
brwainer (Member, 3,303 posts)

Everything posted by brwainer

  1. Choosing to “build” a PFSense router with a full PC (oftentimes described as an old PC with an extra ethernet port(s) added via PCIe card) is just one method of achieving a broader goal: to have a more capable (feature-wise) and usually more stable router than what is available as a device from the ISP or off the shelf from the usual home router brands. It should be noted that in doing so (PFSense on an old PC or not), a separate wireless access point, and sometimes a separate ethernet switch, are also required. One major reason people start down this path is because they want to split up their home or homelab into separate VLANs, such as isolating IoT devices which have dubious security away from the rest of the client devices. Here’s a long but not exhaustive list of ways to achieve that goal:
     • Build a PFSense/OPNSense/OpenWRT/Untangle/etc router from a PC you have on hand
     • Build a PFSense/OPNSense/OpenWRT/Untangle/etc router from a PC that is designed specifically to be a router, such as Protectli or one of thousands of listings on eBay or Aliexpress
     • Buy a router from the developers of PFSense/OPNSense/Untangle that has that OS preinstalled, providing you a better supported platform and financially supporting the developers
     • Flash OpenWRT or Tomato onto a compatible regular home router - this one is easy if you already have a model that is well supported by one of these projects and just want a bit more features and stability. For example, last week someone else on this forum had an issue that the stock firmware on their Archer router wouldn’t do a DHCP range larger than 256 addresses; flashing it to OpenWRT allowed them to configure it how they wanted with no loss of functionality (this isn’t always a given, especially if the router uses a Broadcom chipset, or is an early AC model). This is the only option on this list that does not require a separate AP to be purchased, and is also a good way to reuse a prior router as an AP if the stock firmware doesn’t have an AP mode
     • Buy a Ubiquiti EdgeRouter or Mikrotik RB-series router - this one is a good option if you want many more true router features, where “true router” means a device that handles packets at L3 and L4 and can speak many dynamic routing protocols such as OSPF and BGP, and are less interested in advanced firewall features like application recognition, intrusion prevention, and DNS-based content filtering. It is also a good option if you want very good price-to-performance or power efficiency when it comes to being a simple router and stateful firewall for a home or business. For example, a Mikrotik hEX at ~$70 USD (IIRC) will outperform everything else in its power, size, and cost categories (including the low pre-pandemic cost of getting a used office PC and adding a NIC), if you don’t need to go beyond stateful firewall. Stateful firewall means you can create normal rules based on IP or port, and can do inbound/outbound NAT and PAT.
  2. This is an April Fool’s listing. Not the first one Razer has made. Due to timezones, “April 1st” starts earlier than you may expect. It is currently 2:54 AM 2022-04-01 in Japan. “With over 1,333,337 integrated haptic sensors” is just one specific thing that should tell you it’s a joke.
  3. Kaspersky and others on the “Covered List” are banned from use in any project that is partially or wholly funded by the federal government, or will take advantage of subsidies. Private companies and individuals can still use them as they choose. If you look at the “Covered List” you linked, Kaspersky is the only company there that is only a software vendor. All of the companies have a description of what type of products or services are banned.
  4. Look at your server-wide CPU usage and load in the Proxmox dashboard. Even when Plex is at full usage, you should see no more than 75% utilization. It’s no big deal to make more virtual CPUs than physical. If you want to be cautious, you can change the CPU settings on the smart home manager VM to max 50%, and then set the pihole to also max 50%.
  5. The fact that you have a single 1Gb connection from the i350 card to your switch is why you have a bottleneck at 1Gb. Are you trying to do a speedtest from PFSense? I’m not aware of that being something you can do.
  6. I don’t have an explanation or idea as to why you did not have the i225 card showing up before - unless maybe there was a conflict between it and the BIOS. PCIe Gen2 x1 is 4Gbps. If I understood correctly, you have a single 2.5GbE port connected to the Shaw modem. What do you have connected to the “LAN” port(s) of PFSense? If you have a single 1Gb connection to a switch, that is your bottleneck. If you have set up an aggregated link to a switch, you won’t see more than 1Gb on an individual client. If you have multiple client devices connected to the i350-T4 ports, they will be individually limited but should achieve the full speed combined.
  7. They are getting the hostname from the DHCP request the router sends. “IP Passthrough” means to give the designated device the single public IP instead of a private one, but it is still standard DHCP. After you flash OpenWRT you can change the hostname. If you want to be very careful, you can keep the router’s WAN cable disconnected until you’ve changed the hostname back to Archer_C7.
  8. So, unless you are giving them login information for the router itself, the IP passthrough is only something they are setting on the modem/ONT. If you changed the router's firmware to OpenWRT, they would still see the hardware as being TP-Link, because the MAC Address won't have changed. And because the MAC address won't change, you probably wouldn't even need to have Centurylink do anything when you flash OpenWRT, because the IP Passthrough configuration would only be referencing your router based on its MAC address. The reason you have to call them when you change modems is to update the MAC address, and the MAC address is also how they know what manufacturer made the device. The first 6 digits of the MAC address are called the OUI, and are assigned to manufacturers. By the way, I did some searches for related terms, and I could not find any documentation that indicates Centurylink only supports Cisco and TP-Link routers, for IP Passthrough or otherwise.
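A worked example of the OUI point in the post above. This is an added illustration, not part of brwainer’s post and not any ISP’s or vendor’s tool: it normalizes a MAC address written in any of the common notations, extracts the OUI, and looks it up in a small constructed excerpt of the IEEE registry (the three table entries are assumptions standing in for the real IEEE oui.csv). It also checks the locally administered bit, because a randomized or spoofed MAC with that bit set carries no manufacturer information at all, which is the caveat to keep in mind whenever a provider identifies hardware by OUI.

```python
"""OUI extraction and vendor lookup from a MAC address.

Added example, not from the forum thread. OUI_TABLE is a constructed
excerpt; a real lookup uses the full IEEE registry (oui.csv).
"""
import re

# Constructed excerpt of the IEEE registry, keyed by the first three octets.
OUI_TABLE = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "DC:A6:32": "Raspberry Pi Trading Ltd",
    "00:50:56": "VMware, Inc.",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' or
    'aabbccddeeff' and return the upper-case colon form.
    Raises ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """The first three octets (six hex digits) in 'XX:XX:XX' form."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered (for example a
    randomized Wi-Fi MAC). The leading octets then identify no manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet set means group (multicast/broadcast) address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def vendor(mac: str) -> str:
    """Vendor name from the constructed table, or a marker explaining why none."""
    if is_locally_administered(mac):
        return "locally administered (no vendor)"
    return OUI_TABLE.get(oui(mac), "unknown OUI")


if __name__ == "__main__":
    for sample in ("b827.eb12.3456", "00-50-56-aa-bb-cc", "02:50:56:aa:bb:cc"):
        print(f"{normalize_mac(sample)}  OUI {oui(sample)}  -> {vendor(sample)}")
```

Note that a router flashed with OpenWRT keeps its burned-in MAC, so the OUI lookup still resolves to the original hardware vendor, which is the point the post makes; only a deliberately overridden (locally administered) MAC changes what the ISP sees.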
  9. Is this for enabling the modem to do IP passthrough, to give your router a public IP on WAN instead of the modem also acting as a router? Can you tell us who your ISP is?
  10. I’m confused. Does your ISP control part of your router? If you went out today and bought a different TP-Link router, would you have to tell them or do something specific? It is very uncommon for an ISP to only “support” certain routers. If we were talking about a combined modem router or ONT router it could make more sense.
  11. Sounds like a hardcoded limit. Maybe you can try OpenWRT: https://openwrt.org/toh/tp-link/archer_c7
  12. You didn’t have to watch the video. I provided a summary of the claims made in the video. The answer to “Why do people recommend DIY routers?” is because it isn’t about performance or efficiency. It is about stability and features. Also, for the average consumer where something from their ISP or off the shelf from Best Buy, Walmart, etc is all they need, they aren’t going to find the videos, forum posts, and blogs that are pushing either DIY routers or vendors like Mikrotik and Ubiquiti. Those are found by people that are looking for more or different, because they want more or different. Or at worst for a channel like TechQuickie, the video is going to be promoted to people who are interested in tech, and then they discover what is available out there.
  13. Sure, ignore the reports of issues, which are exactly answering your initial question of this topic (Why do people recommend DIY routers?). Because none of those problems reported by a trusted technology consultant (YouTube and the ServeTheHome website aren’t where they make their money, it’s on doing tests for companies) could be valid reasons why people get tired of off the shelf hardware/software and either put OpenWRT on the router they bought, or PFSense on an old computer with two NICs, or possibly find Mikrotik/Ubiquiti/NetGate. I wasn’t talking about the J4125 device. I was pointing you to someone who knows way more about technology than either of us, who had a bad experience with the Spectrum-provided router, including having to reboot it every two weeks.
  14. So ServeTheHome actually has a recent video that is relevant here: The video is about a new-ish 4x 2.5Gb PFSense (or OPNSense, or Untangle, etc) box, but starting at 13:10 he starts talking (more like rambling) about a Spectrum-provided router, that seems to have high specs and be designed for their 1Gbps+ service. He makes various claims, including:
      14:45 - consistently lower ping-through latency with the PFSense box
      15:15 - better local DNS caching (might also be a difference between ISP DNS servers versus something else he chose to use; ISP provided equipment sometimes does not let you specify the DNS servers to use)
      15:55 - about every 2 weeks, he would experience extreme sluggishness for wired LAN devices and have to reboot the ISP router, and ended up putting it on a smart plug so it could be rebooted (that’s from the text overlay, not the audio)
      16:30 - ISP router has very little or no troubleshooting tools, and is complicated by the combination of the modem and router
      The video concludes with places/reasons why you may still pick the ISP router, including cost, convenience of setup, and the fact that wireless is builtin. I still agree with you on cost-vs-performance when set up in an average consumer setup. Most aftermarket routers (and probably most ISP routers) probably don’t suffer from the reliability issue mentioned in the video. I do have one more datapoint I just remembered. Verizon Fios’ router units (which are purely routers, although they do have a MoCA port for LAN/WAN over Coax) have very limited NAT tables. The G1100, which was the flagship AC Wave 2 unit, had a NAT table size of 1024 sessions. That is actually not a lot when you have a moderate amount of IoT devices, multiple devices per person, etc.
      My house network (which is on a separate router and public IP than my lab/server/freelance business network) has about 15 IoT devices and 20 personal devices, and the sessions are idling around 400 and peaking over 1500 (data from last 24 hours, via Untangle). NAT/firewall table size is another example of something that, once baked into hardware, can’t be changed.
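To make the NAT-table point above concrete, here is an added example (not from brwainer’s post, and not Untangle’s or Verizon’s code) that counts stateful sessions from conntrack-style output and compares the count with a fixed table size. The sample lines are constructed in the layout of Linux /proc/net/nf_conntrack; on a real box you would feed it that file or the output of `conntrack -L`. The 1024-entry table size is the G1100 figure from the post and is only a parameter here. The script also breaks sessions out by internal host and TCP state, because TIME_WAIT entries still occupy a slot until they expire, which is how a handful of chatty devices fill a small table.

```python
"""Count stateful NAT/firewall sessions and compare against a table size.

Added example, not from the forum thread. SAMPLE is constructed in the
/proc/net/nf_conntrack layout (Linux netfilter).
"""
import re
from collections import Counter

SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.10 dst=93.184.216.34 sport=51235 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51235 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.21 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40001 mark=0 use=1
ipv4     2 udp      17 175 src=192.168.1.21 dst=198.51.100.7 sport=5683 dport=5683 src=198.51.100.7 dst=203.0.113.5 sport=5683 dport=5683 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.22 dst=198.51.100.9 sport=33000 dport=8883 src=198.51.100.9 dst=203.0.113.5 sport=8883 dport=33000 [ASSURED] mark=0 use=2
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """One dict per entry: protocol, TCP state (or '-' for stateless protocols)
    and the original-direction src/dst/dport, i.e. the first of each key."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("ipv4", "ipv6"):
            continue  # skip blank or foreign lines
        proto = parts[2]
        # TCP entries carry a state word right before the first src=; UDP/ICMP do not.
        state = parts[5] if proto == "tcp" else "-"
        kv = _FIELD.findall(line)
        src = next(v for k, v in kv if k == "src")
        dst = next(v for k, v in kv if k == "dst")
        dport = next(v for k, v in kv if k == "dport")
        entries.append({"proto": proto, "state": state, "src": src,
                        "dst": dst, "dport": int(dport)})
    return entries


def summarize(entries, table_size, warn_at=0.8):
    """Totals per internal host and per state, plus utilization of the table.
    over_threshold is True once the table is warn_at full (default 80%)."""
    total = len(entries)
    return {
        "total": total,
        "per_host": dict(Counter(e["src"] for e in entries)),
        "per_state": dict(Counter(e["state"] for e in entries)),
        "utilization": total / table_size,
        "over_threshold": total >= warn_at * table_size,
    }


if __name__ == "__main__":
    s = summarize(parse_conntrack(SAMPLE), table_size=1024)
    print(f"{s['total']} sessions, {s['utilization']:.1%} of a 1024-entry table")
    for host, n in sorted(s["per_host"].items(), key=lambda kv: -kv[1]):
        print(f"  {host:<16} {n}")
    print("  by state:", s["per_state"])
```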
  15. I understand your basis of argument is the max pps, especially at 64 bytes. But this is where the RFC2544 standards don't really match to reality. A production network, either home or business, is going to have a mix of packet sizes, and average between 500 and 1000 bytes. This is where IMIX comes into play; it is a mix of packet sizes to reflect more real-world. You don't need 2Mpps to keep up with a large number of users all doing a lot of things at once. What is more often an issue (speaking from almost a decade of network engineering experience and related certifications, and being a SME for QoS at my company where we have dozens of network engineers who check each other's work) is not prioritizing packets properly between different applications/types, causing issues especially for live audio/video happening at the same time as "bulk" traffic like streaming media. I rarely see issues with pps in production networks, unless someone has enabled features that definitely exceed the capabilities of their hardware.
      "More Stable" - Maybe this isn't a valid argument anymore (I do not have firsthand experience in the past few years to tell either way), but definitely from the early 2000s through the mid 2010s, the average router available for sale, and the average modem/router available for sale or from the ISP, would suffer from poor cooling, poor software stability, or both. DD-WRT on the WRT54G (the original alternative router firmware on the hardware it was developed with) had much better uptime and performance consistency than the manufacturer firmware releases.
      "More powerful" - Some people are probably making a claim about performance, in which I generally agree with your argument that for a comparable price point, a DIY router is not going to out-perform something that is using hardware offloading. For me "more powerful" means in the available features. Again, if something is baked into the hardware, you can't change it.
      By the way, if a DIY router is overloaded on incoming packets, it doesn't crash. It just drops anything that can't fit into the assigned buffer for the interface - exactly what happens in a non-DIY router in that circumstance. Anything that pays attention to this, like TCP and QUIC, will notice the dropped packets and throttle transmission.
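The 64-byte pps argument discussed above is easy to put numbers on. The following is an added example, not from brwainer’s post and not from any RFC 2544 test tool: it computes the frames per second a link rate implies at minimum-size frames, at maximum-size frames, and at a frame-size mix. The 7/4/1 weighting of 64, 570 and 1518-byte frames is the commonly quoted "simple IMIX" and is an assumption here rather than a measurement; the 20 bytes added per frame are the Ethernet preamble, SFD and inter-frame gap that count against wire time but never appear in the frame.

```python
"""Packets per second implied by a line rate at different frame sizes.

Added example, not from the forum thread. SIMPLE_IMIX is the commonly
quoted 7/4/1 mix and is an assumption, not a traffic measurement.
"""
WIRE_OVERHEAD = 20          # preamble + SFD (8) + inter-frame gap (12), bytes
MIN_FRAME = 64              # smallest legal Ethernet frame including FCS
MAX_FRAME = 1518            # largest standard frame including FCS
SIMPLE_IMIX = {64: 7, 570: 4, 1518: 1}   # frame size -> relative weight


def pps_for_size(line_rate_bps, frame_bytes):
    """Frames per second that fill the link when every frame is frame_bytes long."""
    return line_rate_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def avg_wire_bytes(mix):
    """Weighted average bytes of wire time per frame for a size mix."""
    total_weight = sum(mix.values())
    return sum((size + WIRE_OVERHEAD) * w for size, w in mix.items()) / total_weight


def pps_for_mix(line_rate_bps, mix):
    """Frames per second that fill the link at the given size mix."""
    return line_rate_bps / (avg_wire_bytes(mix) * 8)


def load_fraction(line_rate_bps, capable_pps, mix):
    """Fraction of a device's forwarding capability (in pps) that filling
    line_rate_bps with this mix would consume. > 1.0 means it cannot keep up."""
    return pps_for_mix(line_rate_bps, mix) / capable_pps


def report(line_rate_bps):
    return {
        "min_frame_pps": pps_for_size(line_rate_bps, MIN_FRAME),
        "imix_pps": pps_for_mix(line_rate_bps, SIMPLE_IMIX),
        "max_frame_pps": pps_for_size(line_rate_bps, MAX_FRAME),
    }


if __name__ == "__main__":
    for label, rate in (("1 GbE", 1e9), ("2.5 GbE", 2.5e9), ("10 GbE", 10e9)):
        r = report(rate)
        print(f"{label}: 64B {r['min_frame_pps']:,.0f} pps | "
              f"IMIX {r['imix_pps']:,.0f} pps | 1518B {r['max_frame_pps']:,.0f} pps")
    # A box rated for 2 Mpps: fraction of capacity used to fill 1 GbE
    print(f"2 Mpps box at 1 GbE, 64B only: {load_fraction(1e9, 2e6, {64: 1}):.0%}")
    print(f"2 Mpps box at 1 GbE, IMIX:     {load_fraction(1e9, 2e6, SIMPLE_IMIX):.0%}")
```

The gap between the first and second column is the whole disagreement in the thread: a device that is nowhere near 1.49 Mpps can still saturate 1 GbE at a realistic mix, and a wrong QoS policy will hurt voice and video long before the pps ceiling is reached.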
  16. An OpenWRT, PFSense, etc router gives me the ability to do things that a SOHO router never will. The list is extensive, but I’ll call out one thing in particular: ZeroTier. A perfect example of what is possible with vs without hardware routing/NAT is the Unifi USG. With hardware offload enabled, it can sustain near wire-line routing, NAT, stateful firewall. But if you want to enable the IDS/IPS feature, or the Smart Queues feature (FQ-CoDel), you have to disable hardware offload, and the performance is limited to around 85-100Mbps. This effect was amplified with the USG-XG (same hardware as the EdgeRouter Infinity). With hardware offload enabled, it can route over 20Gb/s, but with hardware offload disabled it can only do about 1Gb/s. The feedback from Unifi users was that the cost of the hardware compared to the speed available without hardware offload was ridiculous, therefore the USG-XG was discontinued. It was replaced by the UDM series, which has no hardware offload at all; it is doing everything in software all the time. The UDM-Pro can sustain at least 3.5Gb/s with IDS/IPS enabled, and about 9Gb/s with it disabled, at a price 1/5 the USG-XG. Of course, a Unifi router is not the same as a “DIY” router. But the point is the same - having hardware offloading, while very efficient, locks you into the features of the chip. Some things, like a VPN server, may coexist with hardware offloading, but other things like better QoS cannot. I have not seen a hardware implementation yet of the CoDel, CAKE, etc algorithms.
  17. These RJ45 SFP+ modules are themselves acting as a little two-port switch, because the SFP+ standard doesn’t technically support anything in between 1Gb and 10Gb. So the module links to its host at 10Gb, and the RJ45 side at whatever. There is also nothing in the standard for communicating this information, or for RJ45 modules to exist at all. If you look at the module type as reported by the switch, it is probably showing up as a DAC or even maybe a fiber module. Mikrotik’s own S+RJ10 module uses one of the unused pin pairs to make an extra metadata connection to pass the RJ45 link speed; this is something proprietary to Mikrotik. It might be a waste of money now, but if you had asked before I would have recommended spending extra on the Mikrotik module purely for this reason. No other company has done this that I’m aware of. https://mikrotik.com/product/s_rj10 They say “link speed reporting is fixed” in the 2nd revision, but truthfully it wasn’t possible to do when they were keeping within the SFP+ standards. They found a solution such that their module can still be used in other manufacturers’ equipment without issue. So, all that out of the way, what are you using as your router? Edit: I’m guessing it is the modem unit? Try putting the RJ45 module into one of your ConnectX-3 cards and connecting that to the modem/router, just for more data points.
  18. The U-LTE plugs into any PoE port on your network. The controller will create a VLAN for communication between it and the USG. The USG will disable its WAN2 port (assuming you had it in WAN2 mode and not LAN2) and start using that VLAN as WAN2. The system was designed this way so it is compatible with the UDM which only has one WAN port, and the UDMP whose WAN2 is an SFP+ port. With the U-LTE you are locked into Ubiquiti’s AT&T pricing. “The price plan is $15/month (includes 1 GB) and is $10 per additional GB.” Additionally, I think there is a hard limit at like 20GB/month. What you do get with this solution though is the ability to decide what can or cannot use the LTE backup - I think it is based on networks, but I may be wrong. The U-LTE-Pro, only available in Europe, lets you provide a SIM card and carrier/plan of your choice.
  19. We’re using APC’s StruxureWare which AFAIK is built on top of SmartConnect. Our newest UPSes don’t have the separate remote monitoring cards in them. And there’s enough companies of our size doing the same that I’m not even divulging a security hole by saying this.
  20. I’m not aware of something that does exactly what you are asking for. What I would do is install in-wall access points (e.g. Unifi U6-IW or UAP-IW-HD, Ruckus H550 or H510) that have an integrated switch, and just plug your “daisy chain” cable into a “front” (bottom) outlet and pass it behind the AP. The benefit of this method is you have wireless in every room as well, which is how hotels are designed nowadays. The Ruckus APs would be more expensive; I mention them because they have a pass-through cable channel built in, so the wire can’t get pinched by accident. If you have a position with more than one downstream cable, or need to daisy chain more than two switch/AP in a row, you would have issues with PoE and would need to somehow inject more power or provide DC directly to whatever you install.
  21. I assume you mean the ethernet port on the thunderbolt dock. Does that ethernet port on the ASA work with other devices? It isn’t in a shutdown state? Do you get a link indication on both the ASA and dock? Anything in the log when you try to connect the dock?
  22. The company I’m at has over 5000 APC UPSes, all network connected. We have a dashboard that tells us if a UPS is being over-used (more wattage than it will support for our baseline number of minutes in an outage), when a unit’s battery needs to be replaced (and we can order the replacement to be drop-shipped direct from the dashboard, because every UPS has an address and contact info), and if there are any faults with a unit (consistent under or over voltage, internal hardware faults, and more). Without this, it would require significantly more effort to keep track of the units. We know exactly how much work was being done by the NOC before we paid more for the network connected models and the dashboard, and we know that we saved more in labor costs per year than the hardware and license fees. Some of the UPS models also have remote control of individual outlets, or outlet groups, and we also have APC PDUs in the same dashboard where we can control individual outlets.
  23. I had to ask, because it wouldn't be the first time I had seen someone say "The IoT SSID will be a different subnet" without actually intending to use VLANs. Normally when VLANs are in play, there is some indication of it. For example, the line between the router and AP could say "Trunk; Native VLAN 1" or "Untag 1, Tag 2 & 3", and then the ports on the router could say "VLAN 1", "VLAN 2", etc. (implied to be access/native/untagged) You don't seem to have a different CIDR shown for IoT, the Zigbee Hub's IP is within 192.168.88.0/24.
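The check brwainer is doing by eye in the post above (an "IoT" device whose address sits inside the LAN's 192.168.88.0/24) can be automated against a VLAN plan. The following is an added example, not from the thread and not from any router's software: it verifies that no two VLAN subnets overlap and that every host's address falls inside the subnet of the VLAN it is meant to be on, reporting which VLAN the address actually belongs to. The VLAN table and hosts are constructed; the IoT and guest subnets are assumptions, and 192.168.88.0/24 is the LAN range from the post.

```python
"""Consistency check for a VLAN segmentation plan.

Added example, not from the forum thread. VLANS and HOSTS are constructed;
only 192.168.88.0/24 comes from the post.
"""
import ipaddress
from itertools import combinations

VLANS = {  # VLAN id -> (name, subnet)
    1: ("LAN", "192.168.88.0/24"),
    2: ("IoT", "192.168.20.0/24"),
    3: ("Guest", "192.168.30.0/24"),
}

HOSTS = [  # (name, address, VLAN id the device is supposed to be on)
    ("laptop", "192.168.88.10", 1),
    ("zigbee-hub", "192.168.88.50", 2),   # on the IoT SSID, but addressed from LAN space
    ("guest-phone", "192.168.30.23", 3),
]


def _networks(vlans):
    return {vid: ipaddress.ip_network(subnet) for vid, (_, subnet) in vlans.items()}


def overlapping_vlans(vlans):
    """Pairs of VLAN ids whose subnets overlap. Overlap means a single route
    or firewall rule cannot tell the two segments apart."""
    nets = _networks(vlans)
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def misplaced_hosts(vlans, hosts):
    """Hosts whose address is outside their intended VLAN's subnet, as
    (name, address, intended VLAN id, VLAN id the address really belongs to or None).
    Such a host is not separated by L3 from the segment it was meant to leave."""
    nets = _networks(vlans)
    bad = []
    for name, ip, vid in hosts:
        addr = ipaddress.ip_address(ip)
        if addr in nets[vid]:
            continue
        actual = next((v for v, net in nets.items() if addr in net), None)
        bad.append((name, ip, vid, actual))
    return bad


def plan_is_consistent(vlans, hosts):
    return not overlapping_vlans(vlans) and not misplaced_hosts(vlans, hosts)


if __name__ == "__main__":
    for a, b in overlapping_vlans(VLANS):
        print(f"VLAN {a} ({VLANS[a][0]}) overlaps VLAN {b} ({VLANS[b][0]})")
    for name, ip, vid, actual in misplaced_hosts(VLANS, HOSTS):
        where = f"VLAN {actual} ({VLANS[actual][0]})" if actual else "no planned subnet"
        print(f"{name} at {ip} should be on VLAN {vid} ({VLANS[vid][0]}) "
              f"but the address belongs to {where}")
    print("consistent" if plan_is_consistent(VLANS, HOSTS) else "inconsistent")
```

Run against the constructed plan it flags the Zigbee hub exactly the way the post does: intended for VLAN 2 but addressed out of VLAN 1's range, so whatever the SSID is called, the hub is still a LAN host.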
  24. What is going to do the separation of the guest network, if that isn’t a VLAN? In other words, how are guests going to end up with IP addresses in a different subnet?
  25. Either fix whatever is causing BPDUs (the tiny packets that are used for STP and loop detection) to enter the switch from that cable (meaning, disable STP or similar from the device at the other end), or disable the BPDU Guard on that port. BPDU Guard is how you tell the switch "this port should only ever have endpoint devices, it will never have another switch connected to it". It is considered a security or idiot-protection feature, to prevent a dumb or malicious person from connecting a switch or similar device to a network port. For example, many companies have a policy that users are not allowed to install switches or routers at their desk.