Router/Firewall home lab build for my dumb ISP very picky rules

Might seem a bit of stupid thing to post another thread about a topic just discussed and sorry for the inconvenience, but here I am.

So. A bit of background. I live in a country that has some of the best Internet plans. High speed for dirt cheap. But nothing in this world is milk and honey, isn’t it? So here we go…

Right now, for equivalent of $6 you get 500Mbps mirrored, for $8 1Gbps mirrored, and now the new sauce, for $9 you get 2.5Gbps mirrored but is not guaranteed, they say that you will get minimum of 1G up and down, and the big boy stuff, for $10 you get 10G mirrored, but really max you will get 8 down and 7 up, mostly 7 down and 6 up and guaranteed 1up and 1 down. Nothing troublesome until this point,right? Here comes the kicker.

The over taughtful dudes that call the shots, still want to use PPPoE and they somewhat software locked the network such as, you need to use their equipment, otherwise the distribution switch won’t provide internet connection. So yeah, bridge mode for the win because I want some nice functionalities like VPN, DNS filter, etc.

The question for the honorable persons that are gonna see this thread is: What should I use as hardware and software for this bloody router if I wanna go 10G? Most of the internet people say that pfsense is not the thing for 10G (BSD reasons), Linus from LTT say that Xeon D does get 10G in pfsense but that seems to much $ for a home lab, I’m not familiar with vyOS to go enterprise way. Some suggested switch with routing capabilities, but in my limited logic and non existing experience with those, I think PPPoE will kinda kill it.

At this moment, double NAT-ing seems the way to go, but I want other opinions. What do you say?

P.S. Sorry for the eventual wrong spelling.
P.P.S. I’m a home lab fan boy with not so much experience and I’m willing to crunch my brain to get what I want, but, please, take me easy.

I’m thinking an old ryzen (3600 or something), and a dual port intel x550-t2 (that you can get from ebay).

What’s your budget?

(I’m assuming you’d go for 10Gbps, because why not - for 2 coffees a month)

1 Like

There you go; I corrected spelling and grammar. I was going to suggest looking into Netgates other product solutions, but then I remembered @CronosMade said he had minimal networking experience, so that might be a little advance for him. He is also willing to crunch his brain to get what he wants. They offer a limited free trial of their other product offering, but you have to contact them to enquire about it. I haven’t personally used it because pfsense fulfills all my needs, and the product is a software Router without a firewall. Also, TNSR only has a command line interface, unlike Pfsense, which has both a web interface and a command line. Finally, TNSR isn’t open source, unlike Pfsense, which is open source.

If your I.S.P. has your connection as looked down as you say, bridge Mode isn’t going to work, meaning you can’t replace the device provided by your I.S.P., so basically, you will be in a double Natted situation.
TNSR, the ten gb software router solution.

Well, first of all, yeah, I kinda YOLO it.

As a budget… it depends. Let’s say for now, something like $400-500? Might throw it aside and do it just for 1Gb, the proper way, if the budget is gonna be blown out of water. Any money that I’m not investing in this “toy” is gonna be used for other “toys” :rofl:

Thank you.

I guess that this is the reason why TNSR is not so popular, right?

I might throw it in a VM or something to see what is up with it, but I’ve searched it vs pfsense and in the netgear’s comparison the PPPoE bit is kinda missing from TNSR?

Welp, I’ve read that when the modem is in bridge mode, it does not do NAT. It might be the first site that the search engine threw my way, but they were a consulting company after all. Here it is

Sophos XGS 126
Does not do 10G over a single interface.

Not XGS then :thinking:

Well, on most firewall (-appliances) you can set No-NAT for entire networks or specific hosts.

Unrelated rant

I have the same problem, ISP keeps using PPPoE and no routers work properly other than what they provide and for some reason, Windows. I don’t understand what is wrong with their PPPoE server. I find it very hard to believe that the implementation of PPPoE on both pfSense / FreeBSD, on Linux / OpenWRT and on whatever OS Asus and Tenda were running (probably Linux) are all broken. I even lowered the MTU, but that was not the issue.

Somehow, all those routers connect to the PPPoE server, work for a while, then even if you try restarting them, they won’t connect. If you give it lots of tries you maybe can get it to reconnect. I make it work a few times, but it was mostly random. Windows PPPoE worked all the time (no wonder, because they started up connecting people’s computers directly to the internet back in the Windows XP era, they weren’t offering routers until a few years ago). And they keep pointing that if you try calling them “it works on windows, so it’s your devices.” Really? 5+ devices all are broken or have a borked PPPoE client? REALLY?

I have 1Gbps FTTH and use NAT behind NAT. I get decent speeds when they don’t throttle me. I stopped caring about that, too desensitized to care anymore. Had a whole story of their stupid router borking after I requested it be put in bridge mode. Now it’s back to NATing, but I can’t access the management interface (no credentials) and that Chinese junk can’t even reset itself to factory defaults anymore, no matter how much I try. I can’t do port-forwarding anymore on it, I’m stuck with what I have now (which is just my openvpn server).

Note that even if you get a better PC as your router, you might be limited by the PPPoE’s MTU, unless they increased the max size on their server. If you can, test their 2.5 Gbps before you buy or build a router.

I doubt you’ll do 10G no matter what you do using PPPoE on x86 but you might get away with mpd (http://mpd.sourceforge.net/) in FreeBSD if you have a reasonable fast CPU and decent NIC. You might want to ping the author about its performance characteristics unless you’re going for appliances that does PPPoE hw offloading.

There are three main reasons why TNSR isn’t as popular as Pfsense. The first reason TNSR isn’t popular is that it has only a command line interface. The Second reason TNSR isn’t popular is it doesn’t have a web interface. The third reason TNSR isn’t popular is it doesn’t have a built-in firewall.

Why would someone be interested in TNSR who uses Pfsense? There is only one reason Since TNSR is a custom Linux distro (which isn’t open source), it has better 10-gigabit routing support than FreeBSD. So my statements about TNSR are only my opinion; I haven’t contacted Netgate or done a poll to see if my statements are facts.
If you like to know more about my opinions about TNSR, just let me know, and I will edit this post and hide the details, so those who aren’t interested aren’t forced to read the whole post. I can get pretty wordy.

I have great doubts that the OP will want to pay subscriptions in such amounts for TNSR…

@TimHolus It takes me some time to craft a post @CronosMade posted his budget while I was writing my reply. If I had seen his budget, I wouldn’t have suggested TNSR.

TNSR is popular right where it is supposed to be, ie enterprise… TNSR is not very much intended for the home.

TNSR is not a typical product that categorizes itself as a firewall, it’s a vrouter software. it should be compared to Cisco IOS or Junos OS or even RouterOS, VyOS.
It is a router that should route packets as best as possible, possibly filtering with fw is a side detail.

1 Like

Yeah. That is the plan for the moment.

Welp. I don’t feel like buying a professional product is worth it for my whim to have 10G for home lab, only because I want a VPN to my home network and I don’t want the internet to be the bottleneck. ( my ISP offer free DDNS for all plans so that’s why I’m able to do the VPN part).

Well I think I can do that. It seems that their infrastructure was built with 10G in mind and basically the upgrade is a new ONT for me + some software change on their part.

That’s just sad :confused:

My bad.

Well I think I’m gonna brake the internet for a few days after I get my upgrade to 2.5G as @Biky suggested and see what I can get going with a VM/ build like @risk suggested. That should be easy on my wallet :joy: I’ll try to find best combo SW+HW for my case and if able, go for 10G.

Well, thanks everyone for your input. Maybe I’ll try to experiment with these things and do a follow up. I guess few people can have the possibility to have this kind of perfect conditions ( high speed, low price and being forced to use PPPoE ) and to experiment to get a decent homelab machine.

Just buy the strongest x86 pc you can afford and pack there pfsense / opnsense / ipfire… :slight_smile:

2 Likes