quad interface firewall PC with good bios security/update

Started by js123, Today at 05:06:28 AM

Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there are no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

thanks in advance,
jerry

Quote from: js123 on Today at 05:06:28 AM
Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there are no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

Protectli is the way to go. They have open source coreboot BIOS for their entire line. Check out their 4 ports offers here: https://eu.protectli.com/vault-4-port/

In your case, I would go with the FW4B model. Thomas Krenn and Deciso also have some nice units, but they are a bit pricier because they are in the EU. I know that Thomas Krenn used to have coreboot BIOS on their older models, but I don't see it as an offer on new units. Worth checking out:

https://www.thomas-krenn.com/en/products/low-energy-systems
https://shop.opnsense.com/product-categorie/hardware-appliances/

With Deciso hardware you are directly supporting the OPNsense project.

Quote from: js123 on Today at 05:06:28 AM
A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

It no longer makes sense to keep those separated for home use.

If it is affordable then I recommend Deciso appliances.
  • Coreboot
  • Small and efficient, with good WAF
  • One year of business edition, or consider that a donation
  • Releases work, or at least are a better bet to do so than on a third party box
If your DNS use is internal rather than public-facing then definitely use the router for that and DHCP. All the management tools are there.

eta: I formerly used a mini-PC for OPNsense. If or when I need to replace the 697, it will be with a Deciso appliance for all the above reasons.
Deciso DEC697

Quote from: passeri on Today at 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
Deciso DEC740

>>>do you know which models got coreboot?

They're listed on the download page, iirc the 600 series.


I'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it or you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.


The options aren't exactly excellent but some are better than others.

Quote from: patient0 on Today at 08:43:17 AM
Quote from: passeri on Today at 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
Yes. Mine. Otherwise, check the product page. :)

It was mentioned above as a positive feature, so I mentioned it is available in a quad-port Deciso router.
Deciso DEC697