Question Critique my proposed SOHO network


fkoehler

Senior member
Feb 29, 2008
214
175
116
Hi All,

Recently had issues with my Archer C7 v2 running DD-WRT and long story short, am re-doing my SOHO network as OpenWRT IS much nicer and featured.

Planning:
Router- Rpi 4b OpenWRT ( supports ~900Mb WAN, I will be moving to 400Mb) Yes, I know, I laughed too. Until I saw some threads on OpenWRT going back awhile, and seeing how pitiful most of the SOC are on even the expensive consumer routers. I'm also going to add NVME SSD to it since it's easy and cheap.

Cisco 3560/3750 PoE switch, have on hand but on eBay for $30-40 shipped 24/48 ports if you're interested.

AP's- Roku/Firestick seem fine on N, so sticking with that and/or with AC as I don't do a lot of LAN traffic.
Thinking of trying Ruckus Flexzone R500 from eBay for $40-50/ea x2.

House is a ranch style, 2k sqf, back yard is an acre, so I might need an external AP for mowing tunes, future pond IoT stuff/solar.

I was following Ubiquiti the last couple years, however recently they seem to have turned into a Netgear, so a little more for the Ruckus seems worth a shot.
Ubiquiti seems to have jumped the shark and turned into Netgear, so although they made some nice unobtrusive AP's, not interested in them now.
Wish I could repurpose the 3 Cisco 1131's I have, but way too big and max at G. Be sad to trash them this week...

Critiques, comments, flames?
 

fkoehler

Yes, I noticed that after I started down the RPi path....
We're going to prob go with a VPN soon, so we'll have to see how poor it is.
Supposed to be getting 400Mb, however still waiting for Verizon to come out and replace my wonky ONT to see if I am actually getting that, before starting VPN.

Be aware that RPi4 does not have AES hardware acceleration. It could affect VPN performance if you are going to use any.


==

Well, WireGuard is way better than OpenVPN

 

fkoehler

Yes, I've been down some rabbit holes. However, it appears that at least in this instance with Open and Pi's, they've been running for 6-8 months with few issues being reported. Even less now that Pi is an official Open package.
Just ran across another project similar to what I want here:
https://gateway-it.com/raspberry-pi-4-as-a-home-router-openwrt-adguard-home/

Currently my status is:
Primary router- Archer C7 v2 (OpenWRT)
PoE Switch- Cisco (free, used for Ports, PoE, Trunking)
2X Aruba 205 Instant APs ($52)
Aruba Instant is nice because I can configure one AP, set it to be the virtual controller,
and other Aruba AP's that are brought online will be found and configured automagically by it.
The AP's handle all wlan duties, including SSID's, VLANs, and associated DHCP.
Most of the features of full controller in an AP. Way better than Cisco.


RPi 4b- Waiting on micro hdmi cable ($35)
Armor case (heatsink) ($11)
TP-Link UE300 USB3-Enet adapter (Reportedly good to 900Mb+) ($9)
USB3-SATA adapter (SSD Samsung 830 probably) ($10)





I went down this rabbit hole last year. In the end, I decided on a small form factor PC (specifically I used a Dell Optiplex 9020 sff system). Yes, it draws more power (max 255W depending on hardware), but it also supplies a lot of added flexibility. But it was cheap (picked one up for under $220 total after adding in a SSD and the network card, mine was also an i7-4790 CPU, so 4 core/8 threads).

Some of the added flexibility is a PCI-E 3.0 x16 slot. It let me put in a dual port 40Gb network card, which I use for my routing (although I am only using 1 port and using a router-on-a-stick configuration as I don't need the full 40Gb bi-directional at this time, as my core switch does most of my routing, this is just doing edge-routing to-from the internet, which obviously doesn't have a 40Gbps connection).

The other benefit is that it has the horsepower for running pfblocker-ng (think of it as pi-hole on steroids as it integrates with the firewall, not just returning a not found on a DNS lookup which can be bypassed by something using an IP address which doesn't need to be looked up via DNS).
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
If you care about OpenVPN performance, take a look at Protectli's various models:


==

RPI4 can be used for text based (you can install UI if you want though) feature rich SBC DietPi server if it does not perform as well as you wish as a VPN router.

DietPi.com

Seems still buggy though.

==

Well, RPI version comes with Allo.com Web GUI
 

fkoehler

Yes, when everything is setup, I'll have to see who I want to go with for VPN, and then see if they support WG vs OpenVPN.
I had DietPi 3-4 years ago when they first came out, however haven't touched a Pi since.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,179
518
126
Just a word of warning about using a Pi4 for VPN. Due to its processor performance, you will be limited to under 400Mbps throughput (possibly as low as 10Mbps depending on hardware/software) with AES-128 (the standard level of encryption for most VPN systems). In other words, if you are paying for 800Mbps and possibly adding a second redundant connection with 400Mbps, it will be nowhere near powerful enough. Please note that those values are just for performing the encryption itself, not also performing routing, firewall, DNS, etc., so expect MUCH lower once you add those functions on top of the VPN encryption.

See the benchmark results yourself: https://github.com/ThomasKaiser/sbc-bench/blob/master/Results.md

This was one of the reasons why I went with a small form factor x86 platform (and specifically a CPU that also had AES-NI support) for my system that is my router. And on top of that, once you add in the costs of a heatsink/fan (needed if you want to try and get closer to that 400Mbps performance), an enclosure, power supply, network board for additional ports, and memory card/usb stick/storage, you are looking at the same ~$200 costs as the small form factor PCs you can pick up.
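
Added example (not part of any post in this thread): a shell check for the AES-acceleration point raised above, reading the x86 "flags" or ARM "Features" line of cpuinfo-format text. The function names, the cipher hint and both sample cpuinfo snippets are constructed for illustration; the hint relies only on the fact that WireGuard uses ChaCha20-Poly1305 rather than AES.

```shell
#!/bin/sh
# Added example: does this router CPU expose AES instructions?

# Print the CPU feature words, one per line, from a cpuinfo-format file.
# $1: path to cpuinfo text (defaults to the live /proc/cpuinfo)
cpu_features() {
    awk -F: '$1 ~ /^(flags|Features)/ {
                 n = split($2, w, " ")
                 for (i = 1; i <= n; i++) print w[i]
             }' "${1:-/proc/cpuinfo}" | sort -u
}

# Succeed (exit 0) only when the exact feature word "aes" is present.
has_aes() {
    cpu_features "$1" | grep -qx 'aes'
}

# Heuristic hint (an assumption of this example, not a benchmark result).
vpn_hint() {
    if has_aes "$1"; then
        echo "aes-hw: AES-GCM (OpenVPN) or ChaCha20-Poly1305 (WireGuard)"
    else
        echo "no-aes-hw: prefer ChaCha20-Poly1305 (WireGuard)"
    fi
}

# Constructed samples, not captured from real machines.
sample_pi4() {
    printf 'processor\t: 0\nFeatures\t: fp asimd evtstrm crc32 cpuid\n'
}
sample_x86() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 pclmulqdq aes avx avx2\n'
}

demo() {
    tmp=$(mktemp) || return 1
    sample_pi4 > "$tmp"; echo "Pi 4 sample: $(vpn_hint "$tmp")"
    sample_x86 > "$tmp"; echo "x86 sample:  $(vpn_hint "$tmp")"
    rm -f "$tmp"
}
demo
```

On the router itself, call `vpn_hint` with no argument to read the live /proc/cpuinfo.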
 

fkoehler

I should be ok, I'm just upping it to 400Mb is all.
I am going to route IoT vlan for Roku and Firestick outside the VPN, so actual VPN use should be for general web browsing.

If the Pi really can't handle it, and I can't offload more devices, I'll look for an AES-NI supported x86 SBC for sure.