(DIY) School Router / School Filter

Hey guys,

I just started a job in a school here in Germany (so apologies in advance if I translate something wrong). One of my first tasks was to get a so-called "Time for Kids School Router" (I attached a picture of its insides), which is a (rackmounted) router / filter customised for use in schools, back up and running, because it had some problems with the HDD and it is constantly running at 58 °C CPU temp at idle. I was planning to replace the HDD with a NAS SSD. It was purchased in 2014, so its components are a bit old too. It has an Intel Atom D525 (2 cores at 1.8 GHz), 2 GB of DDR2 RAM (upgradable to 4 GB) and a total of 4 Gigabit networking ports at the back.

I was wondering whether this performance is still suitable for a school router in 2020. I remembered that you can build your own router with pfsense. So my questions are the following:

  • Can I do the same things with a DIY pfSense router (filtering, logging, etc.) as with this old system?
  • Are the components of this old machine enough for our use, or what would be suitable specs for a DIY school router if I were to build one now? We have plenty of room in our network cabinet, so it can take up to 4U.
  • Does it make any difference if I put a 10 Gig NIC in a DIY router?

For context: our school has 700+ students and 6 iPad "boxes" with 15-16 iPads each for use in classrooms (web searching, watching tutorial videos on YouTube, …). WLAN APs are installed in the buildings (mostly Ubiquiti AP AC Lite). Students are not allowed to log in to the WLAN with their own devices; only teachers (50+) have the password to the WLAN, so they can use it with their own devices. We have 2 buildings (both with classrooms; the router is connected to a DSL modem in the main building) which are connected with several fibre optic cables, and the cabling in the walls is Cat. 7. It is also planned that we will get fibre optic internet this fall.

Thanks for your input in advance.


What's their ISP speed?

You could also run an iperf through it to see what kind of speed it is capable of (not going to match the real world exactly, due to handling way more unique streams).

If you’re going to have filtering with full gigabit internet then that won’t be enough processing power.


If it's packet inspection, definitely not; with just a blacklist, maybe, but it would still be rough, I would guess.

Too slow for any sort of advanced filtering like IPS/DPI and very likely too slow to route 10Gb.

It makes no sense to fix up that ancient D525 now.

Something like this would make a good router / basic schools server: https://geizhals.eu/?cat=WL-1665267 .

You can either use pfsense or just write some docs / instructions on how you have it set up … maybe make a pair of them.

I suspect you already have some hardware other than the d525, where’s the ubiquiti Unifi controller running?

It all depends on your budget. I would never recommend a regular desktop PC CPU as a router for anything larger than 25 users, simply because it will struggle without hardware accelerated routing.

That said, buy a four port PCIe firewall expansion card, and you will have access to a really great packet filtering pusher. The CPU might as well be a potato, it does not really matter in this case.

Source on 25 user statement? Pretty sure pfsense OEM boxes aren’t anything special.


It's a small school (e.g. not even 10k normie people), and likely with a tiny set of routes … a 6-core/12-thread will push a few gigabit of IMIX fine.

There might be some sort of half-truth there when you consider that some of these people might be working from home via VPN. In that case AES-NI would be a very nice thing to have for that kind of overhead, but it might still struggle if you had a lot of users trying to use that.

This is easily solved with a dedicated VPN appliance behind the firewall of course. Which I would assume OP might be using in the form of RRAS on Windows Server.

At the school I visited until 2016, we had that thing. It made sieves look like a bucket…

IMO better to “overkill” (within reason) now than have an overloaded box later. Buy a ready box with warranty so when stuff breaks point at the contract and be done with it.

I would also NOT do any DIY except for maybe a fan shroud for the existing box.

pfSense, Ubiquiti and MikroTik all (pfSense being more extensive) provide options to filter based on DNS/URL or do DPI (which, depending on throughput, may be rather demanding of the system).


Maybe, but unlikely. AES-NI on Ryzen should get you anywhere between 1 and 3 GB/s per thread. This won't translate directly to network performance; worth a test, I guess.

Yeah I think a desktop CPU would be fine here but some of those lower power deals like netgate sells might be lacking depending on how they use it.

The CPU in a pfSense box isn't anything special, this is completely, 100% true. But to get any sort of real speed in there, you pretty much need a dedicated ASIC or FPGA chip. A general-purpose CPU will not be nearly fast enough to do packet filtering at 1 Gbps for more than a few connections at a time. Chances are your $50 home consumer gigabit router will be faster than a Ryzen 5 3600 at this specific task.

Ryzen 3600 is a good CPU don’t get me wrong, it’s just that it is not very good at switching packets compared to ASICs, just like it is not very good at pushing pixels to your screen.

Routing 1 Gbps of ~1500 B packets on a 5 W Celeron J3455 with NAT and roughly 20 firewall rules, with a Realtek chip on one side and an el cheapo USB3 gigabit adapter on the other side, leaves about 85% of my CPU idle. (This is a horrible CPU for a lot of use cases, btw… I needed a small x86 router back when I lived in an apartment and had no space for a small rack.)

In this case we’re not talking about 20year old geode CPUs that Cisco chooses to use in their not yet eol Cisco ASA 5505, or the anemic Avoton CPUs you’d find as main CPUs running the os in your (not-so-)modern big name vendor switches whose sole purpose in life is to twiddle a few registers of asics (which btw is what netgate pfsense boxes use).

10 Gbps is very much on the low end of what modern CPUs do in software (assuming you don't have horribly buggy drivers or network stack, which is why I prefer Linux to pfSense and pfSense users swear by Intel NICs).
Grab the latest Debian minimal image and a pair of 40 Gbps QSFP+ NICs and DAC cables off of eBay and hook them up to a pair of "gaming machines" to give them a spin. You'll be pleasantly surprised (or possibly freaked out, if you work in low-end corporate IT where you pay tons of cash for big router company contracts).

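The iperf test suggested earlier in the thread (and the "give them a spin" test just above) is easy to get wrong with a single stream, because one fat TCP flow tells you nothing about how the router copes with many concurrent connections. Below is an added example, not code from the original thread or from any of the products mentioned, that sweeps the number of parallel iperf3 streams through a router and pulls throughput and retransmits out of iperf3's JSON output. It assumes iperf3 is installed on a client on one side of the router and an `iperf3 -s` server is listening on the other; the server address and stream counts are placeholders, and the embedded JSON is a constructed sample so the parser can be exercised offline.

```python
"""Sweep iperf3 parallel-stream counts through a router and summarise throughput.

Assumptions (not from the forum thread): iperf3 is installed on a client on one
side of the router and an `iperf3 -s` server is listening on the other side.
The JSON layout parsed below is iperf3's `-J` output (end.sum_sent /
end.sum_received); the sample at the bottom is constructed, not a real run.
"""
import json
import subprocess
from typing import Dict, List


def iperf3_cmd(server: str, streams: int, seconds: int = 10, reverse: bool = False) -> List[str]:
    """Build the iperf3 client command line.

    -P opens `streams` parallel TCP connections, so the router has to track
    several flows at once instead of one fat transfer; -R measures the
    download direction (server -> client) instead of upload."""
    cmd = ["iperf3", "-c", server, "-P", str(streams), "-t", str(seconds), "-J"]
    if reverse:
        cmd.append("-R")
    return cmd


def parse_iperf3_summary(json_text: str) -> Dict[str, float]:
    """Pull the end-of-run totals out of iperf3 -J output.

    Returns Mbit/s for sender and receiver plus the total TCP retransmits.
    A rising retransmit count as the stream count grows is the first sign
    that the router (or a link behind it) is dropping packets under load."""
    data = json.loads(json_text)
    if "error" in data:
        raise RuntimeError(f"iperf3 reported: {data['error']}")
    end = data["end"]
    sent = end["sum_sent"]
    recv = end["sum_received"]
    return {
        "sent_mbps": sent["bits_per_second"] / 1e6,
        "received_mbps": recv["bits_per_second"] / 1e6,
        "retransmits": float(sent.get("retransmits", 0)),
    }


def run_sweep(server: str, stream_counts=(1, 8, 32, 128), seconds: int = 10) -> List[Dict[str, float]]:
    """Run iperf3 once per stream count and collect the summaries."""
    results = []
    for n in stream_counts:
        proc = subprocess.run(iperf3_cmd(server, n, seconds),
                              capture_output=True, text=True, check=False)
        summary = parse_iperf3_summary(proc.stdout)
        summary["streams"] = float(n)
        results.append(summary)
    return results


# Constructed sample of iperf3 -J output, trimmed to the fields used above
# (roughly what a saturated gigabit link with a few retransmits looks like).
SAMPLE_JSON = json.dumps({
    "end": {
        "sum_sent": {"bytes": 1175000000, "bits_per_second": 940000000.0, "retransmits": 12},
        "sum_received": {"bytes": 1172000000, "bits_per_second": 937600000.0},
    }
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 sweep.py 192.0.2.10   (server IP is a placeholder)
        for row in run_sweep(sys.argv[1]):
            print(f"{int(row['streams']):4d} streams: {row['received_mbps']:8.1f} Mbit/s received, "
                  f"{int(row['retransmits'])} retransmits")
    else:
        print(parse_iperf3_summary(SAMPLE_JSON))
```

Run it with the client and server on opposite sides of the router (different VLANs or interfaces), once in each direction, and watch the received rate and retransmit count as the stream count climbs; if throughput holds up at 128 streams with few retransmits and the router's CPU is still mostly idle, the box is not the bottleneck for plain routing and NAT. Enabling DPI or a blocklist and re-running the same sweep shows what that filtering costs.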

Yeah, but how much traffic are you really routing? Or to put it another way… How often is that line saturated?

This is exponential growth we're talking about. Your setup is fine for a SOHO or household operation, not hundreds of concurrent users that need to filter and traffic-shape dozens of ongoing connections all the time.

Please, do yourself a favor and read up on network processor units (NPUs), because what you just said is pretty much the equivalent of “Of course the integrated graphics of an Ivy Bridge Processor is capable of delivering 144Hz 4k gaming!”

Incidentally, this point is pretty moot if you put in a slightly more expensive 4-NIC network card with built in switch core, like this one.

About a gigabit of mostly 1500-byte packets. It can do that whenever; it does that every time I move data between my Samba server and my Windows box (sitting on different VLANs).

I'm not suggesting that weak J3455, but was giving it as an example of a super weak CPU that can probably deal with a gig of casual browsing, YouTubing and torrenting without looking inside the packets too closely; clock per clock, an old Sandy Bridge might be faster.

Again, I’m not dismissing fancy programmable network cards either, they’re invaluable at high speeds, but they’re not cost effective and they’re a pain to use, not worth it for small volumes under 40Gbps IMHO probably. Definitely not under 10Gbps.


Really just depends on how much extra crap you're trying to get your router to do; that's why his 25 users comment is toxic. (A lot of routing can be pushed off to the layer 2/3 switches as well.)

You obviously did not understand the question. I own a $10 switch that can do the exact same thing and cost a whole lot less. It's not a matter of how much throughput you have, but how different each packet is.

Any potato can route a single one gig 2 terabyte file transfer these days. But the OP mentioned this:

I read that as “minimum 60 simultaneous users up to 175-200 total users”. So your CPU will need to keep track of the state of 400-500 active connections at any one time, with peaks at 2000 active connections.

I could be wrong here, because I haven’t been experimenting with this in like five years, but last I checked the throughput of CPU-bound firewall routing bottlenecked at around 80 simultaneous connections on a quad-core, and the growth was exponential meaning you required twice the CPU power for 10 more connections, quadruple for 20, and so on. Maybe it could handle 160 filtered channels today, but even then, your QoS will suffer.

Dedicated hardware NIC cards have a lot more parallel channels and use some early filtering tricks and white/blacklists to quickly identify ongoing sessions, which is how they manage to run packets so fast.

Switching is not routing, I am not aware of any $10 switch that is layer 3.

Can go in a pfSense box so your consumer CPU can offload some work. (Onboard NICs are generally bad; there are boards that have good ones, though.)