PC based vs Appliance? Your thoughts

deanfourie

Occasional Visitor
So I'm curious on everyone's input on this one. As the title says, PC based routers vs appliance.

I've been running pfSense for a while now, and honestly I'm a big fan of it after switching from mikrotik.

I'm curious to know everyone's thoughts on the pros and cons of both PC based vs appliance. I'm running my pfSense instance on a Hyper-V machine alongside a TrueNAS VM. I love the flexibility of packages and addons, the dashboard and simple services such as ARPWATCH etc.

Looking forward to your thoughts on this.
 
I like appliances better because they get my clothes clean and dry. ;)
 
PC DIY option allows for adding to it as much or as little as you want and more options when it comes to the network speed w/ a swap of the NIC as needed. I'm using a 4 port 5GE card and you would never find that at a reasonable price on an appliance / router. If I wanted to go extreme, adding a 100GE card would be an option as well.

Appliances work better for consumers that aren't keen on the technical aspects of making something work from scratch. Buying something and clicking a few prompts works for the general public that don't know the intricacies of networking other than plugging something in and being online.

It depends on the person though ultimately.

I run a DIY box, though, which I built with the intent of rolling several devices into a single PC and providing better performance to all aspects included. I got sick of subpar equipment - router / nas / dvr / wifi / etc. and took it into my own hands to improve the experience. The costs of upgrading individual parts tend to outweigh the benefit of doing so. For instance, upgrading the DVR HDD is a PITA but possible, but how much storage do you waste when you can't use the HDD for anything other than the captive implementation? The NAS options are still crap if you want to do anything more than store data / share data. Most hype that they can stream but they can't transcode due to the lack of resources and stutter/buffer/drop the stream. Routers off the shelf typically prompt for FW upgrades constantly and on occasion break more than they fix when applied. When wanting to use a VPN on the router you're limited by the options the OEM puts into the software. Going open source / DIY though, you can use anything you can install / configure and get better speeds from the service. When you're running more than 500Mbps and want line speed using WireGuard based options you have to either pay heavily for an off the shelf option with a better CPU or build your own.

When you consider some of the wild WiFi options w/ 3 nodes cost ~$1200 vs building your own and deploying 3 x $150 APs, of which you probably only need 1 since APs are designed better than the generic "mesh" junk being peddled to people. When you take the blindfold off and see things as they are beyond the popular options you find value in putting in a little effort. Being able to properly size different functions within the network vs just making something work makes a difference. For instance, most NAS options have bottlenecks in how fast they can push data over the network. For a RAID 10 with fairly decent drives you should be able to push 400-500MB/s but the NAS devices being sold limit them to 100-200MB/s; whether the NIC being used, a poorly implemented backplane or a junk CPU is at fault is up for debate.
 
In my view a critical building block of a network, such as a router, should always be bare metal and, in the case of pfSense, running on a single device with no other applications. Call me old fashioned, but I wouldn't want any interference from anything else on the device that basically runs my network. I even secure mine with pfSense on 2 SSDs in a ZFS mirror. Last but not least, it comforts me knowing I could go from 1Gbps to 10Gbps by just throwing in an Intel X550-T2 and changing absolutely nothing else except some settings in pfSense. Just for clarity, I run my pfSense on an X9SCL+-F with a Xeon E2-1220v2 and 16GB ECC RAM.
 
You never responded in your previous thread. What happened with that?
Yeah, I never got to the bottom of that. I guess it was just maybe an incorrect DNS lookup, or I was resolving DNS from a university in Japan haha, who knows.

What made it even stranger was there were ARP entries for that IP too in my ARP table.
 
Looking forward to your thoughts on this.

I'm assuming we are talking about strictly home networks. Business and DIY are not very compatible.

I had a 200kg server rack years ago with a rack mounted UPS, Xeon server for pfSense, another for NAS with 4x HDDs, 48-port switch... a lot of junk in the trunk. It was reduced to a small UPS, Netgate appliance, 16-port switch, miniPC for NAS, 2x standard EasyStore drives. The "user experience" is exactly the same. The power consumption including 4x access points is perhaps around 100W. I'm past the point of building monstrous DIY with performance to satisfy the neighborhood. I have a family of 4 and a 500Mbps ISP line; Gigabit network and >100MB/sec NAS transfers are more than enough.

I have access to tons of used enterprise equipment through one of my businesses. I used to bring home interesting gear (the server rack above), but not anymore. I just don't care about it - I don't need it. By the way, DELL servers sound better than Lenovo when dropped from height on a concrete floor. :D

In my view a critical building block of a network, such as a router, should always be bare metal

Correct.
 
I had 200kg server rack years ago with rack mounted UPS, Xeon server for pfSense, another for NAS with 4x HDDs, 48-port switch... a lot of junk in the trunk. It was reduced to small UPS, Netgate appliance, 16-port switch, miniPC for NAS, 2x standard EasyStore drives. The "user experience" is exactly the same. The power consumption including 4x access points is perhaps around 100W. I'm past the point of building monstrous DIY with performance to satisfy the neighborhood. I have a family of 4 and 500Mbps ISP line, Gigabit network and >100MB/sec NAS transfers is more than enough.
Guess that is a process we all go through. I have already downsized from dedicated servers and a Dell MD1000 with 15 disks for pfSense, TrueNAS with Plex, TrueNAS with Nextcloud and a big fat 48p switch to one for pfSense, one DIY NAS with 4 HDDs running both Plex and Nextcloud, 4 APs and an old Synology for backup. I am sure over time this will get simplified even further as I am starting to question to what extent Nextcloud brings any advantages to our home.
By the way, DELL servers sound better than Lenovo when dropped from height on a concrete floor. :D
Now THAT is what I call interesting information :D
 
Nowadays deep packet inspection is useless because everything is encrypted.

There is a way in pfSense to set up https interception, but it's an unnecessary complication for a home network and comes with some issues. IDS/IPS still works for some obvious threats. I have a light Suricata configuration running on my firewall. I also have some light IP/DNS filtering set. My home unit is the older Netgate 5100 quad-core Intel C3558 with 4GB RAM and the performance is limited by the Gigabit ports only.
 
It's a matter of personal preference, but I use the ETOpen ruleset in a few categories like Attack Response, Botcc, CIArmy, Coinmining, Compromised, Exploit, Dshield... then I have a lot of rules disabled in LAN Rules, the ones that create lots of log messages for network protocol errors, for example. I block for 1h and release, usually good enough. If you want to skip the entire tuning process in Suricata, try Snort with preset categories. It's much easier to use. For pfBlockerNG I have FireHOL for IP blocking and some usual suspects in DNS blocking like Mining, Torrenting, Phishing, etc. It really depends on what you want. If you trust public DNS filtering, run Unbound in forwarder mode to the DNS provider of your choice: OpenDNS, Cloudflare, Cleanbrowsing, etc. The configurations are unlimited and there is no real best configuration.

You can try https interception with Squid, but you have to install certificates, and some sites detect this behavior, which is in fact MITM. Because it is MITM. If you don't like DoH, block known DoH servers in pfBlockerNG. You can intercept port 53, if you like. You can apply different rules to your VLANs, if you have a Guest Network or IoT network, for example. It's all up to you, full configuration control.

All this is outside of this thread's subject though.
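What the post above describes (intercept port 53 so every client uses the firewall's Unbound, block known DoH servers so that redirect cannot be bypassed) in the raw pf policy that pfSense generates from its GUI, as an added example that is not the poster's configuration. The interface names igb0/igb1, the DoH list file path and the use of an externally maintained address list are assumptions.

```pf
# Added example, not from the thread: pf rules for a pfSense-style box.
# Assumed interfaces: igb0 = WAN, igb1 = LAN. Unbound listens on the LAN address.
wan_if = "igb0"
lan_if = "igb1"

# Addresses of known DoH resolvers, kept in a file that a pfBlockerNG feed
# (or a hand-maintained list) refreshes. The path is a placeholder.
table <doh_servers> persist file "/usr/local/etc/doh_servers.txt"

# Intercept port 53: plain DNS from the LAN that is not already aimed at the
# firewall is redirected to the local Unbound, so clients with hard-coded
# resolvers (8.8.8.8, an IoT vendor's server, ...) still get the firewall's
# DNS filtering instead of silently bypassing it.
rdr pass on $lan_if inet proto { tcp, udp } from $lan_if:network \
    to ! ($lan_if) port 53 -> ($lan_if) port 53

# Block DoH (TCP and HTTP/3 over UDP) to the listed resolvers so the redirect
# above cannot be sidestepped over 443. "return" gives the client an immediate
# reset rather than a hang; "log" makes the attempts visible in the firewall log,
# which is also how you find devices that need a DoH exception or a closer look.
block return log quick on $lan_if inet proto { tcp, udp } \
    from $lan_if:network to <doh_servers> port 443

# Only the firewall itself talks DNS upstream: Unbound in forwarder mode to the
# chosen provider, on 53 or, preferably, DNS-over-TLS on 853.
pass out quick on $wan_if inet proto { tcp, udp } \
    from ($wan_if) to any port { 53, 853 }
```

The redirect only catches plain DNS on port 53; anything the DoH table does not list still gets through, so the table needs a feed behind it rather than a one-time list.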
 
Maybe I am not advanced like the typical pfSense user, but I would say if swapping a card from gigabit to 10 gig would make a difference, why not do that with a switch instead? Swapping the card alone might end up overloading other parts of the device.
 
if swapping a card from gigabit to 10 gig would make a difference why not do that with a switch instead?

It really depends on the configuration you want and the hardware you have. If your router/firewall is doing all the work (like in most DIY home setups), better get fast NICs. If it's used for Internet gateway only, an ISP-speed interface is okay. The rest can be done by the switch, including inter-VLAN routing (different switch for different applications). You can have a pfSense box running with a single NIC, if you want to. It's called router on a stick. With a 2.5GbE NIC and a 2.5GbE smart switch you can get Gigabit performance up/down using a single wire. Multiple options again, depending on the goal and budget.
 
On this subject, it happens that I bumped into a second-hand Silicom X550-T2 last week, and since the previous owner didn't know the brand (I had to look it up too) and thought it was not genuine Intel, I was able to acquire it for a measly 60 Euros, an opportunity too good to let pass. In the meantime I plugged it into my pfSense box and after some fiddling (there is always some of that) WAN and LAN interfaces are now on the X550-T2. There is a slight noticeable decrease in latency but, for the rest, no noticeable difference in performance. It is just a nice thought knowing that my router is already 10GbE capable :)
 
That's better than a deal!!!! That's a fire sale.
Yeah, I know. The asking price was 120, but when I asked for a picture of the YottaMark label he claimed it didn't have one, so he was not sure it was an original and he dropped to 70, and when he wasn't able to supply the original long bracket but only an Intel one, which fits with a bit of modding, he dropped another 10. In the meantime I managed to figure out it was a Silicom from the pictures he sent so I bought it in a whiff.
 
Bare metal for a router with 2 physical ports. Router on a stick is not safe, it is like running a router on a VM. You need an untrusted input for your firewall to process to a trusted output. You want hardware isolation on your untrusted input.
 