Hardware for firewall/DNS/proxy recommendation

Greetings all,

I have some ports on the current firewall failing, so it will need to be replaced. Since the PC Engines hardware will no longer be available, what would be a good, reasonably priced, x86 hardware for running FreeBSD as a replacement?

As there will not be any X11, the video performance is immaterial.

Kindest regards,

M
 
 
Hi rootbert,

thank you for the link. Can you share what hardware you acquired?

Kindest regards,

M
 
Hi,

You may try to build for yourself any system with a processor under 30W TDP (Ryzen or an Intel) and 1GbE in dual or quad port configurations from Intel.
 
Hi zsolt,

you are, of course, correct, and the link provided by rootbert actually has some suggestions. However, finding a ready-made unit would be preferable.

I have been wondering if RPi4 with 8GB RAM and SSD, which I already have, connected to a smart switch would be a (temporary) adequate solution.

Kindest regards,

M
 
I run firewalls on a couple of Raspberry Pis (a 3B and a 4). But I use Debian and iptables, not FreeBSD.

They are quite satisfactory (and don't sweat with only 4 GB memory). However you have to match their Ethernet adapter throughput with your Internet service.

What's the rated speed of your Internet connection?
 
Hi gpw928,

thank you for the encouragement. The download speed is 34-44 Mbps, the upload speed is 18-20 Mbps depending on the speed tester used.

Bummer that you do not use FreeBSD, I would have asked you about the USB3-to-Ethernet adapter. I know that I could use the smart switch, but it does limit the speed.

Kindest regards,

M
 
I have benchmarked both AX88179 and AX88179A USB3 adapters on amd64 FreeBSD systems. They both run at near gigabit wire speed (935 Mbits/sec) so long as your host USB port is rated for USB 3.1/3.2 Gen 2. However the AX88179 chipset suffered from the driver doing occasional resets. The AX88179A chipset adapter is in daily use, and is rock solid.

I have not benchmarked the USB network adapters on my Pi4 (my Internet connection is not fast enough to worry about). I know that the Pi4 USB 3.0 ports are rated for 4.8 Gbit/s. That should not be an issue given your upload/download speeds.

My last USB3 network adapter purchase from Amazon had the AX88179A chipset, though the description does not suggest that. At US$14.99 it's not a big risk.

[These observations for the Pi4. The Pi3B has bandwidth limitations that prevents it achieving gigabit speeds on both the Ethernet and USB ports.]
 
I've been using a Beelink EQ12 for the past year. Intel N100, 16GB RAM, 500GB M.2, and dual Intel 2.5Gb NICs, WiFi 6, triple displays, it's $279 - a $50 coupon right now on Amazon. A real beast for the price and FreeBSD runs great on it. There are some lower cost configurations I think.

I've been using it as a firewall (IPFW), dhcp and DNS server booting from ZFS.
 
Hi gpw928,

thank you for the network adapter recommendation, I will get it next time I order from Amazon.

In the meanwhile I have side-stepped the issue by finding an older EOL router that had more than the recommended resources for running a supported build of OpenWRT, so I re-flashed it.

Kindest regards,

M
 
Greetings all,

well my OpenWRT adventure was short lived, it seems that trying to change the configuration resulted in inability to log into the router.

Kindest regards,

M
 
Hi VladiBG,

thank you for your reply,

I have not (yet) considered purposely built appliances because (i) I currently have some and when the vendor decides to obsolete them, there is nothing that can be done, (ii) they have built-in hardware limitations, e.g., I have learnt that the reason the OpenWRT crashes/locks is due to limited RAM in my router, (iii) as I am lazy I would prefer a familiar OS, and not to learn a new one.

Hence the FreeBSD solution, either built by myself, I used to have such a set-up on my laptop until it irresponsibly died, or even installing a pre-built one, e.g., OPNsense would be preferable. Furthermore, such hardware may be upgraded.

Kindest regards,

M
 
I have not yet settled on a new device for my clients, however, where I use just the firewall functionality I used opnsense hardware (no ECC ram) - quite satisfied so far except for wifi of course.
 
PRIME B660M-A D4
Intel(R) Core(TM) i3-13100
Intel 82574L gigabit
Intel I219-V gigabit
(one of them is onboard but I forgot which is which)

Anyway, able to push 900-950 Mbit/s up and down on a gigabit fibre connection.
 
[...]I would prefer a familiar OS

[...] e.g., OPNsense [...]
OPNsense is not FreeBSD; it's a horrible abomination. If you are familiar with FreeBSD, the GUI is massively inconvenient, tedious and cumbersome as well as restrictive and unintuitive. If you want something that would be "quick and easy" on normal FreeBSD but not intended by the GUI, you are at a dead end, or if you decide to just configure it "the correct way", the GUI abstraction layers will constantly blow up your configurations.

I've given up on those GUI-centric abominations, they are a huge waste of time if you are already familiar with "doing it the right way". Stay with a real and fully usable FreeBSD, or in case of a pure router/firewall installation have a look at OpenBSD (I still find their routing domains far superior to just FIBs).

Regarding that hardware: Are you talking about a small home network or some full-blown enterprise network where you have to push a lot of packets? Single-stream bandwidth is never the problem, but the number of actual packets and states is.

For small(ish) home networks I'd just go for some of those x86_64 based multi-port mini-PCs from AliExpress (Topton et al). They work reasonably well, come with absolute boilerplate hardware (e.g. Intel NICs) and nothing exotic, so they 'just work'™ out of the box. They usually also have an mPCIe or additional M.2 socket and a SIM slot for WWAN, so you can have a backup link.
I'm running 6 of those topton Celeron 5105 based 4-port systems with OpenBSD as home/soho routers and VPN boxes. Haven't had any issues with them yet with the oldest ones now running almost 3 years for 24/7 (bought 2 of them when the 5105 was brand-spanking-new). At ~15W they can even be powered by a PoE-splitter.


Given the price of those Raspberry toys nowadays, IMHO it's a no-brainer to just go for such x86 based systems (or used small servers if power consumption isn't an issue). In the beginning they were nice for some tinkering at a low budget, but nowadays they are mostly overpriced gadgets. The cheap, tiny ones still are quite useful (at a reasonable price), but those are far from capable to be used as a proper router.
 
Hi rootbert,

thank you for your reply.

Hi SirDice,

thank you for the recommendation.

Hi sko,

OPNsense is not FreeBSD; it's a horrible abomination. If you are familiar with FreeBSD, the GUI is massively inconvenient, tedious and cumbersome as well as restrictive and unintuitive. If you want something that would be "quick and easy" on normal FreeBSD but not intended by the GUI, you are at a dead end, or if you decide to just configure it "the correct way", the GUI abstraction layers will constantly blow up your configurations.
That is really surprising. I have been experimenting with OpenWRT, mainly because I have a supported router and to understand the concepts, and it is very flexible in that one can completely sidestep the GUI and do everything via CLI. Surprisingly, reading the forum, that is what most people are doing.

So thank you for letting me know. Before my Laptop irresponsibly died, I had a pf firewall, an unbound, and a proxy running on it, in fact the unbound was serving my entire network, but since I am not an expert, I was worried that I had overlooked something - hence looking on the presumably semi-professional solutions.

Are you talking about a small home network or some full-blown enterprise network where you have to push a lot of packets?
Small home, office network, so thank you for the hardware recommendation.

In the interest of full disclosure, my lessee recently called me about some issues with the apartment, and I discovered that his computer/EE specialization is security networking engineer. He offered to review my requirements and provide me with a proposed structure and required hardware to implement it. So, I sent him everything today and will await his response.

Kindest regards,

M
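As an added example (not posted by anyone in this thread), the following is a minimal /etc/pf.conf for the kind of FreeBSD home router described above: pf doing NAT with a default-deny policy, and DNS for the LAN answered only by the local unbound. The interface names igb0/igb1, the 192.168.1.0/24 LAN range, and the assumption that unbound listens on the LAN interface are illustrative choices, not details from the thread.

```pf
# Added example: small home router on FreeBSD with pf + local unbound.
# Interface names and the LAN range below are assumptions.
ext_if  = "igb0"
int_if  = "igb1"
lan_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop

scrub in all

# NAT everything from the LAN out the WAN interface.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny; log what is dropped on the WAN side so it shows up in pflog0.
block all
block in log on $ext_if

# Drop packets with source addresses that cannot legitimately arrive on each interface.
antispoof quick for { $ext_if $int_if }

# LAN clients may talk to this box for DNS (unbound on port 53) and DHCP.
pass in on $int_if inet proto { tcp udp } from $lan_net to ($int_if) port 53
pass in on $int_if inet proto udp from any port 68 to any port 67

# LAN clients may reach the Internet ...
pass in on $int_if inet from $lan_net to any
# ... except that DNS to anything other than the local resolver is refused,
# so clients cannot bypass unbound (last matching rule wins in pf).
block in on $int_if inet proto { tcp udp } from $lan_net to ! ($int_if) port 53

# The router itself (including unbound's upstream queries) may originate traffic.
pass out all keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `-n` flag parses without applying, which avoids locking yourself out of a remote box with a typo in a block rule.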
 