A couple of months ago, I decided it was time to build my own home file server instead of purchasing cheap servers from Dell and HP. I was never quite happy with what I got. The Dell boxes were too loud and the HP one was too underpowered. A build-your-own server is not exactly cheap either, so if saving money is your top concern, I would probably recommend against it. My new home file server ended up being exactly what I wanted, a fast Intel Xeon based server that is super quiet and easily upgradeable. I’ll usually get bored and decide to change something, for the sake of giving me something to do. Now on to the software side of things, I had decided to put Windows Server on this machine. My previous server was Windows 2003, and as much as it was functional, the operating system was starting to show it’s age. With time, Windows 2003 is harder to install on newer hardware. It does not support SATA drives without specifying a driver and my particular version was not 64-bit. Who uses only 4GB of RAM these days anyway? The time had come for an upgrade. The choice came down between Windows Home Server 2011, Windows Server 2008, and Windows Server 2012 Essentials. I know some of you reading this, are shaking your heads right now and wondering why pay for another expensive Microsoft OS, when there are excellent choices like FreeBSD, Ubuntu, RedHat, and others. I did look into setting up Ubuntu Server, but for some reason Ubuntu no longer fully supports WebMin, which is something that I thought would be something I would like to have. The other choice was to go with Windows 7 or Windows 8, but honestly, I really prefer to have a file server os.
Microsoft is a company in decline these days. Their consumer products are not really cool or exciting anymore. Where Microsoft still shines, I think is in their file server and enterprise products. Though they are expensive, their ease of use and feature set is still hard to match. Windows Server is still a great server, but the Microsoft way of doing things is looking harder to justify in terms of dollars. For home servers, Microsoft threw consumers a bone with Windows Home Server, but they never really invested themselves. I think a $200 operating system is just about right for this market, however, Windows Server 2012 Essentials is not that product. It is around $400 to buy an OEM license and so it is hard for me to recommend to average home users. Nonetheless this is the product I chose, just because Windows 2008 Server was not cheaper and I figure Essentials would end up supporting my hardware better than an older os.
Once I got past the Microsoft restrictions of Windows 2012 Server Essentials (there are quite a few), I came upon my other problem, which is the focus of this posting. You can’t really run Windows without some sort of antivirus product. The problem was that for Essentials, a what is suppose to be a cheap home business server, there was literally no antivirus that supported it! My preferred antivirus for Windows is ESET NOD32, but since Essentials is a server product, ESET wants you to buy a business license. I don’t understand why there are so few choices for antivirus products when it comes to Windows Essentials and Windows Home Server. These products are aimed at home users and small home office users and yet, every vendor points you to a 5 user business bundle. With ESET not being an option price wise, I started to look elsewhere.
Symantec had just released a version of Symantec Endpoint that supported Windows 2012 Server and you can actually buy one license from their website store. Symantec offers two versions of Endpoint: the normal enterprise version that can be managed centrally using their Symantec Endpoint Server product and a cloud version, which can be managed from a website that Symantec hosts. The cloud client did not support Windows 2012 servers, so that was a non starter. You can install the regular client and if you never install the Endpoint Server software, it still works fine. My experience with Endpoint was the same as what I have in the workplace, this product really is too complicated and slows down your machine. After working with it for a month, I ended up no longer using it. There was an issue with Endpoint that caused my Microsoft backups to fail.
Avira is another product that I tried to use. From my research, it seems Avira is the new ESET. It has a growing customer fan base and the price is affordable for regular Windows users. For business users, you still have to buy 5 licenses and although I found Avira as low as $22 per license, I still did not need 5 licenses. Most of my other machines at home are Macs and the only vendor I found that had a good Mac and Windows solution combined was ESET with their 5-user Family pack, but this does not cover file servers! I found Avira’s interface to be simple to use, but still preferred ESET NOD32. Overall, I think Avira would be my third choice, behind ESET and AVG.
This finally brings me to AVG. My initial research was that AVG has its critics, but overall, it is a good antivirus product. They offer several choices of products and one specific product for Windows file servers: AVG File Server Edition. The 2013 product line share the new Metro inspired tile interface. It is a little dark for my taste, I don’t think the color scheme is at all attractive for a desktop application. The main screen is pretty simple. On the right you have a Computer tile that you can click on to give you more options and information in regards to the computer. Underneath this there is a Remote Admin tile; AVG has remote admin options similar to all business class antivirus products, but you never need to bother with these if you just are running one server. On the top left, you have links to Reports, Support, and Options. In the screenshot below, I have 10 reports that I have not viewed. These are mostly your typical, “Your last scan occurred on…” and “Your definitions were updated on…”.
In general the interface is very simple and effective. Antivirus is suppose to get out of the way of your work and when you do want to look at it, it should be informative and easy to read. AVG does this quite well, except the dark color scheme, I really can’t find too much fault with the interface.
When you click on the Computer tile, you get the Computer protection screen. Here you can see that the Antivirus is enabled, access more Settings and view Stats.
Performance wise, AVG did not slow down my file server like Symantec Endpoint. It scans files faster than Avira. It is still an antivirus, so there is a difference between running Windows without it and with it. When using file explorer my folders would open instantly, with AVG, you do notice a slight hesitation, so you are sacrificing some small percentage of performance for security.
Price wise, AVG File Server Edition is $40 for a single license, which you can buy directly from AVG. There is no annoying 5 business user license requirement. You can also find it cheaper by buying it through another reseller. I was able to find a great deal through the Dell Software store.
Other antivirus that I wanted to try were Bitdefender, Avast!, and Vipre. The most common reasons for not choosing these vendors and others, was the lack of information on Windows 2012 Server support, the 5 user business license requirement, standalone price, and the general lack of trailware versions available for business editions.
I really can’t see myself using any other antivirus other AVG File Server Edition. No other vendor provides a reasonable solution for home server customers at this time.
Over the last few years, I have become somewhat of a politician, when it comes to speaking about the Internet and the undeniable bandwidth problem we have in the US. The difficulty I ran into multiple times was that it is hard to convince people that not having enough bandwidth is a problem at all. Bandwidth is something that most people just don’t think about. It is like breathing, you never realize you need air, until you are deprived of it. It has only been within the last couple of years that people are starting to wake up to the limitations of low performing internet connections. This has been brought on by consumer usage of more internet connected devices, from the smart phone to the iPad. As these devices tap into more and more of the wireless capacity of home routers and cell phone towers, they begin to push the limitations of the land line technology that usually provides the internet connection. This includes T-1 lines, DSL modems, ethernet, and fiber technologies.
The problem then becomes two-fold. We have a capacity issue for individual consumers wanting to communicate and for our institutions and businesses that want to provide better services. With low performing internet, we end up with schools that can’t use technology to teach our children, businesses that can’t provide the type of services that we want to buy, and innovative healthcare solutions that we can’t adopt. My concern is not being able to watch YouTube without the buffering message, it is instead the elderly person who could receive in-home diagnostic care without having to go to the hospital if only broadband was available.
Last year I spoke to a large audience of educators and mentioned the bandwidth issue. They were able to understand the issue personally because many of them use Netflix at home and have had to deal with streaming problems. Between video streaming and gaming, I think everyone is waking up to the problem. However solutions still seem to be unattainable at this point. Regardless of who do you think is to blame for the lack of affordable broadband solutions, the truth is that we as citizens need to deem this issue important enough to do something about it.
It is disappointing to me that technology wise no one has stepped up and come up with an affordable solution to this issue. Looking back in the past, many companies used proxy servers to provide internet to their offices. The open source Squid Proxy is a good solution for caching internet connections. There seems to be a lack of initiative to create a cheap router with a built-in caching squid proxy. Performance wise, you do need memory and disk space to run squid smoothly, but by far I think the biggest deterrent is the complicated problems that proxies create. With a proxy you do have to deal with some sites not working correctly, and UPnP network devices tend to break.
We are kind of left in this limbo state of having limited internet connections and no real viable solutions. The longer we ignore the problem the longer we stall innovation and deny ourselves improvements in education, business, healthcare, and entertainment.
After several months of running pfSense as my home router solution, I now feel that my current Squid Proxy configuration is stable enough to recommend. I have been running the current Squid 3 package that is available in pfSense without many issues. The configuration is pretty simple. Primarily I found that running proxies, including Squid, in transparent mode is just too much trouble for home networks. Transparent mode never quite works right with iOS devices and other media devices, that in the end is not worth the hassle. Instead I manually specify a web proxy in my preferred browsers: Firefox, Safari, and IE. for the iPhone, you can specify a proxy for the wireless connection you are using. It is kind of a pain to have to remember to input a proxy, but you only do it one time and it is easier to troubleshoot one application or device at a time then trying to troubleshoot transparent mode and bring down all usage while you work things out.
I have a small home user network with around 20 different devices all communicating to the router. There are about six computers, and the rest of the devices are your typical smart phones, iPods, game consoles, and media players. The Squid setup is there to speed up web browsing and downloads for the computers and web browsers on the phones and iPods.
There are some basic configuration recommendations on the pfSense Wiki, but once you get past that, there is not much out there as to what settings to use. In general Squid uses two resources: disk space and memory. For my configuration I have settled on a 32 disk cache setting, meaning I have set aside 32GB of disk space to cache to disk. For memory, Squid utilizes memory in two different ways. The first to hold an index of the disk cache and the rest for the rest of Squid functions. To calculate the memory usage, the rule is that you need 10 MB for each Gigabyte of space you are caching.
- cache_mem 640 MB
- maximum_object_size_in_memory 4096 KB
- minimum_object_size 0 KB
- maximum_object_size 4194304 KB
- cache_dir ufs /var/squid/cache 32768 16 256
Using the parameters above, I have decided to utilize 640 MB for cache memory, which is twice the rule. The largest cached object in memory is 4 MB, meaning anything larger than 4 MB will not be cached in memory and will have to rely on disk cache. Lastly the largest file on disk that can be cached is equal to 4 GB.
With this configuration and typically 3 to 8 devices connecting to the proxy, at the most the disk cache grows by a couple of GB a week. More importantly, RAM for the router peaks at 58% in use, which leaves plenty of room for other pfSense functions. The current router has 4GB of RAM and is an Intel Atom CPU based system.
At this time, I have installed pfSense a few times and have been running pfSense for about three months. The experience has been very trying at times and so hopefully my personal notes will help others in deciding if pfSense is right for you. Note that I am trying to use pfSense as a home router and caching proxy, and not as a typical business class network firewall, which is what its actual intent.
With the hardware setup, I had to now install the pfSense software and configure it. The SuperMicro MBD-X7SPA-HF-O has an internal USB port that you can use if you want to install pfSense or any operating system to, but in my case, I was going to use a 60GB SSD drive instead as my main operating system drive. There are multiple ways to do the installation, 1) Make a bootable USB drive and boot from that, 2) CD-ROM installation, or 3) Use IPMI to control the system remotely and install from an ISO image. Since my box has no actual CD-ROM drive, I ended up using IPMI, which works quite well, once you get some experience with it. Once I booted via the ISO image (through IPMI), the installer formatted the SSD drive and copied the necessary files. The rest of the configuration could be done through IPMI, or you can simply hookup a keyboard and monitor to the box, like I did.
Rather than cover the installation process in more depth, I will refer you instead to Overclockers, whose guide covers the installation in more depth than I could ever hope to. It was actually the Overclockers guide and this SmallNetBuilder article that inspired me to build my own pfSense box in the first place.
Helpful Setup Tips
The first thing of note is that you should specify “em0” as the LAN connection. This is contrary to the Overclockers guide. The reason is that the IPMI only works through the first Network Port and I would like to be able to access IPMI internally on my LAN only. You will specify “em1” as the WAN connection. (In the BIOS you can specify a specific IP address for the IPMI setup and take note of the MAC Address; you can then setup a DHCP reservation for the IPMI address.)
For DHCP reservations, it is helpful to have a list of MAC addresses and the IP numbers that you are going to give those devices. This way you can add them all at once during the setup and be done with it. Most of the devices in my home now have reserved IP addresses.
You will want to configure the Admin Web Interface to HTTPS and to a different port number. Basement PC Tech has an excellent guide on how to add a certificate to the Admin interface.
You can add FreeIPMI to pfSense. Reference this post on the pfSense Forum on how to install it.
Since this setup will be used as a home router, UPnP is essential for devices such as the PS3 and XBox 360. The best walk through for setting this up is found on Cqrite.com.
Lastly you will want to install your packages. In my case, Squid 2.79, RRD Summary, Sarg, and Cron were the only packages I needed.
My home setup is pretty straight forward, but for unknown reasons, I had major issues with my Sony Blu-ray Player, Apple TV 2.0, and Playon (software for media streaming from a Windows box). I could not quite figure out exactly why all of these devices broke. Essentially media streaming failed to work period on the Blu-Ray Player. What was strange was that the PS3 was fine. It did not quite make sense why NetFlix worked fine on the PS3, but not on the Apple TV or Blu-ray Player. For a while I thought it was some combination of Squid in transparent mode, however after setting up Traffic Shaping in pfSense, it just decided to work one day. I even did a clean install and started from scratch, and I could never get it to work again. I ended up restoring my original configuration to fix it again. I narrowed down the problem to port 443, in which I could not authenticate with the streaming services.
One package that I wanted to try out was HAVP, which acts as an HTTP Proxy with an Anti-Virus scanner. This proved to be problematic for me. With HAVP my internet downloads were slower and unpredictable. HAVP requires lots of CPU speed, and in the end I found that it was not worth it for me. Plus, I could never get NetFlix streaming to work!
pfSense, The Home Router
pfSense was my Summer project this year and it was very interesting. The hardware I put together makes for a very fast home router and you certainly do notice the difference between pfSense and say your typical $200 router. The Squid proxy works well, in fact it is the best proxy solution that I can think of. However, Squid is still a proxy and proxies in general are difficult and can cause minor issues. The firewall aspect of pfSense is superb, I feel that this is the most secure system you can have for the price. The problem I ran into with pfSense is that it is not really meant for home networking. In a sense pfSense is not your typical plug-n-play device, so this makes it really hard for a non-networking person to work with. I find myself conflicted, because I really like everything that pfSense delivers, but feel that third party firmware such as DD-WRT is a better solution for home networking. The firewall is easier to work with on third party firmwares. The other area where pfSense proves too hard is Traffic Shaping. The QOS interfaces of Linux based routers (DD-WRT, NetGear, Tomato, etc) are much easier to work with and while pfSense actually has more options for managing traffic the setup requires more tweaking.
Up until now, my criticisms of pfSense are based on difficulties due to complexity, but one area where pfSense does come up lacking I think, is documentation. The pfSense.org website has a wiki and a forum, but some of the documentation on the wiki is incomplete and so the better resource ends up being the forum. There is an official book: pfSense: The Definitive Guide. The book is definitely a must if you are serious about working with pfSense. There is also a pfSense Cookbook, but that book is rather worthless as it basically covers screenshots of pfSense 2.0, but without any real context as to how the system actually works, so I would not recommend that book. What would work for pfSense is if there was a guide for home networking, that put together screenshots and recommendations for a typical home network router configuration.
Overall, pfSense can work as a home network router, but it does take time to become proficient with it and it is not as simple as your typical home router. After working with it for a few months, I find it to be a great solution for content filtering in schools. It is very affordable and if you are willing to spend the time, it can be a great solution for your security needs.
After upgrading to Mac OS X 10.8 Mountain Lion, I started to experience problems with Safari 6 and some HTTPS connections. For example I could no longer log into Amazon or even browse forums who used SSL connections. Ironically, I found a post on Apple’s forums that described some of my symptoms, but since the support forums are HTTPS, I could not use Safari. Luckily Firefox still worked. The problem on Apple’s forum went on about SSL Certificate issues and the solution is described on this blog posting, but this problem was specific to Mac OS X 10.7.4 Lion. There is also a bug that has to do with specifying a proxy in Mountain Lion. This seemed more plausible to me, since I use pfSense with Squid Proxy in transparent mode at home, however this also would not explain why only SSL connections had issues and regular HTTP sites worked fine.
After much research, it seems the simplest solutions work best. I had to manually specify my MTU setting from 1500 to 1492 in System Preferences – Network – Advanced… – Hardware – MTU. This immediately resolved my Amazon logging in issue.