Replacement for RV-340

[Tech9]

Nope, all RJ45 ports are 1Gb and only SFP+ port is 10G.

This router/firewall is made for 10GbE WAN + 10GbE LAN link to switch. Very business oriented configuration.

Also I also see configuration requires the "Omada App."

It's not just Omada App, but Omada SDN software. For this one the best option is running it on hardware controller.

TP-Link

www.tp-link.com

 

[jasonreg]

So as a minor update, our ISP (Rogers in Canada) just rolled out 1.5Gbps download internet over coax into our neighborhood and are laying the fiber optic this summer to match Bell's speeds. After going back and forth with them and the other main provider here I bagged a pretty decent discount while getting the faster service. So, while I had mostly resigned to hanging on to the RV-340 for the time being, I am now faced with the dilemma that unless I make some sort of change I will not benefit from the increased internet speeds.

Assuming I now want at least one 2.5Gbps WAN and at least one (but preferably more) 2.5Gbps LAN port, I have narrowed it down to the following:

1. Netgate 6100. Pros - seems to meet and exceed anything I would want to do, with capacity for future-proofing anything I might need in the next 3-5 years - loads of users and pfsense itself seems very reliable, especially on the Netgate boxes. Cons - steep (but manageable with online help?) learning curve, priciest option out the door, several have noted online that Netgate "may" be abandoning pfsense support in favor of their TNSR software which I believe is subscription based.
2. Firewalla Gold Plus. Pros - marketing says it will do everything I need (brand new product) and is likely the easiest set up out of the box. Cons, (relatively) newish company, cloud based services, have had lots of growing pains though they seem to be on a good path. Many say too much irrelevant info supplied via their app.
3. Ubiquiti DM Special Edition. Pros - relatively simple set-up - great integration within its ecosystem (will likely update APs as a next step). Cons, looks Like I would need to LAG the 1GB LAN ports to achieve > 1GB out of the machine, lots of concern on line with the pace of upgrades and how each prior box seems "abandoned" quickly after the next newest version appears. Lots of users who seem to have tried the good idea but left for something else .....

Would appreciate your thoughts and input. As an aside - Happy New Year Everyone!

 

[Christos]

+1 vote for the Netgate 6100. There is a learning curve for the firewall configuration and interfaces maybe, but it is very stable system and hardware will last for a decade. I don't see them abandoning pfsense in the near future and if they do you can jump to opnsense very easily.

Another option I would consider is the Mikrotik RB5009UPr+S+IN.
There is a bigger turning curve with it, but this machine can do anything and comes with long term support for software updates.

Firewalla is risky because if they abandon their app, there is not a web gui to manage the firewall. Also all services (like ad blocking etc) are built by Firewalla and you cannot add a blocking list from GitHub. I wouldn't trust them for now

 

[L&LD]

Thanks, @Christos, those major negatives for Firewalla may become moot in the future, but for now, proceeding with caution is my take on them too.

 

[Smokey613]

As a current Firewalla Blue Plus user and a former Firewalla Gold user, I too have concerns with their business model.

I will say they are very customer oriented and have made lots of improvements based on customer feedback.

The units are very easy to deploy and configure, especially for novice networking users.

My only CON to using their product is the same as several other networking products and that is a totally “cloud” based management system.

This is really my only concern with eero. If you lose connectivity to their management due to internet outage, you risk the loss of your local LAN connectivity also since the units can’t “talk” to the management system.

At least with Asus and other similar routers, your local LAN will remain operational.

 

[Tech9]

Netgate 6100

There is a new Netgate 4100 with $200 lower price. See if it fits your needs. It can do WAN aggregation 2x Gigabit + has 4x 2.5GbE LAN ports. You may need to change the modem to 802.3ad capable for >Gigabit WAN speed, but you get 4-port 2.5GbE switch included. Also x86 CPU with 4GB RAM.

 

[jasonreg]

There is a new Netgate 4100 with $200 lower price. See if it fits your needs. It can do WAN aggregation 2x Gigabit + has 4x 2.5GbE LAN ports. You may need to change the modem to 802.3ad capable for >Gigabit WAN speed, but you get 4-port 2.5GbE switch included. Also x86 CPU with 4GB RAM.

Yes - have been comparing the two closely. Looks like the big differences are the 2-core vs quad-core processor, extra 4GB RAM and the 10GB SFP Ports. Either way I would be using one of the 2.5GB LAN ports as WAN. I get future-proofing for 10GB SFP but my real concern is more the processor and RAM. I am new to pfsense so not sure what to expect frankly, especially as I add other packages like pfblocker and snort.

My Modem is the XB8 (Arris I think) from Rogers - Comcast uses exact same model - unfortunately only has a single 2.5GB port, the other 3 are 1GB for some reason. As such I currently have it bridged and will run the new router off the 2.5GB port on the Modem.

 

[jasonreg]

My only CON to using their product is the same as several other networking products and that is a totally “cloud” based management system.

Quite concerned about this as well - could be the showstopper for Firewalla.

 

[jasonreg]

Another option I would consider is the Mikrotik RB5009UPr+S+IN.

Interesting read. I think though that between the learning curve and the single 2.5GB port and the warnings about security deficiencies I have read, it might not be what I am looking for.

 

[Tech9]

I am new to pfsense so not sure what to expect

You'll be fine as long as you have no ideas running SSL proxy with full inbound/outbound IDS/IPS. This is not needed anyway. This dual-core CPU is plenty fast for home use and 4GB RAM are more than enough. pfBlocker is not a concern unless you overdo it with millions of blocked IPs and URLs. I'm using 6100 with 10GbE link to switch, 10GbE servers, 2.5GbE the rest network and 150-180 active users. Sometimes APs peak around 4Gbps aggregate traffic and I don't have any AX-class devices. You don't need 6100 for home use. I would go cheaper with DIY x86 box instead.

 

[jasonreg]

@Tech9 - great input - thx. In that same vein then, if I were to go 4100, would you see benefit from the "Max" config (128 GB M.2 NVMe) or would the Base config (16 GB eMMC) be sufficient? Unless I am missing something, that is the only difference.

 

[Tech9]

Well... NVMe is faster, but pfSense runs from RAM and it doesn't matter much. Storage was needed in the past for Squid cache, but with today's fast Internet connections I'm in doubt someone is still using it. All the logs and OS updates will fit in 16GB. There are many "better" things, but at some point you only increase the cost and decrease the returns of investment. This appliance is CAD850 or more around here. I have no DIY option for my business (it has to be standard equipment), but you do for home use. I believe you can get a mini-PC for less and if something goes wrong with your pfSense (expectations) - reuse it for something else (Windows/Linux PC) or try OPNsense, Untangle, Sophos... until you find what you are looking for.

 

[Christos]

"Max" config (128 GB M.2 NVMe) or would the Base config (16 GB eMMC) be sufficient?

/var and /tmp folders can be moved with one click to tmpfs, that lives on RAM, so you have all the speed you need when you need it. Also, 4100 has M.2 slots to add storage later.

 

[jasonreg]

I believe you can get a mini-PC for less and if something goes wrong with your pfSense (expectations) - reuse it for something else (Windows/Linux PC) or try OPNsense, Untangle, Sophos... until you find what you are looking for.

Well, the mini-PC option is interesting. A few options considering the desire for 2.5GB Ports. I am looking at the Protectli Vault FW4C vs Netgate 4100/6100. Certainly the Vault is cheaper - by about $250'ish over the 4100. Weighing pros/cons about the Protectli unit (not really interested in the other cheaper Quotom et al options). Also get pfsense+ with the Netgate options over the pfsense CE with the vault. Neat little unit though.

 

[Christos]

pfsense+ is free for use at home.

 

[jasonreg]

pfsense+ is free for use at home.

Hi @Christos - absolutely correct. My point is they seem to be "slightly" different versions of pfsense and I see many online comments about whether or not they will diverge in development going forward. I fond it interesting that you cannot load pfsense+ directly (on a non Netgate device) - you need to load the latest pfsense CE version, then you can upgrade to pfsense+.

 

[Christos]

whether or not they will diverge in development going forward

pfsense+ has more features than CE.
For example, they introduced boot environments where you can take a snapshot of the router's filesystem and then pfsense can restore itself to the point when the snapshot was taken. Then you can make a change that breaks the firewall or it may gets hacked and compromised, and then with a simple reboot it goes back to the clean state when the snapshot was taken.

 

[Samir]

I've watched the Cisco rv series since their very first rv016. While these are great units for when I used them, they are now dwarfed by what can be had in used or openbox enterprise gear from companies like fortigate. It's night and day. I'll never go back to the rv series or any other smb router.

 

[jasonreg]

For anyone tracking this thread - I thought I would point out a relevant discussion on the Cisco forums where CoreyP319 who identifies as a Cisco employee says:

Hello all,

There is currently no CBR in development at this time, there are decisions being made by management regarding this line. As far as I have heard, the recommendation is to go with Meraki Go. I know that wont be helpful to all use cases. I'd love to see a multi-gig product here though.

Not much help from Cisco.

 

[Christos]

The new Meraki Go has 500 Mbps firewall throughput