Sign in to follow this  
Followers 0
neufuse

Router hardware challenge

35 posts in this topic

Here's what I am trying to do...

 

Find the fastest, yet most power efficient 1U Max height router hardware that I can install a firewall on like pfsense / m0n0wall or similar x86 or ARM based OS

 

I've looked at some of the $500+ prebuild hardware out there that run pfsense, but has anyone else come across anything that fits this criteria?

 

All I need is two 1Gbit NIC's, fast enough routing for 100Mbit internet plus the ability to run a firewall like stated above.

 

And as for low wattage, under 25 watts is what I am aiming for... my desktop Ivy bridge i7 PC runs at 38 watts on normal usage, my router shouldn't be that high also...

 

any ideas?

 

Share this post


Link to post
Share on other sites

Whoa, those look great actually. Bookmarked for future reference when i'm setting up my house from scratch Gonna have a rack installed with a 48port with VLAN tagging and just have some APs around the house! :)

 

I might like this ASUS better for the more powerful CPU but gotta plan out what I want it to do before deciding if I need that much CPU. If it's just routing then the first options will do better.

http://www.newegg.com/Product/Product.aspx?Item=N82E16816110061

More 1U barebones here:

http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N=100007727%20600012596&IsNodeId=1&name=1U%20Rackmount

1 person likes this

Share this post


Link to post
Share on other sites

You know, this past week I've been looking over ASUS' workstation and server products. They're consumer lines are always great and I may give their enterprise stuff a chance to take over where I use SuperMicro.

Share this post


Link to post
Share on other sites

Moved to Internet, Network & Security

Share this post


Link to post
Share on other sites

So what else will this be doing other than pushing 100mbit?  Are you going to be running snort on it, proxy, ntop?  Or just simple firewall/router?  How many users, more users create more states even if not using the pipe.. Your states can go way up, this eats up ram, etc.

 

You going to be doing any layer7 rules, or fancy qos?  Pushing 100mbit doesn't take much - its when you put all the fancy bells and whistles on that you need more horse power.

 

My other comment would be do not limit yourself to 2 nics -- if it doesn't come with more, make sure you can expand..  As to your link, no never heard of them myself.  Box looks nice, and like the amount of nics..  But seems a bit pricey.. You could prob build your own with the same specs for a lot lower I would think?

 

This is kind of small market so the prebuilt stuff seems to have a premium on it for some reason?

Share this post


Link to post
Share on other sites

So what else will this be doing other than pushing 100mbit?  Are you going to be running snort on it, proxy, ntop?  Or just simple firewall/router?  How many users, more users create more states even if not using the pipe.. Your states can go way up, this eats up ram, etc.

 

You going to be doing any layer7 rules, or fancy qos?  Pushing 100mbit doesn't take much - its when you put all the fancy bells and whistles on that you need more horse power.

 

My other comment would be do not limit yourself to 2 nics -- if it doesn't come with more, make sure you can expand..  As to your link, no never heard of them myself.  Box looks nice, and like the amount of nics..  But seems a bit pricey.. You could prob build your own with the same specs for a lot lower I would think?

 

This is kind of small market so the prebuilt stuff seems to have a premium on it for some reason?

right now, I just want something higher then consumer level. The 1U requirement was because I do want to mount it in my home rack. Right now my goal is just something like pfsense or monowall, and user wise it would just be a few of us at home. Not doing anything fancy, just basic home routing really. Not really planning on intrusion detection protocols or anything like that. I was thinking 4 ports on the box itself should be enough, 2 was the minimum. I already have 48 ports on my switches, every room in the house has a minimum 2 Cat6 wired RJ45 ports in the walls already.

 

Yeah it has a premium on it for prebuilt stuff... I was looking at repurposing an old barracuda box and putting a new OS like pfsense on it or something but their hardware is well primitive in terms of the processors and wattage that I can get cheap on ebay...

Share this post


Link to post
Share on other sites

Well I am with you on the pfsense choice - I can say nothing bad about it that is for sure.. Been running it for a few years.  m0n0wall would be a good choice as well if your looking for something with a smaller footprint and less bells and whistles.  I have to say that m0n0wall ipv6 works click click, while I have had some issues with pfsense and ipv6 native - works great with a tunnel like hurricane.

 

Pushing 100mbit doesn't take much - fitting it into a 1u rack as far as cases, etc is prob going to be where some of the cost is.

 

Comes down to your budget - sky is the limit you could spend whatever you want.. If you looking to keep cost low you can go different routes that may or may not fit into your 1u rack..  Have a home rack would be killer, and each room with 2 runs at cat 6 sounds fantastic.. Sweet setup it sounds like!

 

As to the consumer level comment - dude it doesn't take much to surpass that.. The soho stuff is quite often just crap - hardware wise some of it is not bad, but the firmware they put on them is just pathetic.. The problem is they try to make it for the masses that don't have clue one so they leave out all the good stuff.  I would love to see a soho native firmware that has say vlan support on the lan ports - sure many of them provide guest wireless, but how come I can not do vlan tagging on the switch ports?  What about ssh access?  Snmp support?  Openvpn server?  Captive portal? etc. etc..  Firewall with actual logs that show me what was blocked other than just gibberish that you were attacked but not tell me the actual port, etc..

 

Now not sure if my pfsense vm could push 1000mbit -- but I would have to think it could since I see 900mbit to my other nas vm..  And its running on a n40l with other vms running and only given it 512MB of ram..  I would have to do some rewire to test what it could push wan to lan doing nat with firewall, etc.  So don't think you need some highend MB with GB of ram, etc.  Look to good ethernet - your best place to ask about good hardware for a pfsense setup in 1u might be the pfsense forums.

 

If your looking to running pfsense on other type appliances boxes - there is lots of that going on on the pfsense forums, I just don't have access to other appliances to play with or would be active in that section as well.

Whatever you go with - let us know how it turns out!!!  And if you need any help with pfsense just PM me, or see you on the pfsense boards I am very active over there as well.

Share this post


Link to post
Share on other sites

cool, thanks budman.. hoping to get something put together by summer... research right now is key :)

Share this post


Link to post
Share on other sites

I know I started this thread a while ago... but today ordered a APU1C System board from Netgate.

 

PC-Engines-APU-Platform-b1.jpg

 

Low power board that has:

  • AMD T40E APU (1GHz dual core, x86 based SoC)
  • 2GB DDR-3 1066 RAM
  • 2x mini PCI express slots
  • GPIO headers, COM port
  • 3 Gigabit Ethernet ports
  • 2 USB ports

got this mainly to mess with pfsense and have a low wattage board. Basically a unit to play with.

 

My current router just got to the point I couldn't stand it anymore. So figured this is cheap at $149 for everything I need minus storage, but it has a SD card slot to put embedded images on, which pfsense supports.

 

Hopefully it will get here this week and see how it works :)

Share this post


Link to post
Share on other sites

Looks good actually, pretty good hardware for then price. When I get my new place I'll definitely be doing some of this fun stuff too!

Share this post


Link to post
Share on other sites

well this review from IPFire isn't saying great things about this board...

http://planet.ipfire.org/post/pc-engines-apu1c-a-review

 

having said that, i think this little boards are great: with better hardware one can make a fantastic router.

Share this post


Link to post
Share on other sites

well this review from IPFire isn't saying great things about this board...

http://planet.ipfire.org/post/pc-engines-apu1c-a-review

 

having said that, i think this little boards are great: with better hardware one can make a fantastic router.

 

not seeing anything "bad" in that review for a home use.

 

yes, if this was enterprise usage, I wouldn't go this route. but this is a home device, with an ISP that has a max speed of 305Mbit where I'm at, I only have a 120Mbit connection so it shouldn't be a huge hit. I am not going to be setting up VPN servers or IPsec so not having AES instructions on the APU isn't a huge deal. heat, yeah that is a bit hot, but Intel Atom chips are similar, they get hot with passive cooling, this is passively cooled by default.

 

The big plus is the thing only uses 7 Watts of power.

 

Their tests where with the IPFire software, I'm going to be using pfsense, which is a bit more optimized for this apparently.

 

And their tests where with a old BIOS firmware, PCEngines has updated their firmware a lot since then and fixed a lot of issues.

 

Hopefully this will show up this week and I can get some testing done with my setup.

Share this post


Link to post
Share on other sites

not seeing anything "bad" in that review for a home use.

 

yes, if this was enterprise usage, I wouldn't go this route. but this is a home device, with an ISP that has a max speed of 305Mbit where I'm at, I only have a 120Mbit connection so it shouldn't be a huge hit. I am not going to be setting up VPN servers or IPsec so not having AES instructions on the APU isn't a huge deal. heat, yeah that is a bit hot, but Intel Atom chips are similar, they get hot with passive cooling, this is passively cooled by default.

 

The big plus is the thing only uses 7 Watts of power.

 

Their tests where with the IPFire software, I'm going to be using pfsense, which is a bit more optimized for this apparently.

 

And their tests where with a old BIOS firmware, PCEngines has updated their firmware a lot since then and fixed a lot of issues.

 

Hopefully this will show up this week and I can get some testing done with my setup.

 

oh so it's for home usage... then i guess it's ok then. The big drawbacks that review pointed is the networking: because it doesn't have a dedicated coprocessor so it uses the APU, resulting in high cpu resources usage, leaving the rest of the system unusable. How often is that gonna happen? it depends on the type of usage, i guess: many devices accesing the network can make this happen but it's up to you, really (the SSD they used was crap for caching but they say that in the article).

 

The low power is great but the heat is not: this unit should be ventilated at some level.

 

I personally think this boards are great and they should be fun to setup in a cluster.

Share this post


Link to post
Share on other sites

oh so it's for home usage... then i guess it's ok then. The big drawbacks that review pointed is the networking: because it doesn't have a dedicated coprocessor so it uses the APU, resulting in high cpu resources usage, leaving the rest of the system unusable. How often is that gonna happen? it depends on the type of usage, i guess: many devices accesing the network can make this happen but it's up to you, really (the SSD they used was crap for caching but they say that in the article).

 

The low power is great but the heat is not: this unit should be ventilated at some level.

 

I personally think this boards are great and they should be fun to setup in a cluster.

yeah, the fact they are small makes clustering them pretty easy, they even have 1U rack mounts for them so you can install them 2 per U in rack.

 

not completely sure about their review of the network chip either, because I have the same chip on another board and it barely eats up CPU cycles. I'm wondering if their driver their OS is using is out of date or buggy.

Share this post


Link to post
Share on other sites

yeah, the fact they are small makes clustering them pretty easy, they even have 1U rack mounts for them so you can install them 2 per U in rack.

 

not completely sure about their review of the network chip either, because I have the same chip on another board and it barely eats up CPU cycles. I'm wondering if their driver their OS is using is out of date or buggy.

 

So now you MUST do a review in all detail, photos and all :)

Share this post


Link to post
Share on other sites

So now you MUST do a review in all detail, photos and all :)

once I get it, there will be pics as I assemble it and once I get it working hopefully run some ipref commands and get port speeds, CPU loads etc

Share this post


Link to post
Share on other sites

Got the board yesterday, got pfSense installed, so far its able to handle 200Mbit (can't test any higher on a real ISP as that's the largest connection I have access to, anything else will be synthetic tests) symmetric with only 10% CPU load... going to do more testing and set up my firewall then I'll try to get a review done

Share this post


Link to post
Share on other sites

Before you go live with it, connect something gig on the wan, and check how much data you can push..

Share this post


Link to post
Share on other sites

Before you go live with it, connect something gig on the wan, and check how much data you can push..

 

yeah, I'm probably going to do a connection to a gigE port on my desktop and do point to point tests a little later today

Share this post


Link to post
Share on other sites

Well I am with you on the pfsense choice - I can say nothing bad about it that is for sure.. Been running it for a few years.  m0n0wall would be a good choice as well if your looking for something with a smaller footprint and less bells and whistles.  I have to say that m0n0wall ipv6 works click click, while I have had some issues with pfsense and ipv6 native - works great with a tunnel like hurricane.

 

Pushing 100mbit doesn't take much - fitting it into a 1u rack as far as cases, etc is prob going to be where some of the cost is.

 

Comes down to your budget - sky is the limit you could spend whatever you want.. If you looking to keep cost low you can go different routes that may or may not fit into your 1u rack..  Have a home rack would be killer, and each room with 2 runs at cat 6 sounds fantastic.. Sweet setup it sounds like!

 

As to the consumer level comment - dude it doesn't take much to surpass that.. The soho stuff is quite often just crap - hardware wise some of it is not bad, but the firmware they put on them is just pathetic.. The problem is they try to make it for the masses that don't have clue one so they leave out all the good stuff.  I would love to see a soho native firmware that has say vlan support on the lan ports - sure many of them provide guest wireless, but how come I can not do vlan tagging on the switch ports?  What about ssh access?  Snmp support?  Openvpn server?  Captive portal? etc. etc..  Firewall with actual logs that show me what was blocked other than just gibberish that you were attacked but not tell me the actual port, etc..

 

Now not sure if my pfsense vm could push 100mbit -- but I would have to think it could since I see 900mbit to my other nas vm..  And its running on a n40l with other vms running and only given it 512MB of ram..  I would have to do some rewire to test what it could push wan to lan doing nat with firewall, etc.  So don't think you need some highend MB with GB of ram, etc.  Look to good ethernet - your best place to ask about good hardware for a pfsense setup in 1u might be the pfsense forums.

 

If your looking to running pfsense on other type appliances boxes - there is lots of that going on on the pfsense forums, I just don't have access to other appliances to play with or would be active in that section as well.

Whatever you go with - let us know how it turns out!!!  And if you need any help with pfsense just PM me, or see you on the pfsense boards I am very active over there as well.

Quite frankly, if I'm going to build a router, it has to do better than a factory router in every way for the price - otherwise, what is the point?

For that reason alone, 100 mbit is a non-starter; neither of the desktops has a connection that low by default.  (Neither my current router - or the router it replaced - were 100 mbit, on any port, for precisely that reasoning.  And neither was $100 new.)

 

You are talking about basically building a near carrier-grade router - and both pfsense and m0n0wall are great core firewalls for precisely that purpose.  Both also have the advantage of costing very little - or nothing at all in the case of m0n0wall.

 

Consider an x86 - not ARM - 1U motherboard with gigabit and a Core i3 or Core i5 (non-K).  Add two RAM modules - either DDR3-1333 or DDR3-1600 - of matched capacities - 2 GB to start.  That means 4 GB as a RAM floor - more than enough for two VMs (one being your firewall of choice).  The hypervisor choice - even with that low amount of RAM - is plentiful; it can be XEN, a Linux distribution, or Microsoft's own Hyper-V Server - all are free.  (Lastly, the hardware need not be current-generation - any Core i-series CPU will do, as long as it matches the motherboard.)

 

Don't overcomplicate things - but don't overbuy, either.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.