Small firewall recommendations

cadamwil (Member, joined Jan 16, 2014, Nashville, TN):
Hello all,
Looking for some help finding a good firewall solution for a problem at work. I work for a city government and we are looking to add CCTV cameras for greenway trailhead parking lots and looking down the greenway a bit. I need a reliable firewall that is as small as possible and able to live in a ventilated and heated enclosure, with two LAN ports (or more) and one WAN port. Ideally it is powered by 12 VDC or 48 VDC. It also has to support a P2P VPN to our main firewall. I have purchased a Netgate 1100 and hooked it up, but it is unresponsive after 24 hours. This is the second time I have had this unit go unresponsive, so I have lost faith in Netgate/pfSense. Any suggestions would be greatly appreciated.
 

oneplane (Active Member, joined Jul 23, 2021):
Depending on your budget you could get a couple of those: https://forums.servethehome.com/ind...lake-quad-i225v-mini-pc-report.36699/page-117 and run them HA.

If you want customer support, that would be a no-go, and your next option might be something from Ubiquiti like a UISP Router or EdgeRouter.

Besides hardware and software, what's up with the "unresponsive after 24 hours" thing? Was it an indoor unit that was installed outdoors? Was there humidity damage/temperature damage? Manufacture defects? What did the vendor say? Did it go unresponsive over WAN, or also over LAN? Was it fixed with a reboot? It's hard to recommend something without more information; most problems are either power supply or environmental these days, everything else is software.
 

Stephan (Well-Known Member, joined Apr 21, 2017, Germany):
My die-hard solution would be PC Engines APU 2E4 or 2E5 or 3D4 or 4D4. AFAIK all 4 GB versions have ECC. They are very far into their life-cycle though. And the Great Chip Shortage of last 2 years might mean, you can't source any. On the plus side, the board will run on 12V, have ECC RAM which actually works (how rare is that) and is of sturdy construction. Electrically sound, well-engineered, bugfixed. Schematics available. Could boot from SD but I'd prefer a small mSATA disk. Personally I like Kingston SKC600M for this. Software-wise, OpenWRT for x86 64-bit might be a solution: PC Engines APU 4

I have the predecessors called ALIX which have run for decades. Thanks to archlinux32, with recent software even. Maintenance is a fresh wall PSU and a fresh CMOS battery every 12-15 years. On APU4D4 I run vanilla Arch with some tweaked packages and configs, mainly to fix up ath9k/kernel/hostapd/crda/regdb for proper wifi operation.
 

oneplane:
PCEngines and ALIX haven't really been a realistic solution for a while now, unless you're using them mainly as soft-switches, at which point an L2+ switch will do the same thing but better and for less money. Pretty much anything in the Geode lineage and the 3000 series and older Celeron core lineage is pointless to get as well. It's all a dead end.

As for ECC: nice to have, but not as significant as people think it is. Error correction is often built into the protocol and application layers, and if not you'd still need ECC on both the server and the client to make ECC "in the middle" make sense. Considering we're talking about video streams I'd say that's not the biggest concern.

As for buggy Intel network silicon: you're unlikely to get any 225v pre-B3 supplied, and if you get 226 you don't even have to bother with the stepping since any released version works. And that's all in the 2.5G realm anyway; I doubt the video cameras even support that.
 

cadamwil:
(Replying to oneplane's post above.)
I’m not sure what happened yet. Set up the IPsec VPN P2P yesterday. Camera traffic passed successfully; today, cameras are down, VPN down, ping to WAN no longer returns. Another tech is rebooting the firewall tomorrow. I’ll look at it on Thursday and possibly see if Netgate can look into why it became unresponsive. Unfortunately it’s 8’ off the ground on a telephone pole and the only LAN-side devices are the cameras. The Internet connection is up, as I can ping the Ubiquiti EdgeRouter that is acting as the WAN-side router between the ONT and my Netgate 1100 firewall.
 

cadamwil:
(Replying to oneplane's post above.)
I don’t really need routing between most of the interfaces, but space is a huge concern. I’ve got an 18x16x6 space that’s about 70% occupied. What I need is 2-4 LAN ports, 1 WAN port, a device that can pass video traffic over an IPsec P2P VPN, and allow remote management of some sort. OpenWRT may be fine; pfSense may be fine, although I always seem to have bad luck with it. Considered a Cradlepoint IBR900 but not enough interfaces. Thought the Netgate 1100 would be ideal, but I can’t have it flaking out after 24 hours. It may be the encryption I have chosen on the VPN; I’ll check with Netgate.
 

Stephan:
I wasn't suggesting ALIX (Geode indeed), but APU. Judging from my experience of both of them being stable as a rock.

OP didn't mention budget, time and experience available, also if professional support is wanted/needed. Then such endeavours with white boxes could of course not be suitable. There is a whole lotta trash out there for sure.

Routing performance should be in the order of many hundreds of Mbit/s. With little else and a bit of luck, close to 1 Gbit/s. With complex rules, more like 500 Mbit/s. VPN performance would have to be measured.

Let me bring you up to speed with 226 from 4 days ago: PSA: Intel I226-V 2.5GbE on Raptor Lake Motherboards Has a Connection Drop Issue: No Fix Available Does it work better with Linux? What driver is needed? Who can tell? What stepping will the friendly Chinese factory solder onto the board? Who needs randomly dropping links? Will they come back or will the driver give up? Sorry I put 225 into the same bin as 226, trash bin. ;-)

Without ECC you could get what OP has experienced, a crashing router and nobody knows why.
 

cadamwil:
(Replying to Stephan's post above.)
Budget is as cheap as possible, but my Netgate 1100 with support was $300. I’d pay more if needed, but I’d like to keep it as close to or under $400. Top priority is reliability. Secondary top priority is size. Tertiary would be support, or at least frequently updated software. I don’t want any holes in my network. I’m a network admin with 13 years of experience as a network admin. I’m used to light Linux work, but mostly dealt with SonicWall, WatchGuard, Cisco and Meraki. That said, if I get one of these configured and export the config, all of the planned ones (currently 4 needed, but soon 8 more) would be a matter of changing the IPs and the IPsec key and uploading. I’ll look into OpenWRT and possibly pfSense on the APU. I don’t need flashy, but I can’t be bouncing these constantly. I don’t have the time or patience to babysit flaky hardware or software.
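The "configure one, export, change IPs and key, upload" plan above is where fleets of remote boxes usually go wrong: the same pre-shared key gets stamped into every enclosure, so whoever pries one box off a pole holds the key to every tunnel. The following is an added example (not code from the thread or from any firewall vendor) that generates the per-site variations from one template with a distinct /24 and a distinct random PSK per site. Site names, the 203.0.113.x and 10.x addresses, and the swanctl.conf layout (strongSwan's, assumed as the IPsec stack on whatever box is chosen) are all constructed assumptions; the cipher proposals are assumptions too and should be matched to what the hardware accelerates.

```python
"""Stamp out per-site IPsec configs for a fleet of identical remote firewalls.

Added example; not code from the thread. Site names and all addresses are
constructed (RFC 5737 / RFC 1918 ranges), and the output follows strongSwan's
swanctl.conf layout as an assumption about what the chosen firewall runs.
What it enforces: one template, but every site gets its own /24 and its own
random pre-shared key, so a box pried off a pole does not hold the key
that unlocks the other tunnels.
"""
import ipaddress
import secrets
from dataclasses import dataclass

HQ_WAN_IP = "198.51.100.1"                        # assumed: main firewall's public address
HQ_LAN = ipaddress.ip_network("10.0.0.0/16")      # assumed: what the cameras must reach (NVR etc.)
SITE_POOL = ipaddress.ip_network("10.20.0.0/16")  # assumed: one /24 per trailhead carved from here
IKE_PROPOSAL = "aes256gcm16-prfsha256-x25519"     # assumption; use what the hardware accelerates
ESP_PROPOSAL = "aes256gcm16-x25519"


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str
    lan: ipaddress.IPv4Network
    psk: str


def allocate_sites(names, wan_ips, pool=SITE_POOL):
    """Give each site its own /24 from the pool and a fresh 256-bit random PSK."""
    if len(names) != len(wan_ips) or len(set(names)) != len(names):
        raise ValueError("need one unique name and one WAN address per site")
    subnets = pool.subnets(new_prefix=24)
    return [Site(n, w, next(subnets), secrets.token_urlsafe(32))
            for n, w in zip(names, wan_ips)]


def site_swanctl(site):
    """swanctl.conf for the remote box: one IKEv2 connection back to HQ, with
    dead-peer detection so a dropped tunnel is re-established without a visit."""
    return f"""connections {{
    to-hq {{
        version = 2
        local_addrs = {site.wan_ip}
        remote_addrs = {HQ_WAN_IP}
        proposals = {IKE_PROPOSAL}
        dpd_delay = 30s
        local {{
            auth = psk
            id = {site.name}
        }}
        remote {{
            auth = psk
            id = hq
        }}
        children {{
            cameras {{
                local_ts = {site.lan}
                remote_ts = {HQ_LAN}
                esp_proposals = {ESP_PROPOSAL}
                start_action = start
                dpd_action = restart
            }}
        }}
    }}
}}
secrets {{
    ike-hq {{
        id-1 = hq
        id-2 = {site.name}
        secret = "{site.psk}"
    }}
}}
"""


def hq_secrets(sites):
    """The HQ side holds every site's key, each bound to that one site's identity."""
    blocks = "".join(
        f"    ike-{s.name} {{\n        id-1 = hq\n        id-2 = {s.name}\n"
        f"        secret = \"{s.psk}\"\n    }}\n" for s in sites)
    return "secrets {\n" + blocks + "}\n"


def fleet_is_sane(sites):
    """True when no two sites share a subnet, a PSK or a WAN address."""
    n = len(sites)
    return (len({s.lan for s in sites}) == n
            and len({s.psk for s in sites}) == n
            and len({s.wan_ip for s in sites}) == n)


def demo(count=12):
    """Constructed fleet: 4 trailheads now, 8 more later, as in the thread."""
    names = [f"trailhead-{i:02d}" for i in range(1, count + 1)]
    wans = [f"203.0.113.{10 + i}" for i in range(count)]
    return allocate_sites(names, wans)


if __name__ == "__main__":
    fleet = demo()
    print(site_swanctl(fleet[0]))
    print(hq_secrets(fleet))
```

The HQ firewall still needs a matching connection section per site (its remote_ts is that site's /24); only the secrets rendering is shown because that is the part the one-key-for-all shortcut gets wrong. Revoking a stolen box then means deleting one ike-trailhead-NN section at HQ rather than re-keying the whole fleet.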
 

oneplane:
I'd go with OPNsense considering a more recent OS base is used, or OpenWRT. VyOS would be an option if you don't mind the Cisco-style CLI and no WebUI.

But the software isn't all that exciting, it's more of a hardware thing at this point. If you need only a handful of ports, an EdgeRouter might be a good choice. Since you are already familiar with them, I'd say it fits in your setup nicely.

As for crashes etc. just make sure it has a watchdog timer and make sure it is not disabled.
 

oneplane:
(Replying to Stephan's post above.)
None of those issues have popped up elsewhere AFAIK, perhaps it's just a problem on the gaming/consumer mainboards and on windows.
As for QA/ECC: doesn't matter much where you get your hardware or how many bits of error correction you have, network components are garbage in, garbage out. If one part of the chain (i.e. the server) sends bad data, no amount of error correction is going to help you. Same goes for 'crashes', there are plenty of problems that could cause a crash, and unless you have an enabled hardware WDT it again doesn't matter how many bits of error correction your memory has.
 

amalurk (Active Member, joined Dec 16, 2016):
You bought a unit that should work and has support, get them to support it IMHO. Also maybe I am not understanding your setup this early in the morning before coffee but doesn't the edgerouter that you mentioned and you can still ping, support VPN and firewall functions? Can't you simplify and just use that?
 

BoredSysadmin (Not affiliated with Maxell, joined Mar 2, 2019):
I think OP needs an industrial edge firewall; neither Netgate, Topton, nor any DIY SBCs can handle the environmental requirements OP asks for.
Unfortunately, the proper devices for the job aren't cheap. See the Moxa EDR series, Cisco ISA-3000, with Endian being probably one of the cheapest, just under $1k

I bet eBay has more than a few available at much lower prices if you don't mind not having any support.
 

Stephan:
@BoredSysadmin OP hasn't clarified (or has he?) whether commercial support is a must-have. A lot depends on it, I agree.

Btw I've seen a lot of cases where people intentionally opted for self-brewed solutions. Mainly because of low price to appease superiors, but also, funny enough and superiors were unaware, for added job security. "Can't fire Willy, he's the only one who knows how the blinking box in the basement that connects everything works."

Meanwhile CCTV in itself is an art. Most installations I have seen were planned naively. Wrong fields of view, chip not capable or not aided with 940nm IR during night time for 24/7 visibility, no differentiated video streams for capture, movement detection, and so on. Basically if you are not running Frigate with a Google Coral accelerator for object classification and alerting, the solution is stuck in 1995.
 

cadamwil:
(Replying to Stephan's post above.)
The CCTV stuff in this case is Avigilon cameras and is fairly top notch. Commercial support isn’t truly required, as I have found there to be essentially three levels of support. Top level is a Cisco, SonicWall or, back in the old days, IBM; they have enough stuff to have seen about everything and have a solution for about any issue. Second level would be Ubiquiti or QNAP or Trendnet. More home-gamer support: they release updates when needed, develop the software, but not quite as often as the higher tier; more likely to get a “huh, haven’t seen that, try rebooting it”. Third level is open source: fix it yourself, post on a forum, ask a question, get a snarky answer because of your ignorance. Sometimes I find the second level and third to be the same. They have support, but they are fairly useless and you’re better off working it out yourself. I’m probably going to try one of the roll-your-own options. I’d try and see if I could get a deal on the Cisco ISA-3000, but I have $40k of Meraki & Cisco stuff on order since July, so I’m not exactly holding my breath on Cisco deliveries.
 

cadamwil:
(Replying to BoredSysadmin's post above.)
You’re not wrong, but the project doesn’t have the budget for that, has a quicker timeline than the availability of most Cisco stuff, and I’ve found that often there is a good-enough solution from another route. I’m trying to get to 365-day+ uptime, as cheap as possible. I think I’m going to end up trying one of the ALIX 4d4 boards and run either OpenWRT or OPNsense, maybe pfSense. I’m not opposed to any software; it's just that I have seen pfSense on the 1100 and a virtual instance I tried in my home lab be flakier than a SonicWall or other solutions I have used, but it might have been my use case.
 

oneplane:
I'd stick with just another ER4/X, but if it's 100Mbit video streams an option might be any dual-core ARM-based passive router, as long as it has a crypto engine for VPN. All the 'industrial' hardware is usually just old crap with conformal coating and parts ordered with a wider temperature range and glue on everything. Not saying that is a bad thing, but before getting that stuff, make sure you actually know what temperatures/moisture levels to expect. Some setups get into really weird situations where you need a heater because a sudden junction temperature change after downtime is just as problematic as overheating.

If the area it is placed in is dry and non-condensing and not freezing or boiling, a general non-coated FR4 board is fine, it'd be the equivalent of a basement or legacy utility closet.

If you can get an APU that would work fine, but if they are still unavailable a RouterBoard might actually be a viable alternative. Protectli can also work if you have enough airflow. In all cases OpenWRT or OPNsense should work just fine. The APU has a good watchdog timer so a random crash wouldn't be a big deal (it just reboots). Most modern Intel (and AMD) chipsets have those, but on other boards there isn't much of a guarantee.

Ubiquiti used to have a UISP ONT-style box for outside usage that has a POE-passthrough and routing option built in, but I can't seem to find it anymore. It was very small, plenty of sealant and could run a variety of software.
 
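Two posts above (the "make sure it has a watchdog timer and make sure it is not disabled" advice, and the APU watchdog remark here) both come down to one check a practitioner should actually run on the box rather than take on faith: is a watchdog driver loaded, is the device armed, and is some daemon holding it open so that a hang really ends in a reset? The following is an added example, not code from the thread or from any of the distributions mentioned. It reads the Linux kernel's watchdog sysfs attributes (identity, state, timeout, nowayout, bootstatus under /sys/class/watchdog/watchdogN) and parses systemd's RuntimeWatchdogSec= setting; the sysfs root is a parameter, and demo() runs the audit against a constructed fake tree rather than a real machine.

```python
"""Audit the hardware watchdog on a Linux-based firewall box.

Added example; not code from the thread. Reads the kernel's watchdog sysfs
attributes (/sys/class/watchdog/watchdogN/{identity,state,timeout,nowayout,
bootstatus}) and parses RuntimeWatchdogSec= from systemd's system.conf.
On OpenWrt the equivalent check is `ubus call system watchdog` (procd pets
/dev/watchdog by default); on FreeBSD-based firewalls, watchdogd(8).
"""
import re
import tempfile
from pathlib import Path

WDIOF_CARDRESET = 0x20  # linux/watchdog.h: "card previously reset the CPU"
UNIT_SECONDS = {"": 1, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600}


def _read(path, default=""):
    try:
        return Path(path).read_text().strip()
    except OSError:
        return default


def audit_watchdogs(sysfs_root="/sys/class/watchdog"):
    """One dict per watchdog device; 'findings' lists reasons it will not save you."""
    results = []
    for dev in sorted(Path(sysfs_root).glob("watchdog*")):
        timeout = int(_read(dev / "timeout", "0") or 0)
        bootstatus = int(_read(dev / "bootstatus", "0") or 0)
        state = _read(dev / "state", "unknown")
        info = {
            "device": dev.name,
            "identity": _read(dev / "identity", "?"),
            "state": state,                      # "active" only while something holds /dev/watchdogN open
            "timeout_s": timeout,
            "nowayout": _read(dev / "nowayout", "0") == "1",
            "last_reset_by_watchdog": bool(bootstatus & WDIOF_CARDRESET),
            "findings": [],
        }
        if state != "active":
            info["findings"].append(
                "driver loaded but nothing holds /dev/%s open: a hang will not "
                "trigger a reset" % dev.name)
        if timeout == 0:
            info["findings"].append("timeout is 0: device is not armed")
        elif timeout > 120:
            info["findings"].append("timeout %ds is long for an unattended box" % timeout)
        if not info["nowayout"]:
            info["findings"].append(
                "nowayout=0: a daemon that does a magic close ('V' then close) "
                "disarms the watchdog, e.g. when its service is stopped")
        results.append(info)
    if not results:
        results.append({"device": None, "findings": [
            "no watchdog device: driver missing or disabled in firmware"]})
    return results


def systemd_runtime_watchdog(system_conf_text):
    """Seconds configured by RuntimeWatchdogSec= in /etc/systemd/system.conf,
    or None when unset, 0 or off (systemd then never opens /dev/watchdog)."""
    value = None
    for m in re.finditer(r"^\s*RuntimeWatchdogSec\s*=\s*(.*?)\s*$", system_conf_text, re.M):
        value = m.group(1)  # last assignment wins, as in systemd
    if value is None:
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(s|sec|m|min|h)?", value)
    if not m:
        return None         # "off", empty, or unparsable all mean disabled
    seconds = float(m.group(1)) * UNIT_SECONDS[m.group(2) or ""]
    return seconds or None


def demo():
    """Run the audit against two constructed sysfs trees (not a real machine)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trees = {
            "armed": {"identity": "iTCO_wdt", "state": "active", "timeout": "30",
                      "nowayout": "1", "bootstatus": "0"},
            "idle": {"identity": "sp5100_tco", "state": "inactive", "timeout": "60",
                     "nowayout": "0", "bootstatus": str(WDIOF_CARDRESET)},
        }
        for name, attrs in trees.items():
            dev = root / name / "watchdog0"
            dev.mkdir(parents=True)
            for attr, val in attrs.items():
                (dev / attr).write_text(val + "\n")
            out[name] = audit_watchdogs(root / name)[0]
        (root / "none").mkdir()
        out["none"] = audit_watchdogs(root / "none")[0]
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(audit_watchdogs(), indent=2))
    print("systemd:", systemd_runtime_watchdog(_read("/etc/systemd/system.conf")))
```

The "idle" case in demo() is the one that bites unattended boxes: the driver is present, bootstatus even shows the last reboot was a watchdog reset, yet state is inactive because no daemon currently has the device open, so the next hang will stay hung until someone climbs the pole.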

BoredSysadmin:
(Replying to oneplane's post above.)
If I'm not mistaken, according to OP it's mounted inside a box that is mounted 8ft high on a telephone box. Whether it will be crazy hot or cold depends only on the local climate :)
This is why I recommended a device which uses components meant to run in a wider temperature range. For curiosity's sake, I saw several Moxa routers selling starting from $300 on eBay right now. I have no personal experience with them and I am 100% unfamiliar with any licensing/subscription requirements, if any.
 

cadamwil:
Just for those who were wondering, the info on the heater and fans for the boxes.

Fan Setpoint Temperature of +34° C (+93° F)
Heater Setpoint Temperature of -9° C (+16° F)
Hysteresis Window 5° C (9° F)

So, not super tight control; the next boxes I buy will probably be adjustable and I’ll try and kick the heat on at about 35-38 °F and the fan on at about 80 °F.
 

oneplane:
That's good to know. Depending on the climate this means practically anything should be safe (temperature-wise), so that keeps a lot of options open.

As for the Moxa, there is surprisingly little information available, they do have industrial (DIN mounted!) PCs and the firmware seems to be just Linux and CramFS (perhaps a modified OpenWRT build).
 