Netgate Discussion Forum

Build questions: Can I get this with 3-4 interfaces?

    pf123user
    last edited by May 16, 2015, 4:42 PM

    I want this machine but with three or four interfaces because I have dual WANs. I like the look and size of the machine. It's perfect for what I am looking for in every way except it only has two interfaces.

    Can anyone suggest something similar with either three or four interfaces? I have a target budget of about $200 which falls in line with the device listed in the 2014 thread. It's a home/home office which is why I say that the look and size of the machine is ideal.

    From the perfect pfsense box 2014 thread:
    https://forum.pfsense.org/index.php?topic=75415.msg411602#msg411602

      Shonky
      last edited by May 17, 2015, 11:24 AM

      Based on my recent experience, you won't in that form factor or CPU and definitely not for that price.

      There are a bunch of Atom D2550 type systems with 4-5 Realtek NICs (usually) but not a Celeron 1037U and not in that form factor, e.g.
      http://www.aliexpress.com/store/product/mini-pc-box-Barebone-MINI-ITX-Server-with-fan-Intel-Atom-D2550-1-86Ghz-CPU-4/800900_1845362534.html

      But also with Intel NICs
      http://www.aliexpress.com/store/product/firewall-server-with-atom-D2550-1-86G-4-intel-PCI-E-1000M-82583v-Lan-support-Panabit/800900_1795849569.html

      With Intel but rack mount:
      http://www.aliexpress.com/store/product/storage-server-1U-Network-Firewall-support-ROS-RouterOS-Mikrotik-PFSense-Panabit-Wayos-c1037u-6-Gigabit-LAN/800900_1796145507.html

      6 port but rack mount.
      http://www.aliexpress.com/item/Intel-Celeron-1037U-Industrial-1U-Rack-Server/32319754406.html?spm=2114.32010308.4.166.VOxIKb

      $350 for a Netgate unit?
      http://store.netgate.com/ADI/RCC-VE-2440.aspx

        pf123user
        last edited by May 17, 2015, 3:46 PM

        The device I posted a photo of is about $150 shipped. It's barebones so add in the extras and it falls between $200-$250 all-in, maybe $300 max if I push it. I already own the RAM and wireless card so it would cost me about $200.

        ** In all fairness, that price is for a device with zero warranty, no support of any kind and zero promise of reliability or compatibility with pfSense or BSD. **

        The Netgate box listed starts at $350 but with wifi and 30GB storage it comes to about $500 + shipping. At $500 I start to get into the range of the pfSense appliances meeting my requirements of 3+ interfaces with integrated wifi; which the SG-2440 comes to $643 + shipping.

        Because both the Netgate and pfSense appliances have warranties, I'm assuming I can't open them up and put my own stuff inside without voiding the warranty. Therefore I have a spread of $300.

        How stupid is it, or, is it worth the risk to save $300 and run the WANs through VLANs on one interface? I really don't like the idea of it but it does solve the problem… (Also considering I could purchase two appliances for less than the cost of the $500 Netgate appliance.)

        Not trying to upset the pfSense team or store at all, I feel badly and would love to purchase only pfSense branded hardware however it simply is not in the budget at this time.

          EricE
          last edited by May 17, 2015, 4:04 PM

          Is the integrated wifi really that important?  Usually the router is in a bad location for good wifi anyway.  If you handle the wifi separately there is a lot more flexibility in options for both.

          If it's in a good location and integrated would be adequate then no worries - it was just another thought.

            tirsojrp
            last edited by May 17, 2015, 10:31 PM

            @pf2.0nyc:

            How stupid is it, or, is it worth the risk to save $300 and run the WANs through VLANs on one interface? I really don't like the idea of it but it does solve the problem… (Also considering I could purchase two appliances for less than the cost of the $500 Netgate appliance.)

            What risk? I have a few systems working with a single nic + vlans handling dual WAN, LAN and Guest network with captive portal.

            Unless your bandwidth requirement cannot be handled by a single gigabit interface, don't waste your money on multiple NIC appliances.

              Shonky
              last edited by May 18, 2015, 12:05 AM

              The device pictured runs around $200 all in as you say. I don't think you'll get $150 shipped. More like $165.

              I don't think you can reasonably expect the same thing with more LAN ports for the same price.

              You are also getting away from very highly mass produced products to more customised ones and that usually includes a price premium.

              I would leave the Wireless AP as a separate device (perhaps running off a dedicated port if it doesn't support VLANs).

                pf123user
                last edited by May 18, 2015, 3:01 PM

                It's complicated. This is for a home office environment at six different locations (six different home offices). Perhaps if I explain the current setup it may shed some light. Each location is almost exactly identical.

                We are using old Dell GX520 desktop computers running 32-bit pfSense (with Snort) with Dell PowerConnect 2708 and 2716 switches (the 2716 is fanless). The pfSense machines have five interfaces and one wireless NIC, an old Cisco Aironet Wireless G card. I make labels or write with a Sharpie: "WAN1", "WAN2", "LAN1 (Goes to switch)", "LAN2 (Should be empty)", "LAN3 Your Wireless Router", "SSID" at each interface so if there is an issue they can try to deal with their local ISPs for troubleshooting or I can talk them through things.

                Each of them has their own retail wifi solution for their home/family/kids that they plug into LAN3. I set it up like that because we reimburse for one WAN with a static IP and they pay for whatever home internet they want for their family; we had an issue a while back with someone filesharing (torrenting) so this way I can put their home wifi and home network on a separate subnet and isolate it to their home ISP that has nothing to do with work.

                I don't really like it but it is what it is and it works. If the Dell GX520s hadn't started dying we would have kept it as-is and done nothing.

                @EricE:

                Is the integrated wifi really that important?  Usually the router is in a bad location for good wifi anyway.  If you handle the wifi separately there is a lot more flexibility in options for both.

                If it's in a good location and integrated would be adequate then no worries - it was just another thought.

                The router would be in a good location to make use of the integrated wifi however I'd consider appliances without integrated wifi if there are good alternatives available. Do you have any suggestions?

                If you see what I wrote above, I have some challenges in general. I'm in over my head half the time, never mind the others who aren't tech savvy at all. The way it's currently set up is that the integrated wireless on each pfSense machine is only used for work purposes to connect to work machines to work networks. Their home wireless routers are used for all of their other wireless networking needs.

                My feeling is that if I ditch the integrated wifi it creates issues I don't really want to deal with such as the need for proper wireless networking at six locations (expensive). Other considerations are things like installing proper WAPs which can broadcast multiple SSIDs, which will require either a PoE switch (expensive and loud due to the fans) or power at each WAP (means getting an electrician at each house to install).

                I don't even know if the setup described above #1 makes sense the way I described it, or, #2 is or is not best practice or an eloquent setup. On the other hand, I would very strongly consider a device without integrated wifi if it had the right number of interfaces and was also in a somewhat appealing form factor and chassis such as the one pictured.

                @tirsojrp:

                What risk? I have a few systems working with a single nic + vlans handling dual WAN, LAN and Guest network with captive portal.

                Unless your bandwidth requirement cannot be handled by a single gigabit interface, don't waste your money on multiple NIC appliances.

                I know it can be done however, if you see what I posted above, the reason why I am so hesitant about running multiple WANs on the same interface is the support nightmare that could ensue. If someone calls their ISP with a service issue, as soon as they tell the retail support tech "I promise you I know what I'm looking at… the cable is going from the modem and it's plugged into the switch" -- it's going to be downhill from there...

                @Shonky:

                I would leave the Wireless AP as a separate device (perhaps running off a dedicated port if it doesn't support VLANs).

                My biggest draw to a system with integrated wireless is both its size and footprint. Less wires and cables, power consumption, heat and blinking lights, etc. etc. AND the ability to manage the integrated wireless network.

                Most of them have Apple Airport products. They just plug them in to the port I tell them to and let them DHCP. That gives me no management over the subnet of whatever wireless router they plug in. By getting rid of the integrated wifi it means I need to be able to manage wireless clients.

                This has come up before. I avoid it because I know that a proper wireless network means spending a lot of money (which I/we probably can't afford). It also most likely means upgrading to louder and more expensive PoE switches or hiring an electrician to bring power to the WAP, or maybe both.

                If I ditch the integrated wireless NIC do you have any suggestions on decent WAPs to be installed permanently as one would in an office or retail space?

                Also, it's a little unconventional to have interface ports on two sides of a device however… I have fairly free and unlimited access to a machine shop and metal fabricator (family member). If I dump the wireless NIC out of that device pictured I may be able to use something like this:

                http://www.logicsupply.com/components/expansion-cards/admpeidla/

                and have him cut the two interface holes exactly where the wireless antennas are mounted, or somewhere else. But then it's a completely custom appliance which I don't think I want anything to do with. As I asked above, are there any other comparable 3-4 interface appliances out there?

                Thanks everyone for the thoughts and feedback. Much appreciated.

                  robi
                  last edited by May 18, 2015, 3:44 PM

                  Are you aware that most PoE Access Points actually have a PoE adapter/power supply in the box? So using a PoE switch is actually optional, by default you should use the little PoE adapter they give you with the AP in the box.

                  Look at any Ubiquiti product. By default, their power supply brick is a little box with AC power in, and two RJ45 sockets for PoE addition to the cable going to the AP.

                    robi
                    last edited by May 18, 2015, 3:47 PM

                    Reading your description above, I understand that you want to keep work activity from home activity separate. You have home and work WANs and you also have home and work wireless.
                    What's the reason then, to handle them all together by the same pfSense box?

                    Use pfSense for the work WAN and wireless only, and let them buy any other cheap home router for the home stuff, you don't need/want to support that anyway.

                      pf123user
                      last edited by May 18, 2015, 5:37 PM

                      The easiest way to explain the reasoning behind everything going through pfSense is "quality of life". Due to the nature of what we do we are highly audited at times and we must always be very transparent. We have been asked for internet activity (websites visited, traffic patterns, devices connected, etc.) in the past. Sometimes we get asked and sometimes we get served subpoenas commanding production.

                      I can't stop what a high school kid or his/her friends (or an employee on their own personal time for that matter) might do online. I don't want to know or be involved as I don't see that as an employee/employer issue.

                      On the other hand, the employees are outfitted nicely with stuff for their home offices (computer, printer, tablet, etc.) when they are hired. As things are now (combined everything on pfSense), you can grant access to resources like printers while denying access to other resources such as network storage or computers.

                      If things are split up into two networks on two routers/firewalls there technically would be no difference between my home and the next door neighbor. Meaning if the kids want to print a school report or mom wants to print out a recipe for a friend, it would be the same as trying to use the next door neighbor's printer to print.

                      We have taken the position that they don't need to buy two computers, printers, iPads, etc. Even the younger kids know how to switch wireless networks if they use mom or dad's computer and the content filtering page pops up or an online game is blocked. For example, the wife of one of the guys is a doctor. She was looking up some side effect of some drug or surgery or whatever. If I recall correctly she was trying to access and download a report or publication of some sort from Harvard University. It was filtered and blocked due to the content. She switched over to the other wireless network, got what she needed and then was still able to print it without needing to switch back over to the other network.

                      Not sure if that makes sense or not. It's a little bit more of a pain for us but it makes life a lot easier for the end user. I like being able to change my home thermostat while I'm on a Skype call for work as much as the kids like being able to be on Facebook while they print out homework assignments. And, we are a really small company and a lot of the wives know each other and talk. As soon as they find out some people can do something while others can't then it just causes drama.

                      I realize this isn't a standard networking issue or that there isn't standard hardware to solve this issue. Thanks for the replies.

                      Maybe I'll try one and run it with the WANs on one interface and see what happens.

                        robi
                        last edited by May 18, 2015, 7:42 PM

                        Well, all I can say is that these tasks are beautiful indeed. I love things like you described, it's really a challenge to invent such mechanisms keeping user happiness a priority.
                        (I'd also love to work as an employee in such a quality environment)

                        As far as I can see, you're trying to achieve professional level, almost enterprise-like level service for the business running behind. One thing to learn in this particular case is that if you want all this functionality, + the nice embedded/low powered/good looking/rock solid hardware instead of the big ole Dell GX520 dying, you'll have to turn to your boss and ask to double the budget for it. If he's able to outfit nicely the employees with "visible" stuff for their home offices like computer, printer, tablet, network storage etc., he should really consider that a central device like a router should not be on the cheap side. Just add up how many dollars cost the Apple hardware+printers+NASes one employee gets for the home office, ask the boss to buy one tablet less and buy decent background hardware instead.

                          pf123user
                          last edited by May 19, 2015, 5:35 AM

                          @robi:

                          Well, all I can say is that these tasks are beautiful indeed. I love things like you described, it's really a challenge to invent such mechanisms keeping user happiness a priority.
                          (I'd also love to work as an employee in such a quality environment)

                          As far as I can see, you're trying to achieve professional level, almost enterprise-like level service for the business running behind. One thing to learn in this particular case is that if you want all this functionality, + the nice embedded/low powered/good looking/rock solid hardware instead of the big ole Dell GX520 dying, you'll have to turn to your boss and ask to double the budget for it. If he's able to outfit nicely the employees with "visible" stuff for their home offices like computer, printer, tablet, network storage etc., he should really consider that a central device like a router should not be on the cheap side. Just add up how many dollars cost the Apple hardware+printers+NASes one employee gets for the home office, ask the boss to buy one tablet less and buy decent background hardware instead.

                          Fortunately and unfortunately, turning to my boss and asking for more money means looking in the mirror. We are a pre-revenue startup so I can promise you that we are on an eBay and second-hand budget.

                          I was hoping that someone had found something similar to that original device but with a few more interfaces. We just aren't at a place where we can afford spending $800-$1200 per firewall device when we would need to buy 6-8 of them. Stinks but it is what it is.

                          I think I'll buy one and try out both WANs running through one interface. Worst case I may be able to print out a card and labels or something with a diagram showing what wire goes where so as to try and make it as idiot proof as possible.

                            robi
                            last edited by May 19, 2015, 6:04 AM

                            You wrote in your first post that the target budget is about $200. For $400, I think you can find stuff that fits your needs.

                              thezfunk
                              last edited by May 21, 2015, 4:19 PM

                              I have that box. There are a number of USB 3.0 ports on the back… I don't stay up on the supported USB NIC options with pfSense but if a supported gig USB 3.0 NIC is supported would that be a possibility?

                                pf123user
                                last edited by May 24, 2015, 3:56 PM

                                @robi:

                                You wrote in your first post that the target budget is about $200. For $400, I think you can find stuff that fits your needs.

                                Considering that the reality of that unit would be closer to $250-$300 built, I would say $400 is within reason but at the very high end. Do you have any suggestions?

                                @thezfunk:

                                I have that box. There are a number of USB 3.0 ports on the back… I don't stay up on the supported USB NIC options with pfSense but if a supported gig USB 3.0 NIC is supported would that be a possibility?

                                While not ideal, I would consider it for use as a second WAN as well as the option to have a second LAN interface in the future. I've ordered one of those boxes so when it arrives I'll give it a shot. Still interested in learning more about a device in the $400 price range mentioned above.

                                Do you have any feedback on USB >> RJ45 adapters that are reliable? I see some decent name brands in the $40-$60 price range. Do I need to go that expensive or can I stay in the $14-$30 range?

                                Thanks.
