# Raspberry as router



## mfaridi (Apr 28, 2019)

In our company, my boss wants me to make a router for an internal network; we have above 100 users.
This router must share internet to users and have some limitations.
Can I use a Raspberry as a router?
I would be grateful for any recommendation for this project.


----------



## SirDice (Apr 29, 2019)

mfaridi said:


> Can I use Raspberry as Router?


Don't. It'll work fine for one or two users but the ethernet interface of the Pi is rather slow. Also note that there's only one ethernet so you'll have to add additional ones with USB. USB is also quite slow. In short, it's the wrong hardware for the job.


----------



## aht0 (Apr 29, 2019)

I assume it would have to act as a gateway between external networks (Internet) and internal networks. For a hundred people you'll have to look for decent x86_64 hardware. Quad-core CPU at minimum with decent clocks. More if you want to run IDS/IPS software on it, which would be a rather good idea. It would help prevent malicious software getting in from the Internet. You never know what employees would download, look at or click on. IDS/IPS requires a fair amount of processing power.

Since it's not your average home system you need to buy good quality hardware, and that does not mean a cheap-ass consumer system, which is not meant to be in a wall socket 24/7/365. Consumer hardware is not meant for it. Get enterprise quality hardware. It becomes more expensive but it's cheaper than having a bunch of downtime because your hardware gave up and died suddenly.

The Pi has 1-2 (depending on model) USB2 root ports, which means very limited throughput. When you add a USB ethernet card, it means everything connected to the Pi would share that pitiful resource. It's not really fit for even 1 user; USB NICs are not the most stable ones under load.


----------



## mfaridi (Apr 29, 2019)

Thanks all,
Which hardware do you recommend for this project? Price is more important.


----------



## jdakhayman (Apr 29, 2019)

I'll answer your question with a question. What's your budget? We are shooting in the dark without that.

jda


----------



## Remington (Apr 29, 2019)

You should start with a mini server or motherboard that uses the Intel Atom C2000 series as a bare minimum. Anything less and it'll be overloaded with 100+ users, causing slow performance.

Intel Celeron J1900 may cut it but just barely as I'm using it as a home router.


----------



## usdmatt (Apr 29, 2019)

Do you need it to do anything special?
If it's just a router I personally would vote for using something off the shelf rather than building one. Hell if it's just providing a router to the Internet (<= 1Gbps) and not doing lots of inter-vlan routing you could probably get away with something like a Mikrotik Hex S for ~$69.


----------



## andrian (Apr 29, 2019)

buy and you will be satisfied 
*Intel® D2500CC*


----------



## mfaridi (Apr 29, 2019)

usdmatt said:


> Do you need it to do anything special?
> If it's just a router I personally would vote for using something off the shelf rather than building one. Hell if it's just providing a router to the Internet (<= 1Gbps) and not doing lots of inter-vlan routing you could probably get away with something like a Mikrotik Hex S for ~$69.


I see the specification of the Mikrotik Hex S; the hardware specification is lower than the Pi, but performance is better. I think it depends on the OS.


----------



## SleepWalker (Apr 29, 2019)

https://www.friendlyarm.com/index.php?route=product/product&product_id=248


----------



## balanga (Apr 29, 2019)

I've just come across the Espressobin but have no idea how useful it might be.  I understand you can get it with pfSense installed so it must be reasonably powerful.


----------



## Phishfry (Apr 29, 2019)

I think the cheapest acceptable x64 solution is the PCEngines APU2 line.
The cheapest is around $130; you can get the APU2D2 with case, power and 16GB Phison mSATA module.
https://pcengines.ch/apu2.htm
100 users would be the most I put on an APU2D2.
If you are doing any NAT or packet inspection it will not be enough. Simple routing OK.


----------



## SirDice (Apr 30, 2019)

mfaridi said:


> I see specification of Mikrotik Hex S, hardware specification is lower than Pi, but performance is better. I think it depends on OS.


You're only looking at the CPU and memory specs, which aren't the bottleneck. The hardware is built entirely differently. For one, the Mikrotik has specialized hardware for switching and routing. The Raspberry Pi doesn't have that kind of networking hardware onboard. The Pi is a hobby project, not a hardcore networking component.


----------



## Remington (Apr 30, 2019)

I have pfSense running on this mini PC 24/7 for 3 years. It's extremely reliable and I never had any issues with it. VPN and firewall work very well.






Amazon.com: QOTOM Mini PC with 8GB RAM 64GB SSD, 4 Intel LAN Port, VGA, 4 USB Port, celeron j1900 Processor Quad core 2 GHz, Fanless Mini PC pfSense: Computers & Accessories


----------



## Phishfry (Apr 30, 2019)

I like the spirit of the D2500 ITX suggestion above.
For my firewall I just retooled to a used Advantech AIMB-272 with a low power i7 mobile chip. (Previously used an APU2.)
2 Intel ethernet interfaces onboard (one for management, the other DMZ) and I added a dual port 10G fiber card for connection to my switch.
I used an old HTPC chassis for my low profile Chelsio fiber card. This goes on a shelf in my utility room hooked to the modem.

https://www.shop.perfecthometheater.com/HTPC-ITX4-v3-Black-Mini-HTPC-aluminum-chassis-HTPC-ITX4-v3-B.htm

It is the nicest shelf box I have built yet. I had most all the parts on hand from previous duties.
I had to add a fan for the Chelsio card. It is a flamethrower.
The goal was Pico PSU but the Chelsio card drew too much power to boot so needed a real PS. I used a 1U model.

Here is a newer version of my Advantech board. IvyCreek. A 3632QM would be ideal for some low power VPN and filtering.
https://www.ebay.com/itm/273591689430


----------



## mfaridi (Apr 30, 2019)

Thanks,
but compatibility with FreeBSD is more important for me. I want to do this project with pure FreeBSD.


----------



## Remington (Apr 30, 2019)

mfaridi said:


> Thanks,
> but compatibility with FreeBSD is more important for me. I want to do this project with pure FreeBSD.



The Qotom mini PC I quoted above will work with FreeBSD, as pfSense is based on the same OS.


----------



## ralphbsz (May 1, 2019)

You have told us "100 users".  But you haven't told us anything else about the requirements.  What is the bandwidth you need to serve?  How much extra latency can you introduce?  What is the workload?  Occasional web browsing, a little bit of e-mail, or intense traffic, perhaps using cloud computing off-site?  Do you need to pass any interesting protocols (NFS, FTP, ...)?  Does it have to have VPN capability?  Or perhaps NAT?  What are the security needs?  How many internal networks do you need to route for (many sites have multiple networks)?  Does it need to serve wireless also (also function as an AP)?  Is user authentication required?  How about availability and reliability requirements?  Do you need guaranteed 5 (or 3 or 7) nines of uptime?  What is the financial penalty of an outage?  What other services do you want to serve?  You might want to use the same hardware also as a DNS, DHCP, NFS, Squid cache, E-mail, NFS, ... server.



mfaridi said:


> but compatibility with FreeBSD is more important for me. I want to do this project with pure FreeBSD.


Why?  Please explain.  If a better solution could be found using a different OS, why would it have to be FreeBSD?


----------



## tommiie (May 1, 2019)

mfaridi said:


> but compatibility with FreeBSD is more important for me. I want to do this project with pure FreeBSD.





ralphbsz said:


> Why?  Please explain.  If a better solution could be found using a different OS, why would it have to be FreeBSD?



Agreed. Choose the best tool for the job. It may or may not be FreeBSD. I could understand it if it was your home lab setup and you want to learn stuff but in a company setup, it all depends on how familiar your colleagues are with FreeBSD. What if you leave or become ill and they have to maintain the system?

Also, why would you invest countless hours of company time into setting up a FreeBSD router on some cheap hardware when you can just buy a router in a store and be done with it? If money is such an issue for your company (which you indicated it is), don't waste money trying to get FreeBSD running on some random hardware and making it a well-performing router.


----------



## Remington (May 1, 2019)

I have to agree with tommiie since manually setting up routing/firewall/Snort/VPN with FreeBSD will take a lot of time and work. What if the updates or your configurations break something and your 100+ users are without network access? It's pretty obvious you really don't know what you're doing. That's why pfSense is there to make the job easier. I have a few servers at the data center and all of them are behind pfSense.

I did manually set up FreeBSD with routing/firewall/VPN/fail2ban and it's not easy to do. A few times I had updates that broke things, and it was taking too much of my time to maintain the FreeBSD firewall, so I decided to switch over to pfSense. Now I have more time to focus on developing software rather than trying to tweak FreeBSD firewall settings, troubleshooting, etc.


----------



## mfaridi (May 1, 2019)

ralphbsz said:


> You have told us "100 users".  But you haven't told us anything else about the requirements.  What is the bandwidth you need to serve?  How much extra latency can you introduce?  What is the workload?  Occasional web browsing, a little bit of e-mail, or intense traffic, perhaps using cloud computing off-site?  Do you need to pass any interesting protocols (NFS, FTP, ...)?  Does it have to have VPN capability?  Or perhaps NAT?  What are the security needs?  How many internal networks do you need to route for (many sites have multiple networks)?  Does it need to serve wireless also (also function as an AP)?  Is user authentication required?  How about availability and reliability requirements?  Do you need guaranteed 5 (or 3 or 7) nines of uptime?  What is the financial penalty of an outage?  What other services do you want to serve?  You might want to use the same hardware also as a DNS, DHCP, NFS, Squid cache, E-mail, NFS, ... server.
> 
> 
> Why?  Please explain.  If a better solution could be found using a different OS, why would it have to be FreeBSD?


I need this device for Internet sharing and a captive portal and to control bandwidth, and I want to set time and date limits and set users in five levels of Internet use.


----------



## ralphbsz (May 1, 2019)

Sorry, your answer is about 5% of the information one would need to tell you whether (a) FreeBSD and (b) a Raspberry Pi is a suitable solution.

Actually, correction: If you have ~100 users, and you need to perform QoS (bandwidth control and limitation), authentication (so you can make them captive and apply time/date limits to them and group them into levels) and traffic filtering (for your five levels), then a RPi definitely doesn't have the compute power and IO bandwidth that is necessary.  If this were a 3Mbit/s DSL connection and all you need is simply routing with NAT (two ethernet ports), I think a RPi could do it.
As a matter of fact, your feature requirements are so rich that implementing it from scratch with just FreeBSD would be an enormous amount of work. Unless you have a team of experts available. The detail level of your answers suggests that there is not a team of experts available, and that you don't actually understand the gap between requirements and solution complexity.

My suggestion: the best solution will be to buy a pre-cooked solution. I hear very good things about Barracuda Networks, which sells "appliances" that do this type of job, and they also have consulting services to set up and long-term administer these things. This would probably be money well spent. Warning: The headquarters of Barracuda is relatively near my house (about 20 minutes by car), so the fact that I hear good things about them may be biased, and there may be other and better solutions that I don't hear so much about.


----------



## SirDice (May 1, 2019)

ralphbsz said:


> My suggestion: the best solution will be to buy a pre-cooked solution.


+1 on that.

I'm personally a big fan of Juniper (no I don't work for them, or live near them) routers and firewalls. They have a wide range of devices from small to medium to large and everything in between. So I'm sure you can find something that will fit the budget and cover most of your requirements. Interesting detail, JunOS is based on FreeBSD.

I would suggest buying a separate wireless AP. Preferably a SOHO or small enterprise model. The reason is that they usually come with management software that will allow you to easily add more APs if you need more coverage while allowing users to roam freely between APs without getting them disconnected.


----------



## Phishfry (May 1, 2019)

Ralph is right. Just the captive portal aspect is a large project. net/nocatsplash has been axed from ports so you are left with one or two solutions, net-mgmt/coovachilli.

What I would recommend is trying pfSense or OPNsense. They both offer captive portal with account management like you want.
Not sure about 5 levels of access control for the internet though. It is mostly a routing OS.
Think of it as a network appliance OS. It uses a web interface for configuration. Uses pf for firewalling.
I say 'it' because OPNsense is forked pfSense which was forked m0n0wall. It is good stuff. Based on FreeBSD.
Many people use shelf appliances but any case size will do. Even a big old tower.

You can do most of the tasks from FreeBSD proper if you don't mind Java for the CP. (coovachilli uses Java.)
Coming to terms with cheap hardware for serving a crowd is tough. At 100 users you are nearly at ISP level.
Are you planning on doing wired or wireless 100 customers?


----------



## mfaridi (May 1, 2019)

SirDice said:


> +1 on that.
> 
> I'm personally a big fan of Juniper (no I don't work for them, or live near them) routers and firewalls. They have a wide range of devices from small to medium to large and everything in between. So I'm sure you can find something that will fit the budget and cover most of your requirements. Interesting detail, JunOS is based on FreeBSD
> 
> I would suggest buying a separate wireless AP. Preferably a SOHO or small enterprise model. The reason is that they usually come with management software that will allow you to easily add more APs if you need more coverage while allowing users to roam freely between APs without getting them disconnected.


But I want to do everything by FreeBSD as Juniper. I want to understand which config can work better on Juniper and can not work on FreeBSD.
Juniper is great and I need their config and solution for making FreeBSD better and best performance.


----------



## mfaridi (May 1, 2019)

ralphbsz said:


> You have told us "100 users".  But you haven't told us anything else about the requirements.  What is the bandwidth you need to serve?  How much extra latency can you introduce?  What is the workload?  Occasional web browsing, a little bit of e-mail, or intense traffic, perhaps using cloud computing off-site?  Do you need to pass any interesting protocols (NFS, FTP, ...)?  Does it have to have VPN capability?  Or perhaps NAT?  What are the security needs?  How many internal networks do you need to route for (many sites have multiple networks)?  Does it need to serve wireless also (also function as an AP)?  Is user authentication required?  How about availability and reliability requirements?  Do you need guaranteed 5 (or 3 or 7) nines of uptime?  What is the financial penalty of an outage?  What other services do you want to serve?  You might want to use the same hardware also as a DNS, DHCP, NFS, Squid cache, E-mail, NFS, ... server.
> 
> 
> Why?  Please explain.  If a better solution could be found using a different OS, why would it have to be FreeBSD?


After 15 years working with Linux and FreeBSD, I understand FreeBSD is much more stable than Linux and performance is better than Linux.
But in my workplace, I want to use FreeBSD as the root router and base router in our network. Right now we use Mikrotik, and I want to change it to FreeBSD.


----------



## Phishfry (May 1, 2019)

Sounds like you will be using FreeBSD so here is some more info.
I was looking at Coovachilli and found this to be useful:




CoovaChilli captive portal (openwrt.org)
				




Does not handle payments or what OPN/pfSense calls vouchers.


----------

