List of routers for FTTNx2 and VPN

Advanced feature discussion, beta programs and unsupported "Labs" features.
26 posts Page 2 of 3
by arthurdent2 » Fri Dec 23, 2016 10:25 pm
I would recommend you build (or buy) a pfSense box. I built one using some components I already had + some extras. Popped it into a Fractal Design Node 202. It can handle everything I throw at it and then some.

Depending on your supposed download speed, the 2220-4860 should be where you are aiming. 4860 if you are closer to gigabit speeds. But I believe there are throughput sizing guides already out there for these things. The Asus routers fall flat on their face once you get up to the upper echelons of speed. And they fall on their face when you scan them from the outside with nmap.

Keep in mind, these pfsense boxes are not designed to be used like a switch as well as a firewall, so you don't *need* 4 ports on them. The additional ports default to being treated as DMZ type networks. Not something you can't bypass, just something to keep in mind. A recommended basic home setup would go something like this:

sonic.net demarc -> pFsense box -> switch -*> optionally you would have your WAP attached to the switch

In your case you can configure the Asus router to function in a bridged (WAP) only mode. Just my $.02.
by pratik » Sat Dec 24, 2016 12:43 am
arthurdent2 wrote: I would recommend you build (or buy) a pfSense box. I built one using some components I already had + some extras. Popped it into a Fractal Design Node 202. It can handle everything I throw at it and then some.

Depending on your supposed download speed, the 2220-4860 should be where you are aiming. 4860 if you are closer to gigabit speeds. But I believe there are throughput sizing guides already out there for these things. The Asus routers fall flat on their face once you get up to the upper echelons of speed. And they fall on their face when you scan them from the outside with nmap.

Keep in mind, these pfsense boxes are not designed to be used like a switch as well as a firewall, so you don't *need* 4 ports on them. The additional ports default to being treated as DMZ type networks. Not something you can't bypass, just something to keep in mind. A recommended basic home setup would go something like this:

sonic.net demarc -> pFsense box -> switch -*> optionally you would have your WAP attached to the switch

In your case you can configure the Asus router to function in a bridged (WAP) only mode. Just my $.02.
Thanks a lot for the input.
I didn't even know about pfSense; I read about it here and there but disregarded it until now.
So this is the first time I went and investigated pfSense.
I still don't understand exactly what "Popped it into a Fractal Design Node 202" means.

And by 2220-4860 I'm assuming you are referring to those: https://pfsense.org/products/. Those are good boxes but kind of on the expensive side, so I'll stick with the Zotac and install either pfSense or OpenWRT x86 on it.

I'm reading through a few threads like https://www.reddit.com/r/networking/com ... h=c5443201, and it looks like people really prefer pfSense over the alternatives. I'm familiar with OpenWRT and Tomato, so I'm just trying to see the differences before I switch.

One thing: it seems pfSense was built for x86 from the start, whereas all the other alternatives started out as embedded.

I don't mind having one port acting as DMZ-like functionality. As for the sonic.net demarc, I don't understand exactly what it is. I'm looking at https://en.wikipedia.org/wiki/Demarcation_point and I think it just stands for the VPN server (all traffic going through the Sonic VPN). And yes, even if I go OpenWRT I have a similar structure in mind (Sonic -> Zotac -> ASUS (switch and bridged WAP) -> all other devices).
by forest » Sat Dec 24, 2016 12:53 am
I believe VyOS is another option for x86 routers. It's based on Debian Linux, but has a router and firewall configuration system that I find much more intuitive than low-level Linux configs. I've been running its cousin EdgeOS (both are descendants of Vyatta) on my EdgeRouter for a few months, and I'm pretty happy with it.
by pratik » Sat Dec 24, 2016 10:40 am
forest wrote: I believe VyOS is another option for x86 routers. It's based on Debian Linux, but has a router and firewall configuration system that I find much more intuitive than low-level Linux configs. I've been running its cousin EdgeOS (both are descendants of Vyatta) on my EdgeRouter for a few months, and I'm pretty happy with it.
Thanks.
I did a quick search and:
pfSense (GUI) vs VyOS (CLI)
pfSense (packages) vs VyOS (no packages)

I think because of those 2, I'll go with pfSense.
I may read about / try VyOS in a VM just to understand it, but I'm not going to go with it on the main VPN client router (Zotac PC).
by pratik » Sat Dec 24, 2016 11:02 am
OK, here is a list of all the distros available and a little bit of comparison:
http://www.mondaiji.com/blog/other/it/1 ... all-distro
by arthurdent42 » Sat Dec 24, 2016 11:03 am
pratik wrote:
arthurdent2 wrote: I would recommend you build (or buy) a pfSense box. I built one using some components I already had + some extras. Popped it into a Fractal Design Node 202. It can handle everything I throw at it and then some.

Depending on your supposed download speed, the 2220-4860 should be where you are aiming. 4860 if you are closer to gigabit speeds. But I believe there are throughput sizing guides already out there for these things. The Asus routers fall flat on their face once you get up to the upper echelons of speed. And they fall on their face when you scan them from the outside with nmap.

Keep in mind, these pfsense boxes are not designed to be used like a switch as well as a firewall, so you don't *need* 4 ports on them. The additional ports default to being treated as DMZ type networks. Not something you can't bypass, just something to keep in mind. A recommended basic home setup would go something like this:

sonic.net demarc -> pFsense box -> switch -*> optionally you would have your WAP attached to the switch

In your case you can configure the Asus router to function in a bridged (WAP) only mode. Just my $.02.
Thanks a lot for the input.
I didn't even know about pfSense; I read about it here and there but disregarded it until now.
So this is the first time I went and investigated pfSense.
I still don't understand exactly what "Popped it into a Fractal Design Node 202" means.

And by 2220-4860 I'm assuming you are referring to those: https://pfsense.org/products/. Those are good boxes but kind of on the expensive side, so I'll stick with the Zotac and install either pfSense or OpenWRT x86 on it.

I'm reading through a few threads like https://www.reddit.com/r/networking/com ... h=c5443201, and it looks like people really prefer pfSense over the alternatives. I'm familiar with OpenWRT and Tomato, so I'm just trying to see the differences before I switch.

One thing: it seems pfSense was built for x86 from the start, whereas all the other alternatives started out as embedded.

I don't mind having one port acting as DMZ-like functionality. As for the sonic.net demarc, I don't understand exactly what it is. I'm looking at https://en.wikipedia.org/wiki/Demarcation_point and I think it just stands for the VPN server (all traffic going through the Sonic VPN). And yes, even if I go OpenWRT I have a similar structure in mind (Sonic -> Zotac -> ASUS (switch and bridged WAP) -> all other devices).

Hey there, going to try to address all the questions, but if I miss something please forgive me.

Fractal Design 202 is a case:

http://www.fractal-design.com/home/prod ... s/node-202

It's only a little bit longer than the original Xbox One. It is cramped, but if you are just using a motherboard, some sort of 2.5" drive and a NIC it's fine. Mine is whisper quiet.

You are correct on the models. They sell a range of models, and depending on your plans and speeds the 2220, 2440, or 4860 would fit the bill nicely. Since you already have the hardware there's no need to repurchase. You should be able to install pfSense on it and give it a try. One thing you could do to look around at the interface is use some virtual machines to just give it a spin and see if it will work for you.

pFsense is extremely robust and is fairly simple to configure. You would probably want to tweak the defaults a little bit to make things "just work". But if you do decide to go the pFsense route you will have a full blown firewall that should perform better than OpenWRT in almost every test you can throw at it.

Just be sure you understand the caveats of something in a DMZ before you make that decision. I believe you can tweak the OPT ports to function like standard LAN ports, but that wasn't the intention of the design as I recall.

A demarc is a demarcation point. Put simply, it's where sonic.net's responsibility ends, and yours begins. In a sonic.net FTTH install, their demarc would be their router (since they support it). The argument could be made that it is technically the ONT box that is installed as part of the FTTH install. If you remove their router from the mix and use your own, their responsibility would end at the ONT box. Anything past that would be your responsibility. Typically you can consider a modem to be the demarc.

With VyOS, I would shy away from it if you aren't too command line savvy. While a fork of VyOS is what Ubiquiti uses (http://ubnt.com) in all of their gear, a lot of the features aren't available in their GUI and would likely not be available in any GUI you could find (this is purely speculative). To unlock a lot of the potential of the Ubiquiti gear you need to use the command line to tweak features.

Did you end up buying the box from Amazon, or was it something different? Sorry if you already answered this, it wasn't clear to me.

I would shy away from combining your router/firewall into your HTPC. Let the router/firewall do the duty it was designed for and get something else for the HTPC.
by pratik » Sat Dec 24, 2016 7:33 pm
arthurdent42 wrote:

Hey there, going to try to address all the questions, but if I miss something please forgive me.

Fractal Design 202 is a case:

http://www.fractal-design.com/home/prod ... s/node-202

It's only a little bit longer than the original Xbox One. It is cramped, but if you are just using a motherboard, some sort of 2.5" drive and a NIC it's fine. Mine is whisper quiet.

You are correct on the models. They sell a range of models, and depending on your plans and speeds the 2220, 2440, or 4860 would fit the bill nicely. Since you already have the hardware there's no need to repurchase. You should be able to install pfSense on it and give it a try. One thing you could do to look around at the interface is use some virtual machines to just give it a spin and see if it will work for you.

pFsense is extremely robust and is fairly simple to configure. You would probably want to tweak the defaults a little bit to make things "just work". But if you do decide to go the pFsense route you will have a full blown firewall that should perform better than OpenWRT in almost every test you can throw at it.

Just be sure you understand the caveats of something in a DMZ before you make that decision. I believe you can tweak the OPT ports to function like standard LAN ports, but that wasn't the intention of the design as I recall.

A demarc is a demarcation point. Put simply, it's where sonic.net's responsibility ends, and yours begins. In a sonic.net FTTH install, their demarc would be their router (since they support it). The argument could be made that it is technically the ONT box that is installed as part of the FTTH install. If you remove their router from the mix and use your own, their responsibility would end at the ONT box. Anything past that would be your responsibility. Typically you can consider a modem to be the demarc.

With VyOS, I would shy away from it if you aren't too command line savvy. While a fork of VyOS is what Ubiquiti uses (http://ubnt.com) in all of their gear, a lot of the features aren't available in their GUI and would likely not be available in any GUI you could find (this is purely speculative). To unlock a lot of the potential of the Ubiquiti gear you need to use the command line to tweak features.

Did you end up buying the box from Amazon, or was it something different? Sorry if you already answered this, it wasn't clear to me.

I would shy away from combining your router/firewall into your HTPC. Let the router/firewall do the duty it was designed for and get something else for the HTPC.
Thanks for the explanation.
I've bought http://www.newegg.com/Product/Product.a ... -_-Product (Drew mentioned it in one of his posts). I wanted something in the form factor of the Amazon link (4 Ethernet ports), however that CPU doesn't have hardware AES-NI support, so I bought the Zotac (Newegg) instead.

Yes, downloading pfSense as I type; going to try it in a PC VM.
And I felt similarly about VyOS; for now it seems very CLI based and I don't want to dabble with it (I can get it working after reading through posts/documentation, but I'll forget all that in the near future due to lack of use and will face the same problems when I have problems).

Using the pfSense box as an HTPC is not at all a priority, but it's something I may try just to see how well the Zotac can handle it (more like just because I can). However, this is only if I feel comfortable trying it on my network after getting everything set up.
by Guest » Mon Dec 26, 2016 10:41 am
+1 for pfSense. Running the 64-bit distro from a small SSD on a Supermicro A1SRi-2758F board in an SC101i case, which is quite a bit smaller than the AT&T 5268AC modem for FTTNx2... Hardware crypto is enabled. 37 Mbps via Sonic's VPN (128-bit); 28 Mbps via another VPN provider (256-bit). Using all 4 interfaces on this board. LAN WiFi is served via a UniFi® AP-AC-LR which works great. Will never deal with consumer-grade routers again. Good luck!
by pratik » Mon Dec 26, 2016 6:48 pm
At the start the pfSense web UI is quite a handful,
however there are a bunch of videos on YouTube about setup.
Right now running VM with pfSense and another VM with Ubuntu connected to pfSense to get used to the interface.

Parts are delivering tomorrow so hopefully tomorrow by this time I can report back :)
by pratik » Tue Dec 27, 2016 6:25 pm
OK, got pfSense installed on the box; the installation itself was quite easy.
Figuring out the Ethernet ports and assigning them was a bit of work, but nothing really back-breaking.

Now I'm at the OpenVPN client config page and it's quite overwhelming. I'm trying to find some useful info online, but if anyone knows exactly what each field on the page means, I would really appreciate it.
[EDIT]: Found a link: https://forum.pfsense.org/index.php?topic=76015.0 I will try following it.

And don't try to set up a DMZ for 2 devices at the same time (in the PACE web UI), for obvious reasons: you can't get the same IP address for 2 devices. This is quite stupid, but yeah, I did it and tried figuring out why my other router was misbehaving.
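The OpenVPN client page that the post above finds overwhelming is essentially a form that writes out a standard OpenVPN client configuration. As an added example (not from this thread and not pfSense's own code), here is an annotated client config with the directives those fields correspond to, a deliberately weakened variant, and a small POSIX shell check for the options that matter most on the client side: the server-role check, the TLS key, and not disabling the cipher or digest. The hostname, port and file names are placeholders, and the pfSense field names in the comments are from memory of the 2.3-era GUI and may differ by version.

```shell
#!/bin/sh
# Added example, not from this thread and not pfSense's own code: an annotated
# OpenVPN client config in plain .ovpn form plus a small check of the settings
# that matter most for security. Host, port and file names are placeholders;
# the pfSense field names in comments are from memory and may differ by version.

# Constructed hardened client config. Each directive is what a GUI field emits.
CLIENT_CONF='client
# Device mode: tun = routed layer-3 tunnel (tap = bridged layer 2)
dev tun
# Protocol, and server host or address + port (placeholders)
proto udp
remote vpn.example.invalid 1194
# No fixed local port; keep key and tunnel across restarts; retry DNS forever
nobind
persist-key
persist-tun
resolv-retry infinite
# Peer Certificate Authority, Client Certificate, and its private key
ca ca.crt
cert client.crt
key client.key
# TLS Authentication key; direction is 1 on the client, 0 on the server
tls-auth ta.key 1
# Accept only a server cert carrying the server extended key usage, so another
# client cert signed by the same CA cannot pose as the server
remote-cert-tls server
# Encryption Algorithm and Auth digest Algorithm
cipher AES-256-CBC
auth SHA256
# Username/password prompt, only if the provider requires it besides certs
auth-user-pass
verb 3'

# Constructed weakened variant: no server-role check, no TLS key, crypto off.
WEAK_CONF='client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
cipher none
auth none
verb 3'

# conf_has CONF_TEXT EXTENDED_REGEX: true if any non-comment line matches.
conf_has() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*[#;].*$//' | grep -Eq -- "$2"
}

# ovpn_check CONF_TEXT: prints one line per missing or weak directive and
# returns 1 if any was found, 0 if the config passes every check.
ovpn_check() {
    ovpn_rc=0
    conf_has "$1" '^remote-cert-tls[[:space:]]+server' \
        || { echo "missing: remote-cert-tls server (no server-role check)"; ovpn_rc=1; }
    conf_has "$1" '^(tls-auth|tls-crypt)[[:space:]]' \
        || { echo "missing: tls-auth/tls-crypt (no HMAC on the control channel)"; ovpn_rc=1; }
    conf_has "$1" '^cipher[[:space:]]+none' \
        && { echo "weak: cipher none (tunnel data sent in the clear)"; ovpn_rc=1; }
    conf_has "$1" '^auth[[:space:]]+none' \
        && { echo "weak: auth none (no packet authentication)"; ovpn_rc=1; }
    conf_has "$1" '^verify-x509-name[[:space:]]' \
        || echo "note: no verify-x509-name (optional: pins the expected server name)"
    return "$ovpn_rc"
}

echo "--- hardened config"
if ovpn_check "$CLIENT_CONF"; then echo "result: OK"; else echo "result: needs attention"; fi
echo "--- weakened config"
if ovpn_check "$WEAK_CONF"; then echo "result: OK"; else echo "result: needs attention"; fi
```

Run it with `sh`; the first config passes (with one informational note), the second lists four problems. The `remote-cert-tls server` line is the one most often left off when copying a client config by hand, and it is the directive that stops any other certificate issued by the same CA from being accepted as the server. On the "Hardware Crypto" field: with an AES-NI CPU, as in the hardware discussed earlier in this thread, the OpenSSL build OpenVPN links against uses the instructions on its own, so no extra `engine` directive is needed for that.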