Home Network Control


Chuckleb

Moderator
Mar 5, 2013
1,017
331
83
Minnesota

tby

Active Member
Aug 22, 2013
222
111
43
Snellville, GA
set-inform.com
I'm curious if his openvpn limitation was cpu related though it would have been nice to include resource usage along with his testing.
I've been wondering about that. I've seen it suggested that a J1900 can manage Gigabit openvpn, the 1037U w/ AES-NI seems like it ought to do > 200Mbps at the very least. I've ordered one of these "Ars" boxes to replace my router. Probably going to run Sophos XG but I'm definitely going to do some Linux benchmarking before I throw it into Production at home...


@Gary Gapinski : I was researching this yesterday and pfsense has interesting instructions on blocking the use of alternative DNS servers. This could help limit the outbound DNS and avoiding. You can punch holes for known good devices.
A better option is to just re-direct DNS queries. My Tomato router has a checkbox for that.

Redirecting all DNS Requests to pfSense - PFSenseDocs
 
  • Like
Reactions: Chuckleb

Deslok

Well-Known Member
Jul 15, 2015
1,122
125
63
34
deslok.dyndns.org
It does look like it hit ~200 with open vpn

but shouldn't the J1900 and 1037U be roughly equal in anything cpu bound? the 1037 is faster per clock but the j1900 has twice as many cores
 

Patrick

Administrator
Staff member
Dec 21, 2010
12,513
5,804
113
interestingly ArsTechnica just did a write up on building their own equipment: "Numbers don’t lie—it’s time to build your own router". I'm curious if his openvpn limitation was cpu related though it would have been nice to include resource usage along with his testing.
How power hungry the pc is really is limited by your willingness to spend money on it up front, Avoton and Xeon-D sets with network acceleration would likely be fastest but cost more than say a pentium j1900 or i3(heck even a core2 system) although it might be a chance to virtualize things and put several appliances on one box to consolidate which helps both price concerns overall.
I would just offer that the C2558 Rangeley chip is an absolute beast for ~14w.

I read that Ars link - I really want something scripted to do a similar test for STH. I think they may have been missing a graph though and other than run a bunch of nginx instances (arbitrary 10k?) on different ports, there is not too much information on how that was setup.
 

canta

Well-Known Member
Nov 26, 2014
1,012
216
63
43
not old atom processor, baytrail d, and braswell are good candidates for low power consumption

the main question is, how much do you want to spend $$
 

PigLover

Moderator
Jan 26, 2011
3,186
1,545
113
not old atom processor, baytrail d, and braswell are good candidates for low power consumption

the main question is, how much do you want to spend $$
Baytrail D (J1900) is fine and a great performer for general routing and running squidguard and/or Snort/Suricata. For the OP's application, as a medium performance home router and Squidguard at 300/300, it would work fine (actually better than fine - pretty darn good really).

But if you are interested in things that require encryption the lack of AES-NI is crippling, and QAT is very helpful. Even though it's lower clocked, the N3700 is probably a better choice if you are doing any VPN and you really want C2558 (QAT) if you are going to support TLS, e.g., in a Squid3 reverse proxy for light hosting.
 

tby

Active Member
Aug 22, 2013
222
111
43
Snellville, GA
set-inform.com

canta

Well-Known Member
Nov 26, 2014
1,012
216
63
43
Baytrail D (J1900) is fine and a great performer for general routing and running squidguard and/or Snort/Suricata. For the OP's application, as a medium performance home router and Squidguard at 300/300, it would work fine (actually better than fine - pretty darn good really).

But if you are interested in things that require encryption the lack of AES-NI is crippling, and QAT is very helpful. Even though it's lower clocked, the N3700 is probably a better choice if you are doing any VPN and you really want C2558 (QAT) if you are going to support TLS, e.g., in a Squid3 reverse proxy for light hosting.
I vote for braswell N 3XXX since has AES hardware
C2558 is more expensive and support more too as you mentioned.

this is just a matter of what is suitable and how much spending :)

I am using A4-5000 miniitx, since my own J baytrail -D has no AES, this is crippling the overall scenario :D
well. A4-5000 has AES-NI, and more 5 watt consumption
 

canta

Well-Known Member
Nov 26, 2014
1,012
216
63
43
Compared to the Ars box it's a lot more money for 25% more Passmarks. Plus those evil UDIMMs.

PassMark - CPU Performance Comparison

In my late-night AliExpress hunting I also came across some i5-4258U dual-NIC systems < $300 delivered. That is a 28W monster!

Buy Products Online from China Wholesalers at Aliexpress.com
do at your own risk with no support and no bios update :p


do you set total $28 Watts?

the headless is better equipped with low power graphical card or nada.

I would suggest to get a good one than picking from no-where china where they cut all material to sell cheap.
this is just me since needing running 24/7 for many years with minimal down time,
 

canta

Well-Known Member
Nov 26, 2014
1,012
216
63
43
I've been wondering about that. I've seen it suggested that a J1900 can manage Gigabit openvpn, the 1037U w/ AES-NI seems like it ought to do > 200Mbps at the very least. I've ordered one of these "Ars" boxes to replace my router. Probably going to run Sophos XG but I'm definitely going to do some Linux benchmarking before I throw it into Production at home...




A better option is to just re-direct DNS queries. My Tomato router has a checkbox for that.

Redirecting all DNS Requests to pfSense - PFSenseDocs
you need AES or not?
if need AES. get N3XXX intel board....

my suggestion is try to get AES hardware supported, if you needed in the future...
 

halfelite

Member
Oct 10, 2014
62
17
8
40
@Chuckleb Thanks for pointing to the unifi ac lite. I did not see it listed on their store.

Great information going on in here. Looks like I have many great, not so expensive choices.
 

WeekendWarrior

Active Member
Apr 2, 2015
357
146
43
56
This is a very interesting subject. Kudos for raising it. I'll be following this discussion closely.
 

PGlover

Active Member
Nov 8, 2014
499
64
28
57
Here are the systems the lower-end pfSense branded appliances are built on:

Firewall Router Desktop System Appliances

Pretty sure the high-end is a rebranded SuperMicro board and chassis, but I haven't followed that thread to its completion.
That is correct.. The rack mount version is a rebranded SuperMicro board and chassis. My pfsense PC is a WatchGuard box loaded with the pfsense software. Check out the pfsense forum.
 

Nnyan

Active Member
Mar 5, 2012
146
50
28
With two young girls (wifi cell phones, tablets and their own PCs) who are growing and learning quickly I have a few protections.

1. Re-evaluating home firewall (pfSense and Sophos UTM)
2. Kids devices use OpenDNS (Home VIP)
3. Cujo (should be getting this next month, got in early and got two cheap, we'll see how that goes)
4. Dashlane to generate a unique and difficult password for EVERYTHING.
5. Norton AV on EVERYTHING (I am evaluating Sophos Home AV).
6. Just started testing OPSWAT Gears.
7. Glasswire Firewall on PC's. Too early to say much about this.

And followed a few guides about securing your home wifi/internet, pretty basic common sense things.
 

capn_pineapple

Active Member
Aug 28, 2013
356
80
28
1. I am currently running, pfSense - No issues, very secure quite customisable. I will be changing that over to Sophos in the near future though because I use it at work and am more familiar with it (especially the IPS side of things)
2. Again you can set this up either on pfSense/Sophos with a DNS forwarder to OpenDNS with DNS being resolved internally (makes things ever so slightly faster)
3. Why bother if you're getting a UTM style firewall (Sophos/pfSense w/Suricata/Snort/Squid)
4. Good thinking, I've been looking into this as well, have been using LastPass however they got bought out by LogMeIn (urgh price-hikes)
5. Don't you dare, Norton is one of the worst intentionally installed viruses this side of 127.0.*.* it's in the same boat as Java and Flash. Sophos@Home is pretty awesome providing you don't go above 10 devices.
6. Again seems the same as Sophos@Home
7. This is essentially something you get for free with the Sophos stuff so you don't really need an additional vendor.
 

Fritz

Well-Known Member
Apr 6, 2015
3,382
1,385
113
70
I'll second the comment on Norton. Worst piece of garbage ever to infest a computer.
 

Churchill

Admiral
Jan 6, 2016
838
213
43
Here's the $10,000 question: Can Sophos' UTM 9 function as a site to site VPN server? I've seen responses where people said it could and could not.

I want to run 1 of my servers out to a VPS over a VPN over a site to site connection and I can do that with PFSense but unsure if Sophos UTM 9 Home edition will do that.
 

markarr

Active Member
Oct 31, 2013
421
122
43
Here's the $10,000 question: Can Sophos' UTM 9 function as a site to site VPN server? I've seen responses where people said it could and could not.

I want to run 1 of my servers out to a VPS over a VPN over a site to site connection and I can do that with PFSense but unsure if Sophos UTM 9 Home edition will do that.
Yes it will. I have a pfsense to Sophos (Home) VPN setup right now between my colo and home.