Need your advice



  • Hey guys,

    So, I've spent a large chunk of my weekend trying to work on my home network.  Since my Netgear N600 WNDR3400v3 seems to be incurring occasional performance hiccups, I've decided to upgrade my network a bit. Now, I only have 50 Mb down / 6 Mb up through U-verse, so I'm not expecting much improvement in overall bandwidth performance, etc. My goal is to improve security, reliability, and hopefully overall performance in tasks such as media/voice streaming and gaming (and overall web experience). Also, I'll be receiving a Lenovo TS440 which I plan on using as a file server in the future.

    I put together a pfsense box: AMD FX-4300, 4GB DDR3, 60GB SSD, Intel quadport i340-t4… from parts lying around and on sale online.

    Here are my concerns:
    Using the box as a "router" or a "switch", I would need to bridge the LAN connections, correct? And doing so results in lesser performance, right?
    My Netgear LAN ports are only 10/100 (another reason why I wanted to upgrade)

    So, with that being said, what are your guys' recommendations on the best setup with my hardware?

    NVG589 (IP passthrough) --> pfsense ---(bridged quad port LAN)--> wireless router as an access point/switch & other PC's/future server ?

    or would you recommend that it's worth buying a switch and:

    NVG589 (IP passthrough) --> pfsense --> switch to pc's & wifi AP & future server?  And with this route bridge for dual WAN and/or dual-LAN to switch from my quad port?

    So far, I've got pfsense up and running. It seems my IPv6 config is alright (10/10 on ipv6 test).  However, I notice right now that certain areas of webpages do not seem to load.  I haven't gone through any firewall rules or QoS yet, though. Could this be an issue with the defaults?

    I tried OPNsense and Sophos for a day, and decided to come back to my original plan of using pfsense lol

    I know it's more of a noob-ish question, but this is not my realm of expertise (obviously).

    Thanks for any input!



  • I'd avoid bridging on the pfsense box. It will work, but will never have the performance a switch will.

    You haven't really given any requirements, so unless you are wanting to do odd things (like a separate wifi network for guests), here's what I'd do:

    1. Put ESXi on the hardware. That will give you a production pfsense instance, and capacity for a couple of other fun things to play with (like a test pfsense instance, sophos UTM, and maybe an asterisk based pbx). You won't be able to run more than two at once, but it still gives you some play room.

    2. Buy an 8 port gigabit switch from monoprice for $20. Connect one of the ESX server's physical ports to it, and connect all your computers, APs, printers, whatever to it.



  • Awesome. So it is recommended to go with a switch.

    What performance benefits would there be to go with ESXi… typically, virtual environments tend to have a hit on performance, right? Granted, it would be nice to have the added benefit of running something like sophos utm on it... what is most common in this regards? pfsense + sophos?

    Also, is there a way I can take advantage of my quad-port Intel NIC? : p  Such as bridging or teaming the LAN to the switch? I can't imagine I would ever hardly notice any performance differences there (maybe unless I had a whole lot of file transfers occurring simultaneously or something), but it could add resilience, too, right? lol

    I'm just trying to think of how I can maximize what I've currently got going on hardware-wise.  : )

    EDIT: Also, I believe my priority on the network (for now) will likely be online gaming. So, running GTA 5 with skype, etc. with other users also streaming video simultaneously. I realize that most of this comes down to ISP, but my goal is to minimize (and possibly even improve) any footprint with the routing. In the future, I might be looking into VPN's as well... but that's a topic for another day.

    Thanks so much!



  • @n0nsense:

    Awesome. So it is recommended to go with a switch.

    What performance benefits would there be to go with ESXi… typically, virtual environments tend to have a hit on performance, right? Granted, it would be nice to have the added benefit of running something like sophos utm on it... what is most common in this regards? pfsense + sophos?

    Also, is there a way I can take advantage of my quad-port Intel NIC? : p  Such as bridging or teaming the LAN to the switch? I can't imagine I would ever hardly notice any performance differences there (maybe unless I had a whole lot of file transfers occurring simultaneously or something), but it could add resilience, too, right? lol

    I'm just trying to think of how I can maximize what I've currently got going on hardware-wise.  : )

    EDIT: Also, I believe my priority on the network (for now) will likely be online gaming. So, running GTA 5 with skype, etc. with other users also streaming video simultaneously. I realize that most of this comes down to ISP, but my goal is to minimize (and possibly even improve) any footprint with the routing. In the future, I might be looking into VPN's as well... but that's a topic for another day.

    Thanks so much!

    Yes, to take advantage of your quad port, you can create a LAGG, or what Cisco calls a Port Channel or EtherChannel group, with which you can use the LACP protocol, which aggregates the bandwidth together.  So 4 ports would have a maximum bandwidth of 4Gbps, though you would only get max 1Gbps per host unless your host has LAGG too.

    Grab a Cisco switch or, if on a budget, some Netgear/Linksys ones; most can do LAGG/LACP.  I'm currently running a Cisco C2960X as a core switch at home.
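    As an added illustration (not code from any poster in this thread) of why a 4-port LAGG gives 4Gbps only in aggregate and still 1Gbps per host pair, here is a small Python model of per-flow link hashing; the XOR-of-last-octet hash and the sample MAC addresses are constructed simplifications.

```python
"""Flow-hash model of a 4-port LAGG (added illustration, not from the thread).

802.3ad/LACP never splits one conversation across member links. The sender
hashes frame headers and pins each flow to one member port, so four 1 Gbps
ports add up to 4 Gbps only across several hosts talking at once; any single
host-to-host pair stays on one port and tops out at 1 Gbps.
"""
from __future__ import annotations

LINK_COUNT = 4       # member ports in the LAGG
LINK_GBPS = 1.0      # speed of each member port


def select_link(src_mac: str, dst_mac: str, link_count: int = LINK_COUNT) -> int:
    """Pick the member link for a flow.

    Simplified src-MAC XOR dst-MAC hash on the last octet, a common switch
    default (vendors also offer IP- and port-based hashes). The result is
    deterministic: the same pair of hosts always lands on the same link.
    """
    src = int(src_mac.split(":")[-1], 16)
    dst = int(dst_mac.split(":")[-1], 16)
    return (src ^ dst) % link_count


def links_used(flows: list[tuple[str, str]], link_count: int = LINK_COUNT) -> set[int]:
    """Set of member links carrying at least one of the given flows."""
    return {select_link(s, d, link_count) for s, d in flows}


def capacity_gbps(flows: list[tuple[str, str]], link_count: int = LINK_COUNT) -> float:
    """Usable aggregate capacity: one link's worth per distinct link hit."""
    return len(links_used(flows, link_count)) * LINK_GBPS


# Constructed sample LAN: one file server and four client MACs (not real hosts).
SERVER = "00:11:22:33:44:01"
CLIENTS = [f"00:11:22:33:44:{i:02x}" for i in range(100, 104)]

if __name__ == "__main__":
    one_pair = [(CLIENTS[0], SERVER)]
    many = [(c, SERVER) for c in CLIENTS]
    print("single host pair:", capacity_gbps(one_pair), "Gbps")   # 1.0
    print("four hosts at once:", capacity_gbps(many), "Gbps")     # 4.0
```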



  • Ahh, nice!

    A cheaper monoprice switch probably wouldn't support LAGG/LACP? Such as:
    http://www.monoprice.com/product?c_id=105&cp_id=10521&cs_id=1052104&p_id=10927&seq=1&format=2


  • 

    It will at least need to be web-managed. You're looking for 802.3ad LACP.

    Not quite sure why you want to lagg gigabit ports to your router if you only have 50/6.



  • @FlashEngineer:

    you can create a LAGG or what Cisco calls Port Channel or Etherchannel group which you can use LACP protocol which aggregates the bandwidth together

    More generically, this feature is often termed "port aggregation" and, as Derelict notes, LACP is 802.3ad. You will need a switch with some sort of management or "smart" features for this to be available, n0nsense - it won't be available on a cheap unmanaged switch such as the monoprice unit you linked to. ZyXEL GS1900 series (for 8 port) or GS1920 (24 port and up) are possibly worth a look, though there are plenty of other good switches at competitive price points.



  • This is how I started using pfSense.

    If you're not comfortable with VMware or Hyper-V, then just do a normal install.

    Ditch the netgear or whatever it is; or reset it and set it up with a static ip and as an access point.

    Go through the pfSense wizard; I'd setup dhcp to start ~.31 and end ~.229

    Speed test it through a wired connection.  #'s good?  Then run the traffic shaper and use PRIQ (not HFSC) - set the up and down #'s to ~90% of what your speed test shows.  During the traffic shaping wizard, you will get the ?'s about giving steam / xbox / etc high priority.  Works great (reset states if machines are on).

    Save that config / backup.

    Then look at pfBlockerNG add on.
    Good luck.
    p.s. - knowing your setup; I did not do any link aggregation or similar and I'm running gigabit; tests at 850/250 with traffic shaping.



  • Thanks for your help, guys!

    It seems like link aggregation isn't really cost effective unless you really need it… initially, I assumed that any modern switch could handle it... and thus, if you have the extra ports, why not...
    cables are cheap : p

    EDIT: http://www.amazon.com/gp/product/B00M1C0186?psc=1&redirect=true&ref_=oh_aui_detailpage_o00_s00  I went for this... since I'm sure I'll be using this for the next few years, plus a $15 rebate.  Seems like a better investment than the cheaper $25 models.

    I'm sure I'll be back later when it comes time for optimization and whatnot.

    Appreciate all the help! You guys are awesome.



  • Even if you went with a LAGG setup you won't see a combined line speed increase. What LAGG would give you is multiple concurrent 1GB connections and that use case is highly unlikely in a normal home network setup.

    Unless you have a specific use case for it, and since you're asking I'm betting you don't, forget it and stick with the plan you have for a simple unmanaged switch.



  • ESX has a minimal performance hit. You won't notice it so long as you don't overload it.

    You don't need pfsense and Sophos UTM. They each have their strengths and weaknesses, but trying to use both would be complicated.

    You don't need a LAGG capable switch to use multiple physical NICs in an ESX box. You can configure ESX so that it keeps the same virtual machine MAC address associated with the same physical NIC. That way, a non-LAGG switch sees the same MAC addresses on the same ports and doesn't get unhappy. I may be wrong, but I think that is actually the default (I haven't looked for a while).

    With the setup you describe, you don't need multiple ports anyway. Your clients only hit the ESX box to hit the Internet, and you are limited to way less than gigabit speed there anyway. Your clients will talk directly to each other, so you don't need high bandwidth to ESX/pfsense for that.

    Don't worry about the two unused NIC ports. Trying to force them into use won't make anything perform better, and will just make things more complicated.

