Recent posts

#1
>>>do you know which models got coreboot?

They're listed on the download page, iirc the 600 series.


I'm fed up with the coreboot hoax.

Either you get some old-ish HW from Protectli which comes and dies with the only coreboot that was initially made for it, or you get the same HW with AMI, far more configurable, and from what I've seen you may get anywhere between 1-3 BIOS updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.


The options aren't exactly excellent but some are better than others.
#2
Quote from: passeri on Today at 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
#3
If it is affordable then I recommend Deciso appliances.
  • Coreboot
  • Small and efficient, with good WAF
  • One year of business edition, or consider that a donation
  • Releases work, or at least are a better bet to do so than on a third party box
If your DNS use is internal rather than public-facing then definitely use the router for that and DHCP. All the management tools are there.

eta: I formerly used a mini-pc for Opnsense. If or when I need to replace the 697, it will be with a Deciso appliance for all the above reasons.
#4
General Discussion / NAT redirect - DNS timeout
Last post by jbernardo - Today at 08:35:19 AM
Hello,
I have a working setup with a pi-hole doing DHCP+DNS and using the opnsense unbound as upstream DNS server. DNS queries are fast, everything works, ads/malware/telemetry is blocked by the pi-hole.
Next step for me would be to redirect any queries from my LAN to any DNS server other than the pi-hole. For that, I added a "Destination NAT" rule, with protocol TCP/UDP, any destination/port DOMAIN (53), redirect target IP - the IP of the pi-hole, target port DOMAIN (53), inverted source my pi-hole IP.
Now, queries to any DNS server outside the LAN show as "RDR" in the log, and appear in the pi-hole query log. But, the query result never makes it back to dig or nslookup, it always ends with ";; communications error to 1.1.1.1#53: timed out"
What am I missing here? Do I need a firewall rule?
Thank you.
#5
Your end systems won't use a ULA if IPv4 is also available. The "happy eyeballs" algorithm prioritizes:

- IPv6 GUA if present
- IPv4 if present
- IPv6 ULA if present

So dual stack hosts never use ULA if the destination is reachable via IPv4, too.
#6
Topton is just unreliable cheap garbage. There is a good reason why Deciso, Thomas Krenn and Protectli cost that much. I've seen people buy Toptons like crazy, and then mount a fan on them because their aluminum case can not dissipate heat properly because they use the worst quality materials. It completely defeats the purpose because this is advertised as a passively cooled unit. Worst of all, their quality is so inconsistent that some units can work reliably for years, and some die for no reason after a few months. And that's the exact reason why you should avoid them. Especially when people that have these units start to recommend them and claim that they have had them for X amount of years, and they are working just fine. If you are on a tight budget, go for Qotom. But don't be a cheap ass and go below that. It will cost you more in the long run.
#7
Quote from: js123 on Today at 05:06:28 AM
Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there are no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

Protectli is the way to go. They have open source coreboot BIOS for their entire line. Check out their 4-port offers here: https://eu.protectli.com/vault-4-port/

In your case, I would go with the FW4B model. Thomas Krenn and Deciso also have some nice units, but they are a bit pricier because they are in the EU. I know that Thomas Krenn used to have coreboot BIOS on their older models, but I don't see it as an offer on new units. Worth checking out:

https://www.thomas-krenn.com/en/products/low-energy-systems
https://shop.opnsense.com/product-categorie/hardware-appliances/

With Deciso hardware you are directly supporting the OPNsense project.

Quote from: js123 on Today at 05:06:28 AM
A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

It no longer makes sense to keep those separated for home use.
#8
Hardware and Performance / quad interface firewall PC wit...
Last post by js123 - Today at 05:06:28 AM
Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there are no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

thanks in advance,
jerry
#9
26.1, 26.4 Series / Unable to get IPv6 Traffic via...
Last post by johnshill - Today at 03:41:56 AM
I have dual stack working correctly (I think) on my home network using DHCPv6 on WAN and "Identity association" on each of my three subnets with Router Advertisements set to "Assisted" mode. My ISP is Hyperoptic and I have /56 on the WAN for prefix delegation size and each of the subnets is using /64.

whatismyipaddress.com detects both IPv6 and IPv4 and test-ipv6.run passes with 10/10 on all my clients, however, any client connected via WireGuard fails.

I configured all the IPv6 settings per the WireGuard Road Warrior Setup guide to no avail, including:
- ULA for the tunnel address, fddd::1/64, and tried both fddd::2/64 and fddd::2/128 for the peer/client in every combination.
- Assigned an interface to WireGuard.
- Created an outbound NAT rule for IPv6 with Translation / target set to "Interface address".
- Created an inbound firewall rule on WAN for IPv4+IPv6.
- Created a firewall rule on WireGuard letting it access all subnets and the internet.
- Created normalization rules with Max MSS 1360.

My config is as follows:

[Interface]
PrivateKey = <redacted>
Address = 10.10.50.2/32,fddd::2/128
DNS = 10.10.50.1, fddd::1 <this is probably wrong>

[Peer]
PublicKey = <redacted>
Endpoint = ddns.myowndomain.com:51820
AllowedIPs = 0.0.0.0/0,::/0

I simply cannot get "What Is My IP Address" to detect an IPv6 when connected from my phone to my home network via VPN and would kindly appreciate some help.
#10
If it fails memtest86, maybe try again with a big fan directed onto the top of the Topton. Then try regular deployed use with the big fan blowing on it. Do you see the same results, or different?

I have been interested in mini-pc devices like this, such as Protectli Vault models, but the lack of active cooling always makes me hesitate. I wonder, can it really be stable and provide high uptimes? I have no experience with these tiny PC models myself, so I hesitate and search for testimonials. More than once I was just about to click BUY!!! on similar items while browsing Amazon, and just in the corner of my eye I then see "frequently returned item." Yes, well perhaps I can guess why that might be, I think, and it all comes to a screeching halt.

On at least some models, Protectli includes tightly fitted slabs of aluminum heat transfer blocks between critical components and the topside heat sink. Are blocks like these present inside the Topton models? I have no idea. If they aren't present they could be fabricated by a sufficiently OCD afflicted owner. (TBH I would set about this at once without asking myself why really, or consulting with a licensed therapist) But if I were advising someone else, I would say, can lowering the operating temperature by increasing airflow across the heat sink improve system stability at all? If it does then maybe we're onto the cause of the instability, but if it doesn't significantly change things then it's going to be down to something else.