Understanding Router on a Stick

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

RobertFontaine

Active Member
Dec 17, 2015
663
148
43
57
Winterpeg, Canuckistan
Naive question time,

I've been trying to wrap my head around the various configurations - pros/cons.

I have an 24 port layer 2 switch and have been slowly working my way towards a pfsense router with default, DMZ, home, work, lab vlans.

Actual bandwidth from the wan is ~150Mbits and the lan is gigabit.

What are the pros/cons of configuring my firewall/router on a stick?
- Is the risk one of MAC Spoofing?
- Bandwidth bottlenecking?

As I understand it my switch handles ethernet traffic within vlans by MAC address,
The router moves traffic between vlans at layer 3 by IP address.

In my home environment I have the ability to plug everything I run into a single switch and it can currently handle all the bandwidth I am sending it a daily basis.

I've been looking at a little J1900 to serve as pfsense router or a use i5 sff box for half the price and twice the watts. I haven't been able to decide why I would choose a multi-nic router over a single nic router.


Thanks
Robert
 

mstone

Active Member
Mar 11, 2015
505
118
43
46
What are the pros/cons of configuring my firewall/router on a stick?
1) if you have multiple internal networks, it will bottleneck
2) it will fail open if someone fumble-fingers the config or (on many soho switches) while the switch is resetting. the real impact of this is probably limited as the internal devices won't readily route to the internet, but it's ugly
3) it leaves the switch open to attacks from the outside. again, in practice this is of limited impact because the switch is probably using a non-routable IP, but it's still ugly.
4) if you're on an ISP topology that provides a WAN that lets you see your neighbors, the last couple of points are more compelling, but your neighbors probably don't know how to exploit this. :)

So mostly it's a matter of aesthetics, but the quality most switch firmware is so bad I'd rather not put it on the public internet if it's pretty easy to buy another NIC and avoid the issue.