pfSense (or other dedicated router) questions

Would something called "ntop" do it? I found a YouTube video from 2013 that shows all kinds of pfSense statistic packages, but it's narrated in a language I don't understand. Around 16 minutes into the video, it looks like there's a per-app breakdown:

On the other hand, doesn't something like this require level 7 DPI? Did pfSense REMOVE level 7 in a recent build? If it was removed, would that imply that I couldn't possibly get the stats I want from it in a current build?

I don't see ntop/ntopng in pfSense 2.3, so it does not seem to be available currently (or ever?).

And no, L7 filtering is not required for your needs.

pfSense does not have L7 filtering built into the OS, but you can get comprehensive L7 filtering through Snort (which is very likely the better choice).
 
I don't see ntop/ntopng in pfSense 2.3, so it does not seem to be available currently (or ever?).

Based on this thread (https://forum.pfsense.org/index.php?topic=108504.0), it was pulled in 2.3 and will probably come back in 2.3.2. (And stuff like that makes me wonder if I'd be better off just getting one of those little x86_64 boxes and making my own router from scratch with Linux, starting with a distro like Gentoo.)

And no, L7 filtering is not required for your needs.

pfSense does not have L7 filtering built into the OS, but you can get comprehensive L7 filtering through Snort (which is very likely the better choice).

Okay, so this is an area of confusion for me... I don't want level 7 filtering... I want L7 reporting. Can I use Snort as a reporting tool and NOT as a filter?

(I read somewhere that using snort might require >4GB of RAM for all the signatures... so that would certainly impact h/w choices.)
 
I guess I should register on the "pfsense.org" forum and start plastering pfSense-specific questions over there. It seems that it's the most widespread solution for things similar to what I'm doing.

A TRUE hardware router (like the MikroTik CCR1009 mentioned above) might also be an idea, but it's also a purpose-built piece of hardware, so if I decide I want to go in a different direction, I have a router that I really can't re-purpose for anything else.
 
Would something called "ntop" do it? I found a YouTube video from 2013 that shows all kinds of pfSense statistic packages, but it's narrated in a language I don't understand. Around 16 minutes into the video, it looks like there's a per-app breakdown:

Not a big fan of ntop as it is a bit invasive - you're basically capturing all packets for post-processing, and it's not an ideal situation for long-term usage compared to other solutions - e.g. SNMP and tools like I mentioned earlier - Cacti, MRTG, PRTG (for Windows), and I would toss in Nagios as well.
 
Okay, so this is an area of confusion for me... I don't want level 7 filtering... I want L7 reporting. Can I use snort as a reporting tool and NOT as a filter?

Yes - and don't necessarily fall into the trap that MikroTik is the be-all/end-all - they're good, but they're a lot of effort to set up if you're not a networking expert. SEM will disagree with me, I'm certain of that, but the CCR1009 is still software based as much as pfSense is, or any other router for that matter.

Also consider the Ubiquiti EdgeRouter line, they're also quite good, and reasonably priced, and a potential solution, esp. if you've outgrown a traditional all-in-one home router/AP - and the EdgeRouters in combination with their APs is a pretty good integrated solution.
 
pfSense is a true hardware router...

He may be referring to hardware offloading or related hardware accel like purpose-made ASICs. pfSense itself is a purely software project but it does support some minimal (and usually discouraged) NIC off-loading.
 
He may be referring to hardware offloading or related hardware accel like purpose-made ASICs. pfSense itself is a purely software project but it does support some minimal (and usually discouraged) NIC off-loading.

He's not... or is vastly mistaken... with pfSense, there is a reason why folks prefer Intel NICs specifically as opposed to others.
 
Yes - and don't necessarily fall into the trap that MikroTik is the be-all/end-all - they're good, but they're a lot of effort to set up if you're not a networking expert. SEM will disagree with me, I'm certain of that, but the CCR1009 is still software based as much as pfSense is, or any other router for that matter.

Also consider the Ubiquiti EdgeRouter line, they're also quite good, and reasonably priced, and a potential solution, esp. if you've outgrown a traditional all-in-one home router/AP - and the EdgeRouters in combination with their APs is a pretty good integrated solution.

I don't disagree with you about the effort required to set them up :p .
MikroTik makes RouterOS and routerboards which run RouterOS; all routers are essentially just the same as your PC, some hardware running an OS. They only differ by software.

Before you think MikroTik is very limiting, take a look at the demo website, as it shows you what it is capable of in a networking sense. What you can't do with a routerboard/RouterOS (without some hacking) is install other software, so you can't install Snort and other stuff without hacking, like you can on a Ubiquiti EdgeRouter.

However, a Ubiquiti EdgeRouter isn't as easy as a Linux OS when it comes to installing software. Lots of CLI and possible conflicts that you can encounter. Their throughput without hardware acceleration is essentially the same as consumer routers, and their available software is rather limiting compared to what's available for Debian x86.

So my suggestion is either pfSense with Intel NICs or a MikroTik CCR1009. It really just depends on what you want from a router, as both will not give file and printer sharing (theoretically you can do file sharing with MikroTik, but it is a hopeless cause as they only support FAT16/32 other than their own FS and will only use 1 core). Both routers don't require hardware acceleration to provide the throughput you want with all the configs you like, and both vary in their networking features and such; that's not to say you can't get one to do what the other can with some hacking or difficult work (try searching for using pfSense as a NAS). MikroTik has more enterprise features than pfSense does, and a built-in layer 2 and layer 7 firewall, which is really nice, while pfSense, lacking layer 2, uses software to do the configs and job for you. So think of MikroTik more as having to make rules that coincide with what you want, while pfSense is more ticking checkboxes.
 
My intention with "true hardware router" was implied in the rest of the message. If a generic machine is used as a router, I don't consider it to be a true hardware router... I think this perfectly describes pfSense devices. They are PCs that could be just as useful as something else such as a NAS or HTPC. (Please, don't get into the specifics of the individual models and why they may or may not be useful as HTPCs. The point is that the device was not designed from the bottom up to be a router.) If I buy one of these and later decide to use something else for routing, I can install Linux or even Windows and re-purpose the machine to some other duties.

On the other hand, if the device hardware was designed from the bottom up to be a router, which APPEARS to be the case for the CCR1009 (though I could be wrong.. I really couldn't find much info on the hardware) I'd consider it to be a true hardware router. That doesn't make it better - it just makes the device fairly useless for any primary purpose other than as a router.

The Asus AC3200 is also (kind of) a true hardware router based on this definition (and if it was a good one, I wouldn't be looking for an alternative.)

BTW, @System Error Message, I did look at the MikroTik demo, but it was fairly limited. Can it do the type of reporting I mentioned earlier in this thread? I couldn't find any such thing in the demo. (If it requires a special .exe to run, then it's much less useful. Not everyone runs Windows all the time.) Is there a version of the hardware that has the power to handle NAT'd LAN->WAN traffic over 500 megabits/sec, but doesn't have a dozen ports? (I don't need another switch.)

Honestly, I don't care how complex initial configuration is or isn't. Even with an Asus router, I still find myself having to drop into a shell and create scripts by hand to handle special needs (special bridging rules via ebtables and firewall rules via iptables.)

Also, for some reason the file sharing thing keeps popping up. I'm not sure why. I don't need/want a router that does file sharing. I have 2 very nice 6-bay NAS devices that can saturate dual gigabit. I want the router to be a router - but being that all traffic passes through it, it's the logical place to look for traffic reports.
 
If you mean a hardware router, perhaps you mean embedded. Every router essentially is just a piece of hardware with storage that has an OS installed, usually Linux based. If you knew the information other experts here and I know, you would find there is no such thing as a true hardware router. What you're saying is that you want embedded, where everything is soldered onto the board including the CPU.

There are embedded x86 boxes too, some for as low as £100 for 3 ethernet ports, but they use Realtek and a slow AMD CPU.

MikroTik CCR1009 has the hardware to handle multiple gigabits of NAT, doesn't matter which direction. MikroTik is very flexible in that any port can be WAN or LAN, just like if you use Ubiquiti or an x86 PC. All that matters is how you configure it, as you can make rules using so many different things, from port/interface, protocols/traffic type/mark, or even address based, whether layer 2 or 3 or layer 7. The MikroTik CCR1009 has been benchmarked to handle 5Gb/s of NAT using no hardware acceleration whatsoever, even though hardware acceleration exists on MikroTik in a very flexible way. Some users on this forum have gotten 500Mb/s on the CCR1009 maxing out only 1 out of 9 cores using PPPoE, VLAN and many QoS and firewall rules with no acceleration.

The CCR1009 is designed in hardware to be a router, but that doesn't mean you can't hack it to install OpenWrt on it or other things to use it as a regular Linux server :p . Facebook uses the same CPU as that router, but the 100-core variants as PCIe cards in their servers, to do firewall and network stuff and run the webserver part of their site, with data handled by the x86 bit.

The MikroTik demo doesn't let you configure, it just shows you what it looks like and what possibilities you can do. For bandwidth reporting there are various ways to do it. You can view bandwidth without logging in if you use the graphing feature under Tools as a graph (this has hourly, daily, monthly and yearly). If you actually look in the demo under Interface -> Stats, that shows you realtime bandwidth information and stats, including packets and link, so you can see how unreliable your ISP's PPPoE server or line is, which is also logged so you can see when it went down.

If you wish to view realtime stats per user, you first have to categorise the user's traffic. The simplest way to do this is by creating passthrough firewall filter rules, 2 rules, each using the user's MAC address as source/destination. Another way is by automatically authorising the user using RADIUS or hotspot, so as to make it show up under interfaces or somewhere that lets you view realtime stats. Unlike Ubiquiti, it doesn't categorise stats traffic; you have to create rules to isolate the traffic you want to identify in order to get their stats. You can however bind a device to an IP, add the IP addresses to a list, give it a name and use that name instead as your source/destination, and go further to specify the source of traffic, whether it is internet or LAN, by using the in/out interface on the forward chain with a source/destination address list. It takes a bit of logic to understand the potential of configurable firewalls, as they don't use human readable terminologies.

MikroTik however has their The Dude software, which you can run the server for only on multicore routerboards/x86. This adds networking functionalities (you won't need Domotz or Spiceworks with this).

There is no MikroTik routerboard that has fewer ports for the throughput you want. All their ARM, PPC and TILE based boards have many ports. The ARM routerboard is the Qualcomm IPC8064 based platform, so it does 500Mb/s with no hardware acceleration atm (you can think of that hardware as beta stage). PPC has been their solid platform for performance in the past, outshined now by the TILE based routerboards. However, unlike the CCRs, you won't get many CPU-connected interfaces; with the CCR1009 with SFP+ you get SFP+ on 2 models (modular 10G port, CPU connected), SFP (modular 1.25G port, CPU connected), 4 CPU-connected 1Gb/s ethernet ports and 5 1Gb/s ethernet ports switched. If you don't use switched ports you get better results, so just bridge, and you can also do LACP with CPU-connected ports better, with support for RSTP if you bridge. Just think of the CCR1009 as having 1-2 SFP ports and 4 ethernet ports.

The CCR1009 with SFP+ has 2 GB of RAM, so while it may retail at $500 this is better because it has 2GB of RAM. My CCR1036 uses 400MB of RAM just on boot, as it has 36 cores and a lot of parallelism going on, and when my address lists end up with a few hundred thousand entries it eats up 1GB of RAM, as I have dynamic rules that automatically blacklist, whitelist and label traffic, including host detection as well, so I can see who's on my network. The CCR1009 is a 9-core TILE-Gx Tilera CPU which is very much like a general purpose CPU. It has better logic performance than ARM but sucks at math performance, so it's bad for 3D graphics, but like MIPS it is optimised for networking. They come with hardware encryption for AES, but with the CPU throughputs you can expect good VPN performance. Like PPC and x86 they suffer less performance loss when doing more complex things like adding more rules and overheads. MikroTik however will let you create complex networks without punishing you like other routers do. You can assign multiple IP addresses with 1 DHCP client and 1 DHCP server to each interface, and an interface can be physical or virtual in the router. Each interface can essentially be part of multiple networks simultaneously.
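The per-device accounting described in the post above, written out as an added RouterOS example (not from the post and not MikroTik's own documentation). It uses the address-list variant the post also mentions, because the IP firewall can match a MAC address only as the source; the bridge name, host address and list name are constructed placeholders.

```routeros
# Added example (not from the post): count one LAN host's upload and download
# with two passthrough rules, then read the per-rule byte/packet counters.
# "bridge-lan", 192.168.88.10 and "host-laptop" are constructed placeholders.

/ip firewall address-list
add list=host-laptop address=192.168.88.10 comment="laptop (constructed)"

/ip firewall filter
# Upload: packets entering from the LAN bridge whose source is in the list.
# action=passthrough only increments the counters and keeps evaluating the
# chain, so these rules never accept or drop anything themselves.
add chain=forward in-interface=bridge-lan src-address-list=host-laptop \
    action=passthrough comment="laptop upload"
# Download: packets leaving via the LAN bridge whose destination is in the list.
add chain=forward out-interface=bridge-lan dst-address-list=host-laptop \
    action=passthrough comment="laptop download"

# Both rules must sit above any accept/drop rule in the forward chain, otherwise
# packets are consumed before the counters are reached.
# Read the counters (bytes and packets per rule, one line per rule):
/ip firewall filter print stats where comment~"laptop"
```

Adding more hosts is one address-list entry and two rules each; the counters are per rule, so they give per-host totals rather than the per-app breakdown asked about earlier in the thread.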
 
My intention with "true hardware router" was implied in the rest of the message. If a generic machine is used as a router, I don't consider it to be a true hardware router... I think this perfectly describes pfSense devices. They are PCs that could be just as useful as something else such as a NAS or HTPC. (Please, don't get into the specifics of the individual models and why they may or may not be useful as HTPCs. The point is that the device was not designed from the bottom up to be a router.) If I buy one of these and later decide to use something else for routing, I can install Linux or even Windows and re-purpose the machine to some other duties.

No such thing as a true HW based router - there will always be a SW component involved - whether it's a WRT-54G, a Cisco/Juniper box, or pfSense running on white box HW.

The pfSense box I run - it's purposely designed to run pfSense - it's very good at it - and it would be a poor choice for a general purpose PC or HTPC - it's an excellent choice on a HW basis for exploring and developing Software Defined Networks as it has both the data plane and the control plane in close proximity - and would be a great device for either purpose (SDN controller or netflow router (configured via OpenFlow APIs))...

Maybe you need to step back and learn how routers work - I've designed a few... have you?
 
+1 on the Ubiquiti EdgeRouter Lite. Hard to beat at the under $100 price point. Handles my 240/20 cable connection with no problem, and even has memory to spare to run a pretty extensive DNS blacklist. Yes, speeds are rated with "hardware offload" enabled, but as of 1.8.5 that now covers IPsec, IPv4 forwarding, VLANs, and GRE, and IPv6 forwarding and VLANs. Basically only QoS takes the slow path through the CPU now. The GUI is pretty complete now - about the only thing I see missing is DHCPv6-PD settings, which are supposed to be in 1.9. EdgeOS is a fork of Vyatta, based on Debian. The CLI is very Juniper-like, and there is a very active support community over on the Ubiquiti site.

No, you don't get all the UTM "stuff" that you can get with pfSense, but that also takes a lot more hardware and $$$ as you get up there in speed.

I gave up on integrated router/APs when my RT-N66U running Merlin software would lock solid when trying to tweak IPv6 settings. I ran OpenWRT and tried pfSense in ESXi instances on my home server, but household politics demanded a standalone router. And again, under $100, it was a bargain.
 
I've gone ahead and decided to use pfSense. If I later HATE it, I can always reformat the SSD and use it for something else.

I decided I didn't like any of the prebuilt options. I want something that has power to spare. Experience has taught me, at least in the computer world, too much power is better than not enough. (Too much power can be dealt with via a fan. If you don't have enough, there isn't much you can do about it.) I VERY seriously considered one of the Netgate/pfSense boxes, but I decided that if I'm going to spend $375 (shipped) for their 4-port version, I might as well build something more powerful for ~$400 (also shipped.)

Here's my order list (via Amazon):
  • Supermicro Mini ITX A1SRI-2558F-O Quad Core DDR3 1333 MHz Motherboard and CPU Combo
  • M350 Universal Mini-ITX PC enclosure PicoPSU compatible
  • Mini-Box PicoPSU-90 12V DC Input 90 Watt Output + 60W Adapter Power Kit Cyncronix Rating
  • 2x Kingston Technology ValueRAM 8GB 1600MHz DDR3L PC3-12800 ECC CL11 1.35V SODIMM Notebook Memory KVR16LSE11/8
... will also re-use one of the 120GB SSD drives that I removed from other machines (because they were too small.)

This processor is the same one in the Netgate/pfSense SG-4860. That should be plenty of power for 1 gigabit LAN->WAN routing while running whatever processes tickle me at the moment.

The memory is The Flaw in my project. I originally was going to go with a single 8GB SODIMM, but decided (after reading comments on the pfSense forums) that memory performance is important to routing performance, so changed my mind to 2x 4GB modules so they could be interleaved. However, Amazon doesn't have availability (for shipping) of 2 4GB ECC SODIMM PC3-12800 modules, so I decided to just bite the bullet and get the 2x 8GB SODIMMs. I realize that 16 GB of RAM in a router is complete overkill, but it was the only way for me to get interleaved memory in a timely fashion. (On the other hand, I'll probably have more RAM on my router than most people have persistent storage. )

Once I have the box up and running, I might decide that I need to add a fan. I really can't tell until I plug it all in.

All parts should be delivered Wed. I hope to get it all up and running for the weekend. :)

Wish me luck.
 
I've gone ahead and decided to use pfSense.
...
All parts should be delivered Wed. I hope to get it all up and running for the weekend. :)

Wish me luck.
At least you didn't go with Ubiquiti, you would've been disappointed, as it doesn't have the capabilities of pfSense nor the speed of MikroTik. I think Ubiquiti should be labelled as consumer now, as their products have been focused towards them only, with the wrong information just so people buy them through misinformation.

Try using Ubiquiti in the same environment I use it in, it won't handle the load or capabilities. Even the firewall configuration lacks the same flexibility and features as MikroTik's firewall configuration. I can have my network the way I want with MikroTik, even in an environment where my ISP blocks NAT and tries to control the network; I can still run my own network without having to configure clients and perform my own control, which you can't do with Ubiquiti (essentially this is used in layer 2 protection, such as a way of blocking rogue DHCP and enforcing your router as the gateway and filter regardless of the settings on clients.)

Memory performance is important to routing if you reach the memory bandwidth limit. So if you have more than a few GB/s worth of required throughput, then you will have to look at RAM performance, as even the CCR1072 has shown that faster RAM improved speeds because CPU throughput was much faster than RAM bandwidth. Below the RAM bandwidth limit you don't have to worry about it, so even at 1Gb/s DDR is still fine, but if you were to run software and additional filtering software, then faster RAM helps.
 
The pfSense box I run - it's purposely designed to run pfSense - it's very good at it - and it would be a poor choice for a general purpose PC or HTPC - it's an excellent choice on a HW basis for exploring and developing Software Defined Networks as it has both the data plane and the control plane in close proximity - and would be a great device for either purpose (SDN controller or netflow router (configured via OpenFlow APIs))...

So much for:
Please, don't get into the specifics of the individual models and why they may or may not be useful as HTPCs. The point is that the device was not designed from the bottom up to be a router.)

Oh, well... Welcome to the Internet Forums where it's damn near impossible to keep a thread on topic. It doesn't matter. I've made my decision that was the basis for this thread. If you want to debate the semantics of what is and what isn't purpose built, etc - please feel free.

Maybe you need to step back and learn how routers work - I've designed a few... have you?
No, I do software. Of course, I started software development a LONG time ago when the software ran on specific hardware (and you couldn't tell a customer to buy more RAM, change processors, etc), so you learned the hardware. However, specifically about routers - I've never written any routing software (and so never had the time to learn the specifics of the h/w.)
 
At least you didn't go with Ubiquiti, you would've been disappointed, as it doesn't have the capabilities of pfSense nor the speed of MikroTik. I think Ubiquiti should be labelled as consumer now, as their products have been focused towards them only, with the wrong information just so people buy them through misinformation.

BTW, thank you for replying in this thread and giving me options. The MikroTik looks really interesting, and I think if I was SOLELY interested in a single box for a router that just works once set up, I probably would have gone in that direction.

However, I like to tinker, and pfSense looks like it has more knobs, buttons and dials to play with. If I ever get bored with the ones that it comes with, I can just install another pfSense package and amuse myself some more.
 
Welcome to the Internet Forums where it's damn near impossible to keep a thread on topic. It doesn't matter. I've made my decision that was the basis for this thread.

Done then... you've made your bed, now you can sleep in it.

I see no further need for ongoing debate - it's a shed, it holds bikes, who cares what color the bikeshed is?
 
I've gone ahead and decided to use pfSense. If I later HATE it, I can always reformat the SSD and use it for something else.

Exactly. Full PCs are great in that way. Heck, you could install OpenBSD (or almost anything, like maybe Alpine Linux) and roll your own router.

Keep us updated on your progress and good luck! :)


PS - If you do get on to the pfSense forums, please remember to research your question yourself before posting. You very likely will not get a response otherwise. The forum is not very "noob" friendly...
 
pfSense 2.3.2 was just released with ntopng support. :)

Lucky you!
 
