Standard User ianfuture (learned) Mon 07-Aug-17 18:16:48
pfSense -> managed switch - hardware that can cope with VPNs

Wasn't sure if this or one of the other hardware-related forums was appropriate, but I'm looking into replacing my current router with a pfSense box and an 8-port managed switch, and eventually some wifi APs that can reach the back garden, not just the house (I'll reuse the router for its wifi until then). The main driver is so I can route all traffic over VPN except those connections/machines/applications that will grumble if they see a non-UK IP address. So basically I need a lot more control.

Hardware yet to be determined for any of it, but the primary query for here is :

- any recommendations for 8-port managed switches that can handle VLANs and be managed via a web GUI, not by some other machine-local application? I've previously seen TP-Link ones come well recommended but not sure if that's the case still?

- also any recommendations for quiet, low-power pfSense boxes (self-build not an issue) that would be powerful enough to handle VPN traffic on a standard UK FTTC-speed connection with overhead to future-proof? Assume the budget is approx. £200

- are Ubiquiti WiFi access points likely to be the best option to reach the back garden through several walls, or are there other ways to ensure coverage is more directed or further reaching?

thanks in advance
Standard User summat (member) Tue 08-Aug-17 20:44:24 [re: ianfuture]

I'm using pfSense myself - and plan to do something similar at some point VLAN-wise if required; aside from that I'm using roughly what you're looking at.

1. How about a Netgear GS108E (web managed, desktop, fanless, 8 port) which seems to be around £30-ish. Lifetime warranty, too.

2. I recently replaced a very old single core Atom box I've had running for years with an Intel Apollo Lake Celeron (a Gigabyte J3455N-D3H motherboard in my case) which has two gigabit LAN ports. This is in a very small mini ITX case along with a picoPSU, a 4GB stick of DDR3L, and a 16GB SSD. Then a decent 60W 12V laptop style PSU. This solution has been fast and rock solid so far (3 months and counting at this point), and supports AES-NI to accelerate VPN usage. It's passively cooled with zero moving parts. Dead silent, plenty of performance. Not sure how much power it's using but I'm sure it's not much! Not totally certain on cost but I think under £200 for sure. Self build.

3. I use Ubiquiti points - Two AC-Lite APs in my case. I've got them cabled at opposite ends of the house in my case, the range seems pretty good (tested far end of house using a single point plugged in) but I'm not certain you'll get an amazing signal through multiple walls and then at a distance in the garden beyond. Perhaps an AC LR might be more suitable? Not sure really - only way to tell would be to try it!

Consider that to use these APs (they have no web interface in their own right) you need to run the controller software, buy a 'cloud key', or use a cloud-based controller to manage them. Personally I run mine on a VM on the Google Compute Platform.

If you REALLY can't get an AP closer to the garden, you could buy a second AP and have it uplink wirelessly to the first using the UniFi controller software. That way it can rebroadcast the signal much closer to the garden. Instructions to do this are HERE.

Just bear in mind the potential performance losses using a wireless uplink, given it's having to relay wirelessly.


Standard User prlzx (experienced) Tue 08-Aug-17 21:01:20 [re: ianfuture]

On the Access points, UniFi would normally be ok, but regardless of vendor you may need one outside. Have a look at the small UniFi Mesh APs (you don't need to use them in a mesh topology but they can be mounted outside).

On the router, have you decided which VPN flavour to run? IPsec will have the best performance as long as it is hardware crypto accelerated.

EdgeRouter would be well worth considering.

pfSense is worth a look, but you'll need to scan the blog and forums for suitable boards. Previously I would have suggested boards using C2558 / C2758 and up to Xeon D-1541 but there might be more recent / better value hardware.

However, a combo of low power / under £200 / FTTC-speed VPN may rule out pfSense unless you find a proven model; otherwise start with an EdgeRouter (Lite or X). Lite if you don't need to use the router as a switch; X if you need the option to use a built-in switch chip, and it doesn't break the bank.

Switches, I find the Cisco SG300 series solid (all features exposed in web UI plus a CLI that is a usable subset of IOS commands), but you might want to look at the SG200 / SG220 / SG250. The TP-Link managed switches were ok but the VLAN interface was a little clunky (but still better than Netgear).



prlzx on iDNET: VDSL / 21CN at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Standard User choppersrock (regular) Wed 09-Aug-17 09:38:50 [re: ianfuture]

Re the pfSense box, I use a prebuilt PC Engines AMD with Intel NICs on board. 12 volt unit and no fan; it has been running for months with no issue. I am on 2.4 beta too.

Slightly over the £200 but well worth it. I obtained mine pre built from linitx.com

Sky Fibre Pro - Zyxel vmg8324 (v14 bridge mode) + PFSENSE 2.4.0 with ipv6 - ECI cab, G.INP disabled as of 8th April 2016

http://www.mydslwebstats.co.uk user upload ID skyECI
Standard User ianfuture (learned) Thu 10-Aug-17 12:00:15 [re: summat]

Thanks for the info.

I liked the idea of a build-your-own mini PC to use as the pfSense box as it gives me room for steady upgrades if necessary, but I've seen that Intel NICs are better regarding encryption as they have better hardware for handling AES, I gather, than Realtek NICs. So trying to find a board that does that and doesn't break the bank has been tricky. What CPU do you have on that board? What CPU usage do you see, and RAM usage? Are you using a VPN?

So the Ubiquiti APs need their own piece of software running on a machine to configure and run, or just configure? If it was just configure, that'd be fine, but if I needed another always-on piece of software that'd be a bit of a pain.

I'd seen the Netgear GS108E and similar; I suppose for £30-ish it'd be reasonable and I've not lost too much if I have to change.
Standard User ianfuture (learned) Thu 10-Aug-17 12:06:44 [re: prlzx]

I had considered the outdoor AP a possibility, just hadn't looked into who made them in detail.

My VPN uses OpenVPN, and I would want that for any VPN now or in future, seeing as it's more open and widely offered.
Standard User ianfuture (learned) Thu 10-Aug-17 12:28:53 [re: choppersrock]

Which model do you have? These caught my eye; the linitx.com website looks a bit ropey but the machines look good. What wasn't clear was how powerful the CPUs are and the amount of RAM they offer, as the website is a little bit random in the details I've found. Do you use a VPN? Do you know what your CPU and RAM usage peaks at?
Standard User choppersrock (regular) Thu 10-Aug-17 12:47:47 [re: ianfuture]

I use this one, being the APU2C4 4GB model with SSD. You do need a serial adapter on the first install for the console, but once it's installed it's not needed. Yes, I use OpenVPN from within pfSense for inbound. I haven't seen the box break into any sweat yet. Current mem use at 12%. CPU temp at 55.
A couple of friends are using the same model.

FreeBSD 11.0-RELEASE-p10
CPU Type: AMD GX-412TC SOC
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)



https://linitx.com/product/linitx-apu2-c4-4gb-3nicus...

Been using mine nearly a year and very pleased.

Standard User ianfuture (learned) Thu 10-Aug-17 16:45:48 [re: choppersrock]

My concern with these is that I might blow £200+ on something I can't upgrade or reuse easily if the CPU is not up to the job. A 1GHz, nearly 2-year-old CPU and various reports of less-than-great performance on outbound VPN make me wary.

One of several:
https://www.linuxserver.io/2016/12/17/review-pcengin...

It'd be great if someone had a VPN on Virgin's high-speed fibre connections and one of these boxes and could report the throughput over their VPN connection and whether it starts to bottleneck. Any of your friends in that boat who could check?
Standard User choppersrock (regular) Thu 10-Aug-17 18:09:47 [re: ianfuture]

One of my friends replied with this. He is a member here too but can't answer himself right now, but I am sure he will when it's possible.

Tell them I'm using pfsense ap2u on a FTTP 100/100 connection with Vlans and VPN had no problems at all.

I will ask him to respond when he can.

Standard User kwillers (newbie) Thu 10-Aug-17 18:41:23 [re: choppersrock]

In reply to a post by choppersrock:
One of my friends replied with this. He is a member here too but can't answer himself right now, but I am sure he will when it's possible.
Tell them I'm using pfsense ap2u on a FTTP 100/100 connection with Vlans and VPN had no problems at all.
I will ask him to respond when he can.

I am that friend :)

I'm using pfSense running on a PC Engines AP2U system at my house in France. It's Orange Fibre to the Premises (FTTP) on a 100/100 connection. I use various media players and VPN in to the box often. Never had any issues.
The AP2U copes with all I have thrown at it and I get full 100/100 speeds connecting via a Google wifi AP connected to the LAN port of the pfSense box.

Orange needs the DHCP6c (yes, I run IPv6) and DHCP requests for IP address to be issued over a VLAN with a priority of 6. That requires a patched version of the firmware, but if you need that capability I can share the patch.

Shout if you need more info.

In short, you won't go wrong with pfSense and an AP2U.

Plus both choppersrock and I have another friend who is a rather excellent pfSense coder and has tweaked pfSense a few times to make it work with ISP specific authentication requirements !!!
Standard User ianfuture (learned) Thu 10-Aug-17 21:11:54 [re: kwillers]

Thanks for the extra info.

Just to clarify, do you use an outbound VPN, i.e. one that encrypts and masks what your ISP would see, and get 100/100 without any bottleneck? That's great if you do :)
Standard User kwillers (learned) Fri 11-Aug-17 07:22:09 [re: ianfuture]

No I don't use an outbound VPN

I just run a VPN server on pfSense to allow me to access the network remotely.

I'm back in France in a couple of weeks so will test it and see. I'm sure it will still give 100/100 provided the VPN server service is not swamped

Any particular VPN service you'd like me to test?
Standard User prlzx (experienced) Fri 11-Aug-17 22:36:43 [re: ianfuture]

OpenVPN is great and no criticism of its open-ness, but its main advantage is having the option of being able to work using port 443/tcp (like HTTPS) even when the client end is behind a restrictive firewall.

This does not apply in your case where your router is the firewall, and OpenVPN will perform better using its native UDP transport.

Also performance will be slow until and unless the OpenVPN code actually gets to benefit from crypto acceleration.

But the notion that it is "more open" than IPsec? No, IPsec is an open standard; you don't require a licence / patents or have to pay anyone to use it. Indeed, it's part of the IPv6 spec, having been added to IPv4 only because it came after IPv4 was already established.

And most open-source implementations are using some version of StrongSwan which you can read for yourself.

On any given hardware, it will be as fast or the fastest because hardware offload / crypto offload has had longer to be developed for it. Have a look at the pfSense blogs on the topic to see where they are going.

That said, to be clear, it's not the NICs that do the encryption, e.g. AES, even when using the Intel ones; rather, they are recommended because the NIC drivers are better quality, and more packet processing (e.g. headers) can be done by dedicated hardware in the NIC than by a software routine in the driver.

Encryption is still done by the CPU; what matters is whether the firewall software can use dedicated CPU instructions to improve the performance of that, which can mean checking that the CPU and motherboard support it and also that such features are not turned off by BIOS / UEFI.



Standard User summat (member) Sat 12-Aug-17 14:54:35 [re: ianfuture]

The CPU on the board (Gigabyte GA-J3455N-D3H) is a current-gen 'Apollo Lake' Celeron J3455 (quad core 1.5GHz, turbo to 2.3, 10W TDP, passively cooled, released late last year), has AES-NI instructions (for help accelerating VPNs, and is also a requirement for pfSense from version 2.5 onwards), and two Realtek 8168 gigabit NICs.

Right now mine's sitting at 0.03-0.05 load average on a mostly idle 80/20 connection (pfSense is handling PPPoE via an HG612 Openreach modem). I have 4GB of RAM but it's currently only utilising around 5% of that. I have a site-to-site OpenVPN tunnel running and I can easily get 50Mbit over it without trouble, and I've not yet reconfigured that to use ciphers that take advantage of the AES-NI instructions either.

Under heavy traffic loads it'll occasionally hit around 0.4 load - it's really not an issue for it. A friend had the previous version of this board with the same NICs I have on his 330/30 FTTP connection and it did fine.

Regarding the NICs being Realtek and not Intel - I honestly don't think you will notice any issues with them. You CAN get boards with two Intel NICs but they are pretty uncommon and certainly significantly more expensive. I looked for them when I was shopping and the extra expense wasn't worth it for me personally. The Realteks support VLANs and I've had zero issues with them. As far as I am aware the encryption is all handled before the network adapters are touched, so I don't see how they can help with it. I'd be interested to see where you read that if you could link?

My previous pfSense machine was a first-gen atom (single core) with two ultra-cheap Realtek 8139 cards (fast ethernet only) and that handled the full 80/20 connection I have without an issue too, along with the same OpenVPN tunnel running on it I have now.

Ubiquiti APs require software to configure them, and it allows for ongoing management and monitoring. Without the software (once configured) the APs will operate with the configs you give them; there is simply nothing in the way of an interface on them directly aside from SSH and the command line. You can keep the software on your PC and just start it up to make config changes; it doesn't need to be running all the time.

There are also retailers in the UK that supply them with 3-years of cloud-based control as part of the sale.
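The points made above about VPN crypto (prlzx: encryption is done by the CPU, OpenVPN only benefits if its code actually reaches AES-NI, and UDP beats TCP unless a firewall forces 443/tcp; summat: the tunnel has not yet been moved to ciphers that use AES-NI) can be turned into a quick check. The script below is an added example, not code from the thread, pfSense or OpenVPN. The /proc/cpuinfo text and OpenVPN configs embedded in it are constructed samples, and its treatment of a missing `cipher` line as BF-CBC is an assumption about OpenVPN 2.4 defaults when cipher negotiation does not pick an AES-GCM cipher.

```python
"""Audit an OpenVPN config against the host CPU's crypto features.

Added example for this thread (not code from pfSense, OpenVPN or any
poster). It reads Linux /proc/cpuinfo-style text and an OpenVPN config
and reports whether the data-channel cipher can use AES-NI, and whether
the transport and cipher choices are ones that cost throughput.
All inputs below are constructed samples.
"""

# AES ciphers are the ones AES-NI accelerates; the GCM variants also use
# PCLMULQDQ for their GHASH authentication step.
AESNI_CIPHERS = {
    "AES-128-CBC", "AES-192-CBC", "AES-256-CBC",
    "AES-128-GCM", "AES-192-GCM", "AES-256-GCM",
}
# 64-bit block ciphers that no common CPU accelerates.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Constructed /proc/cpuinfo excerpts: an Apollo Lake part with AES-NI,
# and an old Atom without it.
CPUINFO_J3455 = """\
processor\t: 0
model name\t: Intel(R) Celeron(R) CPU J3455 @ 1.50GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 aes pclmulqdq rdrand
"""
CPUINFO_OLD_ATOM = """\
processor\t: 0
model name\t: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 movbe
"""

# Constructed client configs: the weak settings beside the corrected ones.
CONFIG_AS_SHIPPED = """\
# older tunnel using OpenVPN's historical defaults
dev tun
proto tcp-client
remote vpn.example.net 443
cipher BF-CBC
auth SHA1
"""
CONFIG_TUNED = """\
# same tunnel, reconfigured for AES-NI and UDP
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-GCM
auth SHA256
"""


def cpu_flags(cpuinfo_text):
    """Return the set of feature flags from the first 'flags' line."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def parse_openvpn_config(text):
    """Map each option name to its argument list, ignoring '#' and ';'
    comments. For a repeated option the last occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def audit(cpuinfo_text, config_text):
    """Return a list of (code, message) findings; empty means nothing to fix."""
    flags = cpu_flags(cpuinfo_text)
    opts = parse_openvpn_config(config_text)
    findings = []

    # Assumption: OpenVPN 2.4 falls back to BF-CBC when 'cipher' is absent
    # and cipher negotiation does not pick an AES-GCM cipher.
    cipher = (opts.get("cipher") or ["BF-CBC"])[0].upper()
    proto = (opts.get("proto") or ["udp"])[0].lower()

    if cipher in LEGACY_CIPHERS:
        findings.append(("legacy-cipher",
                         f"{cipher}: 64-bit block, software only; use AES-256-GCM"))
    elif cipher in AESNI_CIPHERS:
        if "aes" not in flags:
            findings.append(("no-aesni",
                             f"{cipher} configured but the CPU has no AES-NI; AES runs in software"))
        elif cipher.endswith("-CBC"):
            findings.append(("cbc-mode",
                             f"{cipher} is accelerated, but AES-GCM encrypts and "
                             "authenticates in one pass and is faster on AES-NI hardware"))
        if cipher.endswith("-GCM") and "pclmulqdq" not in flags:
            findings.append(("no-pclmul", "GCM's GHASH runs in software without PCLMULQDQ"))
    else:
        findings.append(("unknown-cipher", f"unrecognised cipher {cipher}"))

    if proto.startswith("tcp"):
        findings.append(("tcp-transport",
                         "TCP transport carries TCP inside TCP and retransmits twice on loss; "
                         "use UDP unless a firewall at the client end forces 443/tcp"))
    return findings


if __name__ == "__main__":
    for cfg_label, cfg in (("as shipped", CONFIG_AS_SHIPPED), ("tuned", CONFIG_TUNED)):
        for cpu_label, cpu in (("J3455", CPUINFO_J3455), ("N270", CPUINFO_OLD_ATOM)):
            print(f"{cfg_label} on {cpu_label}:")
            for code, msg in audit(cpu, cfg) or [("ok", "no findings")]:
                print(f"  [{code}] {msg}")
```

On a real box, feed it `cat /proc/cpuinfo` (or the `AES` entry from `dmesg` on FreeBSD, after adjusting `cpu_flags`) and the client or server config. One caveat on the dashboard line quoted earlier in the thread, "AES-NI CPU Crypto: Yes (inactive)": on pfSense that refers to the kernel aesni module selected under System > Advanced > Miscellaneous > Cryptographic Hardware, which IPsec uses; OpenVPN links OpenSSL, which uses the AES-NI instructions in userland whenever the CPU exposes them and an AES cipher is configured, so that setting alone does not change OpenVPN throughput, but the cipher choice does.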
Standard User ianfuture (learned) Fri 18-Aug-17 18:52:08 [re: summat]

Thanks for all the info. Very helpful in determining which way I go :)