advice about pfsense/opnsense hardware: H87N-wifi

awediohead

Occasional Visitor
I'm a noob to DIY networking and routers - beyond having installed Asuswrt-merlin in my RT-AC86U a few years ago, I haven't really been able to mess about and experiment with it because my S.O. is very reliant on a reliable internet connection for communication and study as she's housebound with a disability.

So my idea was to use an old ITX Haswell-era board to install pfSense or OPNsense on, just to learn and become a bit more familiar initially. Hopefully the eventual end result will be better internet and home network connection reliability, rather than less, but that might take a while! I love learning but my old brain doesn't work as well as it used to these days!

The board is an H87N-Wifi from Gigabyte with a 4670T (45W) CPU installed. It has two ethernet ports, one Intel and one Atheros GbE LAN chip, but I also have an Intel PCIe card with four gigabit ports on it.

I bought the PCIe card off eBay a couple of years ago having watched a few SpaceInvaderOne videos about pfSense on YT. Ed does excellent unRAID server tutorials. Just a few weeks after I got the card we had to move house so everything's been on hold since.

The new house is a disability adapted bungalow which has one coax and one telephone line socket in four of the rooms all of which are unused. I'm eventually planning on replacing these with two ethernet sockets so each of the four rooms has wired internet/home network connectivity with a second wired network exclusively for Audio over IP. My wife's an exceptionally talented musician and I'm trying to set things up to make doing recordings as quick and simple as possible.

So my questions are:

1) Should I only use the PCIe card and turn off the onboard NICs in BIOS or only turn off the Atheros port in BIOS so as to have 5 x Intel based ports? i.e. is the onboard Intel port/chip likely to mess things up or make things unnecessarily complicated? Or should I play around with having them all enabled?

2) I've read/seen videos where people are talking about having a dedicated port for management - hence the first question, combined with wanting to use what I have of course.

3) The board also has a wifi card - is this likely to be of any use or should I just turn it off or remove it? I'm imagining that when this hardware is (eventually) doing router duties then I'll be using my current RT-AC86U and RT-AC68U (currently master and node mesh) just as wireless APs.

4) The CPU and the 16GB (2 x 8) of RAM currently installed are probably overkill for pfSense but does it actually make sense in terms of power efficiency to remove a stick of RAM? It'll only be running at JEDEC as I'm pretty sure there's no point running XMP profiles. I also probably have a 4th gen i3 CPU somewhere that would draw less power, but I've not yet checked whether it'll do AES-NI and I'm not clear on the difference in power consumption between a more power hungry CPU doing less and a lower power CPU being pushed hard?

Any pointers and advice gratefully received :)
 
Wow. That's a lot to digest.

More ports are good for redundancy and LAG together for bandwidth between it and the switch.

WiFi in the router is not needed but, it can be good for diagnostics.

I run Ubuntu as my network OS on my setup as it's easier for me to deal with. HW compatibility is about 100% with Debian-based OS options which would rule out pfSense as it's bad.

If you go homebrew with Ubuntu you could run hostapd and turn the WiFi into an AP for additional coverage.

I would consider for the music/audio side maybe putting it into its own vlan if you want to dedicate or isolate that traffic.

As to the Asus devices. I would sell them and get a couple of APs instead as they perform better for coverage. But, it depends on your budget and goals.
 
I'm a noob to DIY networking and routers

Instead of sharing your plans with us, start with what you need first.

- what speed Internet line do you have?
- what speed internal network is needed?
- what storage is needed as speed and capacity?
- how many clients are wired and what speed network controllers they have?
- how many clients are wireless?
- was one home router enough for Wi-Fi coverage?

Only then can we discuss routers, switches, storage servers and access points. So far you're only looking for trouble.
 
Wow. That's a lot to digest.
Sorry!
More ports are good for redundancy and LAG together for bandwidth between it and the switch.
This is where I've picked up little snippets that contradict each other - what you're saying about redundancy makes perfect sense, while someone else basically said to avoid anything that wasn't Intel, hence my question about the Atheros based NIC on the motherboard. Maybe that applies more to the specific context of the comment which was about pfSense rather than a Linux based router OS?

I currently don't see a need to LAG ports together - at least not for "phase 1" of just getting things working since wired gigabit should be more than adequate for now. Certainly for audio over IP gigabit is more than I'll ever conceivably need with 64 concurrent recording channels possible, when I'm very unlikely to use more than 16!
WiFi in the router is not needed but, it can be good for diagnostics.

I run Ubuntu as my network OS on my setup as it's easier for me to deal with. HW compatibility is about 100% with Debian-based OS options which would rule out pfSense as it's bad.

If you go homebrew with Ubuntu you could run hostapd and turn the WiFi into an AP for additional coverage.
That's interesting. I doubt I have the CLI chops to do a good job of using Debian/Ubuntu, though OpenWRT is something I'll definitely play with and should have mentioned in my OP.
I would consider for the music/audio side maybe putting it into its own vlan if you want to dedicate or isolate that traffic.
That's the plan - I have a 16 port managed switch from Netgear a friend sold me cheap which should enable me to create a separate VLAN for the audio network. At this stage it's still in its box!
As to the Asus devices. I would sell them and get a couple of APs instead as they perform better for coverage. But, it depends on your budget and goals.
If I can crowbar one of the routers into working for a while in AP mode that'd be good for the wallet. However once the ethernet cabling is installed and because all the cable runs will terminate to a patch panel that's centrally located in the house I think just the RT-AC86U will provide good enough wifi coverage. At the moment I've had to position it poorly at one end of the house - hence the Asus AIMesh. That said I take your point about replacing with a proper AP in future when possible.

Thank you for taking the time to reply!

Instead of sharing your plans with us, start with what you need first.

- what speed Internet line do you have?
- what speed internal network is needed?
- what storage is needed as speed and capacity?
- how many clients are wired and what speed network controllers they have?
- how many clients are wireless?
- was one home router enough for Wi-Fi coverage?

Only then can we discuss routers, switches, storage servers and access points. So far you're only looking for trouble.
Thank you Tech9
- what speed Internet line do you have?
Basic UK "fast broadband" which is VDSL and 80 down, 20 up on a good day - not great but perfectly adequate for my small family.
- what speed internal network is needed?
Gigabit is fine for now and all that's affordable anyway since I already have a 16 port switch and patch panel and I'm definitely not buying more.

Re your other questions I think you may have missed the point that I'm throwing together some hardware from old parts I have lying around (and would otherwise probably sell for pennies) primarily to PLAY and learn with. This will happen in parallel with my installing ethernet cables to four rooms and connecting them up to my existing RT-AC86U via the patch panel and switch. At some point, if I've learned enough to feel confident, I'll swap out the Asus router for my DIY one. And if it goes pear shaped, I'll just swap it back.

None of this has anything to do with my desktop computers, phones, tablets and laptops, or my servers, which I didn't ask for advice about. I'm a 'noob' in the sense that I've only ever used routers from the likes of Asus, Netgear etc. I've been running ethernet cable around houses and building PCs for a long time now :)

Thanks anyway :)
 
contradict each other
This is mostly due to the OS under the hood. BSD is temperamental and doesn't like to share its toys in the sandbox. (pfSense)

Atheros based NIC
Now, if you're talking WiFi this is actually an advantage for setting up hostapd. I ran an Atheros setup for an internal card with the intent of using it as an AP for several years. There are some funny things that happen with different hardware in different OS flavors. Like I can trick an Intel card into being an AP w/ 5 GHz but, it's not great compared to using a different chip card like Qualcomm.

CLI chops
A little trick I use is to open the files from the server in Notepad++, edit, save, and close. Then just reload the service with the new data. This can also be done with SCP but, I like N++ a bit more. Realistically though you could use nano for a terminal based experience as well. It's just easier for some things to perform them in N++ vs pasting them into the terminal. Being able to double check the FW rules for syntax before locking yourself out and needing to hook up a monitor / keyboard to the system to fix it.

----------------------------

It does seem you've put in the thought behind converting to this sort of setup and it does pay dividends. Planning is key though to success. The nice thing about either option is if one doesn't work you have at least 2 other options to test with. The "sense" options give GUIs but, realistically you can add GUI options for browser admin duties in basic Linux as well. If you have it set up as a workstation and not just a box hiding somewhere it's fairly easy to navigate these days. I just find it easier to use CLI through SSH.

When I originally set up my gear I had a couple of quad port gig cards to connect things to instead of dealing with a switch as my plan was to consolidate things into a single box from the beginning. As I evolved things though I'm down to a single 4-port 5GE card of which 2 are bundled to the ISP device for WAN and 1 is to the AP which is 2.5GE. Leaves a spare port for the laptop to connect to if I need to grab / copy large data at 5GE speeds which is more than the RAID of disks can push anyway but, still over 400MB/s when needed.

I would still do an internal Atheros as an AP if AX cards were easier to get ahold of. Now that BE cards should be coming soon w/ double the bandwidth ~3 Gbps I'll just wait it out. 6/6E is working fine through the AP w/ 1.5 Gbps speeds.

2 drops per room is a good idea though as it's a pain to deal with in the first place and redundancy is always good.

I'll swap out the Asus router for my DIY one. And if it goes pear shaped, I'll just swap it back.
It will and you'll do some troubleshooting. Rarely do these go off w/o a hitch the first time. Well, I suppose they might if you leave everything w/ default settings. Once you have it working though it's a good feeling knowing you won't get pushed bad firmware ever again. That's the biggest issue with consumer gear these days. Fixing one thing and breaking other things in the process.
 
My thought is your LAN should be faster than your internet or you are wasting paid bandwidth. I see no reason to allocate a separate LAN port for wireless. Wireless is slower than wire but use a switch to handle it, so plug your wireless into a switch. The best solution is an L3 switch, but it is difficult to set up L3 on a switch. I think an L2 switch is better than another port in your pfSense. Use a LAGG port for your LAN if you really need it; most people don't.
 
