Standard User Whitehall11
(regular) Fri 02-Apr-21 10:23:40

It's finally here! - Advice needed

Morning All,

So after quite a lot of frustration and some very helpful advice from the likes of Pheasant and Co here: Leased Line ECC's

We've finally had the cable laid by contractors this week connecting our rural office to the local POP for SSE (NEOSNetworks now I think?) inside a Peak District exchange I'm told.

It's a 1GB Bearer, which will be set at 500/500 profile for now to see how we get on and if we need to increase it.

Has anyone got any suggestions on a good router and separate firewall to use with this leased line? I do have some kit arriving that comes with the contract but I'd appreciate any advice.

Edited by Whitehall11 (Fri 02-Apr-21 10:24:35)

Standard User candlerb
(fountain of knowledge) Fri 02-Apr-21 11:09:19

Re: It's finally here! - Advice needed

[re: Whitehall11]

I'd start with the supplied kit, especially if it's a managed service (i.e. the router is part of the end-to-end service). Note that some of the Cisco 1U boxes are very noisy - best kept in a cupboard.

If it's something you're managing yourself, then I think the number one consideration is something you are comfortable to administer, followed by what sort of features you need.

For power and value for money, I like Mikrotik routers and pfSense/Netgate firewalls.

For an office on a 500M service, just the firewall by itself probably does everything you need, without a separate router. I have an office on a 500M+500M service, where we use an old PowerEdge R220 running pfSense CE, connecting directly to the provider's ethernet presentation.

In data centres I have good experience with the Netgate XG1537, but that's massive overkill for what you need. SG-5100 or SG-3100 would be fine.

You should note that it has recently been announced that pfSense CE (free version) is going to diverge from the commercial version of pfSense for Netgate-branded hardware.

At home I use Mikrotik RB4011 for both routing and firewalling. This particular device doesn't have a VLAN-capable switch built in (even though many of their cheaper devices do), which means switching tagged VLANs has to be done in software - I find 800-900M of iperf3 traffic saturates one core. However if you're not trunking VLANs to it then it's not an issue.

Mikrotik don't charge any subscription fees for access to software updates, which counts for a lot in my opinion.

However, these days there's lots of kit which can handle 500M with ease, so pick something you are familiar with.
Standard User deleted
(deleted) Fri 02-Apr-21 11:56:58

Re: It's finally here! - Advice needed

[re: candlerb]

In reply to a post by candlerb:
You should note that it has recently been announced that pfSense CE (free version) is going to diverge from the commercial version of pfSense for Netgate-branded hardware.

Out of interest, any idea what the implications of this will be?

Standard User candlerb
(fountain of knowledge) Fri 02-Apr-21 12:09:52

Re: It's finally here! - Advice needed

[re: deleted]

In reply to a post by dect:
In reply to a post by candlerb:
You should note that it has recently been announced that pfSense CE (free version) is going to diverge from the commercial version of pfSense for Netgate-branded hardware.
Out of interest, any idea what the implications of this will be?


Here's their view:
https://www.netgate.com/blog/pfsense-plus-pfsense-ce...
https://www.netgate.com/solutions/pfsense/plus-faq.html

My view: they're aware of the architectural limitations of pfSense; they want to rebuild the framework and GUI in a better way; but they don't want to release it as free software for anyone else to use and commercialise.

I suspect that over time pfSense CE will stagnate and diverge from pfSense Plus. This is a shame, because even if you're using Netgate hardware, it's great to be able to do testing in VMs and commodity hardware. Maybe Netgate will sell licensed software-only versions for such users - in the way that Mikrotik sell their Cloud-Hosted Router (CHR) as a software appliance. But they haven't said they will do so.

If pfSense CE is not well maintained then it could be forked, or the community focus could move to opnsense (existing earlier fork, I don't know what state it's currently in). Either way though, it'll still be different to what you get on Netgate hardware.
Standard User ft247
(regular) Fri 02-Apr-21 13:13:11

Re: It's finally here! - Advice needed

[re: candlerb]

In reply to a post by candlerb:
For power and value for money, I like Mikrotik routers and pfSense/Netgate firewalls.


I'm a big fan of Mikrotik and have deployed their routers to service sites with 200+ web-browsing clients, 50 VLANs, VPN endpoints, DHCP, various flavours of NAT etc on 1000/1000 leased lines without issue.

I have never felt the need for a separate firewall device, but perhaps there is something I'm missing. Networking isn't the focus of my career, it's simply a useful ancillary skill I pick up as I go. Do you find you gain additional functionality adding a pfSense/Netgate box or is there an improvement in ease of use/visibility of statistics?
Standard User candlerb
(fountain of knowledge) Fri 02-Apr-21 13:40:50

Re: It's finally here! - Advice needed

[re: ft247]

In reply to a post by ft247:
I have never felt the need for a separate firewall device, but perhaps there is something I'm missing. Networking isn't the focus of my career, it's simply a useful ancillary skill I pick up as I go. Do you find you gain additional functionality adding a pfSense/Netgate box or is there an improvement in ease of use/visibility of statistics?


For home or small to medium office use, a single box is fine. The Mikrotik and Netgate can both do a reasonable job of routing and firewalling.

In a data centre, I want to separate out the jobs. Border routers do BGP and traffic failover: with multiple uplinks you don't want to do any NAT here, because send and return paths may be different. Some things need direct Internet access, outside of the firewall. And some things do need to be behind a stateful firewall (or a failover pair).
Standard User ft247
(regular) Fri 02-Apr-21 13:47:33

Re: It's finally here! - Advice needed

[re: candlerb]

Thanks, that makes sense.
Standard User deleted
(deleted) Fri 02-Apr-21 16:22:36

Re: It's finally here! - Advice needed

[re: candlerb]

Thanks, it will be interesting to see where this ends up
Standard User jchamier
(eat-sleep-adslguide) Fri 02-Apr-21 18:49:57

Re: It's finally here! - Advice needed

[re: candlerb]

In reply to a post by candlerb:
If pfSense CE is not well maintained then it could be forked, or the community focus could move to opnsense (existing earlier fork, I don't know what state it's currently in). Either way though, it'll still be different to what you get on Netgate hardware.

Interesting, as I've been thinking of migrating to a BSD based router, either pf or opn; as colleagues are running opnSense successfully that might be the safer route today. It does seem to be at least a well updated project.

21 years of broadband connectivity since 1999 trial - Live BQM
Standard User Spud2003
(fountain of knowledge) Sat 03-Apr-21 20:12:56

Re: It's finally here! - Advice needed

[re: jchamier]

I'm using Untangle - comes in three home use flavours, free (with limited functions), Home Protect Basic ($50/year - more functionality), Home Protect Plus ($150/year - most functionality for home use). What I really like about it is the fine grain control you have over network host traffic - so for instance you can set up multiple VPNs (OpenVPN) and route different hosts over different VPN tunnels by just adding a "tag" (string of characters) to a host's traffic. Takes minutes, very easy. I run it on standard x86/64 hardware.

Edited by Spud2003 (Sat 03-Apr-21 20:14:12)
