router for home network update

[lifespeed]

It is finally time to updgrade my old Draytek 2130 wired router. It served admirably for nearly 10 years, and can maintain 700Mbit hardware NAT throughput to WAN on my 1Gb Comcast internet, but it is showing it's age with slow VPN encryption and old VPN security standards. And I guess my new router should handle 1Gbit WAN, just because.

The rest of my network consists of a Netgear GS716Tv3 managed "Layer 3 lite" switch, and an Artemis APA1300M 2X2 MU-MIMO wave 1 wireless access point of modest performance. While I do see an approaching need for 10Gbit ethernet capability to support my RAID HTPC/NAS, and a future 802.11ax 8X8 MU-MIMO ceiling access point when both 10Gbit ethernet and 802.11ax become mature, I won't replace these pieces of the network today due to lack of technology maturity, although probably in a year I can upgrade.

On this network I run three SiliconDust TV tuners, a media server, a few laptops, a desktop PC, a VoIP phone, smartphones and tablets, and security cameras. All the screens can stream up to UHD media from the RAID HTPC/NAS, so high bandwidth usage does occur.

I would like to replace the router now. It might be nice if it offered SFP up/down links for future proofing, but really that might be imposing an unnecessary requirement. I think it could be a few years before anything faster than a hybrid fiber/coax network is available at my home, and truth be told 1Gbit down is pretty good. Although 40Mbit up is kind of weak . . .

So I don't want to over-specify the router, which probably means I don't really need more than 1Gbit support, even though SFP to the downstream switch might be kind of cool. And for my Netgear CM1000 cable modem upstream I could use SFP-to-1Gb-ethernet adapter.

So how much hardware horsepower do I need to support my routing needs, as well as VPN encryption? I do use remote desktop and other VPN applications, so I value encryption performance - this will rule out the cheapest routers I think. A 1U rackmount form factor would be nice, although not a necessary requirement. I would like to keep power consumption reasonable as well. I think a modern piece of gear can support both VPN performance and low power, only consuming power when it is working hard.

Perhaps one of the more important choices is router OS and vendor: PFsense, Ubiquiti, Microtik, etc. They all have pros and cons. PFsense seems a bit of science project. I have seen Ubiquiti go through many software iterations, and perhaps some general bugginess and flaky upgrade behavior. Not to sure about Microtik. And of course each software choice has hardware choices to go with it.

Any ideas? Is router SFP up/down a reasonable hardware configuration, or likely to be more trouble/expense than it is worth? Even if I don't get 10Gb WAN tomorrow, 2Gb internet is available soon, and wireless access points are already exceeding 1Gb.

 

[messerchmidt]

Mikrotik switch with 10gbe spfs. Or used ebay one (www.servethehome.com for more info). For a router, i would build my own pfsense box. Again, old pc or used one with intel lan cards. Using a ryzen 3200g with 16gb,120gb ssd, dual. Intel lan as my pfsense box. Got pi hole running on a pi 3.

 

[messerchmidt]

New switch: https://www.servethehome.com/turbocharge-the-quanta-lb6m-with-brocade-turboiron/

 

[messerchmidt]

Pfsense on the cheap. https://www.servethehome.com/hp-t620-plus-thin-client-and-firewall-vpn-appliance/

 

[lifespeed]

Thanks for the tips on 10Gb SFP switches, and an older PFSense thin client. Given the state of flux of 10Gbase-T switches, which is likely what I'll need to connect two desktops and a wireless access point, I think the switch upgrade won't be the subject for today's new hardware.

I have a 1U rackmount chassis I can put the appropriate hardware in for a router if that is the right approach. I'm pretty sure I need the new Intel AES instruction capability for my VPN needs (PFsense approach), so not sure looking at old thinclients to repurpose for a router is the right answer. An intel processor that handles encryption, yet can run at low power under light loads would probably be ideal for the PFSense approach. And possibly could handle 2 ports of 1Gbase-T or 10Gbase-T for router duty, with a separate switch as the upgrade path progresses.

 

[Trip]

For 1Gb of NAT you want a box at least capable of doing 2Gb/s aggregate (for 1Gb full duplex up+down at any given moment). Also, how much VPN bandwidth would you want/need when doing a VPN server/client on the box? Full line rate? Maybe half? Other? That will largely determine whether you can opt for a lower-cost/lower-power MIPS or ARM box like an EdgeRouter, Mikrotik RB3011/4011 or Cisco RV series, or whether you may just want to go straight to x86 hardware and do something like an i5 or i7 embedded appliance or SFF PC with a multi-port NIC. The nice thing about x86 is you can choose to run whatever distro gives you the feature set you want (pfSense, OpenWRT, Untangle, Sophos Community, RouterOS, etc. etc. etc.).

Low-end spend on this will probably need to be $100-150 for a MIPS or ARM solution, and on the higher-end for x86 or Tile, probably $300-$600.

 

[lifespeed]

For 1Gb of NAT you want a box at least capable of doing 2Gb/s aggregate (for 1Gb full duplex up+down at any given moment). Also, how much VPN bandwidth would you want/need when doing a VPN server/client on the box? Full line rate? Maybe half? Other? That will largely determine whether you can opt for a lower-cost/lower-power MIPS or ARM box like an EdgeRouter, Mikrotik RB3011/4011 or Cisco RV series, or whether you may just want to go straight to x86 hardware and do something like an i5 or i7 embedded appliance or SFF PC with a multi-port NIC. The nice thing about x86 is you can choose to run whatever distro gives you the feature set you want (pfSense, OpenWRT, Untangle, Sophos Community, RouterOS, etc. etc. etc.).

Low-end spend on this will probably need to be $100-150 for a MIPS or ARM solution, and on the higher-end for x86 or Tile, probably $300-$600.

I'm pretty sure I don't need the full 1Gb WAN rate for VPN, probably 300Mbps would be fine. I'm thinking of just going straight to an X86 1U Supermicro X10SDV-4C+-TP4F-O D-1518 Xeon with 2 each 10Gb SFP+. This is presuming SFP+ makes sense for the two relevant connections; switch uplink and cable modem (adapted to 1Gbase-T for now), which are all located in the same equipment rack. The switch will need to distribute 10Gbase-T over CAT6A to an access point, server PC, and home office with a small switch and PC.

 

[Trip]

Not a bad strategy. Also, depending how much additional wifi capacity you want to build out and how soon you want to do it, you might want to think about multi-gig (in the interim between now and when 10gb-capable APs arrive, which won't be for some time). Something like an MS510TXPP might serve you well as an interim core switch for such a purpose.

 

[coxhaus]

I guess know 1U are pretty loud. I would not want one in my house.

 

[Trip]

I guess know 1U are pretty loud. I would not want one in my house.

Not necessarily. Many case fans (Supermicro included) can be replaced with Noctua equivalents, or similar, which are whisper quite while delivering almost as much or equal air flow. Additionally, there are also a growing amount of passively-cooled options, such as the Mikrotik CCR1009-7G-1C-1S+PC. So the noise factor is not as black and white as it once was for 1U gear. Heat, on the other hand, may still be an issue, depending on where and how the hardware is deployed.

 

[coxhaus]

Not necessarily. Many case fans (Supermicro included) can be replaced with Noctua equivalents, or similar, which are whisper quite while delivering almost as much or equal air flow. Additionally, there are also a growing amount of passively-cooled options, such as the Mikrotik CCR1009-7G-1C-1S+PC. So the noise factor is not as black and white as it once was for 1U gear. Heat, on the other hand, may still be an issue, depending on where and how the hardware is deployed.

It is hard for me to imagine Xeons can be cooled without loud fans but maybe times have changed. I ran four 3U Supermicro cases so to keep the noise down vs 1U as the 3U fans were much quieter than 1U fans. And yes I had to run a separate Window AC unit to cool my server room independent of my central AC.

 

[Trip]

Xeons, especially the embedded Xeon D stuff, have improved a lot in the power draw and heat departments over the last few years, so the requirements to cool them, even in 1U form factors, have lessened a fair amount.

 

[lifespeed]

I moved all my equipment to a rack in a ventilated closet, so noise matters less than when it was in the living room. But it still matters, will use quiet fans.

 

[lifespeed]

Not a bad strategy. Also, depending how much additional wifi capacity you want to build out and how soon you want to do it, you might want to think about multi-gig (in the interim between now and when 10gb-capable APs arrive, which won't be for some time). Something like an MS510TXPP might serve you well as an interim core switch for such a purpose.

Part of the 10G SFP+ and 10Gbase-T motivation is supporting my next wireless access point. Often these are 2.5Gbase-T or 5Gbase-T. Apparently it is uncommon for 10Gb copper switch ports to support the intermediate 2.5Gb and 5Gbase-T (Nbase-T) speeds? Still early days in 10Gb networking, I bet most 802.11ax access points are only uplinked at 1Gb in actual installations today.