Using my desktop as my router?

Yeah, I’ll probably put this project on pause until I actually build my new system and just assume that–if I want to manage my network better–I’ll buy more hardware. It’s very possible that getting a new system gets rid of a lot of the inconveniences I’m having with my network–the laptop I’m using has been through a lot.

I’ll have to figure out what the budget options are (older systems, etc) locally, but if they’re close to ~$150-200 USD, I feel like I might as well get something from Netgate with their support in case I make stupid mistakes. Haha

Thanks for all the input, friends!

@DastardlyMuffin, I came very close to doing something that sounds really close to what you’re doing. I ended up using my savings to immigrate instead. Do you use 4G for your internet? A ~$30/month unlimited tablet plan from a T-Mobile reseller was working great for me while I was in the states.

1 Like

I’ll give you a reason not to do this that is likely pretty compelling:

  • What if you need/want to rebuild your desktop (or you kill it via a misapplied update or upgrade)?

Guess what? Your router goes down :smiley:, and you’ve got no internet to fix it with :smiley:

Small fanless routers that can run pfsense or similar (e.g., as suggested above, an entry level netgate) use very little power.

An SG-1000 (if you can still get one) is plenty for most home users and it would use less than 10 watts.

I’d leave routing to a minimalist device, ideally an appliance. Try to leave complex software stacks off core network devices (or in your case, don’t run it on top of a complex stack of software) to maximise reliability.

A desktop has so much software that can go sideways and break. A very cut down roll-your-own router install or even better, a network appliance OS (pfsense, OPNsense, routerOS, etc.) has a lot less to break on it.

Routing really doesn’t need a lot of cpu power and any small ARM IoT type device can likely do it in 2019.

I still have a Cisco ASA 5510 with a Pentium 4 based, single core celeron CPU (at 1.6Ghz) in it doing firewalling for several hundred users on a 100 megabit connection. A modern ARM chip will kill it for a home user.

1 Like

This is exactly why I always advocate for separating things, especially the router has to be its own thing.

1 Like

SG-1100 is a nice box. It can push about 900Mbps or a little more depending on the situation.
Of course, without snort / suricata enabled. For ids and vpn it will be able to push about 200Mb/s depending on the situation.
For a home or a small business it is ok. A little expensive but … Yes you can buy some cheaper Chinese invention based on x86 and do something similar.

Buying an old pc for this type of task is ok but … It will take a lot of power and if it is to support pf it must have 64bit cpu and AES-NI otherwise it’s a shame to waste money.

If it is to be energy-efficient, it is worth investing in something better even if the purchase cost is higher but the cost of operation will be lower and you will spend less overall in a few years.

2 Likes

It is why I linked the Qotom chinese mini-pcs, they sip power comparable to a downclocked ultrabook and have AES-NI support.

1 Like

Yeah, it makes sense @TimHolus. It would also be a lot easier to move when the time comes for that. 900Mbps or 200Mbps should definitely be fine for any network I feasibly find myself connected to in the near future. My current place only has access to 50Mbps DSL. Haha

@Novasty, the Qotom mini-pcs seem to cost about ~$180+ USD in Taiwan dollars.

The rate varies from day-to-day, but I typically do ~$30NTD = ~$1 USD to make mental math easier. That price is not too far shy of $200 USD before shipping. And some of the comments say the system can come with the wrong CPU, etc. I don’t know if the import process would be easier from China, but besides that a more recognizable/reputable brand for a similar price point seems like a better choice.

How do the CPUs in the Qotom machines stack up against the ones from the likes of Netgate, etc?

1 Like

4005u is a bit cheaper, but the 5005u may be better.

You aren’t being overcharged for a low power ARM processor that is likely weaker than an RPi4

Just looked it up, likely the same, but still excessively expensive.

1 Like

Oops, yeah, I thought you recommended the 5005 for some reason. That’s the difference of like $20. I guess, too, if I order the cheapest CPU and they send me the wrong one, I could only fail upwards. Haha

My PFsense box at idle. They do run a little hot being fanless, but I am having no issues. I stuck a USB fan blowing on the top of the box and it drops the temps from like 52C to 45C. Been using it for a good year or so already, the 5 day uptime was due to a recent power outage while I was at work and the UPS can only keep it on for so long.

1 Like

You were very lucky to get that price for an unlimited plan. Here in Washington state I’m paying $75/mo for a 4G LTE T-Mobile unlimited plan. Normally I’d be throttled to 3G speed when tethering after 15GB, but I masked my PC to look like my phone and use openvpn with strong encryption and it works like regular internet, as it should. They still have their “deprioritization” after 50GB in a month, but I’ve managed to escape the throttling by driving out to the country to a small town or rest stop if I wanna play a good game of battlefield during the day lol. I also charge my battery bank as I drive around, and have my 600watts of monocrystalline solar panels in a series-parallel configuration going to an mppt charge controller. Win win cause I get the juice to then use my PC after parking.

Right now I’ve got my OnePlus One tethered off a 5Ghz WiFi hotspot with the latest Android security patches for secure WPA2 encryption and lowest interference when in the city, and have my PC’s WiFi card set as the internet source in the pfsense VM. Pretty nifty.

Right now I’m working on using a few old Android phones of mine to set up an ipcamera configuration and have it stream to a low-powered raspberry pi running Fedora Silverblue, full encryption on a 1TB SSD with f2fs on top of LVM2 for optimal wear leveling and performance. I’ve been hit once (T-boned actually) in my van and I want to have some kind of off-grid open source security system that’s always-on and low powered for my van. I then want to take it a step further and have 2 unlimited data plans. One for a phone always in the van, and another for my phone I always have on me. I could then access my off-grid surveillance system remotely from anywhere as long as both A and B have internet access. If not, it’ll always have the local box as a fallback.

Also my van is ok. The body and frame are made of cast iron that is also reinforced by my interior wood walls, so it wasn’t much damage. They screwed me over though with their insurance company because I didn’t have footage of the accident and it was my word against theirs.

1 Like

Without trying to sound like an advert, it’s actually pretty easy to get a plan like that. I used Teltik, but you need to check which carriers will give you good coverage. Teltik is a T-Mobile reseller, which had decent coverage where I lived. When I was driving across country, there were pretty big no-service patches, but T-Mobile is one of the smaller “major” carriers. Mind you, it was a Tablet plan with no phone service or SMS–I used Google Voice for that.

Cricket is a more popular (and more expensive) reseller for AT&T, but when I used them I was pretty happy. I think their popularity has caused the big boss to crack down on them a little more. You could check out the nocontract reddit, that’s how I found Teltik.

Yeah, one thing I was trying to evaluate about mobile living in the US was how much I wanted to deal with 3G/4G latency in the event I wanted to play games. Also, I was worried about latency because I was considering just using a low power client PC and just doing “cloud gaming” on a VM. I may reconsider doing that again after I finish a few things out here, but I think it’ll depend on how 5G looks in the US. Maybe I’ll try mobile living in some random country with good 5G and low latency to cloud computing services. Haha

1 Like

Surprisingly I’ve managed to keep a solid 90-95 ping in BF4 during the day while being throttled. During the night or in the country it’s always a good 60ping. If you don’t mask your PC, the carriers have it setup to differentiate and deliberately increase the latency. Pretty lame.

Yeah that’s the main reason why I switched from MetroPCS, a T-Mobile reseller to T-Mobile. I needed the coverage and really notice the difference when travelling. I usually get LTE unless I’m in the mountains. You get what you pay for I guess.

I also use some custom APN settings I was given a while back by a T-Mobile technician who will remain anonymous. It made a big difference in latency

I’ve got a similar box that runs a Celeron N3000 at 1 Ghz (it has 8 GB of RAM and 240GB SSD because i got them super cheap :D).

It sits similarly idle running a VDSL2 connection synched at 80 megabit with Squid and a bunch of other packages running on it. And driving a second USB NIC. Ran fine for a few years before a pfsense update b0rked it (it’s on my home chores list to rebuild it when i finish playing with my home palo PA-200).

Cisco ASA 5506X run an Atom of some description (C2000 or something from memory). They’re rated to 300 megabit - doing AES from memory.

Seriously, the scummiest, cheapest brand new x86 CPU you can buy in a box will likely be fine for a home environment.

Spend your time/money looking for fanless, a small SSD (no noise/vibration, reliability, reboot speed) and dual NICs. CPU is almost irrelevant for building a SOHO router these days. Anything faster than a Pentium (and by that I mean one from 1996) is good enough unless you’re doing AES crypto or IDS. If you are, just look for something with AES acceleration (which is ~2011 onward).

Anything with AES support should be plenty fast enough at everything else for home router use.

1 Like

Had a look at those Qotom machines.

I’d buy one.

Similar to/superior to my ASrock Beebox N3000 (superior, as they have 4 NICs built in and around 4x the CPU power!), proper heat sink, etc.

Obviously made in china, but so is everything else…

CPU wise any of them will be total overkill.

@zevc for 50Mbps you could probably get by with a raspberry pi or some rpi clone/equivalent and just install raspbian/debian or whatever ssh-able Linux on it. That way you get to avoid the whole VM mess, totally worth the $50 you’re likely to spend on it.

Next best thing in terms of user experience would be an Intel nuc / ASRock beebox / qotom this and that kind of thing.

Because you need a case/power supply/network hardware/ram… an i3 option is usually not much more expensive from those Jxxxx or nxxxx celerons and oh so worth it. But for 250/300 you might as well build a headless ryzen3 if you have the space at home. R3 would be good for 10Gbps routing, gigabit VPN-ing easily, minimal power use, can double as a nas for backups, … but takes up space.

2 Likes

@risk my main reservation about using a Pi is, they don’t have a second built-in ethernet port. I suppose there’s nothing wrong with using a USB one? Lots of people seem to do it, and it’s been recommended here.

I’ll try looking into pi router projects and see what’s what. That does seem like one of the cheapest options, and it sounds like it might be strong enough for me…

Can anyone confirm whether or not a Pi could run 50Mb/s through a VPN? If I wanted to route some traffic through one server and other traffic through another, would that bog its processor down too much?

I’ve been using an Apple 100 Mb USB ethernet adapter with pfsense on a 1 Ghz celeron N3000 for years. In theory they take CPU to drive, and that’s bad, but the machine i got only has one nic and i had that spare… and there’s so much CPU on any modern machine that driving USB at 100 megabit doesn’t even register.

I’m not sure if Raspberry Pi do AES acceleration or not (most modern CPUs however, DO). If they can, 50 Mb should be easy. If they don’t… 50 Mb is still probably possible (but check).

CPUs these days, even ultra low power stuff in phones are so much more powerful than even high end enterprise routing gear from a decade ago…

1 Like

Maybe of interest re: raspberry pi aes

https://www.raspberrypi.org/forums/viewtopic.php?t=141566

Seems that a pi 3 can do 380 megabit AES (on his recompiled openSSL) if i am reading this dude’s numbers properly (maybe i’m not. but even if i’m out by a factor of 10… we’re pretty close there).

That said

I’d go x86 machine for simple pfsense support. Unless you’re looking for a project to hack on recompiling stuff and messing with compiler flags and other shit… x86 will be much easier from the software side.

2 Likes
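Several posts above make AES acceleration the one CPU feature worth checking before buying a router box. The script below is an added example, not code from anyone in the thread: it reads Linux cpuinfo-format text (for instance from a live USB booted on the candidate machine, which is an assumption about how you would test it) and reports whether the CPU advertises AES and x86 64-bit support. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a CPU advertises AES acceleration.
# x86 lists "aes" (AES-NI) on its "flags" line; ARMv8 lists "aes" on its
# "Features" line when the crypto extensions are present.

# cpu_has_flag FLAG < cpuinfo-text
# Succeeds only if FLAG is a whole word on a flags/Features line, so a
# longer name that merely contains "aes" is not counted.
cpu_has_flag() {
    awk -v want="$1" -F: '
        $1 ~ /^(flags|Features)[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# router_cpu_report [FILE]   ("-" reads stdin; default /proc/cpuinfo)
# "lm" (long mode) is the x86 flag that marks a 64-bit capable CPU.
router_cpu_report() (
    info=$(cat "${1:-/proc/cpuinfo}")
    aes=no; x64=no
    printf '%s\n' "$info" | cpu_has_flag aes && aes=yes
    printf '%s\n' "$info" | cpu_has_flag lm && x64=yes
    echo "aes=$aes x86_64=$x64"
)

# Constructed sample lines, not captured from real machines.
SAMPLE_X86_AESNI='flags : fpu tsc msr pae lm sse4_2 aes avx'
SAMPLE_X86_NO_AES='flags : fpu tsc msr pae lm ssse3'
SAMPLE_ARM_CRYPTO='Features : fp asimd evtstrm aes pmull sha1 sha2 crc32'
SAMPLE_ARM_NO_CRYPTO='Features : fp asimd evtstrm crc32 cpuid'

for s in "$SAMPLE_X86_AESNI" "$SAMPLE_X86_NO_AES" \
         "$SAMPLE_ARM_CRYPTO" "$SAMPLE_ARM_NO_CRYPTO"; do
    printf '%s\n' "$s" | router_cpu_report -
done
```

On a real Linux system, `router_cpu_report` with no argument reads `/proc/cpuinfo` directly.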

I feel like buying a Pi first and trying is pretty low risk. The worst case scenario, I have a toy that maybe encourages me to learn more about computers. Or just turn into an emulator box or something.

For routing, specifically, does the amount of RAM I have matter? (With the Pi 4, my choices are 1GB, 2GB, or 4GB.)

Routing - assuming you’re just doing home user static route stuff, 1 GB (or with a spin of Net/Free/OpenBSD CLI only, even 256 MB) would be plenty.

If you think you might use the Pi for something else, i’d worry more about that “something else” as far as RAM is concerned. 1GB is more RAM than a lot of routers doing routing protocols like OSPF and EIGRP have. My Cisco ASA originally shipped with 256 MB (since been upgraded to 1 GB though).

About the only place RAM matters for routing is if you’re doing internet BGP routing table, and you won’t be :smiley:

I’d look at the pfsense suggestions and go with that amount though - if you want to do IDS, stats, etc. you may want more.

1 Like