5/5 GBE internet - What hardware (router)

[RasmusDC]

Need help, i am moving to another house, and saw i could upgrade my internet, running 500/500mbit fiber, but can get 5/5gbit for the same price, so went for it.

 

now that is all fine, got a call today from the company, asking if i wanted the base modem, or the full router pack, which were QUITE expensive, overpriced. and he said it was not the best router setup, so he would recommend med just getting the modem.

 

Running a AC68 today, and yeah that is not going to cut it, from what he said the Modem delivers 10gbe over an SFP+ port.

 

are there any consumer routers that will support and create a local network from a SFP+ port, or do i have to build my own router? i have a server running, a 4790k on an old z board, with a 10Gbe nic (have internal 10gbe in my main to) but i would hate to make that my router, since it is a working server, that will be used for other things. 

 

i need something with a high uptime, and that can handle being hammered... any recommendations.. (may be a rack router, since i do have a rack.

[jeffmeyer5295]

Everything about this post makes me extremely jealous. I do not know the answers to any of your questions but god damn man. 

[TheKDub]

The only consumer grade router I can find that has a 10Gb/s SFP+ port is the Netgear Nighthawk X10 R9000. I wouldn't recommend going with consumer grade gear if you're wanting to do 10Gb/s networking

[Electronics Wizardy]

What features do you want in a router?

 

Your gonna need a pretty beffy router if you want to do things like packet inpsection, but for just a basic router, something like a edge router infinity. PFsense will also work, but your gonna want a pretty fast system(think xeon e3 grade system. Look at a used dell r320 for a rack mount system.

[RasmusDC]

okay so it is a larger investment. 

 

i have a surplus Ryzen 1700x + motherboard, so buying a 10gbe SFP+ NIC and running PF sense on that should be good enough? 

 

only have 8gb of ram on it. 

[AngryBeaver]

Your options for this are going to be limited. the Netgear X10 is going to be an issue because the ports are only 1gb on the lan side. You can chain to of these together for a 2gb connection, but that is on paper and rarely works out that way in practice.

 

Now you do have commercial options. That being said you are going to need a sfp+ to 10gbe router, a 10gbe switch, and depending on the solutions you chose for the other two potentially a firewall, might as well grab a half server rack while you are at it lol. I mean you can skimp/skip some of these items, but you will be sacrificing security. I mean I guess in a bind you could use a switch with ACL's, but that would be a pita. Not to mention you lose your NAT support (IP masquerading).

 

Now if you can find a commercial grade gateway you might be ok. This would be a device that functions as a router/firewall/switch. It would need sfp+ on the wan side, and at least 1 10GBe lan port (you can use a switch to break that up more if needed)

[RasmusDC]

well.. have the server rack, have a 16 port 10GBE Cobber based switch currently, have a server running. so adding som kind of pc for routing is really not an issue, then just scrapping the AC68 for som AP´s (might want to wire som POE then)

 

PFsense, never played with it.. but it is fairly plug´n´play ? 

 

the price for the fiber companies option is 1000 dkk (160ish dollars) for the modem, and fiber establishing, but they want 18000dkk to exchange the modem for a router, then i also will not have a fully open line to run with, configs will be run through the provider.. and i hate losing control and 17000dkk (3000 ish dollars) should run me a bit of a distance buying equipment.

 

currently we are preparing the house, so it has cat 6a in all walls, the rack has been established. so it is just hardware..

 

have a XS716 T 16 port Netgear 10gbe switch.

[Alex Atkin UK]

Getting the basics of pfSense running is pretty much "follow the instructions during install".

Once you get used to the UI, doing anything else like advanced firewalling is not exactly hard either.  It offers so much more fine configuration than a consumer router, even under something like OpenWRT, that you can happily ignore if you don't need it but can come in REALLY handy as you learn more about it.  (routing specific clients over VPNs, forcing all DNS over the local cache, blocklist for known attack IPs, etc)

You are definitely going to need a decent CPU for all this, people generally recommend an i5 for Gigabit so not sure on specifics here.  As you already have a lot of the parts, its probably best to just try it with the Ryzen.  Its not like you are likely to need to even enable QoS with that kind of bandwidth, you are more likely to hit bottlenecks on the Internet itself first.

[RasmusDC]

there is no bias in the PFSense for Intel CPU´s? could use the 4790k as the PFsense and use the ryzen for server instead, guess the Ryzen will work better, or just as well for transcoding than the 4790k.

 

watched the Level1 tech video with Wendell, it seems a I5 2500k is more than enough, but i do know that even with my 500/500, running custom firmware on my AC68 cuts the internet to 200-300mbits, because of CPU bottlenecking, running pure hardware and i have my 550/550... so i do know that running in purely software, does demand CPU.

 

alternatively i have an old X99 platform laying around... but it should be slower than the Ryzen in raw speed.

 

guess i have to fiddle a bit. still not keen on buying the suppliers router, and not having full control of my internetline. and i know the 5/5gbit will never really be used... 

[Alex Atkin UK]

Well you can always try pfSense on each of them and depending on how many clients you stick 10Gig into you can test this before you put it into service.

Setup pfSense with DHCP for WAN and a different private subnet than your main LAN for its LAN.
Then make sure on your current LAN a client is running 10Gig all the way to pfSense,  plug a 10Gig machine into the pfSense LAN port, run iperf3 in server mode on the main LAN side client, iperf3 in client mode on the pfSense LAN side.  You will get a rough idea of the raw throughput the pfSense box can handle as it will be performing NAT between your main LAN and the pfSense LAN, just like it would with an Internet connection.

[beersykins]

You could always run VyOS or something, PFsense is pretty easy to use and gives you more firewall/IPS features.  Snort will be pretty CPU demanding at those data rates.  You could try either, really.  That i7 should have plenty of grunt to route 5 gbit.

 

I ran a Mikrotik CHR for a while, at 1 Gbps with a few firewall rules and no fastpath it sat at like 40% of one i5 3330 core, if that gives you any sort of x86 performance bearing (you could even try running the Mikrotik CHR in your environment  Although it's like $95 for the 10g license which is relatively steep, but offers a 60 day trial).

[Falconevo]

First, im jelly you can get 5/5G to your home.  Most businesses in the UK won't pay for that kind of connectivity!

 

If your plan is to use pfSense, I was able to do 6.7Gbit/s WAN<>LAN throughput with the following config in my testing but it does depend entirely on the packet sizes used during testing.  You will be very lucky to achieve any sort of 'line rate' 10G with packet filtering without some serious hardware.  Inter VLAN communication was slightly higher due to the larger MTU (9000) on the inside interfaces but your WAN interface is going to be 1500 or 1508 if you are using PPP to access the ISP.  If your ISP is via PPP you may have problems as I believe the current implementation of PPPoE is single threaded

 

Dell R610 Chassis

2x x5690 Xeon CPUs

32GB RAM (had 4x 8G sticks lying around)

1x Some shit 60G SSD

2x Dual Port Intel x540 (1 WAN 2 LAN)
 

When I get home ill pull out the custom config that was used for the network interfaces, The hardwall seemed to be related to interupts which cause one of the CPU threads to be exhausted.

 

[Alex Atkin UK]

That detail about PPPoE is interesting, I did wonder why one core on my box is always running hotter than the other, that must be it.

I can only imagine how horrific PPPoE must be for a REALLY fast connection, its always been the major bottleneck on any router I have owned.  I'd hope on a connection as fast as 5G/5G it runs off DHCP from a terminal adapter.

[Mikensan]

Definitely pushing the upper limits of pfsense, how many IP addresses are you getting? 

Pretty wild they're running a pipe that big to a residential, Denmark sounds badass.

 

Netgate seems to be confident in their hardware running 10gb cards and on an Atom.

https://www.netgate.com/solutions/pfsense/xg-7100-1u.html

 

Originally FreeBSD and stateful packet filtering could not hit 10gbps, averaged 4-6. Can't hurt to try if you already have the firewall, but be prepared to spend some money if it doesn't work and you want the full 5gbp/s.

[Alex Atkin UK]

I believe a lot has been going on in BSD world so if it struggles now it might work when the next release of pfSense comes out.

[RasmusDC]

it is still consumer internet, i get a 1 fixed ip with it... so i need to DHCP... 

 

and i know that it is extremely over the top, my 500/500 today is fast enough, but it is nearly the same price (well equipment wise it can be a fail) but even if i only get.. 2-3Gbit throughput then i am fine with the setup. 

 

i am not a network extreme guy, so i might need to play a bit around with it, userbase for me is low.

 

Have Cloud setup running, running a web page, running my own mail client, some plex (with transcoding) and use for full house WEB TV services (think it is 4-8mbit streams pr tv stream) and STEAM and so on..

 

I just really like that things are instant

 

Next real issue is that it will max out my 550/550MB/sec disc (my 500/500 gets 62+ MB/SEC) and my server only has 10TB Ironwolf discs....

[Alex Atkin UK]

Like you said though, that's only a single client.  The main reason to have a beefy connection is so that a single client CAN'T max it out, allowing you to never worry about running out of bandwidth at all.

 

If I could get that fast I'd move all my websites to locally hosted, saving some money on a VPS.