1 Gigabit WAN-to-LAN Hardware

Morning all.

Going to be building my own router which for the time being only needs to handle 20MBit ADSL - Easy.

However, it's going to need headroom to route/firewall 1Gigabit Down/100Mbit Up Fibre to the premises. This is beyond my technical experience from a requirements point of view.

pfSense recommends server grade/modern desktop kit of at least 3GHz in CPU processing power but I imagine a little more is going to be needed when I start adding packages and services.

I will need Traffic Shaping/QoS on top of regular routing and firewalling duties.

Preferably I want a mini-ITX form-factor with modest power usage. My initial research has pointed me in the direction of a Socket 1155 Intel board that also has integrated Dual Gigabit LAN but also has PCI-E expansion.

What are people's thoughts on a project like this?

Additionally, what kind of hardware would the ISP provide as part of the service? Even the fastest of the off-the-shelf router products only manage ~800Mbps WAN-to-LAN. Are they going to sell a 1Gigabit product with hardware that only can suck down 80% of it?

I've posted here as consumer 1gigabit fibre to the premises is pretty rare and the enterprise environment is likely far more applicable.

Was recommended a RouterBoard RB2011L-IN elsewhere which has a claimed ~950Mbps throughput but I have no experience with RouterOS and its flexibility.
 
This thread over at Ars Technica has some information on using pfSense for multi-gigabit throughput.

In short, a decent quad-core should work well, but check the pfSense forums as well. There's a lot of information there on speccing out your pfSense box.
 
> Additionally, what kind of hardware would the ISP provide as part of the service? Even the fastest of the off-the-shelf router products only manage ~800Mbps WAN-to-LAN. Are they going to sell a 1Gigabit product with hardware that only can suck down 80% of it?

Cisco do loads of routers that will do this without breaking sweat. 7200 G2 will, 7300 will, 7600s will do up to 25ish, 12000s will do 20. CRS1 will do 40! There are ASRs too, not sure of where they fit in but one of those might be a "fit" too.

Juniper have their equivalents as well, if not better.

Are you actually going to be seeing gigabit throughput on that connection? I'm not sure what your organisation does but it seems incongruent to be running that size of operation from a home-built platform?
 
> Cisco do loads of routers that will do this without breaking sweat. 7200 G2 will, 7300 will, 7600s will do up to 25ish, 12000s will do 20. CRS1 will do 40! There are ASRs too, not sure of where they fit in but one of those might be a "fit" too.
>
> Juniper have their equivalents as well, if not better.
>
> Are you actually going to be seeing gigabit throughput on that connection? I'm not sure what your organisation does but it seems incongruent to be running that size of operation from a home-built platform?

Bit OTT for the scenario?
Budget option is by far pfSense on a homebrew box. pfSense pretty much goes as fast as the hardware lets it. Critical would be two GOOD gigabit NICs, not onboard carp! Though they're gigabit link speed, cheap adapters can't get close to full throughput.

If budget is no object, a Palo Alto PA500 would probably do it, PA2020 definitely will. But that's £10k and kinda not worth it unless you've got 1000+ users relying on it :)
 
Router board stuff I've found to be very nice but I've only used it on my FTTC, not on anything as heavy as your usage.

Got a friend using a single Quad core HP DL360 g4 to route BGP at 1GB/ both ways with 4gb of ram. Looks like the main thing is to get a good TCP offloaded NIC; there's a few good Intel ones out there which are good for this.
 
> Bit OTT for the scenario?
> Budget option is by far pfSense on a homebrew box. pfSense pretty much goes as fast as the hardware lets it. Critical would be two GOOD gigabit NICs, not onboard carp! Though they're gigabit link speed, cheap adapters can't get close to full throughput.
>
> If budget is no object, a Palo Alto PA500 would probably do it, PA2020 definitely will. But that's £10k and kinda not worth it unless you've got 1000+ users relying on it :)

He asked what an ISP would do. An ISP isn't going to ship a piece of homebrew kit.

What enterprise that needs gigabit WAN throughput is prepared to rely on home-made kit?
 
> He asked what an ISP would do. An ISP isn't going to ship a piece of homebrew kit.
>
> What enterprise that needs gigabit WAN throughput is prepared to rely on home-made kit?

No, read the post. He asked what kind of kit an ISP would ship him with such a line, not what kind of kit ISPs use themselves and given earlier he states "building my own router" I think I'm safe in assuming this is purely for comparative purposes. He's building this himself for himself, not an enterprise. Homebrew is fine, not to mention you can buy support for pfSense if you want to, lots of educational institutions do use it in enterprise networks.


On that subject, I realise now I didn't answer that part: Most ISPs terminate on a Cisco of sorts. Usually a 2800 series for 100meg bearer stuff. Can't remember what I've seen on 1Gig lines, but it'll be bigger than a 2800. Whether they'll use the same kit for home users I don't know, I'd imagine something from a lesser name with a cheaper price tag.
 
To give you an idea on ISP hardware, we have a 1Gb internet connection supplied and it is terminated on a Cisco 3845 ISR to a pair of ASA5040, it does put most of the bandwidth through, but the bottleneck comes from the IPS cards in the firewalls which can only handle 650mb throughput (to get the full 1Gb we would need to move to ASA5080'ish size firewalls).

Our 1Gb circuits for WAN connections terminate on a Cisco ASR1002 and 100mb terminate on 2951's.
 
Depends how complex you want to get - if you're after an off-the-shelf box that will do a reasonable job, check out the Engenius ESR-9850, does 600+ Mbps WAN-LAN. Less with QoS etc turned on. Review Here.

What will you be using this connection for?
 
> Depends how complex you want to get - if you're after an off-the-shelf box that will do a reasonable job, check out the Engenius ESR-9850, does 600+ Mbps WAN-LAN. Less with QoS etc turned on. Review Here.
>
> What will you be using this connection for?

Home connection. 1Gbit Down/100Mbit up FTTP.

I found out what they are providing with the service:

http://www.tilgin.com/Products/Ethernet-access/HG2300/Details/

A claimed 1Gbit throughput but screw that for a laugh, no way I am replacing a complex firewall/routing setup with this cheap thing all so the ISP can have remote management and configuration on a cheap termination device.

The 2301 model they provide does not even have Gbit LAN ports, nor Gbit WAN ports according to the official spec sheet. How do you offer 1Gbit FTTP on that?! Unless this is a misprint, if not I will crucify them for it :D

When my premises is FTTP enabled I will have a more in-depth conversation with the ISP and TRY to get to someone technical beyond the helpdesk. The support team suggested I ask a line engineer upon installation but 1 - A line install engineer is unlikely to be able to answer my questions and 2 - even if he can, they are already installing the service.

Worst case I am hoping that I can turn the provided device into a dumb one with no NAT/Firewall or otherwise so I can do what I want with my kit. That might be easier said than done, I have NEVER heard of Tilgin and this is no doubt cheap/budget kit (In the words of the ISP "You get a free router with the service worth £50"....50 quid....nice). If the firmware/device is locked down it would seem you are totally stuck relying on the feature set of the gateway to do what you want. That means no complex HFSC Traffic Shaping, Firewall ruling, PPTP/SSH endpoints etc etc. I cannot even find a full user manual for it and have so far not even seen a mention of even basic Firewalling duties!
 
Interesting thread with some useful info - do you guys know if you can run a 10Gbps internet connection through pfSense? (sorry to hijack, but didn't want to put up a new post when it's related to this one, hope that's ok OP)

Just a question, the firewall prices are astronomical.
 
Short answer: Yes.

Long answer: You'll need a relatively beefy CPU (2nd or 3rd Generation i5 or above), plus lots of RAM, and preferably an SSD for the boot.
To get it to perform additional services beyond Firewall / NAT at 10GbE speeds, you'll need to tailor the hardware more towards those requirements (RAID10 SSD cache for a squid cache on such a large pipe, etc.).

For VPN and encryption services, you'll have to look for specific benchmarks for pfSense under those conditions. The newer high-end Intel chips have AES-NI instructions available, which will accelerate AES encrypted tunnels handily, for example.
 