Self-inflicted state of frustration - CLI, stupid interfaces, lack of automation etc... basic networking rant


SecCon (Arkham Asylum Server Mgmt, joined May 26, 2022):
I feel this seems to be a general enough discussion-based community - a separate forum category for brainstorming might be nice - to post about my woes and ponderings over the course of the last five years. I am just not happy with where I am and perhaps someone can shed a light as to the reasons and possible solutions beyond my own thoughts.

  1. Many years ago I got a Wifi Router, an Asus RT-AC87U. It replaced some random D-Link stuff and was my first conscious decision to get into more intelligent hardware for my LAN at home and home office (SoHo). I am still using it as my main Wifi AP, FW has been updated many times and it gives me 400-500 Mbit/s. It's enough for what I need.

  2. A few years ago I wired my home and office. I don't trust wireless and was sick of having long cables in the two rooms we - mainly - use computers in. So I pulled Cat6 through most of the walls in relevant places and even set up a very nice "Core Network" 6U Cabinet. Switch and Router from Ubiquiti. Not Unifi. Edge. For a couple of years I was kinda satisfied with this but also noticing that Ubiquiti was on the path to sundown Edge products, and from the Ubiquiti Community I learned that a lot of things were not properly addressed in FW upgrades and firmware development was second to hardware sales. I did not ponder that a lot, but was not happy with my SoHo protection from a Firewall standpoint. My repeated attempts to use the Router as firewall stumbled on woes about overloading the hardware and difficult implementation via CLI. I managed to get QoS to work very well though.

  3. So I dumped Ubiquiti for Mikrotik. Head on into a world of endless possibilities with RoS. Switch and Router. Now I can do a lot of things and will have a proper firewall and configure everything as I would like to have it with DMZ, vlans and blocking select devices from Internet access and what not. HA!

    Took me several days to even get the most basic DHCP working. I have yet to configure anything but the most basic firewall. Talk about drowning in the wrong way of handling things, with a dated UI and a jungle of CLI, much of which is not very well documented, with not many real world examples. Been at that for the last year and a bit and I totally regret it. This is for CLI nerds with years of experience. You need proper training and lots of hands-on to handle this and right now, as in today, I still have to figure out how to make some basic things work. The UI is not smart, there is zero AI and no inbuilt guides. Still I guess it is a learning process and I have learned a lot, enough to consider replacing everything, again. I did learn how to set a working QoS though.

  4. The next step?
    You have probably figured out that a common denominator for my sense of frustration is the lack of automation, too much CLI, and non-pedagogical interfaces. Ubiquiti has some of that, but I am not going back. Still need a working Firewall. I am hesitant to put up an OPNSense in combination with Mikrotik since that would render a lot of the Router functionality void and useless. Some of you might think "git gud" and dismiss this post. I feel it is about a greater challenge, to find the solutions that are adapted to you, rather than having to adapt yourself to them via an extended learning process a normal working person may just not have the time nor interest for.
I am not sure what response I deserve or wish for. Maybe tips on another product line, a CLI learning resource or referrals to Cisco Networking Academy. My wish-list is not long: zero CLI, more automation, more AI (with exceptions of course), more guides and an understandable interface that is based on function rather than sorted alphabetically and trying to cope with everything at once. Maybe profiles could be nice, answering some questions about your network in a guide -

- this is a small network with less than 100 devices
- with mixed devices
- call it SoHo.something.something
- IP span of 10.10.10.1/24
- with a firewall for home usage - some exceptions - some additions
- blocking *these* devices from internet (Xiaomi IoT)
- setting *this* device/ip exposed in a dmz
- using these addresses as DNS
- allowing rdp via custom port to *this* computer
- *this* with *that* fixed IP, persistent
- automated fw updates with a configuration scan preceding to check for possible changes due to code updates, and warnings about them
- etc...


Is there anything like that on the market at a reasonable cost for a small home lan with a couple of dev servers?
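The profile idea in the wish-list above can be tried out without any vendor product: describe the network once and generate the firewall and DHCP configuration from it. The script below is an added example, not code from this thread and not a pfSense, OPNsense or RouterOS tool. It renders a profile into pf.conf syntax (the packet filter underneath pfSense and OPNsense) and ISC dhcpd syntax. The 10.10.10.0/24 plan is the one from the post; the interface names (em0/em1), host names, MAC addresses and the SAMPLE hosts are constructed. Two checks are built in that a GUI wizard should also do: every host must lie inside the LAN range, and a host cannot be both exposed to the WAN (port forward or DMZ) and denied internet access.

```python
"""Render a small SoHo network "profile" into pf.conf and dhcpd.conf fragments.

Added example for the wish-list in the post above; not the thread's own code and not
a pfSense/OPNsense/RouterOS tool.  Interface names, MACs and hosts are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Forward:
    name: str
    proto: str      # "tcp" or "udp"
    ext_port: int   # port reachable on the WAN address (e.g. a custom RDP port)
    host: str       # LAN host that really serves it
    int_port: int   # port the service listens on


@dataclass
class Profile:
    lan_net: str                  # e.g. "10.10.10.0/24"
    gateway: str                  # the firewall's own LAN address
    wan_if: str
    lan_if: str
    dns: List[str]
    leases: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (mac, ip)
    no_internet: List[str] = field(default_factory=list)              # hosts denied egress
    forwards: List[Forward] = field(default_factory=list)
    dmz_host: Optional[str] = None  # one host receiving all unsolicited WAN traffic


def validate(p: Profile) -> None:
    """Reject profiles that would produce a self-contradicting rule set."""
    net = ipaddress.ip_network(p.lan_net)
    hosts = [p.gateway] + [ip for _, ip in p.leases.values()] + p.no_internet
    hosts += [f.host for f in p.forwards] + ([p.dmz_host] if p.dmz_host else [])
    for ip in hosts:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {p.lan_net}")
    exposed = {f.host for f in p.forwards} | ({p.dmz_host} if p.dmz_host else set())
    clash = exposed & set(p.no_internet)
    if clash:
        raise ValueError(f"exposed to WAN but denied internet: {sorted(clash)}")
    for f in p.forwards:
        if f.proto not in ("tcp", "udp") or not (0 < f.ext_port < 65536 and 0 < f.int_port < 65536):
            raise ValueError(f"bad forward {f.name}")


def render_pf(p: Profile) -> List[str]:
    validate(p)
    out = [f'wan = "{p.wan_if}"', f'lan = "{p.lan_if}"', f'lan_net = "{p.lan_net}"', ""]
    # pf evaluates translation before filtering, and for rdr the first match wins,
    # so the specific port forwards are emitted before the DMZ catch-all.
    out.append("nat on $wan from $lan_net to any -> ($wan)")
    for f in p.forwards:
        out.append(f"rdr pass on $wan inet proto {f.proto} from any to ($wan) "
                   f"port {f.ext_port} -> {f.host} port {f.int_port}")
    if p.dmz_host:
        out.append(f"rdr pass on $wan inet proto {{ tcp udp }} from any to ($wan) -> {p.dmz_host}")
    out += ["", "block drop log all"]
    # Egress denial is matched inbound on the LAN interface, before NAT rewrites the
    # source; a "from 10.10.10.50" rule on $wan would never see the translated packet.
    if p.no_internet:
        out.append(f"block drop in quick on $lan from {{ {' '.join(p.no_internet)} }} to ! $lan_net")
    out.append("pass in on $lan from $lan_net to any keep state")
    out.append("pass out on $wan keep state")
    return out


def render_dhcpd(p: Profile) -> List[str]:
    validate(p)
    net = ipaddress.ip_network(p.lan_net)
    out = [f"subnet {net.network_address} netmask {net.netmask} {{",
           f"  option routers {p.gateway};",
           f"  option domain-name-servers {', '.join(p.dns)};",
           "}"]
    for name, (mac, ip) in sorted(p.leases.items()):  # persistent fixed addresses
        out.append(f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return out


# Constructed profile: two IoT cameras with no internet, RDP to dev01 on a custom port,
# one exposed DMZ host, DNS at the gateway with a public resolver as fallback.
SAMPLE = Profile(
    lan_net="10.10.10.0/24", gateway="10.10.10.1", wan_if="em0", lan_if="em1",
    dns=["10.10.10.1", "9.9.9.9"],
    leases={"cam01": ("aa:bb:cc:00:00:50", "10.10.10.50"),
            "cam02": ("aa:bb:cc:00:00:51", "10.10.10.51"),
            "dev01": ("aa:bb:cc:00:00:20", "10.10.10.20")},
    no_internet=["10.10.10.50", "10.10.10.51"],
    forwards=[Forward("rdp-dev01", "tcp", 33389, "10.10.10.20", 3389)],
    dmz_host="10.10.10.30",
)

if __name__ == "__main__":
    print("\n".join(render_pf(SAMPLE) + [""] + render_dhcpd(SAMPLE)))
```

Two details matter for security here. The "no internet" rule is placed inbound on the LAN interface with `quick`, because pf translates before it filters: a block rule on the WAN side naming the IoT address would never match the NATed packet, and without `quick` the later `pass in on $lan` rule would override it. A single exposed DMZ host still receives every unsolicited TCP and UDP packet from the WAN, so it belongs on its own segment rather than in the same /24 as the dev servers; the generator only makes sure it is not also one of the hosts you meant to isolate.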
 

elvisimprsntr (Active Member, joined May 9, 2021, Florida):
Sorry to hear of your troubles, but you are not alone in the quest for a reasonable cost, well documented, and supported solution. I gave up on low end consumer FW and APs many years ago, even trying open source firmware (DD-WRT, LEDE, OpenWrt) on consumer devices, in favor of enterprise class devices. You seem to already have a strong IT skill set, so here are a couple of suggestions.

1. Recommend getting a FW appliance from Netgate or Protectli: Trusted Firewall Appliances with Firmware Protection and running open source enterprise class FW software called pfSense® - World's Most Trusted Open Source Firewall. It takes literally minutes to set up a basic setup. You can explore or add more advanced capabilities over time.

2. I am not an early adopter and don't like being the guinea pig for new technology, so I tend to look for APs that have been on the market for a while that have reviews and had an opportunity to receive firmware updates. I also don't like overpaying for WiFi kit, so I tend to stay away from overpriced name brand kit that has enterprise level pricing and recurring extortion fees to manage their kit. I searched for a while for new WiFi kit to replace my aging Linksys WRT series AC devices. I ended up settling on the Engenius EWS377AP 802.11ax WiFi6 APs as I felt it provided the most bang for the buck. Initially I bought one to kick the tires, and ended up purchasing a second to improve coverage in my three story townhome. Although the EWS377AP supports MESH, I use a wired backhaul so I don't cut my bandwidth in half. I set both APs and bands to the same SSID. Clients seamlessly switch between bands and APs without dropping a connection with the built in steering. This is even without a controller. There are a number of OEMs that sell the exact same APs at a substantial markup and/or with crippled capability. In fact some of the OEMs didn't even bother to hide the Engenius name in their FCC filings. I don't recommend trying to purchase a used one off evilBay as there are 3 generations of the hardware. The latest v3 generation has a substantially larger ribbed heat sink. Unfortunately, most if not all the sale sites still show pictures with the smooth heat sink. I ordered mine shipped and sold by Amazon for $200 each. Amazon has a fairly liberal return policy if for some reason it does not meet your expectations.

Good luck in your quest!

 

SecCon (Arkham Asylum Server Mgmt, joined May 26, 2022):
Sorry to hear of your troubles, but you are not alone in the quest for a reasonable cost, well documented, and supported solution. I gave up on low end consumer FW and APs many years ago, even trying open source firmware (DD-WRT, LEDE, OpenWrt) on consumer devices, in favor of enterprise class devices. You seem to already have a strong IT skill set, so here are a couple of suggestions.
Thanks, I try not to come across as a total noob, got 30 years in the business, but that was nice to read.

1. Recommend getting a FW appliance from Netgate or Protectli: Trusted Firewall Appliances with Firmware Protection and running open source enterprise class FW software called https://www.pfsense.org. It takes literally minutes to set up a basic setup. You can explore or add more advanced capabilities over time.
PFSense is actually the main alternative to OPNSense.

2. I am not an early adopter and don't like being the guinea pig for new technology, so I tend to look for APs that have been on the market for a while that have reviews and had an opportunity to receive firmware updates.
Good luck in your quest!
Don't like to be an early adopter either, but long term support is a must.
 

SecCon (Arkham Asylum Server Mgmt, joined May 26, 2022):
What do you mean by "more AI"?
Much next-generation network protection equipment is implementing cloud based "intelligence" and working with accumulated data sets over time to help avoid breaches and exploits as soon as possible, maybe even zero-day stuff.
 

adman_c (Active Member, joined Feb 14, 2016, Chicago):
(quoting SecCon's opening post in full)
For a reasonably-priced SOHO firewall/router with a GUI, I think the list more or less starts with OPNsense and ends with pfsense (strictly alphabetically). You could also try the new UniFi routing gear (UDM/UDM Pro), but I can't speak to its capability at all. Also, it appears that Ubiquiti is really struggling with supply chain issues, as almost all of their gear is showing out of stock.
 

SecCon (Arkham Asylum Server Mgmt, joined May 26, 2022):
(quoting adman_c's reply above)
I looked closely at UDM Pro. It is a combination I do not understand targeting a market far beyond my comprehension. It seems optimized for surveillance. It's not even a proper firewall. Tries to combine switching and routing in one unit with, for me, way too few ports or way too expensive switches having more ports.

This thread is me looking at the hardware in the first place, and its UI. I have both PFSense and OPNsense ready for installation on my VM machine, but adding those would take away so much functionality that I actually already paid for, in my Mikrotik devices, not forgetting I still need something to hook up the cables to... regardless of VM'ed Firewalls.
 

adman_c (Active Member, joined Feb 14, 2016, Chicago):
(quoting SecCon's reply above)
As someone who used Mikrotik for a couple of years before moving to pfsense, I would recommend getting rid of it immediately if you're frustrated with things not being easy/having a nice GUI. Yes, you've already paid for it, but that cost is already sunk. There's no need to add to it by trying to integrate it into your system* when you're looking for something simpler and better-documented. For firewall/limited routing purposes, pfsense comes closest to ticking all your boxes in my opinion (slightly beating out OPNsense merely because there exists substantially more documentation for pfsense than OPNsense). And if you're looking for hardware/software integrated solutions, you can buy a pfsense appliance directly from Netgate.

*If your mikrotik hardware is capable of running their SwitchOS, you could use it as a L2 switch, since SwitchOS is substantially simpler than RouterOS. Still ugly, but for L2 stuff you need to configure much, much less than L3 routing/firewalling.
 

Markess (Well-Known Member, joined May 19, 2018, Northern California):
I have both PFSense and OPNsense ready for installation on my VM machine, but adding those would take away so much functionality that I actually already paid for, in my Mikrotik devices, not forgetting I still need something to hook up the cables to... regardless of VM'ed Firewalls.
My lack of networking expertise is pretty shockingly extreme. But I do know a thing or two about dealing with sunk costs in terms of hardware.

No matter what you pick, it will probably end up "replacing" a great deal of the Mikrotik's functionality, right? And even though the Mikrotik gear is paid for, it's not doing what you want...or giving you any joy. Hesitating to make a change because you've already invested so much money is a pretty natural thing, even if it's something that isn't satisfying your needs. But it can be limiting, especially if you're trying to find a solution that includes keeping that hardware that isn't satisfying the need. A clean slate isn't cheap, but in some cases may be a better long term course of action.

It seems like the impact could be mitigated by converting the Mikrotik to a switch as @adman_c mentions? Or you could just sell the Mikrotik gear outright. Not sure where you are, or if you've been following prices, but where I am (California), used gear is STUPID EXPENSIVE both locally and on Ebay, etc.

Recently, my GT-AC2900 (an RT-AC86U with bells and whistles) died. It had been in an AI-MESH setup with a couple RT-AC68U routers I'd gotten cheap. Rather than buy more ASUS, which "worked" but didn't do what I wanted very well, I decided to make a more extreme change. Among the options I investigated, new Mikrotik gear was hard to find, and used was going for as much as it went for new. High demand right now for newer networking gear in general. Ubiquiti wasn't any better, etc. etc. etc. So, if you wanted to sell, you may be pleasantly surprised at what you could get.

I did my own post here seeking advice and wound up selecting pfSense and the AP that @elvisimprsntr recommended above, due in part to their recommendation. It took me an embarrassingly long time to pull the cable, but I eventually got the AP mounted in a position on the upper floor ceiling where I was able to cover the whole house (2650 sq feet) with usable 5GHz signal with just the one AP. pfSense is running on bare metal (Supermicro A2SDi-4C-HLN4F that I already had) as a router on a stick. I had a couple cheap L2 capable switches already that were in "dumb" mode when connected to the ASUS WiFi router, but am now trying to puzzle out VLANs for. One of the remaining, working, ASUS routers is now on bridge duty for the systems in the garage workshop, while I contemplate if/how I can finally pull a cable over to it.

Cheers.
 

zer0sum (Well-Known Member, joined Mar 8, 2013):
The way I see it reading your post, the path of least resistance is to keep the Mikrotik switch(es), sell the router, and implement OPNsense as your gateway and security appliance.

It is trivial to get dhcp, dns, etc. working on OPNsense and then add more complex stuff like IPS, crowdsec, etc.
Once you have established a basic setup, you could look into running pihole/adguard as your dns service, or keep things simple with NextDNS
 

SecCon (Arkham Asylum Server Mgmt, joined May 26, 2022):
@adman_c
@Markess, I am in Sweden.
@zer0sum

Thanks all for your kind thoughts and advice. I am aware of the possibility to change the OS on the Mikrotik Switch and it is something I am considering, selling the Router in the process.

(Actually I never understood the ability to run a full MT RoS on the switches even if there is no hardware support for a lot of the functionality... :rolleyes: )

All could be done in a few steps plan, some like this:
  1. Setup one of the *sense machines, virtual or otherwise
  2. Disconnect the Router - eventually sell it
  3. Reconf the switch to SWoS instead of RoS.
  4. Connect inbound WAN to *sense, distributing lan from there
I have the panels and wiring in place to be able to do that.

Checked the PFSense guides and it actually covers quite a few scenarios, including installing in ESXi so that is good for me. I assume an OPNSense setup could be made to work with pretty much the same guide, both are based on FreeBSD, but OPNSense on FreeBSD 13 and PFSense on 12. The ESXi part requires some additional fiddling with VMXNet and such.

Here I need to make up my mind on one thing. I'd rather have the *sense machine in the cabinet with my switch; it is a safer location, and in the same place where my main patch panel is, and of course the current router and the switch. That would require a small computer to handle it, what the *sense marketing people call an appliance, but is essentially a tiny computer with extra LAN ports and perhaps an SFP or two. Sure an additional expense, but covered by selling stuff and with two advantages, as I see it: 1: It runs on its own hardware, no need for ESXi, and 2: it's in a safe location (I have my main servers in my garage, the "Core Cabinet" is in the house in a space on the roof behind a panel - inaccessible from outside the house, as opposed to the garage).

First thing is reading up a bit more about *sense. @adman_c Did you have any particular thoughts when choosing OPN over PF? I am not in a position to make any choice yet, I will read and browse tutorials and guides relevant for what I think I need or should have.
 

oneplane (Well-Known Member, joined Jul 23, 2021):
It depends on where you are located in the world and what your support needs are. pfSense these days only makes sense if you live in the US and want commercial support in the US as well, for everything else OpnSense, VyOS or even OpenWRT makes more sense.

Hardware-wise anything you can reliably get is fine unless you need guaranteed scenarios from the vendor in which case you'd need a local vendor. Neither NetGate nor Protectli make sense unless you are located in the US.

Software-wise, OpnSense and pfSense are based on the same OS (FreeBSD) but OpnSense isn't trying to screw you over while pfSense is. Most other systems are based on Linux. Community support for any of the big open source projects is equally good, but *sense and VyOS also have good commercial support options. None of them, including when using OEM hardware really have any "oops it died randomly" issues when using known good parts like Intel NICs and good cooling/heatsinks on the stuff that gets hot.

Integrating all the switching and routing and firewalling seems nice at first, but in general isn't really in the same bucket. Switching separate from the other facilities works best in most smaller networks. There is a small 'medium' sized network scenario where it makes sense to integrate them, and beyond that for bigger networks it stops making sense again. So while MT and UniFi etc. have all their 'integrated' ideas, in reality it's only in specific circumstances that it is really all that useful. If you add the problems with vendor-determined capabilities instead of doing what you actually want to do the benefit of some highly integrated system fades out pretty fast.

Most small networks don't need a lot of upkeep either; once NAT, routing, firewalling, DHCP, DNS etc. are setup you are most likely to just change some firewall rules every now and then and that's about it. If you add/remove devices from the network a lot you might end up with most of your changes being port-based VLAN configuration on your switch.

What might be your best bet is just getting an ISO image (or pre-installed VM image) and running VirtualBox on your PC to just try the software. All four projects/products I mentioned can be used that way (which is also what makes them so good for running anywhere else - same software regardless of the environment!).
 

adman_c (Active Member, joined Feb 14, 2016, Chicago):
(quoting SecCon's post above)
So I have run pfsense for the past 2 years on a Yanling J3160 mini PC I bought from AliExpress, and it has been utterly rock solid for me. Out of luck (and partially because it was so stable I barely looked at it unless my cable internet went down for some reason), I missed the whole version 2.5/wireguard debacle and then never bothered upgrading from the 2.4 branch once I heard about it. I just built a new virtualized firewall appliance using proxmox and planned to run OPNsense as my primary firewall due to some of the corporate behaviors that oneplane alluded to.* However, I haven't yet gotten OPNsense fully configured, so I'm currently running pfsense+ because I was able to migrate my previous setup onto a virtual machine fairly seamlessly. Starting from scratch I'd probably go with OPNsense. They seem to be a slightly better org than Netgate, and they've made some UI redesign choices vs pfsense that are nice. But as you guessed, they are pretty similar under the hood, so most of the tutorials out there for pfsense can be applied relatively easily to OPNsense. I still plan to get my OPNsense vm working as my primary firewall--I just need a couple hours I can spend working on it.

* While I think some of Netgate's behavior is unsavory, I don't think they're actively trying to screw users. I just think that they're betraying a good deal of the open-source ethos that brought users to pfsense in the first place.
 

oneplane (Well-Known Member, joined Jul 23, 2021):
(quoting adman_c's post above)
It is indeed a bit more nuanced ;) I also don't think they are actively trying to be the bad guys but the end result is just all kinds of nasty. On the other hand; since both of them are based on FreeBSD anyway, you're at least going to get a good foundation regardless of which one you run. pfSense seems to be riding out the wave of past brand recognition, which isn't all that surprising considering the route NetGate is taking.

Those YanLing/Topton/Qotom boxes are pretty good, most of them are based on Intel reference designs anyway and since nearly all of the SoCs and mobile Core CPUs are easily passively cooled with the extruded cases the manufacturers like it's very likely that if it isn't dead on arrival it will keep running for a very long time.

Both software and hardware have gotten to the point where you mostly just mess with it if you want to change something, upgrade something or if someone tripped on a cable and broke something. Even in commercial scenarios where a low-budget solution is required, just buying two identical machines and keeping a configuration backup is enough to get 10 years out of a setup with zero problems.

The biggest "what if" with most of the hardware is firmware related problems, but those are generally badly mitigated or unmitigated anyway regardless of the amount of money thrown at it. This is one of the things where Protectli has a leg up; they essentially just rebrand those Chinese ODM boxes but made the investment to have coreboot ported to (some of) them. The big benefit here is that a lot of firmware problems can now be fixed nearly indefinitely as they come to light during the lifetime of the device (does not apply to microcode problems or FSP/BSP packages from Intel as those are still closed off where not even an ODM could fix it). This is because coreboot is open and can be built by anyone and flashed as desired.
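The "keep a configuration backup" advice in this post and the "configuration scan before an update, with warnings" item in the opening post's wish-list meet in one small tool: snapshot the rule set before and after an upgrade and refuse to call the upgrade done if a block rule went away or a new pass rule appeared on the WAN side. The script below is an added example, not code from this thread and not a pfSense or OPNsense feature. The XML layout is loosely modeled on the `<filter><rule>` section of a pfSense/OPNsense config.xml (rules identified by a `<tracker>` id); BEFORE and AFTER are constructed snapshots, not real exports, and the "risky" classification is this example's own policy.

```python
"""Compare the firewall rule set in two config dumps and gate on dangerous drift.

Added example, not the thread's code.  XML layout is loosely modeled on the
<filter><rule> section of a pfSense/OPNsense config.xml; BEFORE and AFTER are
constructed snapshots (pre- and post-upgrade), not real exports.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

BEFORE = """<pfsense><filter>
 <rule><tracker>1001</tracker><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source><destination><address>10.10.10.20</address><port>3389</port></destination>
  <descr>RDP to dev01</descr></rule>
 <rule><tracker>1002</tracker><type>block</type><interface>lan</interface>
  <source><address>10.10.10.50</address></source><destination><any/></destination>
  <descr>IoT no internet</descr></rule>
</filter></pfsense>"""

# Constructed post-upgrade snapshot: rule 1002 came back disabled and an
# allow-anything rule appeared on WAN.  Both should stop an automated rollout.
AFTER = """<pfsense><filter>
 <rule><tracker>1001</tracker><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source><destination><address>10.10.10.20</address><port>3389</port></destination>
  <descr>RDP to dev01</descr></rule>
 <rule><tracker>1002</tracker><disabled/><type>block</type><interface>lan</interface>
  <source><address>10.10.10.50</address></source><destination><any/></destination>
  <descr>IoT no internet</descr></rule>
 <rule><tracker>1003</tracker><type>pass</type><interface>wan</interface>
  <source><any/></source><destination><any/></destination>
  <descr>temporary - forgot to remove</descr></rule>
</filter></pfsense>"""


def _text(el: ET.Element, path: str, default: str = "") -> str:
    node = el.find(path)
    return (node.text or "").strip() if node is not None else default


def _endpoint(rule: ET.Element, tag: str) -> str:
    """Collapse a <source>/<destination> element into 'any', 'addr' or 'addr:port'."""
    node = rule.find(tag)
    if node is None or node.find("any") is not None:
        return "any"
    addr = _text(node, "address") or _text(node, "network")
    port = _text(node, "port")
    return f"{addr}:{port}" if port else addr


def canon(rule: ET.Element) -> Dict[str, object]:
    """Reduce a rule to the fields that decide what it does, ignoring cosmetics."""
    return {
        "action": _text(rule, "type"),
        "iface": _text(rule, "interface"),
        "proto": _text(rule, "protocol", "any"),
        "src": _endpoint(rule, "source"),
        "dst": _endpoint(rule, "destination"),
        "disabled": rule.find("disabled") is not None,
        "descr": _text(rule, "descr"),
    }


def load_rules(xml_text: str) -> Dict[str, Dict[str, object]]:
    root = ET.fromstring(xml_text)
    rules: Dict[str, Dict[str, object]] = {}
    for r in root.findall("./filter/rule"):
        key = _text(r, "tracker") or _text(r, "descr")   # tracker id, else description
        rules[key] = canon(r)
    return rules


def diff_rules(before: Dict[str, Dict[str, object]],
               after: Dict[str, Dict[str, object]]) -> List[str]:
    """Every difference, in a form a human can read in an upgrade log."""
    findings = []
    for k in sorted(before.keys() - after.keys()):
        findings.append(f"REMOVED {k}: {before[k]['descr']}")
    for k in sorted(after.keys() - before.keys()):
        a = after[k]
        findings.append(f"ADDED {k}: {a['action']} on {a['iface']} {a['src']} -> {a['dst']} ({a['descr']})")
    for k in sorted(before.keys() & after.keys()):
        for fld in before[k]:
            if before[k][fld] != after[k][fld]:
                findings.append(f"CHANGED {k}.{fld}: {before[k][fld]!r} -> {after[k][fld]!r}")
    return findings


def risky(before: Dict[str, Dict[str, object]],
          after: Dict[str, Dict[str, object]]) -> List[str]:
    """Drift that should fail an unattended upgrade (this example's own policy):
    a block rule removed or silently disabled, or a brand-new pass rule on WAN."""
    bad = []
    for k, a in after.items():
        b = before.get(k)
        if b is None and a["action"] == "pass" and a["iface"] == "wan":
            bad.append(f"new pass rule on wan: {k}")
        elif b is not None and b["action"] == "block" and a["disabled"] and not b["disabled"]:
            bad.append(f"block rule disabled: {k}")
    for k in sorted(before.keys() - after.keys()):
        if before[k]["action"] == "block":
            bad.append(f"block rule removed: {k}")
    return bad


def gate(before_xml: str, after_xml: str) -> Tuple[bool, List[str]]:
    """True when the upgrade may proceed; the findings are printed either way."""
    before, after = load_rules(before_xml), load_rules(after_xml)
    return (not risky(before, after), diff_rules(before, after))


if __name__ == "__main__":
    ok, findings = gate(BEFORE, AFTER)
    for line in findings:
        print(line)
    for line in risky(load_rules(BEFORE), load_rules(AFTER)):
        print("!!", line)
    print("OK" if ok else "REVIEW REQUIRED")
```

Run it against the two snapshots as-is and it reports the disabled IoT block and the new WAN pass rule and refuses. The point of canonicalising rules rather than diffing the raw XML is that a firmware update often rewrites element order, whitespace or version fields; only changes that alter what the packet filter does should wake anyone up, and for those the gate should fail closed rather than log and continue.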
 

adman_c (Active Member, joined Feb 14, 2016, Chicago):
Agree with everything oneplane wrote. Those little mini-pcs are rock solid. Mine routinely had hundreds of days of uptime that was only interrupted if I decided to apply an update. The only reason I went with something else is that I wanted my firewall to have 10gbe and that's one of the few things the mini pcs lack. And the only reason I messed with it at all is ... uhh ... well ... no reason other than I wanted to have a firewall with 10gbe. I mean, I'm hanging out in the STH networking forums, so I guess I find it fun... :p

EDIT: Man, just browsing the mini PCs that are available on AliExpress, and they're shockingly capable. $260 for a barebones unit with a Pentium N6005 and 4x 2.5GbE is a really solid deal. Another $120 or so for 16 GB RAM and 512 GB of storage and you've got an incredible little PC that can run your firewall and a bunch of other net utilities. Obviously less RAM/storage necessary if you're not running things virtualized.
 

oneplane (Well-Known Member, joined Jul 23, 2021):
(quoting adman_c's post above)
I ended up using mostly surplus C3000 series and Xeon D series boards for that. Every now and then a Dell VEP shows up for cheap and I tend to get them since they are such nice little reliable boxes. The only improvement I could think of is better CPLD integration and coreboot. New, those would not make sense for this purpose since you can get systems with equal or better CPU cores and PCIe slots for that price at which point 10Gb and more is easy to get. Especially netmap and DPDK have made it very much within reach to have very high performance software routers and firewalls these days.
 
