1Gb router + hdds build

daggs1

Senior member
Mar 9, 2018
Greetings,

I'm looking to build a setup that will provide me NAS, backup server and will act as a 1gb NAT router (wireless via usb dongle, 2 pcie 1gb nics, wan based on the o/b nic).
I've decided to base the system on this MB https://www.asus.com/Motherboards/H110M-K/overview/
I wanted to know, assuming I put 4GB of ram, which cpu will provide my needs? (my main goal is to get the 1gb NAT and decent backup performance, the NAS will be occasionally in use).
in addition, I'd like to hear suggestions on how to minimize the sound level this system is bound to make.

Thanks,

Dagg.
 

coercitiv

Diamond Member
Jan 24, 2014
  • I would aim for 4c/4t, but would rather pick Coffee Lake - either wait for the new chipsets in April or just buy a Z board since the i3 8100 would be cheaper than Kaby Lake i5 anyway. (hence total cost would be equal).
  • Sound level will be dictated by the HDDs inside the chassis, not your CPU.
 

daggs1

Senior member
Mar 9, 2018
Greetings coercitiv,

  • I would aim for 4c/4t, but would rather pick Coffee Lake - either wait for the new chipsets in April or just buy a Z board since the i3 8100 would be cheaper than Kaby Lake i5 anyway. (hence total cost would be equal).
  • Sound level will be dictated by the HDDs inside the chassis, not your CPU.

the i3 8100's socket is LGA 1151 (300 Series) which isn't compatible with the mb I've posted above.
I went with that mb because I use it at work, it has a good set of features (form factor (uATX) is important as it is designated to be placed in the living room where my fiber connection resides currently) and I can get it quite cheap.
regarding the Z board I'm unable to find a good board, can you recommend one?

from my experience, the major noise factors are the cpu and case fans. question is, is there a way to reduce them.
 

VirtualLarry

No Lifer
Aug 25, 2001
Asrock Z370 ITX/ac, has two intel GigE NICs, and AC wifi onboard. Drop in an i3-8100, you'll have plenty of power.
 

daggs1

Senior member
Mar 9, 2018
Greetings VirtualLarry,
Asrock Z370 ITX/ac, has two intel GigE NICs, and AC wifi onboard. Drop in an i3-8100, you'll have plenty of power.
thanks for the advice, using that cpu+mb combo has several cons:
  1. higher than I'd like to pay, the mb itself is 3 times more expensive than the one I've suggested above.
  2. I don't need an AC wireless, N is enough for me, in fact I have a wireless N usb dongle I'd like to use as wireless. in addition, I don't like the fact that wireless source is at the mb, because I plan to put the machine in the living room near the floor, e.g. close to the kids.
the form factor is a tempting pro nonetheless.
my question is, will the above mb, an Intel Core i3 7100 and 4 gb of ram do the trick?
on the same page, I might be able to get my hands on an AMD A8-5600K with 3gb of ram, will that work?

Thanks.
 

DrMrLordX

Lifer
Apr 27, 2000
Most routers use far less CPU power than that, so I see no problem there.

Power supply looks good.

So what software solution are you going to use to provide NAS?
 

Zstream

Diamond Member
Oct 24, 2005
Are you 100% set on Intel? There are much cheaper CPU's/MOBO's capable of driving that requirement, but I digress.
 

LightningZ71

Platinum Member
Mar 10, 2017
It would be helpful to know your intended software solution. I use a re-purposed sandy bridge i5 to run my home router. I use a hypervisor (HyperV) to run an instance of Sophos XG, FreeNAS, and a steam-cache server. I have one Gigabit port on the motherboard, and a pair of cheap dual port PCI-E gigabit cards installed in it (they are used Intel server nics that I got for real cheap). My setup uses one of the card based NICs to handle the WAN link to my ISP, the on board RJ-45 for a connection to a Linksys wireless broadband router (What I was using before this setup) in bridged mode, providing just the access points for both the 5G and 2.4g bands for my built in devices and for the unregulated devices (smart phones for the adults, smart TVs, IoT devices), another card based RJ-45 for a second WiFi access point (bridged Apple Airport, which was free from a friend that was upgrading, it's got a good setup for turning off the kids' wifi access on a schedule among other things) that holds the highly regulated, monitored, and protected wireless network for all of my kids' devices, a third card mounted RJ-45 for a link to an older NAS device that supports network based backups for everything and a fourth card mounted RJ-45 for future expansion (I'm going to do something with a home media server system to replace my cable boxes soon).

It doesn't take a lot of processor to make it all run. I have Sophos defined as dual core, and the others are single at the moment. Doing all of that on one system still yields me wire speed forwarding on my 100Mbps ISP connection, and by my calculations, will handle everything through 500Mbps without a problem. It'll show some limitations at a full gigabit, but that's largely because of the level of packet inspection that I've got enabled. I'm on the lookout for a good price on a used Ivy Bridge I7 that is compatible with my board for when fiber makes it into my neighborhood in the next year or so. You might find that RAM amount a bit tight. Sophos XG supports 6GB max (though, I'm rarely going above 2), and a NAS box can use as much as you can throw at it for file caching. I'd suggest you try to get to 8GB as it looks like you might want to run 3 VMs at some point.

What are you using for a boot drive? If you can find it, I'd suggest that you look for a cheap, low capacity SSD. You can often find them used online for very little. Remember, for this purpose, size and write speed aren't a big issue. Just something that consumes very little power that can help your server get booted back up quickly after a power outage. A lot of people like to use USB sticks for that, and that's fine, but I find that they can be quite slow, and often don't like being used that way long term. I use an older 120GB SATA SSD for mine and it does just fine. I also have a 500GB 7200 RPM hard drive setup as a proxy cache for the Sophos firewall, but I don't see it helping a whole lot. I had it, already and didn't have a use for it, so I just threw it in there to see if it would help.
 

daggs1

Senior member
Mar 9, 2018
Greetings DrMrLordX,
Most routers use far less CPU power than that, so I see no problem there.

Power supply looks good.
I know but I want the machine to support 1gb nat on the local lan and be able to run backups and nas access when needed.

So what software solution are you going to use to provide NAS?
well as my requirements aren't that complicated, all I need is a bunch of nfs and samba shares, I'll probably use debian.
I think it is more like light NAS...
 

daggs1

Senior member
Mar 9, 2018
Greetings Zstream,
Are you 100% set on Intel? There are much cheaper CPU's/MOBO's capable of driving that requirement, but I digress.
of course I'm open to other possibilities, thing is that the place I live in might be referred to as an Intel domain. it is hard to find a good selection of non Intel based cpus/mobos.
 

daggs1

Senior member
Mar 9, 2018
Greetings LightningZ71,
It would be helpful to know your intended software solution. I use a re-purposed sandy bridge i5 to run my home router. I use a hypervisor (HyperV) to run an instance of Sophos XG, FreeNAS, and a steam-cache server. I have one Gigabit port on the motherboard, and a pair of cheap dual port PCI-E gigabit cards installed in it (they are used Intel server nics that I got for real cheap). My setup uses one of the card based NICs to handle the WAN link to my ISP, the on board RJ-45 for a connection to a Linksys wireless broadband router (What I was using before this setup) in bridged mode, providing just the access points for both the 5G and 2.4g bands for my built in devices and for the unregulated devices (smart phones for the adults, smart TVs, IoT devices), another card based RJ-45 for a second WiFi access point (bridged Apple Airport, which was free from a friend that was upgrading, it's got a good setup for turning off the kids' wifi access on a schedule among other things) that holds the highly regulated, monitored, and protected wireless network for all of my kids' devices, a third card mounted RJ-45 for a link to an older NAS device that supports network based backups for everything and a fourth card mounted RJ-45 for future expansion (I'm going to do something with a home media server system to replace my cable boxes soon).

It doesn't take a lot of processor to make it all run. I have Sophos defined as dual core, and the others are single at the moment. Doing all of that on one system still yields me wire speed forwarding on my 100Mbps ISP connection, and by my calculations, will handle everything through 500Mbps without a problem. It'll show some limitations at a full gigabit, but that's largely because of the level of packet inspection that I've got enabled. I'm on the lookout for a good price on a used Ivy Bridge I7 that is compatible with my board for when fiber makes it into my neighborhood in the next year or so. You might find that RAM amount a bit tight. Sophos XG supports 6GB max (though, I'm rarely going above 2), and a NAS box can use as much as you can throw at it for file caching. I'd suggest you try to get to 8GB as it looks like you might want to run 3 VMs at some point.

What are you using for a boot drive? If you can find it, I'd suggest that you look for a cheap, low capacity SSD. You can often find them used online for very little. Remember, for this purpose, size and write speed aren't a big issue. Just something that consumes very little power that can help your server get booted back up quickly after a power outage. A lot of people like to use USB sticks for that, and that's fine, but I find that they can be quite slow, and often don't like being used that way long term. I use an older 120GB SATA SSD for mine and it does just fine. I also have a 500GB 7200 RPM hard drive setup as a proxy cache for the Sophos firewall, but I don't see it helping a whole lot. I had it, already and didn't have a use for it, so I just threw it in there to see if it would help.

I'm a linux guy so debian will be my os, I plan to boot the os from a usb drive into the memory.
my goal is to have my two hdds (backup and media share) connected to the board via sata, the backup software will be backuppc which will backup the media share and various other machines on the network (linux and windows oses).
the media share will be exported via nfs and samba, as readonly, the nfs will have the ability to allow write under specific conditions.
my isp connection is 1gbps fiber, so the lan needs to be 1gbps, I also intend to take an unused tplink usb wireless dongle I have and use it as a 300mbps wireless access point.

I assume that the os should take much in the memory but if 4GB is tight, I'll bump it to 8GB.
up until I got the fiber connection, my setup was as such where the backups were on the main desktop and the media share was on the router.
but the router's latest vendor firmware doesn't protect from KRACK and doesn't support NFS. openwrt/lede protects from KRACK and supports NFS but I get 200mbps at most when it comes to speed.
in addition, to get the backups going the main desktop needs to be on and the external hdd case should be on (go tell the wife to remember turning it on... she never remembers).

so I want to consolidate the router, media share and backups to one machine that is always on and no need for special actions to get anything to work.
 

LightningZ71

Platinum Member
Mar 10, 2017
I strongly suggest that you use VMs to separate your router functions from your in house NFS/Backup functions. It's a security basic. Processor HP won't be an issue, but it will increase memory demands.
 

daggs1

Senior member
Mar 9, 2018
I strongly suggest that you use VMs to separate your router functions from your in house NFS/Backup functions. It's a security basic. Processor HP won't be an issue, but it will increase memory demands.
you mean like a vm for the router and a vm for the share and the backup? if so, won't this increase the system's overhead? also, if I put the router on a vm, I fail to see how I can get near 1gbps within the lan. also, won't having the NFS/Backup functions on a vm and accessing the net result in performance drop?
 

LightningZ71

Platinum Member
Mar 10, 2017
There is absolutely a performance hit from using virtualization. full stop. The question to be asked is, will that performance hit matter to you?

You will need at least two VMs. One will run the firewall/router installation. The other will run the NFS/Backup server.

The firewall/router VM can be surprisingly light. You can fit them in under 2GB of RAM and they use a very small amount of storage space. Having two cores dedicated to a basic firewall that has SPI and the basics of routing and security doesn't take a lot of processing power. Heck, big campus switches that run gigabit layer three switching at near wire speed are running on Atom class processors. A basic NFS/Backup server is also a very small footprint, both in processor overhead and RAM overhead. Obviously, more RAM can give you deeper caching and more I/O buffers, but, for home use, the difference would be hard to notice. I operate a hypervisor with three VMs on a board with an SB i5, and 8GB of RAM. It's not cramped for what I do with it, and what I do includes a lot of deep packet inspection on my kids' Wifi network. It does increase the power draw of the PC, but, even with that, it's less than running two or three separate machines.

There are many, many good how-to's out there on the net that can help you through setting any weird combination up that you want. I chose Sophos XG because it was very close to turn key, the free home use license was not very restrictive at all, and it was getting the same updates and many of the same features that their mainline commercial product is getting. (there are many other packages out there, besides using Linux/BSD to do it yourself) I have not been disappointed. I will admit that, with a 100Mbit connection, my setup is hardly breaking a sweat, spending most of its time near idle. Some of that is due to using server class NICs that have some offload capabilities for packet handling. My next project is to setup video streaming inside the house for all of my TVs and not just the living room one. I'm going to be refurbing another PC to operate as a NAS box in another part of the house and have it connected to the main VM server via a bonded 2Gbit link using some CAT 6 I have laying around. Unless I find something better, it's going to be a C2Quad PC with another of those dual port Intel server nics in it.
 

daggs1

Senior member
Mar 9, 2018
Greetings LightningZ71,
There is absolutely a performance hit from using virtualization. full stop. The question to be asked is, will that performance hit matter to you?
I can live with up to 20% performance drop.

You will need at least two VMs. One will run the firewall/router installation. The other will run the NFS/Backup server.

The firewall/router VM can be surprisingly light. You can fit them in under 2GB of RAM and they use a very small amount of storage space. Having two cores dedicated to a basic firewall that has SPI and the basics of routing and security doesn't take a lot of processing power. Heck, big campus switches that run gigabit layer three switching at near wire speed are running on Atom class processors. A basic NFS/Backup server is also a very small footprint, both in processor overhead and RAM overhead. Obviously, more RAM can give you deeper caching and more I/O buffers, but, for home use, the difference would be hard to notice. I operate a hypervisor with three VMs on a board with an SB i5, and 8GB of RAM. It's not cramped for what I do with it, and what I do includes a lot of deep packet inspection on my kids' Wifi network. It does increase the power draw of the PC, but, even with that, it's less than running two or three separate machines.
following your suggestion, I think I'll compile openwrt with O2 opt and install it on a vm, I thought of 2 cores, 64MB storage and 512MB of ram, not sure why I need 1Gb.

I'm not sure I understand why I need to place the NAS/backup on a vm, I think that it should be on actual os. better I/O performance.
this layout requires solutions for the following two issues:
  1. as the main os gets the ip from the vm it is running, I think that the router vm should start before the network unless the os requests ip when it detects there is a router up.
  2. I must allocate all the nics to the vm and one to the hosting os, thing is, I must make sure that the same nic (lets say the onboard for wan and the rest of them for the connections).
I wonder if there is a way to create a dummy nic adapter and instruct the os to use it to connect to the vm.

There are many, many good how-to's out there on the net that can help you through setting any weird combination up that you want. I chose Sophos XG because it was very close to turn key, the free home use license was not very restrictive at all, and it was getting the same updates and many of the same features that their mainline commercial product is getting. (there are many other packages out there, besides using Linux/BSD to do it yourself) I have not been disappointed. I will admit that, with a 100Mbit connection, my setup is hardly breaking a sweat, spending most of its time near idle. Some of that is due to using server class NICs that have some offload capabilities for packet handling. My next project is to setup video streaming inside the house for all of my TVs and not just the living room one. I'm going to be refurbing another PC to operate as a NAS box in another part of the house and have it connected to the main VM server via a bonded 2Gbit link using some CAT 6 I have laying around. Unless I find something better, it's going to be a C2Quad PC with another of those dual port Intel server nics in it.
sounds nice, I'd rather use os I know than ones I don't, but thanks for the tip.

btw, I assume the case's fans and psu are rather quiet (as it is a htpc case), so I just need to find a low quiet cpu fan. I thought of getting this one: https://www.newegg.com/Product/Product.aspx?item=N82E16835186100 as I used it before, any other suggestions?
 

LightningZ71

Platinum Member
Mar 10, 2017
I'm not much of a hardware man with respect to specing cases and fans and tend to go with more of what I find online as suggestions.

What is your expected NFS performance? If your client devices are connecting via Wifi, even with a good wireless AC connection, you won't see a bottleneck due to VM I/O overhead coming from a pair of SATA Hard drives, especially with large block transfers like backups.

While you certainly can build your solution as you propose, for what you're going to do, especially with respect to running a router on the box, it is a better security practice to have separate VMs hosting the various services. The effective reduction in attack profile is not dramatic when you properly configure your box, but, it's still not beyond what your hardware can do. Most Hypervisors or VM Hosts have the ability to define a virtual network internally, allowing the router VM to have its internal vNIC share a virtual broadcast domain with the NFS VM on a vNIC if you want. Some even allow you to configure that virtual switch to have an external NIC tied to it. It's going to depend on how you do it. If you're planning on using KVM, I'm not as familiar with it for direct configuration, though, I've used VirtualBox a bunch for similar setups. I use HyperV on the bare metal because I'm familiar with it, and it's free. You can certainly install a minimal Linux OS on the box, lock it down, and then run KVM on that to define your VMs. I'd lock down the base OS with respect to network access and, instead, route all network I/O to the VMs. If you've got a little gigabit switch laying around, you can use the external NICs to have it do the traffic passing between the VMs if you're worried about the virtual packet overhead, though that's usually not needed. I've seen that done in cases where admins are enforcing strict traffic control however.

There are a lot of ways to do this. I prefer to do VM isolation for everything largely due to security, and also because it makes some aspects of managing things easier. I can customize each VM to optimally support its desired function. Configuring each VM OS for maximum security is easier as each only has to have open the specific ports required for its function. Troubleshooting is easier because you don't have to deal with OS level interactions between services as well. For your configuration, 4GB of RAM should be fine. If you're configuring Linux to run without an XServer or display manager, then that's plenty. I try to have multiple GB of RAM for gateway routers because I like to setup small WAN caches to help with keeping the traffic going. I also tend to use software appliances, which also have a bit of extra overhead in them. While proxy caches aren't nearly as effective as they used to be, they still have a place. There is still a lot of common static bits of web out there that can be cached and served up quickly. Half a gig to a gig of cache area is usually more than enough to catch 90% of that, and can certainly take a bite out of your WAN traffic load. With a 1 gig WAN connection, it won't seem like a big deal, and it probably isn't, but, it's still something that I commonly configure.

Again, your way will certainly work, and if that's a way you feel comfortable doing it, then do it.
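
An added example, not part of the post above or of any poster's setup: one way to check the point that each VM should only have open the ports its function needs, by comparing `ss -H -tuln` output against a per-role allowlist. The role names, the port lists and the sample listener data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that a VM role does not need.
# Role names and port allowlists are assumptions, not values from the thread.

# Allowed listeners per role as proto/port pairs (assumed for illustration).
# NFSv3 also needs mountd/statd; pin them to fixed ports and add them here.
allowed_ports() {
    case "$1" in
        router) echo "udp/53 tcp/53 udp/67 tcp/22" ;;              # DNS, DHCP, SSH
        nas)    echo "tcp/22 tcp/111 udp/111 tcp/2049 tcp/445" ;;  # SSH, rpcbind, NFS, SMB
        *)      return 1 ;;
    esac
}

# Usage: ss -H -tuln | audit_listeners ROLE
# Prints "proto/port address" for every non-loopback listener outside the
# allowlist. Exit status: 0 clean, 1 unexpected listener found, 2 unknown role.
audit_listeners() {
    allow=$(allowed_ports "$1") || { echo "unknown role: $1" >&2; return 2; }
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Netid" { next }                  # tolerate a header line
        NF < 5 { next }                         # skip malformed lines
        {
            port = $5; sub(/^.*:/, "", port)    # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr) # text before the last colon
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next  # loopback only
            key = $1 "/" port
            if (!(key in ok)) { printf "%s %s\n", key, addr; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Constructed `ss -H -tuln` output for a NAS VM (sample data, not a real host).
sample_nas_listeners() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      64           0.0.0.0:2049       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
EOF
}

# Demo on the constructed data: reports the stray tcp/8080 listener.
sample_nas_listeners | audit_listeners nas || echo "unexpected listeners for role nas"
```

Run inside each VM (or on the host, with its own role entry) from cron or a boot script, so a service that starts listening outside its role is noticed.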
 

daggs1

Senior member
Mar 9, 2018
I'm not much of a hardware man with respect to specing cases and fans and tend to go with more of what I find online as suggestions.
case is selected, only the hsf is the question, I'll continue searching.

What is your expected NFS performance? If your client devices are connecting via Wifi, even with a good wireless AC connection, you won't see a bottleneck due to VM I/O overhead coming from a pair of SATA Hard drives, especially with large block transfers like backups.
I don't intend to have AC wireless, N is what I need, no more. NFS has its limitations (I cannot use NFSv4 because kodi doesn't support it), samba is samba.
I want to max the possible throughput of the nfs, that is why I'm not that reluctant to place the nas and backups in a vm.
the router vm hopefully will be light enough but still provide me ~1gbps NAT.

While you certainly can build your solution as you propose, for what you're going to do, especially with respect to running a router on the box, it is a better security practice to have separate VMs hosting the various services. The effective reduction in attack profile is not dramatic when you properly configure your box, but, it's still not beyond what your hardware can do. Most Hypervisors or VM Hosts have the ability to define a virtual network internally, allowing the router VM to have its internal vNIC share a virtual broadcast domain with the NFS VM on a vNIC if you want. Some even allow you to configure that virtual switch to have an external NIC tied to it. It's going to depend on how you do it. If you're planning on using KVM, I'm not as familiar with it for direct configuration, though, I've used VirtualBox a bunch for similar setups. I use HyperV on the bare metal because I'm familiar with it, and it's free. You can certainly install a minimal Linux OS on the box, lock it down, and then run KVM on that to define your VMs. I'd lock down the base OS with respect to network access and, instead, route all network I/O to the VMs. If you've got a little gigabit switch laying around, you can use the external NICs to have it do the traffic passing between the VMs if you're worried about the virtual packet overhead, though that's usually not needed. I've seen that done in cases where admins are enforcing strict traffic control however.
I got a little gigabit switch I use, I'd rather not use it for another thing.
I prefer my solution because it saves me the need to install another os over vm for the NAS/backup.

There are a lot of ways to do this. I prefer to do VM isolation for everything largely due to security, and also because it makes some aspects of managing things easier. I can customize each VM to optimally support its desired function. Configuring each VM OS for maximum security is easier as each only has to have open the specific ports required for its function. Troubleshooting is easier because you don't have to deal with OS level interactions between services as well. For your configuration, 4GB of RAM should be fine. If you're configuring Linux to run without an XServer or display manager, then that's plenty. I try to have multiple GB of RAM for gateway routers because I like to setup small WAN caches to help with keeping the traffic going. I also tend to use software appliances, which also have a bit of extra overhead in them. While proxy caches aren't nearly as effective as they used to be, they still have a place. There is still a lot of common static bits of web out there that can be cached and served up quickly. Half a gig to a gig of cache area is usually more than enough to catch 90% of that, and can certainly take a bite out of your WAN traffic load. With a 1 gig WAN connection, it won't seem like a big deal, and it probably isn't, but, it's still something that I commonly configure.

Again, your way will certainly work, and if that's a way you feel comfortable doing it, then do it.
security is good but I don't expect any outside access to the router and the chances someone will be able to access the system from within is same as he can access my other systems on the lan.
I don't intend to run any ui on the system, just cli.

I'll try my way and report back.
thanks for the info.

Dagg.
 

DrMrLordX

Lifer
Apr 27, 2000
well as my requirements aren't that complicated, all I need is a bunch of nfs and samba shares, I'll probably use debian.
I think it is more like light NAS...

I would double your RAM then and go with a VM-based solution.
 

Charlie22911

Senior member
Mar 19, 2005
I personally would not use a single box for all those functions, I’d really suggest putting the routing on its own hardware. Too many potential security/stability/performance issues there.
Been there, done that.

EDIT:
This is what I’m using for my pfSense setup for about a year now, It’s cheap and reliable.

https://www.amazon.com/gp/aw/d/B06ZYG5ZQX/
 

Zstream

Diamond Member
Oct 24, 2005
I personally would not use a single box for all those functions, I’d really suggest putting the routing on its own hardware. Too many potential security/stability/performance issues there.
Been there, done that.

EDIT:
This is what I’m using for my pfSense setup for about a year now, It’s cheap and reliable.

https://www.amazon.com/gp/aw/d/B06ZYG5ZQX/

In regards to performance, all you need is SR-IOV support, and you’re good to go from the network side.

Trust me, I ran four VMs, plus a firewall on a haswell v3-1231, and 32gb of ram. Hell, it was running on an AMD 1055t.

Look at your I/O from your NIC, and storage drives before you worry about anything else.
 

daggs1

Senior member
Mar 9, 2018
Greetings DrMrLordX,
@LightningZ71 mentioned using WAN caches. Also VM usage will probably push you past a 4 GB RAM budget. Probably.
as said, I intend to place only the router on the vm with 1 gb of ram and will install openwrt, so I don't think WAN caches is relevant much as the wireless usage will be minimal and should be handled by openwrt which is designed to run on systems less capable than a vm with 2 cpus and 1 gb of ram.

that's my 0.02c thought.
 

daggs1

Senior member
Mar 9, 2018
Greetings Charlie22911,
I personally would not use a single box for all those functions, I’d really suggest putting the routing on its own hardware. Too many potential security/stability/performance issues there.
Been there, done that.

EDIT:
This is what I’m using for my pfSense setup for about a year now, It’s cheap and reliable.

https://www.amazon.com/gp/aw/d/B06ZYG5ZQX/
question, what fw are you using? are you sure that you are protected from KRACK exploit for example?
another issue is the media share and backups which I still need to address.
btw, I can't seem to find ram amount and wlan on that box.

at that price range, I'm left with adding another 100$ and get my build which is more capable imho.