Smallest, cheapest hardware for OpenBSD router + firewall

[beiroot]

What is the smallest, cheapest hardware you can run OpenBSD on as a router + firewall? I've briefly googled, read tedu's blog along with obsd architecture support and searched this forum, but I'm curious of your opinions. Maybe you have some experience in such "rollouts"?

I guess the ideal one would be: fanless, energy-saving, with at least two eth or one + possibility to extend. Maybe wifi?

What is your opinion?

P.S: Correct me if I'm wrong, but if it runs OpenBSD it might as well run httpd, ntpd, dns, maild, ftpd etc. and I guess it's all a matter of performance, right?

[jggimi]

I use ALIX platforms from PC Engines. These are AMD Geode 32-bit uniprocessors with 100Mbps NICs. I find the processors are more than powerful enough for routing packets at that speed. If you don't require Gigabit or faster networks, these may meet your needs for routing packets.

However, storage I/O may be a limiting factor for "server" applications, as for some models of ALIX, Compact Flash is the provisioned media. ALIX machines can also be configured with USB 2.0, but for my ALIX machines (all ALIX.2 series) USB mass storage cannot be used for boot, and the admin should consider the power requirements of any attached USB device.

PC Engines also markets more modern small systems: the APU and APU2, with Gigiabit NICs and 64-bit capable multi-core CPUs.

http://www.pcengines.ch/index.htm

[da1]

https://soekris.com/

[fvgit]

Quote:

Originally Posted by da1

https://soekris.com/

They're nice, I have a net5501. But they're not exactly the cheapest solution, which the OP asked for.

[jggimi]

Careful shopping is certainly required. And newer technology may not be significantly more expensive than older products.

For example, PC Engines sells the apu2c4 for € 8 / $13 more than the alix2d18. This is a significant jump in power, capacity, and capability for a relatively low incremental cost.

In addition, while the ALIX and its technological peers may meet capacity needs today -- they do for me -- PC Engines has already placed the ALIX systems on an end-of-life roadmap. http://www.pcengines.ch/eol.htm.

Long term product availability should be of some consideration for the ALIX and other Geode-based platforms like the Soekris net5501.

[bsd-keith]

I'd imagine a 10" netbook would work, cheap & powerful enough I would have thought, but I don't do server stuff, so I'm just putting it forward for consideration.

[jggimi]

They can be used, but generally they don't fare as well as equipment designed for the purpose:

• They have limited network connectivity.(USB dongles might extend this.)
• Power consumption is significantly higher, so operating costs are higher. Even if the CPUs were the same, they have graphics cards that draw power and may need fans for cooling.
• Heat management may be a problem - even with forced air cooling, netbooks are not usually designed to operate 7/24 with the display closed over the keyboard. (Leaving the netbook open may help with cooling, but may not be possible.)
• Even netbooks are much larger than the typical Soekris / PC Engines device, because netbooks have video displays.

[beiroot]

Thanks for your replys.
Soerkis is really nice, but quite expensive - in Europe 210 euro for the board only. Adding case and power supply - something around 270. Way too much for my budget now.

Netbook is not an option since it has a fan a can have heating problems as jggmi said.

I think the PC-Engine and Ubiquiti (Ubiquiti EdgeMax EdgeRouter Lite ERLite-3 512MB Memory 3 Ethernet Ports Router - from tedu's blog) are kinda what I'm thinking.

What do you think about Beagle Board?
Any other ideas?

[jggimi]

Quote:

Originally Posted by beiroot

Any other ideas?

Topology thoughts.

I began using all three NICs on the alix2d13 systems in a topology similar to this common single router configuration:

1. ISP network
2. LAN network
3. DMZ network

I didn't have a DMZ network requirement -- as the ALIX systems are deployed in pairs with carp(4) for redundancy, I used the third NIC for router-to-router private networking. The third NICs were interconnected with a cross-over cable.

1. ISP network
2. LAN network
3. Private router-to-router network

But over time, my topology requirements grew. Today, a pair of ALIX systems now routes to 8 LANs. Yet I've reduced the number of NICs I use on each ALIX machine to two, leaving the third NIC empty. I trunk(4) the two NICs I am using, and then deploy vlan(4) pseudo-NICs as needed.

Adding 802.1Q VLAN capability to my Ethernet networks has been the most significant change I've made to them since deploying twisted-pair Ethernet. Hubs -> unmanaged switches was just performance improvement. 10 -> 100 -> 1000baseT was just bandwidth improvement. Neither altered the network topology.

The only reason I'm not using all three NICS is that I'm out of ports on my managed switch. If there were spare ports, I would add these NICs to the trunk().

With a managed switch, even a single-NIC computer could be deployed as a router -- this is a so-called "router on a stick." Depending on your bandwidth and connectivity requirements, a managed switch gives you much more flexibility in systems choices. You need not necessarily restrict yourself to considering 3-NIC or 4-NIC systems.

[pttymuth]

BeagleBone Green can accomplish this for $40, but there isn't much in the way of extra packages available for the armv7 port. Luckily OpenBSD can do a lot out of the box, including what your asking for.

[beiroot]

jggmi thanks a lot for your post. It was very educational It gave me a fresh look at this topic because I haven't thought of trunking, managed switch or router on a stick.

pttymuth, thanks, I'll check that out. BB Green seems to be the cheapest idea. However, I would need to follow jggmi's scenario and buy a managed router. Any ideas for that, guys?

Generally, what I'm aiming at my home is the architecture you can see in the attached file (found it googling). A word of explanation on the labels since they're in Polish:

- On the bottom left, it's the ISP
- Router1 is the cheapest, smallest obsd machine I asked about
- Router2 is a SOHO router with wifi
- routers can't be connect via cable - architectural constrains
- PC2 is in fact an OpenBSD test range server I would like to keep in the DMZ
- there could be other pcs upstairs

I know it's complicated, if not stupid, but believe me, if I could lay cables and make it properly, I most definitely would.

Any ideas how to reasonably make it work?

[jggimi]

Some additional thoughts, based on your requirement to use Ethernet over radio. They are in no particular order.

• If you want a server to be happy, attach it to wired networks only. Client systems can withstand to be on wireless, but not servers. Do what ever you need to do to move servers off of your wireless network segments.
• When shopping for low-cost managed switches, look for "802.1Q" in the specifications. This is the VLAN standard. If you also want to do managed trunking, look also for "802.3ad" in the specification, as this is the Link Aggregation Control Protocol (LACP) standard. I am using a managed switch that does not support LACP, but does support simple "round robin" static trunking.
• In a VLAN environment, standard Ethernet is considered "untagged", and Ethernet frames that include VLAN headers are considered "tagged." When you configure a managed switch, you assign VLANs to ports, and whether the port will use tagged or untagged Ethernet. An untagged port would be dedicated to a specific VLAN, and that VLAN becomes a "physical" LAN if you connect the port to an unmanaged switch or to a WiFi bridge, for example.
• I do not have any VLAN-capable WiFi access point devices. I don't need them, since I do not operate multiple WiFi networks at this time.

[bsdprefer]

PC Engines has already other newer platform "APU". It has gigabit ports, 4Gb of RAM, 1 GHz CPU quad core, etc Example : http://pcengines.ch/apu2c4.htm

Is someone using it ? How well OpenBSD performs on it ?

[ocicat]

Quote:

Originally Posted by bsdprefer

Is someone using it ? How well OpenBSD performs on it ?

Welcome!

The APU series is slightly more expensive that the original Alix boxen, but the faster processor is certainly appreciated, the larger memory size can easily be used, & the 1GB network connections can be beneficial if networking can support it.

It's a reasonable second generation.

How does OpenBSD run on it? Great! Many project developers use Alix & APU systems, so they are fully supported.

More comments can be found earlier in the thread.

[denta]

I've been using an apu1d4 (3 LAN, 4 GB DRAM, T40E CPU) as router/firewall for about a year, and its been really great so far.

Code:

OpenBSD 6.0-current (GENERIC.MP) #0: Sat Nov 26 21:52:43 MST 2016
    build@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error ff<clock_battery,ROM_cksum,config_unit,memory_size,fixed_disk,invalid_time>
real mem = 4246003712 (4049MB)
avail mem = 4112728064 (3922MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdf16d820 (7 entries)
bios0: vendor coreboot version "4.0" date 09/08/2014
bios0: PC Engines APU
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SPCR HPET APIC HEST SSDT SSDT SSDT
acpi0: wakeup devices AGPB(S4) HDMI(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PE20(S4) PE21(S4) PE22(S4) PE23(S4) PIBR(S4) UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD G-T40E Processor, 1000.13 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD G-T40E Processor, 1000.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 21, 24 pins
acpiprt0 at acpi0: bus -1 (AGPB)
acpiprt1 at acpi0: bus -1 (HDMI)
acpiprt2 at acpi0: bus 1 (PBR4)
acpiprt3 at acpi0: bus 2 (PBR5)
acpiprt4 at acpi0: bus 3 (PBR6)
acpiprt5 at acpi0: bus -1 (PBR7)
acpiprt6 at acpi0: bus 5 (PE20)
acpiprt7 at acpi0: bus -1 (PE21)
acpiprt8 at acpi0: bus -1 (PE22)
acpiprt9 at acpi0: bus -1 (PE23)
acpiprt10 at acpi0: bus 0 (PCI0)
acpiprt11 at acpi0: bus 4 (PIBR)
acpicpu0 at acpi0: C2(0@100 io@0x841), C1(@1 halt!), PSS
acpicpu1 at acpi0: C2(0@100 io@0x841), C1(@1 halt!), PSS
acpibtn0 at acpi0: PWRB
cpu0: 1000 MHz: speeds: 1000 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD AMD64 14h Host" rev 0x00
ppb0 at pci0 dev 4 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:40:e6:40
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb1 at pci0 dev 5 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
re1 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:40:e6:41
rgephy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb2 at pci0 dev 6 function 0 "AMD AMD64 14h PCIE" rev 0x00: msi
pci3 at ppb2 bus 3
re2 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:40:e6:42
rgephy2 at re2 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 2 int 19, AHCI 1.2
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, SATA SSD, S9FM> SCSI3 0/direct fixed t10.ATA_SATA_SSD_A1AE07570FDF00008448
sd0: 15272MB, 512 bytes/sector, 31277232 sectors, thin
ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
ohci1 at pci0 dev 19 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x42: polling
iic0 at piixpm0
pcib0 at pci0 dev 20 function 3 "ATI SB700 ISA" rev 0x40
ppb3 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x40
pci4 at ppb3 bus 4
ohci2 at pci0 dev 20 function 5 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
ppb4 at pci0 dev 21 function 0 "ATI SB800 PCIE" rev 0x00
pci5 at ppb4 bus 5
ohci3 at pci0 dev 22 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
ehci2 at pci0 dev 22 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb2 at ehci2: USB revision 2.0
uhub2 at usb2 configuration 1 interface 0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
pchb1 at pci0 dev 24 function 0 "AMD AMD64 14h Link Cfg" rev 0x43
pchb2 at pci0 dev 24 function 1 "AMD AMD64 14h Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 14h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 14h Misc Cfg" rev 0x00
pchb4 at pci0 dev 24 function 4 "AMD AMD64 14h CPU Power" rev 0x00
pchb5 at pci0 dev 24 function 5 "AMD AMD64 14h Reserved" rev 0x00
pchb6 at pci0 dev 24 function 6 "AMD AMD64 14h NB Power" rev 0x00
pchb7 at pci0 dev 24 function 7 "AMD AMD64 14h Reserved" rev 0x00
usb3 at ohci0: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci1: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT5104D rev 0x52
usb5 at ohci2: USB revision 1.0
uhub5 at usb5 configuration 1 interface 0 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb6 at ohci3: USB revision 1.0
uhub6 at usb6 configuration 1 interface 0 "ATI OHCI root hub" rev 1.00/1.00 addr 1
vmm at mainbus0 not configured
umass0 at uhub2 port 1 configuration 1 interface 0 "Generic Flash Card Reader/Writer" rev 2.01/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <Multiple, Card Reader, 1.00> SCSI2 0/direct removable serial.058f6366058F63666485
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (fcdfd597abb22259.a) swap on sd0b dump on sd0b

[beiroot]

Guys, what about RouterBoard?

[jggimi]

The only Routerboard I'm aware of that was supported was the RB600A, via the socppc architecture. The most recent build for that architecture was 5.8, in 2015.

I found a discussion of other Routerboards in the misc@ archives.

[beiroot]

How about hardware that has a built-in ADSL modem? Neither Soekris nor ALIX nor APU2 has it...
My idea is to have all-in-one modem+router+firewall on OpenBSD. Something that might replace FritzBox or any other commercial home appliance.

[vgk]

How about one of these.
Ubiquiti Networks EdgeRouter LITE
Ubiquiti Networks EdgeRouter PoE
I think the LITE costs $100.
You can run the OpenBSD Octeon port.
https://www.openbsd.org/octeon.html

[shep]

Quote:

P.S: Correct me if I'm wrong, but if it runs OpenBSD it might as well run httpd, ntpd, dns, maild, ftpd etc. and I guess it's all a matter of performance, right?

Although a compromise, The OpenWRT project allows the addition of packages to a custom built linux firmware. I think all the services you listed above are available. The key is to have adequate flash and ram.

OpenWRT packages

One topology would be an openbsd based, pf filtering firewall, between your modem and a cheap refurbished router with openwrt+custom packages