Router hardware recommendation - > 1 Gbps WAN


danb35

Member
Nov 25, 2017
So I just pulled the trigger on an upgrade to my home Internet service, which will be (supposedly) 1.2 Gbps, and if I want to take full advantage of that, it looks like I'll need to upgrade my router hardware. I'm currently running pfSense on a Protectli box with 4x GbE ports, and that system's LAN port is connected to a Brocade ICX6450-48P. And I'll likely want to run either pfSense or OPNsense on the new hardware.

What I think I need is something with at least one RJ45 port of at least 2.5GbE for the WAN connection, and at least one SFP+ 10 GbE port to connect to the switch. I don't think I really need more network ports, if I want to route across local networks (which I don't have at this point, but might in the future), even if I don't want to do it in the switch, I'd expect I could use VLANs across a single physical interface for that. But the requirement for one RJ45 port at > GbE, and one SFP+ port at 10 GbE, seems to narrow down the field quite a bit.

I've found this unit on eBay that looks like it would do, though it really seems to be overkill:

But I'd be interested in any other suggestions.
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
How is your 1.2 Gbps internet delivered? I mean, how does it terminate before the router? Is it just LC fiber?
 

danb35

Member
Nov 25, 2017
That's a good question, and I'm not sure of the answer. Since it's coax to the home, I'm assuming the new modem will have a RJ45 jack for the network connection, but that's something I should ask the installation folks.
 

nickf1227

Active Member
Sep 23, 2015
I just went through a similar exercise. A new ISP in my area started offering 2Gb Fiber to the Home. Hand-off is RJ45 10 gig from an XGS-PON ONT.
I picked up this bundle Supermicro X11SSQ-L-DE05B Embedded Intel G4600 Chip plus 8GB RAM 974575260957 | eBay
And an Intel x710-da4 (a Cisco ucs branded one) for.
The whole setup cost me less than 400.

working great!

In your case you are talking about DOCSIS 3.1 with a multi-gigabit hand-off and non-symmetrical speeds. The box you linked would be way overkill. Realistically I wouldn't even buy a 10 gig network card, because on a DOCSIS network you are far better off using less than your allocation and therefore reducing bufferbloat. Trust me, I just moved from an SG 5100 and a 1gig/40mb connection, and I consistently saw better ping times if I limited it to 800mb, and I wasn't even doing fancy CoDel or PIE queuing. Cable companies just overprovision the shit out of our neighborhoods.
 

oneplane

Well-Known Member
Jul 23, 2021
Since it sounds like DOCSIS 3.x I'd say any quad core (true cores) from the last 4 years will do if it has the PCIe lanes to feed the NICs. You could get 2.5G models from the same ODM Protectli uses, or a Topton as referenced here on STH and run *sense on that. If you want some room for expansion (keep in mind VLAN-to-VLAN firewalling etc.) then getting more than a Pentium and some B3 stepping 2.5G NICs might be worth it, otherwise everything is basically overkill.

The nice thing about the modern software stacks is that they can do a lot with relatively low-end PC hardware. It's mostly when you start doing CPU-heavy things that better hardware comes into play; think Suricata etc. We have some 1G and 2Gbps connections running on X9 era boards just fine, X10 as well; at the same time, modern 4xxx series SoCs from Intel can push the same traffic with passive cooling and a form factor the size of a small desktop switch.


Well, I wrote all of that stuff but I realise you already know all of it and it's become boilerplate text :p If you have a 10Gbps DAC between your *sense box and the switch you can do inter-VLAN routing and firewalling fine, and at that point it does become a requirement to have a somewhat 'normal' PCIe slot to put a 'normal' NIC in there. One alternative might be one of the edge virtualisation / SD-WAN boxes like the Dell VEP1445. They have small models with a few SFP+ 10G ports on them. HP makes them as well but I don't know the series name they use. Someone had a bunch of open box devices on eBay below 700!

Of course, the referenced bundle in nick's post is even cheaper, adding a NIC, PSU and Case won't be that expensive and because they are relatively low-power you can swap the fan and heatsink out for something bigger so a large slow-running fan will be plenty for cooling. Doesn't even need to be a 19 inch rack case.
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
That's a good question, and I'm not sure of the answer. Since it's coax to the home, I'm assuming the new modem will have a RJ45 jack for the network connection, but that's something I should ask the installation folks.
Until you figure it out, there's no point in pre-planning the exact device and connectivity. I went from 200mbps download to 400mbps and the difference isn't life-changing. I assume that the difference between 1gig and 1.2 would be nearly non-existent in real life.
That doesn't mean you shouldn't want a faster than gig router, just slow down a bit and see what you can work with. Not every 10gig BaseT device would support Multigig 2.5/5 - far from it in fact.
 

NachoCDN

Active Member
Apr 18, 2016
maybe something like this? it's twice the price of the $99 supermicro bundle mentioned above, but it comes with 10Gb nics built in..


...on second thought.. add $65 for shipping...:(
 

Markess

Well-Known Member
May 19, 2018
Northern California
until you figure it out, no point in pre-planning the exact device and connectivity. I went from 200mbps download to 400mbps and the difference isn't life-changing. I assume that the difference between 1gig and 1.2 would be nearly non-existent in real life.
That doesn't mean you should want a faster than gig router, just slow down a bit and see what you can work with. Not every 10gig BaseT device would support Multigig 2.5/5 - far from it in fact.
I'd second this. Give the new service a try and see if you'll regularly benefit from being able to tap into that last 200 Mb. If you're doing "typical internet" stuff, you'll be surprised how difficult it is to pull 1Gb+ down for any length of time. If you need 10/multi-gig internally, or for working with servers somewhere else via VPN, that's something else of course. But, most content providers don't worry about serving up streaming/files at the speed you'll be able to consume them, so you're going to wind up waiting on the other end pretty frequently anyway.

I've had Gigabit for a couple of years now, and while my family could frequently put a strain on the next lower tier (350mbps) when they put their minds to it, they've never pushed 1Gb to the limit since we've had it.
 

danb35

Member
Nov 25, 2017
Thanks for all the feedback here. You're probably right that the most sensible course of action is to wait for the new modem to be installed, and not worry about upgrading the router unless/until I see that it's actually limiting me. I don't like that that means I'd be leaving some potential performance on the table, but it isn't likely to be a noticeable amount.

The unit I linked to is pricey, but there are a few things I like about it: (1) it should have plenty of horsepower to do anything I need to for the foreseeable future, (2) it has the network and other I/O ports on the front panel where they'd be accessible in my rack, and (3) it's proper server hardware with decent remote management tools, including HTML5 iKVM rather than the Java-based garbage Supermicro had used in the past. OTOH, by the time I get RAM and a SSD in it, I'm close to $1k if not more.

I've looked into the little 2.5 GbE units, and they seem like attractive options--compact, inexpensive, and certainly ought to be able to get the job done. The lack of remote management is unfortunate, but I've been living with that already, so it's no worse than what I've already got. My biggest concern there is getting 2.5 GbE into my switch; I understand that RJ45 SFP+ modules that will work at 2.5 Gbps with the Brocade switch are few, far between, and expensive.
 

NachoCDN

Active Member
Apr 18, 2016
In Ontario, Bell is offering 3Gb/s up and down and the router provided has a 10GbE interface (homehub 4000). So pairing that up with a 2.5Gb firewall would actually leave some headroom on the table. Granted, not a problem that most people have. The downside from the previous model (homehub 3000) is that the fibre SFP+ module is built-in vs removable on the homehub 3000.

Search for "homehub 4000 teardown" for details. I tried to post the link but it previewed and created a monster post that no-one wants.
 

zer0sum

Well-Known Member
Mar 8, 2013
Almost any x86 device you put in will do 1.2Gbps of simple NAT traffic. Even that $99 Celeron box :)

But, if you want to do proper threat prevention, then you need things like SSL inspection, IPS, deep packet inspection, etc. and you will want to think hard about exactly how much CPU you need/want.
 

oneplane

Well-Known Member
Jul 23, 2021
Almost any x86 device you put in will do 1.2Gbps of simple NAT traffic. Even that $99 Celeron box :)

But, if you want to do proper threat prevention, then you need things like SSL inspection, IPS, deep packet inspection, etc. and you will want to think hard about exactly how much CPU you need/want.
Yep. But thinking needs to happen on both ends: your threat model might simply be "close inbound traffic, use ET lists to block outbound traffic, filter DNS". That doesn't take a lot of CPU cycles to do. Most of the resource eating happens with packet inspection where the payload is decoded (or even completely reconstructed for multiple packets) and multiple filters (including heuristics, pattern matching and fancy machine learning) are passed over the contents before it is allowed or denied. This is mostly useful for always-on systems like servers and some IoT.

So: think about the threat model, then think about the matching controls to do something about it, so a bit of context can be created to spec out the right hardware. But for a home that might be overkill, and just going for "i5-like performance" is a relatively easy sweet spot to hit.
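The low-CPU control described in the post above ("use ET lists to block outbound traffic") comes down to loading a published IP blocklist into a firewall table and dropping egress to it. The Python below is an added example written for this thread; it is not code from pfSense, OPNsense or the Emerging Threats project. The blocklist text is constructed from documentation-only address ranges, and the table name et_block and the egress interface em0 are assumptions chosen for the illustration.

```python
"""Load an Emerging-Threats-style IP blocklist (one IP or CIDR per line,
'#' comments), collapse it into a minimal set of networks, and check
destinations against it.  Added example for the STH thread; constructed data."""
import ipaddress

# Constructed sample in the one-entry-per-line, '#'-comment layout that
# ET-style blocklists use.  Only RFC 5737 / RFC 3849 documentation ranges
# appear here; none of these are real indicators.
SAMPLE_BLOCKLIST = """\
# Rev 12345  (constructed header line)
# Sample blocklist -- documentation ranges only
203.0.113.0/24
203.0.113.77          # already covered by the /24 above
198.51.100.42
198.51.100.0/25
2001:db8:bad::/48
not-an-address        # malformed line, must be skipped, not fatal
"""


def parse_blocklist(text):
    """Return a minimal, sorted list of ip_network objects covering every
    valid entry.  Comments and blank lines are ignored; malformed entries
    are skipped rather than aborting, so one bad line cannot leave the
    firewall running with an empty table after a list refresh."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    # collapse_addresses() only accepts one address family at a time; it
    # drops entries already contained in a broader prefix.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def is_blocked(dst, nets):
    """True if destination address `dst` falls inside any listed network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in nets if n.version == addr.version)


def to_pf_table(nets, name="et_block", egress_if="em0"):
    """Render the collapsed list as a pf(4) persistent table plus a single
    outbound block rule that references it.  Table name and interface are
    assumptions for the example, not values from the thread."""
    entries = ", ".join(str(n) for n in nets)
    return "\n".join(
        [
            f"table <{name}> persist {{ {entries} }}",
            f"block drop out quick log on {egress_if} to <{name}>",
        ]
    )


if __name__ == "__main__":
    table = parse_blocklist(SAMPLE_BLOCKLIST)
    print(to_pf_table(table))
    for probe in ("203.0.113.5", "198.51.100.200", "2001:db8:bad::1"):
        print(probe, "blocked" if is_blocked(probe, table) else "allowed")
```

The collapse step matters operationally: a refreshed list that contains both a /24 and hosts inside it would otherwise grow the table with redundant entries, and skipping malformed lines instead of raising keeps a partially corrupt download from silently disabling the egress filter.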
 

aero

Active Member
Apr 27, 2016
@danb35 Is this Comcast Xfinity service by any chance? They, along with other cable providers, support up to 1.2 Gbps overprovisioned DOCSIS 3.1 service. Most likely they will provide a modem with a 2.5GE RJ45 handoff; however, there are also modems that provide 2x 1GE ports you can configure in a LAG.

I have this service, but have not been interested in upgrading equipment to support 2.5GE or LAGs due to cost for +200Mbps that is rarely achieved anyway.

I was contemplating a Ubiquiti Dream Machine Pro with a 10Gbase-T sfp+ adapter capable of negotiating at 2.5GE.
 

oneplane

Well-Known Member
Jul 23, 2021
@aero I have been bitten by Ubiquiti Dream Machine Pro software more than is worth my time. The hardware is technically great but even simple things like DNS overrides per subnet or outbound NAT redirection aren't possible.
 

Markess

Well-Known Member
May 19, 2018
Northern California
Edit: looks like @zer0sum & @oneplane got there ahead of me on some of this while I was typing a novel! :p

The unit I linked to is pricey, but there are a few things I like about it: (1) it should have plenty of horsepower to do anything I need to for the foreseeable future, (2) it has the network and other I/O ports on the front panel where they'd be accessible in my rack, and (3) it's proper server hardware with decent remote management tools, including HTML5 iKVM rather than the Java-based garbage Supermicro had used in the past. OTOH, by the time I get RAM and a SSD in it, I'm close to $1k if not more.
I just spent a month wringing my hands over what to do in my own situation. Here are some thoughts on what I discovered:

1. Horsepower: I've got an Atom C3558 in my pfSense box, and if I try really, really hard in testing, I can get it to ~15% CPU and memory while mostly maxing out my 1Gb connection. Netgate uses that same CPU in their small/mid-sized business oriented appliances, so it's way overpowered for my home use on 1Gb. What you linked to has almost three times that performance! Of course, if you plan on using the pfSense box for switching, or IPS, etc. (I'm using none of these), it will require more. But that's still a lot of power.

2. If you like rack mount with front mounted ports, but want the freedom to design your own system, the chassis is sold separately. SC505-* in this case. SC503 also has front mounted ports, there may be others 1U Chassis | Chassis | Products - Super Micro Computer, Inc.

I've looked into the little 2.5 GbE units, and they seem like attractive options--compact, inexpensive, and certainly ought to be able to get the job done. The lack of remote management is unfortunate, but I've been living with that already, so it's no worse than what I've already got
Other than the initial BIOS/UEFI configuration and OS installation, how much use would you get out of IPMI other than restarting if the unit becomes unresponsive? Even if you don't use the web GUI, you can manage via a terminal and SSH, without the need for an HTML5 console, right? Aside from the extra cost, I think the small boxes exclude IPMI because of limited utility, and it makes passive cooling much harder if you add an extra "always on" ~5W to a box that draws only ~15-20W even when it's working hard.

Really asking here, as I happen to have IPMI on my current solution and I just don't see a lot of use for it.
 

oneplane

Well-Known Member
Jul 23, 2021
@Markess indeed, IPMI/Redfish etc. are mostly not as useful as it sounds due to the nature of network applications. If it's offline, it's gonna get a reboot as that'll either fix it or it's broken beyond interactive repair and you can either replace the hardware or reinstall the software and re-import the configuration (that's why automatic off-device configuration backups are important).

There is one specific situation where IPMI has been useful for me: in a dual-WAN, dual-firewall setup where there was a CARP failover because one of the units became unresponsive during a WAN failover. SSH into the other firewall over the remaining WAN, start a port forward to the IPMI box and find out what's up. (Turned out to be a kernel panic, and for some reason the watchdog timer didn't trip to reset it.)

I also find myself writing novels in forum posts, I guess it's an STH thing :D
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
IPMI is for when you're too lazy to walk down to the basement and connect a keyboard and monitor :)
The alternative would be getting (often available for free to IT guys during server room changes/moves) a switched PDU, like APC AP7900B.
I won't pay any more than $50 for such a device, but even used eBay prices are too crazy. With this, you could remotely reboot the modem/router separately or together without going down to the basement. Source: this is what I do :)
 