# Modem/Router running FreeBSD or OpenBSD?



## Farhan Khan (May 20, 2018)

Are there any modem/router combination devices that run either FreeBSD or OpenBSD?
If not natively, I would be cool with flashing a device and running pfSense or whatever OpenBSD equivalent appliance exists.

My requirements are:

- Can do WiFi and Ethernet with at least 5 ports
- Allows for root console access or has a SUPER rich web interface
- Can run a Hurricane Electric IPv6 tunnel (uses IP protocol 41)
- Can run DHCPv6 and/or router advertisement (rtadvd)
- Can do OpenVPN as server and/or client
- Small form-factor: something designed for home use, not for a server rack

Options?
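Added example, not from the thread or any poster: a minimal FreeBSD configuration for the two IPv6 requirements above (a Hurricane Electric protocol-41 tunnel on gif0 and rtadvd on the LAN side) together with pf rules that only admit protocol 41 from the tunnel server. All addresses are constructed placeholders from the documentation ranges (HE shows you the real ones on the tunnel details page), and em0 (WAN) and em1 (LAN) are assumed interface names.

```conf
# /etc/rc.conf (added example; em0 = WAN and em1 = LAN are assumed names,
# all addresses are constructed placeholders from the documentation ranges)
gif_interfaces="gif0"
# your public IPv4 (or the address behind NAT), then HE's server IPv4
gifconfig_gif0="192.0.2.10 198.51.100.1"
# client end of the /64 HE assigns to the tunnel, pointed at the server end
ifconfig_gif0_ipv6="inet6 2001:db8:1::2 2001:db8:1::1 prefixlen 128"
ipv6_defaultrouter="2001:db8:1::1"
# forward between gif0 and the LAN, and announce the routed /64 on em1
ipv6_gateway_enable="YES"
ifconfig_em1_ipv6="inet6 2001:db8:2::1 prefixlen 64"
rtadvd_enable="YES"
rtadvd_interfaces="em1"
pf_enable="YES"

# /etc/rtadvd.conf: advertise the routed /64 so LAN hosts autoconfigure
em1:\
        :addr="2001:db8:2::":prefixlen#64:

# /etc/pf.conf (fragment): admit protocol 41 only from HE's server, let HE
# ping the IPv4 endpoint (it checks reachability before the tunnel comes up),
# and allow the ICMPv6 types that neighbour discovery and path MTU discovery need
ext_if = "em0"
lan_if = "em1"
he_v4  = "198.51.100.1"
block all
pass out on $ext_if
pass in on $ext_if inet proto icmp from $he_v4 to ($ext_if) icmp-type echoreq
pass in on $ext_if inet proto 41 from $he_v4 to ($ext_if)
pass out on gif0 inet6
pass in on gif0 inet6 proto icmp6 icmp6-type { echoreq, unreach, toobig, timex, paramprob, neighbrsol, neighbradv }
pass in on $lan_if
```

The point of the pf fragment is that an unfiltered gif tunnel is a second, unfiltered WAN: every host in the routed /64 becomes directly reachable from the internet, so inbound IPv6 on gif0 is limited to the ICMPv6 control traffic, and state created by outbound LAN traffic carries the replies back. Replace the rc.conf keys with the DHCPv6 server of your choice if you need stateful address assignment rather than SLAAC.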


----------



## drhowarddrfine (May 20, 2018)

Juniper Networks


----------



## Farhan Khan (May 20, 2018)

drhowarddrfine said:


> Juniper Networks


Which device specifically?


----------



## Phishfry (May 20, 2018)

I build my own FreeBSD routers. I can help.

Shelf units will cost you more for 5 ports plus the horsepower to push OpenVPN.
Many people on the pfSense forum shun the FreeBSD wireless Access Point, so for many clients you
might want to separate that task to a dedicated Access Point.
I use a FreeBSD Wireless Access Point for home and it gets around 7 Megabytes/sec at some 35 ft. away.
This is using an omni antenna and a carrier-grade wireless card. My hardware is an old Checkpoint U5.
I doubt it would do much speed with OpenVPN.

Most of the small form factor boxes have low-power CPUs which are not suitable for OpenVPN.
Some of the OpenVPN load will come from the number of users on the tunnel and the encryption algorithm used.
So size your CPU accordingly. I will link to some eBay SFF boxes later.
You have no-name China brands and then other real embedded brands from Advantech to Jetway.
You can browse the pfSense forum to see the problems with the no-name China box. No comment.

All the software stuff you ask is a given.


Farhan Khan said:


> SUPER rich web interface


Well except this. Would you call Webmin SUPER rich....


----------



## rigoletto@ (May 20, 2018)

Farhan Khan said:


> Which device specifically?



Anyone using JunOS. Basically, all of them.


----------



## drhowarddrfine (May 21, 2018)

Farhan Khan said:


> Which device specifically?


All of them.


----------



## Farhan Khan (May 22, 2018)

Phishfry said:


> I build my own FreeBSD routers. I can help.
> 
> Shelf units will cost you more for 5 ports plus the horsepower to push OpenVPN.
> Many people on the pfSense forum shun FreeBSD wireless Access Point, so for many clients you
> ...


I currently run OpenVPN on a Raspberry Pi 1 and it suits my purposes perfectly fine. I do not need performance; the most bandwidth-using tool will be VNC.

Why would they shun WiFi? That makes the product less attractive.


----------



## gpw928 (May 23, 2018)

Farhan Khan said:


> Are there any modem/router combination devices that run either FreeBSD or OpenBSD?
> If not natively, I would be cool with flashing a device and running pfSense or whatever OpenBSD equivalent appliance exists.



My immediate thought is the one mentioned in your own question, namely pfSense (or the still "free" fork, OPNsense).  

They both present as perimeter gateways, which I think I can infer from your post.

They both run on late versions of FreeBSD.  They do not require "flashing", just a normal install.  The GUI is adequate.  The functionality is enterprise class, limited only by the speed of the underlying hardware (and lack of things like custom network ASICs on the commercial top end gear).

pfSense lets you install standard FreeBSD packages (but you might want to remove them for maintenance/upgrade).  Not sure about OPNsense on that.

Although presenting as an appliance, both give you full access to the underlying FreeBSD system if you want it.

The forums are active, especially pfSense.  And you can pay for pfSense support if things get serious.

If you are worried about the box count or power bill, they also run as virtualised clients.  See, for example, the Proxmox group who seem keen on pfSense.  Though with five Ethernet NICs, I'm sure that you would want Intel VT-d or AMD-Vi (IOMMU) support on your motherboard and CPU if you go that way.


----------



## Farhan Khan (May 23, 2018)

My main question is about hardware.
ie, What specific hardware device do you recommend?


----------



## Phishfry (May 23, 2018)

Farhan Khan said:


> Why would they shun WiFi? That makes the product less attractive.


Well, if you benchmark LEDE versus FreeBSD you would see the wireless gap.
Many pfSense users are not purists and use whatever equipment is fastest.
FreeBSD doesn't have 802.11ac and that is just the half of it.
A commercial access point should beat either Linux or FreeBSD hostapd.

The lower wireless speed doesn't bother me, but some people just incessantly benchmark.
I take into consideration that I would rather run FreeBSD across all my boards.
Take the good with the bad.
Some people just whine about anything. Cellular modems are in the same boat.
The gap is even worse than wifi. PPP versus QMI is not a fight.
I understand why FreeBSD doesn't support a proprietary Qualcomm protocol.
I do wish there was something other than PPP (a single-threaded application).
That is what holds it back and where MPD5 steps in.
For a cellular modem you might need to add it as a USB device, internal or external.

I looked at the Junipers since no one quoted a model number. The cheapest looks to be around $375 for the SRX110 and that includes zero support. A support contract is required for that.
Then there is this tidbit: "Eight 10/100 Ethernet LAN ports". Yes, that means no gigabit ethernet.

I think a really good router box would be a Supermicro E300-8D. At $650+RAM they are expensive, but 35W and a very good benchmark on the D1518. Would serve up some speedy tunnels and you get dual 10G on top of 6 RJ45s.
Plus with a riser you could add more, and it has a MiniPCIe slot you could use for wifi.

I have trouble finding 6-port rigs for cheap. The Supermicro E200-9B has 4 ports but the N3700 benchmarks low. Not ideal for OpenVPN. For $375 it is a good deal.


----------



## SirDice (May 23, 2018)

Phishfry said:


> I looked at the Junipers since no one quoted a model number. The cheapest looks to be around $375 for the SRX110 and that includes zero support. A support contract is required for that.
> Then there is this tidbit: "Eight 10/100 Ethernet LAN ports". Yes, that means no gigabit ethernet.


I am really happy about the two SRX240s (active-passive) I installed for a client a few years ago. This particular model is now EoL, but definitely have a look at the SRX220 and SRX300. The 240s we have all have gigabit ports and are capable of 1.5Mbps throughput. More than enough for our 1Mbps uplink. Although none of these are meant to be used for the home; they're more an enterprise-grade branch office firewall.


----------



## rigoletto@ (May 23, 2018)

SirDice,

How does the Juniper advertised throughput relate to the actual one? I mean, Sophos (for instance) advertises some throughput, but with their appliance working with "everything ON" the throughput falls considerably. So, the advertised throughput is only real when very few/light features are in use.

Thanks!


----------



## Phishfry (May 23, 2018)

On the SRX220 they show some real numbers.
https://www.juniper.net/us/en/products-services/security/srx-series/srx220/

The thing that I find strange is price. They seem to be all over the place. One place an SRX110 costs $375, but on cdw.com it is $675. So I don't know if you need to watch for grey market Amazon sellers or what.

I do want to add that with the Juniper device you get UTM services too.
So that comes back to the service plan. To keep the UTM definitions fresh you probably have to have a service contract, right?

You do get a nice GUI with these devices (I would hope).
But is it worth ~$1200?

Then let's get to the black herring: EOL. Whenever Juniper wants they can say EOL.
Then your $1200 UTM router becomes obsolete (with notice of a respectable 2+ years).
Have you seen what they want for optical transceiver modules? $$$

Here is the cheap Chinese no-name router. These people and Quotum must be killing Jim down at Netgate.
It's hard to explain quality to people. I recommend you deal with a known company.


----------



## rigoletto@ (May 24, 2018)

Phishfry said:


> The thing that I find strange is price.



I've seen this kind of weirdness with products from other similar brands (and in totally different markets). Also, for instance, at some distributors you sometimes find Ruckus wireless stuff for the price of Ubiquiti for some time (when they really want to push).

I do not know how the IT market works, but often in other markets the retailers buy products from the maker at 40% off the street price (the actual price the product is expected to be sold at, not the list price). Big retailers/distributors sometimes manage to acquire products at up to 70% off the street price.

The general rule says retailers get a lot more money per piece than the maker.

So, if one buys stuff B2B FOB he/she pays considerably less for the product, but with the cost of managing all the import operation, which actually is quite cheap for small things, but can be a headache for people who are not somehow connected to the foreign trade market, or maritime affairs etc.

Also, minimum quantities may be enforced and so there may be a need for a reasonable investment followed by some work to sell the extra stuff.


----------



## Phishfry (May 24, 2018)

I am curious to hear from SirDice as to whether you can still use the EOL Juniper device.
Wondering if you do have to pay for a service contract for the UTM updates.
Maybe UTM is free, separate from support contracts.
I guess you can still use an EOL device; you might just have to use it behind something newer or just forgo the UTM features?
Firewall should still work on EOL, right?

Back to the market: on Amazon I see no chance to buy the service contract.
I noticed with cdw.com you can add the service plan at purchase for 1 year, so no hidden costs.


----------



## rigoletto@ (May 24, 2018)

IDK about Juniper and the UTM feature prices in particular, but I have an old Ubiquiti device, EOL for several years (more than 5), and it still receives firmware updates often.

They use the same system on all devices, and so it is easy to maintain several EOL devices. I hope Juniper does the same with JunOS.


----------



## SirDice (May 24, 2018)

We don't use the UTM functionality of the SRX240s. They're only used for their firewalling capabilities (and I recently added two IPSec tunnels to AWS on them). I'm personally not a big fan of IPS as there's always a risk of false positives and false negatives. So we don't rely on it and make sure the web applications themselves are properly protected. 

Never got them with a support contract. Just bought them, hired a guy to help set them up initially (setting up the clustering was something I'd never done before). And that's the only money we spent on them. They're still running, even though the device itself is now EoL.


----------



## Max212 (May 24, 2018)

SRX 200 series are EoL but are still supported until 2019-2021, depending on the model.
UTM usually is Antivirus, Antispam and Content filtering. On Juniper equipment most of it requires a license.
As for IPS, it requires a license of its own.

As long as the hardware is working fine and there are no weird vulnerabilities it is fine.

I know of one case where researchers found a big security hole in old SSG (Juniper) firewalls and Juniper released the patch even though the SSGs had long been EOL and out of support.

P.S.
500,000 infected consumer routers:
Targeted devices:

- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN

More info on:
https://arstechnica.com/information...umer-routers-all-over-the-world-with-malware/


----------



## Phishfry (May 24, 2018)

This whole topic has been timely for me as I am upgrading my network.
So I bought a Lanner FW7582A off eBay for $110, upgraded it, and was planning on using it for a Xen learning box.

This conversation helped seal my network plans. I bought two more of the Lanners and I am putting 10G interface cards in each.
I thought about running Untangle on the Lanner behind pfSense.
Anybody out there using it?


----------



## Farhan Khan (May 25, 2018)

This conversation went in a different direction than I had originally intended.
A lot (all?) of the devices here are enterprise-grade or small-office grade. To put things into perspective, my current Hurricane Electric tunnel device is a Raspberry Pi 1 and it's worked perfectly fine for years.
I was asking for something more for a home user. I would be cool with something high-end if it's EoL and therefore significantly cheaper.


----------



## Phishfry (May 25, 2018)

Yes I know, I tried to steer it. As I said, shelf units with 6 ports are pretty costly unless you want Chinese no-name.
You want a model #?

This is the best deal I can find you: definitely EOL but a solid CPU. The C2358 is good for this task. Not really powerful though.
https://www.ebay.com/itm/253623009210?
Lanner FW-7525
I don't see details on whether the MiniPCIe slot is USB only for a Cellular Modem or MiniPCIe for Wifi.

Your title says modem, what are you referencing?


----------



## Farhan Khan (May 25, 2018)

I could go less than 6 ports, that was just me throwing a number out there. I'm fine with Chinese no-name as long as it can get a legit firewall/router on it like pfSense or even stock FreeBSD/OpenBSD that I can tinker with.


----------



## Phishfry (May 25, 2018)

The Quotums (China brand) have some complainers on pfSense because the buyers didn't read the description.

The boxes use a MiniPCIe slot that uses only USB signaling. So some people think they can stick an Atheros module in it for wifi, but the Atheros modules work in MiniPCIe mode, not MiniPCIe with USB signaling.

So Quotum stuck an oddball MiniPCIe USB Wireless module in their boxes ordered with wifi.
It is an internal version of the RaLink USB module and only works so-so in my opinion.
So everybody is complaining about the crappy wifi.
The slot is really made for a MiniPCIe Cellular modem and there is a SIM slot right next to it.
The problem is there are no "half card" MiniPCIe cellular modems anymore. The last were Ericsson 3G modules.
So it is a bit of a hot mess. A slot for modems that don't exist.
Who knows what kind of reliability you get.
Granted, a Lanner on eBay carries the same warranty as a no-name Chinese model. Meaning good luck.
With the Lanner you at least have a reputable manufacturer with prior quality goods.

Looking at the Lanner FW7525 manual, it uses MiniPCIe for USB modules only. So internal cellular modems. No Wifi.
It uses a full-length slot.


----------



## Phishfry (May 25, 2018)

That Lanner FW7525 uses the C2358 and I thought it was better performing. This score is less than an APU2.
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+C2358+@+1.74GHz
That is pathetic, and 4 of the ethernet ports use a Marvell bridge chip. Not sure I like that either.
So this was not a great recommendation.
How about the APU2? For ~$150 it is a nice rig. Only 3 LANs.
Headless, serial console only.


----------



## rigoletto@ (May 25, 2018)

You can run FreeBSD on some Ubiquiti routers, also a Mikrotik one. See HERE.


----------



## Sebastian (May 25, 2018)

lebarondemerde said:


> You can run FreeBSD on some Ubiquiti routers, also a Mikrotik one. See HERE.



You're right, but you will lose your hw acceleration.


----------



## PacketMan (May 25, 2018)

Phishfry said:


> The thing that I find strange is price. They seem to be all over the place.





lebarondemerde said:


> I do not know how the IT market works, but often in other markets the retailers buy products from the maker at 40% off the street price (the actual price the product is expected to be sold at, not the list price). Big retailers/distributors sometimes manage to acquire products at up to 70% off the street price.



I'm late to the discussion, but here goes.  For the above two comments, the big vendors offer pricing discounts based on volume.  So some sellers can offer significantly lower pricing because they get significantly higher discounts.




Phishfry said:


> I am curious to hear from SirDice as to whether you can still use the EOL Juniper device.



I'm hurt that you would not ask for me, a networking guy, to chime in. hehe
Vendors like Juniper typically don't declare a product EoL. Instead they declare End of Sale, and End of Support. After End of Sale you can still buy support. After End of Support you cannot buy support for it. But the Juniper devices are solid. They can run years after. But the important thing to ask yourself is what happens if my EoS router dies at 2:00am and I have no spare. So always evaluate your real requirements, ask yourself what is the problem you are trying to fix, and buy the appropriate amount of support and/or sparing.




Farhan Khan said:


> My requirements are:
> 
> - Can do WiFi and Ethernet with at least 5 ports
> - Allows for root console access or has a SUPER rich web interface
> ...





Farhan Khan said:


> I was asking for something more for a home user. I would be cool with something high-end if its EoL and therefore significantly cheaper.



So it would seem you have two choices. (1) Build your own machine using hardware verified to work with FreeBSD. (2) Or buy a Juniper device that is cheap because it is end of life.

I think the Juniper SRX300 is a slick little device, but it does not do WiFi.


----------

