What hardware to replace BT Infinity Home hub and add firewall functionality?



  • All,

    From reading other threads here, it seems like pfSense can replace the BT Home hub used in the FTTC solution in the UK - http://forum.pfsense.org/index.php?topic=37001.0

    I would really appreciate some help / advice with specs and UK suppliers of suitable equipment. I'm looking for a fanless solution and I think the new ALIX board would be a good fit, but since it doesn't actually exist yet, I'm looking for other options.

    I have 5 public IPs on my network that I want to provide firewalling services for. I also have 6 desktops / consoles that connect out.

    The network stats that I'm trying to maintain are as follows:
      ping to google.co.uk - between 9ms and 16ms
      Down speed - 38Mbps
      Up speed - 8.5Mbps

    On the 5 target machines, I want to allow all outgoing traffic and block everything except between 3 and 5 ports per host (http, https, ssh and a few others). On one of the 5 target machines, I currently see between 200 and 400 new TCP connections per minute.

    Ideally I'd like this machine to act as a WiFi AP as well, but I've not researched how possible that is with pfSense yet, so this is a lesser requirement.

    Any advice on boards / pre-built machines in the UK that fit this requirement would be greatly appreciated!



  • Wonder if you have to clone the original modem's MAC?  The guy who started that thread is usually really helpful.



  • No - from what I understand, it just works - they don't lock you to any specific router. A number of people are using commercial routers from different manufacturers.

    I'm just trying to find an all-in-one solution that includes the firewall in the box so I don't have to run a second machine as a firewall in the house.


  • Netgate Administrator

    You don't have to clone the MAC; the original modem is still used and the PPPoE connection appears completely standard.
    Do you have 5 public IPs on a home connection? I wasn't aware you could do that without stepping up to business or that the homehub could handle it.
    Which homehub do you have? I am using the HH3 as a wireless access point behind my pfSense box, it's quite easy to make it do that. I've not used a HH4 but I imagine it could also do it. It's a more capable AP than a card in a pfSense can ever be, there is no 802.11N support for example.

    You should be aware that the homehub is also a stateful packet inspection firewall in its own right. It's just far less flexible than pfSense.

    If you need something fanless then your best bet is an Atom box. That will restrict what you can do with it in the future though. A box built on a low end Ivy Bridge CPU can be achieved for around the same price but to make it fanless will require a far better cooling solution because of the maximum Wattage.

    If you need something pre-built how many interfaces are you looking for?

    Steve



  • I've got an HH3 on a business connection - hence the 5 IPs :)

    I'm looking for 3 interfaces ideally - WAN, internal network and public facing network.  I tried to set the HH3 up for what I need, but I found it to be quite limiting.

    An atom box would do the job I'm sure - I just have no experience with building them (PSUs, boards, enclosures, etc.) so I'll have to go do some reading / research.

    Thanks :)



  • I could recommend the hardware in my sig. All credits for discovering this goes to the man who refuses to let me buy him a cup of coffee for his great, great, help  ;D



  • @Hollander:

    I could recommend the hardware in my sig. All credits for discovering this goes to the man who refuses to let me buy him a cup of coffee for his great, great, help  ;D

    I'd not seen your post, but thanks. It's still more than I want to spend, but I'm running out of other ideas, so I may have to go that route.

    I just wish the new ALIX boards would happen. They seem ideal.

    Edit - one small problem - I can't find your board anywhere in stock at the moment. Bah. I knew it was too good to be true!


  • Netgate Administrator

    Yep I was thinking about getting one myself but Intel seem to have discontinued it.  :(
    Perhaps it was taking custom from their more expensive boards, too good.  ::) There are a couple of other similar boards available from other manufacturers but none have Intel NICs.

    If you only need two NICs there are some thin clients that people have used. Search the forum. They may be underpowered for your purposes though. What connection speed do you have? What services are you wanting to run?

    Steve



  • @stephenw10:

    If you only need two NICs there are some thin clients that people have used. Search the forum. They may be underpowered for your purposes though. What connection speed do you have? What services are you wanting to run?

    Steve

    I'd ideally like 3 NICs, but I'm prepared to settle for 2.

    My WAN speed is 40 down, 8 up and I host a number of services on public IP addresses on my LAN. I also have a number of workstations and devices that need outbound NAT. I don't do any VPN from the firewall box - any VPN stuff is client based from PCs on the network.

    I've not completely tested, but I'm hoping that on a 2-device setup I'll be able to have a public IP address with a 192.168 alias on the same NIC.


  • Netgate Administrator

    Ah yes, sorry, you already stated your connection speed, I should have read back. ::)

    If you don't want Squid, Snort or vpn in the box then a thin client should be fine for you. Let me see if I can find a link…...
    Edit: http://forum.pfsense.org/index.php/topic,64420.0.html
    Many of those HP models seem suitable after adding an extra nic.

    Steve



  • @stephenw10:

    Ah yes, sorry, you already stated your connection speed, I should have read back. ::)

    If you don't want Squid, Snort or vpn in the box then a thin client should be fine for you. Let me see if I can find a link…...
    Edit: http://forum.pfsense.org/index.php/topic,64420.0.html
    Many of those HP models seem suitable after adding an extra nic.

    Steve

    I'll have a look at those - thanks.

    I saw some posts about HP / Dell PCs, but I need this to be really quiet. The thin client looks like a good call for that.



  • @Anonymouslemming:

    @Hollander:

    I could recommend the hardware in my sig. All credits for discovering this goes to the man who refuses to let me buy him a cup of coffee for his great, great, help  ;D

    I'd not seen your post, but thanks. It's still more than I want to spend, but I'm running out of other ideas, so I may have to go that route.

    I just wish the new ALIX boards would happen. They seem ideal.

    Edit - one small problem - I can't find your board anywhere in stock at the moment. Bah. I knew it was too good to be true!

    My apologies for resurrecting this thread, but I am thinking about a similar scenario. I would like to have pfSense put in place of my BT Home Hub connection (home user).

    Have you considered looking at any of these? (are they suitable?? - I'm not much of a hardware guy)
    http://linitx.com/category/alix-apu-firewalls/178/113,176,178


  • Netgate Administrator

    Yep those will work fine as long as you have a separate modem. I understand that some BT devices now have the VDSL modem built in.

    The ALIX box is good for ~85Mbps and the APU for 350-400Mbps. That's without running any packages.

    Steve



  • @stephenw10:

    Yep those will work fine as long as you have a separate modem. I understand that some BT devices now have the VDSL modem built in.

    The ALIX box is good for ~85Mbps and the APU for 350-400Mbps. That's without running any packages.

    Steve

    I've just recently switched ISPs and I've got one of these BT Home hub 5 boxes. It does indeed do away with the separate modem, the VDSL is built in. I'm looking to set up a pfsense router for the first time and I'm also looking at one of these http://linitx.com/product/linitx-apu-1c-4gb-3nicusbrtc-pfsense-msata-firewall-kit-blue/14230

    Is this not possible with having the built in VDSL?

    Ignore this one mate you just answered in the other thread : )



  • Is the VDSL you refer to the fibre port?

    If so, this works on talktalk routers just like a normal Ethernet port, in other words, I can plug my pfsense into the talk talk fibre port and then serve the net over the talktalk's wifi.

    Are BT having a US based IP address accessing the routers and downloading usage data with these new hubs or is it restricted to the home hub 3's I've seen?

    If you go into the BT home hub logs, you will see it in the home hub 3 logs, but I've yet to set up one of these new fibre ones so can't check.


  • Netgate Administrator

    Nope. The HH5 has the VDSL modem built in so it has an RJ11 socket that connects directly to the openreach face plate on the master socket (or filter I guess if they've brought those in for VDSL yet). See this review for pics.

    Steve



  • If we are talking about the red socket, that's what I call the fibre port, it's identical to the Huawei talk talk routers.

    I know BT or Openreach were talking about rolling out two different fibre services some time ago. One, which I suspect is the more common rollout, is the fibre to the larger than life green street cabinets and then copper to the property, basically shortening the ADSL cable as it's no longer going to the exchange. But in some instances, they can place a small equivalent of the green cabinet, in this case a small grey box of sorts, to the outside of the property and then you have fibre to the property, which has a different setup AFAIK.

    I suspect it will be possible to put the BT HH5 into bridge mode and just use it as a modem, much like how we do it with the talktalk routers, which can then feed onto the pfsense box. Without seeing one of these devices in the flesh, that's still mainly a WAG though. Parents might be getting it soon, although BT have been trying to push a leased line instead of fibre and that's way more money for what they need.


  • Netgate Administrator

    Exactly, they have two services both being referred to as 'fibre'. The common one is FTTC where the service is fibre to the green cabinets and then VDSL to your house from there. Much more expensive is FTTH where the fibre is terminated actually in the customer premises in some fibre to ethernet box.
    The HH5 can operate on both those services. It has an Ethernet WAN (the red port) for FTTH but it also has a VDSL modem (the grey port) for directly talking to FTTC cabinets.

    Steve



  • I've just received my Pfsense box this morning and I'm about to go about installing it. I'm just wanting to clarify. I have the BT home hub 5 as mentioned above but I also have an old BT open reach modem from a previous ISP. Is it going to be best to use the home hub 5 with the built in VDSL or the old openreach modem and just use the HH5 as my wireless access point?

    Secondly, how exactly do I go about it if using the old openreach modem? Does it need to be unlocked and then configured somehow?


  • Netgate Administrator

    I would use the old Openreach modem. That way you know exactly what is happening on your connection. You can always fall back to using the HH5 instead if you have some problem and getting it to work takes longer than you think.  ;)
    To use it, set up the WAN as a PPPoE interface and connect it to the modem.

    Steve



  • It looks like I've got one of the problem BT modems. https://hackingecibfocusv2fubirevb.wordpress.com/ I've got the /r model and it would seem this is a pain to unlock. I guess my best bet is to order one of the HG612 models on ebay.


  • Netgate Administrator

    You don't need to unlock the modem to use it with pfSense.

