MWareman Posted August 7, 2017 Sounds like a reasonable conclusion, one I would also come to given the same criteria. In my case, the new Vault is handily outperforming my other options, so it's staying. Different criteria though.
elvisimprsntr Posted August 12, 2017 Looks like Protectli products supporting AES-NI are up on their site, although listed as out of stock: http://protectli.com/product-category/aes-ni/ Some models do appear in stock on Amazon.
Scottmichaelj (Author) Posted August 12, 2017 I have spent a little more time with their newest i3 box and, after all is said and done, I am going to keep mine. I tossed in 8GB of RAM and a spare 240GB SSD drive I had. Makes a hell of a fast pfSense router. I did some speed comparisons at different times of the day, one for one on the same servers etc. It appears the Protectli box is in fact faster than the PC I had and the VirtualBox VM. I could not repeat the same results I had previously matching the PC and VM, so I am tossing those results and starting over. Edit: added speedtest screenshots (PC box via ISP, PC box via VPN, Protectli i3 via ISP, Protectli i3 via VPN). As you can see, the ISP speeds are similar on both devices, as one would expect. However, the Protectli i3 I think actually is beating out the PC box, due to AES-NI. MWareman also saw higher speeds than I did on his tests/internet, due to him having a higher speed than I do. So I think this box has more room/overhead as ISP speeds increase over time. So all that said is now why I am deciding on keeping mine. A couple of other observations I like. Protectli includes a bracket that you can use to hang the box on; for example, if you want to put it into a structured wiring box you could, which is really nice. The other cool thing is the speaker. Yes, I know, lame, but on reboot it beeps once when it's turned on and then a series of beeps when pfSense is fully loaded, so you don't need a monitor. And the last little cool thing is that when power is restored it powers back up by default. No messing around in the BIOS to set this; it's factory set. EDIT: /couple random thoughts... Not sure how I was able to produce good speeds from the PC and VM before but can't anymore. So that's why I am going with what I know and see NOW.
I was using the VM with Win7, then I upgraded to Win10; could that have been an issue? Dunno. I am not going to toss VirtualBox on a fresh install just to test. Yes, I am being lazy. Also, the VM was upgraded to a newer version; could that have caused an issue? Dunno. A VM takes CPU, memory and power. If you have a VM on a machine that you're also using for other items like maybe PLEX, internet speeds will be sacrificed when transcoding. I saw this when using PLEX and my SiliconDust HDConnect when watching free over the air (OTA) TV on my Nvidia Shield TV. /end random thoughts.
elvisimprsntr Posted November 8, 2017 For those of you using a Netgear LB Series LTE modem for failover WAN and encountered problems using bridge mode, apparently there is a firmware update (see post on 10/24/17) available which is reported to address the issue. I installed the update using the GUI, although it did not reboot after the update. I had to manually pull power after I waited 15 minutes to allow sufficient time for the firmware update to complete. https://community.netgear.com/t5/Mobile-Routers-Hotspots-Modems/LB1120-Bridge-Mode-No-Connectivity/td-p/1260397 I was able to confirm that the LTE IP address is now the same as served to my pfSense firewall. I also noticed there are some settings in the config file to enable IP passthrough and DMZ mode. These settings do not seem to be available via the GUI, at least not with the LB1120 model. Not sure if those settings are specifically for the Dual WAN LB2120 model. I have not tried to manually change them and restore the file.

    router.DMZaddress=192%2E168%2E5%2E4         # 192.168.5.4
    router.DMZenabled=false
    router.ipPassThroughEnabled=true            # Bridge mode setting?

Also seems to be using Google DNS servers by default, but this option is not available via the GUI if you want to use more secure DNS servers, i.e. OpenDNS.

    router.DHCP.DNS1=8%2E8%2E8%2E8              # 8.8.8.8
    router.DHCP.DNS2=8%2E8%2E4%2E4              # 8.8.4.4
    router.DHCP.DNSmode=Auto                    # I assume this only applies if you are using router mode with DHCP enabled
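As an added example (not code from the post or from Netgear), a small Python audit of an LB-series config export of the kind quoted above: it percent-decodes the values (192%2E168%2E5%2E4 becomes 192.168.5.4) and reports the settings a defender would want to review before trusting the modem in front of pfSense. The config text is a constructed sample modelled on the quoted lines, and the trusted resolver list uses OpenDNS's published addresses as the operator's chosen servers.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample modelled on the lines quoted in the post above;
# it is not a real export from an LB1120.
SAMPLE_CONFIG = """\
router.DMZaddress=192%2E168%2E5%2E4
router.DMZenabled=false
router.ipPassThroughEnabled=true
router.DHCP.DNS1=8%2E8%2E8%2E8
router.DHCP.DNS2=8%2E8%2E4%2E4
router.DHCP.DNSmode=Auto
"""

# OpenDNS's published resolvers, used here as the operator's chosen list.
OPENDNS = ("208.67.222.222", "208.67.220.220")

def parse_config(text):
    """Return {key: value} with percent-encoded values decoded
    (192%2E168%2E5%2E4 -> 192.168.5.4). Blank lines, '#' comments
    and lines without '=' are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = unquote(value.strip())
    return settings

def as_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")

def valid_ipv4(value):
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False

def audit(settings, trusted_dns=OPENDNS):
    """List the settings a defender would want to review before
    trusting this modem in front of the firewall."""
    findings = []
    dmz_host = settings.get("router.DMZaddress", "")
    if as_bool(settings.get("router.DMZenabled", "false")):
        findings.append(f"DMZ enabled: unsolicited WAN traffic is forwarded to {dmz_host}")
    if dmz_host and not valid_ipv4(dmz_host):
        findings.append(f"DMZ address {dmz_host!r} did not decode to a valid IPv4 address")
    if as_bool(settings.get("router.ipPassThroughEnabled", "false")):
        findings.append("IP passthrough enabled: the device behind the modem gets the WAN "
                        "address, so its own firewall must do all the filtering")
    for key in ("router.DHCP.DNS1", "router.DHCP.DNS2"):
        dns = settings.get(key)
        if dns and dns not in trusted_dns:
            findings.append(f"{key}={dns} is not in your chosen resolver list")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```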
asbril Posted November 8, 2017 Very jealous of your IP speed. Maximum that I get is 90.
Scottmichaelj (Author) Posted November 8, 2017 I am VERY happy with my pfSense setup, best thing I could have done. However, a huge thanks goes to Michael Wareman, who is a genius when it comes to networking. There are a few things like the pfBlocker, Snort and Squid add-ons I am still playing with.
asbril Posted November 8, 2017 I don't think that it has anything to do with my network setup. Unfortunately, in my condo the maximum Comcast will give us is officially 75, but it goes to 90. My router is a Google Wifi, which is by far the best I have ever had.
jason.russo.96 Posted November 14, 2017 I'm glad that I found this thread because it is exactly what I am trying to do. After a network outage a couple of weeks ago, I realized how dependent I am on it! My main goals are: controlling my ISY, controlling my ELK M1, checking my cameras (Blue Iris web server), and checking my aquariums (Neptune controller). I have an ASUS RT-N66u running the latest DD-WRT firmware. I have the dual WAN set up properly because I have internet in the house when the failback switches over, but I cannot access anything inside the house (cameras, Elk, ISY). I have tried a Peplink unit from a company called DATA2GO. They said the solution is to add a static IP; I don't agree with this. I also have a Netgear LB2120. This works as well, as long as I have it set up inline (using the LB2120 for failover, NOT the dual WAN router). I have internet but cannot find my home devices. So here is where I think the issue is: I use an ASUS DDNS (hostname.asuscomm.com) for my devices. I type in [hostname].asuscomm.com then the port, and it works great. The DDNS points to the public IP; when the network switches over to cellular, the public IP changes, so the DDNS is pointing to the wrong place now. I can set everything up for the public IP, but the same thing happens. I've tried running the LB2120 in bridge mode and router mode; neither works. Ideally I can write a script to make the ASUS router DDNS update sooner, maybe every 5 minutes? This will allow a maximum time of 5 minutes when the DDNS is pointed at the wrong address. Maybe I can use another DDNS provider that updates sooner? I'd prefer to use the Netgear and return the Peplink. I can use a Verizon SIM card and a pay-as-you-go data plan, so it is basically free unless you use it. Data2go wants $12 a month for the static IP. Any help is appreciated.
elvisimprsntr Posted November 14, 2017
1. Check for firmware updates for the LB2120 via its interface. There was a recent update for the LB series for bridge mode.
2. I struggled with trying to use an off-the-shelf dual WAN router. Ultimately, I ended up with a protectli.com appliance running pfSense. It has a higher learning curve than DD-WRT or factory firmware, but is well worth it. I have three ISPs:
   Tier 1: ATT fiber
   Tier 2: Comcast xfinitywifi
   Tier 3: ATT LTE IoT SIM
   With pfSense, you can restrict which LAN devices have access to any particular WAN path. For example, I only allow security devices access via the LTE WAN to limit usage.
3. In pfSense you can have multiple DynDNS clients running to update each WAN path with its own unique IP address. This way you can have two separate hostnames, then configure whatever clients you prefer to access your Elk and ISY to fail over to the second hostname.
jason.russo.96 Posted November 14, 2017 I did update the firmware in the LB2120. It allowed it to work in bridge mode, so I wasn't getting the Dual NAT error in the ASUS router. Is that Protectli device just a router? What are you using for an LTE device? I think that if I could just get the router to update the DDNS more frequently then everything would work correctly. Is that an incorrect assumption?
elvisimprsntr Posted November 14, 2017 The protectli.com device is just a firewall/router. I run lightweight LEDE on my old WiFi routers to be simple APs. I have the LB1120 and an ATT IoT SIM plan. Adding a different/another router to update DynDNS more frequently only works if you have a means to force which path you want updated. The advantage of pfSense is that you can have multiple instances and specify which WAN path to update each unique hostname.
Scottmichaelj (Author) Posted November 14, 2017 Couldn't he have a rule set up for each WAN (or gateway) to be on a different DynDNS address with pfSense? Then if one is down he could go through the LTE address? Then there is no delay? For example, WAN Comcast DynDNS could be home.com and WAN LTE DynDNS home2.com? Then using either one he could connect in? IIRC a DynDNS account allows multiple DDNS entries. However, as I see it now in pfSense, when the WAN goes down it will then send an update to DynDNS; there is no timer. So the change should happen faster than his ASUS setup.
elvisimprsntr Posted November 14, 2017 That's what I have, two separate hostnames (e.g. primary.mydomain.com and secondary.mydomain.com). My failover WAN is limited to security devices only (cameras, ISY, Elk, etc.) since there are data caps and/or it has limited BW.
Scottmichaelj (Author) Posted November 15, 2017 Ah yes, your point #3! I need to learn to read, lol. Have you done anything with Snort, pfBlocker or Squid? I am trying to figure out how to load sites/ASNs as an alias, then route traffic based on a whitelist outside my VPN.
jason.russo.96 Posted November 15, 2017 These are screenshots of the wired connection on Comcast. It has a standard 76.19 IP address. Everything works fine. I can access everything without issue. The second set of screenshots are when the modem (LB2120 in bridge mode, inline between the cable modem and router) is on LTE. The router picks up the LTE IP address, but the DDNS returns a dual NAT error. Furthermore, when I do a speed test, it shows another IP address. I don't know where this one comes from. Needless to say, I can't access my cameras, ISY, etc. I do have internet for everything in the house. Am I going about this all wrong? I can also turn on the dual WAN if needed, but the Netgear doesn't seem to like that mode unless you set it for LTE only. I'm afraid that if it is set up that way it is always going to be connected to LTE and use up a lot of data. I'd prefer not to have to buy expensive hardware and pay high subscription fees. If that is the only way, I may abandon this plan. Is there a better DDNS service that I can use? Scottmichaelj and elvisimprsntr recommended 2 DDNS, but how would I use that? Maybe I don't fully grasp the concept of DDNS. I thought that DDNS monitors the public IP and redirects the traffic to the correct IP if it changes. If I have 2 DDNS, how would I know which one to go to? For example, if I am at work and the network goes down, I would need to access DDNS 2; how would I know that? Attachments: Comcast Network.pdf, LTE Network.pdf
jason.russo.96 Posted November 15, 2017 "No, I never got it working in bridge mode. pfSense got an IP, but it was a 10. address anyway, so inbound port forwards are not going to work anyway... I'm leaving mine in router mode, and double NATing." Can you explain this? Why won't a 10. work?
MWareman Posted November 15, 2017 10. addresses are RFC1918. You cannot connect to them from other Internet devices. Failover WAN is really only an outbound solution. ISY should be able to continue talking to the ISY Portal (for instance). 99% of the time you will not be able to connect to services you host (like cameras) when on LTE. The inbound communications are typically not available on LTE.
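One way to reason about this, as an added Python example that is not code from the thread: it applies the RFC1918 check MWareman describes to each WAN, and, assuming one DDNS hostname per WAN as elvisimprsntr and Scottmichaelj set up, works out which hostname a remote client should use and whether inbound port forwards can work at all on the active path. The WAN list and addresses are constructed sample data.

```python
import ipaddress

# RFC 1918 ranges. A WAN address inside one of these means the carrier is
# NATing the link, so nothing on the Internet can open a connection to it.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def inbound_reachable(wan_ip):
    """True only when the WAN holds a public IPv4 address, i.e. a port
    forward on that WAN can actually be reached from outside."""
    addr = ipaddress.ip_address(wan_ip)
    return addr.version == 4 and not any(addr in net for net in RFC1918)

def plan_access(wans):
    """wans: WANs in failover-tier order, each {name, hostname, ip, up},
    with one DDNS hostname per WAN as described in the thread.
    Returns (hostname_to_use_or_None, reason)."""
    for wan in wans:
        if not wan["up"]:
            continue
        if inbound_reachable(wan["ip"]):
            return wan["hostname"], f"{wan['name']} is up with public address {wan['ip']}"
        return None, (f"{wan['name']} is up but has private address {wan['ip']}; "
                      "only outbound traffic (ISY Portal, alarm reporting) will work")
    return None, "no WAN is up"

# Constructed sample: a cable WAN with a public (documentation-range) address
# and an LTE WAN that was handed a 10.x address, as in the thread.
SAMPLE_WANS = [
    {"name": "WAN_CABLE", "hostname": "primary.example.net",
     "ip": "203.0.113.10", "up": True},
    {"name": "WAN_LTE", "hostname": "secondary.example.net",
     "ip": "10.45.7.22", "up": True},
]

def with_wan_down(wans, name):
    """Copy of wans with the named WAN marked down (simulated outage)."""
    return [dict(w, up=(w["up"] and w["name"] != name)) for w in wans]

if __name__ == "__main__":
    print(plan_access(SAMPLE_WANS))
    print(plan_access(with_wan_down(SAMPLE_WANS, "WAN_CABLE")))
```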
jason.russo.96 Posted November 15, 2017 That's unfortunate. Isn't that what everyone is doing here?
MWareman Posted November 15, 2017 Not I. I use the backup to ensure my ISY can still talk to the ISY Portal, and my Elk can still talk to Alarm Relay (and a couple of other similar applications). If I need to control things, I use the portal. I do have an emergency workaround: a cloud-based VPS that I have an Ubuntu host on my LAN connect to. If necessary I can SSH tunnel thru this. It's hideous to set up though. If you need redundant inbound, LTE is not the correct technology in all likelihood. You'll need two separate conventional ISP circuits. If your LTE carrier is allowing a static IP that *might* work (if they allow inbound connections; make sure to tell them you are running a server).
jason.russo.96 Posted November 15, 2017 I'll have to try some things when I get home. So I guess I will still get notifications from the ISY (outbound data) and the ELK can send notifications to Central Station (I need to change it to network monitoring). As far as the portal goes, will I be able to see the admin module through an LTE connection? I did set it up at one point but I never paid for the service because I didn't see the need at the time. If I can, this will solve most of my needs. I can see my Elk status through the ISY console and get alerts if something happens. Also, my aquarium status is cloud-based, so that is also outgoing data. The cameras are a different story. I'll have to see if Blue Iris offers a cloud-based system.
MWareman Posted November 15, 2017 If you have the ISY Portal, you can indeed connect the admin console thru it back to your ISY without needing the inbound port forward.
jason.russo.96 Posted November 15, 2017 This is very helpful, thank you.
Scottmichaelj (Author) Posted November 15, 2017 Jason, pfSense is free for personal use. If you have an old PC you can buy a four-port networking card and use it as a router. The software is easy to install. Learning the rest is a bit harder. Once you get the basic concepts and rules in place you can copy them. The only subscription would be the DynDNS. You may even be able to find a free DDNS service, and with pfSense you may not need a second DDNS since the failover change happens quickly once the gateway goes down.
MWareman Posted November 15, 2017 For free DDNS, I use dns.he.net and my own custom domain. Works flawlessly with pfSense...
jason.russo.96 Posted November 16, 2017 So I installed the ISY Portal tonight and hooked up the LB2120 (I'm using an Xfinity Mobile SIM; it shows up as Verizon). I unplugged the WAN and I could still control my ISY through cellular!! I can arm and disarm my ELK through the admin console (I'm not getting Pushover notifications, but I think I just need to change some timing settings. I have the timeout set at 2000ms). I also realized I could remote into my desktop with Splashtop and see my Blue Iris. I think I can live with this setup as long as I can get the notifications working. You said that the ELK can communicate to central station through the LTE? I have to check that out next.