Help to choose better HW

I have one APU2 (the one recommended by IPFire) and the APU6. None of these is powerful enough.

I know for sure this is an SW issue, as OpenWRT works perfectly.

So I need a recommendation for something lightweight, but powerful enough. SFP is preferable both on red and on green. Two interfaces are enough. 10Gb may be interesting.

I’m expecting well below €400.

OpenWRT and IPFire are very different products with different characteristics. In terms of pure throughput using no QoS or IDS/IPS (suricata), I did not see much difference between OpenWRT and IPFire on my APU2. About 850/900 Mbit/sec in both cases on all the wired interfaces and about 350/400 Mbit/sec on the WIFI (vle600wx card).

If you want a 2.5 or 10 Gbit network with a stateful, bells-and-whistles firewall, I am not aware of any hardware combination that can reliably take that job under 400 euros. Hopefully I am wrong and it does exist, but I strongly doubt it.

You need the following (not complete) list of characteristics:

  1. Network cards with 2 queues and a firmware well supported in Linux, capable of loading the computational work on all the available CPU cores;
  2. A CPU powerful enough to sustain the computation load of packet inspection necessary for filtering the traffic, as it happens with Suricata and the QoS features;
  3. Dedicated cryptographic hardware for encryption/decryption on the fly in VPN usage;
  4. A PCIe bus in the motherboard capable of sustaining that kind of high speed traffic;
  5. Solid state drive and bus interface fast enough not to be a bottleneck.

Probably I am forgetting something.

3 Likes

On my 1Gb line I’m getting 940 both ways with OpenWRT. IPFire can’t do that. I like to use IPFire, but it seems the software is very demanding on hardware. I may have made a “mistake” testing with SNORT running. But still, it shouldn’t be an issue. Especially since it was out that was struggling most with speed. Down was almost OK.

I also have a 1 Gbit line and I mostly get 850 on average (occasionally 900), both ways using either vanilla IPFire or OpenWRT. If you use suricata with IPFire, that drop is expected and well documented. I believe it is also reported in the wiki.

EDIT: take a look at this wiki page

1 Like

The figures that are mentioned at the end of the wiki page you referenced need to be updated, as they will have improved with some changes that were made in 2021/2022, but the principle still applies that IPS is a resource-heavy function.

I have a mini and if I remember right, after the improvements I get ~450 to 500 on my 1 Gbit line when I have IPS enabled.

Before the improvements I was getting around 200 to 250 on the same 1 Gbit line.

1 Like

Openwrt does not have suricata. I did a search in the openwrt documentation online for suricata and it came back saying it had found nothing related to suricata.

1 Like

So what is the hardware requirement with a one Gb fiber in and out?

This must be something the people behind ipfire know.

Looking at the specs for the Lightning Wire Labs appliances, both the Business and Office appliances use a 2.20GHz processor that has 4 cores, and from the IPS testing info both should be able to achieve 1Gb performance.

So from a processor point of view the above would be the processor capability.

The problematic thing is that the network controller firmware provided on the motherboard needs to support being able to balance all four ethernet adaptors across all 4 cores of the processor to achieve this throughput.
That balancing is often what is not provided in the network firmware as most motherboards are sold on the basis of being used for machines with only one network adaptor.

So an option would be to use the Lightning Wire Labs machines but they are definitely higher than the €400 limit you mentioned.

You could look at buying a motherboard from other suppliers together with 4 network adaptors and the rest of the required parts and confirm with the supplier that the firmware would be able to balance the traffic across all cpu cores.
I suspect that if you find a supplier that is able to confirm/guarantee the balancing, the cost will still end up above €400.

I found a Supermicro A2SDI-4C-HLN4F mini ITX which runs the same atom processor as used by Lightning Wire Labs and has four built in ethernet adaptors. That board had a price of between €399 and €492 from various suppliers (in The Netherlands) excluding the processor and memory.

I don’t know if that motherboard balances the network traffic across all the cpu cores but as the network adaptors are on the motherboard then hopefully that would be the case.

2 Likes
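The characteristics list earlier in the thread (network cards with several queues that spread work over all CPU cores) and the post above about the firmware balancing all four adaptors across the cores come down to one check a reader can make on their own box: does the NIC register several per-queue interrupt vectors, and are those vectors actually being serviced by more than one CPU? The script below is an added example, not code from IPFire or from any poster. It reads the /proc/interrupts format that Linux exposes; the excerpt embedded in it is constructed sample data, and the interface names eth0/eth1 and driver names igb/r8169 are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not IPFire project code): check from /proc/interrupts whether a
# NIC exposes several queue vectors and whether the kernel spreads them over cores.
# On a live system the functions read /proc/interrupts by default; the excerpt
# below is constructed sample data so the script also runs offline.

SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:    1203445          0          0          0   PCI-MSI 524288-edge      igb-eth0-TxRx-0
  25:          0     998123          0          0   PCI-MSI 524289-edge      igb-eth0-TxRx-1
  26:          0          0    1012002          0   PCI-MSI 524290-edge      igb-eth0-TxRx-2
  27:          0          0          0     987654   PCI-MSI 524291-edge      igb-eth0-TxRx-3
  28:    5503021          0          0          0   PCI-MSI 1048576-edge     r8169-eth1'

# write_sample FILE: store the constructed excerpt so the functions can read it
write_sample() {
    printf '%s\n' "$SAMPLE_INTERRUPTS" > "$1"
}

# nic_queue_count NIC [FILE]: number of per-queue IRQ vectors registered for NIC.
# A NIC with a single vector can only ever be serviced by one core at a time.
nic_queue_count() {
    grep -c -E -- "-$1-(TxRx|rx|tx|Rx|Tx)-[0-9]+" "${2:-/proc/interrupts}" || true
}

# nic_busy_cpus NIC [FILE]: number of distinct CPUs that have handled NIC's IRQs
nic_busy_cpus() {
    awk -v nic="$1" '
        NR == 1 { ncpu = NF; next }                 # header row: one column per CPU
        $NF ~ ("(^|-)" nic "(-|$)") {              # last field names driver/queue
            for (i = 2; i <= ncpu + 1; i++) if ($i + 0 > 0) busy[i] = 1
        }
        END { n = 0; for (c in busy) n++; print n }' "${2:-/proc/interrupts}"
}

# nic_spreads_load NIC [FILE]: succeed only if NIC has >=2 queue vectors that
# have been serviced by >=2 different CPUs (the balancing the posts ask for)
nic_spreads_load() {
    q=$(nic_queue_count "$1" "$2")
    c=$(nic_busy_cpus "$1" "$2")
    echo "$1: $q queue vector(s), serviced by $c CPU(s)"
    [ "$q" -ge 2 ] && [ "$c" -ge 2 ]
}

# Demonstration on the constructed excerpt; on a real box run: nic_spreads_load eth0
tmp=$(mktemp)
write_sample "$tmp"
nic_spreads_load eth0 "$tmp"                         # 4 vectors over 4 CPUs: balanced
nic_spreads_load eth1 "$tmp" || echo "eth1: single vector pinned to one core"
rm -f "$tmp"
```

The queue vectors only exist if the driver and firmware expose them; `ethtool -l <iface>` shows how many channels the NIC offers, and a NIC that reports one combined channel will never pass `nic_spreads_load` no matter how many cores the CPU has. That is the case the thread describes for boards sold for single-NIC desktops.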

But not the IPFire Mini Appliance CPU then? So you’re confirming any of the PC Engines APU boards won’t fulfill the 1GB speed, and you also questioned if the next level of HW does. Thanks. Very helpful.

This is very important information as many now start to use 1GB fiber lines. Here in Norway you can even get 10Gb for home use.

Correct. That was already pointed out in post 4 where the link takes you to the IPFire Wiki page where performance values of the IPFire Enterprise, Business and Mini Appliances are quoted.
That clearly shows that the Mini Appliance does not meet 1Gbit when the IPS is turned on.
I mentioned in post 5 that my Mini Appliance was achieving around 400 to 500 Mbit with the latest IPS improvements that have been applied to IPFire. That is still not achieving the 1Gbit level. So it is clear that if you want full 1Gbit performance with IPS turned on then you need to look at more powerful systems, but also with load balancing across cpu cores implemented in the firmware by the network card manufacturers.

No I did not. If you inferred that from something I wrote then that was not my intention.
I have no knowledge about the higher level Lightning Wire Labs systems, other than what is defined in their data sheets.
If you want to find out if the other systems available from them have the capability you desire then you should contact them and have that discussion with them. I can only talk about the Mini Appliance that I have installed in my home system.

10Gbit fibre connections may become available but the hardware to support that is not going to be at the €400 level for quite some time, especially as currently there is a worldwide chip shortage.

4 Likes

This product might meet the OP requirements: Topton Ryzen 5500U mini-pc

The 2.5 Gb Ethernet device uses Intel i226V. Ryzen 5 5500U has TDP of 15 Watts.

Varying opinions have been expressed about Aliexpress. In the only significant issue that I have had, where a vendor declined to ship a mainboard, for which I had paid, Aliexpress promptly refunded my payment, in full.

Thanks. Nice HW. I would prefer an SFP interface, as red is fiber directly into my house. No modem or converters. Green can also be SFP.

Would you happen to know if it’s possible to install ipFire on some of the Ubiquiti EdgeRouters? And if not, is it a huge exercise to make ipFire support such HW?

Or the Dream Machine.
https://store.ui.com/collections/unifi-network-unifi-os-consoles/products/udm-pro

Will this be a good option for ipFire?

@r1200cl any progress on that question :question:
My research ended exactly at the same point :laughing:
Requirements: SFP GPON up to a 2.5GB PPPoE connection
Nothing other than the DECISOs

However, by accident I have found these adapters:

and a good old case-mod :person_shrugging:

No. It seems the people behind ipfire aren’t willing to help. So I go OpenWrt. Not what I wanted, but there is no willingness from @ms to assist people with proper HW.

Maybe because Germany is an underdeveloped country when it comes to fiber. I don’t know.

That OPNsense HW was my best shot. But no one is willing to tell me if ipfire can be installed on it.

Also I’m using WireGuard now. A VPN solution ipfire won’t support.

I would be willing to pay for better support, but that’s not an option either.

I also suspect that if PC Engines and ipfire cooperated better, HW acceleration could be implemented and the problem solved.

So my conclusion is that ipfire isn’t for people with 1GB fiber. And they won’t help people to have it work.

Maybe they will understand what they did wrong when all users have left.

@r1200cl
Thanks for the reply.
And you are correct: Germany is new to fibre. It is so sad :crying_cat_face:

Regarding the compatibility, it looks like one has to go by trial and error on that :cat2:

EDIT:
As already written, it is a very, very tiny budget you are planning. However,
whether it will be OPNsense or OpenWrt or IPFire, I am very interested whether you can achieve this goal
of saturating a fibre gigabit connection ‘all-inclusive’ for less than 400 EUR :money_mouth_face:

For me the show-stopper is the SFP cage, but we will see :smirk_cat:

I have IPFire on this:

https://www.supermicro.com/en/products/system/1U/5018/SYS-5018A-FTN4.cfm

Those are rather cheap due to an inherent potential clock flaw in the Atom C2000 series, but the risk is not very high and mine has survived so far, way beyond the specified 18 months of initial failure … something…rate…

Had a look for the cheapest components for Intel Socket 1700:

Case: 30€
PSU: 30€
MB: 70€
CPU: 60€
FAN: 20€
RAM: 10€
SSD: 15€
Shipping: 20€

Total: 255€.

No NICs yet.

Don’t think so!

Edit: cheapest Inter-Tech Intel SFP+ 10G Single Port NIC ~60€ (×2 = 120€).

Total: 375€.

But all cheap and probably crap components.

1 Like

I don’t know what you want. I am not offering free hardware advice, because I simply cannot give it to you. I don’t own all the hardware that people ask questions about and that is why we have a community: To pool information like this.

That is not an IPFire problem. It is a hardware problem. The hardware simply needs to be able to handle that traffic. All of the IPFire appliances that we offer do support this. However, you cannot send 1 GBit/s through an IPS on some hardware that consumes 5W. It is as simple as that.

I understand that you might be frustrated, but this is not a way to talk here.

If you have questions, you can ask them. If nobody replied, you probably asked the wrong question. But moaning about not getting any help without putting any effort in yourself is not going to get you where you want to go.

12 Likes