Upgraded to Gigabit line, need to overhaul my network
-
So I recently upgraded my bandwidth, and unfortunately for me my old pfSense router couldn't keep up (Core 2 Duo w/ 6GB DDR2 RAM could only get about 250 Mbps).
If you were in my shoes, what would you set up for yourself?
I am in the same boat actually.. I just updated my line to 500/50 and my old pfSense VM just couldn't handle it.. To get instant access to the bandwidth I had to go with a temp install of a UniFi USG 3P.. Only reason for this was it is cheap ($100) and can route at speed… It handles the 500/50 without any issues..
It only has to handle the job until Nov when I get new pfSense hardware. Which is more than likely going to be an SG-4860.. Go big or go home ;) This is the most oomph I can get from pfSense/Netgate that I am aware of before going into rack units. I don't have the place to put a rack system - even though I would love to..
Have to work out the details with the budget committee (wife), etc.. The $100 usg box was cheap enough to sneak through the budget without much grief.. hehehe
Since you're talking about a redo of your network - do you have a budget in mind? Have you looked at or have you considered hardware from pfSense/Netgate? Vs doing a DIY system? Since you ask what I would do - while the price can be attractive, I personally would stay away from all the China boxes.. But that's just me, there are many people that use them and are happy with them.
-
I agree with john on the Chinese boxes. IMO official pfSense is supported, official, but you pay for that. DIY is community supported (pfSense has a pretty damn good community support system on here, IRC and reddit), and unofficial - but you get amazing price/performance value.
Then there's the chinese boxes. They aren't official, aren't supported, and they fall somewhere in between. You pay more for having the hardware pre-installed in a good looking SFF box, but you don't get any support if it doesn't work right. It is a better price/performance than official pfSense, but me personally I'd either save a lot of money and DIY or spend a little more and buy official.
-
Yeah, most of the lesser known boxes or older boxes aren't a good choice. The few that work well have their own threads on the forums, but for other cases a DIY build is better. For cases where you want actual reliability and known vendors, the official hardware is the place to go.
So far, our experiences and experiments with the more recent Qotom boxes (3rd gen Intel chips in the Celeron, Core i3 and i5 versions) as documented in the dedicated thread have been quite positive, plenty of guides to get a nice setup going. Other hardware solutions such as re-purposing other branded firewall boxes (like the WatchGuard) have similar dedicated topics and information on setup, performance and quirks.
-
Another comment to these China boxes you see on Amazon and such that mention pfSense.. They need to be real careful, I know pfSense has actively been going after them.. And they for sure can not have pfSense pre-installed on them.. Unless they have cleared that with pfSense.. Which I don't think any of them have.
I know some threads have linked to some of these boxes, the links have been removed and pfSense has gone after them.. Just my understanding, not official in any way and I might be off base.
But while you can say your hardware will "work" with pfSense.. You can not actually call it a pfSense firewall or hardware or have it installed on the box when shipped to the buyer, etc. Unless you for sure have cleared that with pfSense, etc.
To be honest, while you might save a few bucks doing DIY.. I think getting hardware from pfSense/Netgate is better in the big picture. It helps pfSense, it helps you know your hardware is going to be rock solid.. And you get Gold to boot ;) That being said if you're wanting to build some rocket ship on a shoestring budget - there is that aspect of it too ;)
I am curious to see what kind of info we get from people in the field once the SG-3100 starts shipping. This price point is pretty attractive for official hardware I think.. Take into account the Gold and access to the book, etc. And shoot, your price point is right in line with some of these SOHO routers that don't do shit ;)
-
J1900 is going to suck for high speed OpenVPN. It's single threaded. Based on the following thread, you'll probably see sub 100Mbps throughput over the VPN.
https://forum.pfsense.org/index.php?topic=115673.0
You won't get Gigabit OpenVPN on any hardware, I think about the best you'll see is probably in the 6-700Mbps range if you go with something like an i3-7350K @ 4.2GHz.
I would say for gigabit throughput if OpenVPN is involved, set your minimum CPU at a J3355 - you should get in the 300Mbps range with that over OpenVPN, full gigabit for just routing.
Upper limit I would pay for is the 7350K @ ~$140. I would recommend a G4620 @ ~$90 as a good compromise.
Pair that with some good NICs - if your connection is PPPoE, use em - Intel PRO/1000, if not use igb - Intel i340 or i350.
An I3 7350K is not required for high OpenVPN speeds. I reach up to 800 Mbps with OpenVPN and PIA using a Intel G4400 and an Intel i350 NIC, the G4400 is almost $100 cheaper than a 7350K. The G4620 is probably a good choice as well, but might as well get a G4560 if you're after HT.
@DaddyNugget: it's really the OpenVPN speed you need that determines which CPU suits you best. It's the single core speed that determines its OpenVPN capabilities. So for 300 Mbps OpenVPN a J3355B might be your best bet; if you need something faster a Pentium (G4400/G4560 etc.) or i3/i5(u) with a high single core speed is required. You can build a J3355B or Pentium system yourself, same for an i3/i5 system, but for an i3u or i5u you will probably need a prebuilt system (Qotom etc.).
-
Wow, 800Mbps single thread on OpenVPN is really impressive!
Are you using fast io and increase buffers?
-
Wow! I was doing some homework before work, and figured maybe I would get a single reply before I got back, thanks for all the help guys!
So because a lot of similar suggestions were made, I will rattle off my answers to everyone.
1. I am not looking at any specific manufacturer for hardware right now, but if I decide to go with some Chinese hardware firewall device I will most likely be going through AliExpress. My reasoning here is that it costs $50-100 less than the exact same product on Amazon, and I might be able to score a better deal overall.
2. I have considered the already set up pfSense firewalls, but I haven't committed to these yet for a couple reasons. The first is that I simply enjoy assembling my own PCs and devices. The second is that they were suggesting me a firewall that is higher than my anticipated budget. An SG-2440 w/ 32GB eMMC storage is $550. If I understand correctly, the eMMC storage is slower than a typical SSD and I was unsure if this could impact my performance. A firewall device from AE w/ a Celeron (I can't pull up the specific one, but it was a 4 core w/ AES-NI) w/ 8GB RAM + 64GB mSATA SSD was $400. I didn't realize that pfSense Gold came with the hardware, which is making me re-evaluate what I want to buy.
3. Although I have plenty of components to DIY it myself (2-port gigabit Intel NIC, Skylake Celeron I am not using, etc.) the reason I want to put a bit more time, money, and effort into this is to both reduce my power bill and the size of the machine. My previous build was in a smaller workstation, but was awkward to keep, not to mention it pulled much more than 20W. My thought process is to get something small and capable, but that I won't need to replace for at least 4 years.
4. My network overhaul has a roomy budget because I won't be able to do everything all at once. I am planning on running proper Cat6 or Cat7 throughout my home. I will have a proper server cabinet, whether it is in a closet or mounted somewhere, with a patch panel etc. I will also be running at least one PoE AP. My end goal is to have a setup that isn't jury-rigged together and falling apart all the time, without paying for an enterprise solution.
Ultimately I was originally under the impression that a DIY gigabit router would be $200 or less, but I came to the conclusion that if I am willing to spend $200 for a half-ass firewall, I should instead be willing to pay 2x-3x for a proper one.
Thank you again to everyone for your quick and informative responses, the information about the VPN use was certainly helpful. Also I came to the same conclusion about the usefulness of squid if my throughput goes all the way through to my WAN. It just didn't dawn on me until I was in the car.
-
Wow! I was doing some homework before work, and figured maybe I would get a single reply before I got back, thanks for all the help guys!
…
until I was in the car.
Considering your points, the (so far) well tested Qotom is the way to go. Add pfSense Gold to that ($99) and you'll be at ~$300 in total. It'll be small, not use a lot of power, and you'll be supporting the project. By the way, getting a $400 thing is a bit high for what you'd be getting. I have not found a PC or embedded system worth $400 on there ;-)
-
@johnkeates:
Wow!
…
until I was in the car.
Would you mind NOT quoting the total post, please? The info is already there to read for everyone, we don't need it twice. Right?
-
4. My network overhaul has a roomy budget because I won't be able to do everything all at once.
Mostly here more than one point is playing together, and it might be better to know all the things you will be reaching for.
So if you are saying that you will later be able to install more than one package on top of all this, you should
think that over before buying your hardware. Increasing the mbuf size, squid, snort and pfBlockerNG will quickly
eat 4 GB!
I am planning on running proper Cat6 or Cat7 throughout my home. I will have a proper server cabinet, whether it is in a closet or mounted somewhere, with a patch panel etc. I will also be running at least one PoE AP. My end goal is to have a setup that isn't jury-rigged together and falling apart all the time, without paying for an enterprise solution.
Perhaps you may think about a fast switch that is able to route your network at wire speed; it can relieve the
firewall of some work so it runs one or more packages with ease. Cisco SG200/SG50 series, SG300/SG350 series
might be a really nice match.
Ultimately I was originally under the impression that a DIY gigabit router would be $200 or less, but I came to the conclusion that if I am willing to spend $200 for a half-ass firewall, I should instead be willing to pay 2x-3x for a proper one.
Most people only see what they were running before changing to pfSense! It's mostly a consumer plastic router that is
ASIC/FPGA based that then does the entire job, and we are then often talking about SPI (netfilter) and NAT (network
address translation), but pfSense is a firewall that works with the BSD packet filter and can be turned into a fully featured
UTM device, but without the whole license subscriptions and fees that mostly come along with those UTM devices too.
And so most users think the best plastic router will be around $200 to ~$300 and that they are able to build
a pfSense firewall also based on that budget or limit; it is true, but then often on top of this they have needs that will
not match well to that budget, 1 GBit/s routing on the WAN, the highest OpenVPN throughput given on earth
and so on and so on.
-
Lots of headroom in the budget and already running cat6+ and Gb WAN? Go for 10GbE LAN!!! ;D
Definitely get yourself a solid managed switch whether you go GbE or 10GbE.
$200 DIY build (if you don't already have things to reuse) will get you a J3355B build with an eBay i340t2 & SO-DIMMs, picoPSU and small SSD - very power efficient and reasonably powerful. More than that will cost more $$.
Since you're upgrading the whole network and jumping into pfSense definitely go for Gold no matter where you buy the hardware.
-
I thought this was your home installation. :P
It is! ;) But the 6 ports are very attractive to me.. I don't like having to hairpin inter-VLAN traffic.. This gives me the ability to break out VLANs onto their own connection and just use a dumb switch I have on the shelf vs having to hairpin traffic between VLANs on the same physical interface.
I am a bit short on ports to do all of them currently.. But a bigger switch will be next on the list. Until then I will leverage 1 of them to hang my Pi network off.. They are all on the same VLAN, so I can break them off onto their own interface on pfSense and remove that traffic from the interface handling all my VLAN traffic currently, etc.
So of the 6 ports I will be using 4 of them right out of the gate.. Leaves 2 for future growth… Since I won't be using the WAN interface into my ESXi host now.. I could connect that direct to a pfSense interface for another segment or VLANs for VMs, etc.
Plus quad vs dual, more RAM, etc. Plan on using this box for a while ;) And since my VM was a limitation with playing with other packages like ntopng, and the IPS packages - this gives me ample performance to play with about any sort of packages I want, etc..
Funny thing is my home pfSense will be bigger than work.. But work is replacing Juniper in 2 more branch locations here soon. Prob get a 3100, see how it fares before getting the 2nd one to decide if I should stick with 2440 or 3100 to save a couple bucks, etc. I'm hoping to move them into more central locations and bigger load, etc.. But all I could get ahead for was the branch places for now.. So that should be about 10 I think when all said and done..
-
Wow, 800Mbps single thread on OpenVPN is really impressive!
Are you using fast io and increase buffers?
Yes, both, really makes a difference.
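The "fast io and increase buffers" exchange above maps to OpenVPN's fast-io directive and its sndbuf/rcvbuf directives (in recent pfSense versions these are, as far as I know, the Fast I/O checkbox and the Send/Receive Buffer selector on the OpenVPN server page). As an added example, not code from any poster in this thread, here is a POSIX sh function that checks a generated server config for those directives; the path /var/etc/openvpn/server1.conf is only my assumption about where pfSense writes the file.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an OpenVPN server config
# carries the throughput-related directives discussed above. pfSense writes the
# generated config under /var/etc/openvpn/ (path assumed; adjust as needed).
# Usage: check_ovpn_tuning /var/etc/openvpn/server1.conf
# Exit status is the number of missing directives (0 = all present);
# 255 means the file could not be read.

check_ovpn_tuning() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 255; }
    missing=0
    for d in fast-io sndbuf rcvbuf; do
        # Match the directive at the start of a line; commented-out lines do not count.
        found=$(grep -E "^[[:space:]]*$d([[:space:]]|$)" "$cfg" | head -n 1)
        if [ -n "$found" ]; then
            echo "ok       $found"
        else
            echo "MISSING  $d"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run it against each server config after saving the GUI settings; a non-zero exit tells you how many of the three directives did not make it into the running config. Note that OpenVPN treats sndbuf/rcvbuf set to 0 as "leave the OS default", so the script only reports the value it finds and does not judge it.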
-
I thought this was your home installation. :P
Funny thing is my home pfsense will be bigger than work.. But work is replacing juniper in 2 more branch locations here soon. Prob get 3100 see how fairs before getting the 2nd one to decide if should stick with 2440 or 3100 save couple bucks, etc. Im hoping to move them in to more central locations and bigger load, etc.. But all I could get ahead for was the branch places for now.. So that should be about 10 I think when all said and done..
As FYI I think the 3100 is ARM based. And my guess here is it will be walked all over performance wise by a decent x86 processor, be that Celeron or i series. Similarly for the 3100 - it's an Atom based processor so weaker than an i series and possibly the Celeron described above. In general the pfSense pre-built boxes don't really compete on bang for buck in terms of performance. You can get double+ the performance with half / two thirds the cost. You do get official support and so forth but for a home install I would opt for self built / a China box as it's not a mission critical application and you'll get better performance for your money. Buy the Gold subscription directly and it is still better value for a home system.
-
Almost all Official pfSense hardware is intended for business, not home users. Just look at the "Best For" section.
Home users paying $450 (not including cost of Gold) for a C2358 and i350t4 paired with 32GB flash and picoPSU (SG-2440), either just want to support the project or don't particularly care about price/performance. A $250 J3355B build will smoke the SG-2440.
Conversely, most businesses would be ill advised to DIY their edge router just to save a couple hundred bucks. For them, buying official pfSense hardware is the obvious way to go.
Netgate knows this, hence they correctly claim that most of their hardware is best for businesses.
-
Well I for sure love to support the project that is for sure.. I have been a very active member of the forum for 10 years ;)
The SG-4860 I am looking to get states best for ;)
Best For:
SMB with Medium Sized Networks
Small to Medium Sized Branch Office with heavy loads
Managed Service Providers (MSP) / Managed Security Service Provider (MSSP) On Premise Appliance
Anyone with High-Speed Gigabit Connections
Many VPN Connections
While I might not have gig currently.. Not sure what I might have next year ;)
The sg-2440, sg-3100 lists
Teleworkers needing an "Always-Up" network or VPN connections
I am with you though, all of their hardware is more designed for business use that is for sure.. I don't think they are pricing them with the home user in mind ;)
If we are going to talk about pricing differences.. Your J3355B build for $250 draws how much power? So in X number of months your up-front cost savings could be eaten up by your extra $ per month powering it.. So sure I could put together something for cheaper now - but I am going to have it on for years.. So while I save a few hundred now.. When do I start losing money paying the electric bill? Have to do the math, etc.. I would much rather pay that money up front and support pfSense.
-
I certainly won't argue with supporting the cause, I think that's awesome!
J3355 is a low power passively cooled Celeron, i340 is a low power NIC, picoPSU 80W has high AC-DC efficiency (I think 88%, haven't looked at the spec sheet in a while?), SSD and SO-DIMM DDR3L are also low power - the build has no moving parts. I never measured my J3355B at the wall when I was using it for pfSense.
I currently use it for HTPC with LibreELEC (Linux) and measured it with a Kill A Watt and it pulled I think between 11-14W during high bitrate HEVC 4K playback. So with pfSense it shouldn't be all that different.
All that aside, supporting the cause is a great reason to buy official for home! Just not everyone has the means to do so.
-
When do I start losing money paying the electric bill?
Not before the equipment becomes obsolete.
-
@BlueKobold:
…you should
think that over before buying your hardware. Increasing the mbuf size, squid, snort and pfBlockerNG will quickly
eat 4 GB!
Perhaps you may think about a fast switch that is able to route your network at wire speed; it can relieve the
firewall of some work so it runs one or more packages with ease. Cisco SG200/SG50 series, SG300/SG350 series
might be a really nice match.
To address your points, I agree that I should have an understanding of my network goals, which I do. I know that my network will not exceed 1Gbps anytime in the next 5 years at least (and honestly, I doubt I will even need the connection I have at that point). I figured I am just going to throw 8GB of RAM into whatever box I have just for the peace of mind (and I am able to upgrade my laptop's RAM from 8GB to 16GB, and reuse the sticks from the laptop, getting a double benefit).
Lots of headroom in the budget and already running cat6+ and Gb WAN? Go for 10GbE LAN!!! ;D
Definitely get yourself a solid managed switch whether you go GbE or 10GbE.
$200 DIY build (if you don't already have things to reuse) will get you a J3355B build with an eBay i340t2 & SO-DIMMs, picoPSU and small SSD - very power efficient and reasonably powerful. More than that will cost more $$.
Since you're upgrading the whole network and jumping into pfSense definitely go for Gold no matter where you buy the hardware.
I have multiple gigabit switches, plus none of my devices are able to capitalize on a 10Gbps network. Since 1000ft of in-wall Cat6 is roughly $100, but Cat7 is $350+, I can't justify laying down the cable without having any devices actually be able to use it.
My goal is to run Cat6 to every room, 1-2 outlets w/a ceiling mounted Wireless AP. I can probably get away with a 12-port patch panel, but will get a 24 port anyway just in case I decide to add more ports later. I plan on getting a 4u+ cabinet that I can stuff the panel, my new pfsense router, a larger switch (using my current ones in each room), and potentially migrating my NAS into a rack-mount unit.
So with that said, my budget is roomy, but it isn't unlimited. It is hard to get approval from my wife for spending an extra $500-$1000 for a negligible, if any performance increase. I plan on getting the best 'bang for my buck' as far as hardware.
Thanks again for everyone's input, it has certainly helped a lot.
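BlueKobold's warning about raised mbuf limits plus packages eating RAM, and the decision above to go with 8GB, both come down to one question: how much of the configured mbuf cluster pool is actually in use? As an added example, not code from any poster in this thread, here is a POSIX sh function that parses the `mbuf clusters in use` line of FreeBSD's netstat -m output (pfSense runs on FreeBSD) and fails when usage exceeds a threshold; the 80% default threshold is my assumption, and the sample output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report mbuf cluster usage on a
# FreeBSD/pfSense box so you can tell whether a raised kern.ipc.nmbclusters is
# needed, or whether the pool is already near exhaustion. Reads `netstat -m`
# output from stdin so it can be exercised on captured text.
# Returns 0 below the threshold, 1 at or above it, 2 if the line is not found.
# Live use: netstat -m | mbuf_cluster_usage 80

mbuf_cluster_usage() {
    warn_pct="${1:-80}"   # threshold in percent (assumed default)
    # FreeBSD prints: "cur/cache/total/max mbuf clusters in use (current/cache/total/max)"
    line=$(grep ' mbuf clusters in use ' | head -n 1)
    [ -n "$line" ] || { echo "no mbuf cluster line found" >&2; return 2; }
    counts=${line%% *}        # "cur/cache/total/max"
    cur=${counts%%/*}         # clusters currently allocated to packets
    max=${counts##*/}         # kern.ipc.nmbclusters at the time of the snapshot
    [ "$max" -gt 0 ] 2>/dev/null || { echo "bad max value: $max" >&2; return 2; }
    pct=$((cur * 100 / max))
    echo "$cur/$max clusters in use ($pct%)"
    [ "$pct" -lt "$warn_pct" ]
}
```

If the percentage sits near zero even under load, the extra memory reserved by a higher nmbclusters is doing nothing for you; if it climbs toward the limit, that is the symptom (stalled interfaces, "mbuf cluster" allocation failures in the log) that the thread's advice about sizing RAM for packages is meant to prevent.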