
Favorite cheap multi-GBE SBCs for use as router/firewall appliances


cdev:

--- Quote from: ve7xen on August 25, 2021, 08:45:53 pm ---The vendor Qotom on Aliexpress builds a variety of fanless mini PCs with up to 8 Intel NICs and Atom to i7 CPUs that are a good fit for this use. Price point is higher than Mikrotik etc. but performance is too. I've been evaluating one of them for potential wide deployment at $DAYJOB and been pretty happy with it. It's the best value I've found for an x86 GigE-class network appliance. No other affiliation.

Lanner out of Taiwan is a somewhat more 'respected' vendor of similar appliances, at the corresponding higher price point and annoying distribution channel. These are nice too but expensive.

--- End quote ---

I've looked at them but they seem a bit more expensive than I'd hope them to be. Thin clients are a lot cheaper, it seems. Some are basically really cheap.

What do people think about using USB3 NICs with a USB3-capable thin client and a USB3 hub for a firewall?

cdev:
What do the Mikrotiks with their dedicated switch chips bring to the table that's superior to a plain PC with multiple NICs? Performance, but is the performance that much better? How does that work? I am looking for an explanation about how the hardware elements interact.

I think the setup I am envisioning would ideally need at least four ports plus WAN so five. This is to have physical separation between different kinds of devices (like VOIP phones, servers and PCs and wireless PCs) all with a firewall to rule them all...



--- Quote from: brucehoult on July 19, 2021, 04:41:59 am ---How many ethernet ports do you want?

If it's more than just a couple then it's hard to go past something designed specifically for the purpose, such as the $99 Mikrotik RB450Gx4 with quad core 716 MHz ARM cpu, 1 GB RAM, and 5 gigE ports. Industrial quality at close to hobbyist prices.

https://mikrotik.com/product/rb450gx4

--- End quote ---

cdev:

--- Quote from: dunkemhigh on August 25, 2021, 08:10:15 pm ---How would it know the mail server has bumped an incorrect login?

--- End quote ---

By parsing your mail server's log for strings indicating so? And comparing that info to its own internal queue's records?

With the caveat that I literally have just recently started looking at them, it appears they use dedicated filters to break packets into categories and then operate on the individual packets in queues, before letting them go to their final destinations. Suricata uses a language "Rust" which seems particularly well suited for doing this.

Similar to a firewall but with finer granularity and more verbosity in logging. The IDS systems (Suricata, Snort, and it seems many others, most of which support rules written in one of the two formats) download large text files that contain literally thousands of rules every hour or day or week or so and update their behaviors. They can go much further than the log-centric checking IP addresses and domain names resolve to something that makes sense for what they are doing or check them against a "bad people" list and then adding failed attempts to a list the firewall then blocks for a period of time (that's what fail2ban does). Smaller switch/routers, even the fancy ones like the aforementioned ones, seem to not be up for being used with or as an IDS. They just don't have the horsepower.

They may also (like fail2ban) keep records of failed logins in a fast database and make it extremely difficult to sit at a server trying different logins or passwords. All the time compiling statistics if anybody keeps trying and failing again and again. The more they try, the more the ban that's used for them is lengthened or expanded to a larger scope, say banning entire hosting companies or IP address blocks if banning similar hosts makes sense, etc.
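The log-driven banning described in the post above, as an added example that is not part of the original thread and is not fail2ban's own code: it counts failed logins per source address in a sliding window and doubles the ban on each repeat offence. The log format, the thresholds and the doubling policy are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified, made-up format (not a real MTA's output).
SAMPLE_LOG = """\
2021-08-27T17:00:01 auth failed user=alice rip=203.0.113.7
2021-08-27T17:00:05 auth failed user=admin rip=203.0.113.7
2021-08-27T17:00:09 auth ok user=bob rip=198.51.100.20
2021-08-27T17:00:12 auth failed user=root rip=203.0.113.7
2021-08-27T17:20:30 auth failed user=alice rip=203.0.113.7
2021-08-27T17:20:31 auth failed user=alice rip=203.0.113.7
2021-08-27T17:20:33 auth failed user=test rip=203.0.113.7
2021-08-27T17:30:00 auth failed user=bob rip=198.51.100.20
"""

FAIL_RE = re.compile(r"^(\S+) auth failed user=\S+ rip=(\d{1,3}(?:\.\d{1,3}){3})$")
MAX_RETRY = 3                      # assumed: failures tolerated inside FIND_TIME
FIND_TIME = timedelta(minutes=10)  # assumed: sliding window for counting failures
BASE_BAN = timedelta(minutes=10)   # assumed: first ban, doubled on every repeat

def scan(log_text):
    """Return a list of (ban_start, ip, ban_duration) decisions."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    offences = defaultdict(int)    # ip -> number of earlier bans
    banned_until = {}              # ip -> end of the current ban
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue               # successful logins and unrelated lines
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue               # source is already blocked at the firewall
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > FIND_TIME:
            window.popleft()       # forget failures older than the window
        if len(window) >= MAX_RETRY:
            duration = BASE_BAN * (2 ** offences[ip])
            offences[ip] += 1
            banned_until[ip] = ts + duration
            bans.append((ts, ip, duration))
            window.clear()         # start counting afresh after the ban
    return bans

if __name__ == "__main__":
    for start, ip, duration in scan(SAMPLE_LOG):
        print(f"{start.isoformat()} ban {ip} for {duration}")
```

In a real deployment each decision would be handed to the firewall as a timed block rule; here the list of decisions is only returned.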

ve7xen:

--- Quote from: cdev on August 27, 2021, 05:25:26 pm ---I've looked at them but they seem a bit more expensive than I'd hope them to be. Thin clients are a lot cheaper, it seems. Some are basically really cheap.

What do people think about using USB3 NICs with a USB3-capable thin client and a USB3 hub for a firewall?

--- End quote ---

In theory it will work, but it's pretty janky and may be unreliable. I have also found most USB3 NICs struggle to achieve close to 1G of throughput. If you don't need multi-Gbps of throughput, I would prefer to use one or two real 1G interfaces from the thin client/NUC/mini PC to a managed switch and make a 'router on a stick' using VLANs.


--- Quote ---What do the Mikrotiks with their dedicated switch chips bring to the table that's superior to a plain PC with multiple NICs? Performance, but is the performance that much better? How does that work? I am looking for an explanation about how the hardware elements interact.
--- End quote ---

The switch means that port-to-port traffic within the same VLAN doesn't need to hit the CPU for bridging, so depending on your use case may improve performance. But it sounds like in your case it won't help at all, any routing / NAT needs to be done on the CPU. It's basically a way to save BOM cost by avoiding needing dedicated NICs for every port (which also means you need a PCIe interface on the controller and a bus for the NICs). You can assign different VLANs to each port with a single (internal) GigE attached to the CPU and it appears to outside hosts that each port is independent. Very common for low-end network hardware to be designed this way. Basically what I suggest above, but integrated in the box.

bingo600:

--- Quote from: brucehoult on July 19, 2021, 04:48:13 am ---I'd go for the Mikrotik every time based on known quality and support.

--- End quote ---

Quality   :-DD  ... "Cough..Cough"
https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/


Well, to be fair, I have used some OK products from them, but they seem to have quite some Oopzes in RouterOS

/Bingo
