Re: Equipment for OBSD based firewall

2018-09-10 Thread Jordan Geoghegan

On 09/10/18 08:22, Sonic wrote:
> How does the Edgerouter compare in performance to an Atom 2358/2558
> based system?
> Especially interested in firewall performance using site-to-site VPN's.



There's trade-offs for everything. The x86 platform is fundamentally 
flawed and contains innumerable backdoors and vulnerabilities. The 
C2000 chip series has issues with hardware/circuit degradation. On 
MIPS64 the mmu lacks support for W^X and the pmap module only supports 
32 bit mappings resulting in weaker ASLR, there's also no rtc on octeon.


In terms of performance, I've found the Edgerouter Pro to be able to 
handle half a gigabit of traffic no problem. I've never owned an APU / 
soekris device to compare the performance to. Obviously a 2 or 3 Ghz x86 
machine is going to push more packets through sheer brute force, but for 
the average home or office connection, there will be no difference 
unless you're among the lucky few with a synchronous gigabit connection. 
For my clients or family/friends with their measly 30/5 or 80/8 
connections, an ERL running fq_codel QoS runs great, and pulls less than 
10 watts of power.  Something like a soekris device would be unnecessary 
overkill.  Even in situations where I was working with 100/100 or 
250/250 connections, the ERPro handled it like a champ. A buddy of mine 
has been running a PowerMac G4 as an OpenBSD router/firewall for his 
150/150 fibre connection for many years just because he doesn't like 
x86. I've seen benchmarks of the early beta octeon IPsec hw acceleration 
being able to push around 50Mbit/s on an Edgerouter Lite. There should 
be better performance on the ERPro, but I have yet to see any benchmarks.




Re: Equipment for OBSD based firewall

2018-09-10 Thread Sonic
How does the Edgerouter compare in performance to an Atom 2358/2558
based system?
Especially interested in firewall performance using site-to-site VPN's.

On Mon, Sep 3, 2018 at 8:01 PM Jordan Geoghegan  wrote:
>
> On 09/03/18 16:17, Bogdan Kulbida wrote:
> > Ladies and gentlemen,
> >
> > I need to build a pf OBSD firewall for a small office. What minimally
> > feasible equipment would you recommend in order to achieve this goal?
> >
> > Thank you!
> I've run multiple office networks on octeon devices. I've found the
> Edgerouter and Edgerouter Pro to be quite performant. The Edgerouter Pro
> can easily handle a 100/100 connection or even a 250/250 connection. I
> like them because they're free of any spectre / fpu bugs as they use an
> in-order CPU. OpenBSD also supports hw accelerated IPsec on them. I've
> used them to run DHCP and DNS servers, used them heavily as jump
> hosts/proxies and also ran my unbound-adblock and pf-badhost scripts;
> with over 100,000 domains and IP/CIDR blocks being filtered while
> pushing dozens of terabytes in network traffic through them each month,
> they've proven to be rock solid. If you have modest needs, then an
> Edgerouter lite should suffice.
>
> Keep in mind, these are just my personal opinions, and I am biased. I
> can't stand the thought of having an x86 machine exposed on the open
> internet, much less trusting it to secure and segment my network. With
> spooky management engine shenanigans and hardware bugs abound, I'm just
> not interested in putting my faith in x86 again. Too much emotion, too
> much garbage.
>
> Cheers,
> Jordan
>



Re: Equipment for OBSD based firewall

2018-09-05 Thread Nick Holland
On 09/04/18 00:57, Joel Wirāmu Pauling wrote:
> But - The thing that isn't mentioned here is basically Power Cost and
> Consumption vs PPS(Packet Processing Speed).
> 
> IMNSHO running on anything that doesn't ;
> 
> A) Have passive Cooling
> B) Is older than a couple of years (in intel/amd terms anything with a
> TDPW above 65W)
> 
>  - is probably not a great idea. Mainly because the on-going cost of
> supplying power to old junkers isn't worth what you can do with a
> 'newish' junker.
> 
> If you have free electricity, feel free to do what you like I guess.

TDP is the MAXIMUM power draw.  MAXIMUM (and of only the CPU).
Your OpenBSD firewall isn't going to be running at the maximum power
consumption on a P4 or newer processor very often or very long.  For
home use, you really care about idle power draw and the ability of the
HW to do the job.

Every era has its "The Answer Is" system, this year, it's PCengines and
ARM/Octeon.  Before, it was Soekris.  People get stupid with that stuff.

What's "greener", keeping something out of a landfill that draws 40w or
something brand new that draws 15W?  How many years do you have to run
the 15W system to pay for the cost of it?  How much is your time spent
fighting with its quirks worth?  Will it pay off before your ISP ups
your downlink speed to the point where your barely-does-the-job HW is
now "can't do the job"?

Some old P3/P4 systems have very modest power consumptions when idle.
Get yourself a wattmeter, and see what you have.  After install, remove
power from the CD/DVD, maybe some of the case fans, and maybe consider a
USB flash drive to boot.  Slow the clock speed, remove some RAM.  Pull
out the sound card/modem/whatever.

And when things break, unless you just HAPPEN to have a serial terminal
infrastructure laying around, an ol' keyboard and monitor used to debug
your system will beat the heck out of finding a USB to Serial adapter
and a null modem cable when you need it.

Heck, I have a serial infrastructure in my life, and I'm really
wondering if my serial-only firewall is worth the pain.  I recently
moved from a USB drive to a real hard disk because while it draws more
power, it boots and works a LOT faster (kernel and library randomization
is horrible on USB flash drives).

I get the "I hate Intel" thing, but unfortunately, most of the non-Intel
systems show why Intel (and AMD) own the serious computer market.

Nick.



Re: Equipment for OBSD based firewall

2018-09-05 Thread Bob Smith
I am a big fan of Deciso (https://www.deciso.com/product-catalog/)

Yes, it comes out of the box with "another BSD" preloaded, but you can easily 
take care of that in a few minutes courtesy of a USB console and a USB key with 
Mr de Raadt's opus magnum on it. ;-)




‐‐‐ Original Message ‐‐‐
On September 4, 2018 12:17 AM, Bogdan Kulbida  wrote:

> Ladies and gentlemen,
>
> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?
>
> Thank you!
>
> ---
>
> Best regards,
> Bogdan Kulbida
> Founder and CEO, Konstankino LLC http://konstankino.com
> +1.802.793.8295




Re: Equipment for OBSD based firewall

2018-09-04 Thread Zbyszek Żółkiewski
For the APU it's worth mentioning there are 2 versions in regard to network 
performance: the i210 and the i211 NIC chip. 
The i210 (apu2c4) is supposed to be faster and more feature-rich, while the i211 is the "value 
product". 
But since I have only the i210AT version and have never seen head-to-head comparisons, 
there is nothing to back up those claims…

Ref (there are nice tables comparing chips):
https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210-ethernet-controller-datasheet.pdf?asset=9573
https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i211-ethernet-controller-datasheet.pdf?asset=9567
https://www.intel.com/content/dam/www/public/us/en/documents/faqs/ethernet-controller-i210-i211-faq.pdf?asset=9597


> Wiadomość napisana przez Shawn Webb  w dniu 
> 04.09.2018, o godz. 02:00:
> 
> The PC-Engines APU devices are wildly popular among the BSD networking
> folk, and for good reason. I have a number of APU2 and APU3 systems
> deployed. I have one APU4 device deployed. I'll likely deploy another
> APU4 device within the next month or two.

Zbyszek Żółkiewski



Re: Equipment for OBSD based firewall

2018-09-03 Thread Peter N. M. Hansteen
On 09/04/18 01:17, Bogdan Kulbida wrote:
> Ladies and gentlemen,
> 
> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?

'minimally feasible' hardware for a small office firewall includes most
(i386 or amd64) hardware made this century, mod a few devices that were
just too weird and hard to come by to keep supported.

But then as others have mentioned, older hardware tends to draw more
power and run hotter than newer units, and you might find yourself in a
situation that the source of spare parts just ran dry.

There are several highly integrated and even fanless systems on the
market that would be suitable (do go for the ones with at least two
physical network interfaces though).

One of the more traditional designs I was reasonably happy with for my
home network for a few years was an HP Microserver G8, which had a few
PCI slots, dual bge(4)s built in and IIRC 4GB memory. Ran like a charm,
and was dirt cheap for a new system at the time.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Equipment for OBSD based firewall

2018-09-03 Thread Joel Wirāmu Pauling
But - The thing that isn't mentioned here is basically Power Cost and
Consumption vs PPS(Packet Processing Speed).

IMNSHO running on anything that doesn't ;

A) Have passive Cooling
B) Is older than a couple of years (in intel/amd terms anything with a
TDPW above 65W)

 - is probably not a great idea. Mainly because the on-going cost of
supplying power to old junkers isn't worth what you can do with a
'newish' junker.

If you have free electricity, feel free to do what you like I guess.


-Joel



On 4 September 2018 at 15:10, Bogdan Kulbida  wrote:
> Ingo,
> I so much enjoyed reading your answer. Thanks a lot for sharing.
>
> -Bogdan
>
> On Mon, Sep 3, 2018 at 20:04 Ingo Schwarze  wrote:
>
>> Hi Bogdan,
>>
>> Bogdan Kulbida wrote on Mon, Sep 03, 2018 at 04:17:51PM -0700:
>>
>> > I need to build a pf OBSD firewall for a small office. What minimally
>> > feasible equipment would you recommend in order to achieve this goal?
>>
>> I seriously doubt that you can find anything in the trash that isn't
>> seriously oversized.
>>
>> In 2001, i ran an OpenBSD 2.7 firewall with ipf(4) on an
>> Intel 486-SX25 (25 MHz) with 24 MB (not GB!) RAM, a system
>> disk of 100 MB (not GB!) and a /var/ disk of another 100 MB.
>> The about ten concurrent users were happy with it for years.
>>
>> OK, that would no longer work because the SX25 had no numerical
>> coprocessor which is now required to run OpenBSD, and it required
>> some fiddling to fit the system installation into 100 MB.  But it
>> always routed the traffic fast enough.
>>
>> Currently, one of my office firewalls runs on:
>>
>>  - CPU: AMD-K6 234 MHz (yes, a quarter of a GHz)
>>  - RAM: 128 MB (yes, an eighth of a GB)
>>  - HD: ATA (not SATA!) UDMA-2, 3 GB (not 300 GB!)
>>
>> The only reason the machine is *THAT* large is that at the time it
>> was selected, we no longer had any smaller dismantled desktop
>> machines in the trash.  I don't have the slightest doubt that a
>> much smaller machine would also be fine - certainly with half of
>> everything, like 100 MHz, 64 MB RAM, 1 GB disk.
>>
>> And since then, i'm too lazy to pull something newer from the trash
>> to replace it - because it just works.
>>
>> As a matter of fact, i'm sending this email over it...
>>
>> Yours,
>>   Ingo
>>
> --
> ---
> Best regards,
> Bogdan Kulbida
> Founder and CEO, Konstankino LLC 
> +1.802.793.8295



Re: Equipment for OBSD based firewall

2018-09-03 Thread Bogdan Kulbida
Ingo,
I so much enjoyed reading your answer. Thanks a lot for sharing.

-Bogdan

On Mon, Sep 3, 2018 at 20:04 Ingo Schwarze  wrote:

> Hi Bogdan,
>
> Bogdan Kulbida wrote on Mon, Sep 03, 2018 at 04:17:51PM -0700:
>
> > I need to build a pf OBSD firewall for a small office. What minimally
> > feasible equipment would you recommend in order to achieve this goal?
>
> I seriously doubt that you can find anything in the trash that isn't
> seriously oversized.
>
> In 2001, i ran an OpenBSD 2.7 firewall with ipf(4) on an
> Intel 486-SX25 (25 MHz) with 24 MB (not GB!) RAM, a system
> disk of 100 MB (not GB!) and a /var/ disk of another 100 MB.
> The about ten concurrent users were happy with it for years.
>
> OK, that would no longer work because the SX25 had no numerical
> coprocessor which is now required to run OpenBSD, and it required
> some fiddling to fit the system installation into 100 MB.  But it
> always routed the traffic fast enough.
>
> Currently, one of my office firewalls runs on:
>
>  - CPU: AMD-K6 234 MHz (yes, a quarter of a GHz)
>  - RAM: 128 MB (yes, an eighth of a GB)
>  - HD: ATA (not SATA!) UDMA-2, 3 GB (not 300 GB!)
>
> The only reason the machine is *THAT* large is that at the time it
> was selected, we no longer had any smaller dismantled desktop
> machines in the trash.  I don't have the slightest doubt that a
> much smaller machine would also be fine - certainly with half of
> everything, like 100 MHz, 64 MB RAM, 1 GB disk.
>
> And since then, i'm too lazy to pull something newer from the trash
> to replace it - because it just works.
>
> As a matter of fact, i'm sending this email over it...
>
> Yours,
>   Ingo
>
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC 
+1.802.793.8295


Re: Equipment for OBSD based firewall

2018-09-03 Thread Ingo Schwarze
Hi Bogdan,

Bogdan Kulbida wrote on Mon, Sep 03, 2018 at 04:17:51PM -0700:

> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?

I seriously doubt that you can find anything in the trash that isn't
seriously oversized.

In 2001, i ran an OpenBSD 2.7 firewall with ipf(4) on an
Intel 486-SX25 (25 MHz) with 24 MB (not GB!) RAM, a system
disk of 100 MB (not GB!) and a /var/ disk of another 100 MB.
The about ten concurrent users were happy with it for years.

OK, that would no longer work because the SX25 had no numerical
coprocessor which is now required to run OpenBSD, and it required
some fiddling to fit the system installation into 100 MB.  But it
always routed the traffic fast enough.

Currently, one of my office firewalls runs on:

 - CPU: AMD-K6 234 MHz (yes, a quarter of a GHz)
 - RAM: 128 MB (yes, an eighth of a GB)
 - HD: ATA (not SATA!) UDMA-2, 3 GB (not 300 GB!)

The only reason the machine is *THAT* large is that at the time it
was selected, we no longer had any smaller dismantled desktop
machines in the trash.  I don't have the slightest doubt that a
much smaller machine would also be fine - certainly with half of
everything, like 100 MHz, 64 MB RAM, 1 GB disk.

And since then, i'm too lazy to pull something newer from the trash
to replace it - because it just works.

As a matter of fact, i'm sending this email over it...

Yours,
  Ingo



Re: Equipment for OBSD based firewall

2018-09-03 Thread Tracey Emery
https://pcengines.ch



On September 3, 2018 5:17:51 PM MDT, Bogdan Kulbida  
wrote:
>Ladies and gentlemen,
>
>I need to build a pf OBSD firewall for a small office. What minimally
>feasible equipment would you recommend in order to achieve this goal?
>
>Thank you!
>-- 
>---
>Best regards,
>Bogdan Kulbida
>Founder and CEO, Konstankino LLC 
>+1.802.793.8295

-- 
Tracey


Re: Equipment for OBSD based firewall

2018-09-03 Thread Bogdan Kulbida
Thank you. Much appreciated.

On Mon, Sep 3, 2018 at 17:03 Tracey Emery  wrote:

> https://pcengines.ch
>
>
>
>
> On September 3, 2018 5:17:51 PM MDT, Bogdan Kulbida 
> wrote:
>>
>> Ladies and gentlemen,
>>
>> I need to build a pf OBSD firewall for a small office. What minimally
>> feasible equipment would you recommend in order to achieve this goal?
>>
>> Thank you!
>>
>>
> --
> Tracey
>
-- 
---
Best regards,
Bogdan Kulbida
Founder and CEO, Konstankino LLC 
+1.802.793.8295


Re: Equipment for OBSD based firewall

2018-09-03 Thread Shawn Webb
On Mon, Sep 03, 2018 at 04:17:51PM -0700, Bogdan Kulbida wrote:
> Ladies and gentlemen,
> 
> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?

Hey Bogdan,

The PC-Engines APU devices are wildly popular among the BSD networking
folk, and for good reason. I have a number of APU2 and APU3 systems
deployed. I have one APU4 device deployed. I'll likely deploy another
APU4 device within the next month or two.

https://pcengines.ch/

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:+1 443-546-8752
Tor+XMPP+OTR:latt...@is.a.hacker.sx
GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




Re: Equipment for OBSD based firewall

2018-09-03 Thread Jordan Geoghegan

On 09/03/18 16:17, Bogdan Kulbida wrote:
> Ladies and gentlemen,
>
> I need to build a pf OBSD firewall for a small office. What minimally
> feasible equipment would you recommend in order to achieve this goal?
>
> Thank you!

I've run multiple office networks on octeon devices. I've found the 
Edgerouter and Edgerouter Pro to be quite performant. The Edgerouter Pro 
can easily handle a 100/100 connection or even a 250/250 connection. I 
like them because they're free of any spectre / fpu bugs as they use an 
in-order CPU. OpenBSD also supports hw accelerated IPsec on them. I've 
used them to run DHCP and DNS servers, used them heavily as jump 
hosts/proxies and also ran my unbound-adblock and pf-badhost scripts; 
with over 100,000 domains and IP/CIDR blocks being filtered while 
pushing dozens of terabytes in network traffic through them each month, 
they've proven to be rock solid. If you have modest needs, then an 
Edgerouter lite should suffice.


Keep in mind, these are just my personal opinions, and I am biased. I 
can't stand the thought of having an x86 machine exposed on the open 
internet, much less trusting it to secure and segment my network. With 
spooky management engine shenanigans and hardware bugs abound, I'm just 
not interested in putting my faith in x86 again. Too much emotion, too 
much garbage.


Cheers,
Jordan