I have one APU2 (the one recommended by IPFire) and the APU6. None of these is powerful enough.
I know for sure this is an SW issue, as OpenWRT works perfectly.
So I need a recommendation for something lightweight but powerful enough. SFP is preferable both on red and on green. Two interfaces are enough. 10Gb may be interesting.
OpenWRT and IPFire are very different products with different characteristics. In terms of pure throughput, using no QoS or IDS/IPS (suricata), I did not see much difference between OpenWRT and IPFire on my APU2: about 850/900 Mbit/sec in both cases on all the wired interfaces and about 350/400 Mbit/sec on the WIFI (vle600wx card).
If you want a 2.5 or 10 Gbit network with a stateful, bells-and-whistles firewall, I am not aware of any hardware combination that can reliably take that job under 400 euros. Hopefully I am wrong and it does exist, but I strongly doubt it.
You need the following (incomplete) list of characteristics:
Network cards with 2 queues and a firmware well supported in Linux, capable of spreading the computational work over all the available CPU cores;
A CPU powerful enough to sustain the computation load of the packet inspection necessary for filtering the traffic, as happens with Suricata and the QoS features;
dedicated cryptographic hardware for encryption/decryption on the fly in VPN usage;
a PCIe bus in the motherboard capable of sustaining that kind of high speed traffic;
a solid state drive and bus interface fast enough not to be a bottleneck.
On my 1Gb line I'm getting 940 both ways with OpenWRT. IPFire can't do that. I like to use IPFire, but it seems the software is very demanding on hardware. I may have made a "mistake" by testing with SNORT running. But still, that shouldn't be an issue. Especially since it was the outbound direction that was struggling most with speed; download was almost OK.
I also have a 1 Gbit line and I mostly get 850 on average (occasionally 900), both ways, using either vanilla IPFire or OpenWRT. If you use suricata with IPFire, that drop is expected and well documented. I believe it is also reported in the wiki.
The figures that are mentioned at the end of the wiki page you referenced need to be updated, as they will have improved with some changes that were made in 2021/2022, but the principle still applies that IPS is a resource-heavy function.
I have a Mini and, if I remember right, after the improvements I get ~450 to 500 on my 1 Gbit line when I have IPS enabled.
Before the improvements I was getting around 200 to 250 on the same 1 Gbit line.
OpenWrt does not have Suricata. I did a search in the OpenWrt documentation online for Suricata and it came back saying it had found nothing related to Suricata.
Looking at the specs for the Lightning Wire Labs appliances then both the Business and Office appliances use a 2.20GHz processor that has 4 cores and from the IPS testing info both should be able to achieve 1Gb performance.
So from a processor point of view the above would be the processor capability.
The problematic thing is that the network controller firmware provided on the motherboard needs to support balancing all four Ethernet adaptors across all 4 cores of the processor to achieve this throughput.
That balancing is often what is not provided in the network firmware as most motherboards are sold on the basis of being used for machines with only one network adaptor.
So an option would be to use the Lightning Wire Labs machines but they are definitely higher than the €400 limit you mentioned.
You could look at buying a motherboard from other suppliers together with 4 network adaptors and the rest of the required parts, and confirm with the supplier that the firmware would be able to balance the traffic across all CPU cores.
I suspect that if you find a supplier that is able to confirm/guarantee the balancing, the cost will still end up above €400.
I found a Supermicro A2SDI-4C-HLN4F mini ITX which runs the same atom processor as used by Lightning Wire Labs and has four built in ethernet adaptors. That board had a price of between €399 and €492 from various suppliers (in The Netherlands) excluding the processor and memory.
I don't know if that motherboard balances the network traffic across all the CPU cores, but as the network adaptors are on the motherboard then hopefully that would be the case.
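A way to check the balancing point made above on an actual Linux box, as an added example and not code from this thread or from IPFire: the script reads /proc/interrupts and reports how many of a NIC's interrupt vectors (one per RX/TX queue) have actually been serviced by how many CPUs. The interface names and the /proc/interrupts sample embedded below are constructed so that it runs offline; on a real system pass /proc/interrupts (the default) instead of the sample file.

```shell
#!/bin/sh
# Added example: does a NIC's traffic reach every core, or pile up on one?
# The sample below is CONSTRUCTED: 4 CPUs, eth0 with four queues but almost
# everything on CPU0 (badly balanced), eth1 with two queues spread over all cores.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:    1200345          0          0          0   PCI-MSI 524288-edge      eth0-TxRx-0
  25:    1150021          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-1
  26:    1000876          0          0          0   PCI-MSI 524290-edge      eth0-TxRx-2
  27:          0          0     980112          0   PCI-MSI 524291-edge      eth0-TxRx-3
  28:     300000     290000     310000     280000   PCI-MSI 1048576-edge     eth1-TxRx-0
  29:       5000          0          0          0   PCI-MSI 1048577-edge     eth1-TxRx-1'
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_INTERRUPTS" > "$SAMPLE_FILE"

# cpu_count FILE: number of CPU columns in the header row of /proc/interrupts.
cpu_count() { awk 'NR == 1 { print NF; exit }' "${1:-/proc/interrupts}"; }

# queue_count NIC FILE: vectors whose name starts with "NIC-" (eth0-TxRx-0, eth0-rx-1, ...).
queue_count() {
    awk -v nic="$1" '$NF ~ ("^" nic "-") { n++ } END { print n + 0 }' "${2:-/proc/interrupts}"
}

# busy_cpus NIC FILE: distinct CPUs that have serviced at least one of NIC's interrupts.
busy_cpus() {
    awk -v nic="$1" '
        NR == 1 { ncpu = NF; next }              # header: CPU0 CPU1 ...
        $NF ~ ("^" nic "-") {
            for (i = 2; i <= ncpu + 1; i++)      # $1 is the IRQ number, $2.. are per-CPU counts
                if ($i > 0) seen[i] = 1
        }
        END { c = 0; for (k in seen) c++; print c }' "${2:-/proc/interrupts}"
}

# balance_report NIC FILE: one line saying whether the NIC's interrupts reach every core.
balance_report() {
    f="${2:-/proc/interrupts}"
    q=$(queue_count "$1" "$f"); b=$(busy_cpus "$1" "$f"); n=$(cpu_count "$f")
    if [ "$b" -ge "$n" ]; then verdict="balanced"; else verdict="NOT balanced"; fi
    printf '%s: %s queues, interrupts on %s of %s CPUs -> %s\n' "$1" "$q" "$b" "$n" "$verdict"
}

balance_report eth0 "$SAMPLE_FILE"   # eth0: 4 queues, interrupts on 2 of 4 CPUs -> NOT balanced
balance_report eth1 "$SAMPLE_FILE"   # eth1: 2 queues, interrupts on 4 of 4 CPUs -> balanced
```

A NIC that shows only one or two busy CPUs after a sustained transfer is the symptom the post describes: the queues exist, but the firmware or IRQ affinity is not spreading the load, so one core caps the throughput.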
But not the IPFire Mini Appliance CPU then? So you're confirming that none of the PC Engines APU boards will fulfil the 1GB speed, and you also questioned whether the next level of HW does. Thanks. Very helpful.
This is very important information, as many now start to use 1GB fiber lines. Here in Norway you can even get 10Gb for home use.
Correct. That was already pointed out in post 4 where the link takes you to the IPFire Wiki page where performance values of the IPFire Enterprise, Business and Mini Appliances are quoted.
That clearly shows that the Mini Appliance does not meet 1Gbit when the IPS is turned on.
I mentioned in post 5 that my Mini Appliance was achieving around 400 to 500 Mbit with the latest IPS improvements that have been applied to IPFire. That is still not achieving the 1Gbit level. So it is clear that if you want full 1Gbit performance with IPS turned on, then you need to look at more powerful systems, but also ones with load balancing across CPU cores implemented in the firmware by the network card manufacturers.
No I did not. If you inferred that from something I wrote then that was not my intention.
I have no knowledge about the higher level Lightning Wire Labs systems, other than what is defined in their data sheets.
If you want to find out if the other systems available from them have the capability you desire then you should contact them and have that discussion with them. I can only talk about the Mini Appliance that I have installed in my home system.
10Gbit fibre connections may become available, but the hardware to support that is not going to be at the €400 level for quite some time, especially as there is currently a worldwide chip shortage.
The 2.5 Gb Ethernet device uses Intel i226V. Ryzen 5 5500U has TDP of 15 Watts.
Varying opinions have been expressed about Aliexpress. In the only significant issue that I have had, where a vendor declined to ship a mainboard, for which I had paid, Aliexpress promptly refunded my payment, in full.