Hardware suggestion for IPFire with IPS and URL Filtering

Hello at all,

After using IPFire and OPNsense for a few years, I have to replace my hardware and take a look around at what's new in both distributions.
It looks like a lot of changes were made on the IPFire side, and the point which has bothered me for a few years (lack of VLAN support) has been solved so far.

My old APU1D4 is nearly eight years old and really slow if I use it with OPNsense, IPS and web filtering. My new 300/20 internet line melted down to 100/20, so I have to disable both features to get the full internet connection.

I have checked the Lightning Wire Labs homepage, but the Appliance Mini seems to be too weak to serve my internet line, and the Business appliance is too expensive to avoid trouble with my finance boss (i.e. wife).

There are two systems which seem to be powerful enough to serve as a firewall for my network.

https://shop.tx-team.de/Networking-Firewall/Desktop-Firewall/EcoBox::32.html
https://www.ipu-system.de/produkte/ipu672.html

What do you think, which one of them would be more convenient to serve as a firewall with IPS and proxy/URL filter?

Best regards
Gothicgorn

I wouldn't buy either of them (no dual-core CPU in 2020 anymore, and no low-end Atom): https://www.cpubenchmark.net/compare/Intel-Atom-C3558-vs-Intel-i5-7200U/3129vs2865

Also they have too little RAM.

Get yourself an i3-9100T and an Intel i350 NIC controller card + ITX board ASUS Prime H310I-Plus R2.0 + small NVMe SSD M.2 Toshiba OCZ RC100 120GB + G.Skill NT Series DIMM 8GB, DDR4-2400 (F4-2400C15S-8GNT) RAM + any cheap case (for example SilverStone SST-ML05B; you can install lots of fans that rotate very slowly and won't produce much noise, but create a constant air stream for perfect cooling) + FSP FSP200-50GSV-5K 85+ 200W PSU.

You will have much more power for the same price.

Why would you purchase a new Intel CPU, when up to 12 security flaws from mid-2017 are still haunting us?

Something like a HP 90-0068(x) compact desktop has a 4-core Ryzen CPU & 4 GB RAM. There are slots to take up to 3 extra NICs, if required. It's running a 35 W CPU and is fairly compact, not much larger than an ITX system.


Strong point. For many years I've bought these little Zotac Nano barebones, but I won't do this anymore because of Intel. My personal list of preferences:

  • AMD quad-core CPU
  • Min. 8 GB, max. 32 GB RAM
  • Min. 128 GB SSD
  • Min. integrated WLAN AP
  • Min. 2x Ethernet
  • Min. 2x USB 3
  • Passive cooling
  • Low energy when idle (<15 W)

The only such device, as far as I know, is the Maxtang VHFP-30.


Because of power consumption, resulting in louder systems as well.

Not available on German/European markets, only from overseas. And only two Ethernet NICs.

You need to buy it directly in the Far East and have it shipped to Europe. But I believe it is only a matter of time until the first resellers have their containers in Europe. This device is quite new, from somewhere around Nov/Dec 2019.

In case of any hardware vulnerabilities you will never get software fixes such as BIOS updates, as is well known with those Chinese "cheap" products. That's why I got rid of all mini PCs from overseas. There is no service afterwards. That's why I suggest building your own system.

You may also use low-power Epyc embedded ITX boards, but that will cost lots more bucks.

Well, that's true, though in most cases so-called "secure" and "trustable" devices are just coming from such containers, bought and rebranded in the Far East, e.g. Tuxedo Linux books -> https://www.clevo.com.tw/

Obviously I work for LWL, so I am biased here :)

Yes, this appliance is probably not fast enough for a 300M connection. The IPS is the biggest problem here and it only passes through about 100M. Still good for price and form-factor, but not enough for you.

It would be nice to have a product that is slightly larger and more powerful, but unfortunately they will instantly become a lot more expensive.

I have ranted a couple of times here on the forum and on our blog about those Chinese vendors that dump their stuff onto some markets. There are plenty of technical reasons not to touch them. I often got angry when people compare the price of something that is shipped as a “gift” to you from China directly, but in Europe buyers have rights and are expecting a service. You get none of that when you buy from China and this cannot be compared very easily.

However, would I touch Intel? I would prefer not to, but that makes your choice a lot smaller on the market. AMD is not free from any of those issues. Have they handled them better? Yes. Are they less likely to be vulnerable? Yes. Are they cheaper? Yes. But still they are not perfect.

Whatever you decide to do, I would urge you to invest money into your firewall. Certain things are not cheap, but you will use that box every day. All the time. It has to be solid. IPFire runs so much better on proper hardware and you won’t run into any obscure hardware issues that are probably impossible to debug.


In response to issues raised by @xperimental:

re power consumption: I don't have any recent Intel products. My Core 2 Duo systems never throttle back to less than about 60% of max CPU frequency, and power consumption is directly proportional to frequency. OTOH, an AMD CPU will routinely throttle back to 1 GHz, and that is all that an IPFire box will generally need.

re noise: a 35 W max CPU, often running at one-third of that, won't need big fans and should be inaudible a metre or so from workstations.

re marketing: this is changing in some countries; I'm in Australia. I recently purchased a Ryzen laptop directly from the Lenovo website. The machine was configured to my selection and freighted to me direct from China. The price of freight was "included" and probably not significant.

re firmware support: I expect this from Lenovo.

@teejay

Ryzen embedded does look like a good solution. At present it is mainly used in "industrial" PCs that have lower sales volume and are relatively expensive. That might change. I still have two HP N40L SOHO servers. A great little server with an AMD low-wattage CPU & ECC RAM.

The Maxtang VHFP-30 does look like a good fit. The list price of USD 560 would put it out of reach of most home users, nor can I find any mechanism for purchasing one from here.

You made my day. Thx. It’s too late over here so I’ll keep it short.

What's "re"???
You seriously compare recent CPUs' power management with CPUs from 2006? How do you know 1 GHz is enough for firewall applications? My AMD A4 5050 is at 80% when using the full bandwidth of my line (120 Mbit), and we are talking here about 300 Mbit. Also, power consumption is not directly proportional to a processor's base speed, and my Ryzen (Zen 1) never reduced its base frequency quite well when using a Linux OS. Even with Windows there is still trouble with the power management and Ryzen (Zen 2).

When I was in Australia in 2007, near Wollongong, there were weekend markets every second weekend for PCs and multimedia stuff with lots of very cheap Chinese products.

I'm not a fan of Intel hardware... it's actually the opposite, but that's for sure → Intel hardware has always worked better with Linux out of the box.

Regarding cheap Chinese manufacturers: there are cheap and cheaper ones... better stick with the cheap ones and those who are delivering A-brands. I've already named Clevo as an example.

But Michael also made a good point. When stability and trust count, then better assemble it yourself if possible. I have to trust resellers, and I never sell hardware which I have not used myself before. That's why I have been using these little Zotac boxes for many years now.

Though it’s 2020 and the time for Intel NUCs is over…

"re" is English shorthand for "regarding".

Anyone contributing to this forum could post actual power figures that they measured for later Intel CPUs; nobody has.

General enquirers to this forum tend to start with the premise that they must cater for their maximum line speed 24/7. That's not a valid assumption around here, where there are two peak periods each day, of several hours each, when achievable speed is often less than half of nominal. So which to cater for?

I'm not clear what CPU usage IPFire is reporting. It reports only a single figure for my 4-core A6-1450. Is that aggregate, average per core or simply core 0? KDE on my workstation, running on a similar but faster APU, reports per core, and each core mostly dawdles along at 2%, blipping up to 15% when some task occurs.

The HP 90-0068A & my laptop are using Ryzen version 3. Those run Ubuntu 18.04 without difficulty but I have not delved into CPU frequency scaling.

FWIW, when I was attending those weekend computer markets, the overwhelming bulk of dollar turnover was for brand-name mainboards, CPUs, RAM, graphics cards & drives. The generic items were mainly cards, adapters, cables etc.

One compromise that IPFire installers currently have is between Intel-based hardware that might be better configured for a router but has more vulnerabilities, and AMD hardware that is the converse. I'm opting for lower vulnerability.

Please contact me or give me your contact details; I need hardware.

Suitable choice of hardware depends on each situation: bandwidth, number of users, add-ons such as IPS & ClamAV, as well as permissible downtime.

What is your situation?

Yes, IPS and ClamAV will be used, as well as other add-ons; it's to be used by a company in the banking sector.

IPS and ClamAV are CPU hogs, and most of the load relies on one core.
IMVHO, considering the goals and the tools chosen to achieve control and safety, a desktop/laptop Intel quad-core CPU at least may fit better than a Celeron J or Pentium Gold. A higher IPC rate helps performance.
Is an appliance form factor mandatory for this customer?
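A way to check both the earlier question (whether a single CPU figure is an aggregate) and the claim above that IPS/ClamAV load mostly one core, as an added example that is not from anyone in this thread: it reads two /proc/stat snapshots and prints the busy percentage for the aggregate "cpu" line and for each core. The snapshots below are constructed, not measured; on a live IPFire box you would pass two real copies of /proc/stat taken a few seconds apart.

```shell
#!/bin/sh
# Per-core busy percentage between two /proc/stat snapshots, so a single
# aggregate CPU figure can be compared with the load on each core.
# Each "cpu"/"cpuN" line: user nice system idle iowait irq softirq steal ...
# busy = total jiffies - (idle + iowait); fields are the standard /proc/stat layout.
percore_busy() {
  # $1 = first snapshot, $2 = second snapshot (full text of /proc/stat)
  printf '%s\n' "$1" "---" "$2" | awk '
    /^---$/ { second = 1; next }
    /^cpu/ {
      total = 0
      for (i = 2; i <= NF; i++) total += $i
      idle = $5 + $6
      if (!second) { t1[$1] = total; i1[$1] = idle; order[++n] = $1 }
      else         { t2[$1] = total; i2[$1] = idle }
    }
    END {
      for (k = 1; k <= n; k++) {
        c = order[k]
        dt = t2[c] - t1[c]; di = i2[c] - i1[c]
        pct = (dt > 0) ? 100 * (dt - di) / dt : 0
        printf "%s %.0f%%\n", c, pct
      }
    }'
}

# Constructed snapshots (not real measurements): 4 cores, one of them
# carrying most of the work, as a single-threaded scanner would cause.
# The aggregate line shows only 20% busy while cpu0 is at 70%.
SNAP1='cpu  125 0 70 3805 0 0 0 0 0 0
cpu0 100 0 50 850 0 0 0 0 0 0
cpu1 10 0 10 980 0 0 0 0 0 0
cpu2 10 0 5 985 0 0 0 0 0 0
cpu3 5 0 5 990 0 0 0 0 0 0'
SNAP2='cpu  224 0 129 4447 0 0 0 0 0 0
cpu0 190 0 100 910 0 0 0 0 0 0
cpu1 15 0 15 1170 0 0 0 0 0 0
cpu2 12 0 7 1181 0 0 0 0 0 0
cpu3 7 0 7 1186 0 0 0 0 0 0'

percore_busy "$SNAP1" "$SNAP2"
# Live use on the firewall:
#   percore_busy "$(cat /proc/stat)" "$(sleep 5; cat /proc/stat)"
```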

One of the Lightning Wire Labs appliances is indicated. https://www.lightningwirelabs.com/products/ipfire/appliances

Although those, as well as quality desktop PCs, are fairly reliable, there might also be a case for a "cold-standby" unit for use when any configuration issues are encountered with the main firewall.
