snort IDS, and the IP-Blocklist package.

Cerberus hardware

Figure 4: Cerberus hardware

Cerberus hardware - rear

Figure 5: Cerberus hardware - rear view

Cerberus hardware - top

Figure 6: Cerberus hardware - top

This is my second pfSense build, the first used a mothballed 550W Pentium Core 2 Duo E6750 desktop with two network cards added to support a total of three interfaces, WAN, LAN and a Guest WLAN access point. Though inexpensive (already had the hardware), it was like killing a gnat with a bazooka. pfSense requires nowhere near that much machine, and left an ATX Desktop box where the much smaller DGL-4500 router used to sit.

When the need for a Drupal developer machine arose, it was decided that a purpose-built, low power small footprint pfSense box would be used to free up the desktop machine for that purpose. Less cost, greener, and not nearly as ugly.

For size, Mini-ITX was selected: a dual NIC motherboard using Intel’s NIC chipset, and supporting up to 3 GB of memory to support the memory-hungry Snort package. The budget was initially around $200, reusing spare parts from the previous build. We were not set on a particular processor; that decision was driven by the motherboard size, memory limit, and Intel dual NIC requirements (wanting to avoid the widely reported problems around the Realtek NIC chipsets). Our only choice of CPU was the Atom processor.

Dual NIC was needed to support all three interfaces, a single NIC motherboard, though cheaper, would have required a significantly more expensive Intel Dual NIC card, pushing the price to about the same point as a mini-ITX server motherboard.

CPU Intel Atom D525 (Pineview-D) Dual Core, 1.8GHz (13W) processor Incl in mobo
Motherboard Supermicro X7SPA-H-D525 Mini-ITX Server $180
RAM 2 x non-ECC DDR3 1066MHz SO-DIMM (running @800MHz) $50
Storage WD Scorpio Blue 2.5” 250Gig drive $40
Ethernet Intel 10/100/1000 PCIe NIC $30*
Case Antec Mini-Skeleton-90 $90
DVD Sony DVD-ROM *
Table 2: Component list

* Reused from previous build

I initially selected the Asus Hummingbird Atom D510 motherboard. But when that was temporarily out of stock, I discovered the less expensive, newer generation Supermicro Atom D525 motherboard. Though scarcer, it sold for the same price as the D510 Supermicro model and for less than the Asus.

The choice of Antec Mini-Skeleton-90 case, though relatively expensive, was completely driven by aesthetics and build quality. All other choices were non-descript boxes. This decision did mean a 2.5” SATA drive would be needed, since the case provides only one 3.5” drive bay for our spare DVD drive, and two internal 2.5” bays. After the build, we realized the DVD drive was unnecessary, the install could have been done from a USB drive and a spare 3.5” SATA hard drive could have been used instead.

To get our third network interface, we reused the Intel 1000/100 Pro board from our first build for the wireless guest AP via a wireless N bridge. If we had not already had these components on hand we probably had gone with a Wireless-N PCI-e NIC (most likely the Asus PCE-N13, which was not supported at the time of the first build).

A note for builders looking at a Mini-ITX build for the first time, the selection and availability is dramatically different than you are probably used to in the ATX world. We found only one vendor for the Asus board, and getting the newer D525 Supermicro board took some wrangling with a very helpful small vendor, who also carried the Antec case (a thanks for personal attention to InterProMicro.com).

Several other components were needed to make this a full-blooded router, which we took from the first build. To expand the number of ports to support our home network, a Gigabit switch was added. The already-mentioned wireless-N bridge was added for guest wireless, and our old wireless router in AP mode for wireless access to the LAN network to provide shared file and printer access to trusted clients.

Port Expansion D-Link DGS-2205 Gigabit 5-Port Desktop Switch $32
Guest Wireless TRENDnet TEW-637AP 802.11b/g/n Wireless Easy-N-Upgrader $45
LAN Wireless AP D-Link DGL-4500 (existing router) -
Table 3: External component list

These components are largely optional and dependent on your requirements. Your current wireless router may already have guest wireless, and the switch is only needed if the number of machines exceeds the remaining ports on your router. With the switch and the router, Cerberus can handle seven wired clients. Additionally, the wireless bridge can be turned off in the absence of guests.

Total base cost was about $360. If you add the switch, the bridge, and the NIC, you are looking at about $470 all in. Yes, it's a little high, and almost twice our budget. But you can get a reasonable case for half the cost and pfSense will run in half the amount of memory and a lesser processor.

Further cost reduction is realized by dropping guest wireless. This would eliminate the third NIC and need for the wireless bridge. And if you have a spare port on your current router, no switch is needed.

These changes would bring total cost below $300– maybe $100 more than a premium router. Of course, the cheapest solution would be our first build, an old surplus x86 machine fitted with the needed additional NICs for maybe $80?

The assembly itself was straightforward, no need for seating of the CPU or cooler, the case provides a power brick, and there is pull-out tray with sufficient cable play to easily wire up the case from there – the fingers pinch a bit fitting in the drives, and cable routing is a bit of a hassle. But this was the quickest build I’ve ever accomplished.

Performance

One of the available packages for pfSense is iPerf, making it easy to measure throughput.

Running iPerf as the server on Cerberus, directly over Gigabit LAN to iPerf on another machine running Windows 7, the average throughput was 236 Mbps, with a peak of 253 Mbps (Figure 7).

Cerberus performance

Figure 7: Cerberus performance

CPU utilization was never over 75%, and under normal usage the CPU utilization rarely exceeded 10%, which means that Atom D410 would probably serve just as well. Surprisingly, running Snort versus not running Snort had a negligible effect on throughput.

More Stuff

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hi guys,First time posting in the forums (but long time obsessing over its contents ).I'm one of the hundreds of people with an AC68U. I've just signe...
The Spectre flaw is here to stay apparently https://arxiv.org/abs/1902.05178
I was wondering if I can downgrade a guest network to Legacy while keeping N for main wifi.Why would I be interested in such a setup: I got LIFX bulbs...
Is there a way to set up a VPN client connection at the command line. I'd like to be able to read an ovpn file and write the configuration using a scr...
I come back to WOWLAN once in awhile hoping I can get it working. It works perfectly, perhaps too well since it keeps unintentionally waking up from t...

Don't Miss These

  • 1
  • 2
  • 3