Home Firewall for 1Gb fiber feed


KeithM

New Around Here
I would greatly appreciate any suggestions for a home firewall that can handle 1 Gb/s fiber to the house.

My current setup is a Zyxel USG 20 to a Cisco SG500 switch.

I have two ports free on the SG500 for uplinks (I use only one, but I can run LAG if needed, though this seems extreme at 1 Gb/s).

I currently run VLANs only on the SG500 in level 3 mode (isolating IoT devices like thermostats, sprinkler system etc., NAS, guest wireless network, etc.).

Primary use is a source for hosting interactive university online classes, general web use and higher-bandwidth multimedia (4K feeds from Amazon, Netflix etc., internet radio).
So NAT performance is very important and I would like to have some headroom above wire speed.

I have no real need for wire speed VPN bandwidth, but I am looking for the option to do some packet inspection etc.

Here is what I have narrowed it down to, which I think can handle the above:

Group 1: running pfSense, OPNsense or Untangle on one of
1. A Kaby Lake ULV-series low-power PC (like a Shuttle DS77Ux series)
2. Protectli fanless, also with a Kaby Lake ULV part (like the FWB6x series)

Sadly, I do not have any older PCs hanging around to re-purpose.

Group 2: dedicated hardware
1. Ubiquiti ER-4
2. Cisco RV340
3. MikroTik?

I like the concept of pfSense etc., though I was unsure of the hardware requirements needed relative to routing/firewall performance in my group 1 approach above.

I would like to avoid doing a whole lot of software development (it has also been a while since I did BSD Unix kernel development or built a BSD kernel+system from source), but I would not consider that a showstopper if that is what is needed.

Thank you in advance for your time
Keith
 
If doing just basic pfSense, pretty much any modern non-Atom-based multi-core CPU from Intel can handle the basics. I am running a Core 2 Duo (either an E4600 or an E8400?? can't remember which system is which) for pfSense and for basic firewall duties, it handles a home 1Gbps Internet connection just fine. The only time the CPU really starts to show its age is when I start toying with Snort or VPN and start pushing a couple hundred Mbps through it. I think my VPN (OpenVPN) tops out around the 150Mbps range and Snort starts to puke around the 200-250Mbps mark. I rarely have that kind of traffic load so it isn't a real issue.

Pretty much any of the newer i-series will run circles around what I am running so I wouldn't over think it too much since your requirements appear to be pretty simple.
 
Modern Atom-based CPUs (quad cores and better) are capable of gigabit NAT speeds with a lean config. In your case I suggest looking at either MikroTik or an AMD FX/Intel Core i CPU or better. If MikroTik, I suggest the CCR1009 because you can have heavy configs and still have gigabit speeds, while if using x86 you will need to have an Intel NIC for best results (2nd-hand Intel quad-port server NICs are cheap).

You can also combine both MikroTik and x86 so that what features MikroTik lacks are supplemented by x86, such as if you want your own IDS/IPS, and separate tasks based on performance and features. For firewall, NAT and other network stuff, the TILE CPU is way faster than x86, but MikroTik lacks features including good OpenVPN support despite the fact that TILE is very fast in encryption.

With MikroTik, it is easier to actually set up complicated networks and do sniffing, mirroring, etc. using the CPU, and the CCR1009 has a good CPU for that, but the OS itself lacks a lot of features found on x86 solutions. So either way you're going to need x86, and you won't need to make software for it, but you will have a whole lot of configuration to do with both MikroTik and x86 solutions.

I don't recommend Ubiquiti for advanced routing, nor the Cisco RV series. Neither of them provides the configurable performance required for 1Gb/s as they are both very reliant on hardware acceleration.
 
No argument here on the modern Atom... many users have no idea that the new Quad Core Pentium they just bought is actually an Atom and wonder why it struggles on certain tasks. I just generally avoid them unless I am specifically looking at a specific price and/or power consumption point.

I think the biggest thing to keep in mind if you want to better future-proof yourself a bit on pfSense is to make sure the CPU supports AES-NI.
 
That's why I suggested the full cores, not the cut-down/low-power ones. Many people don't know, but the FX 8-core from AMD paired with Intel NICs is actually a very fast Linux router.
 
Clock speed matters more for packets per second with SW-based routers, whether BSD or Linux based: fewer cores and faster clock, and then it's a matter of tuning the sysctls...

Rangeley and Armada 38x can easily do a 1Gb symmetric connection properly tuned... 1.6GHz seems to be a good place there.

Many of the consumer routers from Asus, Netgear, etc. do need some tuning, but at the same time, they have to cover so many different use cases... and the effort to tune things to any given use case is outside the scope of consumer devices, so they cover "good enough"...
 
Not true, MikroTik and Ubiquiti are examples where clock speed doesn't matter but core count does. The higher the clock speed, the lower the latency. The more computing power in total, the more packets you can process per second.

Intel NICs do save the CPU some cycles and give better drivers; however they can't match Realtek in latency, but the difference is only 100-300 microseconds.
 

Respectfully disagree - once one gets to a certain speed in SW routing, clocks are more important than cores...

Realtek is OK for consumer, as is Intel - again, once getting to a certain speed, there are better options, but well outside the price range of most here...

Keep in mind - these days - I'm working on 40Gb and 100Gb devices ;)
 
Thanks for the advice, it is greatly appreciated.

It sounds like I do need to be prepared for some throughput tuning (be careful with hardware selection and system configuration), which will be fun.
I also understand the point about Intel NICs and AES-NI.

Next I just need to look at which Intel Core "i" line to select (U-series, T-series or standard), which dictates available core count and clock frequency.

So is my logic correct for my two Ethernet port use case (WAN & LAN): that two Intel cores (with SMT off to boost per-thread performance?) is the minimum, and then select for the highest peak core frequency?
 