Netgate/PfSense with JamKazam online band jamming tool.
-
Hi. I'm considering moving to a Netgate/PfSense solution to improve the network security at my home.
I have searched this forum but cannot find a specific reference to my issue so I decided to create a new topic here in the hope that someone can advise.
I play guitar and I use the internet to have virtual jam sessions with my fellow band members using a software product called "JamKazam". It works very well. But one thing it does not like is high network/internet latency and its developers go to some lengths to overcome high latency problems when using their product. Its hard enough staying in time within a band without having network latency add to the problem.
Has anyone here had any experience specifically with JamKazam via a Netgate/PfSense setup?
In general, should I expect latency to worsen if I introduce Netgate/PfSense in place of my vanilla ISP router/firewall/switch?
-
no experience with JamKazam, but if you replace your current router with pfSense you should be able to control latency and buffer float better via QoS and limiter rules. I wouldnt run Snort or other IDS plugins for pfSense if you are worried about latency/buffer float. Also make sure your pfSense machine is powerful enough and you use intel server ethernet cards (i340 or i350 for example)
with pfSense you will have way more control to prioritize the JamKazam traffic over other traffic on your network.
pfSense i5-4590
940/880 mbit Fiber Internet from FiOS
BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
Netgear R8000 AP (DD-WRT)
-
In all likelihood it won't make a significant difference. There are a number of variables at play so.... it depends!
I have worked with another customer who used JamKazam though and once we had the required port forwards open it worked fine. They were using an MBT-4220 for reference.
Steve
-
Thanks for your reply. I had not considered QoS as a control for a (potential) latency issue, but I guess its an obvious thing to use when you think about it.
I'll probably go ahead, but take time to chhose the hardware platform carefully, taking into account the NiC type.
-
Thanks for your reply. This is all new stuff for me.
Bearing in mind comments from @paint regarding the choice of NiC and your mention of the MBT-4220, I'm now wondering which hardware platform to look at.
I was considering the SG-2100, which I was thinking would be more than adequate in terms of processing power and throughput for my mostly single user home network, but I am now considering the SG-3100 on the basis that its more expensive and therefore more powerful. The problem I have is I dont know how "powerful" a platform I need.
I obviously dont want to pay more than I need to but I also dont want to compromise given my particular use case, so I'm inclined to over-spend rather than under-spend.Is the SG-3100 likely to further minimise any potential latency issue? Any advise is welcomed.
Steve
-
@steve-c said in Netgate/PfSense with JamKazam online band jamming tool.:
nsidering the SG-2100, which I was thinking would be more than adequate in
who is your internet provider and what are the upload and download speeds?
-
@paint Well I'm in the UK and the provider it BT (British Telecom). Download speed is 73Mbps, upload 20Mbps.
-
@steve-c is it cable internet? With those speeds... I dont think QoS or pfSense will make much of a difference
-
It will be FTTC (VDSL) using PPPoE.
The SG-2100 will be more than sufficient there.
Steve
-
@stephenw10 I wish I had seen this topic earlier.
Opening a port is not needed. What's working well is to set up a NAT 1:1 rule from the WAN to the IP address of the JamKazam client. Nothing else seems to be required, but I do have UDP ports of the JK application set to a starting number of 12000, primarily so I can pick out the States of the specific UDP connections being used by the application.
-
If you setup a 1:1 rule (all ports) but don't add any firewall rules to pass that inbound on WAN then all you are actually doing it setting outbound NAT for that IP with static source ports.
In that case a single outbound NAT rule would also work and it would not redircet incoming traffic that you might otherwise need for, say, a VPN.
Steve
-
@stephenw10 Thanks, Steve. That's good to know.
Last year when I was trying to get things working with your help, I tried a number of strategies to get to a functional configuration. I had a rule for a range of forward ports based upon JamKazam guidance. Thinking that this could lead to a vulnerability, I tried disabling the rule and things still worked. The configuration hasn't changed since.
The application and the server algorithms have evolved quite a bit since I first started using the service. With that in mind, I just checked functionality with 1:1 NAT disabled and was surprised it was able to connect with the server and establish UDP peer connections. In addition, it didn't complain with a pop-up diagnostic as before. So, perhaps 1:1 NAT isn't necessary anymore. I'll try to see how well it works without it over the next few days and report back.
-
@spacecase I've tried a few spot checks during active sessions over the last few evenings, but my testing was limited. After experiencing what might've been disruptions of session stability when I disabled 1:1 NAT, I quickly reverted back to my baseline configuration.
Forwarding the configured UDP ports at the router doesn't seem to make a noticeable difference, which seems to be consistent with the alternate configuration approach at this link.
