Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-28 Thread Kenneth Gober
On Thu, Nov 24, 2016 at 3:15 PM, Tito Mari Francis H. Escaño wrote:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)

I have a few Soekris net6501 appliances that mostly work fine (they
sometimes fail to boot due to some mSATA issue, but pressing the reset
button generally fixes it).
http://soekris.com/products/net6501-1.html

A good-quality business PC with a multi-port Ethernet card also works
fine as a router.  My 'main' router is currently a Dell Optiplex 755
SFF with a low-profile 4-port Intel Gigabit adapter added to it.
These are easy and cheap to find refurbished/used, but are probably
not a good option if you require something with a serial console.

-ken



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-26 Thread RD Thrush
On 11/24/16 15:15, Tito Mari Francis H. Escaño wrote:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)

I had previous success w/ the alix boards via netgate.com.  I recently
upgraded to an ADI Engineering RCC-VE 2440[1] and have been pleased for the
past 8 months.  dmesg appended.

[1]

OpenBSD 6.0-current (GENERIC.MP) #0: Fri Nov 25 10:59:10 MST 2016
bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4273856512 (4075MB)
avail mem = 4139732992 (3947MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7fbf0420 (7 entries)
bios0: vendor coreboot version "ADI_RCCVE-01.00.00.08-nodebug" date 01/22/2016
bios0: ADI Engineering RCC-VE
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR HPET APIC MCFG SSDT
acpi0: wakeup devices EHC1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz, 1166.89 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz, 1166.67 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 1 (RP01)
acpiprt1 at acpi0: bus 2 (RP02)
acpiprt2 at acpi0: bus 3 (RP03)
acpiprt3 at acpi0: bus 4 (RP04)
acpiprt4 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
cpu0: Enhanced SpeedStep 1166 MHz: speeds: 2100, 1800, 1600, 1400 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1f0e rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 2 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 3 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci4 at ppb3 bus 4
vendor "Intel", unknown product 0x1f18 (class processor subclass Co-processor, rev 0x02) at pci0 dev 11 function 0 not configured
pchb1 at pci0 dev 14 function 0 "Intel Atom C2000 RAS" rev 0x02
"Intel Atom C2000 RCEC" rev 0x02 at pci0 dev 15 function 0 not configured
"Intel Atom C2000 SMBus" rev 0x02 at pci0 dev 19 function 0 not configured
em0 at pci0 dev 20 function 0 "Intel I354 SGMII" rev 0x03: msi, address 00:08:a2:0a:73:bd
em1 at pci0 dev 20 function 1 "Intel I354 SGMII" rev 0x03: msi, address 00:08:a2:0a:73:be
em2 at pci0 dev 20 function 2 "Intel I354 SGMII" rev 0x03: msi, address 00:08:a2:0a:73:bf
em3 at pci0 dev 20 function 3 "Intel I354 SGMII" rev 0x03: msi, address 00:08:a2:0a:73:c0
ehci0 at pci0 dev 22 function 0 "Intel Atom C2000 USB" rev 0x02: apic 2 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ahci0 at pci0 dev 23 function 0 "Intel Atom C2000 AHCI" rev 0x02: msi, AHCI 1.3
scsibus1 at ahci0: 32 targets
ahci1 at pci0 dev 24 function 0 "Intel Atom C2000 AHCI" rev 0x02: msi, AHCI 1.3
scsibus2 at ahci1: 32 targets
pcib0 at pci0 dev 31 function 0 "Intel Atom C2000 PCU" rev 0x02
ichiic0 at pci0 dev 31 function 3 "Intel Atom C2000 PCU SMBus" rev 0x02: apic 2 int 22
iic0 at ichiic0
iic0: addr 0x2e 00=41 words 00=4141 01= 02= 03= 04= 05= 06= 07=
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800 with thermal sensor
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com1: console
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
uhub1 at uhub0 port 1 configuration 1 interface 0 "Intel product 0x07db" rev 2.00/0.02 addr 2
umass0 at uhub1 port 4 

Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread Clint Pachl

Tito Mari Francis H. Escaño wrote on 11/24/16 13:15:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)

I would highly recommend the Lanner embedded or network appliances. I 
bought a FW-7541 and a LEC-2280 back in 2012. I installed OpenBSD on an 
SSD in each. I've upgraded to every release since with zero issues.


I use the FW-7541 for my firewall/gateway, which also runs dhcpd, httpd 
(hosts OpenBSD sets/packages for the LAN), nsd, spamd, unbound, and 
tftpd (PXE booting). I think I paid about $400 for the Intel Atom CPU 
D525 @ 1.80GHz with 4GB RAM back in 2012, not including the SSD. It 
works awesome and can be found here:

http://www.lannerinc.com/products/x86-network-appliances/desktop/fw-7541

However, it looks like the FW-7541 has been replaced by the FW-7525:
http://www.lannerinc.com/products/x86-network-appliances/x86-desktop-appliances/fw-7525

I also bought another Lanner, the LEC-2280, for my main application server:
http://www.lannerinc.com/products/embedded-box-pcs/industrial-automation/lec-2280

I did contact Lanner support with an OpenBSD question shortly after 
setting them up. They were able to help. However, at that time, the 
engineer said they employed a couple of people who were familiar with 
OpenBSD, but basically they just made sure they were able to boot the 
latest OBSD release; not much assurance beyond that. However, I now see 
they have added OpenBSD and FreeBSD as officially supported OSes on some 
of their models.


I originally bought these two machines because of their fanless design 
and low power consumption. My meter measures 9-13W of power consumption 
for the FW-7541.


If you can install OBSD yourself and configure everything from the 
command line, I would highly recommend one of the Lanner desktop network 
appliances. I use the uplcom Prolific Technology Inc. USB-Serial 
Controller to access the console for administrative tasks like upgrades 
and backups.


Here is the dmesg for my FW-7541 firewall:

OpenBSD 6.0 (GENERIC.MP) #2: Mon Oct 17 10:22:47 CEST 2016
r...@stable-60-amd64.mtier.org:/binpatchng/work-binpatch60-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4267245568 (4069MB)
avail mem = 4133445632 (3941MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xfbea0 (22 entries)
bios0: vendor American Megatrends Inc. version "080016" date 08/03/2012
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI
acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) HDAC(S4) USB4(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.26 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, C-substates=0.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 512KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu2: 512KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.01 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu3: 512KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P0P4)
acpiprt3 at acpi0: bus 3 (P0P5)
acpiprt4 at acpi0: bus 4 (P0P6)
acpiprt5 at acpi0: bus 5 (P0P7)

Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread mxb
Looks nice. Like a Soekris x2 + Kerberos case.
What I miss on all those boards is dedicated IPMI.

Else, with IPMI, those are perfect products for remote small office.

//mxb

> On 25 Nov. 2016, at 15:01, Bob Jones wrote:
>
> Try the NetBoard A-10 and any of the products built on top of it :
> https://www.deciso.com/
>
> Comes with a version of FreeBSD running on it, but you can get OpenBSD
> on there via the console port, no probs.



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread Bob Jones
Try the NetBoard A-10 and any of the products built on top of it :
https://www.deciso.com/

Comes with a version of FreeBSD running on it, but you can get OpenBSD
on there via the console port, no probs.



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Joe Crivello
> As far as I know, Halon cuts the number of IPSec tunnels on free version.


You're paying for ease of use and polish. Software developers aren't free.



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread mxb
As far as I know, Halon cuts the number of IPSec tunnels on free version.


> On 24 Nov. 2016, at 21:21, Joe Crivello wrote:
> 
>> Can somebody please recommend me a firewall appliance that can run OpenBSD and
>> pf, and can be upgradeable to the latest version? It would be a great plus if
>> the appliance can also be configured as part of CARP firewall group.
> 
> 
> http://securityrouter.org/
> 
> Great product.



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Stefan Sperling
On Fri, Nov 25, 2016 at 04:15:23AM +0800, Tito Mari Francis H. Escaño wrote:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)
> 

I'd recommend: Ditch appliances, invest your time into learning OpenBSD
and pf, and be happy forever after (including any future upgrades).



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread ilyes aiouaz - gmail
https://www.esdenera.com/

By our friend Reyk Floeter

On 24/11/2016 at 21:15, Tito Mari Francis H. Escaño wrote:
> Hi everyone,
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group. pfSense
> with FreeBSD doesn't cut it :)



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Joe Crivello
> Can somebody please recommend me a firewall appliance that can run OpenBSD and
> pf, and can be upgradeable to the latest version? It would be a great plus if
> the appliance can also be configured as part of CARP firewall group.


http://securityrouter.org/

Great product.



Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread Tito Mari Francis H . Escaño
Hi everyone,
Can somebody please recommend me a firewall appliance that can run OpenBSD and
pf, and can be upgradeable to the latest version? It would be a great plus if
the appliance can also be configured as part of CARP firewall group. pfSense
with FreeBSD doesn't cut it :)