Is there anything 1 level above pfSense?

[Maverick009]

Not a bad idea building using an APU like @Maverick009 said, with modularity for wider array of upgrades.

@aps just remember when buying parts however it also really depends on your use case, for example even OPNSense’s highest end appliance is a Quadcore. Not saying don’t get better hardware with more cores, but make sure you’re getting what you need based on your usage/requirements or its more money, only for little to no gain in real use.

Additionally I’d also suggest getting a dedicated switch for multigig LAN work as the ASIC chips in the switches are designed for that kind of work unlike the x86 or ARM CPUs in the firewalls where they’d just be wasting CPU cycles doing that work through bridging with significantly higher latency especially at higher speeds and more ports in use and at times even likely unable to even reach 5-10Gbps depending on how many ports are in use and what other work is competing for CPU cycles like VPN etc. Some firewalls/router appliances do have switches built in ie like your home router.

I personally have multigig Zyxel XS1930-10 switch handling all my multigig and standard LAN devices. For my use case for example, the firewall CPU has no real affect on my 10Gbe LAN work/transfers unless it's across VLANS as the switch is handling all of it, my firewall CPU cores are rarely ever above 5-10% and that too when I had Suricata or OPNVPN running. Importantly your internet connection will likely actually be your biggest bottleneck rather than a Quad Core i3 or AMD APU.

I pretty much agree 100%. Only reason I mention an APU, is it is cost effective, and most of the equipment that was even prefabricated by the companies that that make Pfsense and Opnsense boxes, was really before APUs became a factor and prior to AMD's Ryzen being a star. I also only mention the 6C/12T APU as the big push over the lesser Core i3 4C/4T CPU, as unless you doing some hardcore networking, the 8C/16T APU would go to waste. The Ryzen 4000/5000 series 6C/12T APU can handle Dual Intel X550-T2 NICs, support NAS capbilities, or also support a virtual instance on to to say run Asterisk as well with maybe 2 cores dedicated.

Again all depends on load and configuration that meets your home needs. The Ryzen APU may be all you really need for quite some time and fits into a cost effective expandable home network. Total cost of a box using the APU with say 16GB RAM, 240GB SSD, Intel I350-T4, and X550-T2, would come around $600-800 but would be all you need.

I also agree with having a dedicated smart switch to take off most of the load, especially if you have several devices connecting at once. If you go with an unmanaged switch, then definitely the Firewall hardware needs to be beefy, as you would be relying on that to communicate and do all the hard lifting on the network.

Just some food for thought.

 

[coxhaus]

Firewall wise Untangle is ahead of pfsense. Untangle is harder to setup but easier to maintain.

 

[ddaenen1]

Firewall wise Untangle is ahead of pfsense. Untangle is harder to setup but easier to maintain.

I would be interested to learn what exactly you found difficult to maintain on pfSense?

 

[Maverick009]

Firewall wise Untangle is ahead of pfsense. Untangle is harder to setup but easier to maintain.

Pfsense and Opnsense are fairly straightforward in initial setup. I cannot figure out what is way ahead in untangle.

 

[Hikari]

Hello guys! I'm on the same boat

Today I have an EdgeRouter X where I installed OpenWRT. It's a very limited Lix distro and I've been wanting to change my router for a more powerful OS. In example, by default it only has root user, its ping is very limited in parameters, and there are some other networking tools not available. And even being limited, it's consuming 210MB of its 256MB RAM.

Now it's been having some odd crashes. I'm still able to enter LuCI and login SSH and its bridged ports communicate, but Internet goes down. Some times I thought it was my PC and I went to the point of reinstalling network driver after reboot not solving, before figuring it was the router. Last time it happened it went fully offline and I had to turn off the cord.

I wanna build a new PC and install opnsense or pfSense, but Intel has been struggling to provide any good hardware lately. My first concern is electicity, and Intel is still on 14nm. 10nm is only coming for mobile and now they are delaying their 7nm too, and they had ported their Ice Lake back to 14nm.

They had just announced Core 11th Gen, it's still 14nm but now it's coming with a nice improvement which is my 2nd concern: 3GIO 4.0! Current Intel network chips are still 3GIO 2.1 x4, which require a full x16 slot as no modern mobo has x4 slots anymore. As I want this router to last at least a decade, I'll for sure need 10GbE on it. It's too expensive today, but I don't wanna have to build a new PC later because of that. For that to be possible, I'll need at least 1 card with Quad 1GbE and another card with Dual 10GbE, which requires 2 x16 slots. If I need more ports, that's 3 x16 slots! Today that's at least a mini-ATX with H470, the problem is that I don't want a big PC for router and H470 also has higher power consumption :/

Now with 3GIO 4.0 we have the possibility of Intel developing new Quad 1GbE and Dual 10GbE that require only a x1 slot, therefore I could use H510 with 3 usable slots. If Intel would make a chip with in example 4 1GbE and 1 10GbE together, maybe 2 NICs, under x1, would suffice for me!

Sadly, Intel also announced that their new CPU will be only for i5 and above, i3 and below won't have 3GIO 4.0 yet. Until some weeks ago I was considering buying a i3-T, it's very rare to find but sometimes it's available, it has a TDP of 35W! i5 also has a T variant, but I had never found one available for DIY.

If I build my router this year, one option would be to buy a normal i5 then disable its Turbo - which would cap it in real 65W - and maybe disable 2 cores, because it's too powerful for a router and I'd not need 4 of them.

If I wait 1 more year, for sure Intel will bring 3GIO 4.0 to i3 and maybe will come with a 10nm, which will reduce consumption.

For RAM, there's no 8GB Dual Channel 3200MHz available, so I'll need to go for 16GB, so be it.

For storage, I suppose that 240GB NVMe is enough. As it's gonna be in a mini-ATX case, I can always plug a 2TB HD later. Another option is to buy 2 SATA SSDs and use them on RAID1. Let's remember that RAID doesn't replace the need for backup and quick restore, but if a single SSD dies I'll need to buy a new one, with no easy Internet available, wait it to ship, then replace it. With RAID1 I can keep the router running while I replace it.

 

[Trip]

@Hikari - Do a 2U/3U short-depth front access chassis, like this one from Plink (or similar), then run whatever mobo gives you the mix of CPU, power draw and expandability you like for the price, and away you go. A chassis that will last you for life, even let you hyper-converge/virtualize other services should you want to, especially if you choose one with one or more 5.25 bays with an IcyDock for drives.

 

[John Davis]

They had just announced Core 11th Gen, it's still 14nm but now it's coming with a nice improvement which is my 2nd concern: 3GIO 4.0! Current Intel network chips are still 3GIO 2.1 x4, which require a full x16 slot as no modern mobo has x4 slots anymore. As I want this router to last at least a decade, I'll for sure need 10GbE on it. It's too expensive today, but I don't wanna have to build a new PC later because of that. For that to be possible, I'll need at least 1 card with Quad 1GbE and another card with Dual 10GbE, which requires 2 x16 slots. If I need more ports, that's 3 x16 slots! Today that's at least a mini-ATX with H470, the problem is that I don't want a big PC for router and H470 also has higher power consumption :/

Intel do a quad 10gbe card (XL710) - just use that, and use vlan trunking out one of the 10gbe ports to a suitable managed switch to feed your 1gbe clients

 

[Hikari]

@Hikari - Do a 2U/3U short-depth front access chassis, like this one from Plink (or similar), then run whatever mobo gives you the mix of CPU, power draw and expandability you like for the price, and away you go. A chassis that will last you for life, even let you hyper-converge/virtualize other services should you want to, especially if you choose one with one or more 5.25 bays with an IcyDock for drives.

That's very pretty Sadly I don't have a rack to place a chassis like that and it'd be too expense to do. I also have some stuff that's not rack mountable, as 2 ISP modens, my NAS which requires at least 4 HD slots and preferably 6, so I'd not have much use for a rack.

Intel do a quad 10gbe card (XL710) - just use that, and use vlan trunking out one of the 10gbe ports to a suitable managed switch to feed your 1gbe clients

wow how come I didn't find that chip! :-x

I had never heard about vlan trunking, could u point some switch capable of doing that? What's the difference of just plugging a port from the network card on a switch, and it split the 10GbE on all its GbE ports?

With vlan trunking, would I be able to plug both my ISP modens (bridge mode) on a switch, and then the router be able to identify them and make the connection (PPPoE in one, DHCP on the other), and then provide LAN connectivity back on the other ports of the switch? That would be very interesting to do!! I need that, because both modens are RJ45 GbE and I couldn't have another network card on the router.

In fact, if that's possible, my router could live with 1 unique 10GbE port, if the switch has at least 4 of them. I could buy another card for my NAS and have it on 10GbE too. My Main PC sadly can't have it, because I have 2 GPUs on it, so I'd need a 10GbE network card that's x1 for it.

 

[John Davis]

With vlan trunking, would I be able to plug both my ISP modens (bridge mode) on a switch, and then the router be able to identify them and make the connection (PPPoE in one, DHCP on the other), and then provide LAN connectivity back on the other ports of the switch? That would be very interesting to do!! I need that, because both modens are RJ45 GbE and I couldn't have another network card on the router.

In fact, if that's possible, my router could live with 1 unique 10GbE port, if the switch has at least 4 of them. I could buy another card for my NAS and have it on 10GbE too. My Main PC sadly can't have it, because I have 2 GPUs on it, so I'd need a 10GbE network card that's x1 for it.

yep sure can - indeed I'm doing it myself ( as the GPON ont is in a cable bay in my garage wheras everything else is in a more central location) - only catch is the ports used on the switch each end of the trunk have to have enough total bandwidth for all the vlans transitting the trunk. If you can rely on your switch to handle the local highspeed traffic so as the only traffic thru the router is wan traffic ( and your wan connection is only 1gbps) then in fact you only need a 2.5gbe link from the switch to the router/pc - a 10gbe trunked link would allow up to 5gbps wan speeds

for your desktop pc - have a look at the realtek based 2.5gbe cards - will still give you better speed to your NAS and are only pcie x1

 

[Hikari]

I had found only 1 store that sells RTL8125 :-x

Does it work with normal cat6 cable? If so, I might plug it on my Main, I think I have a spare x1 on it. But I rly don't have issue on 1GbE for it. It's on my NAS that I need faster transfer, and on it I can get a Intel single 10GbE.

Ok, so what must I search for in a switch to know it's able to do what I need?

My current plan:

1) Wait for Intel 11th, buy a i5 and disable its Turbo and make tweaks on the mobo to reduce its TDP to 35W or less. Or wait for Intel 12th and buy a i3.
2) Buy a H510 mobo with a single x16 slot.
3) Buy a Intel X710-da4 for the router and a X550-T1 for NAS.
4) Buy a switch that supports VLAN Trunking, with at least 3 10GbE and 10 1GbE.

I'd need to connect both ISP on its 1GbE ports. I'm safe to consider top 500Mbps on either ISP, they won't offer it on next few years and won't go above it this decade. And even if I'm surprised, they won't go above 1Gbps, because nobody here will wanna use LAGG or 2,5GbE. And even if they do, its price would be insane.

My NAS I connect directly on X710-da4 and still have 2 remaining ports. Maybe a X550-T2 is enough for my router, specially if the switch has 4 ports.

Then on the same switch I connect the remaining devices close to router, and use 1 port to connect to the AP on my room, where I connect the remaining devices and provide WiFi.

Edit: it's better to connect NAS directly on the switch, else any traffic on it would have to travel thru the router. It's also needed to have at least 1 more SFP+ port available, because my future PC will have a mobo with 10GbE onboard. Then I think the switch must have at least 4 SFP+ ports.

And, of course, when any device tries to reach any modem, they must be forced to pass thru the router, even it having a single connection to the switch. Same for Internet, but in this case it's safe because both modens are on bridge mode and only 1 device is able to connect to Internet thru them.

If needed, I can open a new thread and repost it there.

 

[John Davis]

4) Buy a switch that supports VLAN Trunking, with at least 3 10GbE and 10 1GbE.

4 * 10gbe and 8 * 1gbe (or even 8 * 2.5gbe) is relatively affordable, but once you go past that you're in to SMB rated kit, and prices go up accordingly

If you really want all that in one switch maybe look at the netgear 16 port multigig switch (all 16 ports are 1/2.5/5/10gbe plus it does poe+) - not cheap but very capable https://www.netgear.com/support/product/m4300-16x-299w-psu.aspx

otherwise you can always just stack switches - pick something affordable with 4 (or more) 10gbe combo ports and link a suitably large 1gbe switch with 10gbe uplink capability via sfp+ dac - probably work out cheaper

 

[Hikari]

tnx a lot for the help

I searched for it on stores (mercadolivre.com.br and buscape.com.br) and found no store selling. Oddly, newegg also doesn't have it. Maybe that's why I wasn't finding these devices when I searched for solutions before. X710-da4 also, I only found on Amazon.

Since I'm also waiting for Intel to provide a proper CPU, I think I'll just wait a couple more years before I upgrade my router and remaining LAN devices. At that time these cards and switches should be more accessible :/

 

[John Davis]

I searched for it on stores (mercadolivre.com.br and buscape.com.br) and found no store selling. Oddly, newegg also doesn't have it. Maybe that's why I wasn't finding these devices when I searched for solutions before. X710-da4 also, I only found on Amazon.

newegg carries the netgear m4300 line - but not the 16x model - smallest they list is the 24 port model ( xsm4324s )

newegg also has both the x710-da4 and x710-t4 - as well as startech and supermicro xl710 based cards (xl710 is the ethernet controller chip - but just to confuse things intel also has qsfp+ boards with the model number xl710 to differentiate it from the sfp+/10base-t x710 models)

 

[Hikari]

I use newegg because of its great search system. MercadoLivre's search has very few options and when I search by general text they flood unrelated results.

We've always had issues getting access to more advanced technology, and now with pandemic and bigger economic crisis nobody is willing to import anything.

From all network related cards and devices, managed switch should be the category with lower demand. It's a great solution for me to reduce ports needs on my router, let's hope 10GbE gets more popular on next couple years

 

[coxhaus]

If you are going to push 10 gig on your local LAN for like a big NAS then I recommend one of the Cisco small business L3 switches they make a lot of versions. Your local LAN will thank you for not pushing 10 gig thru a router.

 

[Hikari]

Indeed. In the past I was using router ports to connect the 2 switches I use on my 2 rooms. I had no speed or lag degradation, but still. I bought a new switch a few months ago and now the secondary switch is connected on the primary one, and it connected on the router. Now the whole LAN is connected by switches and router is reached only for Internet, DHCP leases and when configuring it.

 

[avtella]

Zyxel XS1930-10 (~$450) (8x 10gbe Multi-Gig RJ45 Ports + 2 SFP+ 10Gbe Ports) and Netgear MS510TXM (~$450) (4x 2.5 Gbe ports and 4x 10Gbe RJ45 Ports + 2 SFP+ 10Gbe Ports) would both be fine. I have the Zyxel I got it at a discount from an authorized reseller online, rather than buying from the likes of Newegg or Amazon. The Netgear does have two fans vs 1 on the Zyxel and it may be a little quiter overall having looked at data sheets.

Also if you really need SFP+ to RJ45 Trancievers go with WiiTek or 10GTek those are the best ones power consumption and performance wise, WiiTek being the cheaper one. Also note the RJ45 to SFP+ Trancievers in general run very hot so you may not be able to stuff more than 2 of them in a SFP+ only quad port net card when running at 10Gbe, if that's what you are intending on doing.

 

[Hikari]

tnx

Sadly I didn't find either to buy :/

My intention was use RJ45 connector and UTP cable because they are cheaper than fiber and SFP+. Transceiver is expensive, so mixing both connectors isn't worth it either.

 

[coxhaus]

Indeed. In the past I was using router ports to connect the 2 switches I use on my 2 rooms. I had no speed or lag degradation, but still. I bought a new switch a few months ago and now the secondary switch is connected on the primary one, and it connected on the router. Now the whole LAN is connected by switches and router is reached only for Internet, DHCP leases and when configuring it.

If you can live in a flat simple network then fine. The simple solution is running a wireless router. I can't as I need networks local. Layer 3 switching is the way to go for me.

I think your asnswer does not fit with 1 step above pfsense. With such a simple network there is no need for 1 step above pfsen

 

[Hikari]

I think your asnswer does not fit with 1 step above pfsense. With such a simple network there is no need for 1 step above pfsen

Yeah, I was considering doing the same as op. But when I saw the price of managed switches, fiber cable tranceiver and that Intel 11th Gen i3 will be a Comet Lake Refresh and not a Rocket Lake, I decided to step back and wait 2 more years.