In this post, I discuss the process of converting an older Intel® NUC Kit NUC5i3RYH mini-PC into a virtualized pfSense router.
This is my current network config that I’ll be putting behind a pfSense firewall.
What is pfSense? pfSense can be installed on a physical computer or a virtual machine to essentially create a dedicated firewall/router network device. It can be configured and upgraded through a web-based interface and requires no knowledge of the underlying operating system to manage. It essentially allows anyone to turn an old PC into a network device that would otherwise cost serious money.
My goal is to introduce a pfSense device in front of my wireless access point, allowing me to completely control my network and make use of the many options that come for free with the open-source pfSense solution, such as running it as a state-of-the-art firewall and VPN device:
Complete list of all pfSense features: https://www.netgate.com/solutions/pfsense/features.html
Converting Intel mini-PC into PfSense Router
I own an older model 5 – Intel® NUC Kit NUC5i5RYH with the following configuration: 240GB OCZ-Agility4 SSD, 16 GB of RAM and Intel Core i5-5250U CPU @ 1.60GHz, which is running Windows 10 Professional.
I am currently using this device as a Windows media server and it’d be a waste of resources to turn the entire Intel NUC mini-PC ($400 device) into a dedicated pfSense router. So, instead, I’ve decided to install Oracle VirtualBox on Windows 10 that is already running on this box and then install pfSense as a virtual router. I prefer this solution because it allows me to keep using the Intel NUC for other purposes and, given I have 16GB of RAM available to me, I can easily dedicate 4-8 GBs to the pfSense virtual router.
There are essentially two options for how to go about the job of converting the Intel NUC into pfSense, both of which I’ll outline below.
Option #1 – Add a Second Network Interface
The Intel NUC only comes with a single Network Interface Card (NIC), but we will need a second NIC in order to have one dedicated to the incoming WAN traffic from the provider’s router and another one for the outgoing LAN traffic going to the Wi-Fi router. I found the following options to accomplish the task.
1. USB 3.0 NIC Adapter – The cheapest (but likely not the most reliable) way to add a second NIC is to buy the USB 3 to Gigabit NIC adapter such as AmazonBasics USB 3.0 to 10/100/1000 Gigabit Ethernet Internet Adapter which costs around 20 dollars and can be plugged into USB 3.0 port on Intel NUC:
2. M.2 to Mini PCI Express cable + Mini PCI-E card NIC Adapter – Another option is to use the Mini PCI-E card NIC adapter. The Mini PCI Express interface can be accessed inside the Intel NUC and requires some work to be done, but this interface would likely be the most solid and the Mini PCI-e supports transfer rates up to 2.5Gb/s via full-duplex channel, data rate auto negotiations, IEEE 802.1Q VLAN Tagging and IEEE 802.3az Draft 3.0 (EEE). One such option is a Syba Gigabit Ethernet Mini PCI Express PCI-E Network Controller:
However, my Intel NUC NUC5i3RYK is a 5th generation device and it does not have the mini PCIe interface like its predecessors, instead, this particular model is using the Broadwell motherboard which has an M.2 slot. M.2 support is great (it also supports M.2 form factors 2242, 2260 and 2280), but it complicates things because to connect the above card, one would also need a cable that converts M.2 to Mini PCI Express.
3. M.2 Ethernet Module – Probably the best option of all, is to get an Ableconn M2-NW-107 M.2 and run a cable from the board out. However, I decided against it, because this is a rather expensive option. Here in Canada, it costs over $60 CAD, while in USA it’s around $27.
4. M.2 Dual Port Ethernet Card for Intel NUC – This device claims to be the M.2 Dual Port Ethernet Card for Intel NUC and is advertised here: https://g2digital.co.uk/m-2-dual-port-ethernet-card-for-intel-nuc-is-ready-for-pre-order. However, I can’t find the order links for the product, so the project might not be alive anymore.
5. Replacement Intel NUC Lid with RJ45 Port – The fifth and the last option while certainly the most elegant, is also the most expensive of all and unfortunately also the slowest. There is an option to buy a replacement lid for Intel NUC that is fitted with the RJ45 connection. One such is made by a company called GORITE, however, the manufacturer only supports 100Mbps (full-duplex via auto-negotiation) connectivity and this is also USB to RJ45 conversion similar to USB 3.0 adapter for $20 that I mentioned above. So I wouldn’t go for this option.
Option #1 – Architecture
Given you choose one of the above options, the architecture diagram would look something like this:
Option #2 – One Network Interface – VLAN Config in a Managed Switch
If adding a second NIC through one of the options outlined above is not something you want to entertain, follow my guide at:
pfSense VirtualBox Installation
In my case, I decided to go with Option #1 – by adding USB 3.0 to the NIC adapter, as it was the cheapest way to accomplish my goal. It might not be as stable as implementing a regular NIC, but there are ways to monitor the performance and re-enable the USB 3.0 network adapter if needed.
So now was the time to install pfSense inside VBox. First, I’ve downloaded pfSense-CE-2.4.4-RELEASE-p3-amd64.iso.gz – AMD64 (64-bit) ISO from https://www.pfsense.org/download/
Once done, I’ve unzipped pfSense-CE-2.4.4-RELEASE-p3-amd64.iso.gz into pfSense-CE-2.4.4-RELEASE-p3-amd64.iso file:
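An added check, not part of the original post: the downloaded .gz archive can be compared against the SHA-256 value published alongside it before the ISO is attached to a VM. The Downloads path, the `.sha256` file name and the two checksum line formats handled here are assumptions.

```powershell
# Added example: verify a downloaded pfSense image against its published SHA-256.
# Assumes the checksum file was saved next to the image as <image>.sha256.
function Get-ExpectedSha256 {
    param(
        [Parameter(Mandatory)][string]$ChecksumFile,
        [Parameter(Mandatory)][string]$FileName
    )
    foreach ($line in Get-Content -LiteralPath $ChecksumFile) {
        $name = $null; $hash = $null
        # BSD style:  SHA256 (name) = <64 hex chars>
        if ($line -match '^SHA256 \((?<name>.+)\) = (?<hash>[0-9a-fA-F]{64})\s*$') {
            $name = $Matches['name']; $hash = $Matches['hash']
        }
        # GNU style:  <64 hex chars>  name   (or "*name" for binary mode)
        if (-not $hash -and $line -match '^(?<hash>[0-9a-fA-F]{64})\s+\*?(?<name>.+)$') {
            $name = $Matches['name'].Trim(); $hash = $Matches['hash']
        }
        if ($hash -and $name -eq $FileName) { return $hash.ToLower() }
    }
    throw "No SHA-256 entry for '$FileName' in $ChecksumFile"
}

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ChecksumFile
    )
    $name     = Split-Path -Leaf $Path
    $expected = Get-ExpectedSha256 -ChecksumFile $ChecksumFile -FileName $name
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        File     = $name
        Expected = $expected
        Actual   = $actual
        Match    = ($expected -eq $actual)
    }
}

# Assumed download location; the file name is the one used in this post.
$image = Join-Path $env:USERPROFILE 'Downloads\pfSense-CE-2.4.4-RELEASE-p3-amd64.iso.gz'
if (Test-Path -LiteralPath $image) {
    $result = Test-DownloadIntegrity -Path $image -ChecksumFile "$image.sha256"
    $result | Format-List
    if (-not $result.Match) { throw "Checksum mismatch: do not install from $($result.File)" }
} else {
    Write-Warning "Image not found at $image"
}
```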
Now, it’s time to open Oracle VirtualBox Manager and install pfSense. pfSense is an open-source firewall/router computer software distribution based on FreeBSD, but VirtualBox no longer has FreeBSD as a Linux option, so we’ll just create a new Virtual Machine under Linux (64-bit) version. I’ve added 8GB of RAM to it, but it’ll run just fine with 4GB or even 2 GB of RAM. If you have spare RAM, you can give it a bit more.
On the next screen, I added 20 GB of HDD, that is dynamically allocated, which should be more than enough (4GB is listed as a minimum by pfSense).
Then, once the VM is created, we’ll need to load it from a Live pfSense CD ISO we’ve downloaded earlier.
Right-click on the VM, go to Storage tab and load the pfSense-CE-2.4.4-RELEASE-p3-amd64.iso file:
Then Start the VM by pressing the Start button.
The VM will boot from ISO image into pfSense installer:
And follow through the installation procedure:
It’ll go through archive extraction:
Leave the auto-config on:
And reboot the pfSense:
Once the VM reboots, power off the VM and right click it and go back to settings.
Then remove the pfSense-CE-2.4.4-RELEASE-p3-amd64.iso Disk from Virtual Drive:
The next thing is to set up both network adapters in the VM Network tab settings. Each NIC needs to be configured in bridged mode.
With the first adapter, there is also an option to run it in a NAT mode, especially if your provider’s modem won’t give you more than one IP address. First, try to restart the modem though, as running in a bridged adapter mode on your regular LAN jack might not work out of the box without modem reboot.
Adapter 2 is my Amazon USB 3.0 Gigabit Ethernet Internet Adapter, but you can also configure your Gigabit switch on this screen; it’s up to you which secondary NIC you use here:
Boot up the pfSense VM again and when it asks if VLANs are to be set up, say ‘NO’:
Enter the WAN interface name as auto-detection:
The configuration is automatic afterwards and you’ll see all services being configured and started:
Once bootup is completed, you’ll be welcomed to pfSense 2.4.4, and your LAN connection will be configured with a default static IP address of 192.168.1.1:
You can now login to the pfSense interface at https://192.168.1.1/index.php with a default user name ‘admin’ and password ‘pfsense’:
Once done, go through an initial device configuration:
If you want, you can change your local provider DNS servers to either Google’s (8.8.8.8, 8.8.4.4) or to DNS servers of your VPN provider if privacy is a concern:
On the 4th step leave everything as-is:
Leave the default 192.168.1.1 LAN IP address:
In the next step, change your admin password from default to a new strong password. You can use https://passwordsgenerator.net to generate a solid password, especially if you’re planning to expose pfSense externally.
Once done, just press the RELOAD button:
Your new pfSense router should be up and running now, with the traffic flow on both WAN and LAN.
AutoRun pfSense VirtualBox Image after Reboot (in Headless Mode)
Now that the Intel NUC is running pfSense in VBox, all I had to do was make sure that my VirtualBox VM named ‘pfSense’ would automatically start on Windows reboot.
To do so, I opened the following directory:
And created a batch file with the following content:
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" startvm pfSense --type headless
This starts the pfSense VM in headless mode every time the Windows machine is rebooted.
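A more defensive variant of the startup command, as an added example that is not from the original post: it skips the start when the VM is already running and waits for the bridged host adapters (for instance a USB NIC that enumerates late after boot) before calling startvm. The 60-second wait and the mapping of `bridgeadapterN` to the Windows interface description are assumptions.

```powershell
# Added example, not from the original post. Starts the VM headless only when
# it is not already running and every bridged host adapter is present.
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'  # path used in the post
$VmName     = 'pfSense'                                            # VM name used in the post
$MaxWaitSec = 60   # assumed grace period for the USB NIC to enumerate after boot

function Get-VmInfo {
    param([string]$Name)
    # --machinereadable prints key="value" lines such as VMState="poweroff"
    $lines = & $VBoxManage showvminfo $Name --machinereadable
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage cannot read VM '$Name'" }
    $info = @{}
    foreach ($line in $lines) {
        if ($line -match '^"?(?<k>[^"=]+)"?="?(?<v>.*?)"?$') { $info[$Matches['k']] = $Matches['v'] }
    }
    return $info
}

function Get-MissingBridgeAdapter {
    param([hashtable]$Vm)
    # Assumption: bridgeadapterN holds the host NIC's InterfaceDescription.
    $present = Get-NetAdapter | Where-Object Status -ne 'Disabled' |
               Select-Object -ExpandProperty InterfaceDescription
    foreach ($i in 1..8) {
        if ($Vm["nic$i"] -eq 'bridged' -and $present -notcontains $Vm["bridgeadapter$i"]) {
            $Vm["bridgeadapter$i"]   # emit the name of each adapter the host lacks
        }
    }
}

$vm = Get-VmInfo -Name $VmName
if ($vm['VMState'] -eq 'running') { Write-Output "$VmName is already running"; exit 0 }

# Poll until all bridged adapters exist, or give up after $MaxWaitSec.
$deadline = (Get-Date).AddSeconds($MaxWaitSec)
while (($missing = @(Get-MissingBridgeAdapter -Vm $vm)).Count -gt 0) {
    if ((Get-Date) -gt $deadline) { throw "Host adapter(s) missing: $($missing -join ', ')" }
    Start-Sleep -Seconds 5
}

& $VBoxManage startvm $VmName --type headless
if ($LASTEXITCODE -ne 0) { throw "startvm failed with exit code $LASTEXITCODE" }
```

Saved as a .ps1 file, it can be launched from the same batch file through powershell.exe -File in place of the direct VBoxManage call.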
Speed Testing pfSense
To test the speed at which pfSense is handling your network, simply connect a device to LAN DHCP and run a speed test on speedtest.net.
If you want to do this directly on the pfSense, it can be accomplished from the command line. Select option 8) Shell
Then navigate to cd /usr/local/bin/ and run:
pkg install speedtest-cli
Once installed, execute:
The speed test results in the command line would look something like this:
I hope you enjoyed this article. Leave me a note if there are any questions.