What Router are you Running?


gzibell


Hey All, 

 

Hoping to get some advice on what router/firewall you guys are running. I had been running a Netgear router flashed with DD-WRT for quite a while but that died. We use the Meraki product line at work so I brought one home and used that for a few months. The one really nice thing the Meraki offers is the reporting. It is really nice to log into the management interface and see what devices, applications, etc. are using bandwidth and how much. This can be filtered by day/week/month or custom time frame. Not that I need this reporting, but seeing SSL Encrypted traffic accounting for the majority of my usage for some reason makes me sleep better.

 

I set up a pfSense box and have been using that for a couple of weeks on hardware I had lying around. It does the job but the reporting that is available is pretty minimal. I tried some add-on packages but couldn't find one that I felt was worth it. I have it running on desktop hardware so the electricity cost will be much higher than an embedded device. Might take years to make up the purchase price of a decent router but I can also re-purpose that hardware for something else.

 

I started looking at the edge router/unifi security gateways as I currently have 2 unifi AP’s.  Seems like the USG might be an ok option.

 

If you're using something that you love that gives you any cool bandwidth reporting let me know. Struggling to make a decision.

 

Thanks!

 

Link to comment
1 hour ago, tdallen said:

Asus, but I'm looking at the USG and EdgeRouters right now as well.

The USG devices look pretty slick connecting to the unifi controller and since I already have the unifi AP's it seems like the way to go. I tried their controller demo and they have some application reporting but no way to filter it by day/week/month.  Actually there is no time reference at all so the data is sort of useless but I imagine that will improve.  Attached a pic of what that dashboard looks like. 

 

The Edge Router Lite (ERLite-3) apparently has the identical specs to the USG but the EdgeOS or whatever powers it is more mature with more options. I guess you can still do everything on the USG but you have to jump into the CLI to get some of it done. I think for the basics, LAN, port forward, DHCP, either would be fine though. The impression I get from the internet as a whole is go with the EdgeRouter over the USG.

 

Anyone have either that can comment?

 

 

Capture.PNG

Link to comment

I have both actually. I started with the ERL and it is by far more powerful with the options you can set from the GUI/CLI. I lacked the skills to program a lot of it however. I found that the USG is better suited for me as it works natively with UniFi controller. I do not use the advanced features the ERL offered anyhow. I liked the UniFi controller setup and it auto configured the USG for me. It is kind of like unRaid vs full blown Linux solution involving CLI setup and everything. If you need features that are not currently offered in the UniFi controller then the ERL is going to be the better option for sure.

Link to comment

That makes sense. I like playing around with stuff but I like it when stuff just works even better. unRaid has run like a champ for me since the day I set it up and I am continuing to add to my setup to expand the functionality. Setting up unRaid was pretty much the best decision I have made right after Plex and buying 50 pairs of the exact same socks. I hate trying to find matching socks.

 

Even went through a HDD failure a few months after moving all my data over.  Replaced the drive and everything rebuilt from parity without issues.  That finally got the wife on-board with the idea too.  Tried to explain it before that happened that if we lost a drive her 100K pictures would just be gone.  Never really made sense until the drive failed.  Made explaining the cost of CP Pro pretty easy too.

 

The more I think about it the more I feel like the USG is the way to go. Keep it simple and it has most of what I will ever need/want. I assume there are no issues with the USG utilizing my 100/100 connection to its fullest? We have fiber right to our house so we can get 1Gb/1Gb connection if we want to pay for it. Whatever I do get I want it to be something that will handle the load I have now and what I might have tomorrow.

 

Is the USG good enough or is jumping to the pro a good idea for future proofing?

Link to comment

pfSense. Use ELK, Graylog, pfLogstash, etc. to get your reporting with the pretty views. I run it on AMD 5350 Kabini and ASRock AM1H-ITX with 16GB, 4-port Intel card and external laptop power supply. Runs around 30W at full load, 10-15W average. Snort, pfBlockerNG, Squid, OpenVPN, Radius server, probably forgot something.

Link to comment

I am using pfSense on unRaid for routing control, multi-WAN, firewall and some tp-link EAP's for wireless access points. The system works well for me, though I do wish pfSense had some better visual reporting of traffic etc as the photos above in this convo have.

 

My current weak point is I do not have a suitable backup for my pfSense VM. If unRaid goes down, I would need to plug my old Asus flashed to DD-WRT in. I would lose any of the configuration changes I have made in the last year as well as dual WAN setup. But it's a risk I am fine with.

Link to comment
2 hours ago, unevent said:

pfSense. Use ELK, Graylog, pfLogstash, etc. to get your reporting with the pretty views. I run it on AMD 5350 Kabini and ASRock AM1H-ITX with 16GB, 4-port Intel card and external laptop power supply. Runs around 30W at full load, 10-15W average. Snort, pfBlockerNG, Squid, OpenVPN, Radius server, probably forgot something.

 

Looking to do similar myself, though with an MSI board and a dual port Intel NIC. pfSense is excellent; at work our firewall is pfSense running on an old Core2Duo Optiplex, though with pfSense 2.5 coming that needs AES-NI I'll have to upgrade that to something more modern.

 

I currently have a TPLink VR2800 router/modem combo, but it chokes running OpenVPN.

Link to comment
2 hours ago, unevent said:

pfSense. Use ELK, Graylog, pfLogstash, etc. to get your reporting with the pretty views. I run it on AMD 5350 Kabini and ASRock AM1H-ITX with 16GB, 4-port Intel card and external laptop power supply. Runs around 30W at full load, 10-15W average. Snort, pfBlockerNG, Squid, OpenVPN, Radius server, probably forgot something.

 

Any chance you can point me in the right direction on the reporting side of pfSense? Did some searching after reading your post and it seems like the pfLogstash docker is no longer in development, is it still good? ELK looks like it needs to run on a different machine/VM. I did install the Squid package, looked at the options and decided I didn't have the time for that right now. I would really like to get pfSense set up for some nice reporting though but not sure where to start.

 

 

1 hour ago, NotYetRated said:

I am using pfSense on unRaid for routing control, multi-WAN, firewall and some tp-link EAP's for wireless access points. The system works well for me, though I do wish pfSense had some better visual reporting of traffic etc as the photos above in this convo have.

 

My current weak point is I do not have a suitable backup for my pfSense VM. If unRaid goes down, I would need to plug my old Asus flashed to DD-WRT in. I would lose any of the configuration changes I have made in the last year as well as dual WAN setup. But it's a risk I am fine with.

 

Yeah I toyed with that idea as well, the pfSense VM part. My two hangups were what if unRaid goes down, that means no internet at all without swapping in a different box. And the security side of things. Just seems like having the pfSense VM is somehow less secure than having a physical pfSense box. The general consensus from a security standpoint was a firewall should be a firewall even though I found no evidence at all that a VM of pfSense would be less secure than a physical box.

 

I would like to get the equipment I am currently running pfSense on back for other purposes, but I would have to purchase a multi-port NIC to do that, so for right now, until I figure out if I am going to stick with pfSense or move to a USG or something else, I am leaving it as is.

 

 

34 minutes ago, HellDiverUK said:

 

Looking to do similar myself, though with an MSI board and a dual port Intel NIC. pfSense is excellent; at work our firewall is pfSense running on an old Core2Duo Optiplex, though with pfSense 2.5 coming that needs AES-NI I'll have to upgrade that to something more modern.

 

I currently have a TPLink VR2800 router/modem combo, but it chokes running OpenVPN.

 

What is running your unRaid server? I did set up OpenVPN through pfSense and it worked fine but since I was switching routers in and out I figured it would be easier to run it as a docker on unRaid with only the port forward set up in pfSense. That way I can swap and change as much as I want and all I have to set up is 2 port forwards (Plex and OpenVPN) and my current setup is back up and running. My unRaid box is currently an i5 with 16GB RAM so it handles the OpenVPN connection with no problem.

Link to comment
46 minutes ago, HellDiverUK said:

I currently have a TPLink VR2800 router/modem combo, but it chokes running OpenVPN.

 

Started similar, but with 600MHz MIPS ASUS router running Tomato.  I miss Tomato's configuration GUI and QOS, but pfSense is much more powerful/capable.  With the Kabini I can do VPN using PIA strong encryption to the full 100Mbit Internet I have which is usually around 14MB/s.  OpenVPN being single threaded my only suggestion is to favor higher clock speeds vs. more cores at lower clock and of course AES-NI hardware support.

Link to comment
12 minutes ago, gzibell said:

 

Any chance you can point me in the right direction on the reporting side of pfSense? Did some searching after reading your post and it seems like the pfLogstash docker is no longer in development, is it still good? ELK looks like it needs to run on a different machine/VM. I did install the Squid package, looked at the options and decided I didn't have the time for that right now. I would really like to get pfSense set up for some nice reporting though but not sure where to start.

 

The logging/display would/could be done separately in a Docker or VM on unRAID. pfLogstash in Docker form here on the forums will work for pre-2.4.x releases. The grok filters need an update to work with the latest pfSense release (which was released a couple weeks ago or so). Graylog is also available in a Docker here and can also spin up a VM using Ubuntu Server, which I did for a while, but it also needs a filter update for 2.4.1. There are a few 'traditional' ELK stacks in Docker flavor floating around as well. There is a package or two available on pfSense to do some logging/sorting such as which websites an IP visited, but no fancy graphics like what is available using the external tools. Regarding running pfSense in a VM on unRAID, my suggestion is to not do it without an in-place backup to take over the tasks when you stop the array or shut down the server. I like the KISS principle when it comes to network security: get a low power-draw dedicated system to run your firewall. There are numerous guides on the 'net for setting up just about anything pfSense. Squid is a caching proxy server and has limited use these days since Internet pipes are fat and fast. I only use it for some minor additional filtering and for basic antivirus (clamav) on unencrypted traffic.

Link to comment
16 hours ago, gzibell said:

What is running your unRaid server? I did set up OpenVPN through pfSense and it worked fine but since I was switching routers in and out I figured it would be easier to run it as a docker on unRaid with only the port forward set up in pfSense. That way I can swap and change as much as I want and all I have to set up is 2 port forwards (Plex and OpenVPN) and my current setup is back up and running. My unRaid box is currently an i5 with 16GB RAM so it handles the OpenVPN connection with no problem.

 

Similar here, an i5-6500T.  I prefer having the VPN on the router - the VPN isn't much use if the server dies/crashes or the network switch craps out or something.

 

My previous router, an Asus RT-AC87U could run OpenVPN no problems, but it had a fast dual core SOC.  I'm not sure what the TPLink has under the hood, but it's not as fast as the Asus.

Link to comment

Edgerouter Lite with 2 AC ARs for coverage. I looked at the USG but felt I needed a little more. I always ran into uses with segmenting guest traffic, IoT traffic, VPN, nat loopback, and separate DNS server all rolled into one mix.

Not too much of a command line guy on routers but I have been learning after setting several things up. All I can say is I am impressed so far!

One day I might do the pfsense thing if I can find something to run it on that works great and isn't power hungry.

Link to comment
54 minutes ago, digiblur said:

One day I might do the pfsense thing if I can find something to run it on that works great and isn't power hungry.

What spec is your unRAID server?  I've just gone back to running pfSense in a VM as I've managed to free up a PCIe slot for my nic that only cost me £60 and it's barely using any resources:

 

[Attached screenshot: pfSense Status / Dashboard, Woody.localdomain]

 

I've assigned 2 cores from my server.  Admittedly, this is before setting up squid, vpn, snort etc (I'm doing a fresh install rather than restoring my backup) but they still only took my CPU usage to around 25% from memory.

 

Compared to the ISP provided, netgear, d-link etc kit I've run over the last twenty years, pfSense is amazing.

Link to comment

Ubiquiti EdgeRouterX  (about $50.00US)

 

I got it because it was the only one that I could find locally without built-in WiFi when my previous router failed. (I use an access point when WiFi is necessary.) It was a bit of a bear to set up because of the lack of a GOOD set of instructions! (Don't tell your Mother to buy one expecting it to be a plug-and-play device!!!) I did get it working and after getting on the Internet, I could download the manuals for it.

Link to comment
  • 3 weeks later...

I use an Untangle next gen firewall. The paid version is now $50 a year for all apps for home use.

I have 3 networks in it: WAN, LAN and WiFi. All WiFi devices but mine get the net but not the LAN.

It is running on a cheap 5 watt celeron 4 core micro itx system.

 

Ads, viruses, unwanted countries, unwanted applications, and unwanted sites by category blocked.

Great reports and network tunneling like TunnelBear for the whole LAN.

 

john

 

Link to comment
On 11/7/2017 at 11:13 PM, sadkisson said:

I have both actually. I started with the ERL and it is by far more powerful with the options you can set from the GUI/CLI. I lacked the skills to program a lot of it however. I found that the USG is better suited for me as it works natively with UniFi controller. I do not use the advanced features the ERL offered anyhow. I liked the UniFi controller setup and it auto configured the USG for me. It is kind of like unRaid vs full blown Linux solution involving CLI setup and everything. If you need features that are not currently offered in the UniFi controller then the ERL is going to be the better option for sure.

 

I also started with the ERL. This is a so-called prosumer product. Don't know if it is still the case but back then the default factory setting was very sparse and you needed to configure everything. This isn't a problem if you know your way in networking (something I do for a living). The CLI is very powerful and allows you to do a lot more than the average home router, performance of the box is excellent, it actually outperforms more expensive Cisco and Juniper (professional) gear. Ubiquiti made a nice promo about it with subtle references. See:

 

 

If you are really into it, you can make custom functions and add these to the GUI. I've made a couple and actually Ubiquiti took my DNS manager and have put it in their product :)

 

The USG is based on the same hardware as the ERL, so performance wise top notch. The approach here is more accessible for the average user, most important features are preset and out-of-the-box experience is better. Under the hood there still is CLI, which gives access to the same advanced features as the ERL (though some trickery needs to be done to make CLI changes stick).

 

The Unifi controller (available as a Docker container on unRAID) makes it very easy to manage both wired and wireless devices from a single interface. That is what I am doing at the moment. Certainly recommendable.

Link to comment
