pcengines replacement

yes, we are using them as firewalls, I can recommend protectli devices. However, for my use-case it did not meet the requirements of having ECC memory.
 
Tks guys.
I just ordered a Protectli on Ebay.
Another question.
Currently my Router is OpenBSD and working pretty well.
I am mostly a FreeBSD guy for most things, but have always had Open as my firewall and Router.
Any contrasting experiences on Free vs Open for this use case?
One easier than the other to get humming, one more performant, etc.

I like them both and am open to suggestions.
Thanks in advance, you've all been helpful.
 
I am mostly a FreeBSD guy for most things, but have always had Open as my firewall and Router.
Any contrasting experiences on Free vs Open for this use case?
One easier than the other to get humming, one more performant, etc.

I like them both and am open to suggestions.
Thanks in advance, you've all been helpful.
I do manage some stuff at various clients, and I have switched all firewalls from OpenBSD to FreeBSD. I do like OpenBSD; however, I prefer FreeBSD for various reasons. I do not want to hijack this thread on this. Switching to FreeBSD you will notice: some features are lacking in PF, but performance is much better (on hardware as well as VMs), of course the sane separation of OS and packages (/usr/local), and I personally prefer the FreeBSD release schedule. For some clients with unstable power supply it was a major relief that the FreeBSD-based firewall always boots, whereas we had many problems with OpenBSD (with different filesystem settings). Are there any not-so-mainstream (depends on the view of course) features like multipath routing or iked VPN you want to use? In that regard all my clients switched from iked to WireGuard - worked flawlessly.
 
FreeBSD pf being so incredibly out of date makes it too hard to use. "Ah, you can use pf this way... except you can't on FreeBSD" No rdr-to, no nat-to (hurrr, just rewrite the rules, so easy to learn two ways of doing stuff, especially when you're not going to use one of them 🤪), no match. They should just call it something else so the documentation searches are actually useful. And no, the included documentation is not enough due to terseness.

I would love to not use OpenBSD but the only people who care about pf (or firewalls in general on BSD?) work over there.
 
Besides blacklistd I really don't need anything beyond Book of pf Edition 2. Really. How much more can you glom on?

I love my FreeBSD pf firewall.

I just rehomed it yesterday as the hotswap power supply controller was making fans spin very loudly. It was old. X9 Supermicro Xeon way too much power. Never needed hotswap disk cages.

I was able to move one disk of my gmirror, rename HOSTID and added second drive to array for continued goodness. Using Innodisk 16GB SLC SSD from wayback.

Downsized from 3U rack case to Wesnea HTPC chassis with 40GB Chelsio adapter on new Jetway NF9G mobile IvyCreek ITX board. 3632QM. Dual SSD on former slim DVD mounting tray.
I did mount a fan right on my Chelsio card.

Back to a shelf sized firewall. A nearly silent one. I need a louder BEEPER. I like hearing my Startup/Shutdown beeper tune.
I had built this as a firewall backup but never finished it.

I can't believe how easy it was to re-home.
efibootmgr for the win. I had to add the geom_mirror to the new machine's EFI boot menu via efibootmgr. Then it boots off the mirror and not off an individual drive.
 
I would love to not use OpenBSD but the only people who care about pf (or firewalls in general on BSD?) work over there.
Really?
I see continuous changes / improvements to FreeBSD pf.
And they are being sponsored by Netgate.
But I only read git logs, so what do I know.
 
I see that you can search for this in the manpage. Maybe I'll give it another shot when 15 is actually released, but having to parse BNF and the Handbook abdicating responsibility by referring to a 2017 document is kind of... meh?

Checking in on this and having worked with pf, this (from the manual) is a hilarious understatement: "the types of statements should be grouped and appear in pf.conf in the order shown above"
 
I wanted to come back to the topic. I have found the Advantech NCA-1515 to be a suitable substitute for APU2/3/4 line.

Mine has C3758-8 core and 32GB ECC. It is an OEM version branded ZScaler ZT800. The only difference is no eMMC onboard.

For storage it offers one mSATA M.2 2242 slot. Nothing longer due to space constraints.

For cellular it offers one M.2 Slot with only USB Signaling. It also has Mini-PCIe slot with USB Signaling and PCIe.

For Wifi it offers one Mini-PCIe slot.

I do not need two cellular slots so I added an NVMe to the MiniPCIe slot for cellular. It offers 1X Lane of PCIe 3.0.

So I get 800MB/sec with NVMe drive in adapter. Better than SATA.

That leaves me with a Wifi card Mini-PCIe slot and cellular M.2 B-Key card slot.

With all these cores I am making it a mini-server. Bhyve VMs on NVMe. Poudriere builder on host.

I was wrong about it containing an ethernet switch. It offers four Intel ix copper interfaces and 2 igb copper and two igb fiber interfaces. All 1G interfaces.

I saw the MiniPCIe to M.2 NVMe adapter trick here:
Notice the nice SATADOM here.

I also used the M.2 adapter on Dell Edge 620 with C3558. But there is only one slot so you lose Wifi.
 
I gotta take the scraps when I can swing it. Like jbo@ mentioned earlier. Denverton went out of service in June.

How about this: The M.2 SATA SSD only had 400POH on it. It was an Apacer module and was probably original.

So that is pretty low mileage for me. Advantech boxes are built tough. SDWAN was just a fad. The boxes live on.

Dell Edge 620 is another Denverton gem. If it had more slots I would call it an APU2/3/4 replacement too.
 
Pretty fat. Denverton C3436L but no storage options eMMC only. X552 Intel backplane is supported on 14.

Some kind of SOHO router. WWAN in M.2/USB slot and WLAN in MiniPCI slot
Hahaha It turns out this Verizon/ATT box was a Silicom IA3003 that I was looking at again...
It looked so familiar I had to drag it out of a tub.
Out of my three Denverton buys this was lowest power. Similar specs to C3558 but Low Voltage version. C3436L.
This was a runner up.. Another Denverton.
Silicom IA3001
The IA3003 was different design (Cordoba) without ethernet bridge chip. 2x10GB interfaces. I was wrong about the model number. I have IA3003 OEM version.
Better product but very much like the Dell Edge 620/640/680. In fact I think they designed it.
Maybe an SDWAN Intel reference design Silicom did for Dell/EMC/Versa. I smell similarity. I am pretty sure Netgate sells some Silicom boxes.
 
Yes, it's my feeling, based on how guarantees and laws and such surrounding those statements work in the jurisdictions they're made, if the reputation of the company making it matters, or will they just spin up a different name, and if companies actually make them or not. Is Rack Matrix making a guarantee or is Broachlink? Does Rack Matrix own the design (and therefore can go to a different vendor for production to keep up a guarantee) or Broachlink?

In my experience, Chinese companies do not care about reputation or long term promises, which is why they do not inspire me.

What else does not inspire confidence is the 404-ed link in your original post about it on Rack Matrix.
Sorry for the late answer because I didn't notice it.
The 404-ed link was our fault because we added a new level (brand name) into the link. This is the same link updated https://www.rack-matrix.com/en/prod...ds-from-pc-engines-to-noah-of-broachlink.html
Thank you very much for letting us know about that broken link.

Even though it's not our own design, the guarantee is provided by Rack Matrix as the exclusive importer in the EU.
Another thing: reputation and long-term availability are among our highest priorities.
This lets us provide Noah as a replacement for the APU for industrial customers of PC Engines (after almost 1 year of testing to choose that motherboard as a qualified replacement in their final product).
As an example, look here https://www.candelatech.com/ct521c-3ax4_product.php as a replacement for the APU-based product here https://www.candelatech.com/ct521a-2ax4_product.php
 