50/50 + VPN now planning for 100/100 & more

hda

Europe ?: start with a PCengines APU box.

messerchmidt

build a custom box using off the shelf components

mtk

@hda:

Europe ?: start with a PCengines APU box.

@messerchmidt:

build a custom box using off the shelf components

Any recommended build?

VAMike

The APU2 will be a hard platform to beat for power consumption and can easily handle 50 or 100 Mbps, and has AES-NI crypto acceleration for the VPN.

mtk

@VAMike:

The APU2 will be a hard platform to beat for power consumption and can easily handle 50 or 100 Mbps, and has AES-NI crypto acceleration for the VPN.

Will it also handle the 1Gbps in the internal network?

hda

@mtk:

Will it also handle the 1Gbps in the internal network?

Not unlikely, but a pfSense-APU2 is not a switch !
You could put a switch on LAN and a switch on OPT1, for having 2 firewalled segmented groups.

mtk

@hda:

@mtk:

Will it also handle the 1Gbps in the internal network?

Not unlikely, but a pfSense-APU2 is not a switch !
You could put a switch on LAN and a switch on OPT1, for having 2 firewalled segmented groups.

1 switch (which I have) for the internal network will do - thanks!

How about a build like this: https://mathew.id.au/2014/09/build-awesome-apu-based-pfsense-router/
but with the APU2C4, would that do the trick?

hda

@mtk:

APU2C4, would that do the trick?

Sure.

mtk

@hda:

@mtk:

APU2C4, would that do the trick?

Sure.

Will the APU2C4 also handle the occasional 1-2 OpenVPN connections?

Guest

we currently have a 50/50 Mbps WAN in the house. We plan to use it as a VPN for 1-2 simultaneous connection from the outside into the house, and we plan to upgrade to 100/100 Mbps in the near future.

• APU2C4 will do that job with ease for you
• Jetway NF9HG-2930 too!
• AxiomTek NA342(R), NA361(R) order over the sales team in the UK by phone or email

I tried my luck with a HP T5730w Thin Client but unfortunately it doesn't even boot (not related to pfSense), so I would like to buy some hardware to build a pfSense machine.
As this is for a house low-power should be on a high priority.

Could be also only a BIOS problem, is the latest BIOS installed?

I do leave in Europe so parts/shipping might be a problem.

Shop-Varia sells world wide!
Shop-Voleatech sells European wide!

Any recommendation/advise?

This might be pending on some more things then only the WAN speed or Internet connection speed!

• Squid & Squid Guard & SARG?
• pfBlockerNG / tinyDNS?
• Clam AV Scanning?
• Snort or Suricata IDS?
• http-proxy for caching proposes or not?

Will it also handle the 1Gbps in the internal network?

Perhaps also this is based on more then only one thing!

• VLANs or not
• big or large files or not?
  why sending 3 GBs through the firewall device and not from the PC to the NAS through a smaller
  Layer3 Switch such the Cisco SG300-10(24) or the D-Link DGS1510-20 is!?
• What is all installed an watching or acting to wich side?
  Clam AV, proxy, IDS,….

So in normal it would be no problem but it could be pending on some other different configured thinks.

mtk

@BlueKobold:

we currently have a 50/50 Mbps WAN in the house. We plan to use it as a VPN for 1-2 simultaneous connection from the outside into the house, and we plan to upgrade to 100/100 Mbps in the near future.

• APU2C4 will do that job with ease for you
• Jetway NF9HG-2930 too!
• AxiomTek NA342(R), NA361(R) order over the sales team in the UK by phone or email

I tried my luck with a HP T5730w Thin Client but unfortunately it doesn't even boot (not related to pfSense), so I would like to buy some hardware to build a pfSense machine.
As this is for a house low-power should be on a high priority.

Could be also only a BIOS problem, is the latest BIOS installed?

I do leave in Europe so parts/shipping might be a problem.

Shop-Varia sells world wide!
Shop-Voleatech sells European wide!

Any recommendation/advise?

This might be pending on some more things then only the WAN speed or Internet connection speed!

• Squid & Squid Guard & SARG?
• pfBlockerNG / tinyDNS?
• Clam AV Scanning?
• Snort or Suricata IDS?
• http-proxy for caching proposes or not?

Will it also handle the 1Gbps in the internal network?

Perhaps also this is based on more then only one thing!

• VLANs or not
• big or large files or not?
  why sending 3 GBs through the firewall device and not from the PC to the NAS through a smaller
  Layer3 Switch such the Cisco SG300-10(24) or the D-Link DGS1510-20 is!?
• What is all installed an watching or acting to wich side?
  Clam AV, proxy, IDS,….

So in normal it would be no problem but it could be pending on some other different configured thinks.

Those are very good questions and part of the reason I got the Thin Client was to give pfSense an initial trail to what I actually would like (or need) to use.
And yes, there will be a switch in charge of the internal traffic, but I still want to ensure that pfSense won't become a bottleneck on that level…

hda

@mtk:

…And yes, there will be a switch in charge of the internal traffic, but I still want to ensure that pfSense won't become a bottleneck on that level...

All hosts/PCs/Servers on one LAN of pfSense-box will communicate directly, without travelling the firewall…

mtk

@BlueKobold:

• APU2C4 will do that job with ease for you
• Jetway NF9HG-2930 too!
• AxiomTek NA342(R), NA361(R) order over the sales team in the UK by phone or email

Should even be worried about AES or anything else for the VPN connections?

@BlueKobold:

Could be also only a BIOS problem, is the latest BIOS installed?

I wouldn't know because it doesn't POST at all :)
(All I see is a black screen)

mtk

@BlueKobold:

This might be pending on some more things then only the WAN speed or Internet connection speed!

Here is goes:

• Squid & Squid Guard & SARG?

Nice to have, not a must.
Access limitations are not needed thought…

• pfBlockerNG / tinyDNS?

Yes!

• Clam AV Scanning?

Yes!

• Snort or Suricata IDS?

Nice to have.

• http-proxy for caching proposes or not?

Isn't it similar to Squid?

VAMike

@mtk:

@BlueKobold:

• APU2C4 will do that job with ease for you
• Jetway NF9HG-2930 too!
• AxiomTek NA342(R), NA361(R) order over the sales team in the UK by phone or email

Should even be worried about AES or anything else for the VPN connections?

APU2C4 has AES-NI as well as PCLMULQDQ (so when openvpn supports AES-GCM it'll do well). For now, though, 100Mbps VPN is probably more than the APU2 can sustain. If you need to sustain 100Mbps VPN today you'll need more power. If you need 50Mbps today and more sometime later (post openvpn-2.4), the APU2C4 is probably ok.

The N2930 lacks AES-NI and will probably bottleneck VPN, so will the J1900.

mtk

@VAMike:

@mtk:

@BlueKobold:

• APU2C4 will do that job with ease for you
• Jetway NF9HG-2930 too!
• AxiomTek NA342(R), NA361(R) order over the sales team in the UK by phone or email

Should even be worried about AES or anything else for the VPN connections?

APU2C4 has AES-NI as well as PCLMULQDQ (so when openvpn supports AES-GCM it'll do well). For now, though, 100Mbps VPN is probably more than the APU2 can sustain. If you need to sustain 100Mbps VPN today you'll need more power. If you need 50Mbps today and more sometime later (post openvpn-2.4), the APU2C4 is probably ok.

The N2930 lacks AES-NI and will probably bottleneck VPN, so will the J1900.

Thanks!
are there any cheaper alternatives as this is the first device of the house?

VAMike

@mtk:

are there any cheaper alternatives as this is the first device of the house?

the apu2 is less than $150 all in, I'm not aware of anything cheaper than that.

mtk

@VAMike:

@mtk:

are there any cheaper alternatives as this is the first device of the house?

the apu2 is less than $150 all in, I'm not aware of anything cheaper than that.

yeah, but in EU it's closer to (if not more than) €200, not even including taxes/shipping or the mSata (!)…

VAMike

@mtk:

@VAMike:

@mtk:

are there any cheaper alternatives as this is the first device of the house?

the apu2 is less than $150 all in, I'm not aware of anything cheaper than that.

yeah, but in EU it's closer to (if not more than) €200, not even including taxes/shipping or the mSata (!)…

Have you looked at various resellers? I've seen it less than that, including VAT. You kinda need to buy storage for anything, and there are small/cheap msata drives from many places.

mtk

@VAMike:

@mtk:

@VAMike:

@mtk:

are there any cheaper alternatives as this is the first device of the house?

the apu2 is less than $150 all in, I'm not aware of anything cheaper than that.

yeah, but in EU it's closer to (if not more than) €200, not even including taxes/shipping or the mSata (!)…

Have you looked at various resellers? I've seen it less than that, including VAT. You kinda need to buy storage for anything, and there are small/cheap msata drives from many places.

If you could point out one reseller, that would be great!