Author Topic: Favorite cheap multi-GBE SBCs for use as router/firewall appliances

Offline dunkemhigh

  • Super Contributor
  • ***
  • Posts: 3697
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #25 on: August 25, 2021, 04:05:46 pm »
Maybe. It's hard to tell from the headline feature lists what they can do for me - at least there is a feature list instead of just a list of recent updates :)

As I said, I use the failed email login logs to block ranges of IP (which could range from single IP to entire country). Can those things do that for me?
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6610
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #26 on: August 25, 2021, 06:46:14 pm »
Suricata certainly can. And it's free, but some lists of rules may cost money.
"What the large print giveth, the small print taketh away."
 

Offline dunkemhigh

  • Super Contributor
  • ***
  • Posts: 3697
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #27 on: August 25, 2021, 08:10:15 pm »
How would it know the mail server has bumped an incorrect login?
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 960
  • Country: ca
    • VE7XEN Blog
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #28 on: August 25, 2021, 08:45:53 pm »
The vendor Qotom on Aliexpress builds a variety of fanless mini PCs with up to 8 Intel NICs and Atom to i7 CPUs that are a good fit for this use. Price point is higher than Mikrotik etc. but performance is too. I've been evaluating one of them for potential wide deployment at $DAYJOB and been pretty happy with it. It's the best value I've found for an x86 GigE-class network appliance. No other affiliation.

Lanner out of Taiwan is a somewhat more 'respected' vendor of similar appliances, at the corresponding higher price point and annoying distribution channel. These are nice too but expensive.
73 de VE7XEN
He/Him
 
The following users thanked this post: cdev, dunkemhigh

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6610
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #29 on: August 27, 2021, 05:19:38 pm »
There are now several new options based on the Raspberry Pi 4 Compute Module. They are described as carrier boards and all I have seen have two ports; the CM costs around $25 and these carrier boards run as little as $30. So they make a functional small router/firewall box starting at around $55 that can handle gigabit Ethernet.

That's pretty cheap.
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6610
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #30 on: August 27, 2021, 05:25:26 pm »
Quote
The vendor Qotom on Aliexpress builds a variety of fanless mini PCs with up to 8 Intel NICs and Atom to i7 CPUs that are a good fit for this use. Price point is higher than Mikrotik etc. but performance is too. I've been evaluating one of them for potential wide deployment at $DAYJOB and been pretty happy with it. It's the best value I've found for an x86 GigE-class network appliance. No other affiliation.

Lanner out of Taiwan is a somewhat more 'respected' vendor of similar appliances, at the corresponding higher price point and annoying distribution channel. These are nice too but expensive.

I've looked at them but they seem a bit more expensive than I'd hope them to be. Thin clients are a lot cheaper, it seems. Some are basically really cheap.

What do people think about using USB3 NICs with a USB3-capable thin client and a USB3 hub for a firewall?
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6610
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #31 on: August 27, 2021, 05:30:18 pm »
What do the Mikrotiks with their dedicated switch chips bring to the table that's superior to a plain PC with multiple NICs? Performance, but is the performance that much better? How does that work? I am looking for an explanation about how the hardware elements interact.

I think the setup I am envisioning would ideally need at least four ports plus WAN so five. This is to have physical separation between different kinds of devices (like VOIP phones, servers and PCs and wireless PCs) all with a firewall to rule them all...


Quote
How many ethernet ports do you want?

If it's more than just a couple then it's hard to go past something designed specifically for the purpose, such as the $99 Mikrotik RB450Gx4 with quad core 716 MHz ARM cpu, 1 GB RAM, and 5 gigE ports. Industrial quality at close to hobbyist prices.

https://mikrotik.com/product/rb450gx4
« Last Edit: August 27, 2021, 05:34:26 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6610
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #32 on: August 27, 2021, 05:44:26 pm »
Quote
How would it know the mail server has bumped an incorrect login?

By parsing your mail server's log for strings indicating so?  And comparing that info to its own internal queue's records?

With the caveat that I literally have just recently started looking at them, it appears they use dedicated filters to break packets into categories and then operate on the individual packets in queues before letting them go to their final destinations. Suricata uses a language, "Rust", which seems particularly well suited for doing this.

Similar to a firewall but with finer granularity and more verbosity in logging. The IDS systems (Suricata, Snort, and it seems many others, most of which support rules written in one of the two formats) download large text files that contain literally thousands of rules every hour or day or week or so and update their behaviors. They can go much further than the log-centric approach of checking that IP addresses and domain names resolve to something that makes sense for what they are doing, or checking them against a "bad people" list and then adding failed attempts to a list the firewall then blocks for a period of time (that's what fail2ban does). Smaller switch/routers, even the fancy ones like the aforementioned ones, seem to not be up for being used with or as an IDS. They just don't have the horsepower.

They may also (like fail2ban) keep records of failed logins in a fast database and make it extremely difficult to sit at a server trying different logins or passwords, all the time compiling statistics if anybody keeps trying and failing again and again. The more they try, the more the ban that's used for them is lengthened or expanded to a larger scope, say banning entire hosting companies or IP address blocks if banning similar hosts makes sense, etc.
« Last Edit: August 27, 2021, 05:58:02 pm by cdev »
"What the large print giveth, the small print taketh away."
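The fail2ban-style mechanism described in the post above (count failed logins per source, ban after a threshold, lengthen the ban for repeat offenders, widen it to the surrounding address block), written out as an added example. This is illustrative code, not fail2ban's or Suricata's implementation. It assumes Dovecot-format auth-failure lines and a fixed log year; the sample log lines, the thresholds (3 failures in 10 minutes, 10-minute base ban, /24 block ban once two hosts in the block are banned) and all names are constructed for the example.

```python
"""fail2ban-style ban escalation over mail-server auth failures (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Dovecot-style log lines (not real traffic); one success and one
# unrelated postfix line are included to show that they are ignored.
SAMPLE_LOG = """\
Aug 25 03:01:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Aug 25 03:01:14 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Aug 25 03:01:19 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Aug 25 03:02:00 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.7, lip=198.51.100.5
Aug 25 03:05:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5
Aug 25 03:05:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5
Aug 25 03:05:08 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.5
Aug 25 03:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Aug 25 03:30:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Aug 25 03:30:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5
Aug 25 03:31:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5
Aug 25 03:32:00 mx postfix/smtpd[123]: connect from unknown[203.0.113.12]
"""

# Matches only Dovecot "auth failed" disconnects and captures timestamp and remote IP.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed.*?\brip=(?P<ip>\d+(?:\.\d+){3})"
)


class Banlist:
    """Sliding-window failure counter with escalating, widening bans."""

    def __init__(self, maxretry=3, findtime=600, bantime=600, block_threshold=2, year=2021):
        self.maxretry = maxretry                    # failures inside findtime that trigger a ban
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)   # base ban, doubled per repeat offence
        self.block_threshold = block_threshold      # banned hosts in one /24 before banning the /24
        self.year = year                            # syslog lines carry no year (assumed)
        self.failures = defaultdict(deque)          # ip -> timestamps of recent failures
        self.strikes = defaultdict(int)             # ip -> how many times it has been banned
        self.bans = {}                              # "addr/prefix" -> expiry datetime
        self.banned_in_block = defaultdict(set)     # /24 network -> banned hosts inside it

    def _parse(self, line):
        m = AUTH_FAIL.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, ipaddress.ip_address(m["ip"])

    def feed(self, line):
        """Consume one log line; return (banned_prefix, seconds) when a ban is issued."""
        parsed = self._parse(line)
        if parsed is None:
            return None
        now, ip = parsed
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:   # forget old failures
            window.popleft()
        if len(window) < self.maxretry:
            return None
        window.clear()
        return self._ban(ip, now)

    def _ban(self, ip, now):
        self.strikes[ip] += 1
        duration = self.bantime * (2 ** (self.strikes[ip] - 1))   # recidive: 10m, 20m, 40m ...
        expiry = now + duration
        self.bans[f"{ip}/32"] = expiry
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        self.banned_in_block[block].add(ip)
        if len(self.banned_in_block[block]) >= self.block_threshold:
            # Enough distinct hosts in this /24: widen the ban to the whole block.
            self.bans[str(block)] = max(self.bans.get(str(block), expiry), expiry)
            return str(block), int(duration.total_seconds())
        return f"{ip}/32", int(duration.total_seconds())

    def is_banned(self, ip, now):
        """True if `ip` falls inside any ban still active at `now` (datetime or ISO string)."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        ip = ipaddress.ip_address(ip)
        return any(now < expiry and ip in ipaddress.ip_network(net)
                   for net, expiry in self.bans.items())


def run(log_text, **policy):
    """Feed every line of `log_text`; return the Banlist and the list of ban decisions."""
    bl = Banlist(**policy)
    decisions = [d for d in (bl.feed(line) for line in log_text.splitlines()) if d]
    return bl, decisions


if __name__ == "__main__":
    banlist, issued = run(SAMPLE_LOG)
    for prefix, seconds in issued:
        print(f"ban {prefix} for {seconds}s")
```

Running it against the constructed log bans 203.0.113.10/32 first, then widens to 203.0.113.0/24 once 203.0.113.11 is also banned, and doubles the duration when 203.0.113.10 comes back. Hosts never seen in the block (203.0.113.12) are caught by the block ban while it lasts; a single failure from 198.51.100.77 never triggers anything. In a real deployment the decisions would be pushed into a firewall set with timeouts (nftables or ipset) rather than kept in a Python dict.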
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 960
  • Country: ca
    • VE7XEN Blog
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #33 on: August 27, 2021, 06:10:42 pm »
Quote
I've looked at them but they seem a bit more expensive than I'd hope them to be. Thin clients are a lot cheaper, it seems. Some are basically really cheap.

What do people think about using USB3 NICs with a USB3-capable thin client and a USB3 hub for a firewall?

In theory it will work, but it's pretty janky and may be unreliable. I have also found most USB3 NICs struggle to achieve close to 1G of throughput. If you don't need multi-Gbps of throughput, I would prefer to use one or two real 1G interfaces from the thin client/NUC/mini PC to a managed switch and make a 'router on a stick' using VLANs.

Quote
What do the Mikrotiks with their dedicated switch chips bring to the table that's superior to a plain PC with multiple NICs? Performance, but is the performance that much better? How does that work? I am looking for an explanation about how the hardware elements interact.

The switch means that port-to-port traffic within the same VLAN doesn't need to hit the CPU for bridging, so depending on your use case may improve performance. But it sounds like in your case it won't help at all, any routing / NAT needs to be done on the CPU. It's basically a way to save BOM cost by avoiding needing dedicated NICs for every port (which also means you need a PCIe interface on the controller and a bus for the NICs). You can assign different VLANs to each port with a single (internal) GigE attached to the CPU and it appears to outside hosts that each port is independent. Very common for low-end network hardware to be designed this way. Basically what I suggest above, but integrated in the box.
73 de VE7XEN
He/Him
 

Offline bingo600

  • Super Contributor
  • ***
  • Posts: 1669
  • Country: dk
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #34 on: September 12, 2021, 06:25:30 pm »
Quote
I'd go for the Mikrotik every time based on known quality and support.

Quality   :-DD  ... "Cough..Cough"
https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/


Well, to be fair, I have used some OK products from them, but they seem to have quite some Oopzes in RouterOS.

/Bingo
 
The following users thanked this post: cdev

Offline cdev

  • Super Contributor
  • ***
  • Posts: 6610
  • Country: 00
Re: Favorite cheap multi-GBE SBCs for use as router/firewall appliances
« Reply #35 on: September 19, 2021, 05:40:32 pm »
I have to say though, they pack a lot of value into those devices.

Whenever a manufacturer does that its impossible to avoid vulnerabilities, etc. unless they have an unlimited budget. (or somebody else does)

Quote
Quote
I'd go for the Mikrotik every time based on known quality and support.

Quality   :-DD  ... "Cough..Cough"
https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

Well, to be fair, I have used some OK products from them, but they seem to have quite some Oopzes in RouterOS.

/Bingo

I think their user-interface could be improved a lot without too much pain.
"What the large print giveth, the small print taketh away."
 
