My home-gateway saga, ending with pfSense


    Hi everyone,

    I just thought that I would share my story here.

    The story begins about a year ago, when I moved house. I had a new ISP, and they had decided that it was in everyone's best interest for their customers to use their routers.

    They are utter pieces of crap: the wifi is horrendously unreliable and has very bad range; when torrenting, the box actually crashes half the time because it can't handle all the concurrent connections; it's energy-inefficient (I measured it at about 20 watts!!) and, worst of all, it's managed using a web page on my provider's site (yes, you can't configure it locally, you need to log in to your provider's homepage, and then there are limited options that are pushed to your home router after a while).

    I'm a network engineer and I thought: that's just wrong, we can do better.

    First off, I got rid of the wifi router that my provider gave me and they exchanged it (begrudgingly) for a modem-only device. Meaning, it's just a dumb modem that gives me a public IP on whatever I connect to it.

    Great!

    Attempt 1: Linksys
    Now, obviously, Linksys is not a bad brand, so I connected my old Linksys router. Upgraded it to DD-WRT and started working. Everything was pretty much great, but there is a problem: the DD-WRT firmware somehow limits the download speed to 100 megabits (I have 200 megabits download speed). Hmmm, I'm not paying for 200 megabits/s only to be able to use half because some programmer hardcoded 'speed 100mb' somewhere.

    Downgraded the Linksys back to factory firmware. It's going at 200mb, but I hate the default Linksys firmware.

    Furthermore, this router is old and unreliable (I think some components are broken). It needs a reset every other day or so, not ideal.

    Attempt 2: pfSense with VirtualBox
    Since I'm not really familiar with KVM and I didn't feel like paying for another hypervisor, I decided that VirtualBox was worth a try.

    Everything works, but the performance is unreliable, especially during gaming. It spikes a lot, despite the processor not being stressed. I'm thinking it's just the fact that VirtualBox is fine as a desktop hypervisor, but it's not really suited for dedicated hosting…

    Attempt 3: Cisco ASA
    Being a network engineer, I managed to find an ASA 5506-X firewall on the cheap.

    Great! Amazing! That will surely solve all my problems!

    Performance was great, but...

    The problem is simple: unless you're willing to dish out huge amounts of money in licences, it's pretty much a very standard router/firewall... All the cool Firepower/IPS features are licensed and very expensive.

    Furthermore, the ASA does not:

    - Support IPv6 delegation
    That sucks! That means that despite my provider giving me IPv6 ranges, the ASA doesn't accept these for internal use...

    - Support UPnP
    Well, ok, that's to be expected I suppose. ASAs are not consumer devices, but it would have been nice to at least have it tucked away somewhere.

    - Have a web page for configuration
    Ok, I know that the ASA uses ASDM, but there's a major issue: I have a 4K display at home. Those Java applets are unusable on 4K displays. They simply don't scale. You need hawk eyes to be able to read it... I had set up a virtual machine, then scaled it up 3x, and then the ASDM was readable. But not really a good solution...

    So I sold the ASA (luckily I didn't make a loss on it), and after fiddling with pfSense for the past 6 months, I decided the time had come to do it properly.

    I have an Intel NUC that is used as a media center (and still is). I was trying to figure out a way to leverage the power of this NUC (Intel i3 processor, Broadwell) for pfSense without compromising the media-center functionality.

    So I did :)

    Step 1:

    Buy this switch: http://nl.tp-link.com/products/details/TL-SG108E.html

    It's basically the cheapest switch I could find that supports 802.1Q tagging. This is not needed if your board has 2 network cards. I made 2 VLANs: VLAN 10 is the internet, my modem is connected to this VLAN, and the rest is VLAN 20: my internal network.

    I had to upgrade the NUC anyway because a new LTS of Ubuntu came out a couple of months ago. Formatted it, installed Ubuntu Server 16.04, installed Kodi, and the missus was happy again: her TV shows worked like before.

    I installed KVM and installed pfSense on it. My worry was the networking part. Didn't do much research and just decided to try the following:

    I made the switch port towards the NUC a trunk: untagged frames are the internal network, VLAN 10 tagged frames are internet packets.

    In pfSense, I made a VLAN interface after installation: VLAN 10 for internet access, together with the normal interface for LAN traffic. Much to my surprise, this automagically worked without issues! I immediately got a public IP via DHCP (and IPv6 as well, for an added bonus!)

    Setting up routing and NAT was a breeze with the wizard; my only worry was performance.

    So a little test: the speedtest went full blast: 199 megabits/s. The processor spiked a single core at 80%. Considering I gave pfSense 2 cores, very acceptable.

    Responsiveness: excellent, especially with VirtIO drivers in KVM.

    Power usage: it's running on a device that is on all the time anyway. The NUC itself maxes out at 36 watts under full load, but much, much lower idle, as it is most of the time. I should measure this for accurate numbers, but I estimate 10-15 watts is accurate. Not bad considering that this NUC is running:

    - Ubuntu Server bare metal, also running Kodi as media center
    - Ubuntu Server virtualized (running Transmission, SickRage and Plex server)
    - pfSense virtualized

    IPsec IKEv2 VPN for mobile use was a breeze to set up. And all the fun features such as DHCP reservations for a few VMs were easy as pie.

    So there we have it: I now have a fully functional super-strength home gateway that is independent of any hardware platform. If I ever replace my NUC, I simply load the VMs back into the new hypervisor and done.

    Thanks to the pfSense team for their efforts. In my opinion, for my use-case you have soundly beaten ASA ;)
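The single-NIC trunk design above (LAN untagged, WAN on VLAN 10, both bridged into the pfSense VM) has one thing worth checking on the hypervisor: the Ubuntu host itself must never pick up a routable address on the trunk NIC or on the WAN-side VLAN interface and bridge, or the host is sitting on the internet in front of pfSense. The following is an added example, not code from the post or from pfSense; the interface names eth0, eth0.10, br-wan and br-lan are assumptions, and it audits the JSON produced by `ip -j addr show`, with a constructed sample embedded so it runs offline.

```python
import json

# Interface names are assumptions; the post does not name them.
TRUNK = "eth0"                        # NIC on the TL-SG108E trunk port
WAN_IFACES = ("eth0.10", "br-wan")    # VLAN 10 subinterface and its bridge

def global_addrs(iface):
    """Addresses with global scope; link-local fe80:: entries are ignored."""
    return [f'{a["local"]}/{a["prefixlen"]}'
            for a in iface.get("addr_info", []) if a.get("scope") == "global"]

def audit(ip_json):
    """Parse `ip -j addr show` output; return findings (empty list = clean)."""
    findings, present = [], set()
    for iface in json.loads(ip_json):
        name, addrs = iface["ifname"], global_addrs(iface)
        present.add(name)
        if name == TRUNK and addrs:
            findings.append(f"{name}: trunk NIC holds {addrs}; it should only be a bridge member")
        if name in WAN_IFACES and addrs:
            findings.append(f"{name}: host holds WAN address {addrs}; hypervisor is exposed in front of pfSense")
    for name in (TRUNK, *WAN_IFACES):
        if name not in present:
            findings.append(f"{name}: missing; VLAN 10 trunk is not set up")
    return findings

# Constructed sample: the host's WAN bridge picked up a DHCP lease from the modem.
EXPOSED = json.dumps([
    {"ifname": "eth0", "addr_info": []},
    {"ifname": "eth0.10", "addr_info": [
        {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
    {"ifname": "br-wan", "addr_info": [
        {"family": "inet", "local": "198.51.100.23", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "br-lan", "addr_info": [
        {"family": "inet", "local": "192.168.20.2", "prefixlen": 24, "scope": "global"}]},
])
# Constructed sample: same layout with the WAN bridge left unaddressed, as it should be.
_clean = json.loads(EXPOSED)
_clean[2]["addr_info"] = []
CLEAN = json.dumps(_clean)

if __name__ == "__main__":
    for label, sample in (("exposed", EXPOSED), ("clean", CLEAN)):
        print(label, audit(sample) or "OK")
```

On the real host, pipe `ip -j addr show` into `audit()`; a clean result plus a DHCP client that is only bound to br-lan is what keeps the hypervisor behind pfSense.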