Picking a home router

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
I know I did OpenVPN speed testing with the APU2C4 before I sold it, but I just can't find the data.

Here is the comparative OpenSSL benchmark testing between the APU2C4 and the i3-7100 though.

First the PcEngines APU2C4:

Code:
[2.3.1-RELEASE][root@pfSense.localdomain]/root: openssl speed -elapsed -evp aes-128-ecb
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ecb for 3s on 16 size blocks: 23413097 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 18438085 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 7473361 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 2115520 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 8192 size blocks: 279464 aes-128-ecb's in 3.00s
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb     124869.85k   393345.81k   637726.81k   720221.92k   763123.03k

Now the i3-7100:

Code:
[2.3.3-RELEASE][admin@router.localdomain]/var/log: openssl speed -elapsed -evp aes-128-ecb
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-ecb for 3s on 16 size blocks: 242729953 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 207367303 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 256 size blocks: 69510589 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 17831161 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 2219499 aes-128-ecb's in 3.00s
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb    1294559.75k  4412345.31k  5931570.26k  6086369.62k  6060711.94k

Looks like an average of about an order of magnitude improvement across the board. I should note that by the time I ran the second test, the router was already up and I didn't want to take it down, so the i3-7100 results aren't necessarily reflective of a dedicated test. There may be other traffic in the background.
Probably not a bad idea for me to start pricing out my upgrade hardware :D
I'm guessing it's not going to fit a regular pcie NIC
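
Added example (not part of the original post): a small Python parser for the two `openssl speed` outputs quoted above. It recomputes throughput from the raw "Doing ..." counts, checks it against the summary table, and works out the per-block-size speedup behind the "order of magnitude" estimate. The function names are illustrative; the benchmark lines are copied from the post.

```python
import re

# Lines copied from the two benchmark runs quoted in the post above.
APU2C4 = """\
Doing aes-128-ecb for 3s on 16 size blocks: 23413097 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 18438085 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 7473361 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 2115520 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 8192 size blocks: 279464 aes-128-ecb's in 3.00s
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb     124869.85k   393345.81k   637726.81k   720221.92k   763123.03k
"""
I3_7100 = """\
Doing aes-128-ecb for 3s on 16 size blocks: 242729953 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 207367303 aes-128-ecb's in 3.01s
Doing aes-128-ecb for 3s on 256 size blocks: 69510589 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 17831161 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 2219499 aes-128-ecb's in 3.00s
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb    1294559.75k  4412345.31k  5931570.26k  6086369.62k  6060711.94k
"""

DOING = re.compile(r"^Doing \S+ for \d+s on (\d+) size blocks: (\d+) .* in ([\d.]+)s$")


def parse_speed(text):
    """Return (raw, summary): kB/s per block size from the 'Doing' lines and the table."""
    raw, summary = {}, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = DOING.match(line.strip())
        if m:
            size, count, secs = int(m[1]), int(m[2]), float(m[3])
            raw[size] = size * count / secs / 1000.0  # "1000s of bytes per second"
        elif line.startswith("type") and i + 1 < len(lines):
            sizes = [int(s) for s in re.findall(r"(\d+) bytes", line)]
            values = [float(v) for v in re.findall(r"([\d.]+)k", lines[i + 1])]
            if len(sizes) != len(values):
                raise ValueError("summary header and data row do not line up")
            summary = dict(zip(sizes, values))
    if not summary:
        raise ValueError("no summary table found")
    return raw, summary


def max_drift(raw, summary):
    """Largest relative gap between recomputed and reported throughput.
    Non-zero because the printed elapsed time is rounded to 0.01s."""
    return max(abs(raw[s] - summary[s]) / summary[s] for s in summary)


def speedup(slow, fast):
    """Ratio fast/slow for every block size present in both summaries."""
    return {s: fast[s] / slow[s] for s in sorted(slow) if s in fast}


if __name__ == "__main__":
    apu_raw, apu = parse_speed(APU2C4)
    i3_raw, i3 = parse_speed(I3_7100)
    ratios = speedup(apu, i3)
    for size, r in ratios.items():
        print(f"{size:>5} bytes: {r:5.2f}x")
    print(f"mean speedup: {sum(ratios.values()) / len(ratios):.2f}x")
    print(f"max table drift: {max(max_drift(apu_raw, apu), max_drift(i3_raw, i3)):.4%}")
```

`openssl speed -evp aes-128-ecb` measures the bare cipher in a single process; OpenVPN adds a cipher mode, HMAC and per-packet overhead, so these figures are an upper bound on tunnel throughput rather than a prediction of it.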
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,678
I'm there with you. Hadn't even thought about one of those. No issues so far?

None at all.

The standard Amp Mate N Lok (often erroneously called 4pin Molex) plug can handle 11A per cable if per spec cables are used. In the 4 pin power configuration we are only using the 12v+ and ground wires, so it should be able to pull all of this, so 132w. Older molex adapters may be designed for old power supplies and have wires designed for 5a though, so this makes it 60W.

Since the 60w PSU cannot provide more than 60w except for short spikes, I think we are safe.

In other applications I'd be careful. 4 pin P4 power connectors are designed for 8 amps per 12v/ground pair, so 16 amps total. Draw 16 amps over a single 12 wire in a standard molex 4 pin connector and you might be melting stuff in a hurry.

The problem only gets worse with 8 pin EPS and PCIe power adapters, but in this limited application, that cable is never going to see more than 5A, and probably nowhere even near that due to the 60w being spread over not just this connector, but the main motherboard connector as well.

So here it is safe.

One thing to keep in mind when using extenders and adapters is that they are often made in China and other low cost countries where corners are often cut.

This is what happened to my desktop recently when I used an 8 pin EPS extension that turned out to have counterfeit wires in it. They were labeled 18AWG on the insulation, but the conducting strands inside were only 22AWG. (AWG gets smaller as the number goes up)
 

Shikami

Gawd
Joined
Apr 5, 2010
Messages
721
So last question ... Maybe :)

Should I go with the APU2? Or should I look for a good cheap mobo/cpu/ram combo in the classifieds? I'm looking at $200 for the APU setup. I'd happily spend that or a bit more for a stronger setup with a VGA port if it were worthwhile, but I can't get a good feel for what the pros/cons would be from my research.

Let's say I go with some desktop hardware, what should I be looking for in an ideal architecture?

I will have some time...maybe at work, or later this weekend (better) to talk a bit about this. But to start off what is your budget?
 

compgeek89

Limp Gawd
Joined
Nov 30, 2018
Messages
150
I will have some time...maybe at work, or later this weekend (better) to talk a bit about this. But to start off what is your budget?
As with anything, budget is just a function of value. I don't have a hard budget. $50 is great, but you get what you pay for. I'd like to try to find stuff used, but I'd be willing to spend a few hundred or more for a more flexible capability. Also, I am not overly partial to a minimal form factor, I'd be fine using a tower. I'd prefer low power consumption, but physical size isn't really a factor. All of that said, I'm not really interested in spending north of $500 in used parts because I don't think I have any foreseeable need for that much capability.

Really appreciate the discussion in this thread so far, has been very enlightening.
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,712
Joined
Mar 4, 2019
Messages
44
I am incredibly intrigued by the idea of a DIY router. Where could I get more info on this?
Another thing to do is grab an older PC (think Pentium or P2 class) with a couple Gigabit NICs and install IPCop on that and connect to the switch of your choice along with WAPs and you've got a similar thing. I used a setup like this a long time ago and it worked great.
 

Shikami

Gawd
Joined
Apr 5, 2010
Messages
721
I feel that building can give you the most freedom of choice for hardware support. You can easily add, migrate, virtualize into a router and NAS, etc. Key attributes I was looking for was *Umph* back in 2015 for my pfSense build. The ASRock QC5000-ITX/PH I felt was the best choice at the time for me. One simple reason was the very fact that I wanted fan-less and it was quad cores. I wanted no fans at all even with the PSU....no noise. I was looking for low wattage, platinum rated PSU, and this seemed to be the best compromise of cost and power usage. I wanted the PCIe to be integrated with at least a 4X support for a NIC. Nothing bridged externally to any logics that can cause a bottleneck.

Now, personally what is good about AMD in this regard is the fact that you get every bit of support in instructions (AES, AVX, BMI) virtualization, etc. Again the integrated graphics is just a cherry on top. Enough graphics power for an OS, pfSense, whatever; and also due to the supporting connection types (VGA, DVI, HDMI, DP.) The only negative really is memory support was 64bits instead of 128bits. Network is very memory from DRAM to cache, it is important. Losing a little bandwidth at that time was not much an issue. The supported frequency of the ram is more important, and this gave a good amount of bandwidth necessary.


So, this is what I ended up getting:

ASRock QC5000-ITX/PH AMD FT3 Kabini A4-5000 Quad-Core APU SOC Mini ITX Motherboard/CPU Combo 59.99

COOLER MASTER Elite 110 RC-110-KKN2 Midnight Black Steel / Plastic Mini-ITX Tower 39.99

Intel Ethernet Server Adapter I350-T2 - OEM 129.99

Ballistix Sport 8GB 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800) Desktop Memory Model BLS8G3D1609DS1S00 38.99

Kingston SSDNow V300 Series 2.5" 120GB SATA III Internal Solid State Drive (SSD) SV300S37A/120G 54.99

SeaSonic Platinum Series SS-400FL2 Active PFC F3 400W ATX12V Fanless 80 PLUS Platinum Certified Modular Active PFC Power Supply 109.99

Total: 433.94 (there was a rebate in there some where but basically the cost)




I can easily take out the motherboard and RAM and place the next architecture of what I want the router to be. Many are doing Ryzen APU builds and they are nice. Personally, I have been wanting an embedded Ryzen similar to what I have; again this is due to the nickel and dime bullshit of Intel with the lower end processors. When you consider the Amazon build they are all right and may very well serve your networking needs, but I think they are very limiting and over a long period of time it may be costing more than expected.

This router has been running non-stop for 4 years and never-ever had an issue. Once you use pfSense as a router, you will be like that is a good difference when comparing to some RISC offloaded networking SOHO router.


Hmn...image links are not working so I will post the address:

https://imgur.com/a/ED5AR8O



 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,369
Might be too late but this is the system I got. I shopped around and sure you could build a cheap Celeron system, but then factoring power usage the APU2 was worth it in the end for me.



Invoice w75948    Date: 12.11.2018

Qty  Part#        Description                              Price    Ext      HTS code   Origin  Weight
1    apu2d4       APU.2D4 system board 4GB                 123.00   123.00   8471.5000  TW      237g
1    case1d2redu  Enclosure 3 LAN, red, USB                9.40     9.40     8473.3000  CN      251g
1    ac12vus2     AC adapter 12V US plug for IT equipment  4.10     4.10     8504.4000  KH      139g
1    msata16g     SSD M-Sata 16GB MLC Phison               14.50    14.50    8523.5100  TW      7g
1    usbcom1a     Adapter USB to DB9F with USB cable       7.50     7.50     8473.3000  CN      70g
5                 Shipping + Handling                               27.00                       704g

Subtotal  USD 185.50
0% VAT    USD 0.00
Total     USD 185.50
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,369
Another thing to do is grab an older PC (think Pentium or P2 class) with a couple Gigabit NICs and install IPCop on that and connect to the switch of your choice along with WAPs and you've got a similar thing. I used a setup like this a long time ago and it worked great.
Newer firewalls now though need new encryption, so P2's are just long in the tooth!
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
The APU series are cool small embedded devices. I used to use the APU2C4 for my router. It was great if you didn't want to run OpenVPN on it. The CPU just couldn't keep up with that. Compared to a custom built box, you also lose flexibility to change things should the need arise. The price is great though, the form factor small, and it uses very little power compared to a desktop (which is great for a 24/7 device). If you do get one, make sure you get the model with Intel NIC's

Biggest nuisance about them - IMHO - is the fact that while they are called "APU" they are NOT an APU like we usually use the term. The box has no graphics on board at all. You have to install your OS using telnet via a serial cable, and this can be a pain in the ass, especially since most modern computers lack serial ports, and the first couple of USB to serial adapters I tried, didn't work properly with the device.

It's a neat concept, but I think I would lean towards mini-ITX hardware instead. Unless you want to try to push OpenVPN, you really don't need much of a CPU. Even used hardware could be a good place to get a deal. Try to find Mini-ITX boards with dual Intel NIC's like the Asrock one I mentioned above, and then plop the cheapest compatible CPU you can find in it. Celerons will do just fine. I also really like the PicoPSU's and M350 MiniITX enclosures from mini-box.com. With those my i3-7100 router idles at ~6-7W at the wall according to my Kill-A-Watt. You need much less power than you think. The lowest end 60W PicoPSU is Prime95 stable at stock clocks on my i3-7100. Only downside is that it doesn't have the 4 pin power connector, so I used a molex adapter for that.
All great points. And, an overall good recommendation. I will note that the box you have in the picture only has 1 ethernet port, which is a huge disadvantage. The APU2 comes with 3. Much more flexibility there. Ultimately, it's about what your goal is. I run OpenVPN on mine without issue. And, it pushes a lot of bandwidth (20+ GB in about an 8 hour period when it's used) and the rest of my services are unaffected. I'm guessing the people complaining about OpenVPN on the APU2 are people with a 1gbps connection and are expecting to get that when they try to download a file over the VPN from another connection? I've successfully streamed 4K over OpenVPN, so I'm not really sure what use case the APU2 OpenVPN application fails in. I'm genuinely curious!
Yeah, I will say limiting yourself to one ethernet port can be a hassle. You could get a USB->ethernet adapter, but that would cost you some speed. I am not a fan of limiting yourself to just the VPN. I prefer a solution that sifts traffic and moves certain traffic through the VPN and other traffic normally. For that, I find sometimes these minipcs just don't have enough power to handle it. I have used quite a few, including one very similar to the one you list here. We used the same enclosure, but had an option of 5 Ethernet ports for ours. I did a lot of very specific firewall rules including separate VPN connections. The system often had a hard time keeping up, especially with some of the traffic filtering we were doing. Our original box was using an atom processor, we upgraded to a mobile processor, but even it had trouble. Often there is some advantage for purpose built networking devices when you start really adding a lot of filtering/switching/routing complexity.

All that said, one of these boxes with a decent mobile processor and multiple 1GB ethernet ports could probably handle most people's needs. Some things I found helped as I was adding more complexity is using an SSD and/or creating a RAM drive to use for helping process traffic. Something for people to think about that are doing a lot of processing/analyzing traffic.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,678
Yeah, I will say limiting yourself to one ethernet port can be a hassle. You could get a USB->ethernet adapter, but that would cost you some speed. I am not a fan of limiting yourself to just the VPN. I prefer a solution that sifts traffic and moves certain traffic through the VPN and other traffic normally. For that, I find sometimes these minipcs just don't have enough power to handle it. I have used quite a few, including one very similar to the one you list here. We used the same enclosure, but had an option of 5 Ethernet ports for ours. I did a lot of very specific firewall rules including separate VPN connections. The system often had a hard time keeping up, especially with some of the traffic filtering we were doing. Our original box was using an atom processor, we upgraded to a mobile processor, but even it had trouble. Often there is some advantage for purpose built networking devices when you start really adding a lot of filtering/switching/routing complexity.

All that said, one of these boxes with a decent mobile processor and multiple 1GB ethernet ports could probably handle most people's needs. Some things I found helped as I was adding more complexity is using an SSD and/or creating a RAM drive to use for helping process traffic. Something for people to think about that are doing a lot of processing/analyzing traffic.

As I mentioned earlier, (both in my original post, and as a reply to FNTastic's reply) that was just a sample image of the case I found on google image search. In my build I used an Asrock Mini-ITX board that has two Intel NIC's.

That said, if you have a managed switch that supports VLAN's and don't need more than a total of 1000Mbit between up and downstream, you could set it up to use your switch to tag the WAN with one VLAN and the LAN with another. You'd just wind up using one additional port on the switch. This feels like kind of a hack to me though. I'd probably only try it if I were in some sort of pinch.
 

compgeek89

Limp Gawd
Joined
Nov 30, 2018
Messages
150
I am loving this discussion. I actually decided I needed to learn more so I got an Edgerouter X for $40 on ebay to fill the gap while I continue to plan this. So I continue to welcome inputs and experiences.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,678
I am loving this discussion. I actually decided I needed to learn more so I got an Edgerouter X for $40 on ebay to fill the gap while I continue to plan this. So I continue to welcome inputs and experiences.

I love Ubiquiti's products. I currently have two of their Unifi AP AC-LR's.

I briefly had one of their Edgerouter POE 5. It was a nice little unit with a great user interface. In the end I decided to return it though, because it just wasn't fast enough to keep up with QoS on my 150/150 connection at the time.

I don't know how it compares to the Edgerouter X in capability though.
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,712
The ER-X should be able to do 150/150, though I'm not sure how much more. My ER-4 can handle 400Mbit QoS maybe?

You want more, well, pay up- even Ubiquiti's super-expensive Edgerouter Infinity is still just a toy, relatively speaking. A nice one, but not comparable to what could be built on an equal budget.
 

Ocellaris

Ginger @le, an alcoholic's best friend.
Joined
Jan 1, 2008
Messages
18,884
The ER-X should be able to do 150/150, though I'm not sure how much more. My ER-4 can handle 400Mbit QoS maybe?

You want more, well, pay up- even Ubiquiti's super-expensive Edgerouter Infinity is still just a toy, relatively speaking. A nice one, but not comparable to what could be built on an equal budget.
ER-X can do about 225 mbps total with QoS for me. I’m waiting on an ER-4 on sale to handle my 400 mbps connection now, it’s a lot more powerful than the ER-X.


For now I’m just using QoS for upstream.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,369
I do agree. Problem is, at least with IPCop, it has...or at least had...issues with the PCI-e interface. This makes working with older hardware easier.
Sadly cause IPCop is just not what it used to be back in the day when it was one of the go to along with m00nwall. I mean if all you want is a simple firewall, but it has not had a stable release in almost 4 years....are they even patching it any more? if not sure it is full of security holes.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,678
ER-X can do about 225 mbps total with QoS for me. I’m waiting on an ER-4 on sale to handle my 400 mbps connection now, it’s a lot more powerful than the ER-X.


For now I’m just using QoS for upstream.
QoS used to be a big deal for me, but ever since I got gigabit internet, the bottleneck is almost always on the other end. Since I never wind up being locally congested, I simply don't need it, and have disabled it for now.

What drove my desire for a more powerful router in a strong pfSense build was to use OpenVPN on the router, and have my entire network connect to the outside world via VPN.
 

Shikami

Gawd
Joined
Apr 5, 2010
Messages
721
QoS is a kludge-it was never a fix. A lot of internet connectivity is asymmetrical and the secondary exacerbated part of the issue; the root issue is bandwidth. When you do not have enough bandwidth for multiple hosts you will start to have issues with latency and what bandwidth that the hosts can utilize. This is intrinsic to networking (q.v. TCP ACK's). QoS, can also add latency to the issue due to the processing of the packets and the buffering to place priority to the packets; it is not FIFO. Although, this [ the packet QoS processing ] has been resolved a bit, or completely. One major issue of many of the RISC SOHO routers is that there is an accelerator/offloading packet processor which will usually be disabled when QoS is enabled. This is why your 1Gb/s SOHO goes to ~200Mb/s-400Mb/s. The RISC processors and memory installed are too weak for networking. There is a golden rule of networking: For every bit transferred you need 1Hz; meaning that 1Gb needed 1GHz. The fact that packets cannot be processed in a vector method has been an issue that is slowly being resolved with: https://fd.io/ which pfSense has now released support https://www.netgate.com/press-releases/tnsr-buisiness-press-release.html (but business only).

When you go pfSense you do get a bit more punch for packet processing and you can notice differences. Using QoS and such can be less limiting too.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
30,678
QoS is a kludge-it was never a fix. A lot of internet connectivity is asymmetrical and the secondary exacerbated part of the issue; the root issue is bandwidth. When you do not have enough bandwidth for multiple hosts you will start to have issues with latency and what bandwidth that the hosts can utilize. This is intrinsic to networking (q.v. TCP ACK's). QoS, can also add latency to the issue due to the processing of the packets and the buffering to place priority to the packets; it is not FIFO. Although, this [ the packet QoS processing ] has been resolved a bit, or completely. One major issue of many of the RISC SOHO routers is that there is an accelerator/offloading packet processor which will usually be disabled when QoS is enabled. This is why your 1Gb/s SOHO goes to ~200Mb/s-400Mb/s. The RISC processors and memory installed are too weak for networking. There is a golden rule of networking: For every bit transferred you need 1Hz; meaning that 1Gb needed 1GHz. The fact that packets cannot be processed in a vector method has been an issue that is slowly being resolved with: https://fd.io/ which pfSense has now released support https://www.netgate.com/press-releases/tnsr-buisiness-press-release.html (but business only).

When you go pfSense you do get a bit more punch for packet processing and you can notice differences. Using QoS and such can be less limiting too.

Spot on. I used to use QoS but once I upgraded to FiOS Gigabit, I found that I am almost always remotely limited anyway, so QoS doesn't really have any benefit.
 