Home Router Recommendation
-
I believe the ALIX APU series will work for you, but recently I also built a very low-power 4-port router myself; you might refer to this post.
I've been doing countless hours of research and have put a lot of thought into what I want to get for what will become my pfSense router. I'm having trouble determining what's needed for my usage so that I don't go overboard and stretch my budget for this out any further.
I've narrowed it down, CPU wise, to the C2758, C2750, and the N3700. Supermicro makes mini-ITX boards that are well known around here for each of these CPUs.
Wants:
Small, low power box
Gigabit LAN throughput (no Gigabit WAN, not concerned about that)
I don't really use VPN at all, or anything else similar. Don't really plan to, but it not sucking at running one would be nice. I'll run some packages, but from what I could tell, I don't see that I'll do much that would utilize AES-NI or QuickAssist much at all. That makes it hard for me to stomach the cost of a C2758 build, as when QuickAssist is available, will I really use it anyway? The C2750 with its turbo boost sounds better for me. Perhaps the N3700 is enough. Any help based on my usage is appreciated. Some sample stuff on my network:
AC Wireless Access Point
Just a handful of wireless devices
Image backups done regularly
Nothing too burdensome, but some big file transfers I don't want taking any longer than they have to
-
Thanks for the additional knowledge. It is actually starting to confuse me and question my approach here, which is good for the long run, but bad until I figure this out.
I've realized I don't need strong hardware for the router. Perhaps, for simplicity's sake, I'm considering official models from pfSense. Even the SG-2220, which I'm trying to determine if it would be enough. 2GB RAM seems like it'd be alright. I can always get an M.2 SATA drive if needed, down the road.
In regards to the Layer 3 switch, which seems ideal for the VLAN stuff and keeping internal traffic at or around wire speed: small is fine, even 8 ports. Anything much bigger wouldn't fit very well anyway and would kill my budget. One thing to ask is that I have 4-5 devices I'd connect via Ethernet in my office where the router is. I have another switch in the entertainment center for media devices, and another desktop that connects to that 5-port unmanaged switch in the other room. Would that switch need to be just a VLAN-aware switch, layer 2?
-
I took the easy route and got a SG-2440 and it made no sense not to get the SSD at the same time. Now I have a simple, small, low power and supported box and the work of converting to a SSD is never going to be needed. Deciding on the four or two port versions is a bit more of a challenge, I went with the four port because if I needed more ports in the future I'd have to buy one anyway.
Unless you need some inter-LAN routing you can hook a good quality switch to the SG-2440 and connect your other switches to it and all your devices will be able to communicate. If you want to segregate the devices and limit communication between the groups then the extra ports on the SG-2440 will allow you to have three LANs and control each of them individually.
-
I'm looking at the Cisco 300 series managed switches that support Layer 3 switching. I wanted VLANs at some point, so I'm thinking that the SG-2220 or anything with just 2 Ethernet ports will suffice for this. I still do wonder whether basic layer 2 smart switches can handle being connected to a Layer 3 switch, thus eliminating any need for more than 1 LAN port on the router.
-
As far as LAN speeds, if you have Squid installed on the router with local cache turned on, the speed at which the client can download from the router will depend on CPU, NIC and storage medium. If you want gigabit LAN speed from the router's cache then you will need an SSD, a gigabit NIC and enough CPU power to push the data.
-
I'm wondering if a Layer 3 switch is really necessary for my needs. It seems like a piece that is above my needs for such a small network as I have. I want at or near Gigabit LAN transfer speeds, but I have such little traffic. Most of it is from me. No more than a dozen or so devices at any given time, most of them not really doing anything. Simultaneous usage would be just a handful of devices at one time. One man can only do so much. Would a Layer 2 switch suffice? Are there certain demands my switch must meet to deliver Gigabit-ish speeds?
-
As far as LAN speeds, if you have Squid installed on the router with local cache turned on, the speed at which the client can download from the router will depend on CPU, NIC and storage medium. If you want gigabit LAN speed from the router's cache then you will need an SSD, a gigabit NIC and enough CPU power to push the data.
Not really. HDD speed is important, but CPU is not that important unless you are building an intercepting proxy (e.g. HAVP, other content filtering), and you don't even need too much RAM on the machine either, since Squid has a pretty low memory requirement. 8 years ago I built pfSense with Squid for my office, just a cheap Pentium D CPU + 2GB RAM, and that firewall was already serving 150-200 people.
-
Traffic wise, I'm the only user that puts a burden on the network. Streaming, large file transfers, locally and remotely.
and
I wanted VLANs at some point, ….
Why pump all traffic through the pfSense box?
Why not push large files from one VLAN to another directly?
If you change the pfSense box hardware in some or many years, the Cisco SG300 will still be running fine!
For nearly wire speed between the VLANs it should be a Layer 3 switch or really strong pfSense hardware.
-
@BlueKobold:
Why pump all traffic through the pfSense box?
Not sure what you mean. I don't want to pump any traffic unnecessarily through anything. I'm trying to figure out the best way to do this.
Why not push large files from one VLAN to another directly?
Again, not sure what you mean exactly. I don't have plans to push large files from one VLAN to another, probably just on the same one. They'd be mostly computer image backups and some other backups as well.
If you change the pfSense box hardware in some or many years, the Cisco SG300 will still be running fine!
For nearly wire speed between the VLANs it should be a Layer 3 switch or really strong pfSense hardware.
If I didn't need wire speed between VLANs and only needed it within the same one, does that change anything?
-
I'm wondering if a Layer 3 switch is really necessary for my needs. It seems like a piece that is above my needs for such a small network as I have. I want at or near Gigabit LAN transfer speeds, but I have such little traffic. Most of it is from me. No more than a dozen or so devices at any given time, most of them not really doing anything. Simultaneous usage would be just a handful of devices at one time. One man can only do so much. Would a Layer 2 switch suffice? Are there certain demands my switch must meet to deliver Gigabit-ish speeds?
A Layer 3 switch is the fastest, but not only option. A Layer 2 switch will force your pfsense box to handle inter-VLAN traffic. With a decent CPU and NICs this won't be a problem. I actually prefer the latter solution in many cases because you don't have to maintain multiple ACLs; all your rules are on the firewall page of the pfsense box. If you worry about saturating your LAN interface on pfsense with inter-VLAN traffic, this is where link aggregation can help. Since you're already using VLANs, you can aggregate the two (or more) physical interfaces into a single logical interface. Any single connection will still only use one NIC, but subsequent connections will balance out over the group, allowing, say, a large file transfer between VLANs to saturate one NIC while internet connections from other machines use another NIC and thus aren't affected speed-wise. Even the cheapest "smart" switches support this. It's not a bad way to go, especially for a home network, and will work just fine provided your pfsense hardware can handle the load. Essentially you'll just need to size it for gigabit throughput, as you would if you had a gigabit WAN.
-
If I didn't need wire speed between VLANs and only needed it within the same one, does that change anything?
Yes, absolutely. I responded to an earlier post of yours before I saw this one. You'll be fine with a Layer 2 smart switch. They're cheap and work well.
-
Thanks. This sounds good to me. For the link aggregation, I'd be connecting 2 LAN ports from my pfSense box to 2 LAN ports on my Layer 2 Switch? If indeed so, obviously, I'd need a pfSense box with more than 2 total Ethernet ports.
-
Not necessarily. If you're using VLANs from the start, your internet connection can reside on one of them as well. In that case you'd plug your modem into a switch port on the VLAN you've designated for internet. This is how I do it with all my pfsense installs at work. In the one case where we're using a physical machine rather than virtual, the box has 2 NICs, aggregated into a single LAGG. Then, we define VLANs on top of that, and the internet router is connected to a switch port that is configured to the corresponding VLAN (the WAN interface on pfsense). What you end up with is a pfsense box with one logical physical connection but VLANs on top of that. It sounds more complicated than it is, but it's really pretty simple. Glad to provide help if you need it.
Quick edit: In short, you really only need 2 physical NICs for the scenario I'm describing. Downside is that you lose a switch port for your cable modem or whatever internet equipment your ISP provides.
-
Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?
In regards to the quick edit, the downside is having one extra port being taken up on switch? If so, that's fine. Clarify the 2 physical NICs needed, as this setup is something I'm still trying to grasp, being new to me. Thanks again.
-
Yeah, I realized after I posted that the last time I did this on pfsense I actually had to do some manual config file editing because there was no LAGG setup in the console. I haven't set up a box from scratch with a build newer than 2.1 in a while, but the last time I set up a FreeNAS machine I was able to do it all from the console so maybe pfsense has followed suit. I'll have to fire up a VM and have a look.
Anyway, basic idea is this:
Let's say your pfsense box has 2 Intel NICs using the em driver, em0 and em1. Without LAGG, when you assign VLANs to one of those NICs (the parent interface), you get a new logical interface. I'll use VLAN 20 in this example (the actual ones you use are arbitrary for the most part; you have over 4000 to choose from). So VLAN 20 with parent interface em1 becomes an interface in pfsense called em1_vlan20. You can then assign that interface as your LAN, WAN, whatever you want. Rinse and repeat with as many VLANs as you like. The cable plugged into em1 will carry tagged traffic from any VLAN that has em1 as its parent interface. The switch's job is to interpret this traffic and send it to ports in the same VLAN. So, if em1_vlan20 is your WAN interface, an untagged port on your switch in VLAN 20 plugged into your modem will function the same as if the modem was plugged directly into a physical interface on pfsense.
With me so far? Now, we add one more layer of abstraction to the config. LAGG (link aggregation group) turns a group of NICs and switchports into a single logical connection. It can increase bandwidth and be fault tolerant (traffic keeps flowing, for example, if one link goes down). So, in pfsense em0 and em1 are used to create a LAGG, which then becomes another interface in pfsense, lagg0. If you define your VLANs with lagg0 as the parent interface, you get (again using VLAN 20 as an example) a new logical interface called lagg0_vlan20. You can assign that as your WAN port. As long as the switch is configured correctly, you can plug either or both of em0 and em1 into either or both of the corresponding LAGG ports on your switch, and the end result is the same as the former scenario except now you've got redundancy and twice the bandwidth, at least in a scenario where you have multiple connections. A single file transfer, for example, could consume up to 1Gbps while still leaving the other physical NIC free to handle any other traffic on the network. It's a type of load balancing.
Whew. And after typing all that I realize it may be way overkill for a beginner, and definitely not for the faint of heart if the pfsense initial config console still doesn't have the LAGG stuff in it. But when you see it work, it's pretty rad.
And an edit. The TL;DR on all of this is that if you're using VLANs from the start you really only need one physical NIC. Adding LAGG on top of that setup will increase potential bandwidth and add a layer of redundancy, at the expense of switchports.
-
Here's what it looks like in practice, and please excuse the messy naming conventions, this is one of my oldest and most hacked up installs. But it works great!
The config problems I alluded to in my previous post are because, as you can see, you can only add unassigned interfaces to a LAGG. This box only has two. Without one configured as a LAN port, management of the box is from the console only. But that can be worked around. In my case, I set up all the VLANs on bce0 first, got the box up and running, then used a VM to see what the LAGG config looked like in the config file. Downloaded my config file, added the LAGG config, and then changed every interface definition from bce0_vlanx to lagg0_vlanx. Uploaded the modified config, rebooted, and it just works. It might be easier now. I know FreeNAS has added that ability into their console based setup. If pfsense hasn't, they should :D
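The two posts above describe the naming rule (VLAN interfaces are called parent_vlanTAG, so moving them onto a LAGG means em1_vlan20 becomes lagg0_vlan20) and the manual config-file migration (add a LAGG section, then rewrite every bce0_vlanX to lagg0_vlanX). The script below, written for this thread and not taken from pfSense or from the poster, automates that rewrite on a constructed config sample. The element names (laggs, lagg, members, laggif, proto, vlans, vlan, vlanif) are my assumption about the config.xml layout; it also enforces the constraint the poster hit, that a NIC already assigned to an interface cannot join the LAGG.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense-style config.xml (assumed
# element names, not a real export): two VLANs on bce0, WAN on 20, LAN on 10.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>bce0_vlan20</if><descr>WAN</descr></wan>
    <lan><if>bce0_vlan10</if><descr>LAN</descr>
         <ipaddr>10.233.233.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <vlans>
    <vlan><if>bce0</if><tag>10</tag><vlanif>bce0_vlan10</vlanif></vlan>
    <vlan><if>bce0</if><tag>20</tag><vlanif>bce0_vlan20</vlanif></vlan>
  </vlans>
</pfsense>
"""


def vlan_ifname(parent, tag):
    """Interface name pfSense gives a VLAN: <parent>_vlan<tag>, e.g. em1_vlan20."""
    tag = int(tag)
    if not 1 <= tag <= 4094:          # the usable 802.1Q tag range
        raise ValueError(f"VLAN tag out of range: {tag}")
    return f"{parent}_vlan{tag}"


def assigned_interfaces(xml_text):
    """Map of assignment (wan, lan, opt1...) -> underlying interface name."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.findtext("if") for child in root.find("interfaces")}


def migrate_to_lagg(xml_text, members, laggif="lagg0", proto="lacp"):
    """Re-parent every VLAN onto a new LAGG and fix up interface assignments.

    Returns (new_xml, {old_vlanif: new_vlanif}). Raises if a LAGG already
    exists or if a would-be member NIC is itself directly assigned, because
    only unassigned interfaces can be added to a LAGG.
    """
    root = ET.fromstring(xml_text)
    if root.find("laggs") is not None:
        raise ValueError("config already contains a laggs section")
    directly_assigned = set(assigned_interfaces(xml_text).values()) & set(members)
    if directly_assigned:
        raise ValueError(f"unassign these NICs before adding them to a LAGG: "
                         f"{sorted(directly_assigned)}")

    # 1. Add the LAGG definition (the part the poster copied from a VM's config).
    lagg = ET.SubElement(ET.SubElement(root, "laggs"), "lagg")
    ET.SubElement(lagg, "members").text = ",".join(members)
    ET.SubElement(lagg, "descr").text = "uplink to switch LAG group"
    ET.SubElement(lagg, "laggif").text = laggif
    ET.SubElement(lagg, "proto").text = proto

    # 2. Re-parent each VLAN: <if>bce0</if> -> lagg0, bce0_vlanX -> lagg0_vlanX.
    rename = {}
    for vlan in root.iter("vlan"):
        new_name = vlan_ifname(laggif, vlan.findtext("tag"))
        rename[vlan.findtext("vlanif")] = new_name
        vlan.find("if").text = laggif
        vlan.find("vlanif").text = new_name

    # 3. Point every interface assignment at the renamed VLAN interface.
    for node in root.find("interfaces").iter("if"):
        if node.text in rename:
            node.text = rename[node.text]
    return ET.tostring(root, encoding="unicode"), rename
```

Run it on a real export only after taking a backup; the output is meant to be uploaded as a whole config file, as the poster did, followed by a reboot.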
-
Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?
To answer this specific question, all traffic to and from the pfsense box will be handled by two cables; on the switch side they are plugged into a LAG port group, and on the pfsense side they are plugged into two NICs configured in a LAGG (the terminology is LAGG, LAG, LACP, and maybe some others depending on the vendor). We're using VLANs, so all the traffic, WAN included, is trunked over those cables. With the LAGG setup you can unplug one of those two cables from either the switch or pfsense and traffic will be uninterrupted. The two cables are just to increase the potential bandwidth of the connection between your networks.
-
A quick question before responding to everything else. What's the workaround for management access? Not just locally, but I'd want to be able to log in to the router remotely, so how would I do that in this configuration?
-
One other question. Why wouldn't there just be 1 cable from the modem to the router WAN port, then 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.
-
A quick question before responding to everything else. What's the workaround for management access? Not just locally, but I'd want to be able to log in to the router remotely, so how would I do that in this configuration?
Your LAN interface would be on a VLAN. So in my previous example your WAN is on VLAN20. So let's say your LAN is on VLAN10. Your computer(s) are plugged into switchports in this VLAN. The computers don't care what the VLAN is; the switch does the work. So let's say your pfsense box has its LAN interface as lagg0_vlan10, with an IP address of 10.233.233.1/24. Any computer plugged into a switch port on VLAN 10 that has an IP address in that same network will be able to communicate with pfsense.
EDIT: and for remote access, which some may frown upon, I forward port 8080 to 443 from my WAN to my LAN. I'm not entirely comfortable with that and wouldn't do it in a corporate environment (I'd use VPN instead) but it's an easy way to gain remote access while not using a common port, which are generally more susceptible to attacks from the internet.
And one more edit, haha: The example I posted above is not from my home network. I live alone and have absolutely no need for that kind of setup. I do use pfsense at home but not in that kind of scenario.