I’m considering loading IPFire on a Qotom Mini PC Q190G4U-S02 available on amazon. Does anyone know if this is a good choice for hardware?
I just googled a little bit and I think this hardware is very outdated. It runs on an Intel Celeron J1900 which is from 2013.
You can get much more recent hardware with more network interfaces like the Lightning Wire Labs Mini Appliance which I consider a rock-solid basis for IPFire!
@haveljj - It depends on your requirements for a firewall. I have only three computers and about ten IoT devices. Internet is 200 megabit download by 10 megabit upload. So not much load on the firewall box.
I have the similar Qotom, Q190G4N-S08, and for my use it works very well. It does not do AES-NI but I do very little VPN so it doesn’t matter much to me.
So I was happy with my purchase. But you may need much more depending on your needs.
Great. Thanks for the info. I do plan on using a VPN so I may have to consider something similar to the Qotom Q355G4 or Q330G4.
AES-NI is becoming quite important now with these kinds of processors. Bandwidth is growing, 200 MBit/s is a lot of data to decrypt and obviously you do not want to add much latency just because you are using a VPN.
The IPFire Mini Appliance has AES-NI and benchmarks can be found here: https://wiki.ipfire.org/hardware/lightningwirelabs/mini
IMO the problem is that the Lightning Wire labs appliances just can’t compete on price with Qotom Mini PCs (I guess it’s hard to compete with China direct!). There are other options of Qotom Mini PC for those not wanting such an old CPU though, as haveljj has found.
I understand that the LW appliances are very low power, but sometimes it’s helpful to have an Intel PC, with Intel NICs and an SSD. I would argue that it also makes the Mini PC more useful for other things if it is ever replaced in the future.
PS: I guess what I’m trying to say is that there are pros and cons to both.
While the Qotom doesn’t compare on power consumption, the Lightning Wire Labs appliances just don’t compare on price (last time I looked anyway).
I think it’s worth mentioning that in case @haveljj isn’t aware, Lightning Wire is your company and so you have an inherent bias. Countering that, it also means that the Lightning Wire appliances are very well tested for IPFire, which I can’t say for the Qotom.
I have a Qotom-Q190G4U-S02 which has an intermittent problem when my Ubiquiti network switch restarts, say due to a firmware update, and the IPFire interfaces connected to it go down. They must be manually brought back up in a shell or by rebooting the OS. I suspect a driver problem but have yet to diagnose it.
While it does have an old Intel CPU, it has 4 x Intel NICs and more than enough power for the IPS to run on all 4 interfaces. I love the fact it’s passively cooled and has a lower average power consumption than my combined network equipment (access points powered through a PoE switch). Also I’m not likely to use a VPN from my IPFire system at the moment, but suspect that the CPU power would easily make up for the lack of AES-NI unless you’ve got very high internet bandwidth.
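The two hardware properties this thread keeps coming back to, whether the CPU has AES-NI and which Spectre/Meltdown-class issues the kernel reports as mitigated, can both be read from the running system. The following script is an added example, not something posted in the thread or shipped by IPFire; it reads the `aes` flag from `/proc/cpuinfo` and the per-issue status files under `/sys/devices/system/cpu/vulnerabilities` (the source the web interface reports from), and takes both paths as parameters so it can be run against constructed sample files as well as the live system.

```shell
#!/bin/sh
# Added example: check a candidate firewall box for AES-NI and summarise the
# CPU vulnerability mitigations reported by the kernel.
#
# Sources read (both overridable via CPUINFO / VULNDIR for testing):
#   /proc/cpuinfo                            "aes" flag => AES-NI is present
#   /sys/devices/system/cpu/vulnerabilities  one file per issue, e.g. "meltdown",
#                                            content "Not affected", "Mitigation: ..."
#                                            or "Vulnerable..."

# has_aesni FILE -> exit 0 if the "aes" CPU flag is present, 1 otherwise.
# Only the first "flags" line is inspected; all cores report the same flags.
has_aesni() {
    grep -m1 '^flags' "$1" | tr ' ' '\n' | grep -qx 'aes'
}

# vuln_summary DIR -> prints "<issue>: <status>" for every file in DIR.
vuln_summary() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# count_unmitigated DIR -> prints the number of issues whose status starts
# with "Vulnerable" (i.e. affected and no mitigation active).
count_unmitigated() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Stand-alone usage against the live system; skipped where the files are absent.
cpuinfo="${CPUINFO:-/proc/cpuinfo}"
vulndir="${VULNDIR:-/sys/devices/system/cpu/vulnerabilities}"
if [ -r "$cpuinfo" ]; then
    if has_aesni "$cpuinfo"; then
        echo "AES-NI: yes"
    else
        echo "AES-NI: no (expect lower VPN throughput at this link speed)"
    fi
fi
if [ -d "$vulndir" ]; then
    vuln_summary "$vulndir"
    echo "unmitigated issues: $(count_unmitigated "$vulndir")"
fi
```

On a J1900 box the first check prints "AES-NI: no"; the vulnerability listing is the same information the IPFire web interface shows, so this is a quick way to compare two candidate boards before buying the second one.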
Well, they are very competitively priced, but there is more that comes with them than just the hardware.
The time that we spend on tuning IPFire so that it takes advantage of the hardware is enormous and of course our hardware comes with warranty as well.
In China you don’t get that. There are thousands of posts where people have issues with cheap hardware and I have absolutely no time to debug that. That is a huge cost that is just outsourced and you hope for the best!
Out of interest do you publish the prices of your hardware appliances anywhere? It looks like the Lightning Wire website has been substantially updated and I can only see a PDF with the hardware specifications.
Yesterday it took me a long time to find it! I was curious at the price difference.
Just curious, is the RAM extensible? Did not find any hints on this.
The price difference is much closer to the new models than when I purchased my MiniPC. The extra NIC is what I wanted too (total count 4, if only IPFire supported multiple networks other than RED, GREEN, BLUE, ORANGE!).
In fact it works out cheaper for me to buy from Lightning Wire, with their case, than buying the APU2 directly from a PC Engines reseller in my country (assuming this is based on an APU2, albeit modified). They also have an extra NIC, as the APU2 seems to only have 3.
I’m not sure why Michael mentioned the age of the Celeron, as the CPU in the Lightning Wire router is only 6 months newer.
Hardware-wise the two systems are actually quite comparable. The AMD has more useful CPU features (and I imagine far fewer Intel vulnerability anti-features!), 60% of the power requirements of the Intel and potentially higher speed RAM, but it’s half the clock speed of the Intel. My understanding is that single core CPU speed is very helpful with dealing with “bursty” network traffic, especially if you use the IPS on all interfaces (as I do).
@hellfire I can’t speak for Lightning Wire, but the MiniPCs do not appear to have user-replaceable RAM, sadly. You possibly could, but they made the case hard to open in the one I have. In the end my curiosity lost out to wanting to keep whatever warranty I’d get from a Chinese Amazon reseller!
EDIT: Slight improvements to wording
I own an APU2C4 with an AMD GX-412TC CPU, too. I ordered from a PC Engines reseller, additionally bought a 19" rack mounting enclosure and the device now perfectly fits into my 19" rack.
If desired I can post an image of those vulnerabilities and fixes that the WebIF currently lists for my CPU.
Normally you won’t need more than this and it is bad network design to route all internal traffic through the firewall.
Yes, the current IPFire Mini Appliance is based on PC Engines’ board. I was normally not a big fan of them because they had some horrible limitations and caused us a lot of extra work. However, we sat down and decided that for many other reasons this is the platform we want to be based on, because we could not get some features in and keep a competitive price at the same time. There is only very limited choice for hardware that we need.
We modify it slightly, so you won’t get the same product from any other reseller and of course you get our lovely support team helping you out if something goes wrong. But we do not spend any time on disguising what this is based on.
The old IPFire Duo Box was based on an Intel Celeron at that time, but that was the most recent one that Intel released back then. Since the product has been on the market for years (and is discontinued now), this is now a dated design and the current IPFire Mini Appliance is better - overall speaking. The processor in the IPFire Duo Box however was very very fast per core. The IPFire Mini Appliance has more cores.
What comes on top of the IPFire Mini Appliance is that it is based on an AMD processor which is not vulnerable to many of the Spectre/Meltdown attacks and we patch the rest of course. So it is not slowed down much at all.
That RAM is replaceable/upgradable seems to be a dying thing on small devices. Obviously impossible on your iPhone, impossible on any modern and small laptop and embedded devices always have it soldered on. But 4GB of RAM is enough for IPFire for the foreseeable future. If you need more, you probably want some larger hardware anyways.
And regarding the Chinese resellers: The IPFire Mini Appliance has open firmware. I can give you the code of all the software running on it. From the BIOS through the boot loader to IPFire itself of course. You can audit it, you can modify it. You can do whatever you want with it and that is very important. We are doing security here and there is no point in trying to secure your firewall software when your hardware is backdoored.
Think a little bit outside of the box why the cheapest isn’t always the best.
And finally: If you buy a firewall appliance, it would last you for years. You won’t replace it the next year like your smartphone to be cool and trendy. It is worth investing a little bit more.
Could using VLANs not be an option, at least for blue+orange?
The Geode APU2 (412 as far as I can remember) and the small Celeron J are very much “energy saving” CPUs. But I wonder if there are any Athlon 200GE Mini ITX boards that could do the trick a bit better in small enclosures.
Yes, that is what those appliances are designed for. The suggested Athlon processor has a TDP of 35W which makes it impossible to cool in such a small box.
And yes, there are other processors out there, but performance is not the only objective here.
Michael @ms - can you post the Processor Vulnerability Mitigations for the IPFire Mini Appliance?
@dnl-ipfire - thank you for posting this! I was/am curious about the differences since I have a J1900 also.
FYI - I started this wiki page but did not finish it.
They are here, although the page is slightly broken from the wiki migration:
I am not sure if there is a point in building too many pages like this. Is it possible to buy exactly the same system again? Just a benchmark of the processor architecture does not help anyone at all.
The reason why the Lightning Wire Labs appliances and PC Engines pages are there is that many many people use that hardware and therefore it created a demand.
I just want to avoid that we have loads of abandoned pages that nobody can update or maintain any more.
The devices we are talking about are for small-scale networks. For example a small branch office, a small office or a home office. Such networks may only have a few pieces of network equipment, a router, a switch and some WiFi access points. It makes sense to use the router to route between networks given the (fairly) small volume of traffic between most networks and the (relatively) few users.
Despite such networks being small, I’m a big advocate of segregation. I use a wired network (GREEN) and the wireless network (BLUE) and would like a wireless guest network (currently I have this segregated in the wireless network equipment as guest devices don’t need to talk to other WiFi devices). I also have an IoT and/or printer network (I use ORANGE - but with very restricted internet access). Some people even go further and have a “black” network for the network equipment itself (the management interface for the switches and WiFi access points, which don’t need internet connectivity as they have alternate ways of installing updates).
In this design the IPFire box becomes a single point of failure, but so is the Network switch. I’m talking about small scale here, not a large business.
I should also add that I have colleagues who have avoided IPFire because of the limited number of networks. They have small test labs in their home and needed multiple networks for testing, not for security reasons.
I’m not sure why you think MiniPCs won’t also last for years.
While they seem to have infrequent firmware updates, I understand that the attack surface is small. Sensible people don’t run risky/untrusted code on their firewall PC and these devices do not have baseboard management systems (for example).
I think it would really help if you were upfront about what you (and some of the core developers?) do for a living. I understand that you do consulting work regarding IPFire and you sell these appliances. That’s great! People will understand and respect that. They may choose to support the project through using your business or buying your appliances.
You can always argue that regardless of the technical merits, the appliances you sell are likely to be easier for people to use, because they’re well tested by you and your team.
EDIT: Improved clarity