Author Topic: Favorite cheap multi-GBE SBCs for use as router/firewall appliances  (Read 2722 times)

0 Members and 1 Guest are viewing this topic.

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
A number of cheap SBCs that run limux have multiple gigabit lan ports. They all are very energy efficient, and have GPIOs and have basic connectivity options. But the rest vary a lot.

Do any stand out for good wired networking capabilities when used as a software router/switch?

I dont know much about how the various CPUs perform in that usage scenario.

Presumably they all have GPIOs and UART that can be used with a NMEA speaking device (GPS) and its one pulse per second source for accurate timekeeping?

I don't know much about the many new SBC HW platforms.

Presumably even OSs like FreeBSD might be fairly straightforward to compile on a new hardware platform.. If one had a complete Linux for it.
« Last Edit: July 18, 2021, 11:05:46 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline brucehoult

  • Super Contributor
  • ***
  • Posts: 2368
  • Country: nz
  • Formerly SiFive, Samsung R&D
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #1 on: July 19, 2021, 04:41:59 am »
How many ethernet ports do you want?

If it's more than just a couple then it's hard to go past something designed specifically for the purpose, such as the $99 Mikrotik RB450Gx4 with quad core 716 MHz ARM cpu, 1 GB RAM, and 5 gigE ports. Industrial quality at close to hobbyist prices.

https://mikrotik.com/product/rb450gx4
« Last Edit: July 19, 2021, 10:10:59 am by brucehoult »
 
The following users thanked this post: cdev, I wanted a rude username

Offline brucehoult

  • Super Contributor
  • ***
  • Posts: 2368
  • Country: nz
  • Formerly SiFive, Samsung R&D
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #2 on: July 19, 2021, 04:48:13 am »
Banana Pi BPI-R2 is also an option, but at only $10 less than the Mikrotik I'd go for the Mikrotik every time based on known quality and support.

https://www.amazon.com/Open-Source-Compatible-Raspberry-Quad-core-Cortex-A7/dp/B07JZ8LM6Q
« Last Edit: July 19, 2021, 10:11:22 am by brucehoult »
 
The following users thanked this post: cdev

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 2907
  • Country: fi
    • My home page and email address
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #3 on: July 19, 2021, 08:31:48 am »
For the MikroTik products, do take a look at the Results tab in the product page.  Typical real-world performance is somewhat less, but should give a rough idea of the capabilities.

I'm using an RBM33G as a 4G/LTE router/firewall myself.
 

Offline DiTBho

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: gb
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #4 on: July 19, 2021, 10:55:47 am »
The MediaTek's MTK MT7622 SoCs look interesting ...
« Last Edit: July 19, 2021, 11:41:05 am by DiTBho »
 

Offline DiTBho

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: gb
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #5 on: July 19, 2021, 12:18:21 pm »
FreeBSD

On Atom, Geode, and x86-compatible SoC.
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #6 on: July 20, 2021, 10:23:08 pm »
I have a Geode based HP thin client. But I would need to use a USB NIC and it only has USB2, not USB3

What do you think about firewalling performance?
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #7 on: July 20, 2021, 10:28:25 pm »

The Mikrotic is designed for hat kind of application but closed source and they hav had security issues in the past, but youre right, it does look like a hell of a value and four ports is pretty good, plus the list of features in the OS is quite respectable.

Thanks, this is a good suggestion. One thats pretty hard to beat, even now with all the new SBCs out there.


How many ethernet ports do you want?

If it's more than just a couple then it's hard to go past something designed specifically for the purpose, such as the $99 Mikrotik RB450Gx4 with quad core 716 MHz ARM cpu, 1 GB RAM, and 5 gigE ports. Industrial quality at close to hobbyist prices.

https://mikrotik.com/product/rb450gx4
« Last Edit: July 21, 2021, 12:49:08 am by cdev »
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #8 on: July 21, 2021, 12:50:15 am »
Four ports would be ideal. Two gigabit ports would be adequate.
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #9 on: July 21, 2021, 12:58:34 am »
https://www.amazon.com/Open-Source-Compatible-Raspberry-Quad-core-Cortex-A7/dp/B07JZ8LM6Q
[/quote]

This board looks much more flexible but it is too expensive for me right now. .


Around a year ago I saw a two port Banana Pi that was super cheap, (under $30)

Now I cant find it.
 

Banana Pi BPI-R2 is also an option, but at only $10 less than the Mikrotik I'd go for the Mikrotik every time based on known quality and support.
If I could install some well respected firewall distro. that would be ideal. I would love to find a hardware platform that I could install any x86_64 image onto. A small energy efficient server

Actually, I just remembered I have seen a number of RPI ComputeModule4 expansion boards that have multiple -GBEs I forget their prices.

Buut I dont think super expensive. 
« Last Edit: July 21, 2021, 01:56:22 am by cdev »
"What the large print giveth, the small print taketh away."
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 3939
  • Country: hr
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #10 on: July 21, 2021, 06:48:22 am »
Don't waste your time reinventing the wheel.
Just use Mikrotik.

As for "...and they hav had security issues in the past, ...." comment, by that token, nobody should use ANTHING made by Cisco EVER...

 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 13600
  • Country: us
  • DavidH
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #11 on: July 21, 2021, 07:21:05 am »
I just bought a PC Engines APU2 with 4 x Intel i211AT Gigabit Ethernet ports for that application, and they have ECC RAM as well.
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 2907
  • Country: fi
    • My home page and email address
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #12 on: July 21, 2021, 09:35:29 am »
The Mikrotic is designed for hat kind of application but closed source
I run OpenWRT on my RBM33GRB450gx4 is fully supported by robimarko's OpenWRT branch.

The only closed source part running is the routerboot boot loader, which I personally accept gladly, because it makes these things unbrickable (at least via normal upgrade mechanisms), and is perfectly happy booting OpenWRT.  You could replace that with u-boot, but it just isn't worth it in my opinion.
 

Offline DiTBho

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: gb
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #13 on: July 21, 2021, 08:33:44 pm »
I like OpenWRT, but I would recommend it only to developers and to people who both have skills and strong motivation.
 

Offline DiTBho

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: gb
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #14 on: July 21, 2021, 08:43:46 pm »
I have a Geode based HP thin client. But I would need to use a USB NIC and it only has USB2, not USB3

You mentioned FreeBSD, my answer was only related to the best supported architecture
  • FreeBSD on x86 is Tier class 1 -> Fully-Supported Architectures)
  • FreeBSD on ARM is Tier class 2 -> Developmental and Niche Architectures

Tier class 2
Tier class 2 platforms are functional, but less mature FreeBSD platforms. They are not supported by the security officer, release engineering, and port management teams.
 

Offline dunkemhigh

  • Super Contributor
  • ***
  • Posts: 3182
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #15 on: July 21, 2021, 10:19:50 pm »
I can highly recommend pfSense:

https://www.pfsense.org/products/

Originally ran it on a PC Engines Geode with tiny compact flash, but now it's running on some firewall box which is basically a PC in a firewall-looking case. I've run it in a VM (saves on hardware), installed to clients, paid a bounty to get a feature incorporated, etc. I looked at OpenWRT but that sucks dogs in comparison, IMO.

Netgate sponsors them now (they used to be entirely commercial-free), so the site wants you to buy Netgate stuff. Ignore all that, and the pfSense Plus (unless you need that kind of support, of course). However, that product page does have a handy table of CPU power appropriate to various sustained throughputs, which might be useful in your choice of hardware.
 
The following users thanked this post: cdev

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #16 on: July 21, 2021, 10:47:40 pm »
Yes, PFSense looks like a keeper. I realoly want to have fine grained control. I really need it actually, thanks..
"What the large print giveth, the small print taketh away."
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 13600
  • Country: us
  • DavidH
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #17 on: July 21, 2021, 11:24:37 pm »
Originally ran it on a PC Engines Geode with tiny compact flash, but now it's running on some firewall box which is basically a PC in a firewall-looking case. I've run it in a VM (saves on hardware), installed to clients, paid a bounty to get a feature incorporated, etc. I looked at OpenWRT but that sucks dogs in comparison, IMO.

I am trying to go the other way.  I have been running M0n0wall and pfSense at various times on PC hardware for but picked up a PC Engines APU2 a couple months ago to use instead.

I have been experimenting with OPNsense because it supports more of what I want to do but problems may leave me switching back to pfSense.
 

Offline dunkemhigh

  • Super Contributor
  • ***
  • Posts: 3182
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #18 on: July 21, 2021, 11:54:29 pm »
Quote
I have been experimenting with OPNsense because it supports more of what I want to do but problems may leave me switching back to pfSense.

What kind of problems?

I keep meaning to take a look at it (particularly since it seems many bad remarks were made by the pfSense people), but I rely on pfBlockerNG-devel quite heavily to protect my servers (email hack attempts are annoying, but also provide an unending list of IP ranges to blacklist).
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 13600
  • Country: us
  • DavidH
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #19 on: July 22, 2021, 07:30:53 pm »
Quote
I have been experimenting with OPNsense because it supports more of what I want to do but problems may leave me switching back to pfSense.

What kind of problems?

I have not been able to get DNS working properly with any configuration of DNS.

 

Offline dunkemhigh

  • Super Contributor
  • ***
  • Posts: 3182
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #20 on: July 22, 2021, 09:06:02 pm »
That's not a small problem!
 

Offline dredd

  • Contributor
  • Posts: 5
  • Country: au
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #21 on: August 01, 2021, 12:40:53 pm »
I can highly recommend pfSense:

OPNsense is step ahead of pfSense, you'll be better off. MIT licenced too. www.opnsense.org
 

Offline dunkemhigh

  • Super Contributor
  • ***
  • Posts: 3182
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #22 on: August 01, 2021, 01:10:47 pm »
It's the pfBlockerNG-devel plug-in that would give me pause for thought, possibly terminally. Pretty much essential for my setup.
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #23 on: August 25, 2021, 02:31:20 pm »
OPNSense uses "unbound" as its DNS which is fairly well documented. But there are some gotchas.

If you could post any log messages. there is a small program to check your configuration's well formedness.

Also a program to fetch trust anchor file. There are a bunch of files actually to get the DNS server bootstrpped with the Internet's root DNS servers for the various TLDs and so on.

At the beginning it fetches and caches a lot of data.


Quote
I have been experimenting with OPNsense because it supports more of what I want to do but problems may leave me switching back to pfSense.

What kind of problems?

I have not been able to get DNS working properly with any configuration of DNS.
« Last Edit: August 25, 2021, 02:33:42 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6535
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #24 on: August 25, 2021, 02:35:53 pm »
Quote
I have been experimenting with OPNsense because it supports more of what I want to do but problems may leave me switching back to pfSense.

What kind of problems?

I keep meaning to take a look at it (particularly since it seems many bad remarks were made by the pfSense people), but I rely on pfBlockerNG-devel quite heavily to protect my servers (email hack attempts are annoying, but also provide an unending list of IP ranges to blacklist).

similar to Suricata, Snort, etc, or something better?
"What the large print giveth, the small print taketh away."
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf