So as the title says, I’m building myself a home router and server, and I have a few questions…
But first here are the requirements:
idea is to have it all in one: router/file-media-cloud-build-(and if I think of anything else that too) Server
so definitely virtualization
silent, small footprint - it will probably be set in living room
the least possible amount of devices and cables
maybe I will update GPU so it can be used for light gaming
I want this build to be budget friendly so I will go with used parts, except for the HDD’s …
Having all that in mind this is the hardware that I think I will get:
Motherboard: micro-ATX x58
CPU: Xeon L5640 or X5650 (6c/12t)
RAM: 12GB, ECC low-powered would be great
SSD: 120GB for Hypervisor and VM’s
HDD’s: 2x3TB WD Red or Seagate IronWolf
PCI-e cards: 4xGbit Ethernet, Audio, GPU (if I use PSU from brand pc something as low powered as it can be)
Case and PSU: Dell OptiPlex 790/Fujitsu Esprimo E720 something like that, the slim version of case, with support for micro-ATX motherboard and ~300-350w PSU that I can use
Gigabit switch, Wi-Fi AP…
I’ve found these parts on local ads and everything would be ~370eur/450usd and the HDD’s (new) are like half of that, I have the SSD
Software: Proxmox, PFSense, Freenas, Plex…
Do you think that one Xeon 1366 6c/12t would be good enough for everything?
Do you think I could get something less powerful like Xeon x3440 (1156) or maybe even i3/i5 sandy/ivy-bridge?? That would be even cheaper and simpler, but with less cores …
Would you recommend any other software?
The main question: I would like to have my server and the rest of network behind the router, would it even be possible to setup hypervisor and VM’s like that, even if I manage to set it up like that it seems wrong and hypervisor is still not behind router? Should I setup router as separate device? Any other reason for separation? Even if they are two physical machines I could make them fit in one case, a little bit bigger than planned maybe, but the more I think about it seems like better idea…
What do you guys think? What would you change? Any suggestion would be appreciated, I surely didn’t think of everything…
So right off the bat my suggestion is to keep your router as a separate appliance. PFSense makes a great router/file server/etc by itself. But hassling with PCI passthrough to get network cards into the VM is such a pain and in the end you are better off getting a $250 China PC from Amazon (https://www.amazon.com/gp/aw/d/B01AJEJG1A) and using that for a router while building yourself a mid-range gaming PC or buying a Dell or iBuyPower prebuilt. With that you can run VMs on your desktop via Hyper-V (windows) or KVM/LXC while keeping your network unaffected by your PC.
It certainly is possible to run your router in a VM. Personally I don’t like to, because I don’t want my internet access to be down when I’m doing maintenance on my server.
Some people would argue it is more secure to have your firewall in a separate physical machine.
This isn’t really necessary for a router VM.
A lot of the value proposition of used office computers is that they already come with most of the parts you need. I’m not sure why you would want one just for the case/PSU. If you want to go that route, I would just get one with an i5 or i7 instead of trying to cram a Xeon in it. I’m not familiar with the Esprimo, but for the Optiplex I think you need the mini-tower form factor to get two 3.5" drive bays. It’s still pretty small, and it will give you a couple more options for a GPU.
Second the suggestion to keep server and router separate.
For a home router you can get by with something like a NUC. Seriously. You don’t need more than 1-2 cores, you don’t need more than 1 Ghz CPU. Any low end cheap CPU on a low end good brand board with 4 GB of RAM will be heaps.
Running a whole heap of software on your router just results in a much larger attack surface.
I myself am running pfsense on an Asrock Beebox with a USB nic as a second adapter for VDSL2 (yes, USB NICs are crap, but it is good enough for 75 megabit VDSL2 sync, and has been stable).
It works fine, rarely breaks a sweat. It has a dual core celeron N3000 CPU running at 1Ghz.
Well the main thing that I really need right now and that will be useful and convenient to have is a NAS, and I don’t want to buy off-the-shelf solution. I want to make it an all-round server, media center, router, and all that good stuff…
I’ve started this topic to get me going and more determined
I like the size of this thing and that it has 4 Gigabit NICs, but I would like to go with more budget friendly option. And I would avoid ordering from ebay/amazon for this, because of my location, shipping and customs can be quite high and waiting time can be really annoying.
Well is it more secure? I don’t have any experience with pfsense, yet…
I’m not saying I won’t use the rest of that PC, just not for this build
It’s just that I like the design of optiplex 790 DT and the size would be good for everything planned, at least on the server part. As for the PSU I’m hoping I’ll find the one with enough sata cables, it’s not a problem to modify it but would avoid that… I was thinking of xeon because of core count, ecc support and prices (1156/1366 xeons can be pretty cheap)
For my router needs I would probably get away with single-board arm thingy if it has at least 3 Gigabit NICs.
Good point, maybe… But more layers and complexity can also benefit in that regard if they are configured properly (it can be painful to setup and to maintain)… or is that wrong?
The same thing can be applied as for the China PC GrayBoltWolf has suggested.
I don’t have a connection that fast, and I don’t need it atm… All that horsepower, I’m planning to use for the virtualization of other stuff mentioned… I was just thinking if I can fit router in that as well it would be great from space point of view, it’s not a must, and I’ll probably make it separate…
Main justification for putting a real CPU in your router is if you have a gigabit connection and want to run a VPN client. SOHO routers can’t run OpenVPN at reasonable speeds; even fast modern ones like the Asus RT-86U top out around 300Mbps. Otherwise I agree, get a cheap enclosure with a bunch of intel NICs and an Atom CPU. Or just run a SOHO router for that matter, they work great for most usecases.
So as for the router side of things, I’m thinking of getting something like Bay Trail Celeron, that would be without a doubt powerful enough, power efficient, with PCI-e slot and it can be found pretty cheap… what do you guys think about that?
But for the switches and access points I don’t know what to look for at all, please help…
I need like 4x Gigabit port switch and Wi-Fi AP, maybe that can be all in one for two workstations and the before mentioned server and my mobile connections…
And then just one more basic WiFi AP so I can test and play around with that one … What do you think, what would you recommend?
Just some cheap stuff, Linksys SD2005 Gigabit Switch, is this any good?
Depends how many clients you’re planning to hang off your gigabit link via VPN.
To get gigabit encrypted throughput you will need a decent CPU with AES acceleration, but if you’re talking only one or a couple of clients, your limit will possibly be on the client end, or internet bandwidth between the client and your box.
Cisco ASA5506X are rated for something like 300 megabit AES encrypted throughput and they run an intel ATOM in them.
So get thoughts of things like Ryzen 5s, 7s and Intel i7s and stuff out of your head (for a dedicated router/firewall box) if you think they’re required for the throughput required. They just aren’t.
To the OP: what’s wrong in your mind with the ASUS BeeBox? It’s a brand name box, warranty, etc. Sure my sample size is one… but it has been 100% hassle free for the past 12 months in my experience, and is fanless - no moving parts. There’s nothing to screw up.
Mine has a 240 GB SSD and 8 GB of RAM in it to run a few router/network related services (squid, bandwidth reporting/packet capture analysis, etc.) - but mostly because I got those components cheap from the shop I bought it off at the time.
It’s massive overkill for a “broadband” 100Mb/40Mb connection like I have.
If you’re on gigabit you might need beefier hardware, but if you’re not… even low end CPUs have been plenty for 100 meg, even with encryption, for years.
Most upgrades at home depend on an internet connection so as said above a dedicated device for just that is best. Worst case scenario is you take down your PFSense VM to do maintenance, something goes wrong. No internet to fix the server because the PFSense VM will not spin up.
Of course there is hotspotting a cell phone etc as the backup. I tend to tinker and break stuff too much at home.
Once again I have “broadband” connection, nowhere near to 1Gbps…
I would like to have Gigabit for my Home LAN connections between workstations and home-server…
I’ve already replied to that but here…
For ASRock BeeBox I would need to spend ~250eur or I can buy cheap used Dell with i3/i5 for 4 or 5 times less than that… I think even that it is a little bit bigger, and uses a bit more power, I think DELL is a clear winner here, I don’t care about warranty, the fact that it is a brand box (even if they both are), and I’m ok with some hassle to make it working, I like that otherwise I would not choose to build my own router on budget …
Let’s go back on the switch and access point what used gear should I look for? Gigabit switch 4 or max 8 ports, AP smth. like b/g/n 150Mbps is ok…
Would it be overhead to have DoS, IDS, SPI, one more firewall on switch/ap even with those set in pfsense router as well ???
Switches are cheap, get an 8-port managed switch for $39. No reason to buy used. Even a 16 port switch only costs $100.
Same for the access point, buy something like a T-mobile branded Asus RT-AC68u for $80 new. It can be flashed to a stock RT-AC68u and then you install Merlin firmware for a ton of functionality. You’ll get great wireless performance out of this guy.
And honestly, unless you’re doing stuff that actually needs a beefier box like IDS or running a high-speed VPN client, you could basically stop there and be done, using it for firewall, routing, and NAT too. I have one myself and it handles my gigabit connection beautifully.