Building a Supermicro j1900 router, may build another - opinions requested.
-
I just ordered a Supermicro mini-ITX fanless J1900 board with 2 Intel ports and HDMI. It will have 8GB RAM and a 120GB SSD in an M350 case with a pico power supply. I plan to run pfSense with IPS/IDS, antivirus, OpenVPN and possibly more. My existing speed is only 25/5 but will probably go up in the future to 50/10, or more if Comcast improves speeds again, as they often do.
I probably overbought, but I also wanted it to serve as an HTPC if I changed my mind about pfSense. (Thus my insistence on HDMI.)
It was difficult to find this motherboard. I wanted a mini-ITX case, dual Intel NICs, a fanless MB, HDMI, and a decently rated processor. No other fanless MBs have dual NICs and HDMI and a decent processor. It's dual NICs or HDMI. Mini-ITX cases are too narrow to use the expansion slot on the MB. This may be the only MB available that meets my constraints.
Assuming I put this to work as an HTPC instead, what other less powerful Atom processors could serve as a capable router for this speed and application and allow future growth as a router only? pfSense is new to me and I have no frame of reference for routers like this.
Thanks.
-
For comparison, I run an i3-2100 and it doesn't hit 10%. I've also got 4GB of RAM and a 320GB 7200RPM disk.
I run OpenVPN and pfBlocker, but that's it.
I have two 100/35 connections for the two different WANs, and two LANs. All interfaces are Gbit NICs.
You should be fine with your system, it's going to be very fast.
CPU comparison between our CPUs: http://www.cpu-world.com/Compare/406/Intel_Celeron_J1900_vs_Intel_Core_i3_i3-2100.html
-
Thank you. I'm trying to stay with fanless motherboards, which necessitates lower-powered processors. This may prove to be unrealistic at this time, but, as I said, I'm new to pfSense. I haven't even received my shipment yet. Even then I plan to give the HTPC a quick test with a Windows 7 trial just to see if it can handle normal use in my household. Then pfSense gets put on about a week later.
I also plan to ease into actual use. At this time, I initially plan to configure it as 192.168.10.1 and put my existing router behind it as 192.168.1.1 (go LAN on pfSense to WAN on the existing router). Then I can ease into configuration without getting the household upset if I mess something up. The internal network should operate as it does now, if I guess right. As time passes, I'll convert 192.168.1.1 to a wireless AP only and have only one subnet.
New question: To configure my Slingbox and other devices now, I have to turn on UPnP for a few minutes and let the network discover everything. Then I turn UPnP off and everything stays configured. Otherwise, ports don't forward. Can pfSense use this shortcut method once I go to one subnet?
-
You will have a slight problem with that configuration. pfSense will NAT out of the box as a default setup, and your current router more than likely has NAT enabled too. You'll be dual-NATing, which causes a whole bunch of new issues, especially for things that use UPnP to open up ports for their functionality.
You'd probably want to turn off NAT on the internal router and let pfSense do that. That's my first recommendation.
-
I've read conflicting information about this configuration. When it's called double NAT it's bad. When it's called 'cascading routers LAN to WAN' it's ok and adds security in and of itself.
Right now my router is connected to a Comcast cable modem. When I plug it in, DHCP figures out the connection between the router and the modem. How would that be different if I plug it into pfSense instead of the cable modem? Also, if the inside router encapsulates the packet and the pfSense router just sees outgoing info, how does UPnP get confused on pfSense? Remember, the pfSense router and the inside router are on different subnets. Anyway, I plan to keep UPnP off on pfSense until I completely change over.
I'm not trying to argue with you. Heavens no. I'm just trying to sort out this config. I get mixed info on Google and nobody explains it in the way I'm asking.
-
@jim1000:
I've read conflicting information about this configuration. When it's called double NAT it's bad. When it's called 'cascading routers LAN to WAN' it's ok and adds security in and of itself.
NAT never adds security in any real way …. a network without NAT can be equally secure. One day a bunch of idiots decided that it would be a good idea to sell NAT as a security thing.
NAT is a way to work around the IPv4 shortage, and that's about all it's (good) for.
-
The way UPnP works is that a device makes a request to open certain ports and map them to itself. It makes this request via UPnP to the firewall. If there is another NAT'd device upstream, the ports opened by UPnP on the downstream router won't be open upstream. So incoming traffic would hit the upstream firewall and stop there because those ports are closed. Your downstream router would not send a request upstream using UPnP to open those ports because it thinks it's the perimeter (which it is, although downstream).
You could manually open the ports on the upstream firewall and map them through the downstream firewall to the end device. However, if two devices are using UPnP and are randomizing ports, all bets are off.
So in your architecture, the upstream device is pfSense and the downstream device is your current router.
Keep asking questions, you won't offend.
-
So the following is wrong …
-
Inside router, 192.168.1.1, maps to the Slingbox via UPnP. NAT, SPI, DHCP, et al. all working. Uses port 5001.
-
Inside router WAN connected to LAN on the pfSense router, 192.168.10.1. The pfSense router uses DHCP to connect to the Comcast modem. The inside router uses DHCP to connect to the pfSense router.
-
Me, in a hotel room across the country, link to the home Slingbox on port 5001 via the hotel router, the internet, the ISP router, the pfSense router, and the inside router to the Slingbox. The hotel router couldn't care less about 5001 unless deep packet inspection said 'drop it'. Same with all the others, including pfSense, which, being on a different subnet than the inside router, passes it along to the inside router and the Slingbox since pfSense sees it as data to an address.
Instead, the pfSense router says stop right here.
Why does the inside router see the pfSense router differently than it sees all the other routers on the network? Since DHCP will configure the inside router, why does it see pfSense differently than the pfSense router sees the Comcast router at the ISP?
How does this differ from internal corporate networks (except for the routing table) that add routers when they run out of NIC ports? Doesn't the subnet being configured via DHCP maintain some separation?
Also, I'm still interested in the capabilities of lower-powered Atom processors compared to the J1900. Are they too weak, or do they still offer service for a moderate-speed internet connection with lots of services potentially being used?
-
I think you misunderstood.
UPnP requests will be accepted by your internal router, but it will not pass those requests up to pfSense, and it shouldn't. So pfSense is blind to the UPnP port-opening request and won't open those ports.
But you can connect the devices in the fashion you describe and web/email client traffic should work fine. The problem presents itself when an application opens a specific port on the FW via UPnP and the upstream router has no knowledge of the request. So pfSense stops the incoming traffic as a result.
-
We're nearly there.
Since all the other routers in the chain couldn't care less about 5001, why does the pfSense router care, since 5001 only matters to the inside router and the Slingbox? Doesn't pfSense see 5001 as data just like all the other routers that ignored it? Why does pfSense treat it as anything other than an SPI issue?
-
NAT, that's the reason. And that's where the "dual-NAT" or "double-NAT" issue comes to play.
All other routers just pass traffic through and don't provide NAT. pfSense and your home router both supply NAT, and therefore they need to consciously map ports back to devices.
-
And we're back to 'double NAT is bad' but 'cascading routers LAN to WAN' is ok.
Slingbox is 192.168.1.120:5001.
The inside router sends it to the pfSense router as 192.168.10.5:34567 and internally maps that back to 192.168.1.120:5001.
The pfSense router tells the world that a.b.c.d:12345 has sent data, which internally maps to 192.168.10.5:34567, the address of the inside router and Slingbox on the pfSense network at this time.
There may be a detail or two wrong above, but where's the problem, other than that the inside router on the pfSense network, 192.168.10.5:nnnnn, will be pretty busy? 192.168.10.1 doesn't know about 5001. It only sees a packet for 192.168.10.5:34567.
Wait … I see the problem. The hotel-initiated request goes to a.b.c.d:5001 to start the Slingbox and to send commands back and forth. pfSense needs to know about it and direct it to the inside router while it's in use. This means I will need to get off the inside router ASAP and just use it for internet surfing only. Normal internet stuff ok. Outside-in requests will need configuration.
So both answers are right. Cascading routers work for surfing only. Anything complex means double NAT is bad.
Back to the original question about Atom processors?
-
@jim1000:
Wait … I see the problem. The hotel-initiated request goes to a.b.c.d:5001 to start the Slingbox and to send commands back and forth. pfSense needs to know about it and direct it to the inside router while it's in use. This means I will need to get off the inside router ASAP and just use it for internet surfing only. Normal internet stuff ok. Outside-in requests will need configuration.
So both answers are right. Cascading routers work for surfing only. Anything complex means double NAT is bad.
Back to the original question about Atom processors?
Yes, you got it! If the incoming port is fixed, yes, you can map it all the way back. If it is dynamic, you're hosed.
Yeah, the Atom should be fine. I refer back to the link I posted comparing your CPU versus the one I have. You should have no issues.
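To make the port-mapping argument in this thread concrete (the UPnP explanation, the a.b.c.d:12345 / 192.168.10.5:34567 walk-through, and the closing "fixed port yes, dynamic port you're hosed" answer), here is an added example that is not code from the thread or from pfSense: a toy Python model of two cascaded NAT routers. It assumes the thread's own addresses (192.168.10.x, 192.168.1.120:5001), keeps a.b.c.d as a placeholder for the public WAN address, and uses a constructed hotel client at 203.0.113.7. A UPnP request is honoured only by the gateway on the device's own LAN and is never relayed upstream, which is exactly why the upstream firewall drops the inbound connection unless a static forward is added there.

```python
"""Toy model of cascaded NAT (pfSense upstream, old router downstream).

Added example, not code from the thread or from pfSense. Addresses are the
thread's; 'a.b.c.d' is a placeholder WAN address; the hotel client is constructed.
"""
from itertools import count


class Packet:
    """A packet reduced to what NAT cares about: (ip, port) endpoints."""

    def __init__(self, src, dst):
        self.src = src
        self.dst = dst


class NatRouter:
    def __init__(self, name, wan_ip, lan_prefix, first_port):
        self.name = name
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix       # e.g. "192.168.1."
        self.forwards = {}                 # ext port -> (ip, port): static forwards and UPnP mappings
        self.state = {}                    # ext port -> (ip, port): outbound flows already translated
        self._ports = count(first_port)    # next WAN-side source port to hand out

    def is_inside(self, ip):
        return ip.startswith(self.lan_prefix)

    def upnp_request(self, ip, port, ext_port=None):
        """A LAN device asks its own gateway to map ext_port -> (ip, port).

        Only this router's LAN is served, and the request is never relayed to
        the router upstream: that is the gap the thread describes.
        """
        if not self.is_inside(ip):
            raise ValueError(f"{self.name}: UPnP request from {ip} is not on my LAN")
        ext_port = port if ext_port is None else ext_port
        self.forwards[ext_port] = (ip, port)
        return ext_port

    def outbound(self, pkt):
        """SNAT: rewrite the source to the WAN address plus a fresh port, and remember it."""
        ext_port = next(self._ports)
        self.state[ext_port] = pkt.src
        return Packet((self.wan_ip, ext_port), pkt.dst)

    def inbound(self, pkt):
        """DNAT: deliver only if the destination port matches a known flow or a forward."""
        target = self.state.get(pkt.dst[1]) or self.forwards.get(pkt.dst[1])
        if target is None:
            return None                    # no mapping: the stateful firewall drops it here
        return Packet(pkt.src, target)


PUBLIC_IP = "a.b.c.d"                      # placeholder for the real WAN address
HOTEL = ("203.0.113.7", 40000)             # constructed remote client (TEST-NET-3)
SLINGBOX = ("192.168.1.120", 5001)


def build_chain():
    """Outermost router first: pfSense on the WAN, the old router behind its LAN."""
    pfsense = NatRouter("pfSense", PUBLIC_IP, "192.168.10.", first_port=12345)
    inside = NatRouter("inside router", "192.168.10.5", "192.168.1.", first_port=34567)
    return pfsense, inside


def deliver_inbound(chain, pkt):
    """Walk an inbound packet through the NAT chain from the outside in."""
    for router in chain:
        pkt = router.inbound(pkt)
        if pkt is None:
            return ("dropped", router.name)
    return ("delivered", pkt.dst)


def upnp_only():
    """Slingbox opens 5001 via UPnP on the inside router; pfSense never hears about it."""
    pfsense, inside = build_chain()
    inside.upnp_request(*SLINGBOX)
    return deliver_inbound([pfsense, inside], Packet(HOTEL, (PUBLIC_IP, 5001)))


def upnp_plus_static_forward():
    """Fixed port: a manual forward on pfSense to the inside router's WAN side completes the path."""
    pfsense, inside = build_chain()
    inside.upnp_request(*SLINGBOX)
    pfsense.forwards[5001] = ("192.168.10.5", 5001)
    return deliver_inbound([pfsense, inside], Packet(HOTEL, (PUBLIC_IP, 5001)))


def upnp_random_port():
    """Dynamic port: the device picks 48211 (constructed); the static forward for 5001 does not help."""
    pfsense, inside = build_chain()
    ext = inside.upnp_request(*SLINGBOX, ext_port=48211)
    pfsense.forwards[5001] = ("192.168.10.5", 5001)
    return deliver_inbound([pfsense, inside], Packet(HOTEL, (PUBLIC_IP, ext)))


def outbound_and_reply():
    """Surfing works under double NAT: each router records the outbound flow and un-NATs the reply."""
    pfsense, inside = build_chain()
    out = pfsense.outbound(inside.outbound(Packet(SLINGBOX, HOTEL)))
    reply = Packet(HOTEL, out.src)         # the hotel answers the address it actually saw
    return out.src, deliver_inbound([pfsense, inside], reply)


if __name__ == "__main__":
    print("UPnP on inside router only:", upnp_only())
    print("UPnP plus static forward on pfSense:", upnp_plus_static_forward())
    print("UPnP with a randomized port:", upnp_random_port())
    print("Outbound flow and its reply:", outbound_and_reply())
```

Running it shows the four cases side by side: the inbound hotel connection dies at pfSense when only the inside router has the UPnP mapping, succeeds once pfSense carries a static forward for the fixed port 5001, dies again when the device negotiates a random external port that no static forward covers, and outbound-initiated traffic with its reply works throughout because each router un-NATs from the state it recorded on the way out.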