# Screened subnet (triple-home)

## depontius

This is only marginally related to Gentoo, though I do plan to run Gentoo on the machine.

I wish to revamp my network architecture at home.  When it's done, I wish to have my cable modem and an appliance router behind that.  Behind the appliance will be a DMZ, then the new router/firewall behind that.  Behind the new router/firewall I want two subnets, one that corresponds to my current private LAN, and another subnet for commercial networked hardware.  I'll probably wind up with two wifi networks as well, one on my private LAN and one on the commercial LAN.

I am looking at suggestions for hardware for this new router/firewall.  I've had very little luck finding dual-ethernet Raspberry-Pi-like hardware without one ethernet, possibly both, being USB-connected.  I suspect one USB-connected ethernet could be OK, though I'm less than comfortable with it, and even less comfortable with two USB-connected ethernets.  I'd also rather not have a big power-hungry PC for this.

Right now I have two commercial gizmos in the house which can be networked, but I'm not because I don't trust them on my private LAN, possibly not on my DMZ, either.  I have a few pieces of commercial gear that are on my private LAN that I might also want to move off of it.

This doesn't seem to be a common problem, though personally I think it should be.  Others might find this discussion valuable for themselves.

----------

## NeddySeagoon

depontius,

I run an HP Gen 7 microserver with a quad NIC, which gives me 5 1Gbit network ports in total.

The box runs an assortment of KVMs, including my router.

I have a total of 4 networks:

- The big bad internet
- Wireless
- Wired
- DMZ

Wireless drives a LAPC1200 wireless AP, which can do all sorts of black magic with VLANs.

Is VLAN separation good enough, or do you want physical separation? 

This box is also my media server. With 5 HDDs, it draws about 60W.

In the UK at least, HP microservers usually have cashback offers that make them good buys.

You should be nervous of networking on USB if you need more than 100Mbit.

It's all IPv4/IPv6 dual stack too.

----------

## jamapii

I'm running a pcengines alix (3 NIC 100 mbit, obsolete) and may switch to an apu2 board (Gbit instead). Price should be well below 200 USD.

The alix is now quite a bottleneck with openvpn. apu2 should be much better but I have no data.

I have also looked at Mikrotik Routerboards. They provide performance data for their own Linux based commercial OS. There are a few products with different extra features. They are MIPS based and have openwrt support I think.

----------

## Ant P.

I'm in the same boat - some stuff I just won't connect to my LAN because I don't trust them. I'm thinking of setting up a separate wifi LAN with no access or routes except to other LAN ranges. Does that sound reasonable?

----------

## NeddySeagoon

The only things I have on wifi are android devices.

I don't trust them, and they can't get to my wired LAN so that works.

I do see traffic from wifi trying to phone home and being dropped in my firewall logs.  Everything still works, so I have to wonder what this attempted phoning home is all about.

Wifi is not secure anyway.  If you need secure wifi you must run your own encryption over the wifi link.

----------

## depontius

*jamapii wrote:*

> I'm running a pcengines alix (3 NIC 100 mbit, obsolete) and may switch to an apu2 board (Gbit instead). Price should be well below 200 USD.
> 
> The alix is now quite a bottleneck with openvpn. apu2 should be much better but I have no data.
> 
> I have also looked at Mikrotik Routerboards. They provide performance data for their own Linux based commercial OS. There are a few products with different extra features. They are MIPS based and have openwrt support I think.

Without considering speed, the apu2c4 looks really sweet, and not nearly as expensive as I feared.  This bears further study, thanks.

----------

## depontius

One more thing I just realized about the apu2c4.  This is a Jaguar from AMD, and it's the amd64 instruction set.

I can set one of my systems as a generic x86_64 instruction set and use it as a binhost, no cross-compiling needed.  This is starting to look really good.

----------

## 1clue

Put all the stealth-network-enabled devices in with the wifi group.  This includes TV/BluRay/whatever entertainment devices, baby monitors, etc.  MAYBE not your security system if you know the manufacturer to be trustworthy. As in, you did it yourself using Linux.

Turn on all your home devices and look at the router's LAN map. We have 3 people in the home who use Internet. We have 34 active devices right now. Do you know where your TV was made?  Do you know that it doesn't run malware injected straight from the factory, or something an outsider exploited?

Your trusted network should only have hardware and software that you actually trust.

----------

## 1clue

Just as a side comment, Intel's c3000 series atom processors would be spectacular for a project like this. And SuperMicro has lots of boards with those processors, supporting strong networking and disk storage.  For example, the c3958 board with 1x gigabit ipmi interface and 4x intel 10/2.5g/1 gbps lans. And some of the boards support 12 built-in sata3 ports as well as pcie m.2 disks.

I built a box based on the c2758 with 7 lans, and it's fantastic. There's a c2000 flaw that bricks the devices though, so I'd definitely get the c3000 instead. The c3000 series also supports vt-d which the c2000 series does not.

I'm not affiliated with SuperMicro or Intel, only a happy customer.

If you're interested in running a small KVM host then these are the perfect deal. There are commercial products using the c2000 line in exactly that way. https://antsle.com/product/antsle-one-pro/?key1&dynamic1&key2=dynamic2&key3=dynamic3 for example. The c3000 line would be spectacular that way.

Interesting bits for my c2758 system:

- 8 cores, 16 GiB RAM Gentoo box (can go to 64 GiB with ECC RAM)
- 7 Intel gigabit NICs
- Has QuickAssist technology (anything with c??58 has QuickAssist)
- For normal tasks like compiling it's about half the speed of a 1st-gen i7 920 system I also have.
- For encryption/compression it's faster than my i7.

I have benchmarked an encrypted and compressed stream at about 2.4 gbps, not using disk or actual network. I didn't use actual network because I don't have enough hardware to get anywhere near that load.

The one thing I'm really bent about on this system is it does not support vt-d so I can't donate a NIC to a VM in a satisfactory way. The c3000s have fixed that.

Edit: One networking test I have done is hook 3 ethernet cables between the router box and my i7. The i7 has bargain basement realtek hardware, and I think I was beating against limitations on that. The load on the c2758 box seemed low.

----------

## depontius

Once this is set up and running, pretty much any commercially-loaded stuff will be on the new subnet.  Stuff on my DMZ and private LAN will mostly be Gentoo that I admin.  I currently let my phones onto my LAN, but I load LineageOS on those myself.  Right now my WRT54G is running Netgear firmware, and since it's not a WRT54GL I'm not sure if it has enough RAM for modern DD-WRT.  I'm likely at least two months away from implementation, so there is planning time.

----------

## 1clue

Some quick questions:

1. What is your Internet bandwidth, down and up?
2. What do you expect your bandwidth to be in a few years?
3. What sort of firewall setup do you intend?
4. VPN?
5. Firewall rules between your trusted network and the rest?

Here's the thing:  A device in the class of a Raspberry Pi makes a really bad router. Speaking as someone who uses several Pis in his work, they are the worst choice for router duty.  They're fantastic for other things, just not NAS and not routers.

Your ultimate usable speed for clients on the network heavily depends on the latency of the hardware between you and the Internet. Each step adds latency, and each physical device adds latency.

If you have 20 mbps or better Internet speed, then I extremely strongly recommend that you stop looking at Raspberry Pi or anything even close to that.

If you NEED to be up and running on the Internet, then I extremely strongly recommend that you stop looking at Raspberry Pi or anything even close to that.

You're better off buying an off-the-shelf small business setup than you are trying to whittle something out of substandard hardware.  The pi is substandard with respect to networking and disk tasks because of the hardware baked into the system. I use the pi platform for all sorts of tasks, just not those.

Internet router: Your router should have much more throughput than your ISP's bandwidth states. Latency is the key here.  Their hardware is good enough to support their maximum supported bandwidth and probably more. If any part of the chain is marginal then the entire throughput will suffer in a magnified way. Adding even NAT, or a few firewall rules, really hits minimal hardware right in the place that hurts most:  throughput.

Internal router:  Same thing, only you should be looking at gigabit throughput as the minimum transfer rate. Firewall rules hurt even more here. Any extra processing causes latency.

Switch:  With a setup like you're describing, I recommend at least a smart switch with VLAN capability. https://www.amazon.com/TP-Link-Ethernet-Unmanaged-Rackmount-TL-SG1016DE/dp/B00K4DS67C/ for example.

Network cards:  Avoid budget brands like Realtek. In the gigabit and lower range, Intel rules the roost. Intel NICs handle almost everything in the network stack internally, leaving your CPU to do other things. I have Realtek and Intel both; the Realtek on my i7 box is slower than the Intel on my atom box.

I would recommend one of these scenarios:

1. Get one box that can handle all of your routing duty, with several high-quality NICs built-in that can do all the things you want on one system instead of multiple.
2. Do the above, but use VMs to encapsulate each of the systems in your proposal above.

Interesting hardware I've found:

- https://mikrotik.com/product/
- https://www.pfsense.org/products/
- https://www.supermicro.com/products/motherboard/ATOM/
- https://www.netgate.com/solutions/pfsense/#on-premises

It used to be that netgate had small router systems available, now it all seems pfSense related. Not sure what happened there, I'm not really recommending you get pfSense. Only inexpensive routing gear good enough for a commercial environment but on a smaller scale.

----------

## depontius

The apu2c4 that jamapii pointed me at is not a Pi system, it is an AMD Jaguar, which is most probably competitive with an Atom.  The three NICs it has onboard are Intel ethernet, as well.  There is still cause for concern, but I don't believe it's in the same realm as you were imagining it to be.

1 - Right now I'm getting 8.5 down, 6 up.  That is the fault of my front-line router.  I have a replacement which will be faster, but have had configuration problems getting the replacement into service.  The front-line router issue will be settled before I embark on this new project.

2 - I expect my bandwidth down to take a big jump as soon as I get the new router in.  As for next few years, I don't know.  I'm surprised at how much I can get done with "only" 8.5 down and 6 up.  I do a fair amount of work from home on this setup.

3 - The front-line router is running its own commercial firewall.  The new box I'm planning will be my vehicle for learning nftables.

4 - I'm running OpenVPN at the moment.  With the new router I don't know if I'll run OpenVPN on it or forward the port to a machine on my private LAN.  At some point I want to look into WireGuard.

5 - Not fully determined yet.  The private LAN will be permitted to do pretty much what it wants, though currently I have a bit of choking to make sure that all mail goes through my server and none tries to go out directly.  The commercial LAN will be permitted to respond to my private LAN, and I'll have to play by ear its ability to "phone home".  Obviously my Obihai needs to get out in order to do VOIP, my Blu-Ray will need to get out in order to stream, etc.  But none of that stuff will be able to originate a connection to my private LAN, and the rest I'll have to figure out on the fly.  Most likely early on I'll be heavily invested in monitoring outgoing connections from the commercial LAN.

Right now I have an old PC as a bastion host, doing this routing.  Once upon a time I had hot-sparing ambitions, but that hasn't come to pass.  But that machine is so crucial to operation of the rest of the network that some types of updates can become a royal pain.  I want to separate functions, get some redundancy, cut my electric bill, and even take all of this new low-power hardware and put it on a UPS, so my network can stay up through a power outage, rather than staying up long enough for a graceful shutdown.

----------
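The policy depontius sketches in his answer to question 5 (private LAN largely unrestricted, outbound mail forced through his own server, the commercial LAN allowed to answer the private LAN but never to originate a connection to it, and its "phone home" traffic logged for review) is the same thing Ant P. asked about a few posts up and the thing 1clue's firewall-rules question is driving at. The following nftables ruleset is an added worked example of that policy; it is not from this thread or from any project. The interface names `wan0`, `lan0` and `iot0` (a VLAN sub-interface such as `eth1.20` works just as well for `iot0`, which is NeddySeagoon's VLAN-separation option), the subnets 192.168.10.0/24 and 192.168.20.0/24, the mail server at 192.168.10.5, the list of services the commercial LAN may reach, and the assumption that the upstream appliance router needs the internal subnets masqueraded are all mine, chosen for illustration. The DMZ in the thread's layout sits on the `wan0` side of this box, so it is simply "upstream" here.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the screened-subnet layout discussed in the thread.
# Not from the thread or any project; all names and addresses below are assumptions:
#   wan0  toward the appliance router and the DMZ
#   lan0  private LAN,    192.168.10.0/24  (mail server assumed at 192.168.10.5)
#   iot0  commercial LAN, 192.168.20.0/24  (a VLAN sub-interface such as eth1.20 also works)
flush ruleset

table inet screened {
    set commercial_egress {
        type inet_service
        # Assumed set of services the commercial LAN may originate to the internet:
        # DNS, NTP, HTTPS (streaming), SIP (VoIP adapter). Extend as monitoring shows real needs.
        elements = { 53, 123, 443, 5060 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # Management of the router itself only from the private LAN.
        iifname "lan0" tcp dport 22 accept
        # DHCP and DNS served by this box to both internal segments (assumed).
        iifname { "lan0", "iot0" } udp dport { 53, 67 } accept
        iifname { "lan0", "iot0" } tcp dport 53 accept
        log prefix "input-drop: " counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to flows that were allowed when they started. This is what lets the
        # commercial LAN *answer* the private LAN without ever being allowed to *originate*.
        ct state established,related accept
        ct state invalid drop

        # Private LAN: outbound SMTP must come from the mail server; everything else is allowed.
        iifname "lan0" oifname "wan0" ip saddr != 192.168.10.5 tcp dport 25 \
            log prefix "smtp-bypass: " counter reject with tcp reset
        iifname "lan0" accept

        # Commercial LAN may never open a connection toward the private LAN.
        iifname "iot0" oifname "lan0" ct state new log prefix "iot-to-lan: " counter drop

        # Commercial LAN to the internet: only the listed services, and every new flow is
        # logged so "phone home" behaviour can be reviewed in the kernel log.
        iifname "iot0" oifname "wan0" ct state new tcp dport @commercial_egress \
            log prefix "iot-egress: " counter accept
        iifname "iot0" oifname "wan0" ct state new udp dport @commercial_egress \
            log prefix "iot-egress: " counter accept
        iifname "iot0" oifname "wan0" ct state new log prefix "iot-egress-drop: " counter drop

        log prefix "forward-drop: " counter drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Assumed: the upstream appliance has no routes back to the internal subnets,
        # so hide them behind this box's wan0 address.
        oifname "wan0" masquerade
    }
}
```

Check the file with `nft -c -f screened.nft` before loading it; `-c` parses and validates without changing the live ruleset. The `counter` on each logging rule gives a quick `nft list ruleset` view of how much traffic each policy line is matching, and the `iot-egress:` and `iot-egress-drop:` prefixes in the kernel log are the raw material for the early monitoring phase depontius describes. Note that IPv6 forwarding from the commercial LAN is governed by the same `iifname`/`oifname` rules, so nothing slips past on the v6 side of a dual-stack setup.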

## 1clue

Just a point of info, if you're running Gentoo on an atom then I'd say 4 cores with 8 GiB RAM would probably be workable. I have 8/16. It's slower than any other system I've run Gentoo on and actually used for something.  I ran Gentoo on a pi b+ but it took so long to maintain I scrapped it.

If you're looking at a non-Gentoo setup then I would expect a 2-core atom c2000 to easily accommodate everything you've talked about, given sufficient RAM. Probably 4G for a single system handling all the duties except vpn, or 6G total for two VMs handling that.  I don't have experience with atoms other than c2000 so I don't know how they compare.

When I built my setup I had no benchmarks to go from. I bought extra-big because I expected gigabit Internet soon, which hasn't happened. As it is, I could probably happily saturate a VPN with gigabit Internet, that's speculation based on the limited tests I can do.

----------

## Mad Merlin

It doesn't run Gentoo out of the box, but a Ubiquiti EdgeRouter is built for this kind of task and will only run you ~$100 USD.

https://www.ubnt.com/edgemax/edgerouter-lite/

The base model has 3 routed (not switched) ports, but there's also an 8 port model. I run several of the 3 port model for various purposes and am quite happy with them.

----------

