10 GBE Router

takeawaydave

Member
Aug 20, 2013
62
2
8
Thinking of repurposing a slightly surplus HTPC machine into a 10GBE Router for home use.

HTPC runs a slightly old Intel Core i5-4590 (3.3 GHz) on an Asus Z97i-Plus desktop class motherboard and is in a Streacom FC-5 case.

Idea is to keep cost down and simply add in a 4 port 10GBE port - but not sure how much real throughput this would achieve if pfSense were loaded and running.

Any suggested builds?
 

RTM

Well-Known Member
Jan 26, 2014
877
330
63
Thanks @tjk for the link. What’s the suggestion?
I hope I am not overstepping here, but I think the point is (probably) that you won't be anywhere near full 10G routing with that hardware, unless you use a software solution like TNSR.

Of course, you are probably better off using a L3 switch to do internal routing on your home network and use a smaller device as firewall between home and internet.
 

takeawaydave

No, you're not overstepping at all @RTM - Thank you for the comment. I am fairly aware that the desktop board mentioned above might fall well short; however, in terms of a minimum purchase to set up TNSR on bare metal, what would a current hardware solution be in terms of low cost?

My ISP is able to offer me an upgrade to 10GBE for the price of the new SFP+ module but I don't really have the means to fork out on too much hardware at the moment.

For example I was looking at the following Supermicro Motherboard X10SLH-LN6TF earlier but shipping to Europe is way too steep in price.
 

RTM

In that case, I don't really have a great recommendation for you, I suggest you start with the hardware you already have + NIC and TNSR for home+lab.

Do keep in mind that TNSR is a router solution, and not really all that comparable to a more firewall-oriented solution like pfSense. One key difference is that TNSR does not do Stateful Packet Inspection (SPI) (which is part of, but not the whole reason why TNSR is faster), which is an important feature security-wise. As with everything, it is a trade-off of performance vs security, that only you can decide whether you want to make or not.

You may also be better off with a "hardware router", I am not too well versed in this area, something like Mikrotik's CCR2004-16G-2S+ (it is very new though, so be sure to check the Mikrotik forum for experience from people) might be a reasonable choice (it only has two SFP+'s though, so one uplink and one for your switch perhaps?).

In any case, what is the rest of your network like?
Can you even make use of a 10G internet connection?
It matters because, there is a big difference between being able to route (and firewall) a couple of gbps and 10 :)
No, you're not overstepping at all @RTM - Thank you for the comment.
I was implying that I might be overstepping, by explaining what @tjk meant by that link thus assuming I know what he was thinking, but no matter, I am sure it should be fine otherwise I would not have posted anything at all ;)
 

RTM

Oh and another thing, you may want to report your original post, and request having the thread moved to the "networking" section, I suspect you will find more help there.
 

Stephan

Well-Known Member
Apr 21, 2017
527
327
63
Germany
I suspect the hardware might even do 10 Gbps with large packets (1500+ byte frames) and no firewall rules just routing, but no chance at high packets/sec with small frames (64 bytes). pfSense being BSD is usually a small factor worse in performance than Linux. Add filtering rules and you are dropping to 2-3 Gbps fast. Update CPU microcode to post-Meltdown-fixes with insane context-switch slowdown and you might get only 1 Gbps.

Recommend two two-port 10 Gbps cards to aid in cooling because you are looking at 20 watts when loaded for those cards alone. So you will need a fan blowing at the cards. Also probably cheaper than newish https://www.servethehome.com/intel-x710-t2l-a-better-dual-port-10gbase-t-nic-review/.

If you only want to connect devices, get a 10 Gbps switch instead. Most will have a fan because of the above-mentioned power consumption of 10GBase-T. If you can, skip 10GBase-T and switch to SFP+ and suitable DAC cable or module and fiber.
 

tsteine

Active Member
May 15, 2019
125
62
28
@takeawaydave

If you don't want to pay the cost for bare-metal TNSR, the bottom line is that TNSR is really just a bundle of open source technology with a proprietary management plane, which uses FRR/FD.io(vpp)/Kea/Unbound under the hood for the most part.

There is no reason why you can't install a Linux distro of your own choice and set up FD.io yourself to achieve the same level of performance, and complement with your own choice of DHCP/DNS software.

That being said, FD.io has a pretty sharp learning curve.

FDio - The Universal Dataplane
 

tsteine

No reason - except that this is REALLY hard, and even harder to get right/secure. Which is why people built things like TNSR.

As I said, it does have a learning curve, but it's certainly doable for someone familiar with Linux system administration and network command line configuration. The guides in recent FD.io documentation have become much better as well.

VPP as a Home Gateway — The Vector Packet Processor v22.02-rc0-429-g03e40e623 documentation (fd.io)

Access Control Lists with VPP — The Vector Packet Processor v22.02-rc0-429-g03e40e623 documentation (fd.io)
 

takeawaydave

Thanks for the previous comments. Due to personal reasons I haven’t managed to follow up on this till now. I am needing to slightly change what I am going to do here and build a more secure zone in my home network for working from home with required VMs.

Looking on netgate.com, an adequate appliance with 10GB throughput seems to be based on an Intel Xeon Processor D-1537 - a low TDP class 8 CPU (Intel Xeon CPU D-1537 @ 1.70 GHz) based machine.

Plan is to virtualize TNSR onto ESXi 7 running on PowerEdge 630 which is currently running with 16 CPUs x Intel(R) Xeon(R) CPU E5-2630L v3 @ 1.80GHz.

I have a double X520-DA 10GB card - one of the ports is used for a 19 GBE DAC connection to a Synology NAS (provisions ESXi datastore over iSCSI).

Could the remaining 10GB port be passed through directly to the TNSR VM with a 10 GBE uplink to a suitable 10 GBE switch?

On the internal side then set up a new ESXi vSwitch with multiple VLAN’ed port groups in order to build out the VM environment.

I’ve cross posted into Networking as well: https://forums.servethehome.com/index.php?threads/virtualizing-tnsr-alongside-vms-on-esxi-7.35405/
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
839
312
63
As I said, it does have a learning curve, but it's certainly doable for someone familiar with Linux system administration and network command line configuration. The guides in recent FD.io documentation have become much better as well.

VPP as a Home Gateway — The Vector Packet Processor v22.02-rc0-429-g03e40e623 documentation (fd.io)

Access Control Lists with VPP — The Vector Packet Processor v22.02-rc0-429-g03e40e623 documentation (fd.io)