Hardware recommendation for homeuse



  • Hi Guys,

    New to the forum but have been browsing for a while so kind of know my way around. My current setup is underperforming for what I need, so desperately looking at a more suitable solution.

    I currently have an Asus AC68U router running Merlin, but with my VPN requirements it is now heavily underperforming.

    I want the following setup (for home network)-

    • normal setup - DNS, dhcp with static ips etc.

    • openvpn server to access my home cctv unit (without having to open ports)

    • 2x openvpn client (NordVPN) - split connections as required on the network, and achieve full internet bandwidth

    • Internet speeds for 100M line (this is where Asus router really struggles with openvpn)

    • thinking of snort and squid if required - so capable of running those if required

    • NAT and other basic firewall rules

    • Would like to lock down/isolate CCTV so I can block all external traffic to/from it - I can access it only by vpn

    • It'll be connected to modem and into 24 port gigabit switch (so only 2 ports really required)

    Thinking of setting this up on low powered hardware so it doesn't cost an arm and a leg to run 24/7 and also would like to run this in an esxi vmware. Mainly because I also need a unifi controller for my Ubiquiti ac pro so would be good to run this on same machine.

    I have a HP N36L microserver (only has 2gb ram and the 1 standard NIC). I was thinking to get it up and running I can

    • buy a 16Gb usb to run esxi (or run it off the same 2.5" hdd as below)
    • Buy 4gb RAM (should be enough for the 2 machines?)
    • quad hp Gig NIC
    • 1x 2.5" hdd for vms (already have this)

    I think CPU power wise it'll be fine but my biggest concern is running cost (power consumption) which from other forums sounds like it could be around 45w-60w (potentially costing around £85 a yr to run in the UK which is very high). (unless anyone else on here has any experience on how much power usage this would be?)

    Alternative being either another machine with low power esxi for both machines OR Raspberry Pi 3+ for unifi cloud controller and a low powered pc for pfsense

    Any help and support would be really appreciated. Hopefully I haven't bombarded you guys with too much info (or not enough).



  • I don't know what your budget is but you are going to want something with AES-NI support going forward.
    https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html

    I'm using an Intel C2558 (15 watts TDP) based board for a 100Mbit circuit used with openvpn and IPsec - you might be able to get away with a C2358 (7 watts TDP). If you look into the C2000 series make sure you're looking at new because there was a defect in earlier revisions. See Intel AVR54.

    Many of the currently sold netgate appliances are based on the Intel C3000 series so a big hint there.
    https://www.netgate.com/products/appliances/



  • Well, your microserver is a bit old. (a 2011 model) 2 core cpu, up to 8 g ram and it needs something like 30 watts of power at least. (I suggest you grab a cheap plug type power meter from ebay and use it to measure total consumption).
    Having said that, especially for vpn performance you do need hardware offload of aes, so a newer cpu is needed.
    If you consider a new microserver, the gen10 based on x3216 has a TDP of 15 watts and supports AES too.
    With a little bit more power you could also go for 4 cores and run a kvm for other things too.

    Regards



  • Thanks guys for the reply. It's kinda what I thought so wanted to check before I went ahead and spent lots of money trying to fix my old horse.

    The biggest issue I have with new hardware is that here in the UK everything is so expensive. I quickly looked at the c2558 and I'm looking at around £400 for decent hardware which is well out of my budget for a router. I would be looking around £150 max. Ideally closer to the £100.

    I think I need to really look harder and shop around a bit for the best hardware and maybe if I can get other uses out of it I can probably increase the budget a bit.



  • @jagradang
    DISCLAIMER: I haven't set this up yet, waiting on shipment will update when arrived if everything worked out.
    I was in the exact same situation as you this past week. I finally decided on buying a laptop with a broken screen off ebay to put pfsense on. You can get these broken laptops really cheap (as-is) and they come with a bunch of built-in benefits.

    • built in UPS (battery)
    • low power (look for TDP 15w or less chips)
    • AES-NI (just about anything 3rd gen Intel or newer has this as well as some 2nd gen chips). you can look up chip specs here: https://ark.intel.com/#@Processors

    Look for one that has Gigabit Ethernet and at least one usb3 that you can plug in a usb ethernet adapter.

    I bought mine yesterday for about $80 USD shipped taxes inc. I only need to pick up an adapter (~$15 USD).

    Tips I learned for narrowing the search on ebay.

    • category: Computers/Tablets & Networking > Laptops & Netbooks > PC Laptops & Netbooks
    • max price: slightly higher than what you're targeting ($85 for me)
    • item location: only search within your country (Customs fees kill us on international shipments here so I wanted to avoid that even if the selection was much smaller/slightly more expensive.)
    • sort by: ending soonest
    • Don't forget to include shipping + tax in your calculations.


  • A laptop is an option, just make sure the fans work and take some time to clean it from internal dust.
    Laptops weren't designed to be always on devices, however without high load and with decent cooling it will do the job.
    Forget about the usb lan interface. Shaky and unstable in general for what you are trying to do.
    Get a cheap managed 5 port switch. It will give you 4 lans at gigabit speed with minimal power requirements and far greater stability.



  • @netblues thanks for the tips!

    edit: does the switch sit between the router and modem? if not don't I need 2 ethernet ports for modem > router > switch?



  • What router?
    If you go for a pf solution, then most probably you will eliminate the router completely.
    Why do double nat to begin with?
    pf most probably will be doing a pppoe call to your isp
    But there are other options too, please provide more info.
    In any case pf being a network box will be taking ethernet either natively or ppp over ethernet.



  • Sorry where I said router I meant pfsense (laptop with one Ethernet).
    Ok so currently I'm connected:

    • cable modem -> Asus RT-AC68u -> LAN

    I figured I would need a usb ethernet to do:

    • cable modem -> pfsense -> Asus RT-AC68u -> LAN

    With the ASUS just acting as an AP.

    You mentioned getting a switch instead of usb ethernet adapter. Since there would only be 1 ethernet port on the pfsense laptop both In(WAN) and Out(LAN) would be over the same cable so I would need some kind of tagging with the switch between the modem and pfsense. Right?

    • cable modem -> switch -> pfsense -> back to the switch -> Asus RT-AC68u -> LAN

    If this isn't what you meant I apologize as I am quite new to the networking side of things. Ultimately the reason for switching to pfsense was because my ASUS router couldn't handle the OVPN connection. The laptop was because I didn't really have much budget and since it is a home network I don't need 100% up-time guaranteed a reboot every so often is fine.



  • If you're looking for something at around £150, maybe consider something like this:

    https://goo.gl/uDhESU



  • @no_jah said in Hardware recommendation for homeuse:

    If you're looking for something at around £150, maybe consider something like this:

    https://goo.gl/uDhESU

    Well this is much more robust and straight forward, however I doubt it will be 150 quid with 2 gigs and an ssd.
    The op has already a laptop if I recall :)



  • @netblues

    If you select 2gig ram 32ssd, and Q370Y4 bundle you will land at $215, which is about £168 plus shipping



  • @brett-tech said in Hardware recommendation for homeuse:

    Sorry where I said router I meant pfsense (laptop with one Ethernet).
    Ok so currently I'm connected:

    • cable modem -> Asus RT-AC68u -> LAN

    I figured I would need a usb ethernet to do:

    • cable modem -> pfsense -> Asus RT-AC68u -> LAN

    With the ASUS just acting as an AP.

    You mentioned getting a switch instead of usb ethernet adapter. Since there would only be 1 ethernet port on the pfsense laptop both In(WAN) and Out(LAN) would be over the same cable so I would need some kind of tagging with the switch between the modem and pfsense. Right?

    • cable modem -> switch -> pfsense -> back to the switch -> Asus RT-AC68u -> LAN

    If this isn't what you meant I apologize as I am quite new to the networking side of things. Ultimately the reason for switching to pfsense was because my ASUS router couldn't handle the OVPN connection. The laptop was because I didn't really have much budget and since it is a home network I don't need 100% up-time guaranteed a reboot every so often is fine.

    The managed switch will give you 4 lan interfaces for pf, effectively quadrupling the 1 laptop port.
    It is just that the 4 ports are sharing 2 gigabits of bandwidth (one in, one out, since we are full duplex).
    More than enough, as long as you are not routing among your lans moving large files around. (e.g. movies).

    So one port will talk to the modem, and one to your lan.
    The wifi is just a lan device.
    Having said that, perhaps you want to separate the wifi, use a captive portal for guests etc.
    You have two additional ports for that.
    A managed switch sells for $30 more or less, and will give you the joy of hassling with vlans.
    Not that difficult once you get a hold of it.
    As a solution it is very robust and reliable.



  • @no_jah Indeed. And there is a possibility it will also incur some customs fees, let's say another 40 quid?
    So we are not looking at 150.
    Moreover, the laptop has a screen and a ups.
    For an office not really important.

    For a home, it's another story.



  • I also tried to play around with a laptop and four usb nics through a usb 2.0 hub; it's working but no performance at all. Better to deal with vlans, and a managed switch can handle the onboard gigabit port of the laptop, and/or an additional PCI express 34 network card for the WAN side is a must to physically isolate the network, like this: Link:
    http://amzn.eu/d/5DlC62R
    and of course the laptop must have a pci express card 34 slot too.

    Anyway my first choice for a home office pfSense router is an APU box, looks like a great piece of hardware for my customers :D duh.

    Goodbye



  • Thanks for the replies, pretty sure I understand what is going on now. Do you have an example of a managed switch I could reference when looking for something similar?



  • @brett-tech
    D-LINK DGS-1100-08. Retails at 32 euros, with 8 ports. A bargain.
    What you are looking for is the 802.1Q feature.



  • @brett-tech

    How many ports do you need?
    I can recommend Netgear smart switches, I have one GS724T v4 (24 ports), and a couple of GS108T v2 (8 ports)



  • Great thanks for the help guys! Definitely don't need anything too heavy duty 8 ports is plenty. If in the future I get more into the networking side of things or my needs change I can upgrade then.



  • @brett-tech I advise you to avoid tp-link SG xxxE series at all, they do not handle vlans properly, I have some v2.0 hardware and it gets packet errors with only one vlan trunk setup.. too bad. (If the newer hardware revision/firmware fixed this issue, I don't know lol)


  • Rebel Alliance Global Moderator

    So the v3 hardware of those did have a firmware update that was supposed to fix their utter lack of vlans.. Finally!!! But I do not have v3 hardware to test with only v2... But yeah in general I would stay away from that tplink line of cheap smart switches.

    No love for the v2 hardware last time I checked which was maybe a month ago..



  • @Babiz Good to know, thanks for the warning. The D-LINK recommended above looks to be very good value compared to the others I'm seeing (about 1/3rd cheaper). Would I need PoE for anything?


  • Netgate Administrator

    Probably not. Not unless you have devices that require PoE, typically wifi access points or VoIP phones.
    Even then they can usually be powered locally as an alternative.

    Steve



  • Yeah, throwing 30 bucks is enough for... ☃ I'm thinking about five years of life (EoF cycle) for these devices... or more?! Many factors come into play for a good evaluation. 🍄
    Much time too 😸

    For my customers, I install just ubiquiti everywhere for all; for my home I go through with some crappy and cheap devices, haha!
    I tell you @Brett-Tech, my tl-wa501n is indestructible over years and years of streaming packets, absolutely amazing if you think about it.



  • @stephenw10 @Babiz Thanks for your input. As you said I don't have anything without its own power adapter nor do I foresee getting one in the near future.


  • Rebel Alliance Global Moderator

    Unless you were going to put in a lot of cameras or APs - you can just use the PoE injectors.. Sure it's always nice to have poe on your switch for future proofing, etc.. But unless you have current or real near future need of adding some poe stuff.. Save the money and use an injector if you add some poe device.

    I want to add some cameras - when that happens I might get a poe switch to connect them all to..



  • I’m currently using this switch as a cost effective VLAN capable device:

    https://www.zyxel.com/au/en/products_services/5-Port-8-Port-Web-Managed-Gigabit-Switch-GS1200-5-GS1200-8/

    Interested to hear what others think about it.

    I’ve also had a HPE 1820 PoE+ switch. Costs more but since they consider it enterprise (small business) it comes with limited lifetime warranty. I had HP replace one (faulty port) - no questions asked - and the replacement unit came with UPS express next day. That's pretty good for a $200 device.

    I’ve also had to make a decision between PoE injectors and PoE switch for cameras. At the end I went for a low budget entry level NVR (Hikvision) for the following reasons:

    • comes with 4x PoE ports (more ports available)
    • will fit a 3.5” HDD for centralised recording
    • saves you the $$$ for on-camera microSD cards
    • separates the cameras from the rest of your network

    After all, for the same price of a PoE switch, I got more functionality with the NVR.



  • @jagradang said in Hardware recommendation for homeuse:

    HP N36L

    I’ve had a similar setup with Esxi and you may be able to get away with your 2GB (4 would be better).

    • 1VM with 1GB for pfsense
    • 1VM with 1GB running unifi controller and pihole

    If you do have a NAS (QNAP, Synology with x86 CPU) you could run the free version of Nakivo and back up your VMs automatically to the NAS. (max 2 VMs for the free version)
    Nakivo works quite well using VM snapshots... if you stuff something up, you can roll back the entire VM...

    If your pfSense only has 1GB of RAM I wouldn't run snort...



  • @gcu_greyarea said in Hardware recommendation for homeuse:

    @jagradang said in Hardware recommendation for homeuse:

    HP N36L

    I’ve had a similar setup with Esxi and you may be able to get away with your 2GB (4 would be better).

    • 1VM with 1GB for pfsense
    • 1VM with 1GB running unifi controller and pihole

    If you do have a NAS (QNAP, Synology with x86 CPU) you could run the free version of Nakivo and back up your VMs automatically to the NAS. (max 2 VMs for the free version)
    Nakivo works quite well using VM snapshots... if you stuff something up, you can roll back the entire VM...

    If your pfSense only has 1GB of RAM I wouldn't run snort...

    I decided against using the N36L as it won't really be future proofed and the cost involved to get it up and running wouldn't justify the end. The comments on this topic have definitely been really helpful though!!

    I'm currently looking at either purchasing a prebuilt pfsense unit from aliexpress (some good units on there from one of the links posted above) or sourcing the components and using it as a mini project to have a play with. Going the dedicated hardware for pfsense rather than the esxi option now. Been reading through some other topics on here and Google and it might not be worth the extra effort (and reliability).



  • If you're going to build something yourself, it might be a good idea to look at some second hand parts, for instance from Supermicro.



  • @jagradang

    If you like reliability you could get one of the Netgate appliances with the benefit of a purpose built platform and also supporting the project. I'd personally go for the 5100 as it has an Intel CPU and no fan. However, for home use I think the price is prohibitive and I can see the appeal of the Chinese mini PCs you mentioned.
    Even then I'd recommend going down the virtual path. I currently run my ESXi environment on an i5 with 8GB of RAM and a SSD.
    It quickly turned out that most of the resources simply go to waste.
    For my 50/20 connection all I need is 1 core and 1GB of RAM. Since then I have added another core as I have 4 IPSEC Tunnels and inbound OpenVPN connection.
    Initially I was reluctant about running pfsense virtual but gave it a shot anyway. In the beginning I used vt-d to pass through physical NICS into pfSense, but now I just use vmxnet3 without passthrough. There is no (noticeable) performance penalty.
    As I mentioned before - the advantage of going virtual is that you can better utilise your hardware by running other "Always ON" services on the same host. In addition I can scale pfSense resources up/down quickly as required by adding RAM and CPU as I need. Since I'm still learning pfSense and other software the virtual environment has another advantage. I can quickly stop and start different pfSense instances to try out various scenarios and thanks to vmware snapshots roll back if required.

    If all you need is a physical appliance to run pfsense you could go with a small Atom based appliance at 7W -15W. However, once you go larger with a custom build the power consumption will definitely go up and in my setup I was wasting a large amount of resources and energy (despite CPU power management)...



  • @gcu_greyarea you have tempted me back into the esxi option. I have a dell optiplex 3040 which I don't really use much so tempted to switch that to esxi, convert the existing win 10 on it to virtual and add a dual nic. Just need to work out what its idle power is so I can decide if it will be expensive to run or not. Just going to buy a power meter to gauge how much it uses in its current state.



  • @jagradang said in Hardware recommendation for homeuse:

    @gcu_greyarea you have tempted me back into the esxi option. I have a dell optiplex 3040 which I don't really use much so tempted to switch that to esxi, convert the existing win 10 on it to virtual and add a dual nic. Just need to work out what its idle power is so I can decide if it will be expensive to run or not. Just going to buy a power meter to gauge how much it uses in its current state.

    Please report back on your power meter readings at idle. I would be interested in the results.



  • If your Dell optiplex 3040 has the i5 CPU (Core i5-6500) then you'll have 4 physical cores which give you 12 Ghz for ESXi. That's more than sufficient to run pfSense, Unifi controller & Windows 10.
    TDP for this CPU is 65W but for your use case it'll probably be lower.

    https://ark.intel.com/products/88184/Intel-Core-i5-6500-Processor-6M-Cache-up-to-3-60-GHz-

    If you can afford/justify the expense you could get a UPS instead of a power meter. Go for the cheapest pure sine wave UPS with an LCD Display.
    (e.g. CyberPower CP1000PFCLCD PFC Sinewave UPS System)

    The LCD Display will give you a reading of consumed power (in Watts) which is close enough. A power meter would be more accurate, but with a UPS you can safely shut down your ESXi host.
    There's a NUT Client for ESXi which will safely shut down the VMs and ESXi host once a low threshold is reached.....



  • @jagradang Hello, I want to advise you, if you think to buy a multimeter, you should consider one with a clamp, to make safe, easy and clean measurements, without messing around the metal case 🌩 lol, also you should check the grounding connection on your outlet AC power source and cable, finally you'll be safe. :D
    On the market, there are many kinds of "clamp multimeter" and maybe you don't need a more expensive tool, but one almost accurate for measuring energy flow (like Ampere scale from 1-5 milliAmps to 16-25 Amps); around 20 bucks is enough I think.
    Also I'm an electrician by job, so writing about this kind of stuff is my pleasure, and safety rules in my job are an essential part. 🦌
    Well only for saying this I'm going bananas 🍌 sorry for my poor English writing.

    In conclusion, according to me, one other way to check power absorption is looking at your Electricity Bill counter/meter device and getting some Electricity Bill Calculator to figure it out.
    For example: when you take note of the counter number on the meter, and take it again after exactly one hour, well you get some kilowatts/hours number by difference.
    The bill meter, if you don't know, is some kind of "pulse" counter and basically one KW/hrs is a defined amount of pulses (may change from region to region and type/model of meter) and faster pulses/blinks equal more energy absorbed in real time.
    So the energy provider can remotely read your amount of kw/hrs generated through time and other data transmitted from your root power meter (usually placed outside of the building on a wall or in a defined technical room among other similar meters), indeed you can also check this easy way if you are the householder and pay the energy bills.

    Regards.



  • Just buy a power consumption meter.
    You need measurement on a daily/weekly basis, not spot measurements.
    As for the ups... It's nice, however it consumes electricity and it won't show total consumption.

    As for using a clamp meter or a multimeter for power measurements, well, leave that to professional electricians. Definitely not worth the hassle/danger.