linux_router:hardware, revision 2024-12-15 10:07 (current) by baumkp; compared with revision 2023-01-23 17:49 by baumkp.
{{tag>linux router hardware}}
======Router Hardware======

=====ikoolcore-r2-max=====
(Dec 2024) The Supermicro SYS-E200-9B has stopped working. It POSTs (the BIOS comes up) but will not boot any further; I suspect a hardware failure of some sort. The BMC failed a few years ago. I have ordered a replacement [[https://www.ikoolcore.com/products/ikoolcore-r2-max|ikoolcore-r2-max]]. The replacement comes with 2.5Gb/s and 10Gb/s NICs and a more modern and faster 8-core [[https://www.intel.com/content/www/us/en/products/sku/231805/intel-core-i3n305-processor-6m-cache-up-to-3-80-ghz/specifications.html|i3-N305 CPU]] that should easily handle home router services up to 10Gb/s, and certainly to 2.5Gb/s. The [[https://www.marvell.com/products/ethernet-adapters-and-controllers/fastlinq-edge-ethernet-controllers.html|Marvell AQC113C-B1-C 10Gb/s NICs]] on this machine are RJ45 based and support all the normal RJ45 speeds (10, 5, 2.5 and 1Gb/s, and 100 and 10Mb/s).
++++ikoolcore-r2-max specifications|
  *Processor: Intel Alder Lake-N i3-N305 (also an N100 option, standard without system fans)
  *Memory: 1 x SO-DIMM DDR5 4800MHz, 32GB (Samsung)
  *Ethernet ports: 2 x Marvell AQC113C-B1-C 10Gbps network cards (via PCIe 3.0 x2), 2 x Intel i226-V 2.5G network cards (via PCIe 3.0 x1)
     *AQC113C-B1-C is a 6-speed, commercial temperature grade, RoHS 6/6 network chipset
  *Storage: 2 x M.2 2242/2280 NVMe SSD, PCIe 2.0 x1
  *USB ports: 2 x USB-A 3.0 (5Gbps), 1 x USB-C 3.2 Gen2 (10Gbps)
  *Display: HDMI 2.0 and Type-C display output with 4K 60fps support
  *Cooling system: full aluminium body passive cooling, dual 4010 fans active cooling for the aluminium fins
  *System compatibility: Windows, Linux, pfSense, OPNsense, OpenWrt, Proxmox VE, VMware ESXi, Unraid and more
  *BIOS: AMI EFI BIOS with auto power-on, WOL and PXE support
  *Power supply: DC in 12-19V
  *Dimensions: 157 x 118 x 40 mm
  *Weight: main unit 1050g (1110g for the fanless unit), packed about 1600g
  *More:
     *Product wiki: [[https://wiki.ikoolcore.com|wiki.ikoolcore.com]]
     *Drivers, BIOS, firmware: [[https://dl.ikoolcore.com|dl.ikoolcore.com]]

For more information and FAQs see [[https://wiki.ikoolcore.com|wiki.ikoolcore.com]]. ++++

=====Old Router Hardware=====
++++old hardware tldr;|
With the X11SBA-LN4F finally failing about 8 years after purchase (2016) and 7 years after being placed into operation, I am honestly disappointed in its reliability. The BMC failed about 3-4 years before the main machine did. The limitations of the machine were starting to become apparent: it was slow, but low powered. If it had not failed I probably would have been able to continue to use it as my router for a few more years. Its now limited performance means it is not worth the trouble to try to repair.

====X11SBA-LN4F====
(Jan 2023) For my router, including DNS (BIND9) and DHCP (ISC DHCP), I am using a Supermicro SYS-E200-9B, which comes with a Supermicro X11SBA-LN4F motherboard. I purchased this in 2016 and got it functional in 2017, whilst waiting for nftables to support all the required features on Ubuntu. The X11SBA-LN4F has an Intel Pentium N3700 with 4 x Intel i210-AT GbE LAN. I got it with the maximum 8GB RAM and a 120GB mSATA drive. Sadly the mSATA drive was a Chinese-branded unit that failed after 3 years of operation. I replaced it with an old Samsung 256GB 860 SSD that I had on hand. I also took the opportunity to change the router from Ubuntu to Debian at this time. The N3700 CPU had reasonable performance at the time and includes the AES-NI instructions, which a number of common lower-priced options at the time did not, e.g. the J1900 CPU. AES-NI improves encryption throughput significantly, handy for SSL/TLS and VPN traffic. The unit is still performing well now, including the 10-year-old Samsung SSD. I run the following software on it, all bare metal:
  * nftables for firewall and routing
  * BIND9 for DNS
  
I looked at the various options for the router hardware (written in 2016).
  *A small ARM based machine, e.g. Raspberry Pi 3. (The current RPi looks much more capable.) However these machines are generally limited in a number of ways, including, by definition, not being x86 based. Many do not have more than one NIC, and the NIC is often not full gigabit. (To be fair this hardware may be sufficient in most cases, as most homes do not have better than 100Mb/s internet connections, and in general much slower.) The main upside is that they are small, low power and relatively cheap. Those with only one NIC need USB NIC adaptors, which further complicate setup, performance and reliability. Better spec'ed machines, e.g. with multiple gigabit NICs, start getting more pricey too. I suppose you get what you pay for....
  *The Raspberry Pi 4 and 5 look like a much better option than earlier versions for a home router. They still have the complexity of only one native NIC, but that is full 1GbE and there are two USB 3 ports to allow another full 1GbE NIC off USB.
  *An older x86 based machine. The main downsides to these are high power consumption and large size; even an old server tends to use more than 30W at the wall, or greater than $60/year in power. Also the board I had only had one built-in NIC, so I would need a PCIe NIC card. There is also the issue of reliability and performance for the older hardware, although it is probably good enough in this respect. That all being said, if one is strapped for cash this may be a good way to start, as the upfront cost would be smallest, if not zero.
  *At the moment, 2016, there are a lot of Intel Celeron J1900 based units with 4 NICs around. The J1900 is an older CPU, 4 cores, 2.0-2.42 GHz. Also in many cases the NIC hardware is older, particularly on the cheaper units, so care must be taken if you want to ensure more up to date hardware. These machines are a good option: low power (~8-10W), small size. They come with 2 SATA ports and mini PCI-E slots. By the time you fit them out they cost around USD250-350, with 4-8GB RAM and a 120GB mSATA drive. The cheaper options are, as noted above, usually with older NIC hardware and lower memory and drive size, and can be had at even lower prices.
  *I decided to get a Supermicro [[https://www.supermicro.com/products/system/Mini-ITX/SYS-E200-9B.cfm|SYS-E200-9B]] that comes with a Supermicro motherboard [[https://www.supermicro.com/products/motherboard/X11/X11SBA-LN4F.cfm|X11SBA-LN4F]], an Intel Pentium N3700 system with 4 x Intel i210-AT GbE LAN, from [[https://mitxpc.com/products/sys-e200-9b|Mitxpc]].
I got it with the maximum 8GB RAM and a 120GB mSATA drive. The N3700 CPU is more modern than the J1900 and includes the AES-NI instructions, which the J1900 does not have. AES-NI improves encryption throughput significantly, handy for SSL/TLS and VPN traffic. Otherwise the overall performance is similar (4 cores at 1.6-2.4GHz) and power slightly lower than the J1900. (The Intel LAN controllers are also the more modern ones.) This unit also comes with a dedicated IPMI LAN port, allowing full remote KVM operation over the network. A downside of the IPMI is that it uses another 3.5W of power (1W running 24/7 costs $2.19/year @ $0.25/kWh, so the 3.5W IPMI costs $7.67/yr extra on top of the main unit's 9W at $19.71/year). The upside is that the unit can be operated remotely off-site, with configuration options for auto-on at power up and a heartbeat with auto reset. (My home server is also a Supermicro based unit with a dedicated IPMI LAN port and has given me a good 5 years of service to date.) The downside is mainly the price, USD490 + delivery; as these units are not sold locally I purchased in the USA and had it mailed for USD75. In any case this hardware should allow for a router with great performance for some years to come. Again you get what you pay for..... Some 7 years later I am having problems with the BMC on this unit; it is very unreliable now and requires the entire computer to be reset, which in many respects defeats the purpose of having it. The main unit otherwise works, but it is now much more difficult to use headlessly. The main unit is still good enough for my home internet, which can be provided at up to 1000Mb/s, although it is usually much lower than this upstream....

<fs smaller> I don't see the point installing a 64bit OS on systems with less than 4GB of RAM. A 32bit OS can only natively access up to 4GB of RAM, but should give a better compromise with such limited RAM.</fs>

====Specific issues with use of headless X11SBA-LN4F hardware====
====IPMI KVM Display Problems====
Acronyms can be painful. IPMI = Intelligent Platform Management Interface, KVM = Keyboard, video and mouse, BMC = Baseboard management controller.
  
I plan to dedicate NIC0 to the WAN and bridge NICs 1-3 to the LAN. The bridged LAN network will also be used for the main server and its VMs, with dedicated IP addresses on the LAN. The main nftables based router will run on bare metal, and a number of VMs will be used for DNS, DHCP, VPN and logging.++++
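As an added example (not the page's own configuration), the following shell script generates and syntax-checks an nftables ruleset for the layout just described: one WAN NIC, one LAN bridge carrying the server and its VMs, the firewall on bare metal, with the LAN-side services reachable only from the LAN and nothing unsolicited accepted from the WAN except the VPN port. The interface names ''eth0'' and ''br0'' and the WireGuard port 51820 are assumptions passed in as parameters; the page does not name them.

```shell
#!/bin/sh
# Added example: nftables ruleset for a bare-metal router with the WAN on one
# NIC and the LAN on a bridge of the remaining NICs. Interface names and the
# VPN port are assumptions; override them with WAN=... LAN=... WG_PORT=... .
# Forwarding itself is a sysctl, not a firewall rule:
#   net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1 in /etc/sysctl.d/

# gen_ruleset WAN LAN [WG_PORT] -> prints the ruleset on stdout
gen_ruleset() {
    wan="$1"; lan="$2"; wg="${3:-51820}"
    cat <<EOF
#!/usr/sbin/nft -f
# WAN=$wan LAN=$lan (generated)
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # LAN side is trusted: DNS, DHCP, SSH and the VPN endpoint live here
        iifname "$lan" accept
        # WAN side: the ICMP needed for PMTU/diagnostics and the VPN port, nothing else
        iifname "$wan" icmp type { echo-request, destination-unreachable, time-exceeded } accept
        iifname "$wan" icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname "$wan" udp dport $wg accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN (including the VMs on the bridge) may reach the internet;
        # nothing unsolicited is forwarded in from the WAN
        iifname "$lan" oifname "$wan" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# count_policy_drop RULESET -> number of chains whose default policy is drop.
# Both filter chains should be; a filter chain with policy accept is a mistake.
count_policy_drop() {
    printf '%s\n' "$1" | grep -c 'policy drop;'
}

# check_ruleset RULESET -> 0 if nft parses it, 2 if nft is not installed.
# nft -c validates the file without loading anything into the kernel.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    printf '%s\n' "$1" | nft -c -f -
}

RULESET=$(gen_ruleset "${WAN:-eth0}" "${LAN:-br0}" "${WG_PORT:-51820}")
printf '%s\n' "$RULESET"
rc=0; check_ruleset "$RULESET" || rc=$?
case "$rc" in
    0) echo "# ruleset parses; install as /etc/nftables.conf and run: nft -f /etc/nftables.conf" ;;
    2) echo "# nft not installed (Debian: apt install nftables); syntax not checked" ;;
    *) echo "# nft rejected the ruleset" ;;
esac
```

The chain policies do the real work: with ''policy drop'' on ''input'' and ''forward'', anything not explicitly accepted from the WAN is dropped, and the VMs on ''br0'' are only reachable from the LAN or through the VPN.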

=====VM / Docker on Router=====
===Progress===
As of 2023/01 I set up a VM manager (libvirt/QEMU/KVM) on the router and loaded Docker inside a VM. It is slow but does seem to work.
Next:
  *ISC Kea DHCP in Docker (currently ISC DHCP on bare metal)
  *ISC BIND 9 in Docker (currently BIND 9 on bare metal)
  *WireGuard VPN in Docker (currently WireGuard VPN on bare metal)

===Router key features===
  - Operate reliably 24 hours per day, 7 days a week
  - Low power operation; power costs money
  - Headless remote access, with a separate BMC NIC (this could be integrated or an external KVM, e.g. [[https://pikvm.org/|PiKVM]]); the BMC NIC belongs on an isolated management network, never on the WAN side
  - Hardware suitable for purpose:
    - At least 2 NICs (1 WAN plus 1 or more LAN; quality native NICs, not USB based), 4+ NICs preferable
    - NICs to be 1Gb/s type minimum, although as of 2023 2.5Gb/s NICs would now be the minimum specification
    - Sufficient CPU power not to limit primary performance
    - Correct CPU options, e.g. AES-NI and [[https://www.intel.com/content/www/us/en/virtualization/virtualization-technology/intel-virtualization-technology.html|virtualization]] (VT-x, and as of 2023 VT-d)
  - No graphical user interface environment installed (although individual applications could have a web interface)
  - Connectivity to the upstream ISP provided internet
  - Firewall
  - DNS
  - DHCP
  - VPN for use as a secure gateway to allow private access from the public internet
The following key services define the router:
  *network services (bare metal)
  *ISP internet connectivity (bare metal)
  *main firewall (bare metal)
  *DNS
  *DHCP
  *VPN (for secure public access to the LAN)
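As an added example (not from the original page), this shell script checks the CPU options called for in item 4 of the key features above, and the AES-NI point made about the N3700 versus the J1900 earlier, the way I would on a candidate router before buying or installing: it reads the ''flags'' line of ''/proc/cpuinfo'' for AES-NI (''aes'') and VT-x (''vmx''; ''svm'' on AMD), and looks for an active IOMMU (VT-d) in ''/sys/class/iommu''. The two embedded cpuinfo fragments are hand-written stand-ins for the N3700 and J1900, not captures from real hardware.

```shell
#!/bin/sh
# Added example: check a router CPU for the flags the key-features list asks for.
# Usage: sh check_cpu.sh              (checks the live /proc/cpuinfo)
#        sh check_cpu.sh saved.txt    (checks a saved copy from another machine)

# Each requirement is one flag, or alternatives separated by '|'.
# aes = AES-NI; vmx = Intel VT-x, svm = AMD-V.
# VT-d is a chipset/firmware feature, not a cpuinfo flag: see iommu_present.
REQUIRED_FLAGS="aes vmx|svm"

# cpu_flags TEXT -> prints the flag list of the first CPU in cpuinfo-format TEXT
cpu_flags() {
    printf '%s\n' "$1" | awk -F': ' '/^flags[ \t]*:/ { print $2; exit }'
}

# has_flag FLAGS NAME -> exit 0 if NAME appears as a whole word in FLAGS
has_flag() {
    printf ' %s ' "$1" | grep -qF " $2 "
}

# check_cpu TEXT -> one line per requirement; returns the number of unmet ones
check_cpu() {
    flags=$(cpu_flags "$1")
    missing=0
    for req in $REQUIRED_FLAGS; do
        found=1
        for alt in $(printf '%s' "$req" | tr '|' ' '); do
            has_flag "$flags" "$alt" && found=0
        done
        if [ "$found" -eq 0 ]; then
            echo "ok       $req"
        else
            echo "MISSING  $req"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# iommu_present -> exit 0 if the running kernel has an IOMMU (VT-d / AMD-Vi)
# enabled; only meaningful on the live system, not on a saved file.
iommu_present() {
    [ -d /sys/class/iommu ] && [ -n "$(ls -A /sys/class/iommu 2>/dev/null)" ]
}

# Constructed sample inputs (abridged, hand-written; not real captures):
# the N3700 has AES-NI and VT-x, the J1900 has VT-x but no AES-NI.
SAMPLE_N3700=$(cat <<'EOF'
processor       : 0
model name      : Intel(R) Pentium(R) CPU  N3700  @ 1.60GHz
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep pni pclmulqdq vmx ssse3 sse4_1 sse4_2 movbe popcnt aes rdrand
EOF
)
SAMPLE_J1900=$(cat <<'EOF'
processor       : 0
model name      : Intel(R) Celeron(R) CPU  J1900  @ 1.99GHz
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep pni pclmulqdq vmx ssse3 sse4_1 sse4_2 movbe popcnt rdrand
EOF
)

# Check the file named on the command line, else the live /proc/cpuinfo,
# else fall back to the constructed samples.
if [ -n "$1" ] && [ -r "$1" ]; then
    check_cpu "$(cat "$1")" || echo "$? requirement(s) not met"
elif [ -r /proc/cpuinfo ]; then
    check_cpu "$(cat /proc/cpuinfo)" || echo "$? requirement(s) not met"
    if iommu_present; then echo "ok       iommu (VT-d / AMD-Vi) active"
    else echo "note     no IOMMU in /sys/class/iommu (VT-d off or unsupported)"; fi
else
    echo "--- constructed N3700 sample"; check_cpu "$SAMPLE_N3700" || true
    echo "--- constructed J1900 sample"; check_cpu "$SAMPLE_J1900" || true
fi
```

A missing ''aes'' flag on a board that is meant to terminate VPN or TLS traffic is the thing to catch here; the IOMMU check matters once VMs are given PCI devices, as the VM/Docker section below plans.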

===Assumptions and Limitations===
  *Low power means lower CPU resources, hence care is needed with applications that require significant or otherwise unnecessary resources.
  *Some services run on bare metal to ensure reliable performance.
  *This machine is much slower than usual hardware, and this is noticeable in interface usage, even without a graphical interface.
  *The network and related services must NOT limit upstream IP connectivity to below 100Mb/s, and preferably should only become a limit as speeds approach the NICs' 1Gb/s hardware speed. (At the moment my internet connection is via fibre and is capable of about 1000Mb/s down and up, although the plan I am on is limited to 250Mb/s down and 20Mb/s up, and this hardware and setup seem to be performing well. Up until March 2024 my internet connection was via VDSL and was limited to about 65Mb/s down and 16Mb/s up.)

Docker makes substantial changes to the host firewall using iptables: it creates its own chains (DOCKER, DOCKER-USER and the DOCKER-ISOLATION chains), jumps to them from the top of FORWARD, and adds NAT rules for published ports, so container traffic is handled before the rules an administrator appended for the host. For this reason I decided to set up a virtual machine (VM) environment, Linux QEMU/KVM/libvirt based. VMs seem to impact the firewall / network setup less adversely than Docker. The use of the VM isolates the Docker firewall machinations from the bare metal.
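As an added example, not from the page, this shell script makes the previous paragraph concrete. It parses ''iptables-save'' output, lists the chains Docker owns, the ''FORWARD'' policy and any published-port DNAT rules, and reports whether Docker has touched the firewall. The embedded sample is constructed by hand to look like the rules ''dockerd'' installs for a container publishing port 53 (the DNS-in-Docker case above); it is not a capture from the author's router, and the container address 172.17.0.2 is an assumption.

```shell
#!/bin/sh
# Added example: show what Docker does to a host firewall by inspecting
# iptables-save output. On a live host, as root:
#   iptables-save | sh docker_fw.sh -
# With no argument it analyses the constructed sample below.

# docker_chains TEXT -> "table/CHAIN" for every chain Docker created
docker_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/      { table = substr($0, 2) }
        /^:DOCKER/ { name = substr($1, 2); print table "/" name }'
}

# docker_chain_count TEXT -> number of Docker chains (0 = untouched firewall)
docker_chain_count() {
    docker_chains "$1" | awk 'END { print NR }'
}

# docker_touched TEXT -> exit 0 if Docker has installed any chain
docker_touched() {
    [ "$(docker_chain_count "$1")" -gt 0 ]
}

# forward_policy TEXT -> default policy of the filter FORWARD chain
# (dockerd sets it to DROP when it enables ip_forward itself)
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/                             { table = substr($0, 2) }
        table == "filter" && /^:FORWARD / { print $2; exit }'
}

# docker_published TEXT -> "proto/port -> container:port" for each port Docker
# publishes via DNAT in the nat table. These are reachable from every interface,
# the WAN included, unless a rule in DOCKER-USER blocks them: the DOCKER chain
# in filter accepts them and is consulted before any FORWARD rule the
# administrator appended.
docker_published() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
            proto = "?"; port = "?"; dst = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")               proto = $(i + 1)
                if ($i == "--dport")          port  = $(i + 1)
                if ($i == "--to-destination") dst   = $(i + 1)
            }
            print proto "/" port " -> " dst
        }'
}

# report TEXT -> human-readable summary; exit 0 if Docker touched the firewall
report() {
    if docker_touched "$1"; then
        echo "Docker chains present ($(docker_chain_count "$1")):"
        docker_chains "$1" | sed 's/^/  /'
        echo "FORWARD policy: $(forward_policy "$1")"
        echo "Published ports (DNAT in nat/DOCKER), exposed on all interfaces:"
        docker_published "$1" | sed 's/^/  /'
        return 0
    fi
    echo "no Docker chains; FORWARD policy: $(forward_policy "$1")"
    return 1
}

# Constructed sample, written to look like dockerd's rules for one container
# started with "-p 53:53/tcp" on the default bridge. Not captured from a real host.
SAMPLE_DOCKER=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 53 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.17.0.2:53
COMMIT
EOF
)
# Constructed sample of a host without Docker, for comparison.
SAMPLE_CLEAN=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
)

if [ "$1" = "-" ]; then
    report "$(cat)"
else
    report "$SAMPLE_DOCKER"
fi
```

Run against the bare-metal router this should find no Docker chains at all; if it does, Docker escaped the VM and the published ports it lists are reachable from the WAN regardless of the nftables rules on the host, because the only hook Docker leaves for the administrator is the DOCKER-USER chain.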

===Why not Proxmox===
++++tldr;|
  *I have not used it to date, so I have no experience with Proxmox
  *I already have a lot of experience running Debian and libvirt/QEMU/KVM, which is what Proxmox seems to be built on
  *Proxmox seems to need to be installed on bare metal. I am not so sure this would work well with my bare metal firewall feature requirements
++++
<-  linux_router:background|Prev page ^ linux_router:start|Start page ^ linux_router:ubuntu|Next page ->