Network Switch

yeldarb12@r.nf to Selfhosted@lemmy.world – 49 points –

I'm looking at getting a 10 gigabit network switch. I only have 3 devices that could use that speed right now but I do plan on upgrading things over time.

Any recommendations?

57

The comments here saying to not bother with 10gbe is surprising considering it's the selfhosted community, not a random home networking self help. Dismissing a reasonable request form someone who is building a homelab is not a good way to grow niche communities like this one on the fediverse.

10gbe has come down in price a lot recently but is still more expensive than 1gb of course.

Ideas for switches: https://www.servethehome.com/the-ultimate-cheap-10gbe-switch-buyers-guide-netgear-ubiquiti-qnap-mikrotik-qct/

https://www.servethehome.com/nicgiga-s25-0501-m-managed-switch-review-5-port-2-5gbe-and-sfp-realtek/

For a router: https://www.servethehome.com/everything-homelab-node-goes-1u-rackmount-qotom-intel-review/

Personally going 10G on my networking stuff has significantly improved my experience with self-hosting, especially when it comes to file transfers. 1G can just be extremely slow when you're dealing with large amounts of data so I also don't really understand why people recommend against 10G here of all places.

I think it has to do with data differences between self hosters and data hoarders.

Example: a self hosted with an RPI home assistant setup and a N100 server with some paperwork, photos, nextcloud, and a small jellyfin library.

A few terabytes of storage and their goal is to replace services they paid for in an efficient manner. Large data transfers will happen extremely rarely and it would be limited in size, likely for backing up some important documents or family photos. Maybe they have a few hundred Mbit internet max.

Vs

A data hoarder with 500TB of raid array storage that indexes all media possible, has every retail game sold for multiple consoles, has taken 10k RAW photos, has multiple daily and weekly backups to different VPS storages, hosts a public website, has >gigabit internet, and is seeding 500 torrents at a given time.

I would venture to guess that option 1 is the vast majority of cases in selfhosting, and 10Gb networking is much more expensive for limited benefit for them.

Now on a data hoarding community, option 2 would be a reasonable assumption and could benefit greatly from 10Gb.

Also 10Gb is great for companies, which are less likely to be posting on a self hosted community.

I somewhat disagree that you have to be a data hoarder for 10G to be worth it. For example I've got a headless steam client on my server that has my larger games installed (all in all ~2TB so not in data hoarder territories) which allows me to install and update those games at ~8 Gbit/s. Which in turn allows me to run a leaner Desktop PC since I can just uninstall the larger games as soon as I don't play them daily anymore and saves me time when Steam inevitably fails to auto update a game on my Desktop before I want to play it.

Arguably a niche use case but it exists along side other such niche use cases. So if someone comes into this community and asks about how best to implement 10G networking I will assume they (at least think) have such a use case on their hands and want to improve that situation a bit.

And X-windows. There's a few server tasks that I just find easier with gui, and they feel kind of laggy over 1G. Not to mention an old Windows program running in WINE over Xwin. All kind of things you can do, internally, to eat up bandwidth.

I bought all the gear to do 10gbe but ultimately went back to 1gig simply because the power consumption. The switch alone used 20w at idle and each NIC burned 8w and I couldn't justify it.

Very reasonable. FWIW, sfp uses way less power than rj45 for 10gbe if that's an option.

This is what I was looking for! Thank you!

I'm partial to mikrotik gear, the CRS305 has 4 sfp+ ports for around $150.

Gonna disagree here. Microtik is a problematic company at best. They're super lax on security, and they've had a lot of issues with their products in general. They also offer no real warranty, but I assume that's because they aren't a dedicated networking company (they make other things).

Just last year the flags were raised on dated firmware that left something like a million devices vulnerable, and their response was lacking.

On the plus side: they are part of the EU, so data protection laws apply, and they do seem to be in the forefront on uptake of modern equipment and standards.

Can you elaborate on how their response was lacking? From what I found the stable branch had a patch for that vulnerability available for several months before the first report while the lts branch had one available a week before the first article (arguably a brief period to wait before releasing news about the vulnerability but not unheard of either).

MikroTik also offers a 2 year warranty since they legally have to, no idea what you're on about there. Also also not sure what you think they sell other than networking because for the life of me I can't find anything other than networking related stuff on their website.

Yeah I’ve worked at WISPs that were pushing TBs through their core routers every day. Those core routers? Mikrotiks. Every apartment buildings core routers and fiber aggregation switches? Mikrotiks. You had to get down to the access layer switches that fed the individual apartments to hit Cisco equipment.

This person is just repeating some shit they read somewhere, hoping it makes them sound knowledgeable. In another post they’re recommending trendnet shit. Get back to me when you can set up BGP peering on your trendnet lol.

https://fieldeffect.com/blog/mikrotik-devices-risk-super-admin-elevation-flaw

https://thehackernews.com/2023/07/critical-mikrotik-routeros.html?m=1

https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/

Wow you found three different articles, all about the same CVE, that the manufacture published a firmware patch for before any public disclosure was made. That’s definitely just as bad as pretending you don’t know about CVEs in your products lol.

Yeah they definitely could have been quicker with the patches but as long as the patches come out before the articles they are above average with how they handle CVE's, way too many companies out there just not giving a shit whatsoever.

the manufacture published a firmware patch for before any public disclosure was made

They were pretty quick for the stable branch, so I guess the miss is prioritizing it for LTS. But if it's just the one time, I'm completely fine with that.

So first of all I see no point in sharing multiple articles that contain the same copy-pasted info, one of those would have been enough. That aside, again, patches were made available before the vulnerability was published and things like MikroTik not pushing Updates being arguably more of a feature since automatic updates cause network downtime via a reboot and that would be somewhat problematic for networking equipment. Could they have handled that better? Yes, you can almost always handle vulnerabilities better but their handling of it was not so eggregious as to warrant completely avoiding them in the future.

Well because one is WAY WORSE than the other, and the response of commitment is way different. You're just plain wrong.

If I buy a switch and that thing decides to give me downtime in order to auto update I can tell you what lands on my blacklist. Auto-Updates absoultely increase security but there are certain use cases where they are more of a hindrance than a feature, want proof? Not even Cisco does Auto-Update by default (from what I've managed to find in this short time neither does TrendNet which you've been speaking well of). The device on its own deciding to just fuck off and pull down your network is not in any way a feature their customers would want. If you don't want the (slight) maintenance load that comes with an active switch do not get one, get a passive one instead.

My dude. You are not a serious person. I’m blocking you so I don’t waste my time with you in the future. Enjoy your life I guess.

You are a foolish person.

https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/

As far as warranty goes, Trendnet does Lifetime for their enterprise metal devices, which OP mentioned being interested in. Just looked at Microtik official warranty page, and it says to email support. Big difference.

https://www.rapid7.com/db/modules/exploit/linux/misc/cisco_ios_xe_rce/

We can go back and forth on RCEs literally all day. If your bar for using a product is “no RCEs”, get off the grid entirely my guy.

MikroTik is just as serious a network company as Cisco or Juniper, and vastly more serious from an enterprise networking point of view than trendnet.

Also where tf did OP mention anything about warranties?

Edit - https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4

Edit - https://www.archcloudlabs.com/projects/trendnet-731br/

Edit - lol holy shit look how customer focused trendnet is! They just plugged their ears and pretended an unauthenticated RCE in their product didn’t exist haha. https://arstechnica.com/information-technology/2015/04/no-patch-for-remote-code-execution-bug-in-d-link-and-trendnet-routers/

Edit - oof yikes look there’s more. https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulnerabilities-in-trendnet-tew-831dr-wifi-router-cve-2022-30325-cve-2022-30326-cve-2022-30327-cve-2022-30328-cve-2022-30329/

API went wonky

Wow. You do you, budday.

You seem REALLY on the Microtik brand for some reason. I presented one that didn't have those issues, you retorted with some stuff, I responded with valid issues. What's your problem?

You presented one that doesn’t have security vulnerabilities? Here’s yet another CVE out for trendnet: https://nvd.nist.gov/vuln/detail/CVE-2018-19239

Every. Single. Brand. Has. CVEs. I’ve used Mikrotik, I’ve used Cisco, I’ve used Juniper, I’ve used Ubiquiti. I have a trendnet Poe switch in my attic powering some cameras and an AP right now. I have no “problem” with any brand of anything.

I do have a problem with you implying that a company doesn’t take security seriously when they do. I start to think you’re intentionally lying when you lift up trendnet as the model, because they have quite an especially atrocious history of it.

Depending on your forecasted capacity needs, Ubiquity does have some attractive options depending on your comfort with managed vs unmanaged switches is. I am making some assumptions based on homelab tendencies. I have been very happy with the UniFi ecosystem personally, though I know it's not everyone's cup of tea. The Dream Machine Pro has been very good for me both operationally and reliability wise, and there are expansion options for 10Gb Ethernet or SFP+ switches that cover most (pro/prosumer) price ranges.

They are definitely not the best bang for buck necessarily, and I have not tried any MikroTik alternatives to directly compare so take my opinions with a big grain of salt. I work in a purely Cisco environment and am used to working almost exclusively in CLI, but I found the UniFi GUI and environment easy enough to pick up with a little effort. UniFi firewall is too permissive by default if you are using something like the Dream Machine as the front end, but as a Boundary non-expert it was not too difficult to configure satisfactorily. Wireless APs are pretty great too.

Do the devices have dual 10g ports each? You can build a triangle out of them.

That’s a big number. What’s the use case? Just cause?

I'm not op, but: I have 10gbit between by truenas server and my proxmox server. The use case is faster access to files from my proxmox server.

1gbit is actually quite slow when we talk disk speed.

I had exactly the same use case and I ended up with a 40G DAC fiber for that case. It ended up cheaper than converting the whole lan to 10G.

That said, it feels like used 10G equipment is easier to come by than 2.5G for now, and if you have 2G fiber uplink and only 1G past the router then it’s a waste.

Point of clarification: DAC is copper, AOC is fiber.

A lot of 10G equipment will support 5G/2.5G SFPs as well, so it can still be beneficial to go 10G on the core equipment.

Email does take some serious bandwidth

On a more serious note, people who have fast Internet should be running Tor relays. It would make the network much faster and secure.

Will you protect them from police raids and cover their legal costs for running a Tor node?

And it's quite likely they only have 10G locally, with way less bandwidth going to the outside.

There's different types of relay, including exit relays, which are the legally problematic type. Middle, guard, and bridge relays don't face the same issues with law enforcement and IP blocking.

You do face issues running a regular middle/guard relay. My IP is tainted from overzealous sysadmins looking up Tor related IPs and seeing mine because middle relays are public knowledge. I am banned from a lot of places for simply being a middle relay.

Thanks for the correction. It's a shame that sysadmins balcklist middle nodes too, since they won't see any TOR traffic originating from your IP address anyway.

Really? That's so odd, I thought as long as you're not running an exit node, you should be fine. TIL, I'll have to check my ISP's policies before setting one up then.

Your ISP doesn't give a fuck, it's not legal trouble. It's just overzealous sysadmins blocking anything that seems sus. I am permanently banned from most SoMe, for example, for having abnormal network activity but none of it is illegal.

Exit relays are totally fine from a legal perspective. They key is making sure the ISP and local police are aware so they don't come after you. ISPs have sent DMCA letters and such to operators when in reality they can't and shouldn't control the traffic coming out of Tor. The good news is that Tor has templates to respond.

Best practice is to let bigger organizations run exit relays so that there is the oversight from leadership.

Don't run a Tor node in places that have censorship laws or problems with freedom. In places such as the US and most of Europe it should be totally fine to run a node. What the network really needs is more middle nodes. You can inform your ISP and the local police of what you are doing just to be sure.

The only time you could get into trouble is when you are running a exit node. ISPs and police have mistakenly classified out nodes as local traffic. It is recommended that only organizations such as universities run Tor exit nodes. However, it is important to keep in mind that to my knowledge no one has ever been arrested for running a exit node in a western country.

However, it is important to keep in mind that to my knowledge no one has ever been arrested for running a exit node in a western country.

https://news.ycombinator.com/item?id=41505009

There links to other occurrences of arrest in the comments.

That's just for a exit node. I explicitly stated that one should only let larger organizations run a node.

Also, my original comment still stands about no one being arrested

What do you mean by not being arrested? I would say German police putting a black bag on your head and taking you to their station in the middle of the night is something one could consider an arrest.

Trendnet makes solid stuff. Good warranty, US based.

I tried a 5port 10g trendnet switch some time ago, had weird speed issues and package losses. No good experience at all :(

Have run hundreds of these and never had an issue. Never even had to do an RMA out of the box.

If you're seeing packet loss on switches, you may need to pay attention to what "port speed" and total "switch fabric" speeds are these days. You can have a 10 port 1Gb switch, but the total fabric only does 6Gb.

The loss did occur on simple ping commands, only on 2 out of 5 ports. The vendor confirmed the behavior to be faulty and took the switch back.

Maybe it was just a faulty model? However I do use multicast in my network (corosync) and a lot of 10G switches seem to have problems with that, maybe this was the case here, too.

The exact model is TRENDnet 5-Port 10G Switch, 5 x 10G RJ-45-Ports and there sure seem to be quite some people having issues as well...

Obligatory https://files.catbox.moe/6bwk52.gif

Honestly there isn't a lot of reason for 10G. Honestly 100M is probably fine for some people who are just browsing the web. The big think it latency as some of those old copper connections are very painful.

I would stick with 1G and be done with it

This is a community for people who have home servers. 100M is fine for a couple people just web browsing, but that's not the topic of this discussion.

I run 10G between my desktop and my server because I can easily saturate a 1G connection doing a simple file transfer.

Yeah, 100M is a no-go for me since my ISP provides much more than 100M, and streaming full-res videos would bottleneck that pretty quick.

1G is probably fine for us, but we'll probably go 2.5G minimum the next time I need to swap out switches, maybe 10G.