Pfsense replacement home firewall router

Hi there,

I am hoping for some advice in replacing my current pfsense (under esxi) because with the warm weather the little i7 shuttle I am using is powering off.

I am only really using it as a default gateway behind my isp modem which provides pfsense with a public IP. No heavy pfsense usage in firewalling etc.

Ideally a replacement will allow for inbound VPN connectivity (I VPN in using OpenVPN from my phone and tablet remotely) and also allow me to configure my NordVPN tunnel and use policy-based routing (in effect sending specific source IP addresses over the tunnel).

I looked into the netgate j1900 stuff because I am happy with pfsense but the AES-NI stuff kills that.

I don't mind spending on this to make my setup more reliable (currently out of country and box offline so no remote CCTV monitoring etc) and welcome any ideas :)

I looked at routerboard, and even considered going back to my Asus router (currently just serving wifi).

I'm only looking to push 350 Mbps downstream / 20 Mbps upstream with maybe 20 internal devices.

Thanks for any thoughts. :)

Comments

  • jsg Member, Resident Benchmarker

    OPNsense.

    The idea with a j1900 (or N series) processor looks good. 350 MB AES even without AES-NI shouldn't be a problem, so that isn't a live-or-die criterion, but it's certainly nice to have it.

    Thanked by 1: casualjoe
  • dragon2611 Member
    edited July 2018

    Look at the following

    RouterBoard

    UBNT Edgerouter

    UBNT USG

    Synology router (if you wanted an all in one)

    opnsense - I don't think they are going to require aes-NI anytime soon but that might have changed

    Thanked by 1: casualjoe
  • athan Member

    I prefer a mini AES-NI enabled fanless box with clean Free/Open-BSD setup PF/IPFW paired with DNS/DHCPd/RAdv

    Thanked by 1: casualjoe
  • Thanks everyone for their opinions lots of useful reading ahead.

    @athan what aes-ni fanless box setup would you recommend?

  • athan Member
    edited July 2018

    You can use whatever you wish; personally I do love Jetway barebones like the following one (I have quite a few of them working great at home and work).

    jetwaycomputer.com/JBC420U591.html

    Not the cheapest, but affordable, ultra small, fast enough, expandable, built like a tank, dual Intel NIC and fully supported by my favorite routing OS (FreeBSD).

    An mSATA mini PCI card plus SO-DIMM RAM are required to make use of it though.

    Photo is from a recent build:

    Thanked by 2: casualjoe, Janevski
  • @jsg said:
    OPNsense.

    The idea with a j1900 (or N series) processor looks good. 350 MB AES even without AES-NI shouldn't be a problem, so that isn't a live-or-die criterion, but it's certainly nice to have it.

    +1 for opnsense

    Thanked by 1: casualjoe
    I recently built a ~700 USD mini ITX workstation with a ~200 gigabit ethernet card. I put OpenWrt on it and it's running very well. The reason is full control to get better at networking, and my routers cut my speeds down to 1/3 of what it was at the modem. I'm on fiber so now I get over 650 Mbit/second :D.

    Uses an i3 CPU, 120 GB m.2 ssd, startech ethernet card, asrock mobo, 8 GB ram.

    It is likely overkill but it has room for reuse if i need it to later on or expanding what it runs!

    Thanked by 1: casualjoe
  • zkyez Member

    @casualjoe said:
    Thanks everyone for their opinions lots of useful reading ahead.

    @athan what aes-ni fanless box setup would you recommend?

    I have a qotom box

    Thanked by 1: casualjoe
  • Jarry Member

    I just built my firewall using OPNsense and apu4b4: fanless, cpu with aes-ni and 4x1GHz cores, 4GB ram, 4x gbit, 3x miniPCIe, needs about 8W power. With case for ~140€...

    http://pcengines.ch/apu4b4.htm

  • Wow that's cheap. How was the delivery / import experience?

  • Jarry Member

    I'm from EU, so it was not a problem. I just searched some reseller in DE and ordered. Got it within one week...

    I'm in no way connected with them, but I like it really. Found some old wifi-card from laptop I already recycled, put it into mPCIe, and it works! mSATA-SSD in another port, works too. One can even mount 4G/LTE-mPCIe card (there are two slots for sim-cards). Tested IPFire, OPNsense, SophosUTM, Debian...

    Thanked by 2: casualjoe, Janevski
  • @Jarry said:
    I just built my firewall using OPNsense and apu4b4: fanless, cpu with aes-ni and 4x1GHz cores, 4GB ram, 4x gbit, 3x miniPCIe, needs about 8W power. With case for ~140€...

    http://pcengines.ch/apu4b4.htm

    I've used their old Geode based boards a few years back (Alix 2D3's) and found them to be pretty solid, not tried the APU's mind.

    Thanked by 1: casualjoe
  • cubedata Member, Patron Provider

    Try Untangle they have the $50/year home package plan and it is worth the money.
    Or Try SophosUTM Home Edition or what other people have said about a routerboard or ubiquiti equipment.

  • @cubedata said:
    Try Untangle they have the $50/year home package plan and it is worth the money.
    Or Try SophosUTM Home Edition or what other people have said about a routerboard or ubiquiti equipment.

    Last time I tried untangle it didn't support IPv6 beyond passing it through completely unfiltered which isn't acceptable for a firewall.

    Thanked by 1: rm_
  • rm_ IPv6 Advocate, Veteran
    edited July 2018

    Not to mention paying a yearly fee for... a home firewall? Do you also rent your washing machine?

    Thanked by 1: Janevski
  • cubedata Member, Patron Provider
    edited July 2018

    @rm_ said:
    Not to mention paying a yearly fee for... a home firewall? Do you also rent your washing machine?

    Nope, but I use it for more than just a firewall, so my use case may be different.
    And no, I do not rent my washing machine.

    plan to eventually buy wfilter ng firewall to replace untangle with
    http://www.wfilterros.com/

  • Jarry Member

    Untangle is basically just trialware/demo. Most of the interesting and useful features come with a 14 (or 30?) day trial license. After that, you have to pay...

    And even if I considered the full product, I do not find Untangle somehow special. Just quite comparable to pfSense/OPNsense. But free SophosUTM/SophosXG stands way above Untangle with all its payware modules...

  • cubedata Member, Patron Provider

    @Jarry said:
    Untangle is basically just trialware/demo. Most of the interesting and useful features come with a 14 (or 30?) day trial license. After that, you have to pay...

    And even if I considered the full product, I do not find Untangle somehow special. Just quite comparable to pfSense/OPNsense. But free SophosUTM/SophosXG stands way above Untangle with all its payware modules...

    Well, I agree. I'm also planning to dump Untangle and use the free home edition of SophosUTM or SophosXG, though I have to figure out again the difference between SophosUTM and SophosXG to decide which one to dump Untangle for.

    The only reason I'm still on Untangle was that when the home plan started they basically had the full features included for $50/year, including all payware modules etc., which usually costs way more per month/year alone. Still, I'm planning to move away from Untangle and back to the SophosUTM and SophosXG free edition.

  • Hi there, thanks again for all advice.

    I've been looking into these ideas and found it looks like Mikrotik don't allow openvpn + udp.. I wonder why not... That's odd.

  • Jarry Member
    edited July 2018

    @cubedata said:

    plan to eventually buy wfilter ng firewall to replace untangle with
    http://www.wfilterros.com/

    I do not want to rain on your parade, but... seriously? I had never heard of this "WFilter", so I checked it a little. Honestly, I did not find anything justifying that price (maybe support, but the web says "live help is offline"). Filter, shaper, monitoring, reporting, VPN, etc.; nothing special.

    Then I checked the web once more. It looks a little amateurish to me (look at that funny "comparison" with appliances and open-source firewalls). BTW, the contact email is on a different domain, "imfirewall.us".

    And if all that is not enough to raise suspicion, look at the telephone contact number: it has country code +86. Do you really want to have a software firewall from China?

  • jsg Member, Resident Benchmarker

    @casualjoe said:
    Hi there, thanks again for all advice.

    I've been looking into these ideas and found it looks like Mikrotik don't allow openvpn + udp.. I wonder why not... That's odd.

    Check again. Maybe the earth's axis has flipped, but I did use/install a couple of Mikrotiks with OpenVPN and also used UDP a couple of years ago. I'd be very surprised if their boxen and/or Linux had changed so dramatically.

    Thanked by 1: casualjoe
  • Mark_O_Polo Member
    edited July 2018

    Take a look at Asus RT-AC86U (AC2900). Flash it to Merlin firmware. It should give you 1Gb/s up and down + have the features you need. Easy to maintain, and you can tweak it via cli or add on scripts if needed. Basically a $200 solution with a solid build.

    Which Asus router do you currently own?

  • Thanks @jsg

    https://forum.mikrotik.com/viewtopic.php?t=130152

    https://forum.mikrotik.com/viewtopic.php?f=1&t=124461&p=639307&hilit=openvpn+udp#p639307

    I'd seen it talked about above, would be happy to be wrong :)

    Nordvpn support site says pptp or l2tp..

  • emmd19 Member

    Consider repurposing an x86 thin client, for example the HP T620 Plus. You can find them regularly for $60-70 on eBay and stick an Intel dual/quad-port NIC in it for another $20. These babies are actually remarkably powerful for their size: they pack AMD Jaguar quad cores.

    https://www.maroonmed.com/hp-t620-plus-thin-client-pfsense/

    Thanked by 2: rm_, casualjoe
  • edited July 2018

    I just picked up a couple HP Elite USDT 8200 (x1) and 8300 (x2) boxes for less than $50. They come with i5 CPUs (capable of AES-NI) and 4GB RAM (at the moment) with space for a 2.5" drive. They have one gigabit Ethernet port, but a bunch of USB3 ports where you can use a gigabit capable USB3 Ethernet adapter.

    You could try that for cheap.

    Thanked by 1: casualjoe
  • Thanks again everyone, the current Asus is an RT-AC66U AC1750. Repurposing a thin client is a great idea thanks!

    Yeah, I think even an i5 is going to struggle unless it's passively cooled properly, to avoid the situation I'm in now.

    Cheers!

  • jsg Member, Resident Benchmarker

    @casualjoe said:
    Thanks @jsg

    https://forum.mikrotik.com/viewtopic.php?t=130152

    https://forum.mikrotik.com/viewtopic.php?f=1&t=124461&p=639307&hilit=openvpn+udp#p639307

    I'd seen it talked about above, would be happy to be wrong :)

    Nordvpn support site says pptp or l2tp..

    Those threads seem to be about OpenVPN client plus UDP, in other words OpenVPN with TCP seems to work.

    But don't get me wrong. I'm not in any way a Mikrotik expert. I just happened to install/use a couple of Mikrotik boxen with RouterOS and OpenVPN(server) and it worked fine.

    For your needs I would however anyway advise going the x86 route, getting one of those Atom or Jaguar core boxen and installing OPNsense, or OpenBSD if you prefer that. The reason I used some Mikrotik boxen a while ago was that it was a decision already made (not by me); they worked well and did their job, but I'd always prefer x86-based hardware plus some FOSS OS solution for most home or SME office situations.

    Thanked by 1: casualjoe
    Thanks again, yeah, I'm using the OpenVPN client with TCP and UDP for two tunnels (NordVPN assigns the client subnet based on the protocol, so to have two simultaneous tunnels (locations) I use one on each protocol and push the higher-traffic one through UDP).

    I like the x86 idea so long as it's fanless / not suffering heat issues.
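
Putting the two pieces of the poster's requirement together, the inbound OpenVPN access asked for in the first post and the source-based split across a UDP and a TCP NordVPN tunnel described just above, here is an added pf.conf fragment in the FreeBSD pf syntax that pfSense and OPNsense generate under the hood. It is constructed for this page, not taken from the thread or from either project; the interface names (igb0, igb1, tun0, tun1, tun2), the tunnel gateway and client addresses, the table members and the server port are all assumptions for illustration.

```pf
# Added example (not from the thread): policy-based routing of chosen LAN hosts
# through two OpenVPN client tunnels, plus a single inbound OpenVPN server.
# All interface names, addresses and ports below are assumed for illustration.

wan_if  = "igb0"
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# Assumed: our own OpenVPN server (for the phone/tablet) listens on UDP 1194
# and hands out 10.10.0.0/24 on tun2.
ovpn_srv_port = "1194"
ovpn_srv_if   = "tun2"
ovpn_srv_net  = "10.10.0.0/24"

# Assumed client tunnels: one UDP (high traffic), one TCP (second location).
vpn_udp_if = "tun0"
vpn_udp_gw = "10.8.0.1"
vpn_tcp_if = "tun1"
vpn_tcp_gw = "10.9.0.1"

# Constructed example sources to steer through each tunnel.
table <via_udp_tunnel> { 192.168.1.50, 192.168.1.51 }   # e.g. NVR, media box
table <via_tcp_tunnel> { 192.168.1.60 }

set skip on lo0

# Translation: whichever interface a LAN packet leaves on, it takes that
# interface's address. Tunnel NAT is needed because the provider only routes
# the tunnel's own client address back to us.
nat on $wan_if     from $lan_net           -> ($wan_if)
nat on $vpn_udp_if from <via_udp_tunnel>   -> ($vpn_udp_if)
nat on $vpn_tcp_if from <via_tcp_tunnel>   -> ($vpn_tcp_if)

# Default deny, logged, so anything not explicitly allowed shows up in pflog.
block log all

# Inbound from the Internet: only our OpenVPN server port, nothing else.
pass in quick on $wan_if proto udp from any to ($wan_if) port $ovpn_srv_port keep state
# Remote VPN clients may reach the LAN (the CCTV use case from the first post).
pass in quick on $ovpn_srv_if from $ovpn_srv_net to $lan_net keep state

# Policy-based routing: decided on the LAN ingress interface by source address.
# route-to overrides the default route and pushes the packet to the tunnel's
# far-end gateway; replies come back through the matching state entry.
pass in quick on $lan_if route-to ($vpn_udp_if $vpn_udp_gw) \
    from <via_udp_tunnel> to ! $lan_net keep state
pass in quick on $lan_if route-to ($vpn_tcp_if $vpn_tcp_gw) \
    from <via_tcp_tunnel> to ! $lan_net keep state

# Fail closed: if a route-to rule above is disabled or removed (for example
# because the tunnel is down), these hosts must not silently fall through to
# the ISP default route. They are blocked instead of leaking out the WAN.
block in quick log on $lan_if from { <via_udp_tunnel>, <via_tcp_tunnel> } to ! $lan_net

# Everyone else on the LAN uses the normal default route via the ISP modem.
pass in on $lan_if from $lan_net to any keep state
pass out on { $wan_if, $vpn_udp_if, $vpn_tcp_if, $ovpn_srv_if } keep state
```

In the pfSense or OPNsense GUI the same thing is expressed as a firewall rule on the LAN interface with the tunnel's gateway selected in the rule's Gateway field, with the tables above becoming aliases. The detail worth keeping whichever way it is configured is the fallback block: the gateway on a rule is only honoured while that gateway is up, so without an explicit deny the "VPN only" hosts quietly revert to the plain WAN path when the tunnel drops.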

  • Mark_O_Polo Member
    edited July 2018

    @casualjoe said:
    Thanks again everyone, the current Asus is an RT-AC66U AC1750.

    No Merlin available on that one, just a little too old. Was worth checking...

    Supposedly the AC86U can do 200Mb/s with Open VPN.

    I'm sure a somewhat recent i5 should do better with VPN, but I've read before that OpenVPN is single-threaded, which may be the limiter in many scenarios.

    Thanked by 1: casualjoe
  • jsg Member, Resident Benchmarker

    @casualjoe said:
    Thanks again, yeah I'm using openvpn client with tcp and UDP for two tunnels (nordvpn assign client subnet based on the protocol so to have two simultaneous tunnels (locations) I use one on each protocol and push the higher traffic one through UDP).

    I like the x86 idea so long as fanless/not heat issue suffering

    I myself run a 7+ year old low-power x86-based router without a fan and never had any heat problems. And that box could also do 350 MB/s AES.

    It seems to me that your heat problem is largely due to a wrong processor and mainboard choice. I can assure you that any decent and halfway recent dual-core low-power x86 can easily meet your AES, OpenVPN, and other router/gateway needs. If you want to be on the safe side, just choose a processor with AES-NI support.

    Frankly, looking at processor benchmarks and comparing more recent low-power x86 with my old one, I would even go so far as to say that 2 Jaguar cores are overkill. In other words: such a processor will, if you allow it (SpeedStep, etc.), stay far below its maximum speed and thus also stay away from any heat problems.

    Thanked by 1: casualjoe