Hi! I’m looking for some advice regarding a device capable of routing 10G on the LAN side (i.e. firewalling, VLANs); WAN speed is currently limited to 1G (with a 2.5G port). On the switch side, I’m running a TP-Link SX3008F for 10G and a LAGed TP-Link SG3428X for 1G devices.
To keep everything passively cooled, I’d much prefer SFP+ ports to RJ45, but with the newer 80m/100m Broadcom chips or RTL8261N transceivers, copper could work if necessary. Power consumption is a concern (optical modules or passive cables don’t use that much energy).
Currently I’m looking at the following options:
W1700K - OpenWrt support is still somewhat rough and the 10G ports are copper. The device is currently available for around EUR 100 (which I gather is pretty expensive compared to a few months ago, but still way cheaper than the other options; the PSU would be another EUR 30 or so). Wi-Fi 7 is a bonus, but I’d probably be fine keeping my Flint 2 as an AP.
BPI-R4 - given the deficiencies in hardware design, I’d not try to use it as a Wi-Fi router. It has SFP+ ports, but is not really cheap (board + case + cooler go for EUR 330 on AE, plus again EUR 30 or so for a quality PSU).
Protectli VP2440 (Intel N150 with an integrated X710 dual SFP+ and two 2.5G copper ports). Costs EUR 470 including PSU but not RAM, so another EUR 50-200 extra, depending on whether I can get a working used 8 GiB module locally.
Since I’ve got extra NVMe drives, the Protectli does not look so bad cost-wise against the BPI-R4 to me, but I’ve got no idea of how much CPU power the N150 brings vs. the ARM cores. In general, I’m not looking at running a lot of services on the router.
Am I missing a viable option? What’s the power usage on the BPI-R4 when not using a Wi-Fi card? The Protectli should be around 12-15 W idle (though running OpenWrt from eMMC instead of an NVMe disk might drop things a bit).
I understand your need to route 10Gbps within the same LAN, but it is worth keeping in mind (in case you upgrade your WAN speed):
I don’t believe any Intel “N” CPU can support 10G between two physical links with high stability.
The reason is that these CPUs (N100, N150, N305) are limited to 9x PCI Express 3.0 lanes.
Considering the board has to provide lanes for other devices, such as the NVMe slot, Ethernet/RJ45 NICs and extra USBs, it is hard to imagine a board project capable of providing 4 exclusive lanes for the PCI slot where you would install an X710 Intel card.
Each PCI Express 3.0 lane provides ~985 MB/s (7.88 Gbps), so a minimum of x2 lanes is needed for a single 10 Gbps port and x4 lanes for two 10 Gbps ports without any bottlenecks.
And of course, you’d also encounter a CPU bottleneck if you try to run 10Gbps WAN<>LAN on these CPUs.
If I were to buy some x86 hardware today for 10Gbps and be “future proof”, I would buy something like this:
The VP2440 has the 10G ports built in; supposedly they indeed use four of the PCIe lanes (the included M.2 slots have two lanes and one lane each, and the two I226-V ports should only use a single lane).
This is an example from my Pentium Gold 8505 mini PC with 2 NVMe slots (x4) and 6x Intel I226-V NICs (x1); you can see that they do not share any lanes, and the CPU itself provides 20 lanes.
If you plan to run OpenWrt bare-metal, sharing lanes is not a big deal; if you plan to use a hypervisor, I recommend avoiding boards that share lanes to prevent issues with PCI-E passthrough of NICs to a specific VM (such as OpenWrt).
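The lane discussion above boils down to one check a buyer can do on the actual box: what width and speed each NIC's PCIe link advertises (LnkCap) versus what it actually negotiated (LnkSta), and how many Gbit/s per direction that leaves for the port. The script below is an added example, not something posted in this thread; it parses `lspci -vv` output with awk, converts the negotiated link to usable bandwidth (8b/10b encoding for PCIe 1.x/2.x, 128b/130b for 3.0 and later) and flags links that came up narrower or slower than the device supports. The embedded sample output is constructed for the demonstration (an X710 that negotiated only x4, and a single-lane I226-V); the bus addresses and revision-free device names are illustrative.

```shell
#!/bin/sh
# Added example (not from the forum thread): report negotiated PCIe link
# width/speed per device and the resulting per-direction bandwidth.
# Usage on a real system (LnkSta is usually only shown to root):
#   sudo lspci -vv | pcie_link_report
set -eu

pcie_link_report() {
    awk '
    # Per-lane throughput in Gbit/s: 8b/10b for <= 5 GT/s, 128b/130b for >= 8 GT/s.
    function lane_gbps(gt) { return (gt + 0 >= 8) ? gt * 128 / 130 : gt * 8 / 10 }
    # A device header starts at column 0 with its bus address ("01:00.0 ...").
    /^([0-9a-f]+:)+[0-9a-f]+\.[0-9a-f]/ { dev = $1 }
    # LnkCap: what the device can do.
    /LnkCap:/ {
        if (match($0, /Speed [0-9.]+GT\/s/)) cs = substr($0, RSTART + 6, RLENGTH - 10)
        if (match($0, /Width x[0-9]+/))      cw = substr($0, RSTART + 7, RLENGTH - 7)
    }
    # LnkSta: what was actually negotiated; compare against LnkCap and print.
    /LnkSta:/ {
        if (match($0, /Speed [0-9.]+GT\/s/)) ss = substr($0, RSTART + 6, RLENGTH - 10)
        if (match($0, /Width x[0-9]+/))      sw = substr($0, RSTART + 7, RLENGTH - 7)
        flag = (sw + 0 < cw + 0 || ss + 0 < cs + 0) ? " [DOWNGRADED]" : ""
        printf "%s negotiated %sGT/s x%s = %.1f Gbit/s per direction, advertised %sGT/s x%s%s\n", dev, ss, sw, lane_gbps(ss) * sw, cs, cw, flag
    }'
}

# Constructed sample of lspci -vv output (not captured from real hardware).
SAMPLE_LSPCI=$(cat <<'EOF'
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+
	LnkCap:	Port #0, Speed 8GT/s, Width x8, ASPM L1, Exit Latency L1 <16us
	LnkSta:	Speed 8GT/s (ok), Width x4 (downgraded)
02:00.0 Ethernet controller: Intel Corporation Ethernet Controller I226-V
	LnkCap:	Port #0, Speed 8GT/s, Width x1, ASPM L1, Exit Latency L1 <4us
	LnkSta:	Speed 8GT/s (ok), Width x1 (ok)
EOF
)

printf '%s\n' "$SAMPLE_LSPCI" | pcie_link_report
```

The sample's X710 line shows the case the post warns about: a dual-port 10G controller that only got x4 still has 31.5 Gbit/s per direction, so two 10G ports fit, but x2 (15.8 Gbit/s) would not carry both ports at line rate, and a 1.x/2.x-era board halves those numbers again.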
If there is heavy local traffic demand, that is definitely a good recommendation; the downside is that you lose the VLAN isolation.
If you want to keep VLAN isolation, the recommendation is to use an L3 switch for inter-VLAN routing.
So you have the L3 switch (ASIC) for vlan<>vlan traffic and the router (CPU) for lan<>wan traffic. This way you don’t saturate your router<>switch uplink with local traffic, making sure your router resources (CPU and link) are always available for WAN traffic.
I think it’s the price of the 8 GiB version, but I don’t think the 4 GiB version is still available for that low (it also seems out of stock, but I haven’t checked all vendors … AE’s search is just as bad as Amazon’s).
Edit: Nope, the cheapest one is EUR 230 with shipment for just the board, and it’s all only the 4 GiB version (8 GiB eMMC).
A summary search for the 4G model says 260 € if you buy the power supply + plexiglass case + cooler + 4 GB board. A cool hundo after two years; it gained more value than my stock assets.
Yes, it becomes somewhat less isolated, but on the shared resource turn off IP forwarding and IPv6 forwarding, and place rules to prevent forwarding in the firewall as a second line of defense, and the loss is somewhat minimal. If the shared resource is attacked and an attacker gets local control, then they can start sending packets on all the VLANs, but this is also true of your router. One way to help is to put the shared resource so that it only provides ssh on a particular management VLAN.
It all depends on your security requirements, but for a home or small business system where the internal LAN is fairly well controlled, I think the security risk is probably worth it to avoid having to route at 10Gbps.
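The two layers described in the post above (kernel forwarding off, plus firewall rules as a second line of defense, with ssh only on a management VLAN) map onto a short sysctl fragment and an nftables ruleset. The script below is an added example, not configuration from anyone in this thread; it generates both artefacts for a Linux host that sits on several VLANs through sub-interfaces, and includes a check that reads `sysctl` output and succeeds only when every forwarding key is 0. The interface names (`eth0.10` as management, `eth0.20`/`eth0.30` as data VLANs) and the service ports 445/2049 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the forum thread): keep a multi-VLAN host from
# acting as a bridge between its VLANs. Interface names are assumptions.
set -eu

MGMT_IF="eth0.10"                 # assumed management VLAN: ssh only here
DATA_IFS='"eth0.20", "eth0.30"'   # assumed data VLANs: shared services only

# Layer 1: kernel. "all" covers existing interfaces, "default" future ones.
# Deploy as /etc/sysctl.d/90-no-forward.conf and apply with: sysctl --system
write_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
EOF
}

# Layer 2: firewall. The forward chain drops everything, so nothing transits
# even if forwarding is re-enabled later; ssh is accepted only on the
# management VLAN, and the shared services (assumed SMB/NFS) only on data VLANs.
# Deploy with: nft -f <file>
write_nft() {
    cat <<EOF
table inet noforward {
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "any hit here is a VLAN-to-VLAN forwarding attempt"
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        iifname "$MGMT_IF" tcp dport 22 accept
        iifname { $DATA_IFS } tcp dport { 445, 2049 } accept
    }
}
EOF
}

# Verification: pipe `sysctl -a 2>/dev/null | grep forward` (or a saved copy)
# into this function; exit 0 only if forwarding keys are present and all 0.
forwarding_is_off() {
    awk '
        /(ip_forward|\.forwarding)[ \t]*=/ { seen++; if ($NF != 0) bad++ }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }
    '
}

write_sysctl
write_nft
write_sysctl | forwarding_is_off && echo "# generated sysctl fragment disables forwarding"
```

Run the check against the live host after applying both files; a `counter` hit in the forward chain is the signal that something on a VLAN is trying to use the shared host as a path to another VLAN, which is the scenario the post accepts as the residual risk.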
I’d prefer full separation via the FW, but yeah, it’s a home network; the whole zero-trust thing is not really because of an actual threat profile and more because I can.
I have also had a look at the power usage of the BPI-R4 compared to the VP2440 and decided to try to get the former if available at a reasonable price (apparently they announced their big price hike 5 days ago).
Conrad had both the 4G and 8G versions listed at their old price and was running a promotion with 10 % off, so I tried to order. Initially, the 8G version was listed as sold out and the 4G available, but they cancelled my order after I paid. On the next day, both versions were listed as available (with future delivery dates), so I tried to order both and the 4G version got cancelled again, but the 8G version is supposed to be delivered mid-April. We’ll see if the order is actually going through, but so far it’s looking good. I will hold off on ordering the case and cooler, though.
I kinda doubt the BPi will actually route at 10Gbps. I mean, if it does that's great, but I'd expect maybe more like 3 or 4 Gbps. I could be wrong though. Would love to know what kind of numbers you get once you get one.
With HW offloading supposedly it can (without it, definitely not). But we'll see what the numbers are. Faster than the GL-MT6000 with its 2.5G ports, I’d hope.
It's all about board design; it's possible, you just haven't seen one yet.
I own a CWWK N100: the NVMe is only x1, USB is 2.0 only (no 3.0), with only 2 onboard 2.5GbE. Yes, you might find it hard to imagine, but this board has a dedicated PCI-E x4 for me to plug in a dual-port 10G NIC (Mellanox X3).
Some other China-based stuff has a similar design, but some of them use the same chipset as the Intel X520 (failed!! it needs x8 lanes for dual ports).