Opnsense and intel CPUs

[eponymous]

Hi all,

This is my first post to the forum - I've just learned about Opnsense and am very excited to get up and running!

I had a question regarding hardware.

I've got an old Netgate SG-2440 lying around which I intend to put Opnsense on.

I think for all intents and puposes it should be a perfect machine for it.

The important specs are:

Code: [Select]

CPU Intel "Rangeley" Atom C2358 1.7 GHz with QuickAssist
CPU Cores 2
Memory Options 4GB DDR3L Non ECC
Storage Options 32GB eMMC Flash on board (I'll be putting a larger disk in)
Network Interfaces 4x Intel 1GbE
USB Ports 2x 2.0 ports
Console Port Mini USB

My question is more about using Intel CPUs in general on a router. It's clear Opnsense takes security very seriously (using HardenedBSD and all).

There have been a number of issues with Intel CPUs - in particular, exploits in the ME firmware and so on.

Is it a good idea for me to use an Intel Atom C2358 based machine to run Opnsense? Or should I be looking for another platform to run this on?

Are there any actual exploits that I'd need to be aware of that haven't or can't be patched via Opnsense/BSD?

Am I just being overly paranoid? (wouldn't be the first time)

The SG-2440 is spare so it'd be a shame not to use it. I've also got one of the boards which luckily doesn't have the Intel C2358 clock signal component issue.

(and sorry if my question seems a little esoteric!)

Best!

E.

[bartjsmit]

Ark says you're ok for 64-bit: https://ark.intel.com/content/www/us/en/ark/products/77978/intel-atom-processor-c2358-1m-cache-1-70-ghz.html

However, it may be a bit thin to do a lot of the fancier stuff, performance-wise.

In answer to your security concern - the best way to mitigate security issues with your firewall is to block any traffic going to your firewall rather than through it. Don't run DNS, web proxy, VPN, or anything else on the firewall itself.

Also, security issues are not particular to Intel hardware. Any CPU design since the 1970's uses features that reduce security in some degree. Spectre is a good example: https://spectreattack.com/

Bart...

[eponymous]

Thanks Bart for the response (sorry for the late reply!).

Yes I like your answer and it's made me also re-think my stategy towards how I'll set up my network moving forwards - i.e. moving some services off the router and keeping it simple.

Cheers.

[Patrick M. Hausen]

Additional remark: side channel attacks like Spectre and Meltdown are really only relevant if you run applications on a system for multiple untrusted tenants. Like in Webhosting. For appliances that run most services as root and have no users that can logon remotely, the issue is next to irrelevant. IMHO.

[Wyrm]

To avoid any problems with Intel CPUs just use AMD.
AMD now is  technologically very in front and Intel is left behind.
There are lots of news from AMD and they have very good and powerfull CPUs and for better price then Intel.
If you look at AMD Ryzen, Ryzen Pro, EPYC, embedded Epyc and that big players like Dell, HP and other have strong server platforms based on AMD...
There are of course lots of people who are "locked" and "encrypted" (I do not know how to explain it) with Intel and did not realized that winner is AMD for last 2-3 years.

Pavel

[aponomarenko]

People use Atom a lot to run OPNsense (and other BSDs too): https://bsd-hardware.info/?view=search&name=Atom&typeid=cpu