Re-reading the post, I now see that I apparently thought 6x10Gb and not 2.5Gb but it's still good to see them evaluate it. It generally also means they will port coreboot yet again and more platforms will benefit from that. That's good as it's a classical situation of "a rising tide lifts all boats" for coreboot.
Self inflicted state of frustration - CLI, stupid interfaces, lack of automation etc... basic networking rant
- Thread starter SecCon
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
From the latter posts and @oneplane's writings about appliance market it seems I should steer away from PFSense and direct my attentions to OPNSense. I once read that OPN was a fork of PF, but I can't find that anymore, probably just some random text from the intarwebs.
Regardless, can't afford it now, but this would be rather hot to have in a rack.
https://shop.opnsense.com/wp-content/uploads/2021/08/DEC2680.mp4
As for commercial practices and fishy or right down nasty things, I am in the EU so buying appliances from the US is not really anything I would do unless forced to.
VyOS?
Regardless, can't afford it now, but this would be rather hot to have in a rack.
https://shop.opnsense.com/wp-content/uploads/2021/08/DEC2680.mp4
As for commercial practices and fishy or right down nasty things, I am in the EU so buying appliances from the US is not really anything I would do unless forced to.
VyOS?
I'd say trying OpnSense is your best bet because VyOS is CLI-only (be it a modern CLI - but still a CLI) and that wasn't on your wishlist 
You can start a VM on your computer and just test it out. Keep in mind that commercial 'firewalls' are mostly just a PC and software in a box with some fancy branding on it. The differences are mostly in hardware acceleration, information feeds for IDS/IPS from the vendor and in some cases pretentious machine learning things. In reality, 99% of the world has so much trouble getting the basics right (i.e. just putting the right rules in to allow the things you want and need but nothing else) making all the extra nice features not really super important.
For your own internet connection as long as it's 2.5Gpbs or below, any x86 PC from the last couple of years with modern network cards will work. And if it breaks, you just install the same software on a replacement, restore the configuration and off you go. The cheapest option are those Qotom/Topton boxes from Aliexpress. Probably come from the same factory as 10x more expensive "branded" versions. The next best option is something like a small form factor PC or barebones PC (usually available in weird form factors) with either two network cards already built in or just adding one via PCIe.
That is also one of the most important factors with OpnSense/pfSense/VyOS/OpenWRT: those software distributions will run on almost anything, and as long as you keep a backup of the configuration file, the hardware can die a thousand times and you can replace it with different devices and install the same software with no real change in how it works. The only difference you generally get is performance; faster CPUs and NICs will get you faster network performance.
You can start a VM on your computer and just test it out. Keep in mind that commercial 'firewalls' are mostly just a PC and software in a box with some fancy branding on it. The differences are mostly in hardware acceleration, information feeds for IDS/IPS from the vendor and in some cases pretentious machine learning things. In reality, 99% of the world has so much trouble getting the basics right (i.e. just putting the right rules in to allow the things you want and need but nothing else) making all the extra nice features not really super important.
For your own internet connection as long as it's 2.5Gpbs or below, any x86 PC from the last couple of years with modern network cards will work. And if it breaks, you just install the same software on a replacement, restore the configuration and off you go. The cheapest option are those Qotom/Topton boxes from Aliexpress. Probably come from the same factory as 10x more expensive "branded" versions. The next best option is something like a small form factor PC or barebones PC (usually available in weird form factors) with either two network cards already built in or just adding one via PCIe.
That is also one of the most important factors with OpnSense/pfSense/VyOS/OpenWRT: those software distributions will run on almost anything, and as long as you keep a backup of the configuration file, the hardware can die a thousand times and you can replace it with different devices and install the same software with no real change in how it works. The only difference you generally get is performance; faster CPUs and NICs will get you faster network performance.
VyOS sure has a fast and flashy site...I'd say trying OpnSense is your best bet because VyOS is CLI-only (be it a modern CLI - but still a CLI) and that wasn't on your wishlist
For your own internet connection as long as it's 2.5Gpbs or below, any x86 PC from the last couple of years with modern network cards will work.
My ISP speed is 100/100. Internal network is 1GB. As long as you can't write data to SMB HDD RAIDs faster than about 100MBit/s or invest in equipment that does, I don't really have any reason to have anything faster.
Buying stuff from AliBaba would be a first for me. You do have PC Engines home in EU with their resellers. Admittedly not the cheapest but well worth a look.
Aliexpress has the benefit of shipping relatively fast towards the EU, but chip shortages have been hitting everyone. And PC Engines devices are really nice, the downside is that they really can't do fast networking anymoreVyOS sure has a fast and flashy site...
My ISP speed is 100/100. Internal network is 1GB. As long as you can't write data to SMB HDD RAIDs faster than about 100MBit/s or invest in equipment that does, I don't really have any reason to have anything faster.
Buying stuff from AliBaba would be a first for me. You do have PC Engines home in EU with their resellers. Admittedly not the cheapest but well worth a look.
The SoC is getting too old for newer faster networks.Options to consider: 177.2US $ 38% OFF|Topton 2.5G Router Fanless Mini PC 4 Intel I225 2500M Nics Celeron J4125 2xDDR4 HD MI VGA pfSense OPNsense Ubuntu VPN Firewall|Mini PC| - AliExpress (2.5G ports) 340.14US $ 15% OFF|Qotom Mini Pc Q500G6 S05 Met Celeron Core I3 I5 I7 AES NI 6 Gigabit Nic Router Firewall Ondersteuning Linux Ubuntu Fanless computer|Mini PC| - AliExpress (1G ports)
You can get the lowest end models in both cases and as long as you don't go full Suricata on them it'll do your network just fine. If you really want a rack mount version, Qotom has that too: 211.85US $ 5% OFF|1 U Rack Qotom Mini PC 4 Ethernet Appliance Router Firewall Core i3 i5 Fanless Mini PC Computer OPNsense|Mini PC| - AliExpress but they are bad at commerce so you have to "add it" to your order of a normal one
it's metal (and plastic covers) so it's not a bad case, but for me the small fanless ones on a shelf have been fine.Alternatively, something like this works just as well: HP EliteDesk 800 G1 Small Form Factor (SFF) PC Specifications | HP® Customer Support just plonk an extra network card in it and off you go. If you have local surplus/remarketing/recycling companies selling used office PCs it can be a great first step.
Keep in mind: you're doing this for your home network, it doesn't have to be enterprise or commercial grade
Actually have a couple of HP7800UAlternatively, something like this works just as well: HP EliteDesk 800 G1 Small Form Factor (SFF) PC Specifications | HP® Customer Support just plonk an extra network card in it and off you go. If you have local surplus/remarketing/recycling companies selling used office PCs it can be a great first step.
Keep in mind: you're doing this for your home network, it doesn't have to be enterprise or commercial grade
But they are only DDR2, even if changed the default CPU for Prescott 4Core at 3GHZ. A bit to tall for cabinet I think. And only one ETH port and - after opening and checking, zero expansion possibilities. Bleh.
I respect your knowledge in regards to hardware, thanks for those links and I did not know that thing about PC Engines SOC.
As for business or home, well, I do not run a business, but I do run a few servers, so when looking at some software, like AV and such, I tend to go for business versions and right know I signed up with Techs+Together to get Bitdefender Endpoint for 2$ / month. And some... Kaseya VSA is included for ITSM and Assets...
I have to say, even a Prescott can do 100Mbit with ease. I used to have a rather old DDR2 system on a 100/100 symmetrical fiber somewhere which only got replaced after the (also ancient) mainboard got killed by the capacitor plague. That one also had a single ethernet port, and we used VLANs and a switch to bring both WAN and LAN and DMZ networks over that single card. But purely power consumption alone makes a direct-from-China box a better fit for most setups.
Edit: if you have some spare ports on your switch it might be worth just doing a setup on one of those (HP7800U) to try it out (just to play around with it).
- Create two VLANs on your switch, assign one port as trunk for both and two ports as access for either
- Put opnsense on a USB stick (or CD-R ) and boot from it (live boot works fine)
- Assign VLANs (you'll be prompted at startup)
- Assign firewall interfaces to those VLANs (WAN and LAN)
At that point you can plug a computer into the switch port you configured to access the LAN VLAN and try out the WebUI. Of course, mixing in VLANs and a single-interface network makes everything a bit harder to setup but at least you can do it with what you have on hand already.
Edit: if you have some spare ports on your switch it might be worth just doing a setup on one of those (HP7800U) to try it out (just to play around with it).
- Create two VLANs on your switch, assign one port as trunk for both and two ports as access for either
- Put opnsense on a USB stick (or CD-R
) and boot from it (live boot works fine)- Assign VLANs (you'll be prompted at startup)
- Assign firewall interfaces to those VLANs (WAN and LAN)
At that point you can plug a computer into the switch port you configured to access the LAN VLAN and try out the WebUI. Of course, mixing in VLANs and a single-interface network makes everything a bit harder to setup but at least you can do it with what you have on hand already.
Last edited:
I had never bought anything from aliexpress until I did. Honestly it's not much different than buying from a "reseller" on amazon other than the speed of shipping. And as oneplane said, being in the EU you have the advantage of stuff coming from China more quickly than it does over here across the pond. I'd go with something like this: €157 for j4125 barebones. You can grab 4/8gb of ram and a small ssd from amazon, and you're good to go.VyOS sure has a fast and flashy site...
My ISP speed is 100/100. Internal network is 1GB. As long as you can't write data to SMB HDD RAIDs faster than about 100MBit/s or invest in equipment that does, I don't really have any reason to have anything faster.
Buying stuff from AliBaba would be a first for me. You do have PC Engines home in EU with their resellers. Admittedly not the cheapest but well worth a look.
Otherwise, oneplane is giving you fantastic advice. A fancy abacus might be able to firewall 100mbit these days. My Celeron J3160 had no problem applying NAT and firewall rules on a 1gbit asymmetrical cable connection, and that is a very slow processor by modern standards (single-threaded performance that is frankly on par with a Pentium 4, but 4 cores and a LOT less power consumption). The biggest problem you will have with a super-old processor is that it'll run the GUI slowly, which might frustrate you. But I agree that it'll handle the firewall and NAT tasks just fine at that speed.
My home router is OPNSense on an old Lenovo m73 tiny, 4th-gen i5, with an extra RTL NIC on an mPCIe adapter. SFF (Lenovo, Optiplex, Prodesk, etc.) are even cheaper than TMM/uSFF (<$60 shipped in the States) and give you total freedom on PCIe NICs (e.g., SFP+ if desired, or cheapo $20 I350-T2 for regular gigabit). Old corporate desktops are cheap and abundant in N.Am.; even in EU there should still be a decent supply.