Question About Hardware Compatibility - UPDATE 8/14/2018

[TheWhiteBuffalo]

Greetings all,

I am currently running my firewall on a netbook and I am looking to get something with a smaller form factor. I have been looking at the Asus Tinker Board with the Rockchip RK3288 CPU. My main question is: Has anyone had success running OPNsense on this board?

I hope this finds you all well,

TWB

UPDATE 8/14/2018:

The Tinker Board is out of the scope of options for me. However, I am still looking for a single board computer to use for my firewall.

Any suggestions on my best possible options would be greatly appreciated.

Thanks again,

TWB

[marjohn56]

You need to say what the budget is.

[monstermania]

The Tinker Board is out of the scope of options for me. However, I am still looking for a single board computer to use for my firewall.

The problem is the availability of freebsd/hw drivers for the most sbc. Even if the cpu (i.e. ARM-Core) is supported by freebsd that doesn't mean that the whole sbc is running with freebsd!

So best solution at the moment is to use a x86-sbc for pfsense. There is a wide range of x86-sbc in the market but many of them where sold only to industrial customers.
One Company that sell x86-sbc is PC-Engines with their APU-Series (i.e. https://www.pcengines.ch/apu2.htm). IMHO the APU-Series is a good solution for a small and efficent firewall.

best regards
Dirk

[Ricardo]

The Tinker Board is out of the scope of options for me. However, I am still looking for a single board computer to use for my firewall.

The problem is the availability of freebsd/hw drivers for the most sbc. Even if the cpu (i.e. ARM-Core) is supported by freebsd that doesn't mean that the whole sbc is running with freebsd!

IMHO the APU-Series is a good solution for a small and efficent firewall.

best regards
Dirk

Beware PCengines APU2, if you want to use it on 1-Gigabit links, where it fails miserably to reach anything close to wire-speed, compared to some Linux-based firewall distrib.
https://forum.opnsense.org/index.php?topic=9264.0

[franco]

@ricsip, honest question: does your answer meet standards for objectivity? a lot of users have no problem with apu2 performance or are reasonable about its limits and this seems to indicate a general "no go" for said hardware.

[Ricardo]

@ricsip, honest question: does your answer meet standards for objectivity? a lot of users have no problem with apu2 performance or are reasonable about its limits and this seems to indicate a general "no go" for said hardware.

@franco: with all respect, I stated clearly that it's the combination of "Gigabit speed and APU2" , that cannot be taken as granted. That's what I learned personally.

[franco]

A yes or no would have been clearer. FWIW, you seem emotionally attached to the fact that this hardware doesn't live up to your expectations. Please don't let your sentiment lessen your appearance while helping others.


Cheers,
Franco

[TheWhiteBuffalo]

Awesome information! thank you for all the responses.

You need to say what the budget is.

As it stands, my budget for this project must not exceed 300 USD, however, I would like to spend much less than that.

The problem is the availability of freebsd/hw drivers for the most sbc. Even if the cpu (i.e. ARM-Core) is supported by freebsd that doesn't mean that the whole sbc is running with freebsd!

Since my original post, some personal research has revealed exactly this. Simply put, I need a x86-sbc to be successful with this project. I will definitely be checking out the APU-Series as a viable option. Any other suggestions are welcomed and would be greatly appreciated.

On a side note and, maybe, an unrelated tangent for a different discussion board all together. Is it worth trying to compile a custom freeBSD kernel to support some of these ARM boards? What would it take to create the drivers for different hardware?

I have done this with Linux and some obscure hardware setups, however, I am definitely a newbie to the BSD world.

Thanks again for the feedback,

TWB

[franco]

Armv6 support which we tried (RPI2) is fragmented per device. armv7 is similar. armv64 promised to bring the devices closer together under a single kernel, but last I heard this is part of FreeBSD 12 and we're currently using 11.

While it's possible to build armv6/7 for a single device the effort is currently steep, but not impossible given the open source nature. Only trouble is getting the build power or cross-build up and running properly and maintaining this for all subsequent updates. Some users have reported success in these areas, but not to the extent that it was easily usable for others and provide a constant stream of updates.

We do not wish for vendor locks and thus hope for better days in FreeBSD 12 with a unified arm64 platform. Fingers crossed.


Cheers,
Franco

[TheWhiteBuffalo]

While it's possible to build armv6/7 for a single device the effort is currently steep, but not impossible given the open source nature.

I had a feeling this was the scenario. I suppose if it was easy we would already have support for these boards. I might still look into the process a bit more. For now, however, it looks like buying a board that is already compatible with the current build will be more time efficient.

Greatly appreciative for the information,

TWB

[Ricardo]

A yes or no would have been clearer. FWIW, you seem emotionally attached to the fact that this hardware doesn't live up to your expectations. Please don't let your sentiment lessen your appearance while helping others.

Cheers,
Franco

Yes, indeed, I am usually passionate about things I do.

Let me ask something. If someone recommends the APU2 to OP, what reason is behind that recommendation? The OP didnt clarify the bandwidth requirements. It does matter if the APU2 will be serving a 10 Mbit ADSL or a 1Gbit Fiber WAN with PPPoE. It does matter if there will be 2 lines in the firewall ruleset, or 1000. It does matter if IPS/IDS will be activated with many rules, or no IPS/IDS at all.

There are no publically available benchmarks, that could say, OPnsense 18.7 + APU2 is good up to X mbit traffic (with NAT / without NAT?) if adding the following layer, one after each other:
a) there are X inbound rules in pf
b) there are Y rules in Suricata
c) x sessions in openVPN using y crypto algorithm serving z mbit bandwidth
d) total aggregated CPU load is under 400%

So its neither sufficient to say in generic, that APU2 is what OP is looking for.

[marjohn56]

As it stands, my budget for this project must not exceed 300 USD, however, I would like to spend much less than that.

Go for a Qotom, if you have the ram and SSD get the barebones i5 version, if not 4Gb RAM and a 32Gb SSD will still only set you back $289


Rock solid units, lots of users here have them, and one of the i5's I have came with an upgraded CPU, or splash out and go for the i7.


https://www.aliexpress.com/item/QOTOM-4-LAN-Mini-PC-with-Core-i3-4005U-i5-5250U-processor-and-4-Gigabit-NIC/32812678037.html?spm=2114.search0104.3.1.609f2b45TBugQ0&ws_ab_test=searchweb0_0,searchweb201602_3_10152_10151_10065_10344_10130_10068_10324_10342_10547_10325_10343_5012915_10340_10548_10341_10696_10192_10190_10084_10083_10618_5013015_10307_10820_10301_10821_10303_5012815_10059_100031_5012715_10103_10624_10623_10622_10621_10620,searchweb201603_55,ppcSwitch_3&algo_expid=0456645d-429a-45af-97d4-585e45898742-0&algo_pvid=0456645d-429a-45af-97d4-585e45898742&priceBeautifyAB=0

[franco]

Let me ask something. If someone recommends the APU2 to OP, what reason is behind that recommendation? The OP didnt clarify the bandwidth requirements. It does matter if the APU2 will be serving a 10 Mbit ADSL or a 1Gbit Fiber WAN with PPPoE. It does matter if there will be 2 lines in the firewall ruleset, or 1000. It does matter if IPS/IDS will be activated with many rules, or no IPS/IDS at all.

You are right. That being said, what's the reasoning behind recommending to avoid it without knowing the same? Do you plan to jump in every time someone asks a basic hardware question and recommend avoiding APU devices? Find the device that makes you happy and stick with it.

[monstermania]

@ricsip
You are right!
But TWB asked explicit for a sbc and for the money the APU2-Boards offers great performance and opportunities (i.e. m-pci slots). So i recommend this board. The iperf may be a problem for you. Others may habe no problem with this!

best regards
Dirk

[TheWhiteBuffalo]

Moved post...