Quad interface firewall PC with good BIOS security/updates

Started by js123, May 11, 2026, 05:06:28 AM

Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand building for our house, so there are no crazy requirements for packet rate or massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

thanks in advance,
jerry

Quote from: js123 on May 11, 2026, 05:06:28 AM
Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand building for our house, so there are no crazy requirements for packet rate or massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

Protectli is the way to go. They have an open source coreboot BIOS for their entire line. Check out their 4-port offerings here: https://eu.protectli.com/vault-4-port/

In your case, I would go with the FW4B model. Thomas Krenn and Deciso also have some nice units, but they are a bit pricier because they are in the EU. I know that Thomas Krenn used to have a coreboot BIOS on their older models, but I don't see it offered on new units. Worth checking out:

https://www.thomas-krenn.com/en/products/low-energy-systems
https://shop.opnsense.com/product-categorie/hardware-appliances/

With Deciso hardware you are directly supporting OPNSense project.

Quote from: js123 on May 11, 2026, 05:06:28 AM
A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

It no longer makes sense to keep those separated for home use.

If it is affordable then I recommend Deciso appliances.
  • Coreboot
  • Small and efficient, with good WAF
  • One year of business edition, or consider that a donation
  • Releases work, or at least are a better bet to do so than on a third party box
If your DNS use is internal rather than public-facing then definitely use the router for that and DHCP. All the management tools are there.

ETA: I formerly used a mini-PC for OPNsense. If or when I need to replace the 697, it will be with a Deciso appliance for all the above reasons.
Deciso DEC697

Quote from: passeri on May 11, 2026, 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
Deciso DEC740

>>> do you know which models got coreboot?

They're listed on the download page, IIRC the 600 series.


I'm fed up with the coreboot hoax.

Either you get some old-ish HW from Protectli, which comes and dies with the only coreboot that was initially made for it, or you get the same HW with AMI, far more configurable, and from what I've seen you may get anywhere between 1-3 BIOS updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.


The options aren't exactly excellent but some are better than others.

Quote from: patient0 on May 11, 2026, 08:43:17 AM
Quote from: passeri on May 11, 2026, 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
Yes. Mine. Otherwise, check the product page. :)

It was mentioned above as a positive feature, so I mentioned it is available in a quad-port Deciso router.
Deciso DEC697

Quote from: newsense on May 11, 2026, 09:11:58 AM
I'm fed up with the coreboot hoax.

Either you get some old-ish HW from Protectli, which comes and dies with the only coreboot that was initially made for it, or you get the same HW with AMI, far more configurable, and from what I've seen you may get anywhere between 1-3 BIOS updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.

The options aren't exactly excellent but some are better than others.

Completely wrong way of thinking. Absence of updates means that there is nothing to fix or add. And that's a good thing. Saying that an appliance sucks because it doesn't get its BIOS updated every month is just silly. My Asus AMD board has had its BIOS updated 15 times so far just so they can fix "small" bugs and introduce new ones. Same goes with Intel platforms. Every month you have a BIOS update because ME firmware has been updated. This is borderline crazy.

As for Protectli, I got the coreboot on my Protectli Vault FW6E updated 3 times. So please, do not spread false information. And lack of customization in the coreboot BIOS is a feature. That's how the firmware is designed. This is why you have a choice with Protectli. You can switch between coreboot and AMI very easily. It just so happens that I don't need any "features" that AMI offers.
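Whichever side of the coreboot-vs-AMI argument you land on, the practical question is what firmware the box actually runs and how old it is. The script below is an added example, not something posted in this thread or shipped by Protectli, Deciso or OPNsense. It reads the SMBIOS vendor, version and release-date strings (on FreeBSD/OPNsense via the `kenv smbios.bios.*` loader variables, on Linux via `/sys/class/dmi/id`), classifies the firmware as coreboot or AMI from those strings, and computes the age of the installed build in days. The 730-day "stale" threshold and the sample dates in the usage are assumptions made for illustration; the classifier and date arithmetic are the parts worth reusing.

```shell
#!/bin/sh
# Added example (not from the thread): quick firmware inventory for an OPNsense box.
# Assumptions: FreeBSD exposes smbios.bios.vendor/version/reldate through kenv,
# Linux exposes the same strings under /sys/class/dmi/id, SMBIOS release dates
# are MM/DD/YYYY, and the 730-day "stale" limit is an arbitrary local policy.

# Julian day number for a Gregorian date in pure shell arithmetic, so the age
# calculation needs neither GNU nor BSD date(1) extensions.
jdn() {  # jdn YEAR MONTH DAY  (no leading zeros)
    a=$(( (14 - $2) / 12 ))
    y=$(( $1 + 4800 - a ))
    m=$(( $2 + 12 * a - 3 ))
    echo $(( $3 + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# Days between an SMBIOS release date (MM/DD/YYYY) and a reference date (YYYY-MM-DD).
firmware_age_days() {
    rel=$1 today=$2
    rm=${rel%%/*}; rest=${rel#*/}; rd=${rest%%/*}; ry=${rest#*/}
    ty=${today%%-*}; rest=${today#*-}; tm=${rest%%-*}; td=${rest#*-}
    # strip one leading zero so "08" is not read as an invalid octal literal
    echo $(( $(jdn "$ty" "${tm#0}" "${td#0}") - $(jdn "$ry" "${rm#0}" "${rd#0}") ))
}

# coreboot, AMI or other, judged from the SMBIOS vendor and version strings.
classify_firmware() {  # classify_firmware VENDOR VERSION
    case "$1 $2" in
        *[Cc]ore[Bb]oot*)              echo coreboot ;;
        *"American Megatrends"*|*AMI*) echo ami ;;
        *)                             echo other ;;
    esac
}

# Pull the three strings from the running system as "vendor|version|reldate".
read_smbios() {
    if command -v kenv >/dev/null 2>&1; then            # FreeBSD / OPNsense
        printf '%s|%s|%s\n' "$(kenv smbios.bios.vendor 2>/dev/null)" \
            "$(kenv smbios.bios.version 2>/dev/null)" "$(kenv smbios.bios.reldate 2>/dev/null)"
    elif [ -r /sys/class/dmi/id/bios_vendor ]; then     # Linux, for comparison
        printf '%s|%s|%s\n' "$(cat /sys/class/dmi/id/bios_vendor)" \
            "$(cat /sys/class/dmi/id/bios_version)" "$(cat /sys/class/dmi/id/bios_date)"
    else
        printf '||\n'
    fi
}

# One-line verdict: "<kind> <age-days> <ok|STALE>", or "<kind> unknown-date".
firmware_report() {  # firmware_report VENDOR VERSION RELDATE TODAY [MAX_AGE_DAYS]
    kind=$(classify_firmware "$1" "$2")
    [ -n "$3" ] || { printf '%s unknown-date\n' "$kind"; return 0; }
    age=$(firmware_age_days "$3" "$4")
    limit=${5:-730}
    [ "$age" -gt "$limit" ] && status=STALE || status=ok
    printf '%s %s %s\n' "$kind" "$age" "$status"
}

# Against the live box:  sh firmware-check.sh --run
if [ "${1:-}" = "--run" ]; then
    IFS='|' read -r vendor version reldate <<EOF
$(read_smbios)
EOF
    firmware_report "$vendor" "$version" "$reldate" "$(date +%Y-%m-%d)"
fi
```

With constructed input, `firmware_report coreboot 4.22 05/11/2024 2026-05-11` prints `coreboot 730 ok`, and a release one day earlier tips it to `STALE` at the default limit. The point is not the threshold but having a repeatable check to run after every flash, and a number to quote the next time someone argues about how many updates a platform really got.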

I'm leaning towards a Protectli, it's too hard to get the OPNsense hardware in the USA, and the tariffs make it unaffordable right now. I was looking at a DEC2770, the only thing I'm missing with some of the Protectli boxes will be the 10g connections, and I don't really need that right now. It might have been nice to route between LANs at 10g, but I only have gigabit to the WAN.


I am running this item. No 10G installed just yet, will do that for some VLANs in 802.1Q soon.
amazon.com/dp/B0F4WXKZRB
Mini-pc N150 i226v x520, FREEDOM

Thanks everyone for the responses, it was a great help. I'm on the left coast of the US, so the protectli products are an easier lift.

Quote from: js123 on May 11, 2026, 05:06:28 AM
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?
You are aware of the fact that both Cisco and Dell used to have backdoors in their products in the past, right?!

As long as it's a product from a brand that many others are using I would not worry about it too much, however BIOS/UEFI updates/upgrades because of microcode updates and stuff like that are a nice to have IMHO :)

Quote
A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.
I like having my OPNsense or any other kind of router as clean as possible, so I host Pi-hole and its own Unbound instance separately.

Quote from: newsense on May 11, 2026, 09:11:58 AM
I'm fed up with the coreboot hoax.

Either you get some old-ish HW from Protectli, which comes and dies with the only coreboot that was initially made for it, or you get the same HW with AMI, far more configurable, and from what I've seen you may get anywhere between 1-3 BIOS updates throughout the years.
This is something I might agree with you on totally, because: who builds/maintains those coreboot/Libreboot releases?!

- If it's the manufacturer and they have a dedicated team for it that does it for all their devices : OK, let's do it!
- If it's someone who you could consider to be on the same level as any random Custom Android ROM developer for example then things get different...

The same story goes for my Thinkpad laptop by the way and not just all these funny little Mini PCs that many use as a DIY Router or VM Lab Server and stuff like that... :)

Quote from: Nullman on May 11, 2026, 11:57:37 AM
Completely wrong way of thinking.
IMHO he is fully in his right to think that way if there is not enough clarity about the whole thing!

Quote
Absence of updates means that there is nothing to fix or add. And that's a good thing.
Any kind of software in general is never finished, so that's a very bold claim you are making there! ;)

Quote
Saying that an appliance sucks because it doesn't get its BIOS updated every month is just silly.
That's the other extreme side of the story, which should be avoided too of course!

Quote
My Asus AMD board has had its BIOS updated 15 times so far just so they can fix "small" bugs and introduce new ones.
Same goes with Intel platforms.

Every month you have a BIOS update because ME firmware has been updated. This is borderline crazy.
If I am perfectly honest: it all went wrong the moment you chose ASUS hardware...

But considering the amount of crap both AMD and Intel have gone through the last 10 years or so it might be a VERY GOOD thing to have updates/upgrades as often as possible when needed no matter how annoying it can be for end users :)

Quote
As for Protectli, I got the coreboot on my Protectli Vault FW6E updated 3 times.
I think we need a timeframe for that data:
- When was the model released ?
- When did you buy it ?
- How many updates/upgrades were there in total so far ?
- Do they consider the model to be a current one or is it close to its EOL date?
- etc.

Quote
So please, do not spread false information.
I feel like your claims/advice isn't perfectly neutral either to be honest...

Simple example :
Quote
And lack of customization in the coreboot BIOS is a feature.
That's how the firmware is designed.
This is why you have a choice with Protectli.
You can't be taken seriously after making such claims IMHO :-/

Quote
You can switch between coreboot and AMI very easily. It just so happens that I don't need any "features" that AMI offers.
That's personal taste and that's fine, but it does not mean that everyone else feels the same way about it...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on May 11, 2026, 11:52:58 PM
This is something I might agree with you on totally, because: who builds/maintains those coreboot/Libreboot releases?!
Coreboot for Protectli devices is outsourced to a well known and reputable open source firmware company, 3mdeb. https://3mdeb.com/
Quote from: nero355 on May 11, 2026, 11:52:58 PM
- If it's the manufacturer and they have a dedicated team for it that does it for all their devices: OK, let's do it!
They have dedicated team(s) for this. And all their work is hosted on GitHub. You can find it here: https://github.com/protectli-root/protectli-firmware-updater
Quote from: nero355 on May 11, 2026, 11:52:58 PM
- If it's someone who you could consider to be on the same level as any random custom Android ROM developer, for example, then things get different...
These people are not some random basement dwellers from XDA forums. This is official Protectli firmware that was outsourced to 3mdeb.
Quote from: nero355 on May 11, 2026, 11:52:58 PM
IMHO he is fully in his right to think that way if there is not enough clarity about the whole thing!
There is enough clarity for those who want to know. Everything I'm saying here is publicly available information combined with personal experience. I'm not talking out of my ass, nor am I shilling for Protectli or any other brand. Stop playing detective. If you live in the US, get Protectli. If you live in the EU, get Deciso or Thomas Krenn. It is that simple.
Quote from: nero355 on May 11, 2026, 11:52:58 PM
Any kind of software in general is never finished, so that's a very bold claim you are making there! ;)
By that logic, life is not worth living.
Quote from: nero355 on May 11, 2026, 11:52:58 PM
That's the other extreme side of the story, which should be avoided too of course!
And how do you avoid it if the ME/PSP or CPU microcode has known critical vulnerabilities and the only way to fix them is to flash the latest BIOS? Your reply makes no sense.
Quote from: nero355 on May 11, 2026, 11:52:58 PM
If I am perfectly honest: it all went wrong the moment you chose ASUS hardware...
Please stop embarrassing yourself.
Quote from: nero355 on May 11, 2026, 11:52:58 PM
I think we need a timeframe for that data:
- When was the model released?
- When did you buy it?
- How many updates/upgrades were there in total so far?
- Do they consider the model to be a current one or is it close to its EOL date?
- etc.
I... I just can't...
Quote from: nero355 on May 11, 2026, 11:52:58 PM
I feel like your claims/advice isn't perfectly neutral either, to be honest...
Talking about neutrality with a TopTon signature.

Quote from: Nullman on May 12, 2026, 12:58:01 AM
If you live in the US, get Protectli. If you live in the EU, get Deciso or Thomas Krenn. It is that simple.
Just pausing to mention existence of other places on the planet at which point simplicity is down the gurgler, decisions need to be made. Our relative proximity to one or two Chinas makes CWWK boxes very popular. Been there, done that, in fact finally have it on ebay at the moment.

I will stick with my own decision which I consider sound for the reasons I outlined above, all subsequent discussion (and fisking) notwithstanding. The topic is a quad port, reliable, fast router, with a side of supporting companies and principles most valuable to each person.
Deciso DEC697

I have for many, many years run 100% ASIC-based SOHO hardware for my home FW. Now I am running FreeBSD/OPNsense.
The latter takes monumentally more effort just to keep the device itself secure.
Two different worlds when it comes to security hardware.
Mini-pc N150 i226v x520, FREEDOM