Home network hardware and setup

Hi guys.

I'm looking to set up a fairly straightforward home network with some traffic going out via VPN. My connection is around 30 down 7 up so nothing special.

The network will consist of a gaming PC, a few laptops and the usual mobile devices. I want QoS such that the gaming PC gets the lowest latency and I want the option for each wireless device to send its traffic via VPN or via the standard connection (probably via the option to connect to a VPN WiFi or standard WiFi). Some ports will always go via VPN.

My intended setup is a BT Openreach Huawei HG612 3B modem, with a D525 Atom PC running pfSense and then a wireless access point.

The modem seems to be universally recommended as the cheap go-to and I've just picked up the ITX PC on the cheap to try this out. It doesn't have AES-NI but hoping that shouldn't be an issue on a modest 30M connection.

The PC needs a network card. I'd probably go quad port, it must be PCI-E x4 and I've heard Intel is the way. Can someone post the exact model number of the best card for this application?

As far as access points go, there seem to be lots of good things said about the Ubiquiti access points. Is this the right part for my application where I want essentially two networks to connect to, one VPN and one non-VPN? Is this a good option for working with pfSense?

Any help appreciated. Cheers!
 
Secondhand Intel i340-t4 is a good choice for the network card if you need 4 ports. Are you planning on running it bare metal or in a hypervisor?
UniFi APs will support 2 networks fine. I just use 1 SSID and set rules in pfSense on what routes out over the non-VPN and everything else is routed over the VPN as default.
I would advise something with AES-NI if you're planning on getting a faster connection and as it will be required in 2.5 onwards.
I ended up with a qotom q350g4 running ESXi with pfSense and the UniFi controller.
 
Your setup will be similar to mine if you go with a UAP and pfSense. To answer a couple of your specific questions.

1. If you wanted then yes you can have 2 SSIDs on the UAP and depending on which the device connects to can determine if it goes out via a VPN or not. You'd tag one SSID on a particular VLAN with its own DHCP server on the pfSense box and have an alias for that range route out via the VPN as its gateway.

2. While you are correct in that not having AES-NI won't be a problem given your internet speeds, do be aware it will mean you won't be able to upgrade to pfSense 2.5 when it comes out. You're basically consciously choosing an end of life solution. I don't know your budget but I've been running successfully with a Partaker mini PC that has six NICs built in for nearly a year now with no unscheduled downtime. Small form factor, AES-NI CPU and no compatibility issues with pfSense that I've found. You can get them with anything from Celeron 3865Us up to i7s I think. Bottom of the range would be more than adequate in your scenario.
 
Thanks for the reply. Sorry for my ignorance but I don't know what a hypervisor is. The mini-ITX box I'm getting is £40 so not a huge investment. I understand that whilst 2.5 is coming it is still at least a year away and I assume they will maintain 2.4 with essential fixes for some time. Either way £40 is not a lot to try this out. Can I ask where you sourced your qotom box from? I can't see any UK sellers?

If I were to get something like IBM 94Y5167 49Y4241 Intel I340-T4 Quad Port Ethernet Gigabit PCI Network Adapter refurbished for around £24 do you think that's the route to take?

Again thanks for the info. Did you get your Partaker from the rainforest? As above I think I'm going to run with my cheap solution for the time being (already bought it) as it'll be a good learning experience, then I can move to another setup down the line if needed for 2.5 (when they iron out the inevitable early bugs). It looks like something new would be around £250?
 
I wouldn't get too hung up on a quad port network card. If you end up connecting your LAN into that then you end up using the CPU to switch the packets. If you stick with a single LAN port and run that into a small 8 port switch it'll likely give better performance but certainly more efficiency for LAN>LAN transfers.
 
Could you recommend an appropriate switch or are they all much of a muchness?

i340-t2 is down to £18. For the £6 is it worth just having the extra ports?
 
I couldn't answer that for you. Additional ports are only going to be useful if you have multiple WAN inputs, as additional LAN ports could easily run through 1 interface over VLAN.
An example would be this https://www.overclockers.co.uk/tp-link-8-port-10-100-1000mbps-desktop-switch-tl-sg108-nw-155-tp.html
Dumb L2 switch which is cheaper, newer, double the ports and would be more efficient pushing between its own ports.

My comment about LAN2LAN traffic is probably only valid if you move traffic around your LAN though to and from local servers.

If you are already building the PC then go nuts and grab a quad port anyway but I would loosely advise trying to not switch through the Atom if you can.
 
Most likely there will be no significant LAN2LAN traffic but I'm all in favour of going the optimal route regardless.
 
It won't hurt, I tend to try and build my networks now with a router purely for routing, 1 LAN out to what I term the "core" switch and then splay the network out from that. Each item then gets to do its all at what it was designed for. (Router routing, switch switching and wireless APs for wireless access).
 
Can I ask which UAP you use? It seems to come in many different flavours.
 
A hypervisor would be something like ESXi or Hyper-V and allows you to host a few VMs on the same hardware.
I would pick a 2 port card and a switch for a simple machine that's just running pfSense. Can't mention competitors here but search for "qotom q350g4" and it's the first result.
Current setup is modem > pfSense box > switch. There are 2 x AC-LR and 1 x AC-Pro attached to the network for wifi and a spare to avoid the complaints when I'm tinkering with something. Hope that helps.
 
I run three LRs. Covers a 3,500sqft home and the garden which is about half an acre. The house itself is T-shaped and I’m able to site a UAP at each end of the T in the attics which works well for coverage.
 
I did indeed and £250 at a later date should be sufficient.
 