Antillie
Mar 14, 2015

If you want VPN performance you want hardware accelerated encryption. This is not something most consumer grade routers have. Even the expensive ones tend to focus on wifi range/features and fancy things like USB ports for external hard drives and printers.

The simple fact is that encryption is hard and routers have low power CPUs that offload most of the actual routing work to hardware accelerators. Commercial grade gear tends to focus on accelerating IPSec or some proprietary TLS based VPN solution like AnyConnect. As a result OpenVPN isn't generally hardware accelerated on commercial grade gear. This pretty much just leaves you with pfSense on an AES-NI equipped CPU.

I would try and find some OpenVPN benchmarks for various routers and go from there.

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
Yeah. That's pretty much what I was trying to suggest to the OP. The Raspberry Pi will run OpenVPN like dogshit. It will do it, but at a crawl. In addition to not having enough CPU power, the networking throughput on Pi will also be sub-par.

Raspberry Pi's have their uses, but running OpenVPN on them and expecting good performance isn't one of them.

Shaman Tank Spec
Dec 26, 2003

*blep*

Yeah that's what I was afraid of. I just saw that people were recommending routers with 1.8GHz dual core processors and saying they were real good at OpenVPN poo poo, but they also cost 200+ euros in Finland, and it's a hard sell to the girlfriend when our existing router is good in every other way. I was hoping a Pi or some other system on a chip (which on paper match and exceed the technical specs of even the expensive routers) could've matched it at a fraction of the cost, but no such luck.

I did some additional messing around on my desktop PC and discovered that even in optimal conditions I was still getting kinda crappy speeds from TorGuard's US servers, so I'd be going through a lot of hassle to end up with performance I wouldn't really be satisfied with.

In the end I'm probably going to take advantage of TorGuard's 7 day refund period, even if it does mean losing out on my Streaming IP fee. Just watching Netflix and Hulu probably isn't worth all the hassle.

Thanks for the tips, guys!

Thanks Ants
May 21, 2004

#essereFerrari


EdgeRouters will offload IPsec traffic as long as it matches certain proposals. No good if your VPN service only supports OpenVPN, but the boxes are like $50 so if your chosen provider has a setup that matches what gets offloaded, then you're good to go.

Antillie
Mar 14, 2015

Specifically the ERL will accelerate: AES-CBC, 3DES, and SHA1

Since 3DES is unsafe 95% of the time it's basically just AES and SHA1, which is all you really need, but you don't get to use anything else either.

Krakkles
May 5, 2003

Devian666 posted:

Which Modem should I buy?

This is increasingly complicated and is very dependent on your local provider. Check with your ISP to see what modems they support on their network before you go out and buy one. However, you should buy instead of rent because rentals are generally always more expensive over the long term.

As a rule, try to get the latest Motorola Surfboard modem supported by your ISP. These kits are generally rock-solid compared to other manufacturers and are designed to last a long time. The SB6141 and SB6183 are the go to models at the moment with the SB6190 on the high end. What’s the difference? Channel bonding. What the hell is that? In a word, speed. The more channels a modem can bond to the higher the speeds it can achieve. Some ISPs only offer their higher speed tiers with modems that can bond a minimum number of channels. In addition to making higher raw speeds possible the ability to bond more channels (8 for the 6141, 16 for the 6183, and 32 for the 6190) allows the modem to load balance your traffic across multiple channels more effectively and better avoid congested channels on the ISP's network. So even if you aren't paying for a higher speed tier you will get whatever speed you are paying for more consistently and more often with a modem that can bind to more channels.

The 6141, 6183, and 6190 are all pretty much the same but each one can bond to more channels than the previous one while also costing more. It’s hard to say if getting a more expensive modem is objectively worth the extra money without actually hooking up each modem in turn and testing them on your specific ISP in your specific area. The more people there are on the cable system in the area the more being able to bond to more channels helps out.

Now that price of the SB6183 has come down a bit it may be the better overall choice unless you live in an area with relatively few other cable internet subscribers where you would be just fine with the SB6141. The SB6190 is the king of channel bonding but it’s expensive. If you live in a dense apartment block/highrise with a ton of other cable internet subscribers the SB6190 may be worth it if your ISP supports it.

If you get stuck with a combo modem (Modem+Router+Wireless) and you want to run your own equipment behind it, then you must put the combo modem into bridge mode, or else you’ll suffer from issues like double NAT and another wireless network causing congestion.
It might be worth an update to this part of the OP - I've had an SB6190 for awhile and have constant problems (disconnects, reboots, mysterious latency).

Turns out I'm not the only one.

sellouts
Apr 23, 2003

Krakkles posted:

It might be worth an update to this part of the OP - I've had an SB6190 for awhile and have constant problems (disconnects, reboots, mysterious latency).

Turns out I'm not the only one.

I have a 6183 you could try out? Just pay for shipping and if you like it kick me a few bucks? Worked flawlessly until I upgraded to gigabit.

Speaking of, got my pfSense set up with the qotom box from AliExpress. Anecdotal and based on network conditions but I now get 700-750mbps from Fast.com compared to 400-430mbps from Fast.com when connected to my Edgerouter.

Pretty happy. Very easy to get my basic set up going.

Looten Plunder
Jul 11, 2006
Grimey Drawer
My mate gave me a spare piece of Ubiquiti hardware that he doesn't need anymore that he said I can use as an access point so I assume it's a gateway/switch/router of some kind.

I finally have some time to set it up, but before I dig through my closet to find out where the hell I put it I wanted to read up and find out how much work is involved. But I can't seem to find the product in order to read setup manuals.

From memory, it's white and cross/star shaped, kind of domed in the middle with four (maybe three) prongs. Does anyone know what piece of hardware this might be?

Looten Plunder fucked around with this message at 12:53 on Nov 13, 2018

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!

sellouts posted:

I have a 6183 you could try out? Just pay for shipping and if you like it kick me a few bucks? Worked flawlessly until I upgraded to gigabit.

Speaking of, got my pfSense set up with the qotom box from AliExpress. Anecdotal and based on network conditions but I now get 700-750mbps from Fast.com compared to 400-430mbps from Fast.com when connected to my Edgerouter.

Pretty happy. Very easy to get my basic set up going.

Did you say that you'd bought the RAM module and msata SSD separately? Which ones did you go for? Which Qotom box did you get?

Just asking purely for pornographic purposes.

eames
May 9, 2009

I love the pfsense software but the future seems a bit murky, no?

My official netgate appliance died out of warranty, likely due to the atom bug, and the only comparable product they sell is a 1.6 GHz dualcore ARM32 box (SG-3100) with plenty of complaints about stability on the forums.

They're also working on an ARM64 port for the espresso.bin board (~$79) with a license fee (one-time? yearly?) that may obsolete the SG-3100 when released.
So my current options are:

1. buy an official appliance (hefty prices, platform lock-in when buying ARM, possibly a useless paperweight after EOL)
or
2. wait for the espresso.bin port and buy the "official" version of that (cheap, probably just enough performance)
or
3. buy an unofficial, technically unsupported third party box without supporting the developers and hope for the best (could at least switch to opnsense at some point)

I'm using my Airport Extreme for now, still works surprisingly well.

redeyes
Sep 14, 2002

by Fluffdaddy
In my experience any decent desktop box is super stable with PFsense. As far as developers, there is also OPNsense to support, in case that matters. The big thing is use a drat Intel NIC.

I recently got a Dell Vostro i3, 4GB, 128GB SSD. Stuck in a $20 Intel dual port NIC and loaded up PFsense. It's been running for the 2 months with zero problems or lockups. I just don't see the point of using low power ARM processors. PFsenses strength for me is being able to use a fat Intel desktop processor without the associated cost of high end enterprise hardware.

sellouts
Apr 23, 2003

apropos man posted:

Did you say that you'd bought the RAM module and msata SSD separately? Which ones did you go for? Which Qotom box did you get?

Just asking purely for pornographic purposes.

Yep on eBay parts, aliexpress for box.

Sandisk z400s mSATA drive and HyperX 4gb ram module

Box is Qotom. i5-5200U

https://m.aliexpress.com/item/32829499825.html

Even if pfSense future is murky this seems to be a pretty good little box to have kicking around that could run whatever.

eames
May 9, 2009

redeyes posted:

In my experience any decent desktop box is super stable with PFsense. As far as developers, there is also OPNsense to support, in case that matters. The big thing is use a drat Intel NIC.

I recently got a Dell Vostro i3, 4GB, 128GB SSD. Stuck in a $20 Intel dual port NIC and loaded up PFsense. It's been running for the 2 months with zero problems or lockups. I just don't see the point of using low power ARM processors. PFsenses strength for me is being able to use a fat Intel desktop processor without the associated cost of high end enterprise hardware.

Yeah, I try to keep an eye on power consumption (power is pretty expensive here) or else I'd just get a full PC.
I like the look of these:

https://fit-iot.com/web/products/fitlet2/
https://www.anandtech.com/show/12006/compulab-launches-fitlet2-sff-pc-for-iot-apollo-lake-passive

Passive quadcore Apollo Lake, 2 Intel GBit NICs, console port and built for industry use. Perhaps most importantly it has a 5 year warranty and I can order it locally from a reputable reseller.
It also has the option to add two more Intel GBit ports via a passive card (controlled by the SoC). 4G/LTE, USB 3.0 and 2.5" HDD cards are also available, USB-C may be added soon because the SoC supports it. $199 on amazon (without ram or ssd)

fake edit: they also have a tiny lithium ups. :3

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
That would probably work pretty well, I was able to get >850Mbps out of an AT&T gigabit fiber link using iptables on CentOS 7 with an ASRock N3150-ITX and the fitlet is a generation newer in terms of the SoC.

bobfather
Sep 20, 2001

I will analyze your nervous system for beer money
PfSense runs great on a j3355 itx board with 2x2gb RAM and a small picopsu. Even using the onboard (Realtek) LAN controller is just fine. In fact I think I plopped in a second Realtek card and that has also been just fine.

Krakkles
May 5, 2003

sellouts posted:

I have a 6183 you could try out? Just pay for shipping and if you like it kick me a few bucks? Worked flawlessly until I upgraded to gigabit.

Speaking of, got my pfSense set up with the qotom box from AliExpress. Anecdotal and based on network conditions but I now get 700-750mbps from Fast.com compared to 400-430mbps from Fast.com when connected to my Edgerouter.

Pretty happy. Very easy to get my basic set up going.
I appreciate the offer, but Spectrum came out and [did something] and swear it will work now!

... and I'm going to buy something not-Arris when it doesn't.

astral
Apr 26, 2004

Krakkles posted:

I appreciate the offer, but Spectrum came out and [did something] and swear it will work now!

... and I'm going to buy something not-Arris when it doesn't.

You want not-Puma-chipset, not not-Arris.

Winks
Feb 16, 2009

Alright, who let Rube Goldberg in here?
Avoid every modem on this list: https://www.approvedmodems.com/do-not-buy-list.html

bolind
Jun 19, 2005

Pillbug
Maybe not exactly home networking, but maybe someone can shed some light: at work I recently inherited some HP Switches, 2530-48G J9775A. Is it correctly understood that these guys have no 10Gb ports and no way of adding one (via SFP)? Is it not normal to have a faster uplink port? What do people do? Nothing? LACP?

CrazyLittle
Sep 11, 2001

Clapping Larry

bolind posted:

Maybe not exactly home networking, but maybe someone can shed some light: at work I recently inherited some HP Switches, 2530-48G J9775A. Is it correctly understood that these guys have no 10Gb ports and no way of adding one (via SFP)? Is it not normal to have a faster uplink port? What do people do? Nothing? LACP?

Yep and yep. Most people don’t actually need 10gig. Heck with the way broadband is across the US there’s plenty of people who do just fine with 100mbit fastethernet.

But more to the point, SFP modules for Ethernet switches are pretty much standardized at 1gig with a few less common ones for other uses. 10gig modules are typically “SFP+”, 25gig is SFP28, 40gig gets QSFP+ with 100gig getting QSFP28 modules.

bolind
Jun 19, 2005

Pillbug

CrazyLittle posted:

Yep and yep. Most people don’t actually need 10gig. Heck with the way broadband is across the US there’s plenty of people who do just fine with 100mbit fastethernet.

Thanks for your answer. I know most people don't need 10gig, heck, 99% of them don't have a 10gig interface, but I was thinking more that 48 users in aggregate could fairly easily saturate a 1Gb switch interconnect, for instance. Oh well, trunking it is.

IOwnCalculus
Apr 2, 2003

bolind posted:

Thanks for your answer. I know most people don't need 10gig, heck, 99% of them don't have a 10gig interface, but I was thinking more that 48 users in aggregate could fairly easily saturate a 1Gb switch interconnect, for instance. Oh well, trunking it is.

You're not wrong there, it certainly could. But I'm sure one way they make lower end switches cheaper is to skip out on those ports, even as uplinks.

ndrake
Mar 29, 2002

You know, this is a damn fine cup of coffee.
I just bought a new house that was wired with cat5 to every room and a couple of other locations that are supposed to be for unifi access points. The low voltage guy wants to install a ubiquiti unifi security gateway and switch with 3 unifi hd wave 2 access points. Installed that will be 1600+. I currently have an original netgear orbi system from my last house and I have perfectly fine wifi coverage throughout the house. It's just under 3000 square feet. It would be nice to use access points just because the wiring is there and I'd rather not see the orbi if I have a choice. But this feels like overkill.

How much of what he proposed is necessary? Can't I just use the orbi as a router and connect the access points? Do I really need wave 2 APs?

And is this better than a mesh system that will (supposedly) move devices from one access point to another by itself? I could easily keep the Orbi and change it to using a wired backhaul or switch to an Eero. The benefit of these systems seems to be that my laptop connected in the basement should automatically connect to a closer access point if I walk upstairs, right?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

ndrake posted:

I just bought a new house that was wired with cat5 to every room and a couple of other locations that are supposed to be for unifi access points. The low voltage guy wants to install a ubiquiti unifi security gateway and switch with 3 unifi hd wave 2 access points. Installed that will be 1600+. I currently have an original netgear orbi system from my last house and I have perfectly fine wifi coverage throughout the house. It's just under 3000 square feet. It would be nice to use access points just because the wiring is there and I'd rather not see the orbi if I have a choice. But this feels like overkill.

How much of what he proposed is necessary? Can't I just use the orbi as a router and connect the access points? Do I really need wave 2 APs?

And is this better than a mesh system that will (supposedly) move devices from one access point to another by itself? I could easily keep the Orbi and change it to using a wired backhaul or switch to an Eero. The benefit of these systems seems to be that my laptop connected in the basement should automatically connect to a closer access point if I walk upstairs, right?

That's a bit overkill, but will definitely be rock solid.

No you don't need Wave2 devices. 3 HD AP's for a 3K sq ft house is nuts. I can almost cover my entire 3400 sq ft house with a single AC-LITE, but have a second for the far end of the house. Hell my neighbors just moved in yesterday and are having trouble getting their internet connected and my AC-Lite covers most of their house as well.

Who's your internet provider? I would go with a USG and 1 or 2 AC-Lite AP's and that'll work great. You can also keep what you have.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Orbis are pretty good. Use them.

Rooted Vegetable
Jun 1, 2002
While we are on the subject of which AP, what do people think about the AC LR vs the AC Lite? The LR is about $20 more and if it's claims of longer range are to be believed, that might be something I go for in the name of future use... and the novelty of having working WiFi on the street corner.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I'm always wary of long distance wifi claims because it's a 2 way street. You can blast a signal out as strong as you want, but the device has to be able to get a signal back to the AP. I can pick up a signal from my AC lite though about 500 feet away from the swimming pool in my subdivision. You want good coverage for you, but not interfering with others is being a good neighbor. If you don't have a use case for the LR, don't bother.

Thanks Ants
May 21, 2004

#essereFerrari


bolind posted:

Maybe not exactly home networking, but maybe someone can shed some light: at work I recently inherited some HP Switches, 2530-48G J9775A. Is it correctly understood that these guys have no 10Gb ports and no way of adding one (via SFP)? Is it not normal to have a faster uplink port? What do people do? Nothing? LACP?

The 2530 is the lowest end current model ProVision switch that HP (Aruba) currently sell, so it's very light on features. It's also still available as a 10/100 variant.

The 2540 and 2930 series are where you start to see SFP+ modules.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Curious,

How much will having a hard wired connection benefit me as opposed to using wireless? I'm hitting about 60-80ms latency on most games.

Internet Explorer
Jun 1, 2005

For gaming I always use wired if at all possible. Not just for the response time, but the packetloss/jitter that comes with wifi.

Thanks Ants
May 21, 2004

#essereFerrari


Tab8715 posted:

Curious,

How much will having a hard wired connection benefit me as opposed to using wireless? I'm hitting about 60-80ms latency on most games.

Wire it in temporarily, see what the ping drops to. I wouldn't expect wireless to add more than 3-4ms on average (though it will have spikes as local interference causes retransmissions of data).
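To make the wired-versus-wireless test above measurable, an added example (not from the thread): it parses the per-reply and summary lines of standard ping output into mean RTT, 95th percentile, worst spike, jitter and loss, so the two runs can be compared number by number. The ping output embedded below is constructed, not a real capture.

```python
"""Turn two ping runs, one wired and one over wifi, into comparable numbers.

Added example, not from the thread: parses standard ping output into mean RTT,
95th percentile, worst spike, jitter and loss so the runs can be compared.
"""
import re
import statistics
from dataclasses import dataclass, fields

# Per-reply line from iputils or BSD ping: "64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=12.4 ms"
_REPLY_RE = re.compile(r"icmp_seq=(?P<seq>\d+).*?time=(?P<rtt>[\d.]+)\s*ms")
# Summary line: "6 packets transmitted, 5 received" (Linux) or "5 packets received" (BSD)
_SUMMARY_RE = re.compile(r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) (?:packets )?received")

@dataclass
class LinkStats:
    sent: int
    received: int
    mean_ms: float
    p95_ms: float
    max_ms: float
    jitter_ms: float  # mean absolute difference of consecutive RTTs (RFC 3550 style)
    loss_pct: float

def parse_ping(output: str) -> LinkStats:
    """Summarise one ping run; raises ValueError if no echo replies were parsed."""
    seqs, rtts = [], []
    for line in output.splitlines():
        m = _REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group("seq")))
            rtts.append(float(m.group("rtt")))
    if not rtts:
        raise ValueError("no echo replies found in ping output")
    summary = _SUMMARY_RE.search(output)
    # Without a summary line (run cut off early) infer the probe count from the
    # sequence numbers; losses after the last reply are invisible that way.
    sent = int(summary.group("sent")) if summary else max(seqs) - min(seqs) + 1
    received = len(rtts)
    ordered = sorted(rtts)
    p95 = ordered[int(round(0.95 * (received - 1)))]
    jitter = statistics.fmean(abs(b - a) for a, b in zip(rtts, rtts[1:])) if received > 1 else 0.0
    return LinkStats(sent, received, statistics.fmean(rtts), p95, max(rtts),
                     jitter, 100.0 * (sent - received) / sent)

def compare(wired: LinkStats, wifi: LinkStats) -> dict[str, float]:
    """Per metric, what the wireless hop adds on top of the wired baseline."""
    return {f.name: getattr(wifi, f.name) - getattr(wired, f.name)
            for f in fields(LinkStats) if f.name not in ("sent", "received")}

# Constructed sample output, not a real capture: a steady wired run, and a wifi
# run with one lost probe (icmp_seq=4) and two retransmission spikes.
WIRED_PING = """\
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=20.1 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=20.3 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=19.9 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=57 time=20.2 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=57 time=20.0 ms

--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
"""
WIFI_PING = """\
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=22.4 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=38.9 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=23.1 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=57 time=95.7 ms
64 bytes from 1.1.1.1: icmp_seq=6 ttl=57 time=24.0 ms

--- 1.1.1.1 ping statistics ---
6 packets transmitted, 5 received, 16.6667% packet loss, time 5008ms
"""

if __name__ == "__main__":
    for metric, delta in compare(parse_ping(WIRED_PING), parse_ping(WIFI_PING)).items():
        print(f"wifi adds {delta:+.2f} {metric}")
```

Run `ping -c 50 <host>` once on the cable and once on wifi from the same machine and feed both outputs in; the p95 and jitter columns are where the interference-driven retransmissions show up even when the mean barely moves.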

ndrake
Mar 29, 2002

You know, this is a damn fine cup of coffee.

skipdogg posted:

That's a bit overkill, but will definitely be rock solid.

No you don't need Wave2 devices. 3 HD AP's for a 3K sq ft house is nuts. I can almost cover my entire 3400 sq ft house with a single AC-LITE, but have a second for the far end of the house. Hell my neighbors just moved in yesterday and are having trouble getting their internet connected and my AC-Lite covers most of their house as well.

Who's your internet provider? I would go with a USG and 1 or 2 AC-Lite AP's and that'll work great. You can also keep what you have.

Cool, thanks. That would save me a bunch of money. I have a standard Comcast plan (150 down) and no excessive needs. Right now my primary Orbi is in the basement stuck in a closet, so I like the idea of having APs and just having wired things down in the closet.

realbez
Mar 23, 2005

Fun Shoe

ndrake posted:

I just bought a new house that was wired with cat5 to every room and a couple of other locations that are supposed to be for unifi access points. The low voltage guy wants to install a ubiquiti unifi security gateway and switch with 3 unifi hd wave 2 access points. Installed that will be 1600+. I currently have an original netgear orbi system from my last house and I have perfectly fine wifi coverage throughout the house. It's just under 3000 square feet. It would be nice to use access points just because the wiring is there and I'd rather not see the orbi if I have a choice. But this feels like overkill.

How much of what he proposed is necessary? Can't I just use the orbi as a router and connect the access points? Do I really need wave 2 APs?

And is this better than a mesh system that will (supposedly) move devices from one access point to another by itself? I could easily keep the Orbi and change it to using a wired backhaul or switch to an Eero. The benefit of these systems seems to be that my laptop connected in the basement should automatically connect to a closer access point if I walk upstairs, right?

$1600 to do the same job the orbis are already doing perfectly well? I’d say no thanks and use the orbis. As you said they can use the wiring for backhaul.

jokes
Dec 20, 2012

Uh... Kupo?

Tab8715 posted:

Curious,

How much will having a hard wired connection benefit me as opposed to using wireless? I'm hitting about 60-80ms latency on most games.

Generally wired connections are far more stable and faster. I say generally because this is not always the case. Sometimes a regular Cat5 cable is used, which can't transfer data faster than 100Mbps which is slower than a lot of wireless connections, especially if you use an AC router. This isn't an issue if you have a slow internet speed already.

802.11n is limited at a theoretical 300Mbps, and AC is faster than that. So, for example, if your house is wired with Cat5 (not Cat5E or Cat6 cables) or you use a Powerline adapter then wireless will probably be a better choice. Depending on the interference between the device and AP and a bunch of other factors.

If you bought 100Mbps, have a wireless adapter sitting next to your device(s) and plug it in instead of using Wi-Fi, you won't see much change. Unless your devices' network adapter is poo poo.

That being said, in a typical scenario where you wire your connection, you'll enjoy a number of things that boil down to faster and more consistent speeds. There is next to no interference with wired connections. There is next to no retransmission of data issues, there is blah blah blah. End of the day, there are a lot of things that routers have to do to make wireless connections reliable, and a lot of things that routers need to overcome. Wired connections really don't have to deal with a lot of problems.

So wired is better for pretty much everyone if you can manage to plug your poo poo in.

eames
May 9, 2009

pfsense is about to adopt some form of integrity protection that may also be used as DRM.
I wouldn't mind paying a reasonable price for it but I imagine others may not be pleased with the decision. :shrug:

https://www.netgate.com/blog/fake-news-annoying-fake-product-serious.html

about the chip:

https://www.microchip.com/design-centers/security-ics/cryptoauthentication

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
Is there an option in the GUI to apply an update that was manually downloaded?

I'm not home at the moment, so I can check in an hour's time.

If there is an option to update from file, then just download the file from Netgate, verify the hash or PGP sig and you're good to go?
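An added example (not from the thread, and not Netgate's own tooling) of the "verify the hash" step for a manually downloaded image: it parses the published checksum file in either of the two common layouts, hashes the local file in chunks and compares digests in constant time. The image filename and checksum line used in `demo()` are constructed placeholders; the PGP signature check is a separate step not covered here.

```python
"""Verify a downloaded installer image against its published SHA-256 checksum.

Added example, not from the thread or from Netgate. It accepts the two checksum
file layouts commonly published next to images, BSD style
"SHA256 (name) = hex" and GNU coreutils style "hex  name", hashes the local
file in chunks and compares digests in constant time.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

_BSD_RE = re.compile(r"^(?P<alg>[A-Za-z0-9-]+)\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)$")
_GNU_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")

def parse_checksum_file(text: str) -> dict[str, str]:
    """Return {filename: lowercase SHA-256 hex}. Rejects non-SHA-256 entries and junk lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD_RE.match(line)
        if m and m.group("alg").upper() != "SHA256":
            raise ValueError(f"expected a SHA256 entry, got {m.group('alg')}: {line!r}")
        m = m or _GNU_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        digest = m.group("hex").lower()
        if len(digest) != 64:  # a 32-hex MD5 or 40-hex SHA-1 must not pass as SHA-256
            raise ValueError(f"digest is not SHA-256 length: {line!r}")
        expected[m.group("name").strip()] = digest
    return expected

def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file of any size without reading it into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(image: Path, checksum_text: str) -> bool:
    """True if the image's digest matches the entry for its filename; KeyError if not listed."""
    expected = parse_checksum_file(checksum_text)
    if image.name not in expected:
        raise KeyError(f"{image.name} is not listed in the checksum file")
    # compare_digest does not short-circuit on the first differing character
    return hmac.compare_digest(sha256_of_file(image), expected[image.name])

def demo() -> tuple[bool, bool]:
    """Constructed end-to-end run: a fake image, its checksum line, and a tampered copy."""
    payload = b"constructed stand-in for an installer image\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        # placeholder filename, not a real release
        image = Path(d) / "pfSense-CE-EXAMPLE-amd64.iso.gz"
        image.write_bytes(payload)
        published = f"SHA256 ({image.name}) = {hashlib.sha256(payload).hexdigest()}\n"
        genuine = verify_image(image, published)
        # one altered byte, as a corrupt or modified download would show
        image.write_bytes(payload[:-1] + b"!")
        tampered = verify_image(image, published)
    return genuine, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```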

eames
May 9, 2009

Some guys with third-party appliances reported that their VPN passwords mysteriously reset.
It could be that their devices shipped a malware-infested installation, it could even be something stored in the UEFI that overwrites the "clean" installation on every boot.
My understanding is that this chip would detect or prevent such changes but it could also function as a form of DRM if netgate discontinues the Community Edition (though they keep saying that they won't).

eames fucked around with this message at 18:34 on Nov 17, 2018

KKKLIP ART
Sep 3, 2004

Yeah this really seems like PFSense wants to cut out the gray market folks. It still seems a bit nebulous for what it means for folks who just roll their own, maybe they will have some sort of USB based dongle that does the same thing as their first party chip in their own boxes.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
I've been looking for a reason to switch to OPNSense. This helps.

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
Yeah. I did take the briefest of looks at OPNSense and there are two things that stop me:

1. Starting my config from scratch.
2. Having the time to lose all my home networking and dedicate an afternoon to loving around and swearing at my firewall settings (see point 1)

Does anyone know if OPNSense will import a pfSense config file and apply all your settings reliably?
