Looking for a Router/Firewall

I have recently purchased the following for my home network:

Now, I’m looking for a suitable router or firewall to manage my network (VLANs). Given that I already have a 24-port switch, I do not need a router/firewall with many ports and two should suffice, but I’m still wondering what will best suit my needs. (If I do end up purchasing a firewall I will end up playing around with various things like IDS, however I also don’t intend to build something beefy just for me to have fun^^)

Currently, I have been looking into the following devices:

Anyway, if someone here has more experience or any good idea it would be more than welcome. Personally, I don’t want to spend too much and my upper limit is around the 250-300$ mark.

Thanks!

1 Like

I would go with an old office PC as your router hardware (~50-100 USD) and get a used quad-port NIC pulled from a server for around 10 USD. For example Dell Broadcom 5719 1Gb PCIe x4 Quad Port

The reason I would go with a small desktop PC instead of an all-in-one is upgradability. You can later down the road get one of the Mellanox fiber 10 gigabit NICs.

3 Likes

You mean something like this?

Maybe not something quite as old, but basically yeah. I think this one has a shorter PCIe space, so ideally you would want to buy a NIC that has a matching bracket. Also, try limiting your search to your local city. Often people have free local pickup; delivery fees are expensive.

Another thing to look for is support of Intel® AES-NI on the CPU. I think pfSense requires it now. Based on a quick Google search, second-gen Intel does have it.

If you want, you can also buy a used Xeon processor (10-30 bucks). Most of the time they are compatible with the respective socket on the consumer motherboard.

You will however lose the iGPU that you get from a consumer-based CPU, so you will need an external video card if you want to change settings, but generally the PC will boot without any graphics card at all.

3 Likes

I like the R4S, it’s nice and compact and low energy, but not nearly as speedy as that 10-year-old Core i3 (e.g. if you wanted to do SSL bumping and use Suricata the i3 might just be barely good enough?)

3 Likes

It was a loose, slightly playful and strongly sarcastic suggestion. :smiley:
The OP did not say exactly how much power he needs; it is obvious that the R4S hardly has it. :slight_smile:

Perhaps something of this …

But if power is needed, a large box with a strong CPU is indispensable. :slight_smile:

4 Likes

Those boxes are great for tiny servers, but the lack of a second Ethernet port and PCIe makes them a bit less useful for a router. I would personally not rely on USB Ethernet for a permanent setup.

However, if the OP’s internet is not super fast it should be possible to split that single NIC for WAN and LAN using VLANs on the smart switch that they already have, but for the price I would just go for something with two NICs.

3 Likes
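The single-NIC option described above (one trunk port from the managed switch carrying a WAN VLAN and a LAN VLAN, the firewall routing between them) as an added example, not code from the thread or from pfSense/OPNsense: it uses Linux iproute2 and nftables instead of FreeBSD, and the interface name, VLAN ids and LAN address are assumptions. With DRY_RUN=1 it prints what it would do, so it can be read without root.

```shell
#!/bin/sh
# Router-on-a-stick: one physical NIC ($TRUNK) receives two tagged VLANs from the
# managed switch. VLAN 10 = WAN (ISP hand-off port on the switch), VLAN 20 = LAN.
# Constructed example; names, ids and addresses are assumptions.
TRUNK="${TRUNK:-eth0}"
WAN_VID=10
LAN_VID=20
LAN_CIDR="192.168.20.1/24"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the two VLAN sub-interfaces on the trunk and enable forwarding.
# The WAN sub-interface would normally get its address from a DHCP client (not shown).
setup_vlans() {
  run ip link set "$TRUNK" up
  run ip link add link "$TRUNK" name "$TRUNK.$WAN_VID" type vlan id "$WAN_VID"
  run ip link add link "$TRUNK" name "$TRUNK.$LAN_VID" type vlan id "$LAN_VID"
  run ip addr add "$LAN_CIDR" dev "$TRUNK.$LAN_VID"
  run ip link set "$TRUNK.$WAN_VID" up
  run ip link set "$TRUNK.$LAN_VID" up
  run sysctl -w net.ipv4.ip_forward=1
}

# Default-deny forward policy: LAN may initiate connections to WAN, WAN only
# gets return traffic. Anything the WAN side initiates is dropped.
nft_ruleset() {
  cat <<EOF
table inet router {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$TRUNK.$LAN_VID" oifname "$TRUNK.$WAN_VID" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$TRUNK.$WAN_VID" masquerade
  }
}
EOF
}

# Load the ruleset atomically, or print it when DRY_RUN=1.
apply_nft() {
  if [ "${DRY_RUN:-0}" = "1" ]; then nft_ruleset; else nft_ruleset | nft -f -; fi
}
```

On the switch side the port facing this box must be a tagged trunk for both VLANs, while the ISP port is an untagged member of VLAN 10 only, so the modem never sees LAN frames.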

I agree.
I’m just throwing against the wall to see what sticks. :slight_smile:

Instead of gpu a network… :wink:

1 Like

If you don’t want to mess around too much, get the Netgate. It’s not the best “bang for the buck” ratio but it does work and will most likely do fine for your network. What you should be aware of when getting “old” hardware is known hardware vulnerabilities (there are a lot in later generations of x86) which you may or may not care about. If you can stand a bit of tinkering, the RockPro64 running FreeBSD and a dual-port Intel PCIe NIC can be a good tradeoff that doesn’t break the bank and good exercise in general.

4 Likes

Are you talking about Intel ME stuff? Wouldn’t that only be an issue when using the built-in NIC?

1 Like

Transient execution CPU vulnerability - Wikipedia (this is not complete)

1 Like

getting “old” hardware is known hardware vulnerabilities (there are a lot in later generations of x86)

Let’s drop the buggy x86 and all go to POWER9 hihi :slight_smile: :crazy_face:

2 Likes

Correct me if I am wrong, but isn’t that stuff exploited by having execution permission on the system? So routing packets should be safe in theory.

4 Likes

This is what I used for a while as a pfSense appliance until I went rackmount. Never had any problems with it and it is cheap enough that if you want to eventually go 10Gb you aren’t going to feel like you wasted your money.

3 Likes

By design it isn’t; see 'CVS: cvs.openbsd.org: src' - MARC for example.

1 Like

Alternatively to OPNsense or pfSense, you could also try Sophos Home. If nothing else, it is a different experience.
Hardware wise, maybe you can get a small industrial PC (like a Shuttle DS10U3).

1 Like

Yeah, that’s definitely something to keep looking for.

It was an interesting suggestion and I did not really know those NanoPis before.

To also answer your question, I currently have a 100 Mbit connection but I plan to upgrade to 300 Mbit later, so the router/firewall should be able to handle the throughput. However, everything internal will be connected to the switch and as a result no internal traffic should go over the router/firewall.

Also interesting, at first glance there is the issue with the single Ethernet port but given I have a managed switch I could configure it accordingly. (Don’t know if I want to go this route though…)

Yeah, as I have said above it is an option, but not one I would like to take…

Which is very much appreciated, maybe I don’t need/want a NanoPi now, but I might remember them at an applicable time.

Spectre and Meltdown have been fun, haven’t they. Thanks for the suggestion, I will look into it.

This might be a tiny iota over the specified budget though…

What has also come to my attention are the following two UniFi solutions:

  • EdgeRouterX → this would be a very low cost solution, but it would not be a firewall
  • DreamRouter → This would have the benefit of everything being manageable with the UniFi Console, but pfSense is probably much more powerful
  • I have perused the blog linked by @TimHolus and stumbled over a cheap firewall review. I then went ahead and searched for PCs with the mentioned chip (J4125) and found something on eBay. Currently, this seems like the best bang for the buck option…

3 Likes

When you do inter-VLAN routing/firewall/IPS/etc., then you really want >1Gbit/s throughput.

That network segmentation (which any company bigger than a lemonade stand should be doing!) is the reason why even the smallest appliances can handle multiple Gigabit per second.
At home though, if you have 2 VLANs (your network + guest Wi-Fi), you already are in the top 10% I would say :wink:

2 Likes

These are “hen’s teeth” unless you’re willing to pay scalper pricing on eBay.
I would just go with the Netgate 1100. It’s powerful enough for your connection and would be rock solid.

1 Like