Dream Machine Pro or pfsense

ehiggins

New Around Here
Hello

I'm currently building a new house. I will have gig up and down internet service in the house. The house is two stories and 2800 square feet. I have three Cat 6 ceiling drops and then a few more Cat 6 wall panels.

My current router is the Asus AC86U. I also have an 8-port PoE+ switch.

Due to the size of the house, and all ethernet cables being located in the basement, I'm looking to move to dedicated access points.

I'm considering the following options:

Ubiquiti Dream Machine Pro, my switch, then 3 NanoHD access points. I like that Ubiquiti also has in-wall if I need additional coverage.

Netgate SG-3100 is my other option. If I go this route, I'm leaning towards 3 TP-Link EAP245 v3 and TP-Link's associated controller. I'm told the controller facilitates roaming. The EAP225 was reviewed by SNB and it scored excellent.

The final option is to keep the Asus, turn the radios off, and have it route for 3 APs. This is the cheapest option. I don't know if it has the throughput for firewall and gig service.

The network will have approximately 20 devices hooked up.

I'm looking for feedback on the different setups.
 
UDM-Pro is not ready for prime time. You can verify that by reading all the issues on the Ubiquiti forum. Go with the pfSense.
 
If you have a "retired" PC collecting dust somewhere, it would probably be more than enough to run/start playing with pfSense for free. If you're not already familiar with pfSense, it could also be an idea to check out OPNsense, which someone claims to be a bit more intuitive and which would also run fine on a retired PC with 2 or more NICs. This way you could test out both options and make up your own mind for free, at least until you have decided which solution is right for you, and then eventually buy some specialized hardware if you still feel it necessary.
 
Netgate SG-3100 is my other option. If I go this route, I'm leaning towards 3 TP-Link EAP245 v3 and TP-Link's associated controller.

I use an Omada setup at the moment, just with a different pfSense box. The WiFi performance is excellent for the price. The software is not as nice looking as UniFi, but stable and functional. You're not going to "work" much with this software anyway. The OC200 takes care of roaming and offers some extra configuration settings not available in the APs page. Bandwidth, usage, clients, etc. are all there, plus a map of your place with AP coverage and other fancy looking stuff, not really needed.

This is what it looks like from OC200 https://emulator.tp-link.com/oc200/index.html#statistics
 
True, UDM-PRO isn't quite production-ready (probably won't be until later this summer at UI's typical pace/quality of development), so pfSense for the gateway plus whatever switching and centralized wireless floats your boat.

For the gateway: Netgate appliance, SFF PC with a multi-NIC card or an embedded appliance off Amazon would all work.

For wireless, you could still do UniFi, even one of their switches if you want to converge control planes. Otherwise, Omada has the same Qualcomm SoCs in their EAPs for lower cost. Software isn't as slick or mature, nor do they have integrated switching, but baseline functionality is there and link-layer quality is at least as good as most corresponding UAPs, if not better in some instances.
 
Thank you for the responses.

I'll try to get a dual-NIC card and put it in an old PC. I'll try out pfSense at my current house just to make sure I'm not in too deep.

I'm judging by the replies that keeping the Asus for routing is a worse option than pfSense.
 
Rather than spend like $300-400 on the ARMv9 based SG-3100, you may be better off spending $200-300 on a more powerful Intel based Qotom or similar box which is upgradable, and install pfSense/OPNsense yourself, because if you use something like the pfBlockerNG package with Top Level Domain blocking enabled, it can use quite a bit of RAM depending on list sizes.
 
I'm judging by the replies that keeping the Asus for routing is a worse option than pfSense.

It depends...

I don't have any experience with your particular router (AC86U), but I know that if you plan to use Asus's built-in AiProtection etc., my AX88U maxes out at around 600-700MBit with AiProtection etc. enabled...

If you want those security features enabled, I don't think your router will be able to use all your bandwidth. If you're not planning to use these features, it might work very well for you...

Asuswrt or Merlin have an incredibly nice and user-friendly GUI and lots of nice functionality, but too weak hardware to max out a GBit line with all functionality enabled. So it all comes down to how much functionality/security you enable and your need for speed. Max speed and security/functionality in your case will require an OPNsense/pfSense solution... It all comes down to your needs and wants...
 
I'm judging by the replies that keeping the Asus for routing is a worse option than pfSense.

In my opinion the RT-AC86U is not a router to count on. Not a good reliability rating (mainly dead radio complaints), unresolved intermittent bugs (soft reboot issues), not enough RAM to run many things at the same time (killed processes), etc. Read the usual complaints here on SNB, there are many. I had one of those, and developed a habit of checking it frequently to make sure it was working properly. I don't have it anymore, as you can guess. A few of the regular SNB members had to use their warranty already due to various malfunctions.

We have a thread discussing pfSense hardware and some settings here:
https://www.snbforums.com/threads/pfsense-computer-bulid.61903/

You can do more with pfSense and with better control, the hardware has no limitations and is easy to upgrade, the software does everything with no need of using (and sharing data with) 3rd-party service providers, the system can be transferred to other hardware, etc. Setting it up, though, may take some time, depending on where you start from. The good thing is that easy-to-follow tutorials are available for all main functions and packages. You can use your RT-AC86U as a backup router during the setup process.
 
Thank you for the pfSense build link, it sounds like that is the way to go. I have a few months until the house is built, so I should be able to get familiar with it.

I appreciate all the feedback.
 
Netgate SG-3100 is my other option

Mixed feelings here... mostly because Netgate and pfSense are in a bit of transition.

The 3100 is a good platform - e.g. Armada 38x, good hardware - but it's a dead end with the lower end 1100 based on a customer spin on the EspressoBin - long story, but basically pfSense on ARM is a bit of a science project... and Marvell isn't focusing on further development on the low end ARMs these days with Armada 38x and 37xx series.

Also, the pfSense team management folks - Jim Thompson, etc. - they're putting more focus now on TNSR these days, which is a completely different code base.

pfSense isn't bad - heck I run it, on Netgate HW - but I also recognize that the end is close with my replacement cycle.
 