OpenBSD on PC Engines APU2 (github.com)
86 points by walterbell on Nov 28, 2016 | hide | past | web | favorite | 34 comments

Author here... Surprised to see this made it to HN. :)

The reason I installed OpenBSD on this device rather than a ready-made firewall solution is that I had some ideas for a router that would protect networks with a lot of untrusted IoT devices. Some of them required changes to the network stack, and OpenBSD's proved to be very elegant and clean for this purpose. Not to mention the proactive-security approach etc.

On the Github page you could mention that the APU is quite often used to install pfsense on, which in turn runs on FreeBSD. A short explanation why OpenBSD is better than FreeBSD can do no harm. Maybe the people who're going to do this need no such explanation, but the occasional visitor may appreciate a bit more story.

Is there a comparison between FreeBSD vs. OpenBSD in packet filtering, routing performance et al?

Well, to the best of my understanding, FreeBSD will generally have better performance while OpenBSD has the latest pf syntax and features. This is a source of animosity between the two projects that I don't fully understand.

FreeBSD has done a lot of work to enable SMP for their pf so that gives it the edge on modern multicore systems. This work wasn't able to be used in OpenBSD so that was unique to FreeBSD for a long time. Right now OpenBSD is in the middle of doing the same for pf and their network stack. So the performance difference shrinks on every release. The newer pf syntax and features make writing rulesets easier, like replacing ALTQ with prio for traffic shaping.
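As an illustration of the newer OpenBSD pf syntax the comment above refers to (queue/prio rather than ALTQ), here is an added example of a small pf.conf for an APU2-style router with three NICs. It is not taken from the thread or from the linked GitHub guide; the interface names, subnets and bandwidth figures are assumptions chosen for the example.

```pf
# Added example pf.conf for an OpenBSD router on a three-NIC box.
# Interface names, networks and bandwidths below are assumptions.
wan = "em0"      # egress towards the ISP
lan = "em1"      # trusted LAN (assumed 192.168.1.0/24)
iot = "em2"      # untrusted IoT segment (assumed 192.168.2.0/24)

table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
set block-policy drop

# Traffic shaping without ALTQ: a root queue on the WAN interface with a
# small child queue for interactive traffic and a larger default queue.
queue rootq on $wan bandwidth 90M max 90M
queue std parent rootq bandwidth 80M default
queue ssh parent rootq bandwidth 10M

# Normalise incoming packets and NAT everything leaving the WAN interface.
match in all scrub (no-df random-id max-mss 1440)
match out on $wan inet from !($wan:network) to any nat-to ($wan)

# Default deny, logged so blocked traffic can be reviewed with tcpdump on pflog0.
block log all

# The router itself may talk out.
pass out quick on $wan

# Trusted LAN: full access. Outbound SSH gets its own queue and a high
# priority; everything else uses the default queue, with ACK/lowdelay
# packets bumped to priority 6.
pass in on $lan
pass out on $wan proto tcp to port ssh set queue ssh set prio 6
pass out on $wan set queue std set prio (3, 6)

# IoT segment: DHCP and DNS to the router only, then Internet egress.
# It must never reach the trusted LAN or any other private range.
pass in on $iot inet proto udp from any port bootpc to any port bootps
pass in on $iot proto { tcp udp } from ($iot:network) to ($iot) port domain
block in quick log on $iot from any to ($lan:network)
pass in on $iot from ($iot:network) to !<private>
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and `pfctl -s queue -v` shows the queues and their counters once the rules are active.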

Are there differences in firewall features, or is OS-level security posture the main difference?

One major drawback to OpenBSD's pf, at least from a research perspective, is its lack of extensibility. Both FreeBSD and Linux offer extensions that can come in very handy, for example a BPF matcher for packets as opposed to regular rules.

I also went with OpenBSD, first on Alix and then APU. Just now learned that APU2 existed due to your post.

But to me I think OpenBSD PF is just so simple to use that there is no need for pfsense. It's a simple firewall, has no services except opensmtpd relay and pf. All other services are inside the DMZ.

It's literally install and forget. But that's not to say you shouldn't have proper patch management.

Hi! I used this guide. It worked like a charm. I highly recommend this setup for people looking at openbsd routers. Thanks!

One bit of feedback: It is a bit unclear what combinations of storage devices are needed for installation. I ended up with an unused SD card, since I just bought the whole list. Not a big deal, but it was kinda wasteful.

APU's are amazingly good replacements for proprietary firewalls.

I have a few original APU's running OpenBSD and they've been rock solid, save for one that got knackered hard enough to pop the mSATA SSD out of its socket.

It'll be really nice when the BIOS bits to turn on the 4GB APU2's ECC RAM support end up in coreboot.

Other highlights:

* High quality Intel NICs (3x i210AT)

* AES-NI instructions

* SIM socket (for 3G cellular modem in PCIe slot)

I thought this was about running OpenBSD on the PC Engine video games console (Turbografx).

That would have been quite the challenge, with only 8kB of RAM!

Out of curiosity, have you measured the power draw from the wall socket with your configuration?

Kind of wondering what "real world" measurements indicate. :)

I'm a heavy APU2 user. They mostly sit around 7W. Which is a lot more than most off the shelf wifi routers and the like.

The DTAG VDSL2+Vectoring standard modem ("Speedport W 724V", I and some other people tend to call them shitport) pulls about this much in idle. The DrayTek VDSL2+Vectoring modem also pulls about this much.

Both without WLAN (enabled).

Awesome, thanks. It sounds fairly reasonable compared to a lot of other gear I'm running here. :)

I also don't have the equipment to make "real world" measurements.

But I'm running my personal website on it* 24/7 for 6 months and I can hardly notice the change on the electricity bill. It's awesome!

* exactly the same config

Sorry, no, I don't have the equipment to do that... yet!

No worries. :)

As a data point, bought one of these 6 months ago (£20.00) for doing power draw measurement from the wall socket:

http://www.p3international.com/products/p4400.html (US equivalent)

It's been extremely useful for finding out how much power various equipment draws. For example, several of the "powered off" systems here - not sleep mode, just shut down via OS - still draw 4.5W+ continuously. Now I turn things off via the switch at the back of the power supply too. ;)

Mentioning this as you don't need to fork out heaps of money for (say) a Fluke meter. It's possible to get a reasonably accurate consumer type.

(But, read the reviews first. There were probably 10+ other meters out there better priced... but most of them with reviews about their poor accuracy.)

So what's the realistic throughput for an APU2 in a firewall configuration? (one port for LAN, one for WAN, forwarding traffic, no firewall rules)

In my tests I was getting around 70MB/s routing with a few dozen firewall rules. However I'm not sure if this was a limit of the APU2, or the devices I was using to generate the traffic.

It also has accelerated crypto, so ipsec/openvpn shouldn't be much slower than routing.

This summer I had a router running OpenBSD on the older apu1d and was seeing nearly 700 Mbps on iperf with a basic rule set. But I don't know how iperf relates to real world performance.

iperf has been, at least for me, a good benchmark for how fast file transfer might be, if everything goes well. Usually they are a bit [say, NFS] (or much [say, NFS on Windows]) slower.

I was looking for something low power to run privoxy, probably on pfsense, and ended up doing the kickstarter for https://www.kickstarter.com/projects/874883570/marvell-espre... counting on ARM support for pfsense very soon.

Looks like that thing is actually using an AArch64 core, looks neat. Not sure how well pfSense would work on 64-bit ARM, but Netgate is releasing this thing with pfSense support soon as well, in case you haven't seen it: http://store.netgate.com/SG-1000.aspx

It's pricier, but it does support pfSense directly when you buy one, which I do think is nice.

That's a very interesting figure because with my APU(1) I also can only reach about 560-700Mbit/s (70+MB/s) on bandwidth tests. Even though I'm supposed to have 1Gb with my ISP.

I always thought my ISP had poor equipment but it could be the APU.

Edit: And this is with a few rules, for home use.

Edit2: eh, my comment was actually for the other poster that had measured 70MB/s. Sorry to confuse you.

Why do you need Linux to install OpenBSD?

You don't, but you can only flash the BIOS from Linux.

You can flash the BIOS on the APU from OpenBSD. Just `pkg_add flashrom`.

Sweet! Hopefully the author sees this: his site mentions using Linux for flashing.

Sometimes I've installed and run Windows to update a firmware or BIOS or unlock a phone just because it could be done from another OS, but it's too much hassle working out how to bother for a one-time task which is already documented. It looks like in this case there is a documented method using Linux, so.. that's simplest.

Or just install pfsense!

See my other comment - I'm using it as a foundation for further development.

pfsense is nice but it serves a completely different audience.
