If you’ve been around for a while, you will know that POHO, or Psycho Overkill Home Office, is an ongoing theme of this blog. I’ve described it more than twice as “two comma technology on a one comma budget.” It stands to reason that my home network is in the “psycho overkill” range, with three sites connected by VPNs and internal 10 gigabit networking (40 gigabit on its way).
Disclosure: Much of the gear in this post is Cisco Meraki, and much of that was obtained using employee purchase program benefits as a Cisco employee. As a system engineer I was eligible for free renewals on my licenses for the Meraki gear, but the original licenses and most of the hardware purchases were out of my own pocket. Any other gear mentioned was purchased out of my own pocket through mainstream methods (i.e. eBay) unless otherwise noted. Cisco has not reviewed, influenced, or endorsed this post or this blog, and they most likely won’t.
What’s the POHO like today?
In the past two years I’ve been running a somewhat crippled network, despite having pretty good employee purchase benefits at work. Still, with gigabit fiber and 500 megabit cable, I’m at about 2.5x the capacity of my core router.
I’m running a Meraki MX84 as the core of my home network, with AT&T / Sonic fiber as primary and Comcast as secondary. It downlinks to an MS42P 48-port switch with four ports of 10 Gigabit Ethernet. On the upstream side, it connects via Meraki’s Auto VPN to an MX64 in my shop across town, and to a Z1 Teleworker unit in my garage that keeps some lab gear protected from the world (and simplifies IP addressing).
I have a couple of MS switches around the networks, as well as a Cisco Small Business SG500XG-8F8T, a Netgear MS510TXPP (for mgig POE) and a couple of other brands in use from time to time. Wireless is handled by MR56 and MR34 in the house, MR18 in the garage, and MR16 in the shop.
Unfortunately, the MX84 is limited to 500 Mbps of stateful firewall throughput, or 320 Mbps with advanced security enabled. I’m getting pretty close to that, but the other half of the uplink is idle unless I switch over to the other side of the MX.
And unfortunately I am no longer a Cisco employee, so there’s no more deep discounts and free SE license renewals in my future.
So I’ve been thinking about the possibilities, in a POHO budget (preferably $1000 or less), to upgrade this environment.
Givens and Druthers
Givens and Druthers means you define your solid requirements (givens) and your wish list (druthers). “If I had a chance, I’druther have this, that, and the other thing.”
My solid requirements are pretty easy to define:
- Able to handle 1.5 gigabits of throughput with security features enabled. Otherwise, no reason to upgrade.
- Modest power and noise levels. No Cisco 3945 routers for the home office.
- Dual gigabit Ethernet uplink with cellular failover, or triple uplink and I’ll use a cellular router for the failover.
- Easy configuration, monitoring, and management
- Easy VPN configuration for the two remote sites and mobile use.
- Low upfront and ongoing cost
My druthers have built up over the last year and are a bit more flexible.
- Able to handle 2 gigabits with NGFW or other advanced feature set.
- Multiple 10 gigabit ports, preferably with trunking capability.
- POE for wireless gear or subordinate switches
- No ongoing cost for licensing
So where do we start? Why not just upgrade the Meraki?
I thought about that, but the semi-affordable-at-employee-price MX100 caps out at 750 Mbps. Street price (logged-out search on cdw.com, so probably a price anyone can get) is around $3500 plus $3600 for an advanced security license for one year. Going to the MX250, which handles 4 Gbps, brings me to about $8k for hardware and $3600 for the license.
Employee pricing was better, but still pretty extreme for my budget, and no longer an option since I’m no longer with that company.
Using an open source or other publicly available software product is another alternative. I’ve found that in various forums, asking “what hardware should I use” for a 1.5-2 gigabit firewall usually results in a non-answer of “pfsense!!!!1!” I’ve been considering a small server for pfSense or something like it, but it’s more of a hands-on solution and I haven’t had luck getting useful answers about hardware scaling.
But in the search for pfSense information, I found that people were reusing first gen Sophos firewalls (PDF), and the Sophos specs for their own software gave me a good sense that the SG310 could handle what I need. The SG330 is also a viable alternative.
Both models support up to 18 ports: 8 Gigabit Ethernet RJ45 ports and two 1 Gig SFP ports built in, plus a modular Flexi bay that can take up to four 10 Gig ports or up to eight 1 Gig ports. They both have a 180GB Intel SSD and 12GB of RAM on board.
SG310 is rated at 17 Gbps Firewall throughput, 3Gbps VPN, 5Gbps IPS, and 1.2Gbps AV-proxy. SG330 bumps that up to 20 Gbps firewall, 4Gbps VPN, 6Gbps IPS, and 1.5Gbps AV-proxy. Based on the lowest specs, the SG310 could handle my throughput requirement with the highest load option, so it was an easy choice.
You’ll find the SG310 Rev1 as low as $475 shipped on eBay as of this writing (they are a bit more rare now, and mine was under $200 a year ago). The SG330 is as low as $400 shipped, and there are more of them around albeit closer to $600-800 for the most part. The 10GbE module used runs for about $800, or twice as much as the router itself, but there’s a seller out there now with a module for $425 shipped.
The Sophos community forums and subreddit have a lot of user information on upgrading the SG to an XG firewall, which keeps the LCD active and enables a 30-day trial for almost all features, plus the base firewall free beyond that. Note that the forums absorbed the Astaro forums, so you’ll find content from almost 20 years ago in there alongside recent stuff. Check the date before following instructions or panicking that they don’t work.
I followed the XG upgrade instructions, and they worked quite well to bring me up to the current version. I’m still deciding whether to keep using it with the standard software, or cut over to pfSense or the like. I’m thinking the VPN piece and the network failover will warrant some further testing before making that decision.
An upside to this line is that it is pretty much a standard PC inside. There’s a 4th gen Core i-series processor (some have Xeons), with VGA out the back and three USB ports, so you can hang a keyboard and monitor on it to install your own software (in fact, to install the XG, you pretty much just plug in a bootable USB drive with the image “burned” onto it, and watch the screen go by). The network ports should just show up in whatever OS you install. You may have to hunt down LCD support if it matters, but many people have done it with Linux at least.
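Writing the installer image to the USB stick, as an added example that is not from the original post and is not Sophos’ own tooling: a small POSIX shell script that checks the image’s SHA-256 before handing it to dd, since a firewall is the last box you want to boot from a tampered or truncated image. The image file name, the device path and the expected hash are placeholders the operator fills in, and it assumes the vendor publishes a checksum with the download, which the post does not say.

```shell
#!/bin/sh
# Added example (not from the original post): write a firewall installer image to
# a USB stick only after its SHA-256 matches the value the operator obtained from
# the vendor. sophos-installer.iso, /dev/sdX and the hash are placeholders.
set -eu

# Print the SHA-256 of a file using whichever tool the host has (GNU coreutils
# sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the image's hash equals the expected value, 1 otherwise.
# Compare case-insensitively, since published hashes vary in case.
verify_image() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Write the image to the target only after verification passes, and refuse a
# few device names that are almost always the host's own system disk.
write_image() {
    image=$1
    device=$2
    expected=$3
    if ! verify_image "$image" "$expected"; then
        echo "hash mismatch for $image, refusing to write" >&2
        return 1
    fi
    case "$device" in
        /dev/sda|/dev/nvme0n1|/dev/disk0|/dev/mmcblk0)
            echo "refusing to overwrite $device: looks like a system disk" >&2
            return 1 ;;
    esac
    # bs is given in bytes so the same line works with GNU and BSD dd; sync
    # flushes the write cache before the stick is pulled.
    dd if="$image" of="$device" bs=1048576 && sync
}

# Usage (placeholders): write_image sophos-installer.iso /dev/sdX <sha256 from vendor>
```

Run it as root with the real device path (check `lsblk` or `diskutil list` first); the system-disk blacklist is a seatbelt, not a substitute for reading the device name twice.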
But will 8 ports be enough?
Good catch, for those of you who thought of this. I currently use two uplink ports and one downlink port on my MX appliance, and up to 30 ports on the MS42 switch.
To solve this problem, I picked up a pair of Brocade/Ruckus compact switches. They’re each about 2/3 of a rack wide, with a couple of POE ports and nearly silent operation.
The ICX-6450-C12-PD provides 16 ports of Gigabit Ethernet, 14 copper-only (four of them PoE) and 2 dual-personality with SFP option. Used pricing on eBay is around $125-200 when you get past the “*READ*” parts-only listings. I’ll admit I bought this one by accident, thinking it was the 7150 with 10GbE. But still, it was a good deal and might let me scale back the office rack a bit.
The ICX-7150-C12P is similar, but with a USB-C console port, as well as optional 10GbE for the dual personality ports. List price appears to be $1,000, or $1,500 with the 10GbE upgrade key. Used pricing on eBay is in the $250-400 range.
With some cleaning up of the office network, I can see most of my traffic being handled on the 7150. Two desktops with 10GbE using the SFP ports, a two port trunk up to the Sophos device, and the rest handling four NAS ports, the upstairs access point, the managed power strip, and the Raspberry Pi clusters. The 6450 can trunk into the Sophos as well, perhaps with a separate subnet, for testing and updates.
What about wireless networking?
Right now I use Meraki MR56 and MR34 access points in the house, and a D-Link wireless bridge feeding the downstairs MS220-8P switch that connects the downstairs workstation, two printers, entertainment center, and the second MR34.
I do have some Ubiquiti gear, including five different AP models going back a few years, but I ended up getting the MR56 from Meraki (specs) as one of my last purchases on the EPP, to support 802.11ax and Bluetooth Low Energy (BLE) connectivity. I’m still pondering where to go with that, when the licenses expire.
What else is on your mind?
I’ve had some friends suggest Fortinet, and apparently they’re pretty easy to use, and readily available on the used market. I might be able to deploy their access points as well as firewalls, which could be interesting. And they’re headquartered about three miles from home, so maybe I can find a bored field engineer who’d have a chat about options. I would need to see what the licensing situation is, as I would want to be able to upgrade firmware.
I do have a small Ubiquiti kit (which was in a post almost 4 years ago), and I’ve been considering their Dream Machine Pro, although I’ve heard nightmares about firmware on those machines and requiring scheduled reboots. The EdgeRouter 6P was also recommended a while back. They also have access points, and a lot of their gear is available locally at Central Computers, which is good since the good stuff seems to come in and out of stock on store.ui.com.
Where do we go from here?
I still have just short of a year on my Meraki licenses, so I have some time to experiment. What do you think of the above ideas, or what have I not thought of? I’d especially appreciate thoughts on wireless access points for when I’m no longer in the Meraki ecosystem.