Mini PC Hardware

Thanks, but it is my understanding that IPFire uses VLANs to combine networks. In other words, it offers more networks than the IPFire PC has interfaces.
I have the opposite problem - I want more networks than IPFire supports because it has a built-in (rigid) limit of RED, GREEN, BLUE & ORANGE. Yes, I can configure extra interfaces in Linux, but then maintaining the firewall rules and various other options is all on me because the IPFire WUI won’t support it.
EDIT: I imagine I’d probably also face problems when doing updates. That’s not what I want, I always want to be running the latest (secure) version.

Edit: This post is off-topic from the original discussion about hardware. I mentioned the network limit as it was one reason I didn’t buy the previous Lightning Wire appliance. It’s great that they now offer one with 4 ports!
The topic of the limited number of networks came up a few times in the old forums.

Firewalls are basically always a SPOF. That is not great, but for almost every use the cost of full redundancy is too high. And if you only have one internet connection, there is little benefit in redundant firewalls, etc.

That is not what I wanted to say, although some people have said that here. I myself bought cheap when I was a student and the board just died after not even 2 years. It is especially annoying because I didn’t have a backup system (see SPOF above).

My point was that if you buy this, it needs to be suitable for many years. Firmware updates must be available for at least 5 years in my opinion and so on. It is just not likely that you will upgrade because your demand for performance is unlikely to increase that rapidly.

Nobody should be running any untrusted code on their firewalls. But you must have heard of a thing called the “Intel Management Engine” and some other fancy alternatives that are running on your hardware being full of vulnerabilities. Someone might be able to inject code. Having exploits that are harmless but can break out further on the system is indeed a big risk and should not be played down.

I thought that that is well known. It is in my profile even.

And yes, we sell those appliances, but that is not a main part of the business. That is rather to provide something that just works, and it does. But selling hardware is not a profitable business at all. So my point is rather that I would prefer everyone to buy good hardware (and there are others out there, but I am absolutely convinced that we have the best) instead of creating too much extra work for the developers to support buggy cheap stuff.


When I referred to “baseboard management system” I meant “Intelligent Platform Management Interface”. I should have said “out-of-band management system” as that’s a better generic term.

The solution you refer to is Intel’s “AMT”. It is typically only on higher-end CPUs with certain motherboards. I believe Celeron CPUs never have features like that.

This good article from Purism states “Intel AMT requires three parts to work. 1. an Intel CPU that supports the vPro feature set; …”, and the J1900 does not feature “vPro”.

Thank you, I must confess I’ve not seen your profile in this new platform.

I had the same problem lately. My 5 year old IPFire office router (a Jetway car PC) died without any warning.
So, what hardware to choose?

I need 2 or more fast NICs, AES-NI support and low power consumption while still having enough CPU power.
I took a look at several boards, NUCs and mini PCs.
The best I could find (and almost ordered) was the fitlet2, a nice piece of hardware.
Anyway, shipping and the needed extra cards made a total of 410 €, IMHO too expensive.

So, long story short, the best HW I could find (and ordered) was the apu4c4 board, together with a 128 GB mSATA drive. I really hope the Kingston SSD is reliable; the mSATA interface is rare these days.

I know, the mini IPFire appliance uses the same board, so why not order from LWL?
There is no price given and there is no online shop with fast VISA/PayPal checkout, in stock info etc.

So, please, @ms, set up an online store for these devices and next time I need one, I’ll order it there.

Yes, I am working on that 🙂 But we do accept credit card and can handle payment online. I just need an email and need to place orders by hand right now.

I reported on my recent purchase of a mini PC for IPFire here:

https://forum.ipfire.org/viewtopic.php?f=86&t=23022#p126256

The price has since come down to about USD 122 for the minimum working configuration. It has much the same spec APU as the Geode 412LX, plus AES. It appears to be less vulnerable than the Celeron J1900 that was mentioned earlier in this thread.

A downside is the single Ethernet port, although it can be purchased with a WiFi card to provide the Blue network. At the price, I can live with USB-Ethernet for the second Ethernet port. I don’t need the Orange network.

Mine is branded “vpopn”. The unit is sold under many brand names. Anyone purchasing one needs to take care to get the model having the A6-1450 APU. A variety of Celeron, i3, etc. are offered in the same case, but would have more vulnerabilities, even though some might have more Ethernet ports and even be less expensive.

Reliability does remain to be determined, but I’m using it for only a home network and always have a reserve IPFire box.

Rod

With all the nice and cheap Chinese MiniPCs, please keep in mind that you will never get BIOS/firmware updates.


Whilst that is generally true, I don’t see it as a significant risk. The three different brands of miniPC that I have purchased all came with mainstream AMI UEFI and are probably configured and tested to work reliably with Win 10.

Secondly, many entry-level devices, including brand names, whether miniPC, laptop or desktop have limited selectable options in the firmware anyway and updates might not resolve any issues that are peculiar to IPFire.

Thirdly, brand-name is not a guaranteed solution. I have long used an old ASUS laptop as an IPFire box, but can’t run IPFire from an internal HDD in it because the BIOS requires CHS partitioning that is incompatible with the way IPFire partitions. It runs reliably from the i586.img on USB drive and IO is not an issue for a basic IPFire configuration.

I can’t agree with that: especially because of the Intel CPU and IME vulnerabilities it is highly recommended to get EFI/firmware updates, and you won’t get them for cheap Chinese PCs even if the hardware works perfectly and is high quality. That’s why I came off these products. Some of my HP and Dell business products, for example, are older than 6 years and still get firmware updates.


It’s not clear to me that firmware updates provide much mitigation of CPU vulnerabilities. Those interested could check the firmware update history that most brand-name manufacturers provide for their products. The issues mostly addressed are compatibility with newer CPU models or bugs preventing sub-systems, such as network, from initiating.

Operating system updates do provide Intel CPU microcode patches that might be partly effective.

IME tends to be installed only on business class machines. Indeed, it is an option (that is not installed) on my 11 year old HP Core 2 Duo desktops. Hence it is unlikely to be an issue on an economy miniPC.

All of my miniPCs have been AMD A4, A6 or A8 APU. The A6 1 GHz that is running IPFire has 1% CPU utilisation for a home network. It should cope with any feasible home network and probably SOHO as well. Business users might well prefer a brand-name system and could get the same with an AMD CPU/APU.

The last Intel box that I purchased was a 2010 vintage netbook having an NM10 Atom. Ironically, it was reported as not affected by any of the vulnerabilities a few months ago and would be an adequate IPFire box for home use.

Sounds to me like you’re not up to date with hardware. AMD A-series are very slow, but good enough for private firewall hardware. I also use an AMD A4 5000 for private firewall hardware and it works fine for a 5-person household with IDS and URL filter + proxy + anti-virus + QoS active @ 120 MBit/s cable.

I’ll never use Intel Atom again. No PCIe lanes and it’s that slow it’s not funny anymore.

As always, it is horses for courses. My VDSL2 FTTN link is capable of only 30 Mb/s - but I pay for only 13. I use IDS & proxy but have no need of anti-virus, VPN or QoS. The VoIP phone comes directly off the modem/router.

You also have a larger household to cater for. Many of my associates need to cater for only 1 to 3 persons.

What is the CPU utilisation of your 1.5 GHz A4 5000 on IPFire duty? Faster AMD A-series are available, but power consumption would go up proportionately under heavy use.

Yesterday evening the line was hot with 3 users and approx. 14.7 MB/s == 117.6 MBit/s.
The CPU workload came up to 75%.

Just had a look: it’s an A4-5050 that is 5 years old now.

It does look like your firewall still has a little in reserve.

The A4-5050 is 1.55 GHz, locked. A comparison with my A6-1450, on cpu-world.com, indicates that your APU has slightly higher clock speed than my 1.4GHz turbo and faster RAM, but otherwise they are very similar.

Yeah, it’s faster but old and slow. I got mine >4 years ago and it was the only alternative to Intel Atom / Celeron Mini-ITX boards with at least PCIe x4 for my quad Intel Gigabit add-on card:

https://www.cpubenchmark.net/compare/AMD-A6-1450-APU-vs-AMD-A4-5050-APU/1908vs3009

@xperimental

Nice to read you again, Terry, and this time posting nearly the opposite of what I read last time. Far away from DDR4 and so…

What I’d like to give my 2 cents on here: of course, the first instance to do microcode updates is the BIOS. But it’s not the only instance. Every OS it starts is able to do further updates as well. And btw, not only Intel uses microcode, but AMD as well. Maybe the vulnerability is not as obvious, but it’s as basic. So I think no BIOS update will ever be quick enough to keep me safe. Only the OS I’m running can be.
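The point about the OS applying microcode independently of the BIOS can be checked on a running IPFire (or any Linux) box: the kernel exposes both the loaded microcode revision and its per-issue mitigation status. The following shell script is an added example, not code from this thread or from the IPFire project; it falls back to constructed sample data when /sys/devices/system/cpu/vulnerabilities is absent so it also runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire: summarise what the
# running Linux kernel reports about CPU speculative-execution mitigations and
# the microcode revision actually loaded. A microcode update applied by the OS
# at boot shows up here even when the BIOS was never updated.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status text>" -> ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        Vulnerable*)                     echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# microcode_rev "<contents of /proc/cpuinfo>" -> revision of the first CPU
microcode_rev() {
    printf '%s\n' "$1" | awk -F': ' '/^microcode/ { print $2; exit }'
}

# summarise_vulns <dir> -> one "name class status" line per entry in <dir>
summarise_vulns() {
    for f in "$1"/*; do
        status=$(cat "$f")
        printf '%s %s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# count_vulnerable <dir> -> number of entries the kernel still reports as Vulnerable
count_vulnerable() {
    summarise_vulns "$1" | awk '$2 == "vulnerable"' | wc -l | tr -d ' '
}

# make_sample_dir -> path of a constructed directory mimicking $VULN_DIR
# (sample data, not from any real machine), so the script also runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Not affected"                         > "$d/meltdown"
    echo "Mitigation: usercopy/swagps barriers" > "$d/spectre_v1"
    echo "Vulnerable"                           > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then dir=$VULN_DIR; else dir=$(make_sample_dir); fi
echo "microcode revision: $(microcode_rev "$(cat /proc/cpuinfo 2>/dev/null)")"
summarise_vulns "$dir"
echo "still vulnerable: $(count_vulnerable "$dir")"
```

Compare the printed microcode revision before and after an OS update (or against the value the BIOS alone provides) to see whether the OS-side update took effect.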

Even though the post is 3 months old, I can’t see any difference to my other posts. The system I was talking about was >4 years old and has been taken out of service because it was too slow for my upgraded 1 GBit/s internet connection. You try to compare totally different situations, especially considering the time line.

Well, I don’t think, that I try to compare totally different situations. You only quoted the intro of my reply to reply to…

The microcode vulnerability I was actually talking about was and still is an issue, regardless of the hardware platform, internet connection speed and time line. And even if AMD’s microcode may not be as attacked as Intel’s for now - attackers will go AMD sooner or later. Just like virus programmers went from Windows to other OSs, only that in the case of microcode there is no community to warn or to create and publish defending patches as quickly as for non-Windows OSs. And now I really compare: even if the company whose devices I use is the most attacked one (Intel), I’d not feel safe with the alternative, who stated about this some one and a half years ago: “We don’t believe that we are affected.” Maybe the original statement was a bit different, but it denied their own vulnerability just by a belief nevertheless.

@jopa
Your assumption that AMD devices will eventually be a target for all attacks is not supported by the group that first discovered these vulnerabilities. They concluded that each generation of AMD CPU, which represents only 2% of the CPU “fleet”, requires a somewhat different Spectre attack. They also concurred with AMD’s stance that their CPUs are not vulnerable to Meltdown. All of which makes AMD CPUs less profitable targets.

Ordered a couple of the HLY Mini PC Celeron J1900 4 port Gigabit Ethernet LAN:
https://www.aliexpress.com/item/4000002573982.html
Works great; ordering another and a spare board only.
4 GB memory and 16 GB mini SSD.
A few BIOS adjustments to force it to boot from USB flash, then nothing to it.
Only do not have the serial console working, but plan on doing that since I want to have serial, easier to use for me.
Running GeoBlocking, IPS, VPN tunnel and still hardly using much memory; much better on space, and hardly the heat and power of the older desktop PCs we were using. I am not using content filtering; if I get a chance, maybe I’ll test that and see how utilization is. I have all red, green, blue and orange interfaces in use, but a small number of devices with a lot of traffic from just a few. Although the Gigabit interfaces help LAN to LAN, I’m still under 100 Mb on the Internet, but all is working better than expected on this hardware. Could not beat the price; needed new, old stuff was failing and I had a limited budget and could not build anything for less.
