Home Router Recommendation



  • I've been doing countless hours of research and have put a lot of thought into what I want to get for what will become my pfSense router. I'm having trouble determining what's needed for my usage so that I don't go overboard and stretch my budget for this out any further.

    I've narrowed it down, CPU wise, to the C2758, C2750, and the N3700. Supermicro makes mini-ITX boards that are well known around here for each of these CPU's.

    Wants:
    Small, low power box
    Gigabit LAN throughput (No Gigabit WAN, not concerned about that). I don't really use VPN at all, or anything else similar. Don't really plan to, but it not sucking at running 1 would be nice. I'll run some packages, but from what I could tell, I don't see that I'll do much that would utilize AES-NI or QuickAssist much at all. That makes it hard for me to stomach the cost of a C2758 build, as when QuickAssist is available, will I really use it anyways? The C2750 with its turbo boost sounds better for me. Perhaps the N3700 is enough. Any help based on my usage is appreciated. Some sample stuff on my network.

    AC Wireless Access Point
    Just a handful of wireless devices
    Image backups done regularly
    Nothing too burdensome, but some big file transfers I don't want taking any longer than they have to



  • This thread may give you some ideas:

    https://forum.pfsense.org/index.php?topic=110371.0



  • Unless you're routing between LANs with pfsense, the only thing you should be concerned with is WAN throughput, since with a single LAN subnet your internal traffic will never traverse your pfsense box.  Even my retired Neoware CA10 with an 800MHz VIA cpu could handle a 50Mbps connection.  Let us know what your internet connection is, and whether you plan to use pfsense to route between multiple LANs and we can give some more specific advice.



  • For about $60 less than the C2758, you can get a C2558 board.  That is the same thing, but with four cores instead of 8.  Same as the SG-4860 in the pfSense store.  It also idles at about half the power.  Even without Quick Assist, it is good for gigabit WAN today.

    I'm not sure where you're located, but in the US, the C2750 (~$360) is more expensive at NewEgg than the C2758 (~$340).  They even have a refurb 2758 board that comes in at the same cost (~$270) as the 2558 if you feel brave.

    The Netgate store will ship you a C2558 setup all put together for $550.  For $700, you can get it with an optimized version of pfSense and two support tickets (it will get Quick Assist support first).  Both have a 1 year hardware warranty.  I kind of wish I'd gone that route, just to avoid all the time spent doing research to try to ensure my selections would all work together.

    I wanted to deviate from the popular M350 case and the power supply everyone else seems to use, and I feel like I wasted a bunch of time I could have saved with the pre-made box, though the end result is that I'll have a 2758 for about the same cost as the Netgate 2558.  I thought one of the Supermicro desktop cases looked better than the M350.  Still waiting on parts to show up to report back on how well it worked out.

    As whosmatt says, LAN traffic shouldn't touch your pfSense if you have just a single subnet.  Maybe not even if you have multiple VLANs, if your switch can route those on its own.  Get a good LAN switch and you'll be fine no matter what you go with for the pfSense box.

    You don't mention your WAN speed, what packages you want to run, or preferred budget.  From the details you've given, you won't have to think about any of those details with the 2758 since it will probably be massive overkill, but a few more details could save you some cash by letting you go with smaller hardware.



  • It might sound hard, but it all depends on the real use case and traffic, the installed packages
    and the expected throughput you will need.

    • WAN speed
    • LAN speed
    • number of users
    • amount of traffic
    • installed packages

    If you install pfSense, Squid, Snort, SARG, pfBlockerNG, Dpinger, ClamAV and CaptivePortal
    and all is mostly fine, then together with an ISP internet line upgrade you will not be happy.

    Go and get an SG-2240 or SG-4860 to be sure you will benefit the most from pfSense.
    Take an mSATA and WiFi card if needed and you will be sorted for a longer time than you
    might be thinking of. Or if WiFi ac is needed go with a UBNT ac WLAN AP. The more
    you pay now or today, the longer this box will be really working well for you!

    Let us say you will be paying for a C2558 device from the pfSense store (SG-4860) and you
    pay $700; this might then be running for 6 years for you. It is then:
    6 years x 12 months = 72 months and $700 : 72 months = less than ~$10 each month without
    any pain or compatibility issues and pre-tuned on top.



  • If the A1SRI-2358F would actually become available in the wild it would be a perfect fit for what you describe.



  • Thanks for all these informative replies. I've already learned quite a bit more.

    Internet speed is 117/12Mbps. I'm not really concerned about Gigabit WAN. Sure, over time it will get faster, but not concerned about Gigabit WAN speed.

    I didn't realize traffic wouldn't touch the router if only going through the LAN. I do intend on VLANs in the future, so I'd like to be set up for it. So as long as I get a switch that can handle VLANs itself, that would seem to be fine. Is the typical Smart/Managed switch going to be capable, or is there something better or specific I'd need? I'll need to get one along with the router.

    I convinced myself with more research that the C2558 would be sufficient, not to eliminate any other ones besides the C2758 and the C2750. I hadn't even noticed that the C2750 was actually the most expensive. So cut those two.

    I like the idea of it being custom, not just due to reduced cost. Moving forward, any upgrades can be done without replacing the entire box. I get to pick exactly what I want. I've already spent the time researching anyways to this point. How is pfSense better by it being optimized to their official hardware?

    In regards to packages, I don't quite remember all the ones I wanted to run. pfBlocker sounds familiar, maybe a few others once I look more closely and figure out what I feel is worthwhile and relevant to me.

    Budget wise, I'm flexible. The higher it is, the more I would need to feel benefited from the extra investment. $500 was what I wanted to stay under though.

    Traffic wise, I'm the only user that puts a burden on the network. Streaming, large file transfers, locally and remotely.



  • @Iceman24:

    I didn't realize traffic wouldn't touch the router if only going through the LAN. I do intend on VLANs in the future, so I'd like to be set up for it. So as long as I get a switch that can handle VLANs itself, that would seem to be fine. Is the typical Smart/Managed switch going to be capable, or is there something better or specific I'd need? I'll need to get one along with the router.

    A Smart/Managed switch is what you want.  Lots of opinions on those.  I have a TrendNET TEG-240WS that seems to work well enough, though the web interface hangs sometimes and needs a reboot and I'm still working my way through VLAN issues. Trying to isolate the guest wifi from the real one, sourcing from the same WAP.  Things aren't working how I expect, but I don't know whose fault that is yet.  Probably mine, at the end of the day.  ;)  The switch itself seems to work fine as a switch though.

    I also am playing with a TP-Link TL-SG108E for another project.  Even using it only as a switch, I see lots of issues with persistent connections through it, so can't recommend right now.  In particular my network debugger works extremely poorly through it (fine through the TrendNet above).  Might be a firmware issue, I just recently got it and haven't had time to sort out the issues.

    HP Procurve and Cisco options have been discussed in recent threads here.  Hard to go wrong with enterprise gear, though it can be spendy.  I've also heard good stuff about Dell PowerEdge.  People that know more about those models than I do should make recommendations, but they'll need to know how many network connections you have, etc.  I'm happy enough with my TrendNET for the price that I won't mess with it unless it turns out to be the root of my VPN issues (which I don't expect).

    @Iceman24:

    I like the idea of it being custom, not just due to reduced cost. Moving forward, any upgrades can be done without replacing the entire box. I get to pick exactly what I want. I've already spent the time researching anyways to this point. How is pfSense better by it being optimized to their official hardware?

    There are unspecified optimizations made to the special images the higher cost version of the hardware from the pfSense store use.  I have also seen threads (citation needed) that say the custom images for the pfSense models sometimes get new features earlier than the mainline branches.  In particular, QuickAssist was mentioned in the thread I recall.



  • Internet speed is 117/12Mbps. I'm not really concerned about Gigabit WAN. Sure, over time it will get faster, but not concerned about Gigabit WAN speed.

    Depending only on this, you might be happy with the APU2C as a bundle for $173 including shipping and tax.

    I didn't realize traffic wouldn't touch the router if only going through the LAN. I do intend on VLANs in the future, so I'd like to be set up for it. So as long as I get a switch that can handle VLANs itself, that would seem to be fine. Is the typical Smart/Managed switch going to be capable, or is there something better or specific I'd need? I'll need to get one along with the router.

    The Cisco SG300 or D-Link DGS1510 switches are powerful enough to route the entire traffic
    between the VLANs at wire speed, so that workload could be taken from the pfSense box with
    ease. And these switches you will mostly be keeping in use longer than the pfSense box!

    I like the idea of it being custom, not just due to reduced cost. Moving forward, any upgrades can be done without replacing the entire box. I get to pick exactly what I want. I've already spent the time researching anyways to this point.

    The other two options are also very strong and capable of routing all you need and upgradeable with ease,
    but not so low in power use as the APU2C4 named above.

    • Jetway NF9HG-2930 & M350 case & max. 8 GB RAM & mSATA & WiFi card (if needed)
      Able to route 1 GBit/s, low power use and small
    • ASUS Q87T & max. 16 GB & Intel i350 NIC & mSATA & WiFi (if needed)
      Upgradeable (RAM & CPU), supports a wide range of CPUs from the lower bottom to the high top

    How is pfSense better by it being optimized to their official hardware?

    It is pre-tuned and gets some new features perhaps earlier than the other users, like Intel QAT,
    but with a really strong machine that supports AES-NI you could not be doing anything wrong.

    In regards to packages, I don't quite remember all the ones I wanted to run. pfBlocker sounds familiar, maybe a few others once I look more closely and figure out what I feel is worthwhile and relevant to me.

    This would be the most important thing here at all after the WAN speed and number of users.

    Budget wise, I'm flexible. The higher it is, the more I would need to feel benefited from the extra investment. $500 was what I wanted to stay under though.

    ASUS Q87T is here for ~150 €
    Intel Xeon E3-1241v3 is here for ~120 € (on eBay refurbished)
    16 GB from Crucial is here for ~80 €
    Intel i350 quad Port NIC is able to get for ~80 € (refurbished)
    mini-ITX case with PSU ~80 €

    Traffic wise, I'm the only user that puts a burden on the network. Streaming, large file transfers, locally and remotely.

    Locally that must not run through the pfSense, so a small Layer 3 switch will be the best thing to get your
    hands on for getting wire speed.



  • I believe ALIX APU series will work for you, but recently I also built one very low power 4-port router myself, you might refer to this post.

    @Iceman24:

    I've been doing countless hours of research and have put a lot of thought into what I want to get for what will become my pfSense router. I'm having trouble determining what's needed for my usage so that I don't go overboard and stretch my budget for this out any further.

    I've narrowed it down, CPU wise, to the C2758, C2750, and the N3700. Supermicro makes mini-ITX boards that are well known around here for each of these CPU's.

    Wants:
    Small, low power box
    Gigabit LAN throughput (No Gigabit WAN, not concerned about that). I don't really use VPN at all, or anything else similar. Don't really plan to, but it not sucking at running 1 would be nice. I'll run some packages, but from what I could tell, I don't see that I'll do much that would utilize AES-NI or QuickAssist much at all. That makes it hard for me to stomach the cost of a C2758 build, as when QuickAssist is available, will I really use it anyways? The C2750 with its turbo boost sounds better for me. Perhaps the N3700 is enough. Any help based on my usage is appreciated. Some sample stuff on my network.

    AC Wireless Access Point
    Just a handful of wireless devices
    Image backups done regularly
    Nothing too burdensome, but some big file transfers I don't want taking any longer than they have to



  • Thanks for the additional knowledge. It is actually starting to confuse me and question my approach here, which is good for the long run, but bad until I figure this out.

    I've realized I don't need strong hardware for the router. Perhaps, for simplicity's sake, I'm considering official models from pfSense. Even the SG-2220, which I'm trying to determine if it would be enough. 2GB RAM seems like it'd be alright. I can always get an M.2 SATA drive if needed, down the road.

    In regards to the Layer 3 switch which seems ideal for the VLAN stuff and keeping internal traffic at or around wire speed. Small is fine, even 8 ports. Anything much bigger wouldn't fit anyways and would kill my budget. One thing to ask is that I have 4-5 devices I'd connect via Ethernet in my office where the router is. I have another switch in the entertainment center for media devices and another desktop that connects to that 5-port unmanaged switch in the other room. Would that switch need to be just a VLAN-aware switch, layer 2?



  • I took the easy route and got an SG-2440 and it made no sense not to get the SSD at the same time. Now I have a simple, small, low power and supported box and the work of converting to an SSD is never going to be needed. Deciding on the four or two port versions is a bit more of a challenge, I went with the four port because if I needed more ports in the future I'd have to buy one anyway.

    Unless you need some inter-LAN routing you can hook a good quality switch to the SG-2440 and connect your other switches to it and all your devices will be able to communicate. If you want to segregate the devices and limit communication between the groups then the extra ports on the SG-2440 will allow you to have three LANs and control each of them individually.



  • @stan-qaz:

    Unless you need some inter-LAN routing you can hook a good quality switch to the SG-2440 and connect your other switches to it and all your devices will be able to communicate. If you want to segregate the devices and limit communication between the groups then the extra ports on the SG-2440 will allow you to have three LANs and control each of them individually.

    I'm looking at the Cisco 300 series managed switches that support Layer 3 Switching. I wanted VLANs at some point, so I'm thinking that the SG-2220 or anything with just 2 Ethernet ports will suffice for this. I still do wonder about whether basic layer 2 smart switches can handle that being connected to a Layer 3 Switch, thus eliminating any need for more than 1 LAN port on the router.



  • As far as LAN speeds, if you have squid installed on the router with local cache turned on, the speed at which the client can download from the router will depend on CPU, NIC and storage medium. If you want gigabit LAN speed from the router's cache then you will need an SSD, gigabit NIC and enough CPU power to push the data.



  • I'm wondering if a Layer 3 Switch is really necessary for my needs. It seems like a piece that is above my needs for such a small network that I have. I want at or near Gigabit LAN transfer speeds, but I have such little traffic. Most of it is from me. No more than a dozen or so devices at any given time, most of them not really doing anything. Simultaneous usage would be just a handful of devices at one time. One man can only do so much. Would a Layer 2 Switch suffice? Are there certain demands my switch must meet to deliver Gigabit-ish speeds?



  • Not really, HDD speed is important, but CPU not that important unless you are building intercepting proxy (e.g. HAVP, other content filtering), and you don't even need too much RAM on the machine as well since squid has a pretty low memory requirement. 8 years ago I built pfSense with Squid for my office, just a cheap Pentium D CPU + 2GB ram, and that firewall was serving 150-200 person already.

    @aGeekHere:

    As far as LAN speeds, if you have squid installed on the router with local cache turned on, the speed at which the client can download from the router will depend on CPU, NIC and storage medium. If you want gigabit LAN speed from the router's cache then you will need an SSD, gigabit NIC and enough CPU power to push the data.



  • Traffic wise, I'm the only user that puts a burden on the network. Streaming, large file transfers, locally and remotely.

    and

    I wanted VLANs at some point, ...

    Why pump all traffic through the pfSense box?
    Why not push large files from one VLAN to another one directly?
    When changing the pfSense box hardware in some or many years, the Cisco SG300 will still be running fine!
    For nearly wire speed between the VLANs it should be a Layer 3 switch or really strong pfSense hardware.



  • @BlueKobold:

    Why pump all traffic through the pfSense box?
    Not sure what you mean. I don't want to pump any traffic unnecessarily through anything. I'm trying to figure out the best way to do this.
    Why not push large files from one VLAN to another one directly?
    Again, not sure what you mean exactly. I don't have plans to push large files from one VLAN to another, probably just on the same one. They'd be mostly computer image backups and some other backups as well.
    When changing the pfSense box hardware in some or many years, the Cisco SG300 will still be running fine!
    For nearly wire speed between the VLANs it should be a Layer 3 switch or really strong pfSense hardware.

    If I didn't need wire speed between VLANs and only needed it within the same one, does that change anything?



  • @Iceman24:

    I'm wondering if a Layer 3 Switch is really necessary for my needs. It seems like a piece that is above my needs for such a small network that I have. I want at or near Gigabit LAN transfer speeds, but I have such little traffic. Most of it is from me. No more than a dozen or so devices at any given time, most of them not really doing anything. Simultaneous usage would be just a handful of devices at one time. One man can only do so much. Would a Layer 2 Switch suffice? Are there certain demands my switch must meet to deliver Gigabit-ish speeds?

    A Layer 3 switch is the fastest, but not only option.  A Layer 2 switch will force your pfsense box to handle inter-VLAN traffic.  With a decent CPU and NICs this won't be a problem.  I actually prefer the latter solution in many cases because you don't have to maintain multiple ACLs; all your rules are on the firewall page of the pfsense box.  If you worry about saturating your LAN interface on pfsense with inter-VLAN traffic, this is where link aggregation can help.  Since you're already using VLANs, you can aggregate the two (or more) physical interfaces into a single logical interface. Any single connection will still only use one NIC, but subsequent connections will balance out over the group, allowing, say, a large file transfer between VLANs to saturate one NIC while internet connections from other machines use another NIC and thus aren't affected speed-wise.  Even the cheapest "smart" switches support this.  It's not a bad way to go, especially for a home network, and will work just fine provided your pfsense hardware can handle the load.  Essentially you'll just need to size it for gigabit throughput, as you would if you had a gigabit WAN.



  • @Iceman24:

    If I didn't need wire speed between VLANs and only needed it within the same one, does that change anything?

    Yes, absolutely. I responded to an earlier post of yours before I saw this one.  You'll be fine with a Layer 2 smart switch.  They're cheap and work well.



  • @whosmatt:

    A Layer 3 switch is the fastest, but not only option.  A Layer 2 switch will force your pfsense box to handle inter-VLAN traffic.  With a decent CPU and NICs this won't be a problem.  I actually prefer the latter solution in many cases because you don't have to maintain multiple ACLs; all your rules are on the firewall page of the pfsense box.  If you worry about saturating your LAN interface on pfsense with inter-VLAN traffic, this is where link aggregation can help.  Since you're already using VLANs, you can aggregate the two (or more) physical interfaces into a single logical interface. Any single connection will still only use one NIC, but subsequent connections will balance out over the group, allowing, say, a large file transfer between VLANs to saturate one NIC while internet connections from other machines use another NIC and thus aren't affected speed-wise.  Even the cheapest "smart" switches support this.  It's not a bad way to go, especially for a home network, and will work just fine provided your pfsense hardware can handle the load.  Essentially you'll just need to size it for gigabit throughput, as you would if you had a gigabit WAN.

    Thanks. This sounds good to me. For the link aggregation, I'd be connecting 2 LAN ports from my pfSense box to 2 LAN ports on my Layer 2 Switch? If indeed so, obviously, I'd need a pfSense box with more than 2 total Ethernet ports.



  • @Iceman24:

    Thanks. This sounds good to me. For the link aggregation, I'd be connecting 2 LAN ports from my pfSense box to 2 LAN ports on my Layer 2 Switch? If indeed so, obviously, I'd need a pfSense box with more than 2 total Ethernet ports.

    Not necessarily.  If you're using VLANs from the start, your internet connection can reside on one of them as well.  In that case you'd plug your modem into a switch port on the VLAN you've designated for internet.  This is how I do it with all my pfsense installs at work.  In the one case where we're using a physical machine rather than virtual, the box has 2 NICs, aggregated into a single LAGG.  Then, we define VLANs on top of that, and the internet router is connected to a switch port that is configured to the corresponding VLAN (the WAN interface on pfsense).  What you end up with is a pfsense box with one logical physical connection but VLANs on top of that.  It sounds more complicated than it is, but it's really pretty simple.  Glad to provide help if you need it.

    Quick edit:  In short, you really only need 2 physical NICs for the scenario I'm describing.  Downside is that you lose a switch port for your cable modem or whatever internet equipment your ISP provides.



  • @whosmatt:

    Not necessarily.  If you're using VLANs from the start, your internet connection can reside on one of them as well.  In that case you'd plug your modem into a switch port on the VLAN you've designated for internet.  This is how I do it with all my pfsense installs at work.  In the one case where we're using a physical machine rather than virtual, the box has 2 NICs, aggregated into a single LAGG.  Then, we define VLANs on top of that, and the internet router is connected to a switch port that is configured to the corresponding VLAN (the WAN interface on pfsense).  What you end up with is a pfsense box with one logical physical connection but VLANs on top of that.  It sounds more complicated than it is, but it's really pretty simple.  Glad to provide help if you need it.

    Quick edit:  In short, you really only need 2 physical NICs for the scenario I'm describing.  Downside is that you lose a switch port for your cable modem or whatever internet equipment your ISP provides.

    Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?

    In regards to the quick edit, the downside is having one extra port being taken up on switch? If so, that's fine. Clarify the 2 physical NICs needed, as this setup is something I'm still trying to grasp, being new to me. Thanks again.



  • @Iceman24:

    @whosmatt:

    Not necessarily.  If you're using VLANs from the start, your internet connection can reside on one of them as well.  In that case you'd plug your modem into a switch port on the VLAN you've designated for internet.  This is how I do it with all my pfsense installs at work.  In the one case where we're using a physical machine rather than virtual, the box has 2 NICs, aggregated into a single LAGG.  Then, we define VLANs on top of that, and the internet router is connected to a switch port that is configured to the corresponding VLAN (the WAN interface on pfsense).  What you end up with is a pfsense box with one logical physical connection but VLANs on top of that.  It sounds more complicated than it is, but it's really pretty simple.  Glad to provide help if you need it.

    Quick edit:  In short, you really only need 2 physical NICs for the scenario I'm describing.  Downside is that you lose a switch port for your cable modem or whatever internet equipment your ISP provides.

    Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?

    In regards to the quick edit, the downside is having one extra port being taken up on switch? If so, that's fine. Clarify the 2 physical NICs needed, as this setup is something I'm still trying to grasp, being new to me. Thanks again.

    Yeah, I realized after I posted that the last time I did this on pfsense I actually had to do some manual config file editing because there was no LAGG setup in the console.  I haven't set up a box from scratch with a build newer than 2.1 in a while, but the last time I set up a FreeNAS machine I was able to do it all from the console so maybe pfsense has followed suit.  I'll have to fire up a VM and have a look.

    Anyway, basic idea is this:

    Let's say your pfsense box has 2 Intel NICs using the em driver.  em0 and em1.  Without LAGG, when you assign VLANs to one of those NICs (the parent interface), you get a new logical interface.  I'll use VLAN 20 in this example (the actual ones you use are arbitrary for the most part; you have over 4000 to choose from).  So VLAN 20 with parent interface em1 becomes an interface in pfsense called em1_vlan20.  You can then assign that interface as your LAN, WAN, whatever you want.  Rinse and repeat with as many VLANs as you like.  The cable plugged into em1 will carry tagged traffic from any VLAN that has em1 as its parent interface.  The switch's job is to interpret this traffic and send it to ports in the same VLAN.  So, if em1_vlan20 is your WAN interface, an untagged port on your switch in VLAN 20 plugged into your modem will function the same as if the modem was plugged directly into a physical interface on pfsense.

    With me so far?  Now, we add one more layer of abstraction to the config.  LAGG (link aggregation group) turns a group of NICs and switchports into a single logical connection.  It can increase bandwidth and be fault tolerant (traffic keeps flowing, for example, if one link goes down).  So, in pfsense em0 and em1 are used to create a LAGG, which then becomes another interface in pfsense, lagg0.  If you define your VLANs with lagg0 as the parent interface, you get (again using VLAN 20 as an example) a new logical interface called lagg0_vlan20.  You can assign that as your WAN port.  As long as the switch is configured correctly, you can plug either or both em0 and em1 into either or both of the corresponding LAGG ports on your switch and the end result is the same as the former scenario except now you've got redundancy and twice the bandwidth, at least in a scenario where you have multiple connections.  A single file transfer, for example, could consume up to 1Gbps while still leaving the other physical NIC free to handle any other traffic on the network.  It's a type of load balancing.

    Whew.  And after typing all that I realize it may be way overkill for a beginner, and definitely not for the faint of heart if the pfsense initial config console still doesn't have the LAGG stuff in it.  But when you see it work, it's pretty rad.

    And an edit.  The TL;DR on all of this is that if you're using VLANs from the start you really only need one physical NIC.  Adding LAGG on top of that setup will increase potential bandwidth and add a layer of redundancy, at the expense of switchports.



  • Here's what it looks like in practice, and please excuse the messy naming conventions, this is one of my oldest and most hacked up installs.  But it works great!


    The config problems I alluded to in my previous post are because, as you can see, you can only add unassigned interfaces to a LAGG.  This box only has two.  Without one configured as a LAN port, management of the box is from the console only.  But that can be worked around.  In my case, I set up all the VLANs on bce0 first, got the box up and running, then used a VM to see what the LAGG config looked like in the config file.  Downloaded my config file, added the LAGG config, and then changed every interface definition from bce0_vlanx to lagg0_vlanx.  Uploaded the modified config, rebooted, and it just works.  It might be easier now.  I know FreeNAS has added that ability into their console based setup.  If pfsense hasn't, they should :D
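    The config.xml edit described in the post above (VLANs first built on bce0, then every bce0_vlanX assignment renamed to lagg0_vlanX and a LAGG section added), as an added worked example of my own, not whosmatt's script and not anything pfSense ships. The element names (<vlans>/<vlan> with <if>, <tag>, <vlanif>; <laggs>/<lagg> with <members>, <laggif>, <proto>; <interfaces>/<wan|lan|optN> with <if>) are what I recall from pfSense's config format and are an assumption, as is the sample config, which is constructed; compare against a config exported from your own box before uploading anything this produces. It also enforces the rule quoted in the post that only unassigned NICs can join a LAGG.

```python
"""Re-parent pfSense VLAN interfaces from one NIC onto a LAGG in config.xml.

Element names are assumed (from memory of pfSense's config.xml), not taken
from pfSense documentation: verify against your own exported config.
"""
import xml.etree.ElementTree as ET

# Constructed sample: both VLANs on bce0, WAN on VLAN 20, LAN on VLAN 10
# (addressing mirrors the 10.233.233.1/24 example used in the thread).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan>
      <enable></enable>
      <if>bce0_vlan20</if>
      <descr>WAN</descr>
      <ipaddr>dhcp</ipaddr>
    </wan>
    <lan>
      <enable></enable>
      <if>bce0_vlan10</if>
      <descr>LAN</descr>
      <ipaddr>10.233.233.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
  <vlans>
    <vlan><if>bce0</if><tag>10</tag><descr>LAN</descr><vlanif>bce0_vlan10</vlanif></vlan>
    <vlan><if>bce0</if><tag>20</tag><descr>WAN</descr><vlanif>bce0_vlan20</vlanif></vlan>
  </vlans>
</pfsense>
"""

# Constructed negative case: bce0 itself is assigned untagged as LAN, which
# pfSense does not allow for a LAGG member (only unassigned NICs may join).
SAMPLE_BAD_CONFIG = SAMPLE_CONFIG.replace("<if>bce0_vlan10</if>", "<if>bce0</if>")


def vlan_ifname(parent, tag):
    """pfSense names a VLAN interface <parent>_vlan<tag>, e.g. lagg0_vlan20."""
    return f"{parent}_vlan{tag}"


def _assigned_members(root, members):
    """[(assignment, nic)] for member NICs that are assigned untagged."""
    hits = []
    for iface in root.find("interfaces"):
        nic = iface.findtext("if", "")
        if nic in members:
            hits.append((iface.tag, nic))
    return hits


def lagg_conflicts(config_xml, members):
    """Public check: which of the would-be LAGG members are still assigned."""
    return _assigned_members(ET.fromstring(config_xml), members)


def move_vlans_to_lagg(config_xml, members, laggif="lagg0", proto="lacp"):
    """Return (new_xml, renames): VLANs parented on a member NIC are moved to
    the LAGG, <interfaces> assignments are updated, and the LAGG is defined."""
    root = ET.fromstring(config_xml)
    if root.find("interfaces") is None or root.find("vlans") is None:
        raise ValueError("config has no <interfaces> or <vlans> section")
    conflicts = _assigned_members(root, members)
    if conflicts:
        raise ValueError(f"unassign these before building the LAGG: {conflicts}")

    # 1. Re-parent the VLANs and remember old -> new interface names.
    renames = {}
    for vlan in root.find("vlans").findall("vlan"):
        parent = vlan.findtext("if")
        if parent not in members:
            continue
        tag = vlan.findtext("tag")
        old = vlan.findtext("vlanif") or vlan_ifname(parent, tag)
        new = vlan_ifname(laggif, tag)
        vlan.find("if").text = laggif
        vlanif = vlan.find("vlanif")
        if vlanif is None:
            vlanif = ET.SubElement(vlan, "vlanif")
        vlanif.text = new
        renames[old] = new

    # 2. Point WAN/LAN/OPTx assignments at the renamed VLAN interfaces.
    for iface in root.find("interfaces"):
        if_el = iface.find("if")
        if if_el is not None and if_el.text in renames:
            if_el.text = renames[if_el.text]

    # 3. Add the LAGG definition; refuse to clobber an existing one.
    laggs = root.find("laggs")
    if laggs is None:
        laggs = ET.SubElement(root, "laggs")
    if any(l.findtext("laggif") == laggif for l in laggs.findall("lagg")):
        raise ValueError(f"{laggif} is already defined")
    lagg = ET.SubElement(laggs, "lagg")
    ET.SubElement(lagg, "members").text = ",".join(members)
    ET.SubElement(lagg, "descr").text = "trunk to switch LAG group"
    ET.SubElement(lagg, "laggif").text = laggif
    ET.SubElement(lagg, "proto").text = proto
    return ET.tostring(root, encoding="unicode"), renames
```

    Run it on a downloaded config.xml, diff the output against the original, and only then upload it through the GUI's config restore; the switch side (a LAG group with the same VLANs tagged on it) still has to be built by hand.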



  • Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?

    To answer this specific question, all traffic to and from the pfsense box will be handled by two cables, on the switch side they are plugged into a LAG port group, and on the pfsense side they are plugged into two NICs configured in a LAGG (the terminology is LAGG, LAG, LACP, and maybe some others depending on the vendor).  We're using VLANS, so all the traffic, WAN included, is trunked over those cables.  With the LAGG setup you can unplug one of those two cables from either the switch or pfsense and traffic will be uninterrupted.  The two cables are just to increase the potential bandwidth of the connection between your networks.



  • A quick question before responding to everything else. What's the workaround for management access?  Not just locally, but I'd want to be able to log in to the router remotely, so how would I do that in this configuration?



  • One other question. Why wouldn't there just be 1 cable from modem to router WAN port, then 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.



  • @Iceman24:

    A quick question before responding to everything else.. What's the workaround for management access?  Not just locally, but I'd want to be able to log in to the router remotely, so how would I do that in this configuration?

    Your LAN interface would be on a VLAN.  So in my previous example your WAN is on VLAN20.  So let's say your LAN is on VLAN10.  Your computer(s) are plugged into switchports in this VLAN.  The computers don't care what the VLAN is; the switch does the work.  So let's say your pfsense box has its LAN interface as lagg0_vlan10, with an IP address of 10.233.233.1/24.  Any computer plugged into a switch port on VLAN 10 that has an IP address in that same network will be able to communicate with pfsense.

    EDIT:  and for remote access, which some may frown upon, I forward port 8080 to 443 from my WAN to my LAN.  I'm not entirely comfortable with that and wouldn't do it in a corporate environment (I'd use VPN instead) but it's an easy way to gain remote access while not using a common port, which are generally more susceptible to attacks from the internet.

    And one more edit, haha:  The example I posted above is not from my home network.  I live alone and have absolutely no need for that kind of setup. I do use pfsense at home but not in that kind of scenario.



  • @Iceman24:

    One other question. Why wouldn't there just be 1 cable from modem to router WAN port, then 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.

    What I posted is just an example of a way to have pfsense set up with a single logical connection (regardless of whether it's LAGG or just a single NIC; they're both a single logical interface with VLANS on top).  You could very easily have 4 physical interfaces with 2 in a LAGG to connect to your LANs and a single physical interface connected straight to your cable modem.

    I realize I'm providing TMI for a home router build. Apologies.  I just love talking about it, and you must be at least a bit curious if you're even considering pfsense :).  Just stick to the basics, buy some hardware that will last a while, and come back and ask questions when you're ready.  The reason I even brought this up is that a) you mentioned VLANS, b) some were suggesting you buy a L3 switch which is nice but not strictly necessary. I'm simply providing a scenario where you can do inter-VLAN routing on a L2 switch with less of a performance hit.



  • @whosmatt:

    What I posted is just an example of a way to have pfsense set up with a single logical connection (regardless of whether it's LAGG or just a single NIC; they're both a single logical interface with VLANS on top).  You could very easily have 4 physical interfaces with 2 in a LAGG to connect to your LANs and a single physical interface connected straight to your cable modem.

    I realize I'm providing TMI for a home router build. Apologies.  I just love talking about it, and you must be at least a bit curious if you're even considering pfsense :).  Just stick to the basics, buy some hardware that will last a while, and come back and ask questions when you're ready.  The reason I even brought this up is that a) you mentioned VLANS, b) some were suggesting you buy a L3 switch which is nice but not strictly necessary. I'm simply providing a scenario where you can do inter-VLAN routing on a L2 switch with less of a performance hit.

    Regarding implementing the VLANs: it wasn't something I planned on doing initially. I could, but I'd like to be set up for it anyways. Let me ask you this. Is there a reason you mentioned modem-to-switch-to-router as the way of connecting versus the more straightforward modem-to-router-to-switch direction? Is that way better for some reason?

    With VLANs, would only the inter-VLAN traffic go through the router? I believe that is yes, even with a layer 2 switch, just wanted clarification. Any other traffic that would stay off the router?

    I wouldn't typically have Gigabit speed traffic going through the network while I was doing anything else, at least not much else at all to the point of caring. Those high speed large file transfers almost only happen while I sleep.

    Even with VLANs, there would hardly be any inter-VLAN traffic that I would need to travel at Gigabit speeds, at least none that I'm aware of at this time. Those transfers would be on the same VLAN.



  • The more I research VLANs and think about it, the more I wonder whether I should bother implementing them, especially at the additional cost. Realistically, I'd probably never have more than 40-50 devices, even if I did complete my dream of an advanced smart home, although perhaps closer to 75-80 if I did. Many of those wouldn't always be on or transmitting or receiving traffic, so I don't know that it's worth even doing.



  • For the scenarios you're describing, VLANS let you separate your network into different subnets (that pfSense can manage effectively) without having to have a different NIC and switch for each subnet.

    Without seeing all the intricate details, I would guess you could benefit from perhaps 3 "internal" subnets: LAN (most stuff), WiLAN (WiFi stuff), OLAN (other stuff you want kept separate).

    To implement without VLANS, you need 4 NICs (or one 4 port NIC) - WAN, LAN, WiLAN, OLAN and three switches to connect the different devices.
    With VLANs, I'd suggest two NICs - WAN and MLAN. MLAN can support as many VLANs as you like (depending on the switch usually up to 4095).  In addition you need only one switch, often making cabling a little cleaner.  The "downside" is the switch needs to be configured and documented so you know what ports service which network.

    Cost wise, the VLAN approach will be moderately higher (although there's tons of good used gear available).  Fixed NICs make the design "simpler" to visualize at a glance, but can get more cumbersome if and when you expand to more subnets.

    You can always plan big, but start small - implement a simple 2 NIC WAN,LAN setup and expand it as necessary.


  • Rebel Alliance Global Moderator

    " especially at the additional cost."

    What, the few bucks more a smart switch costs?  I don't quite yet have your 40 devices, but getting close with 29 that I can count off the top of my head.  Not counting guest wireless devices that might come on and off the network.

    But as more and more things get connected, IoT as we now call it, not segmenting your network seems a pretty lax view of security.  Does that smart thermostat really need to be on the same network as computers?  Does the DVR made in China need to be on that same network?  What about the game console?  Segregation of your network becomes more and more important when you start adding more and more types of devices that may or may not have the best security, and/or maybe phone home, etc..

    Now if you had only devices that you control and put the OS on, etc. What about Billy Bob's laptop that comes over and wants to use your wifi - you sure that thing is not infected with something bad?  Why would you not want that isolated from all your other devices?  Devices that join my guest wifi, I will hand them an IP via DHCP.  And they can ping the gateway to validate they have connectivity.  But other than that they can not talk to any of my other segments, they don't even use my DNS - they get handed the ISP DNS.

    I have another wifi network for my IoT devices that do not support EAP-TLS, I then have my wifi network where I connect my devices via EAP-TLS.  But even this is restricted and does not have full access into my actual LAN network where my workstation and servers and services run.  It has limited access to use my printer, hit my Plex server on the Plex server port, etc.  I currently have 7 different segments/VLANs on my home network.  This allows me to isolate and limit different types of devices to what they need access to and group them with like devices, etc.

    When it comes to VLAN support, you don't need a $1000 enterprise class switch to do this.  I just picked up an 8 port gig Netgear smart switch for $30 for my AV cabinet to replace the aging switch that was in there that had been locking up on me, etc. Pretty disappointed with its feature set, but it does what I needed it to do, which was to understand VLANs.  So in that sense it is fine.  I would like to have been able to monitor it via SNMP, etc.  But this works for VLANs.



  • @Iceman24:

    Regarding implementing the VLANs: it wasn't something I planned on doing initially. I could, but I'd like to be set up for it anyways. Let me ask you this. Is there a reason you mentioned modem-to-switch-to-router as the way of connecting versus the more straightforward modem-to-router-to-switch direction? Is that way better for some reason?

    With VLANs, would only the inter-VLAN traffic go through the router? I believe that is yes, even with a layer 2 switch, just wanted clarification. Any other traffic that would stay off the router?

    I wouldn't typically have Gigabit speed traffic going through the network while I was doing anything else, at least not much else at all to the point of caring. Those high speed large file transfers almost only happen while I sleep.

    Even with VLANs, there would hardly be any inter-VLAN traffic that I would need to travel at Gigabit speeds, at least none that I'm aware of at this time. Those transfers would be on the same VLAN.

    Regarding the LAGG setup, where you'd have the modem connected to a switchport rather than directly to the router, that was just me rambling about ways to speed up inter-VLAN traffic without using a Layer 3 switch, which is a kind of router in its own right.  No need to implement that at all.  Just one of many options.

    With VLANs, traffic originating from a host in a VLAN will not hit the router unless it leaves that VLAN, either to go to another VLAN or to the internet.  In other words, a large file transfer between a workstation and a NAS will never hit the router unless the workstation is in a different VLAN than the NAS.

    With pfsense and a $30 smart switch you'll have all the hardware and software you need for a simple network, or a more advanced one.

    All that said, I'll go ahead and make an admission:  I have the hardware, software and knowledge to use multiple VLANs and even multiple wireless SSIDs in different VLANs for guest networks and the like at home.  But I don't, yet.  Why?  I live alone, for one.  I don't share my network with many guests at all, and those I do, I know well.  I have a few devices (my Airport Express devices that I use to stream audio around the house) that don't like to be on a different network than the devices they're receiving audio from.  But that's just my use case.  The post from johnpoz just below the one I'm replying to is a different use case, and a very good example of where network segmentation with VLANs in a home environment is desirable.



  • Okay, after further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLANs and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.

    I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future-proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.

    Supermicro Mini ITX A1SRI-2558F: $243
    4GB ECC RAM: $33
    120GB SSD: $30 (Already had one, probably no other use for it until now)
    M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
    =$375

    Am I missing anything else I'd need, besides a SATA cable? I have a number of those.



  • Supermicro Mini ITX A1SRI-2558F: $243
    4GB ECC RAM: $33
    120GB SSD: $30 (Already had one, probably no other use for it until now)
    M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
    =$375

    Cisco SG300-10PP-K9-NA ~$199

    or

    Cisco SG300-10-SRW2008-K9-NA ~$189

    $375 + $189 = $564



  • @Iceman24:

    Okay, after further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLANs and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.

    I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future-proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.

    Supermicro Mini ITX A1SRI-2558F: $243
    4GB ECC RAM: $33
    120GB SSD: $30 (Already had one, probably no other use for it until now)
    M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
    =$375

    Am I missing anything else I'd need, besides a SATA cable? I have a number of those.

    That motherboard will run off a 12 volt input. Skip the pico psu and get an adapter cable and 12 volt power brick.



  • @Iceman24:

    Okay, after further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLANs and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.

    I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future-proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.

    Supermicro Mini ITX A1SRI-2558F: $243
    4GB ECC RAM: $33
    120GB SSD: $30 (Already had one, probably no other use for it until now)
    M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
    =$375

    Am I missing anything else I'd need, besides a SATA cable? I have a number of those.

    Sounds like a good build to me.  I like the idea of running off a 12V brick as well, but be careful with that purchase.  In other words, read reviews and get a good one.  Those things always seem to fail on me, and can do really funny things when they do, like causing issues that are really difficult to pin down unless you have another one lying around. Actually I guess that sounds like power supplies in general.

    When you're picking out a switch, it might be best to ask around, since the terminology can be confusing.  There's the "managed switch" which can be L2 or L3, and generally comes with a full set of features including SSH access and a command line (which many people, myself included, who have worked with them find much better than a web interface), and then there's the "smart switches" with perhaps just a web interface, and now "easy smart" with a Java management app, which is what I have at home.  Any of them can do what you want to do in a home network, but the differences in terminology for the various features can be infuriating sometimes.

    Build on. Enjoy.  And keep us updated.

    Matt



  • Thanks, guys. It seems like the most popular one I found that's being used in similar builds is here. http://www.mini-box.com/12v-12-5A-AC-DC-Power-Adapter

    That combo is actually more costly, but seems better, so minor difference in cost is fine. Revised parts list. I added more RAM, too, to be safe and have the interleave benefit, as minor as that may be.

    Supermicro Mini ITX A1SRI-2558F: $243
    8GB Kit of ECC RAM: $62
    128GB SSD: $30 (Refurb Crucial M4, that I've had sitting around way too long)
    M350 Case: $40
    EDAC 12v 12.5a 150w Power Adapter with needed adapter: $44.50
    Female to Female Molex to SATA Cable: ?
    P4 Power Extender Cable: ?
    =$419.50+

    I don't offhand remember pricing on the last 2 cables, too late to look up. Would this be all and sound good then?