
Author Topic: Unofficial QOTOM Hardware Topic  (Read 23182 times)


Offline chudak

Re: Unofficial QOTOM Hardware Topic
« Reply #15 on: June 21, 2017, 05:39:27 pm »
Did anybody try running PIA VPN (https://www.privateinternetaccess.com/) on those boxes?

So far my download speed performance was 20x slower.

I've been using the i5 version with 4GB ram and 32GB SSD for a little over two weeks. I've set it up as follows with my symmetrical 1Gbps fibre to premise connection:

  • Open VPN (4x) servers to access my LAN from various devices using a Synology as a backend Radius authentication server
  • Open VPN client to PIA, using 4x connections clustered as Tier 1 in a single gateway group. This is the only way I've found to max out transfer speeds to PIA


Wow your setup sounds sophisticated and cool!

I have a box like yours but with 8GB RAM. I guess I am not experienced enough to do reasonable troubleshooting of why my PIA is not performing. I did report this to PIA and BTW they are buying the same box to test themselves. So it will benefit us I hope. If I don't use the PIA VPN client on my router, my full speed is ~940/850 Mbps, and with PIA my speed drops more than 70%.

Would you mind sharing screenshots of your PIA VPN client configuration? Also, how did you set up the Cryptographic Hardware options?

Thx

Offline huyrune

Re: Unofficial QOTOM Hardware Topic
« Reply #16 on: June 22, 2017, 12:27:57 pm »
I purchased a Qotom Q355G4 (i5 version) and just received it yesterday.  I'm pretty impressed with the build for the price.

Has anyone virtualized pfSense on one of these things? My rationale for using a VM for pfSense on this box is so that I can set up another VM for Guacamole (HTML5 RDP).

Also, being new to pfSense, coming from Fortigates, I need a way to connect using clientless VPN. This was accomplished on Fortigates using Java-based native RDP. Is there any way to connect via RDP or VNC using pfSense without a VPN client?

Offline johnkeates

Re: Unofficial QOTOM Hardware Topic
« Reply #17 on: June 22, 2017, 12:35:28 pm »
Also, being new to pfSense, coming from Fortigates, I need a way to connect using clientless VPN. This was accomplished on Fortigates using Java-based native RDP. Is there any way to connect via RDP or VNC using pfSense without a VPN client?

Clientless VPN doesn't exist; as much as the PR and marketing teams would like you to believe that it does, it's not the case. Also, in the example, Java is the client ;-)
I think what you need is some sort of use case, and maybe we can figure out a method that works for you.

Offline ekoo

Re: Unofficial QOTOM Hardware Topic
« Reply #18 on: June 22, 2017, 05:03:45 pm »
That's why my thread was deleted... no biggie... I'll repost here.

I bought the Qotom Q190P-S08, 8GB RAM, no wifi, no SSD for USD$163 + $32 shipped via DHL from Hong Kong to Washington, USA (but using it in Vancouver, Canada)... arrived in 3 days.

Internet: Telus Fibre 150mb/150mb

My previous (and first) pfSense experience was on another industrial PC, an Atom N270 with 2GB of RAM. This quickly maxed itself out with the 150/150.

My PF setup consists of:
Traffic shaper as per some thread on this forum (forgot where)
Snort as per this thread (https://forum.pfsense.org/index.php?topic=61018.0) in IDS, not blocking
Squid with ClamAV
LightSquid
ntopng
OpenVPN "Roadwarrior"
a few other packages for logging usage, darkstats, traffic totals, bandwidthD, etc etc.

See attached below.
I was able to max out the downstream, but CPU usage was not much.

The box is small, see picture, Apple 1A charger for comparison

My network consists of:
- Unifi UAP-AC-LR
- Unifi US-8-PoE
- Provider's Fibre box
all on a UPS. So if the power goes out, I still have internet for a little while.
Devices on the network: 7 wireless devices (tablets, phones, laptops, smart watches), 3 wired devices (desktop, seedbox/Plex, VOIP)
If I have a family party, or family visiting from overseas: 40+ wireless devices

With a setup like this, I think it rivals any consumer router, including the "latest and greatest" Nighthawk... more potential, cheaper in price too!
Moving from a consumer router/AP system (TP-Link Archer C8, and the older Linksys WRT54GL) to pfSense was the best thing I've ever done.
I've made the WRT last much longer (10 years longer) than its actual useful life with Tomato. With this box and pfSense, I think it will last another 10 years before I'd move on to something else.
« Last Edit: June 22, 2017, 05:28:37 pm by ekoo »

Offline johnkeates

Re: Unofficial QOTOM Hardware Topic
« Reply #19 on: June 22, 2017, 06:37:26 pm »
Thank you for reposting!

Offline huyrune

Re: Unofficial QOTOM Hardware Topic
« Reply #20 on: June 22, 2017, 10:21:01 pm »
Clientless VPN doesn't exist; as much as the PR and marketing teams would like you to believe that it does, it's not the case. Also, in the example, Java is the client ;-)
I think what you need is some sort of use case, and maybe we can figure out a method that works for you.

Well, agreed.  The client is indeed Java, but on locked down workstations, Java is mostly available (although that seems to be changing as well).  Sophos and newest Fortigate OS have HTML5 RDP clients, that seem to be a fork of Guacamole, and they are indeed truly clientless.

For me, my use case is work and various client environments when I'm forced to use their workstations and the only ports open are 443 and 80 and we can't install anything on their workstation. I might likely be able to get a VPN client like OpenVPN installed, but it's a lot of hassle to make happen.

Any ideas?

Offline chudak

Re: Unofficial QOTOM Hardware Topic
« Reply #21 on: June 22, 2017, 10:36:08 pm »
How do you set up "using 4x connections clustered as Tier 1 in a single gateway group"?

Offline fnkngrv

Re: Unofficial QOTOM Hardware Topic
« Reply #22 on: June 23, 2017, 02:00:08 am »
I am glad that I found this! 

I actually purchased the 2017 Quad core J1900 Micro PC Intel NUC 4 LAN Q190G4U Barebone Fanless from them directly via eBay. I had conversed with them back and forth and they had told me that I would be all set using pfSense and OpenVPN; however, now I know that it isn't all that great an idea. A friend pointed me to this model because he uses it, but he doesn't use a VPN service like I plan to. Luckily I got into a debate with them about the description for SSD. They had SSD in the description, but they didn't actually say that the box uses mSATA. I already had an 8GB stick of RAM lying around from a laptop that I turned in from work, plus a 120GB SATA SSD lying around, so I thought that I would be set. I say all this because I reached out this evening as I am going through videos on YouTube and got to the point to discuss AES-NI, with the "Ah-HA" moment to verify to be sure, as even though they told me I would be set I wanted to be doubly sure before I get too heavy into revamping my network. That is the long version to get to the fact that they are not giving me a tough time to do a return for full refund even though I bought it on May 1st.

I am now looking at the QOTOM-Q330G4 instead as a replacement, unless someone can suggest a better alternative that doesn't use much wattage (this one is 15W), doesn't cost over $250, has a small footprint, and is fanless?

Usage: I plan on running very few modules on it for the most part. This is a home router that will be linked internally to an Ubiquiti Unifi AP AC Pro for wireless clients, a 48 port PoE switch, a couple of Cisco 8841s and a Cisco C881-K9 for work clients and Cisco dCloud, and using OpenVPN with a VPN service. I may also fire up my SFTP server again for friends or colleagues to remotely connect on occasion.

Here is a link to the one that I am eyeballing:

https://r.ebay.com/2OQgIN

« Last Edit: June 23, 2017, 10:00:59 am by fnkngrv »

Offline jgiannakas

Re: Unofficial QOTOM Hardware Topic
« Reply #23 on: June 23, 2017, 04:38:19 am »
How do you set up "using 4x connections clustered as Tier 1 in a single gateway group"?

The screenshots below should help you out.

Offline johnkeates

Re: Unofficial QOTOM Hardware Topic
« Reply #24 on: June 23, 2017, 05:49:33 am »
Clientless VPN doesn't exist; as much as the PR and marketing teams would like you to believe that it does, it's not the case. Also, in the example, Java is the client ;-)
I think what you need is some sort of use case, and maybe we can figure out a method that works for you.

Well, agreed.  The client is indeed Java, but on locked down workstations, Java is mostly available (although that seems to be changing as well).  Sophos and newest Fortigate OS have HTML5 RDP clients, that seem to be a fork of Guacamole, and they are indeed truly clientless.

For me, my use case is work and various client environments when I'm forced to use their workstations and the only ports open are 443 and 80 and we can't install anything on their workstation. I might likely be able to get a VPN client like OpenVPN installed, but it's a lot of hassle to make happen.

Any ideas?

Well, I don't think there is much of a 'VPN' case here. What you probably need is a plain Guacamole server and an HTTPS entry point. That's about the best you can get, I'm afraid. Some operating systems have built-in IPsec clients you could use, but those sometimes require administrator access to set them up. It would be 'clientless' as you don't need to 'add' a client because it's already there.

Offline chudak

Re: Unofficial QOTOM Hardware Topic
« Reply #25 on: June 23, 2017, 09:56:34 am »
How do you set up "using 4x connections clustered as Tier 1 in a single gateway group"?

The screenshots below should help you out.

Wow this will keep me busy !!!


Offline fnkngrv

Re: Unofficial QOTOM Hardware Topic
« Reply #26 on: June 23, 2017, 12:33:34 pm »
Well, I didn't want to miss out on the good pricing of the Q330G4, so I went ahead and ordered it. I will report back my findings and answer any questions after getting it installed. It is shipping from Hong Kong, so it says estimated delivery around the 29th-3rd.

Offline chudak

Re: Unofficial QOTOM Hardware Topic
« Reply #27 on: June 23, 2017, 02:28:32 pm »
How do you set up "using 4x connections clustered as Tier 1 in a single gateway group"?

The screenshots below should help you out.

@jgiannakas just wondering, so the idea is that one VPN client won't use all the pfSense box's resources? Also, when 4 VPN clients connect, won't they open 4 sessions with 4 IPs? Confused :(

PS: is #4 missing?

Offline jgiannakas

Re: Unofficial QOTOM Hardware Topic
« Reply #28 on: June 24, 2017, 06:32:39 am »
How do you set up "using 4x connections clustered as Tier 1 in a single gateway group"?

The screenshots below should help you out.

@jgiannakas just wondering, so the idea is that one VPN client won't use all the pfSense box's resources? Also, when 4 VPN clients connect, won't they open 4 sessions with 4 IPs? Confused :(

PS: is #4 missing?

Yes, the reason for the 4x connections to PIA is that each one individually can hit about 100-150 Mbps maximum due to limitations by PIA. This results in about 20% or so CPU usage on that CPU. By clustering 4 of them you can use more of the system resources to hit a higher throughput. They will open 4 connections with 4 IP addresses. The pfSense box will load balance the connection demand across all 4 of the gateways. Things to note:
 - 1 connection always goes through 1 gateway. For example, if you are downloading a single file from a web browser, that is 1 connection (usually, unless you are using a download accelerator). This will mean that that single file will be limited to about 100-150 Mbps download speed as it's routed through one of the four gateways.
 - Web browsing uses all four of the gateways. The reason for that is that the web browser will open multiple connections to download a webpage. For example, in a simplified manner, it will open one for the HTML, one for each CSS file, one per image, etc. So browsing benefits from having multiple gateways almost proportionally to their total number.
 - Torrent downloading by default opens hundreds/thousands of connections. Hence it will by default max out all of the gateways.
 - Speedtest.net usually uses up to 3 or 4 connections when benchmarking. Hence it will (in most cases) max out all of your gateways in the group.

You can observe the above by graphing the OpenVPN gateways on the router homepage (click the (+) button and add the graphs). You will see the bandwidth climb per gateway as you load them up.

Regarding screenshot number 4, it was a typo on my side, just labeled number 4 as 5 :) Hope this helps you. For more info you can read up here: 
https://forum.pfsense.org/index.php?topic=76015.0
https://forum.pfsense.org/index.php?topic=115992.15
https://forum.pfsense.org/index.php?topic=125374.0 (post by pfbasic)

The attached are showing the benchmarks I've been hitting with and without routing the traffic through PIA over Wi-Fi AC. You will see that the box can hit about 700 Mbps over my Wi-Fi AC connection direct to the internet (it's closer to 800-850 Mbps over a cabled connection) and about 500 Mbps over PIA with a Wi-Fi AC connection to my access point. CPU usage is about 80% when routing over the PIA gateway group and about 30% when routing directly through the WAN. Latency is broadly the same at 3ms.

My ISP is Hyperoptic which is delivering Fiber to premise (block of flats) and routed CAT6 cables to each apartment.
« Last Edit: June 24, 2017, 06:54:09 am by jgiannakas »
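A small model of the per-connection load balancing described in the reply above, added here as an example; it is not code from the thread or from pfSense itself. The gateway names, the 150 Mbps per-tunnel ceiling and the LAN client address are assumptions taken from the figures quoted in the post, and the sticky-address case is included as the caveat a practitioner would want: pinning one host to one tunnel gives back the single-gateway limit.

```python
from collections import defaultdict
from itertools import cycle

GATEWAYS = ["PIA_VPN1", "PIA_VPN2", "PIA_VPN3", "PIA_VPN4"]  # assumed gateway names
PER_GATEWAY_MBPS = 150.0  # assumed per-tunnel ceiling (the 100-150 Mbps quoted above)

class GatewayGroup:
    """Round-robin assignment of new pf states to the Tier 1 gateways.

    sticky=True models pf's 'sticky-address' option (pfSense's "Use sticky
    connections"): every state from one source IP is pinned to the gateway
    that source's first state was given.
    """
    def __init__(self, gateways, sticky=False):
        self._rr = cycle(gateways)
        self.sticky = sticky
        self._pinned = {}                # src_ip -> gateway (sticky only)
        self.states = defaultdict(int)   # gateway -> open connections

    def new_state(self, src_ip):
        """Open one connection (one pf state) and return the gateway it uses."""
        if self.sticky and src_ip in self._pinned:
            gw = self._pinned[src_ip]
        else:
            gw = next(self._rr)
            if self.sticky:
                self._pinned[src_ip] = gw
        self.states[gw] += 1
        return gw

def aggregate_mbps(group):
    """Every gateway carrying at least one state can push its full ceiling."""
    return sum(PER_GATEWAY_MBPS for n in group.states.values() if n > 0)

def simulate(n_connections, src_ip="192.168.1.10", sticky=False):
    """One LAN host (constructed address) opens n_connections through the group.
    Returns (aggregate Mbps available to that host, gateways actually in use)."""
    group = GatewayGroup(GATEWAYS, sticky=sticky)
    for _ in range(n_connections):
        group.new_state(src_ip)
    used = sum(1 for n in group.states.values() if n > 0)
    return aggregate_mbps(group), used

if __name__ == "__main__":
    for label, n in [("single file", 1), ("speedtest", 4), ("torrent", 200)]:
        print(f"{label:12s} {n:4d} conns -> {simulate(n)[0]:.0f} Mbps")
    # caveat: sticky connections pin one host to one tunnel and undo the spread
    print(f"torrent, sticky: {simulate(200, sticky=True)[0]:.0f} Mbps")
```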

Offline chudak

Re: Unofficial QOTOM Hardware Topic
« Reply #29 on: June 24, 2017, 09:57:21 am »
@jgiannakas thank you, your explanations are very useful, and it's the first time I've seen something re: PIA that makes lots of sense!