Current State/Suitability of the LX2160A/ClearFog CX LX2

Bottom line up front: How suitable is this combo for use in a homelab as a firewall, router, or converged appliance?

Background: I’m a data engineer by day and SBC/homelab enthusiast by night; my MACCHIATObin is still active in my rack. So I have some familiarity/experience working with Linux, Bash, Python, etc., but I’m very new to networking. I’m looking to replace my ISP’s router with my own device, taking this as a good opportunity to learn a bit more about networking hardware and software throughout this project. Additionally of note: while my service is multigig fiber, the only handoff from the ONT is RJ-45. In conjunction with this firewall/router device(s) project, I’m also upgrading my LAN to support 10G, potentially 40G trunk (my MikroTik CRS326-24S+2Q+RM switch has two QSFP+ ports).

The ClearFog CX LX2 is my top contender for the hardware, but before I commit I would like to have a better understanding of the benefits, and perhaps more importantly, the limitations of selecting this platform. After reviewing what I could find here and other places like Reddit, it seems the most recent discussion is at least several months old. I suspect there has probably been additional maturing/development since then. This brings me to my main question as well as:

  • How much of an ordeal would it be to get up and running with pfSense/OPNsense or OpenWrt?
    • Out-of-the-box/plug-and-play, do I need to dust off my C reference books and deep-dive into patching kernels, or somewhere in-between?
  • Are there special considerations I should be aware of in order to fully utilize the hardware? For instance, the only thing I really know about DPDK is that it is more complicated than “traditional” networking and the usual tools for observability/debugging/monitoring won’t work, however I do see doc.dpdk.org has general “Getting Started Guides” for both FreeBSD and Linux, and OpenWrt specifically.

This is a pretty involved topic without a simple answer. There are definitely no perfect install-and-run solutions to fully take advantage of all the networking capabilities of the LX2160A. Here are some of the main points you need to take into account.

  1. Anything based on the BSDs is not going to work. There is initial base support for the LX2160A’s network packet processor on FreeBSD, I believe, but it is not nearly as feature complete as the Linux stack.
  2. To fully utilize anything above 10Gbps you will need to use DPDK. While you can hit multiple 10Gbps flows using standard networking interfaces (much less with in-kernel packet rules like nftables), it is pretty inefficient due to context switching between kernel and userspace. In our testing with DPDK a single core can saturate the 25Gbps NIC using 1500 MTU packets.
  3. There are many levels to dig into with the hardware offloading features of the Network Packet Processor. For instance, there is the ability to load basic ACCEPT / DENY rules directly onto the NPP, and those packets won’t ever hit the CPU itself. This doesn’t include more advanced things like NAT, but is very useful for DDoS mitigation, etc.

With all that out of the way, there is some support for DPDK in OpenWrt through a couple of projects, and there is a possibility to use Vyatta’s DPDK layer for VyOS (the OSS fork) of their router. I have had this on my radar to test but don’t have anything I could share with you currently.

With all that being said, we can keep this forum thread open and I would be happy to collaborate / answer questions / post updates here on any of my testing. I am planning on moving one of my LX2160As as the core for my home dev network this summer and will probably be digging deep into this topic.

Cheers


Thanks for the detailed response, this gives me a good frame of reference to start on this project. I would definitely be interested to hear how your testing and dev network project progress.