DIY-Solution or SG-1000 or SG-3100? Home-Office Tunnel for small networks

    I would like to change my router at home and the router in my office. I would like to have a stable tunnel (IPsec?) between those locations, through which Windows shares can also be accessed. I first tried it with pfSense on a VM on my QNAPs, but Windows shares just don't want to work. So I guess it is better to change the routers and place pfSense where it belongs: in front of my networks.

    My cable Internet is 125/10 at home and 80/12.5 in my office. OpenVPN via QNAP worked. Not fast, but about 80% of the ISP uplink speed. There are two or three laptops involved that should also be able to connect from the road via LTE -> VPN. In the office there are only three people, at home 4-6 people. So it's quite a small network environment.

    I found the ZOTAC CI327 and the SHUTTLE DH110, but it seems as if those are not 100% reliable. The worst thing would be that I am on holiday for one week, the box goes down, and I am not able to reach my shares in the office via VPN for the whole week. So I am not sure if a DIY solution is that great or if I should better go for an SG-1000 or SG-3100.

    2.5.0 is coming closer and I do not know what to choose now. What would you suggest? DIY, SG-1000 or SG-3100?

  • If you need something now, I would recommend two of these…

    If you need more ports, use a switch with it.

    If you don’t need something immediately, I would wait for the new product release and then compare specs with what you need/want.

    You mentioned VPN. If you are even considering using OpenVPN, mark the SG-1000 off your list. Not enough horsepower. I can’t speak to IPSec, only OpenVPN on it.

  • I have a couple of friends using HP T620-Plus thin clients with either a 2-port or 4-port half-height Intel or Broadcom gigabit PCIe NIC installed. The machines are 2 GHz quad-core AMD and support AES-NI. The thin clients and NICs can be found for reasonable prices on eBay. One thing to note is that the T620-Plus comes with a variety of memory and storage options. A box with 4 GB RAM and a 16 GB SSD should be sufficient for a basic firewall. Upgrading the storage is possible, but can be pricey. Another thing to note is that the box has a single Realtek interface onboard. I have only ever used the Realtek interface as a local hands-on rescue interface, and do not rely on it to pass routine traffic.

    For VPN tunnels I have switched from IPSec to OpenVPN on a high port because my ISP throttles IPSec on the residential side.

    The thin clients and NICs can be found for reasonable prices on eBay.

    I've always wondered about that. Every time I see a T620 on eBay, it always has 5-20 guys watching it. I've always been suspicious of auction snipers, and I wonder how much that unit really sells for when they always have a lot of eyeballs. I've been in that situation where I watch an auction that is listed for $X, and when the time comes, the snipers move in and the item finally sells for $X+++.

  • It has to be the T620-Plus to take a NIC. Save a search for the item as "buy it now", and have eBay email you notifications. You might catch one coming through for less. For a nice "refurb" with all the plastics, an AC adapter, and stand you're looking at ~$120 + shipping. I have definitely seen nice ones come through for less. The hardware is surprisingly snappy. Before it got relegated to firewall duty my friend was using one as a super compact desktop, and for actual work it was quite acceptable.

    Caution: The T610-Plus is only dual-core and does not support AES-NI, which will be required when pfSense 2.5 drops.
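A quick way to verify the AES-NI point raised above on a candidate box before trusting it with the VPN, as an added example that is not part of this thread: a small POSIX shell helper that inspects the CPU feature flags the way Linux (/proc/cpuinfo "flags" line, lowercase "aes") and FreeBSD/pfSense (dmesg "Features2=...<...,AESNI,...>" line) report them. The sample flag lines below are constructed for illustration and are not captured from a real T620 or T610; the "vaes" flag in the negative sample is there to show that the match is on the whole word, not a substring.

```shell
#!/bin/sh
# Added example (not from the forum thread): detect AES-NI from a CPU
# feature line in either Linux or FreeBSD format.

# has_aesni LINE
#   Returns 0 if LINE advertises AES-NI, 1 otherwise.
#   Linux lists the flag as "aes"; FreeBSD lists it as "AESNI".
#   The boundary classes stop "vaes" (vector AES) from matching.
has_aesni() {
    printf '%s\n' "$1" | grep -Eqi '(^|[ ,<])aes(ni)?([ ,>]|$)'
}

# detect_aesni_live
#   Reads the running system: /proc/cpuinfo on Linux, /var/run/dmesg.boot
#   on FreeBSD (what pfSense runs on). Returns 0/1 as above, 2 if neither
#   source is readable.
detect_aesni_live() {
    if [ -r /proc/cpuinfo ]; then
        has_aesni "$(grep -m1 '^flags' /proc/cpuinfo)"
    elif [ -r /var/run/dmesg.boot ]; then
        has_aesni "$(grep -m1 'Features2=' /var/run/dmesg.boot)"
    else
        echo "no CPU feature source found" >&2
        return 2
    fi
}

# Constructed sample lines (assumed formats, not copied from real hardware).
SAMPLE_LINUX_AES='flags : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx f16c lahf_lm'
SAMPLE_LINUX_NOAES='flags : fpu vme de pse tsc msr pae sse sse2 ssse3 popcnt vaes lahf_lm'
SAMPLE_FREEBSD_AES='  Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,AVX,F16C>'
SAMPLE_FREEBSD_NOAES='  Features2=0x209<SSE3,MON,SSSE3>'

# report LABEL LINE: human-readable wrapper around has_aesni
report() {
    if has_aesni "$2"; then
        echo "$1: AES-NI present"
    else
        echo "$1: AES-NI absent (expect poor OpenVPN/IPsec throughput)"
    fi
}

# Run the samples; pass --live to also check the machine this runs on.
report "linux sample" "$SAMPLE_LINUX_AES"
report "linux sample (vaes only)" "$SAMPLE_LINUX_NOAES"
report "freebsd sample" "$SAMPLE_FREEBSD_AES"
report "freebsd sample (no AESNI)" "$SAMPLE_FREEBSD_NOAES"
if [ "${1:-}" = "--live" ]; then
    detect_aesni_live && echo "this host: AES-NI present" || echo "this host: AES-NI absent or unknown"
fi
```

On a pfSense box the same information is shown on the dashboard as "AES-NI CPU Crypto", so the helper is mainly useful when evaluating second-hand hardware from a rescue shell before pfSense is installed.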

  • And you guys think the T620 Plus is a reliable solution? Something that lets me sleep at night? I am a bit of a scaredy cat... but my router in the office is an Asus RT-16, so it can't get worse anyway :)

  • Netgate Administrator

    You are limited by the upload speed there at both ends so VPN will never be that fast.

    I would still want an SG-3100 there though. Or the MBT boxes as linked above.

    You don't need 4GB of RAM for the vast majority of setups.


  • The HP thin clients are pretty darn robust. My friend specced a T620+ and a UPS for his sister in law on the West coast, to run her home network along with a Ubiquiti POE switch, and a trio of access points.

    Another friend has a T620+ teamed with a dd-wrt router in AP mode for his home/home-office.

    Yet another friend has an HP T5730 thin client hot-rodded with a dual-core CPU, using a USB Ethernet dongle to drive his home network with multiple VLANs across a cheap Dell PowerConnect switch, a Ubiquiti AP, and a Rosewill/dd-wrt AP connected over powerline Ethernet for his roommate. That last junky USB Ethernet setup includes segregated leaseholder, roommate, and guest VLANs to share cable Internet, with limiters, along with a VLAN dedicated to a Cisco VPN terminator connecting a video phone and a VoIP phone for telepresence language interpretation in courtrooms across the country.

    I have also managed several systems based on the dual core HP T610+.

    The HP thin clients are pretty tough and reliable little machines.

    The multi-core AMD chips do run on the warm side when compared to Intel devices, but they are designed for it.

    Here is a snap of the status for my friend's sister-in-law's machine. It lives in a closet with the POE switch, also runs the Ubiquiti UniFi controller, and collects stats via ntopng. It will idle down to 800 MHz under powerd. It will not be updated to 2.4.4-RELEASE until the PPPoE issues are ironed out.

    [Screenshot: Screen Shot 2018-10-10 at 6.40.20 PM.png]

  • Thank you all for your suggestions. I will decide between an SG-3100 or an HP Thin Client. But I will also have a closer look at the MBT-4220.

    You helped me very much, because the essential point that you pointed out is: do not use a DIY machine in a production environment if you don't know exactly what you are doing.

  • And all of a sudden I see those APU2C0 boxes :) They seem to be another cool solution, right?

  • @syserr_01 I wouldn't go for an APU2C0 unless I was buying in volume; you only save $7 by dropping the third ethernet port. Similarly for $26 I'd probably get the 4GB RAM rather than the 2GB RAM because why not. But otherwise, yeah, they're useful and low-cost boxes. The main issue with them is that the cost varies widely depending on where you are. In the US they're ~$150 total. In some places they cost more than building out a mini-ITX intel box. The weirdness of international trade.

    ... the T620 Plus is a reliable solution? Something that lets me sleep at night?

    The HP thin clients are pretty darn robust.

    Sorry, have to disagree here.
    We put a couple of those devices behind touchscreens to work as their brains and connect to the control system. Four out of five failed within the first year of use. So the reliability score is nowhere near as good as expected.

    This also means that I wouldn't sleep well knowing I rely on these devices.

    When it's important to you to have the service up and running when you're away then nothing beats new, reliable hardware custom made for this task.
    Granted, these can fail as well but it's not as likely.

