Router for upgrade to 10 Gigabit WAN at home


Gagarin0461

New Member
Dec 28, 2020
4
1
3
I'll be upgrading my home internet connection to 10 Gigabit fiber in March. Because of this, I'll need to upgrade my router from a Mikrotik RB4011, since it only has a single SFP+ port, and I need 2x SFP+ for WAN and LAN. I've been looking at the MikroTik CCR2004-1G-12S+2XS, but I'm open to any solution, be it ready-made or DIY, as long as it's energy efficient and affordable. By affordable I mean cheaper than the MikroTik CCR2004-1G-12S+2XS but with similar performance, or the same price as the MikroTik CCR2004-1G-12S+2XS but with better performance.

My requirements are:
  • 10 Gigabit SFP+ ports for WAN and LAN
  • enough throughput for a 10 Gigabit LAN with a 10 Gigabit WAN uplink
  • hardware accelerated encryption for WireGuard
  • energy efficient
  • affordable (budget is ~$500)
Other niceties I'd like to have if possible:
  • ECC memory (if it's worth it for a router, not sure)
  • passively cooled and/or silent
Thank you in advance, I really appreciate anyone taking their time to help me out.
 

Tom5051
You will likely need more budget.
 

Stephan
A $500 budget is tough. Does it have to be a ready-to-run appliance, or are you comfortable with iptables and a self-installed Linux?

For the latter I'd say buy a used Intel E3 Xeon from the Skylake generation onward. The CPU usually has 2 RAM channels, so 2x8 GB = 16 GB ECC RAM to max out performance. 16 GB should be enough for any router. I hate bit errors in RAM, so I always go for ECC. A Noctua 120 or 140mm cooler will be silent.

If you get a board like the Supermicro X11SAT (https://www.servethehome.com/supermicro-x11sat-f-workstation-motherboard-review/) then that can idle at 37 watts, as the article explains. Or even less: you might want a variant of the C236 Intel 1151 boards without the -F (no AST IPMI, 3-5 watts less) and an E3 with internal graphics so you don't need a separate GPU. The X11SAT has Thunderbolt and a PLX PCIe expander, pretty much useless for your use case and only drawing power (2-3 watts less still). I am using that X11SAT board without -F, and Intel AMT KVM with Mesh Commander works nicely; it does not need any external KVM etc. for maintenance work.

For networking, an Intel X520 SFP+ PCIe card has two SFP+ ports, is cheap, and is compatible should you investigate pfSense or similar. Any such card will need a bit of airflow, so an 800rpm 120mm/140mm internal fan blowing right at that chip and over the entire motherboard might make sense.

Hardware acceleration for WireGuard will be impossible, because it uses ChaCha20 for encryption and Poly1305 for authentication. No current CPU supports this directly. So I recommend Skylake because it has fast single-thread speed with SSE+AVX, and that will help WireGuard's crypto. My Kaby Lake E3 will do 1.2 GByte/s chacha20+poly1305 with "openssl speed -evp chacha20-poly1305" as soon as the packet size is 256 bytes or larger. WireGuard will be similarly fast; it is well designed.

If you go below 65W TDP CPUs I suspect WireGuard performance will suffer. You really need a cooled SFP+ card for 10GBit/s, so if you go for one of those 1 liter tiny boxes, make sure you are not cooking the SFP+ card.

A quality PSU from BeQuiet or Corsair might pay off. I rarely see one die, every 10 years I guess. Both are quiet and efficient, unless you try to power a 40 watt idle computer with a 1500 watt monster PSU. That will not be possible efficiently. You probably want the lowest possible PSU, like 300 watt, to get above 80% efficiency.
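A check for the throughput point above, added here as an example and not part of Stephan's post or of any project: it parses the table that `openssl speed -evp chacha20-poly1305` prints (the column layout assumed here is the one OpenSSL 1.1/3.x produces, with rates in thousands of bytes per second; the numbers embedded below are constructed, not a measurement) and reports, per block size, whether the single-core ChaCha20-Poly1305 rate reaches the 1.25 GB/s that a saturated 10 Gbit/s link needs. Pass `--live` to run the real benchmark on the machine at hand instead of the sample.

```shell
#!/bin/sh
# Added example: is this CPU's ChaCha20-Poly1305 rate enough for a 10 Gbit/s WireGuard link?
# openssl speed reports "1000s of bytes per second"; 10 Gbit/s of payload is 1,250,000 of those.
# Caveat: this is raw cipher throughput on one core, not WireGuard packet throughput
# (framing, routing and the per-packet cost at small sizes all take their toll).
LINE_RATE_10G_KB=1250000

# Constructed sample of the openssl output format (NOT a real measurement).
SAMPLE_SPEED_OUTPUT="$(cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
ChaCha20-Poly1305   300000.00k   700000.00k  1250000.00k  1400000.00k  1450000.00k  1460000.00k
EOF
)"

# parse_speed OUTPUT BLOCKSIZE: print the kB/s figure for that block size (empty if absent).
# The header reads "16 bytes 64 bytes ...", so size N sits in header field i and its
# value in result field i/2 + 1. Cipher name is lower-cased: 1.1.1 and 3.x print it differently.
parse_speed() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "type" { for (i = 2; i <= NF; i += 2) if ($i == want) col = i / 2 + 1; next }
    tolower($1) == "chacha20-poly1305" && col { v = $col; sub(/k$/, "", v); printf "%d\n", v; exit }
  '
}

# kb_to_gbit KB: openssl "1000s of bytes/s" -> Gbit/s with two decimals.
kb_to_gbit() {
  awk -v k="$1" 'BEGIN { printf "%.2f\n", k * 8 / 1000000 }'
}

# sustains_10g KB: succeed when the rate covers a saturated 10 Gbit/s link.
sustains_10g() {
  [ "$1" -ge "$LINE_RATE_10G_KB" ]
}

# report OUTPUT: one verdict line per block size found in the table.
report() {
  for sz in 16 64 256 1024 8192 16384; do
    k=$(parse_speed "$1" "$sz")
    [ -n "$k" ] || continue
    if sustains_10g "$k"; then verdict="ok for 10G"; else verdict="below 10G"; fi
    printf '%6s-byte blocks: %6s Gbit/s  (%s)\n' "$sz" "$(kb_to_gbit "$k")" "$verdict"
  done
}

# --live runs the real benchmark (about 20 s); the default uses the constructed sample.
if [ "${1:-}" = "--live" ] && command -v openssl >/dev/null 2>&1; then
  report "$(openssl speed -evp chacha20-poly1305 2>/dev/null)"
else
  report "$SAMPLE_SPEED_OUTPUT"
fi
```

With the sample, 16- and 64-byte blocks fall short and 256 bytes and up clear the bar, which mirrors the "256 bytes or larger" observation; on a real box the small-block rows are the ones to watch, since a WAN carrying lots of small packets spends its time there.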
 

t4thfavor
> 500 budget is tough. Does it have to be an appliance ready-to-run, or are you comfortable with iptables and a self-installed Linux?
> ...

Instead of self-installed Linux and iptables, pfSense is an option in the whitebox territory as well. I have been using it for the past 15 or so years without any trouble. Hardware will be the most important thing to even get close to 10Gbps.

Just thought I'd throw in my $.02
 

RobstarUSA
OPNsense is good as well. I also have been wanting to try out FRR. Might be worth looking into those if you DIY.
 

BoredSysadmin
> Instead of self installed Linux and IPTables, pfSense is an option in the whitebox territory as well. I am using it for the past 15 or so years without any trouble. Hardware will be most important thing to even get close to 10Gbps.
>
> Just thought I'd throw in my $.02

You're probably going to get better performance on lesser hardware (i.e. more energy efficient) on TNSR (than with any BSD-based Sense forks), which is free now for home/lab usage. It doesn't support WireGuard yet, but you still could get very fast IPsec (especially on CPUs with QAT, like the D-2145NT).
 

t4thfavor
> You probably going to get better performance on lesser hardware on TNSR (than with any BSD-based Sense forks ), which is free now for home/lab usage. It doesn't support WireGuard yet, but you still could get very fast IPSec (especially on CPUs with QAT)

From what I understand WireGuard is merged into the mainline for pfSense, but TNSR is definitely a better choice for high performance.
 

markonen
The MikroTik will work and route packets at 10G, but it doesn't have WireGuard yet. (The feature is being introduced in RouterOS 7, but that's not ready for use and nobody knows when that's going to change).

I have 10G WAN at home and use a Ubiquiti Dream Machine Pro. My speed tests top out at about 4Gbps.
 

t4thfavor
> The MikroTik will work and route packets at 10G, but it doesn't have WireGuard yet. (The feature is being introduced in RouterOS 7, but that's not ready for use and nobody knows when that's going to change).
>
> I have 10G WAN at home and use a Ubiquiti Dream Machine Pro. My speed tests top out at about 4Gbps.

What is the number of active users? If you have many, you could try to set up dual gateways, send half of them to each gateway, and maybe improve your max throughput instead of relying on single-stream performance? I would assume (I have to, since I live in the stone age) that a 10 Gbps WAN would supply more than one routable IP address?
 

BoredSysadmin
> I have 10G WAN at home.

I deeply envy you. I work for financial companies in NY with many dozens to hundreds of billions in AUM, and have yet to see a single 10 Gig WAN pipe. 10 Gig metro P2P is more common now, but 10 Gig DIA I haven't seen yet.
 

markonen
@t4thfavor I think ultimately having a bog-standard home internet setup is more important to me than the delta between 4Gbps and 10Gbps (I know, blasphemy!). My Mac is the only device here with a 10G interface, so nobody else can even theoretically notice the speed. And between the Samsung Smart TVs and Xboxes and whatnot, I feel most comfortable with a simple NAT + UPnP approach: it's what all these devices were designed for.

@BoredSysadmin I know 10G DIA is starting to become a thing in various markets, but it's not yet here either. What I have at home is a mile of leased dark fiber to a network PoP I'm running anyway. So the marginal cost of the home connection is just the fiber lease, and the local incumbent telco is, due to their market share, obligated to offer that at a regulated price (~$100/mo).
 

Stephan
I am a bit miffed and still deciding on why exactly.

But someone remind me, before I help anyone here again (whom I don't know from the earlier days of this now bubbling forum), that I should google the words of the original post to find out if the poster has taken the liberty of spraying his request for ideas verbatim to a bunch of other sites, and then not even replying to anything, as if others' time weren't worth a damn.

I'd rather stare a hole into the ceiling for the 20 minutes it takes to formulate a thoughtful reply than waste my time on random non-STH-ers.