Firewall / Gateway / Router recommendation?

nitrobass24

Moderator
Dec 26, 2010
1,082
126
63
TX
Just moved to a new house and I now have an AT&T U-verse 1 Gbps connection, which sounds great, but my old Sophos box just can't seem to do much beyond 200 Mbps.

I recently bought a UBNT USG, but after messing with it for about 5 hours I put it all back in the box. Besides the fact that it didn't have IDS or other UTM-type features, it lacks any sort of UI to do basic tasks. Even though it's a UniFi product line, you can't really configure anything on it through the controller. Everything must be done on the CLI, which isn't what I am looking for.

So on to the requirements:
1. Support 1 Gbps LAN to WAN throughput
2. Includes UI for NAT / Firewall rules
3. Supports some sort of SSL VPN
4. Silent, no fan

Nice to haves:
5. IDS / IPS
6. Web Application Firewall / Reverse proxy

Ideally, I am looking for an out-of-the-box solution, but am willing to identify suitable hardware on which Sophos/pfSense-type software can be installed as well.

TLDR
Fast Internet
Slow firewall
Need a Fast & Silent firewall for new internet

nitrobass24

Moderator
Dec 26, 2010
1,082
126
63
TX
Slow / Quiet could be in the cards, what do you have in mind?

I do run a 3-node vSphere cluster behind this as my home lab, but am not inclined to move my firewall / gateway device to it.
 

Keljian

Active Member
Sep 9, 2015
429
71
28
Melbourne Australia
> Slow / Quiet could be in the cards, what do you have in mind?
>
> I do run a 3-node vSphere cluster behind this as my home lab, but am not inclined to move my firewall / gateway device to it.

Just thinking an i3-6xxx with 4-8 GB of RAM on a low-cost board. Given that it's only a 54W peak chip (with idle much lower) and has AES-NI (with all the trimmings), you could easily put pfSense/Sophos on it and call it a day. If you needed very quiet, you could get something like the Scythe Big Shuriken and drop an Antec 120mm TrueQuiet fan on it with minimal effort.

Patrick

Administrator
Staff member
Dec 21, 2010
11,805
4,760
113
@nitrobass24 I do have a pfSense machine (C2758 based) that can handle 1 Gbps WAN. I hit 280 Mbps over OpenVPN and 600 Mbps over standard WAN at some point using a few test machines. There were other active boxes behind the appliance, etc., but that was enough for me to say OK.

I have a feeling by SSL VPN you mean does not require software installation.

I agree with @Keljian that an i3 with even a stock heatsink/fan is going to be near silent.
 

nitrobass24

Moderator
Dec 26, 2010
1,082
126
63
TX
Good to know. A C2758 was already on the shortlist, but it's quickly rising to the top.
Given your experiences with the Xeon-D stuff, do you think it is suited for this type of application?
 

Patrick

Administrator
Staff member
Dec 21, 2010
11,805
4,760
113
> Good to know. A C2758 was already on the shortlist, but it's quickly rising to the top.
> Given your experiences with the Xeon-D stuff, do you think it is suited for this type of application?
For a standalone pfSense, a D-1518 or Pentium D1508 would likely be enough. I use Chelsio 10GbE/40GbE with pfSense and Intel 1GbE.

Another great one was the E3-1125C. If you could put a larger fan on it (i.e. not use 1U screamers), it's a super platform.
 

BackupProphet

Well-Known Member
Jul 2, 2014
793
283
63
Stavanger, Norway
kingmakers.no
I picked up one of these $99 Supermicro servers with a single L5630 and turned it into a router/firewall running FreeBSD. I get 350 Mbit/s over OpenVPN. Average power consumption is 65 W. I could probably get it down to 50 W by moving the motherboard into a desktop chassis.

pfSense also has excellent support for the Snort IDS.
 

tullnd

Member
Apr 19, 2016
57
7
8
USA
I just built a pfSense box. I used a C2558 Supermicro setup to save a few bucks over the C2758. It's more than capable. I built a rack-based model and ended up paying about $500 for everything, with a decent-sized SSD, which is way overkill even for what you're doing.

I've tested mine with a 1Gb GPON fiber setup (1Gb/250Mb), but I use it daily on a dual-WAN 300/20 cable and 30/5 VDSL setup (waiting another year or so until GPON FTTH is available at my new home).

I imagine the i3 setups recommended above would be the cheapest option and could be made very, very quiet. Also, if you have any parts lying around you can scrounge up, you can probably save more there.

The only real concern about building something for pfSense (over purchasing) is making sure the Ethernet is Intel if you want the most reliable driver support. But remember, even if you score a super cheap motherboard that doesn't have Intel onboard, you can easily buy a dual- or quad-port PCIe card to add to a small mini-ITX box and use those ports instead.
 

mumford

New Member
Jun 25, 2016
22
7
3
53
I have gigabit at home (900 Mbps down) and I use this MikroTik router. Fanless, with a stateful firewall. Average power usage is 16 W. MikroTik has a desktop Windows app named WinBox for configuration (it also runs on Linux using Wine). I bought it from the eBay store of an authorized dealer. eBay often has 8% - 10% cashback (eBay Bucks), and the final price is a bit below $400.

MikroTik's OS is called RouterOS and uses a Linux kernel. It has hardware encryption, but it is not optimized for multiple cores: 2 out of the 9 cores do most of the work. Customers are waiting for the next major OS release to take advantage of all the cores. It has no problem handling gigabit speed with 25 firewall rules, NAT, DNS services, and more. But I don't use VPN, so I am not sure if it can handle gigabit VPN now. It definitely will with the next OS.

RouterBoard.com : CCR1009-8G-1S-1S+PC

nitrobass24

Moderator
Dec 26, 2010
1,082
126
63
TX
Update:

I wound up buying a Supermicro C2558, re-installed Sophos and restored a backup configuration. There still seem to be some issues with throughput when using the IPS functions, though.

Results with NAT / FW / WAF / Reverse Proxy:
[speed test screenshot missing]

Results when I turn on IPS:
[speed test screenshot missing]

Seems to be limited by software, as I am not pushing the hardware when I run the test.
RAM & CPU all under 20% utilized.