Pfsense on Blue Iris PC or Separate PC?

Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I don't personally have Antivirus on my BI computer because it's not useful (it can actually cause serious performance problems if it's misconfigured and scanning while BI is recording files).

Although I am a BIG FAN of AV, Anti-Virus is more important on your daily driver where you might click a link or visit a hacked website (just my opinion) as you will probably have hardware firewall (ASUS) plus software firewall (Windows) plus Windows AV (Defender) anyway. If you keep your BI system OS patched it's significantly less risk than that resulting from the cameras themselves. That being said, I have my network segregated a little more than you; ultimately you will have to decide based on your tolerance of risk and safe browsing habits.
 

58chev

@bugsysiegals,
If you are still looking at an ASUS Router, check to see if the one you are interested in is compatible with ASUSWRT-Merlin.

Merlin can firewall very well, add-ins like Skynet Firewall, Ad blocking at the router with Diversion, since you mentioned that you are handy with IPTables. Lots to play with when an ASUS router has Merlin Firmware.
 

bugsysiegals

I’ve installed Proxmox on a PC and virtualized pfSense for routing, Windows 10 for Blue Iris, and Ubuntu Server for Plex. I then flashed my router back to stock and turned it into an AP. I’ll likely sell it and buy a real AP in the near future but pfSense rocks!!!
 

Whoaru99

Thanks! After a month of really playing with iptables I've got it locked down nicely and have OpenVPN working; it's just slow with DD-WRT because of bad drivers for Marvell chip routers. I guess I'll try to add the other router as an AP and if it's still bad I'll trade out for something with good open source firmware support.
Perhaps you know already, but hooking up to your VPN means that your max possible speed is capped by the upload speed of your ISP package. It only can go down from there. For example, my ISP package is 200Mb/s down, 10Mb/s up. When I connect by VPN that 10Mb/s speed is the best I can get.

If you are running OpenVPN with TCP you may want to give it a go using UDP instead. As I understand it's a little more possible that UDP is blocked in some places. Personally, though, I have not yet encountered such and it is faster for me, noticeably, using UDP.
 

bugsysiegals

Running so many things on a VM isn’t recommended, so hopefully it’s just a temporary setup for both pfSense and Blue Iris!
Could you elaborate a bit on what you mean by running so many things in VM? I'm not sure if you mean it's not recommended to run it at all versus having 2 VM's or more running in VM, etc.
 

bugsysiegals

Perhaps you know already, but hooking up to your VPN means that your max possible speed is capped by the upload speed of your ISP package. It only can go down from there. For example, my ISP package is 200Mb/s down, 10Mb/s up. When I connect by VPN that 10Mb/s speed is the best I can get.

If you are running OpenVPN with TCP you may want to give it a go using UDP instead. As I understand it's a little more possible that UDP is blocked in some places. Personally, though, I have not yet encountered such and it is faster for me, noticeably, using UDP.
Yes, I'm aware I cannot exceed my ISP limits and it's funny, I have the same limits as you. That said, with DD-WRT, I was getting less than 1Mbps transfer speed and now with pfSense on a computer I'm getting 11/11 from my iPhone while away from the house. I know there's some different encryption methods which help the speed but wasn't aware of UDP. I can say that when I open the Blue Iris iOS app, it opens immediately, something I was struggling to do in the past on my own WiFi so I'm happy but will check out your tip to try to maximize all I can get ... thanks!
 

Whoaru99

If you are getting 11/11 using TCP then I might not bother with UDP.

Dunno how it is with pfSense but on my router to change OpenVPN TCP/UDP you have to make a new config and then import the new .ovpn on all the clients.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Could you elaborate a bit on what you mean by
More my point is that running Blue Iris on a dedicated machine is the recommended option, and running pfSense on dedicated hardware is also recommended (although requirements are very low), but presently you are running it all on VMs so a problem with the VM software or hardware takes down all three (your network router & vpn, your security recording equipment, and your PLEX storage). Just a lot of eggs to have in one basket imho but maybe you have a good track record with that open-source VM. However, I do see the value in trying before you buy dedicated equipment for both Blue Iris and pfSense.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Dunno how it is with pfSense but on my router to change OpenVPN TCP/UDP you have to make a new config and then import the new .ovpn on all the clients.
This might be true, but I just checked and both my OVPN tunnels are configured as UDP, so would be curious if the OP has UDP or TCP as part of their OVPN configuration (i.e. whether that might be the default or if I just changed it already myself).

Regardless, there is some overhead associated with OVPN, I don't see the full bandwidth when connecting over OVPN, and it's not "Router CPU" holding me back (since that never goes over like 5%), but phone CPU might also be part of the problem.
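
The TCP/UDP question raised in the posts above can be answered from the client profiles themselves. The following is an added example, not code from any poster in this thread: it reads `.ovpn` text, resolves the `proto` directive and any per-`remote` protocol (OpenVPN uses UDP when neither is given), and lists the client profiles that would need re-importing after the server's transport changes. The profile names, the host `vpn.example.net` and the function names are constructed for illustration.

```python
import re

# Constructed sample client profiles (placeholder host, not from the thread).
PROFILES = {
    "phone.ovpn":  "client\ndev tun\nproto tcp-client\nremote vpn.example.net 1194\n",
    "laptop.ovpn": "client\ndev tun\nremote vpn.example.net 1194 udp\n",
    "tablet.ovpn": "client\n;proto tcp\nremote vpn.example.net 1194\n<ca>\nQUJD\n</ca>\n",
}

def transports(ovpn_text):
    """Return the set of transports ('udp'/'tcp') a profile will try."""
    default, remotes, in_block = "udp", [], False  # OpenVPN defaults to UDP
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"<[\w-]+>", line):       # start of inline <ca>/<key> block
            in_block = True
            continue
        if re.fullmatch(r"</[\w-]+>", line):      # end of inline block
            in_block = False
            continue
        if in_block:
            continue
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if not words:
            continue
        if words[0] == "proto" and len(words) > 1:
            default = words[1]
        elif words[0] == "remote":
            # "remote host [port] [proto]": a per-remote proto overrides "proto"
            remotes.append(words[3] if len(words) > 3 else None)
    chosen = [r or default for r in remotes] or [default]
    # Normalise variants such as tcp-client, tcp4, udp6 to tcp/udp
    return {"tcp" if p.lower().startswith("tcp") else "udp" for p in chosen}

def stale_clients(profiles, server_transport):
    """Names of profiles whose transport set differs from the server's."""
    return sorted(n for n, t in profiles.items() if transports(t) != {server_transport})

if __name__ == "__main__":
    for name, text in PROFILES.items():
        print(name, sorted(transports(text)))
    print("re-import needed:", stale_clients(PROFILES, "udp"))
```
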
 

bugsysiegals

Running so many things on a VM isn’t recommended, so hopefully it’s just a temporary setup for both pfSense and Blue Iris!
No, I actually plan to stay virtualized for pfSense and Blue Iris. I'll either be running two computers simultaneously resulting in a High Availability cluster for pfSense or will have the second desktop just sitting there in case the primary goes down.

With regards to running virtualized, Proxmox claims to have only 1-3% performance loss using OS virtualization as compared to using a standalone server; however, I'm getting better performance running virtualized and with an inferior processor than running Windows 10 standalone!!! I don't understand it but it's left me very impressed with Proxmox and very disappointed with my standalone gaming computer.

To elaborate with details ... I built a high end gaming computer several years ago (i7-4770k CPU, 16GB RAM, and SSD) but with so many other priorities in life I only got to play a few games before retiring it. After recently buying security cameras, I brought it back online with a fresh copy of Win 10 and Blue Iris. Rather than spending money for another router, I decided to flash my existing router back to stock, set it up as an AP, turn another unused router into an AP, install a quad port NIC in the gaming computer, virtualize pfSense and test pfSense versus DD-WRT/OpenWRT.

During my research about pfSense, there was a lot of skepticism of running pfSense virtualized, as a shared resource, and many recommended a $200 dedicated low power appliance (~10W) for pfSense. Besides not being able to justify $200 for a single purpose appliance, I figured if the Blue Iris computer was going to be running 24/7 I could at least try out pfSense as VM without any additional expense and see how stable this setup is.

After thinking more about power consumption, I was really curious just how much power I might be using/wasting so I ordered a Kill A Watt meter to find out.

Gaming Desktop - 21-25% CPU usage with an average of 92W power consumption running ...
  • Windows 10 w/Blue Iris
  • Virtualbox with pfSense VM

I found refurbished HP desktops with i7 processors on eBay and decided to buy one as a backup for the gaming computer so I'd have minimum downtime with pfSense or Blue Iris should anything fail. Unfortunately I was in a rush as an auction was ending, selected the wrong desktop, and a few days later received an HP 8300 EliteDesk (i7-3770, 16GB RAM, and HDD) for $220. I decided to give it a go anyways and figured I could sell it later if I didn't want it so I installed Proxmox on it, pfSense VM, and Win 10 VM for Blue Iris. After getting it all set up, I decided to benchmark it and the results were very surprising.

HP 8300 EliteDesk - 16-22% CPU usage with an average of 62W of power consumption running...
  • Proxmox
  • pfSense VM
  • Windows 10 VM w/Blue Iris

I then purchased the computer I originally wanted which is an HP 800 G1 (i7-4770, 16GB RAM, HDD) for $215, and received it several days later. I've benchmarked this computer and results are below.

HP 800 G1 EliteDesk - 14-20% CPU usage with an average of 80W of power consumption running ...
  • Proxmox
  • pfSense VM
  • Windows 10 VM w/Blue Iris

I've no idea how this is possible since Blue Iris is running the exact same configs on all machines but it's extremely disappointing to see a like new i7-4770k with SSD be outperformed by a refurbished i7-3770 and i7-4770 with HDD. That said, I can part out the gaming computer and still get $700 for the various pieces so I'll be doing that and either have two 8300's or two 800 G1's running the setup mentioned above for redundancy.

FWIW - I've had the HP 8300 running for over a week now with absolutely no issues whatsoever even while having an Ubuntu Server VM running to begin experimenting with Plex. Once I get all my cameras up and operational I'll only run pfSense and Windows 10 to ensure I don't crash it but I have to say I'm not seeing any issues running virtualized and am very pleased with my results ... feel free to check back months from now to see how my experience has gone.
 

bugsysiegals

More my point is that running Blue Iris on a dedicated machine is the recommended option, and running pfSense on dedicated hardware is also recommended (although requirements are very low), but presently you are running it all on VMs so a problem with the VM software or hardware takes down all three (your network router & vpn, your security recording equipment, and your PLEX storage). Just a lot of eggs to have in one basket imho but maybe you have a good track record with that open-source VM. However, I do see the value in trying before you buy dedicated equipment for both Blue Iris and pfSense.
Thanks for clarity. Yes, I figured it was better to go the free route and try on the existing computer before spending any more money. Once I found I liked it, I did buy more computers for redundancy. I'm only running extra VM's at this point because I only have 1 camera installed in the backyard and am not worried about it going down. Once I get more up, I'll only be running pfSense and Windows 10 VM's on a single machine with Plex on another, assuming I find this setup to be reliable. If it isn't, then of course I will go to a standalone Windows 10 machine for Blue Iris ... I'm certainly interested to see how reliable it is!!
 

Whoaru99

Some of your concerns might be with the graphics. A used/refurb Optiplex probably doesn't have a high zoot graphics card installed as a purpose-built gaming computer might.

And, a high zoot video card isn't necessarily an improvement to a BI box. In some cases, apparently it can even be a detriment if it doesn't support the video optimization thing (Quick Sync??) that's in those Intel CPUs/processors.
 

bugsysiegals

I actually took the graphics cards out of the gaming rig and sold them. It does have a low end graphics card installed but is a fair point, I should try with the onboard graphics only.

Other than that and perhaps VirtualBox, I can’t understand how the HP has beaten the gaming rig. When I test again, I’ll leave VirtualBox off as another test but I’m fairly certain when I looked at the performance it was mostly all BI consuming CPU.
 

bugsysiegals

Based on the benchmark above, which PC would you keep? I'm considering keeping the i7-3770 which is only using 2% more CPU than the i7-4770 at 18 less Watts but am not sure how these numbers will scale as I add 10 more cameras in the future or if there are any other reasons to keep the i7-4770. Your thoughts are much appreciated.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
They are so close on performance I don't think it matters which way you go, but the i7-3770 should have a soldered IHS (the metal top on the processor is soldered), whereas the i7-4770 they started using thermal paste I believe. That thermal paste is only supposedly good for a limited number of hot/cold cycles.

Might explain why the 3770 seems more ENERGY efficient, but 4770 is newer. Clock speed, cores, all the same. Splitting hairs in my book, but saving on power would add up eventually in favor of the 3770.
 

bugsysiegals

Wow, I’d no idea!! I replaced the thermal paste between CPU and heat sink assuming I’m good not realizing this.

I’ll use hwinfo to check CPU temp but at the end of the day, IMHO, that makes it an inferior processor when considering aged CPU’s.

If everything scaled the same, the 3770 would cost about $13 less per year to run 24/7. It’s not a lot but if running another as backup that’s a free 500GB SSD in just a few years time.

Thanks for sharing that info brother!!
 

davej

I have been wondering about this topic. I just got another Optiplex SFF to play with. If I load this one up with pfSense and place it between my cable modem and my WRT3200ACM router -- what would be the effect? I like the idea of being able to log network traffic and monitor bandwidth usage so that I can have some idea what is happening.
 

Whoaru99

I have been wondering about this topic. I just got another Optiplex SFF to play with. If I load this one up with pfSense and place it between my cable modem and my WRT3200ACM router -- what would be the effect? I like the idea of being able to log network traffic and monitor bandwidth usage so that I can have some idea what is happening.
If you are going to put pfSense between your modem and the WRT router, then you might as well turn off all the routing stuff in the WRT and use it just as additional switch ports and an access point (AP).

Or, maybe, to try to separate into VLANs or something. Guess it depends a lot on why you want to implement it. Normally, afaik, the pfSense box becomes your firewall/router.
 