Question Critique my proposed SOHO network

[fkoehler]

Hi All,

Recently had issues with my Archer C7 v2 running DD-WRT and long story short, am re-doing my SOHO network as OpenWRT IS much nicer and featured.

Planning:
Router- Rpi 4b OpenWRT ( supports ~900Mb WAN, I will be moving to 400Mb) Yes, I know, I laughed to. Until I saw some threads on OpenWRT going back awhile, and seeing how pitiful most of the SOC are on even the expensive consumer routers. I'm also going to add NVME SSD to it since it easy and cheap.

Cisco 3560/3750 PoE switch, have on hand but on eBay for $30-40 shipped 24/48 ports if you're interested.

AP's- Roku/Firestick seem fine on N, so sticking with that and/or with AC as I don't do a lot of LAN traffic.
Thinking of trying Ruckus Flexzone R500 from eBay for $40-50/ea x2.

House is a ranch style, 2k sqf, back yard is an acre, so I might need an external AP for mowing tunes, future pond IoT stuff/solar.

I was following Ubiquiti the last couple years, however recently they seem to have turned into a Netgear, so a little more for the Ruckus seems worth a shot.
Ubiquiti seems to have jumped the shark and turned into Netgear, so although they made some nice unobtrusive AP's, not interested in them now.
Wish I could repurpose the 3 Cisco 1131's I have, but way to big and max at G. Be sad to trash them this week...

Critiques, comments, flames?

 

[mxnerd]

If what you want is playing with 3rd party firmware using a home wireless router, I would recommend the routers on the support list from freshtomato.org

You can also use the router in many different modes, including wireless bridge/client mode.

Choose a Wireless Bridge Mode For Your Tomato Network

When you setup a wireless bridge with Tomato, it’s best to use two identical routers of the same model number. I also recommend that you install the same firmware version on both routers. Ide…

learntomato.flashrouters.com

much nicer UI than OpenWRT/DD-WRT in my opinion.

If not, probably a mesh system.

* not my video*

==

Mesh for backyard.

Amazon.com

reviews for this particular model that mention acres

Amazon.com

Like all products on the market, users have different opinions/experiences.

Can EAP225-Outdoor cover both inside and outside a house? - Business Community

Hey guys! I'd kindly ask you to advise me what equipment to purchase. We live in a house of roughly 500m2 on 3 floors surrounded by land of 12000m2. The farthest point from the house is some 140m away. 4 people live in the h

community.tp-link.com

 

[fkoehler]

Thanks,

Let me explain my logic.

1. Almost anything is better than OEM firmware.
Asus_MerlineWRT is supposedly very good, however IIRC, you are stuck with Asus routers.
After using DD for 6-7 years, Open seems far more polished, uptodate, and has significant packages available.
After 20 years in networking primarily Cisco, it shouldn't be a problem as aside from the Rpi, everything else is mainstream and should follow industry standard interop. Open has more SD-WAN like features than most Cisco routers outside of the high-end.

2. The SOC's on most routers are cheapest bottom of the barrel, and are easily outclassed by the RPi4 or other SBC's available for $50. They also usually have GB of ram and expandable flash/USB/NVME capability.
Getting a 900Mb WAN-capable 'router' w/2Gb ram, USB-Enet adapter for $60-70 seems reasonable as people have been reportedly running them w/out issue for quite a while now.

3. I could get a couple more cheap N/AC routers and setup a mesh for cheap and call it done, however I've done mesh networks in the past, and there are pro's/con's to it just like everything. In my case, since I'm going PoE AP's from a 3560-PS/48, I can place them anywhere I can get a drop from a simple site survey and no suboptimal placement because I need to get it near an AC outlet. And no one ever talks about the instra-mesh traffic that takes place as the mesh functions which bites into overall throughput.

4. The downsides of using commercial equipment like Cisco, Junos, etc, is usually power, noise, and being SME.
As Mark found out, and if people look, you can get an industry hardened 48 port PoE switch which can be made 'dumb' very easily, or with just a little knowledge and forum questioning, can give you a L2/L3 switch with all the options you want.

CISCO WS-C3750-24PS-S CATALYST 3750 SERIES 24-PORT PoE NETWORK SWITCH (N3) | eBay

<p dir="ltr">CISCO WS-C3750-24PS-S CATALYST 3750 SERIES 24-PORT PoE NETWORK SWITCH (N3). Condition is "Used". Shipped with USPS Priority Mail.</p> <p dir="ltr">The switch powers up and lights up. I assume their is still some sort of previous configuration on it, but I am not sure. I don't know...

www.ebay.com

The actual power used will normally be quite a bit less than the max stated unless you are running a 24x7 data center (Mark), and the noise can be eliminated by simply pulling the existing fan, and cutting a hole in the top of the switch and throwing in a 120 - 200mm quiet fan of your choice.
Its a crying shame to see what a lot of Gb-level equipment goes for on eBay, which many are quick to dismiss as old-tech vs some plastic piece of kit made by some nobody at 2-3x the price with 1/4 of the features.

5. For 99% of people, adding a wireless extender is probably going to be good enough, though not ideal for gamers.

Finally got my Archer unbricked and running Open, and wife is telling me the internet is 'jumping' again....
So, same problem between DD and Open, which likely means the hardware is failing and I need to go ahead with my plan above.
I'll probably make a little project out of this in another thread with site survey, heat maps, and equipment BOM and configurations for router, switch and AP's in the event anyone wants/needs to duplicate.

 

[mxnerd]

Mesh is for convivence. Wired AP almost is always better than wireless mesh in terms of performance, because there always will be wifi interference in the environment throughout the day and wifi latency is always higher.

Like all electronics/computer products, wireless home router will die eventually. For the main wired router, the other option is to run pfSense with mini barebone x86 appliance, not as feature rich as OpenWRT though.

 

[fkoehler]

I looked at pfSense a while ago, and it seemed like Opnsense had better multi-core support and packages. However I only read about it from a FW perspective, and it does appear as though some people use at a router also. Not sure if it is as useful running wifi though.
I've got 3 Arruba 215's and the RPi4b ordered, so I will have to see how it performs. My total cost is going to be about $130 as I have a Samsung 830 and a Cat 3650 on hand.
If for some reason it doesn't work as well as it appears to work for others with 500Mb+ WAN, I may have to repurpose the Pi for an ethercat project and go with some barebones x86 as you mentioned and have OpnSense handle routing/FW duties.

 

[mxnerd]

pfsense's wifi support is about nil. opnsense is a fork of pfsense, don't think it will have good support of wifi either.

 

[fkoehler]

I've read that, however thats really only a problem for people who are trying to turn an x86 pf box into a wireless router or a standalone AP. In both those cases, they need the pf box to have drivers for the wlan adapters.


In my case, if I need to go with pf, I would need it to simply be a router/fw.
The Arubas do all their own wifi and dns to clients, with multi-SSID and vlans, and I believe trunking.
So as long a pf can handle a trunked port, thats the extent of its involvement in wireless.

I think. I'll find out more if the RPi doesn't work.

 

[ch33zw1z]

I've read that, however thats really only a problem for people who are trying to turn an x86 pf box into a wireless router or a standalone AP. In both those cases, they need the pf box to have drivers for the wlan adapters.


In my case, if I need to go with pf, I would need it to simply be a router/fw.
The Arubas do all their own wifi and dns to clients, with multi-SSID and vlans, and I believe trunking.
So as long a pf can handle a trunked port, thats the extent of its involvement in wireless.

I think. I'll find out more if the RPi doesn't work.

Setting up pfSense for VLAN and trunk port

Hi, I’m fairly new to pfSense, VLAN, etc...I need some help to renew my network. The network now is like in this image I would like to implement a setup sim...

forum.netgate.com

pfsense definitely supports vlans and port trunking, no sweat.

As you said, pfsense is best suited for the router / LAN workload, let the AP's handle the wireless

 

[fkoehler]

Good to know. I do want to see how the RPi performs first though.
I know Open has basic FW, not sure I will need much more than that for what we do.

 

[sdifox]

How are you setting up the rpi4? You need a wan port and a lan port. If you use a usb 3.0 nic I would worry about thermal throttle. An Ethernet rpi4 shield is probably a better option. I don't see the point to nvme since you don't need fast storage for router duty.

 

[mxnerd]

How are you setting up the rpi4? You need a wan port and a lan port

OpenWRT probably has better support if OP is going to use RPI 4. But the concept is the same.

 

[sdifox]

given we are talking about 300 mbits, wouldn't this lead to potential bottlenecking on that one nic?

 

[simas]

Hi All,

Recently had issues with my Archer C7 v2 running DD-WRT and long story short, am re-doing my SOHO network as OpenWRT IS much nicer and featured.

Planning:
Router- Rpi 4b OpenWRT ( supports ~900Mb WAN, I will be moving to 400Mb) Yes, I know, I laughed to. Until I saw some threads on OpenWRT going back awhile, and seeing how pitiful most of the SOC are on even the expensive consumer routers. I'm also going to add NVME SSD to it since it easy and cheap.

Cisco 3560/3750 PoE switch, have on hand but on eBay for $30-40 shipped 24/48 ports if you're interested.

AP's- Roku/Firestick seem fine on N, so sticking with that and/or with AC as I don't do a lot of LAN traffic.
Thinking of trying Ruckus Flexzone R500 from eBay for $40-50/ea x2.

House is a ranch style, 2k sqf, back yard is an acre, so I might need an external AP for mowing tunes, future pond IoT stuff/solar.

I was following Ubiquiti the last couple years, however recently they seem to have turned into a Netgear, so a little more for the Ruckus seems worth a shot.
Ubiquiti seems to have jumped the shark and turned into Netgear, so although they made some nice unobtrusive AP's, not interested in them now.
Wish I could repurpose the 3 Cisco 1131's I have, but way to big and max at G. Be sad to trash them this week...

Critiques, comments, flames?

What are you priorities in terms of cheap, feature full, easy to use, etc? Do you want plug and play? Do you want ability to do advanced things on it (multi WAN failover ,etc) ? How important is WAF (are there others depending on that connection)?

I am pretty happy with my cheap (~$60), very low power, fairly feature full Mikrotik Hex (750RG3). I started with GUI (Winbox) for configuration and eventually learned by way towards normal CLI. Now I have a config that I like that runs firewall/router the way I want, I know exactly what it is doing, support two ISPs ( multiple WAN), and best item for me - this is just my config on out of the box hardware. if this device bites the dust, I plug the replacement, load the config and back running in 10 seconds. I can not do something like this with my earlier attempts of tinkering systems (pfsense, etc).

However, this is NOT dummy proof, click-here-for-wizard-let me talk you through it type of device. it is a router, nothing else, nothing less, nothing more. does not make coffee 🙂

I have it connected to Brocade ICX 6450-24 switch picked off e-bay for ~$90 to give me fairly low power device for normal gig networking and 4 10G ports that I do use (one to primary server/vm host , one to NAS, one to primary workstation ,elsewhere).

I use Unifi for AC and it just works, controller runs on Windows server.

so I ranked my earlier needs as
- stability/redundancy
- recovery speed
- feature functionality
- cost
- (very last) ease of initial setup

with myself working remotely, DW working remotely from the house, kids needing to do their school work remotely - bad wifi or no wifi or no internet would become a major emergency very fast at the time of COVID. if I were alone, no kids, no kids school, no remote work , my needs may be ranked in different order.

what is your priority order? go from there.


forgot to say - i love that in case of my cable (primary) internet outage, my house is continuing to use secondary (ATT) internet without anyone noticing. that alone worth the 'insurance price' of secondary slower/cheaper connection. i also put in basic quality of life things like Pi-hole that take care of all/almost all internet ads for any device on my network, and closed everything I could find. I have zero desire to watch/share my content outside of my network or allow any cloud service to come back in to 'help me' manage it. so I stay away from any technology that needs cloud host to operate/authenticate

 

[mxnerd]

given we are talking about 300 mbits, wouldn't this lead to potential bottlenecking on that one nic?

VLAN uses same physical port, definitely will eats into total bandwidth. For internet browsing/downloading purpose, the impact will be minimal, however.

 

[sdifox]

VLAN uses same physical port, definitely will eats into total bandwidth. For internet browsing/downloading purpose, the impact will be minimal, however.

5 Gbps Ethernet on the Raspberry Pi Compute Module 4

tl;dr: I successfully got the Intel I340-T4 4x Gigabit NIC working on the Raspberry Pi Compute Module 4, and combining all the interfaces (including the internal Pi interface), I could get up to 3.06 Gbps maximum sustained throughput. Update: I was able to boost things a bit to get 4.15 Gbps...

www.jeffgeerling.com

😎

 

[mxnerd]

5 Gbps Ethernet on the Raspberry Pi Compute Module 4

tl;dr: I successfully got the Intel I340-T4 4x Gigabit NIC working on the Raspberry Pi Compute Module 4, and combining all the interfaces (including the internal Pi interface), I could get up to 3.06 Gbps maximum sustained throughput. Update: I was able to boost things a bit to get 4.15 Gbps...

www.jeffgeerling.com

😎

Well, that works. But it's an ugly hack. 😛

Why not just buy 4-6 ports mini-PCs from Qotom or Protectli?
Or something like this 5-ports HP T620 Plus?

HP/ T620 PLUS Thin Client Quad Core GX-420CA 16/4+Intel GB 4-port -pfSense ready | eBay

Importantly, the Jaguar architecture supports AES-NI and will therefore be ready for the future 2.5 version of pfSense. May be Pro/1000 PT/ET or i340. Your unit may have 2 serial ports or be a model that has 1 serial port and 1 VGA port instead.

www.ebay.com

 

[sdifox]

Well, that works. But it's an ugly hack. 😛

Why not just buy 4-6 ports mini-PCs from Qotom or Protectli?
Or something like this 5-ports HP T620 Plus?

HP/ T620 PLUS Thin Client Quad Core GX-420CA 16/4+Intel GB 4-port -pfSense ready | eBay

Importantly, the Jaguar architecture supports AES-NI and will therefore be ready for the future 2.5 version of pfSense. May be Pro/1000 PT/ET or i340. Your unit may have 2 serial ports or be a model that has 1 serial port and 1 VGA port instead.

www.ebay.com

you are going to have to ask the op

 

[fkoehler]

How are you setting up the rpi4? You need a wan port and a lan port. If you use a usb 3.0 nic I would worry about thermal throttle. An Ethernet rpi4 shield is probably a better option. I don't see the point to nvme since you don't need fast storage for router duty.

I've got the TP-Link UE300 USB3-Enet adapter which was found to give in excess of 900Mb throughput.
I've got the Armor case, which includes some spongy TIM's. TIMs are really thick, so I want to replace with some metal shims of appropriate metal and a decent thermal paste.
As for the NVME, I cheaped out and picked up a USB3-SSD adapter.

 

[fkoehler]

given we are talking about 300 mbits, wouldn't this lead to potential bottlenecking on that one nic?

RPi4 routing performance numbers

Interestingly, I went to my main router and ran a speed test while watching netdata. It uses way more CPU during the download phase of a speedtest than it does during the upload phase. This appears to be due to a dramatically higher interrupt rate. (softirq rates about 115k/s during download...

forum.openwrt.org

Half way down page to Dlakelan's comment, 922Mb through the USB3 TP-Link UE300

 

[fkoehler]

Cheap, feature full, easy to use... I want it ALL!

OK, I've got cheap, and feature full.
Easy to use? Not yet, however I'm a network engineer so its kinda sorta easy to use, just a bit different than the normal cisco I've worked on.
No multi-wan, Fios seems pretty stable for me. If there is ever a problem, I'll just put my phone on hotspot. WAF not really needed, Open has decent FW for home.

The RPi is the router, cisco will most likely be the switch, and 2x Aruba 205's will be the AP/WLAN Controller.
I'm thinking just set the RPi as a router on a stick trunck to the switch, with trunks to the AP's to allow me segregate the Guest, IoT, Home Users.

Not sure if I can run PiHole on the router, which would be cool.

What are you priorities in terms of cheap, feature full, easy to use, etc? Do you want plug and play? Do you want ability to do advanced things on it (multi WAN failover ,etc) ? How important is WAF (are there others depending on that connection)?

I am pretty happy with my cheap (~$60), very low power, fairly feature full Mikrotik Hex (750RG3). I started with GUI (Winbox) for configuration and eventually learned by way towards normal CLI. Now I have a config that I like that runs firewall/router the way I want, I know exactly what it is doing, support two ISPs ( multiple WAN), and best item for me - this is just my config on out of the box hardware. if this device bites the dust, I plug the replacement, load the config and back running in 10 seconds. I can not do something like this with my earlier attempts of tinkering systems (pfsense, etc).

However, this is NOT dummy proof, click-here-for-wizard-let me talk you through it type of device. it is a router, nothing else, nothing less, nothing more. does not make coffee 🙂

I have it connected to Brocade ICX 6450-24 switch picked off e-bay for ~$90 to give me fairly low power device for normal gig networking and 4 10G ports that I do use (one to primary server/vm host , one to NAS, one to primary workstation ,elsewhere).

I use Unifi for AC and it just works, controller runs on Windows server.

so I ranked my earlier needs as
- stability/redundancy
- recovery speed
- feature functionality
- cost
- (very last) ease of initial setup

with myself working remotely, DW working remotely from the house, kids needing to do their school work remotely - bad wifi or no wifi or no internet would become a major emergency very fast at the time of COVID. if I were alone, no kids, no kids school, no remote work , my needs may be ranked in different order.

what is your priority order? go from there.


forgot to say - i love that in case of my cable (primary) internet outage, my house is continuing to use secondary (ATT) internet without anyone noticing. that alone worth the 'insurance price' of secondary slower/cheaper connection. i also put in basic quality of life things like Pi-hole that take care of all/almost all internet ads for any device on my network, and closed everything I could find. I have zero desire to watch/share my content outside of my network or allow any cloud service to come back in to 'help me' manage it. so I stay away from any technology that needs cloud host to operate/authenticate

 

[fkoehler]

you are going to have to ask the op

I saw that hack of Geerlings, and was pretty intrigued.
However, right now I want to keep confounding variables to a minimum and will use a switch since I need PoE anyways, and have a couple handy already.

At a later date, if I can confirm the Aruba 205's will work with passive PoE, then I can pick up some cheap $5 ones on eBay as the Arubas only need 15 watts.

Haven't read enough if this will work on the regular Rpi4 or just the Computer mod.

I've seen a few suggested mini's with Jaguar cores, however I think those are just a bit too old, small. If I had to go x86, I'd probably look around mini-itx/sbc for something with slightly newer quad-core low power procs.

And, it looks like BSD has Arm64 becoming Tier1, so OPNSense should be following right behind. If I am reading it correctly, OPNSense is already running community releases on Arm:

Show posts - spikerguy

Show posts - spikerguy

forum.opnsense.org

 

[mxnerd]

Be aware that RPi4 does not have AES hardware acceleration. It could affect VPN performance if you are going to use any.

AES on BCM2711 (RPi4)? - Raspberry Pi Forums

www.raspberrypi.org

==

Well, Wireguard way much better than OpenVPN

Raspberry Pi 4 Benchmarked with 32-bit and 64-bit Debian OS - CNX Software

The first Raspberry Pi board with a 64-bit Arm processor was Raspberry Pi 3 Model B, and all new models including the latest Raspberry Pi 4 come with four

www.cnx-software.com

 

[sdifox]

I saw that hack of Geerlings, and was pretty intrigued.
However, right now I want to keep confounding variables to a minimum and will use a switch since I need PoE anyways, and have a couple handy already.

At a later date, if I can confirm the Aruba 205's will work with passive PoE, then I can pick up some cheap $5 ones on eBay as the Arubas only need 15 watts.

Haven't read enough if this will work on the regular Rpi4 or just the Computer mod.

I've seen a few suggested mini's with Jaguar cores, however I think those are just a bit too old, small. If I had to go x86, I'd probably look around mini-itx/sbc for something with slightly newer quad-core low power procs.

And, it looks like BSD has Arm64 becoming Tier1, so OPNSense should be following right behind. If I am reading it correctly, OPNSense is already running community releases on Arm:

Show posts - spikerguy

Show posts - spikerguy

forum.opnsense.org

You need the compute module to have easier access to pcie, albeit only 1x. Also you need the io board and you do lose the usb 3 ports.

The Raspberry Pi Compute Module 4 Review

Introduction Six years ago, the Raspberry Pi Foundation introduced the Compute Module: a teensy-tiny version of the popular Raspberry Pi model B board. Between then and now, there have been multiple revisions to the Compute Module, like the 3+ I used in my Raspberry Pi Cluster YouTube series...

www.jeffgeerling.com

Hopefully that realtek usb nic can dissipate heat fast enough for continous duty. Maybe add a fan? Or go the RPI CM4 with io board and get a pcie nic with the same chipset that works well for openwrt. The compute module has onboard storage as well so you don't need the ssd.

Do report back on your findings.

 

[simas]

Cheap, feature full, easy to use... I want it ALL!

OK, I've got cheap, and feature full.
Easy to use? Not yet, however I'm a network engineer so its kinda sorta easy to use, just a bit different than the normal cisco I've worked on.
No multi-wan, Fios seems pretty stable for me. If there is ever a problem, I'll just put my phone on hotspot. WAF not really needed, Open has decent FW for home.

The RPi is the router, cisco will most likely be the switch, and 2x Aruba 205's will be the AP/WLAN Controller.
I'm thinking just set the RPi as a router on a stick trunck to the switch, with trunks to the AP's to allow me segregate the Guest, IoT, Home Users.

Not sure if I can run PiHole on the router, which would be cool.

got it. of cause , we want it ALL - however it is always 'rank it in priority' order.

I get your desire to play with RPi and it could work for you (i do not use it in my setups so can not comment). cost wise i found mikrotik to be just as cheap or cheaper (once you factor case + accessories), stable as a rock, and set it and leave it alone type of device. YMMV.

good luck with your project!

 

[Fallen Kell]

I went down this rabbit hole last year. In the end, I decided on a small form factor PC (specifically I used a Dell Optiplex 9020 sff system). Yes, it draws more power (max 255W depending on hardware), but it also supplies a lot of added flexibility. But it was cheap (picked one up for under $220 total after adding in a SSD and the network card, mine was also a i7-4790 CPU, so 4 core/8 threads).

Some of the added flexibility is a PCI-E 3.0 x16 slot. It let me put in a dual port 40Gb network card, which I use for my routing (although I am only using 1 port and using a router-on-a-stick configuration as I don't need the full 40Gb bi-directional at this time, as my core switch does most of my routing, this is just doing edge-routing to-from the internet, which obviously doesn't have a 40Gbps connection).

The other benefit is that it has the horsepower for running pfblocker-ng (think of it as pi-hole on steroids as it integrates with the firewall, not just returning a not found on a DNS lookup which can be bypassed by something using an IP address which doesn't need to be looked up via DNS).