
OpenBSD on PC Engines APU2 - walterbell
https://github.com/elad/openbsd-apu2
======
eladx
Author here... Surprised to see this made it to HN. :)

The reason I installed OpenBSD on this device rather than a ready-made
firewall solution is that I had some ideas for a router that would protect
networks with a lot of untrusted IoT devices. Some of them required changes to
the network stack, and OpenBSD's proved to be very elegant and clean for this
purpose. Not to mention the proactive security approach etc.

~~~
hollander
On the GitHub page you could mention that the APU is quite often used to
install pfSense on, which in turn runs on FreeBSD. A short explanation why
OpenBSD is better than FreeBSD can do no harm. Maybe the people who're going
to do this need no such explanation, but the occasional visitor may appreciate
a bit more story.

~~~
a012
Is there a comparison between FreeBSD vs. OpenBSD in packet filtering,
routing performance et al?

~~~
aomix
Well, to the best of my understanding, FreeBSD will generally have better
performance while OpenBSD has the latest pf syntax and features. This is a
source of animosity between the two projects that I don't fully understand.

FreeBSD has done a lot of work to enable SMP for their pf so that gives it the
edge on modern multicore systems. This work wasn't able to be used in OpenBSD
so that was unique to FreeBSD for a long time. Right now OpenBSD is in the
middle of doing the same for pf and their network stack. So the performance
difference shrinks on every release. The newer pf syntax and features make
writing rulesets easier, like replacing ALTQ with prio for traffic shaping.

------
zdw
APUs are amazingly good replacements for proprietary firewalls.

I have a few original APUs running OpenBSD and they've been rock solid, save
for one that got knackered hard enough to pop the mSATA SSD out of its
socket.

It'll be really nice when the BIOS bits to turn on the 4GB APU2's ECC RAM
support end up in coreboot.

~~~
jbronn
Other highlights:

* High quality Intel NICs (3x i210AT)

* AES-NI instructions

* SIM socket (for 3G cellular modem in PCIe slot)

------
Theizestooke
I thought this was about running OpenBSD on the PC Engine video games console
(Turbografx).

~~~
enqk
That would have been quite the challenge, with only 8kB of RAM!

------
justinclift
Out of curiosity, have you measured the power draw from the wall socket with
your configuration?

Kind of wondering what "real world" measurements indicate. :)

~~~
Tharkun
I'm a heavy APU2 user. They mostly sit around 7W. Which is a lot more than
most off the shelf wifi routers and the like.

~~~
dom0
The DTAG VDSL2+Vectoring standard modem ("Speedport W 724V", I and some other
people tend to call them shitport) pulls about this much in idle. The DrayTek
VDSL2+Vectoring modem also pulls about this much.

Both without WLAN (enabled).

------
chrissnell
So what's the realistic throughput for an APU2 in a firewall configuration?
(one port for LAN, one for WAN, forwarding traffic, no firewall rules)

~~~
keeperofdakeys
In my tests I was getting around 70MB/s routing with a few dozen firewall
rules. However I'm not sure if this was a limit of the APU2, or the devices I
was using to generate the traffic.

It also has accelerated crypto, so ipsec/openvpn shouldn't be much slower than
routing.

~~~
aomix
This summer I had a router running OpenBSD on the older apu1d and was seeing
nearly 700mbps on iperf with a basic rule set. But I don't know how iperf
relates to real world performance.

~~~
dom0
iperf has been, at least for me, a good benchmark for how fast file transfer
_might_ be, if everything goes well. Usually they are a bit [say, NFS] (or
much [say, NFS on Windows]) slower.

------
BuuQu9hu
Why do you need Linux to install OpenBSD?

~~~
technofiend
You don't, but you can only flash the BIOS from Linux.

~~~
foodstances
You can flash the BIOS on the APU from OpenBSD. Just `pkg_add flashrom`.

~~~
technofiend
Sweet! Hopefully the author sees this: his site mentions using Linux for
flashing.

------
hsnewman
Or just install pfSense!

~~~
eladx
See my other comment - I'm using it as a foundation for further development.

