Gigabit NAT router suggestion


TheCodeLife

I'm not really sure if this is the right place to post this, but I appreciate any advice anyone may have. I'm helping a private school in the US that has approx. 300 students with a tight budget get ready for the coming semester and they need to offer remote participation to any students who are more comfortable staying home due to COVID-19. In light of this, I'll be installing 25 cameras in the classrooms and students who are at home will be able to remotely participate with the rest of the class. In addition, there will be classes of about 20-30 students in the building at any given time who will need to simultaneously watch videos on the internet throughout the day as part of their coursework.

The school currently has a Meraki Security Appliance (MX84) which allows 320Mbps throughput with security features enabled. FIOS will be installed this month with a 1Gbps pipeline to the school. Due to the increase in video bandwidth, I'm concerned that the 320Mbps limit imposed by the router will be inadequate. Since the school has a very tight budget, I am looking for a new router (hopefully not Meraki) that will support Gigabit throughput with NAT. I need the router to properly support VLAN tagging. I've been considering Ubiquiti gear, but I am hesitant to go that route since I'm finding very little information regarding how well they work in a school/business environment. I've been pretty impressed with Ruckus switches, but I have never used any of their routing equipment. Can anyone provide a recommendation for a reliable, NAT-capable router with gigabit throughput? The school would be quite happy to go through eBay if we can get a good deal on used enterprise gear that would fit the bill. Ideally, this would not need to be licensed. I'm hoping to keep the price under $400.
 

RTM

1G throughput is not that much, so unless you have very strict requirements to buy something "enterpris-y" like Cisco/Juniper/etc., I would get (or maybe find?) some hardware that is based on an Intel or AMD CPU and install pfSense on it, adding a 4 port gigabit NIC as needed (steer clear of knock-offs from China).

There are of course loads of options on eBay, like the one discussed in this thread:

Currently HP's thin client series is rather popular here (though I do not have first-hand experience with them myself) in the form of the HP T730 and HP T620 Plus. These models are very affordable on eBay, perform well and have a PCIe slot where you can install an additional NIC.

Another option might be Netgate's (the company behind pfSense) SG-3100.
 

TheCodeLife

Thank you for the suggestions!

I'm really liking the SG-3100 suggestion and the Supermicro server suggestion. Performance-wise, do either of you expect the Supermicro server to outperform the SG-3100 long-term? I'm thinking the price would be very similar for both of these when everything is done.

Also, if I purchase the Supermicro server, would a flash drive be adequate for running the OS or would it be better to purchase a hard drive or two?
 

RTM

The Supermicro server should be much faster than the SG-3100, so if a platform like that works for you, I'd say go with that over the SG-3100.
Keep in mind that the listing is a little unclear as to whether you need to add a CPU and RAM, but as far as I know it is a great seller, so if you ask I am sure they can supply you with the needed hardware. In fact, I just searched their shop on eBay, and here is a listing that should have CPU and RAM:

In terms of storage, you should get an SSD for it, though rotating disks will also work (at least software-wise).
pfSense no longer supports/recommends that you install it on a USB key.

You may want to consider using SATADOMs. I am not sure the board supports them (though I suspect it does), but if it does, it would be a fairly simple solution for storage.

Whether you should go with one or two disks all depends on your budget. pfSense does support a dual disk mode (though I forgot if it is a RAID-1) for redundancy.
 

Vesalius

pfSense will set up a ZFS mirror with 2 drives for redundancy from the installer. Don't think it does other flavors of RAID, at least transparently from the installer. Big community to help with pfSense and you can pretty much get YouTube walkthroughs from pros on everything you would want to do. Would also second an SSD.
 

BoredSysadmin

Rolling your own pfSense will of course be very economical in terms of materials, but will it be worth it in the long term in terms of your time spent? I'm not so sure. Will it get timely security updates, will it scan files/sites for malware?
My suggestion is to skip rolling your own and go with a proven security vendor like Sophos; specifically, the XG135 model will not limit your usable bandwidth even with security features enabled.
 

Scarlet

Beware of the idle power consumption of the Supermicro X10SLH-LN6TF; be sure to read through the linked thread. The board idles at about 80W (with dual 10Gbit controllers eating 15+ watts each). The SG-3100, on the other hand, idles at 5W (see spec sheet).
 

TheCodeLife

Thanks all for the suggestions! For the school, I don't believe power consumption is an issue due to the way billing works. I like the Sophos idea, but the price is too high for their budget, at least for now. I'm aware that time-wise, pfSense may be more time-consuming, but the school doesn't have much choice at the moment.
 

Vesalius

Tom Lawrence from Lawrence Systems has a great playlist of YouTube tutorials on pfSense, pfBlocker and more. Recommend his videos if you need any help.

 

chicken-of-the-cave

> You may want to consider using SATADOM's, I am not sure the board supports it (though I suspect it does), but if it does, it would be a fairly simple solution for storage.

SATADOMs are convenient and very space-conscious, but they are not performance beasts in any way. I had a few fail, which I noticed through very slow performance over time, without any prior indication that the DOMs needed to be replaced.
For a firewall platform like pfSense, where there will be the occasional log / flow statistics read/write to the disk, it should be okay.

Based on my experience, I would avoid running an OS on this long term.
For any non-production use cases, go nuts.
 

coxhaus

I ran pfSense with a layer 3 switch for over a year and it was rock solid. The problem was I spent too much time patching pfSense and they would break stuff. So you also needed to test all the patches. They also prefer you to run layer 2 so pfSense can be in charge, and when using an L3 switch they talk down to you on their forums. With one of the patches, web page response got very slow. Speedtest was still fast. So I dumped pfSense and went back to a router. They may have fixed it now but I got tired of it all.