New Router + UTM


fields987

Regular Contributor
Hello everyone. I’m new here so please forgive any etiquette faux pas. They are unintentional.

I’ve got an ASUS RT-AC68R with Merlin and a Pace 5268AC in pass-through/DMZplus mode. If I connect to my router's Wi-Fi, I lose 25 Mbps on downloads vs connecting to my Pace Wi-Fi. As far as I can tell, the main differences are 3x3 Wave 1 on the ASUS vs 4x4 Wave 2 on the Pace. Is it reasonable to assume one less stream and no MU-MIMO would account for this? I've offloaded everything except user devices to the 2.4 GHz band. I’ve tested multiple channels, and been through all of the professional settings. I did see some optimization but still not getting the same DL speed as on the Pace. As far as I can tell I don’t have a problem with signal strength in my house, but I’m open to mesh solutions; would prefer tri-band for dedicated backhaul. Any recommendations on hardware so I can take full advantage of my bandwidth?

Also, since I’m thinking about upgrades anyway, I’m wanting to get the best UTM solution for home office with IoT. How does AiProtection and Skynet stack up against things like pfsense, firewalla, bitdefender box, Netgear armor, or threat management on the unifi dream machine?

Thanks for the help!
 
And what is the wireless hardware configuration of your testing device?
There are plenty of threads here on choices regarding mesh. Do some homework. Then ask more specific questions with details on your physical situation.

Most will say use wired backhaul for good reason. Even with dedicated radios for backhaul, you still have to have very good wireless connections for high bandwidth which is often not the case when folks are looking at mesh.

Local firewall and VLANs are usually adequate to isolate IoT devices.
 
3x3 vs 4x4 will not matter much if your clients are only 1x1 or 2x2 capable. Wave 1 vs Wave 2... that could possibly make a difference. Are you disabling the other radio while testing?

Some of the modern ISP gateways can hold their own. I know my Google Fiber WiFi is technically faster than my UniFi gear on a single device... it just can't cover my entire house and doesn't allow for any configuration customization.

As for the ask about comparing firewall and security features? It really depends on how much "effort" you want to put into it. Some of the other solutions you mentioned have more advanced features built in that do not require "customization" to get working. It will always be a trade-off on how much tinkering you want to deal with. pfSense, OPNsense, Sophos XG, etc... they all support all kinds of stuff in a clicky clicky type manner. All depends on your requirements, skill set, and level of effort you want to put into keeping your network secure as well as running.

My requirements were more than what a typical consumer router could provide, so I had used pfSense for years (m0n0wall before that) and a year or so ago I switched to Sophos XG.
- 100Mbps+ IPSEC VPN (not as critical anymore since I changed jobs)
- 100Mbps+ OpenVPN
- Transparent Proxy w/AV
- Explicit Proxy w/AV
- Web Filtering (this is what pushed me to SophosXG from pfSense)
- IDS/IPS (this is really overrated for consumer/home use)
- extremely granular firewall policy features

The advanced firewall and VPN are why I used m0n0wall in the first place. I moved to pfSense when that project retired. Then moved to SophosXG to get better built in web controls. SophosXG struggles on IPv6 a bit and has some more limitations in its VPN support when compared to pfSense.

To note: Many consumer routers can meet the VPN performance requirements I listed out... they could not when I started this journey many years ago. Amazing the performance changes in the past few years out of these small boxes.
 
AC68R - BCM single CPU and BCM4360 for 5GHz.
5268AC - BCM with Quantenna co-processor and Quantenna 840 for 5GHz.

AC Wave 2 could allow for a faster downlink on a 160MHz channel width, plus more optimized airtime fairness with MU-MIMO, but would depend on support from the client you're using. The extra spatial stream, even though typically not usable by most wifi clients (with 2x2 radios), does increase the AP's receive sensitivity, which can improve dB to the endpoint, possibly establishing a faster link-layer as a result. Beyond that, the 5268 also has a dedicated 5GHz co-processor, and potentially better driver performance from Quantenna, as well as better radio co-compatibility with your endpoint used for testing. That being said, the 5268 is widely reported to be high-performance but flaky, as I'm guessing Pace never really went the full mile on stabilizing and developing the firmware well enough. So from an overall perspective, it's yet another mediocre ISP gateway. Shame.

First order of business is to get the best AT&T gateway you can that is truly non-blocking in pass-through mode and is stable. If that's the 5268 then so be it.

Next is your gateway solution. As @MichaelCG inferred, you can get as granular on this as you feel you need to. Asus's AiProtection is based on TrendMicro's definitions, which aren't bad, but it's only a single source of truth, so somewhat limited on its own. Skynet provides enhanced insight and control, more akin to what you'd get out-of-the-box with NGFW/UTM distros like Untangle, Sophos UTM/XG Community, etc. I would lean towards running an actual NGFW/UTM distro on a wired box, versus AsusWRT and their hardware, since I like using purpose-built components versus consumer-grade all-in-ones, but that's just my perspective.

If you want to go the wired UTM route, I would run low-power, generic x86 hardware, be that a cheap SFF PC with a multi-NIC card in it, like an HP T620 Plus off eBay, or an embedded box like a Protectli/Qotom, or a 1U rackmount appliance like a Supermicro or white-box, short-depth barebones server. Any of the former will give you the ability to test and switch distros to your heart's content.

For your access layer, if you don't do an all-in-one, then discrete switching and wifi is the logical pairing with a wired-only firewall. If you feel compelled to pick a whole-house consumer mesh product, I'd make sure it's at least wired-backhaul capable. IMHO, Eero Pro is usually the only one worth looking at. Otherwise, if you can wire in all (or most) of your nodes straight away, then I'd go right to SMB or enterprise wifi, for better airspace management, VLANs, etc. Ubiquiti UniFi has options for both switching and APs all in a single control plane. Other options would be TP-Link Omada or Aruba Instant On for wifi; Cisco SG, HPE or refurb enterprise for switches.

Hope that helps!
 
Hoping I can jump in with a related question. I was looking at used T620s and Qotom minis (as noted above), for a home office firewall/VPN with a WAP. My intent is to connect all devices through the router instead of loading VPN software on each device.

(1) My understanding is the mini-PC should give better OpenVPN (pfSense) performance than using a WiFi home router (e.g. ASUS w/ Asuswrt-Merlin). Is this correct?

(2) I'm looking at the below two minis. Would one be better than the other (is VPN performance primarily determined by processor speed)?

QOTOM: Intel Core i3-4010U CPU @ 1.70 GHz, 8 GB RAM, 120 GB SSD

T620: AMD GX-420CA APU SoC @ 2GHz, 4GB RAM, 16GB SSD

(3) For a little more cash, the newer HP T730 has a 2.7 GHz processor. Would this be considered a better unit?

many thanks
 
Hi @jdibber - Yeah, the RX-427BB in the T730 will give you roughly 30% more muscle than the GX-420CA, and 40-50%+ more than the i3-4010U. The i3 draws only 15W compared to the 35W of the HP, though; but if you don't mind something a little more power hungry, the HP is a decent option for sure. Can't really go wrong with any of the three, to be honest. All depends on how much throughput you really need.
 
Thanks, Trip... based on my initial question, I'm new to the game. The house has a 100/100 Mbps line. Oddly, I get 120 Mbps upload speeds. Never had a bandwidth issue using a few laptops, phones, Apple TV/Roku/TiVos connected to the network using a crappy G1100 Verizon router. My main reason for going to a thin client, from what I read (thanks SNB), is to limit the performance hit that a traditional consumer router used as VPN would have.

- How would I assess my throughput needs?

- I read that the Dell Wyse 5070 thin client (Pentium Silver J5005 1.5 GHz quad-core) would have better performance than the HP T620. Based on processor speed alone, that seems contradictory. Is it b/c the 5070 is a newer chipset? From spec, it draws 9.7 watts (idle w/RJ45).
 
While it's true that the J5005 is a fair bit more desirable power-wise, as long as it delivers enough clock (1.5GHz), all of the Wyse 5070s that I could find on eBay that will take a multi-NIC card -- mind you, not the tiny/micro/mini form factors, but the USFF form factor -- were $400+. At that price, there's way more attractive stuff out there, for sure. High-clock i3 desktops or Qotom/Protectli, etc. Even an SG-3100 straight from Netgate is fair game at that price.
 
Looks like I stole this thread! Every so often, you can find a 5070 extended chassis w/ PCIe slot for under $200, shipped, on eBay. I believe the 5070 was released in 2018, whereas the T730 and T620 were 2015 and 2013. The HPs seem so old. Of the 4 units discussed, the 5070 has the slowest clock speed. Does this imply it would be the worst performer? Or worded differently, is this something I would notice?
 
(1) My understanding is the mini-PC should give better OpenVPN (pfSense) performance than using a WiFi home router (e.g. ASUS w/ Asuswrt-Merlin). Is this correct?

Yes and No.

The PC in my signature running pfSense can do >400Mbps on OpenVPN, but very few commercial VPN servers allow speeds >250Mbps anyway. RT-AC86U/RT-AX88U routers have CPUs with hardware AES support and can also reach 250Mbps. So, no matter what equipment you have on your side, the VPN speed is limited to what the server you connect to is capable of. For home use the RT-AC86U should be good enough, but it has a relatively low reliability rating and can't really do what pfSense can on x86 hardware (due to limited hardware resources).
 
Hey Trip/Val D

I read on this site that, generally speaking,
Clock rate is more important than number of cores, as OpenVPN is single-threaded.
How should chips with 'turbo speed' be assessed? e.g. clock speed of 1.6 GHz with turbo speed of 2.1 GHz (4-core Celeron N3150) vs a chip with no turbo speed (2-core 2.0 GHz i3-5005U). Although I'm not sure if Celeron and Intel chips can be directly compared.

thanks again
 
How should chips with 'turbo speed' be assessed?

As you probably expect, the performance of CPUs with Turbo/Burst (whatever it is called) speed is assessed at maximum clock rate. The CPUs in your example though have different cores, and the Core i3-5005U at 2.0GHz is actually almost 2X as fast as the Celeron N3150 at 2.1GHz in both single- and multi-threaded tasks. Both CPUs have AES-NI support though and are a good option for power-efficient x86 router applications. Both CPUs are faster than what you can find in any consumer router currently on the market.

Although I'm not sure if Celeron and Intel chips can be directly compared.

Celeron is an Intel CPU.
 
This was one of the reasons I started looking into the thin clients + AP.

Thin Clients with expansion slots used to be cheap, but the sellers/refurbishers quickly realized what those products are used for and the price increased a lot. Some sellers even offer Thin Clients with Intel Quad Gigabit NICs pre-installed. There are some HP T620 Plus offered like this on eBay. The price though is closer to some Qotom boxes, so it doesn't always make sense. If you have space and the power consumption is not your main concern, off-lease SFF HP/DELL PCs make good server-like performance pfSense boxes for cheap.
 
Thanks, Val D. I was just using these as examples based on some units I was looking at.

Core i3-5005U at 2.0GHz is actually almost 2X as fast as Celeron N3150 at 2.1GHz in both single- and multi-threaded tasks.

I assume when you note "single-threaded tasks" that it is equivalent to the Passmark single thread rating. Where do you get information on multi-threaded tasks? And of the two, is one more germane to running OpenVPN?

Finally, more out of curiosity, the Celeron N4100 at 1.1 GHz (turbo to 2.4 GHz) is close to, or beats, the Passmark ratings of the i3-5005U at 2.0 GHz. Is that because it's a newer chip? Would it be considered a faster chip for this application?

Similarly, the Celeron N2830 @2.1 GHz (up to 2.4 GHz) has a Passmark single thread rating of almost half that of the above two.
 
Finally, more out of curiosity, the Celeron N4100 at 1.1 GHz (turbo to 2.4 GHz) is close to, or beats, the Passmark ratings of the i3-5005U at 2.0 GHz. Is that because it's a newer chip? Would it be considered a faster chip for this application?

You probably realized already that Intel markets same-core-architecture chips under different names depending on the target market. Often they even use the same processor die with features enabled/disabled, like portions of the available cache, extension instructions, turbo boost, hyperthreading, etc. You can't really tell by name only what the expected performance will be, especially between different generations of CPUs. Some i3 are actually faster than some i7, for example. This is where benchmarks like Passmark come in handy, even though not very accurate. A faster performing CPU in benchmarks is also expected to process the tasks faster in real-life conditions.
 
So, in addition to processor speed, should I be just looking at the Passmark single-threaded rating when comparing processors? Or do the other scores come into play?
 
So, in addition to processor speed, should I be just looking at...

Better look at what's available/possible for you to use as an x86 router. There are many types of CPUs, but most Qotom/Protectli etc. boxes come with a few specific ones to choose from. What exactly do you need, what are you planning to run on it and what's the budget? Otherwise we can evaluate CPU performance forever without coming to any conclusions.
 
I've been looking for a 2.0 GHz, AES-NI processor (laptop class for efficiency), 4G RAM, 32G SSD, preferably fanless. Used or new, sub $200. Things were going swimmingly well until your comment that the Core i3 was 2x as fast as the Celeron. This led me to believe I should be looking at more than just processor speed. pfsense.org notes NIC card quality is important and strongly recommends Intel over other mfgs.

I plan to run most devices (home office/household) through the VPN, using pfsense for basic firewalling with addons (pfblocker). I want to ensure the VPN service is the bottleneck and not the hardware. Would like something newer than the 2013 (HP620).
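The AES-NI point raised above (Val D's note that both CPUs have it, and the wish here to be sure the VPN service rather than the hardware is the bottleneck) can be checked directly on a candidate box before committing to it. This is an added shell example, not code from the thread; it assumes a Linux /proc/cpuinfo and the openssl CLI, and the cpuinfo sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify a candidate x86 router box advertises
# AES-NI and measure raw AES-256-GCM throughput, the cipher OpenVPN 2.4+ negotiates
# by default. Assumes Linux /proc/cpuinfo and the openssl command-line tool.

# has_aesni [FILE]: exit 0 if the CPU flags line in FILE (default /proc/cpuinfo)
# lists the "aes" feature flag, 1 otherwise. Exact-match so "vaes" does not count.
has_aesni() {
    f="${1:-/proc/cpuinfo}"
    grep -m1 '^flags' "$f" | tr ' ' '\n' | grep -qx 'aes'
}

# bench_aes: single-core AES-256-GCM throughput in Mbit/s at 16 KB blocks.
# openssl uses AES-NI automatically when present; rerun with
# OPENSSL_ia32cap="~0x200000000000000" to see the software-only fallback and
# judge how badly a non-AES-NI chip would hurt VPN throughput.
bench_aes() {
    openssl speed -elapsed -evp aes-256-gcm 2>/dev/null \
        | awk '/^aes-256-gcm/ { v=$NF; sub("k$", "", v); printf "%.0f\n", v*8/1000 }'
}

# Constructed sample cpuinfo lines (not captured from real hardware) for self-testing.
SAMPLE_WITH_AES='processor : 0
flags : fpu vme sse2 aes avx2
model name : constructed example'

# Run on the real box only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    if has_aesni; then echo "AES-NI: present"; else echo "AES-NI: absent (expect far lower VPN throughput)"; fi
    echo "AES-256-GCM, 16 KB blocks: $(bench_aes) Mbit/s (single core, raw cipher; OpenVPN adds overhead on top)"
fi
```

The openssl figure is an upper bound for one core: OpenVPN's single-threaded packet handling and the tunnel's encapsulation keep real VPN throughput below it.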
 
"How much do you need" typically equates to throughput in Mb/s or Gb/s for any/all services you're looking to run on the box.

A Celeron of a certain clock/generation may still be doable, if, for example, you only need a few or several hundred Mb/s of simple firewall rules and/or SQM. Of course, if you want symmetric gig over OpenVPN, we'd have to move up into high-clock i5/i7 maybe even Xeon embedded... but I think you get what I'm saying.

So, even just ballpark, any idea on how fast you want to be able to go with this thing, and what services you're looking to run apart from the ordinary stuff (NAT, FW, DHCP, DNS, etc.)?
 