• You've been granted Beta access to this site, allowing you to explore some of the new features while they're still under construction. More information can be found in the Beta forum.

In need of a new router

linuxha

Active Member
I recently was force to juggle my phone/TV/Inet and ended up paying less and got more. But the internet is now 1.25G/35M. My little Ubiquiti ER-Lite isn't up to the task. I do not want FW/Router with WiFi. I am thinking of going with some thing like a 1U computer with a PCI board. The 2.5/5/10G boards seems in short supply so I think I'll have plenty of time to think.
 
What I have now is:
  • Cable Modem (1G/2.5G)
  • ER-Lite (1G x 3)
  • 1Gx24 manages (x2) switches (3G backbone)
  • Ubiquite AP (1G)
  • Nothing over 1G
I'm also looking for recommendations for the firewall software.
 
I'm also trying to get a bit of future proof. The ER-Lite lasted quite a few years (good). I'd like this FW to last a bit longer since I'm sure I'll be spending a pretty penny for this. :)
 
BTW, I'm now playing with 400G ethernets (optic) bundled into LAGs and I'm hearing the labs will have 800G soon. I was pretty sure I wouldn't ever see 10G into the home but I may live long enough for 40G to the home. And no I'm not building with that much future proof but 10G does sound like a good idea now.

PS: No Microsoft! My mind works best with Unix (Unix/Linux/BSD).
 

pete_c

Guru
PFSense.
 

How to configure a PFSense Firewall
 
There is much documentation and DIY's and videos.  I've been using it now for many years.  Current PFSense box has 6 NICs.
 
2 NICs are for WAN and WAN failover (LTE CPE).
 
It free and easey peasy to install.  You can utilize any PC with two NIC ports to test it on.
 
PFSense runs in BSD.
 

linuxha

Active Member
pete_c said:
PFSense.
 
How to configure a PFSense Firewall
 
There is much documentation and DIY's and videos.  I've been using it now for many years.  Current PFSense box has 6 NICs.
 
2 NICs are for WAN and WAN failover (LTE CPE).
 
It free and easey peasy to install.  You can utilize any PC with two NIC ports to test it on.
 
PFSense runs in BSD.
 
What speeds are you handling? I'm trying to figure out what CPU is enough to handle 2 10G interfaces.
 

pete_c

Guru
What speeds are you handling? 
 
100 - 200 Mb using an Arris Surfboard Docsis 3.0 SB-6190 Gb Modem.
 
The Arris Surfboard Docsis 3.1 SB-8200 specs are:
 
  1. Downstream. Maximum Theoretical Data Rate: DOCSIS 10 Gbps* ...
  2. Upstream. Maximum Theoretical Data Rate: DOCSIS 2 Gbps*
 
Have a look here.
 
pfSense 10G hardware advice
 

linuxha

Active Member
Thanks Pete that's what I was looking for. The link gave me those extra details that will help me when I actually purchase. :)
 

pete_c

Guru
Good news Neil!!!
 
You can install PFSense on any box to get familiar with it while you build your new box.  You can do the same after it is built.
 
Just connect the WAN and LAN interfaces to the LAN inside of your network and shut off the DHCP on the LAN side.  
 

linuxha

Active Member
We have a pfsense setup in our computer museum. It was too easy to setup, so it must be broken. :)
 
I did like it as I was able to get to the command line and figure things out. And since it's a unix I shouldn't have a huge issue learning the intricacies of BSD vs Linux vc any other unix I've used. I'd expect to be able to add snmpd, the equivalent to rsyslogd, netflow, etc. .
 

pete_c

Guru
Yes here have mostly migrated now to using IPv6 outside and inside of the network.
 
One thing now too is using build in AES-NI on the CPUs.  PFSense lets you turn it on and off.
 
Here put a PFSense box in house #2 and a NAS for syncing stuff.  I was using IPSec VPN - well still using it but now also use OpenVPN server.
 
Installed OpenVPN clients on remote Windows, Android, Linux devices.  Works great.  You can test your own PFSense VPN configuration inside of your network enabling Hair Pinning on the PFSense box.  IE: NAT Reflection (system advanced firewall configuration)
 
Use BSD command line here all of the time.  It is just like Linux to me.  With my Linux laptops to PFSense always use SSH and or SFTP to make adjustments.
 
The PHP GUI though if very easy to use.
 
Years ago here started to use GPS / PPS for an NTP server.  I have incorporated the NTP server to the PFSense box.
 
I wrote about here many years ago.
 
PFSense NTP / PPS
 
In the early 2000's was working on an airlines vectoring system which used unix boxes in the towers and a stationary GPS for time / location tracking.  
 
I was very impressed with it decided to move the time syncing at HQ (airlines) over to using an NTP server with PPS and going internal for time syncing.
 

linuxha

Active Member
Thanks, a most useful discussion.
 
I'm not familiar with these forms of NTP. What's so special about them? I normally use open NTP on one internal server. The router is usually a backup. I do this with many services. I've found that this is not so easy with IPv6 and it's forms of DHCP (ask for a /48 or /60 for Xfinity/Comcast). I don't want the FW/router to be doing any other processing other than what it needs to do.
 
BTW, I haven't looked into the 4G backup (limited 5G in the area) yet.
 

pete_c

Guru
NTP with PPS running via a GPS connected to PFSense doesn't really eat much CPU and is much more accurate than using the internet.
 

sic0048

Senior Member
Another vote for pfSense.  It is extremely flexible and powerful, but also pretty easy to use.  There is also a ton of online material to help people. 
 
One thing I really like about it is that it comes out of the box blocking everything.  This means that you have to allow rules to make connections work.  While this might seem a little backwards (you have to set a rule to even access the internet), it is actually much safer.  It might be as basic as having one "allow all" rule in the outgoing connections section that will allow unrestricted access for your network to access the WWW.  Obviously you can make it more secure than that with VLANs, or more strict rules too.  The point is that all unsolicited incoming traffic to your network is blocked by default.  Other systems start out by allowing all connections and you have to write rules to block things.  Forget one rule and your system might be insecure.  I much rather have everything blocked and then write rules to allow connections as I need to.
 

pete_c

Guru
More than likely you will want to build this PFSense box and install using a 1 U / 2 U box. 
 
I am using a 2 U box with a PCiE cable going to a 4 port Intel Gb NIC card here.  
 
There are already built micro PCs with multiple Intel Gb ports but I have not seen any with 10 Gb ports.

I am using an already built micro pc for house #2 with 2 Gb NICs on it.
 

sic0048

Senior Member
Prices on computer parts (even used) have certainly been rising.  If you want a prebuilt option, look at something like the HP T730 or HP 290-p0043w.  Both will need a network card to be added (because they only have one network port standard).  Most people go with an Intel 350-t4 or 340-t4 card.
 

roussell

Active Member
Another vote for pfSense. I’ve ran it for more years than I can remember and never an issue. For my latest built I bought this:

https://www.ebay.com/itm/Supermicro-1U-Firewall-Server-X10SLH-N6-1x-E3-1231V3-4GB-RAILS-PfSense-/174093260810

And added 2 SSDs and bumped the RAM to 8gb. It came with 4 10G NICs and while I only have 400mbps down I ran bandwidth tests between it and a Proliant DL580 also having 10Gb copper and it handled the speeds without issue.

Hope this helps,
Terry


Sent from my iPhone using Tapatalk
 
Top