Searched for this topic, but didn’t find anything particularly useful, figured I’d start one.
What do ya’ll recommend for something that would be a solid Gigabit capable Router. I will probably run Linux for my firewall, as that I’m most familiar with. I’m open to PfSense, or OpenSense, but I’d need some convincing. Perhaps if the packet processing is faster?
Probably will run a couple VPNs, openvpn/wireguard, mostly for roadwarrior, and maybe a couple for connecting up cloud machines. The VPNs won’t be high bandwidth (Max I can imagine would be 200mbit), but it’d be nice to be able to do so.
I plan on also doing traffic shaping to ensure high quality VOIP and SSH. Doesn’t need to do any WiFi, as I’ve got that covered with UniFi goodness.
It’d be super cool if it could have a hardware watchdog, or a way to add one, so that way the router stays up, even if it wedges for some odd reason. I’d like for it to fit in a rackmount case, but it doesn’t have to.
I’m currently running a Mikrotik RB800, and it’s getting the job done, but their openvpn support is absolutely pathetic, and I doubt they’ll have any wireguard support any time soon (been promising openvpn UDP in V7 for over 2 years now). Otherwise, the hardware itself is amazing, runs on PoE, and can do the gigabits, as long as I have fast-track working.
+! for pfSense, though wireguard support won’t be there because pfSense is an enterprise solution that will not add incomplete services with potential performance and security holes to their software package. OpenVPN or IPsec will perform just fine - something like an i3-4130T would blow your performance requirements out of the water for dirt cheap. Follow JDM’s pfSense guide if you so desire.
I would steer you away from traffic shaping, it introduces latency, annihilates throughput, and generally causes more harm than good. VOIP and SSH will be just fine without QoS.
Good to know that an i3 is good enough for gigabit internets
Regarding Traffic Shaping, this hasn’t been my experience. Back in the day when I had only 4mbit of upload, traffic shaping ensured that my VOIP and SSH packets had ultra low latency compared to the HTTP uploads, or whatever else was going on. QoS != Traffic Shaping as well, IIRC. QoS is just packet marking, which may or may not be honored by upstream. Traffic Shaping requires you to actually have an upload slightly lower than the max, so that you organize your packets before they do.
QoS is a ton of stuff, traffic shaping falls under that umbrella. pfSense’s QoS service is a traffic shaper.
If you have extremely limited upload, it may benefit you, but otherwise it’s additional software processing of each packet - added latency and reduced throughput.
As for why pfSense, it is easy to use, and is the most supported whitebox routing software package.
Aight. that’s good to know. I’ve done a linux router in the past, I might stick with it, I don’t mind getting my hands dirty. I didn’t know PfSense included traffic shaping in QoS.
Thanks for the info! Seems it’s much simpler than I thought!
That is true, and has served me very well for my NAS and my Virtualization Server. It’s likely what I’ll end up doing, because the cost simply can’t be beat.
Sadly that HP290 is all sold out. Unless it randomly comes back into stock?
The HP290 does apparently randomly come in and out of stock, folks on the forum have reported snagging it. A Ryzen would be massive overkill for a firewall, but hey I’d be a hypocrite if I told you not to do things overkill…
Linux works just fine as a router, in fact packet latency will probably be slightly better than with FreeBSD (PFSense/OPNSense), depending on what you ask it to do. The main value-add for PFSense is a handy UI, which is good when your network isn’t coming up, family’s breathing down your neck, and you’re trying to muck around with iptables/nftables. OPNSense has decent wireguard support via plugin. Also, nothing wrong with running the VPN on a VM on your server, rather than on your router.
Most server boards (X9SCM-F would be an example) have a hardware watchdog, either via the PCH or the BMC. It’s managed from the OS. In the past, I just set my OpenWRT router to reboot nightly at 3am.
That’s why I use Shorewall. Provides me a friendlier way that I learned back in like 2004 rather than raw iptables. I do currently have my VPN running on a VM, but I’d like for it to be on the thing that does the routing, as it makes a few things easier, especially if I want to do split routing where some traffic goes through the router. The pathing is easier. Also, then my VM server can be rebooted, and fiddled with, while I’m on a VPN I live dangerously.
Thanks for the context! I’ll keep an eye on the HP290. It was sold out again just a bit ago
Good to know, but I’m probably not going to use pfsense for this router. I’m always a fan of sticking more than I need when it’s inexpensive, that way I can experiment with things if i want to.
Just wanted to confirm for you - I installed my HP 290 today as pfSense with a 16GB Intel Optane SSD and no other modifications. It can absolutely handle Gigabit, it flies.
not necessarily just do the cheapest thing. It’s fun!
