Firewall on ESPRESSObin

So, I recently stumbled over the ESPRESSObin and was wondering if anyone here has any experiences running a firewall like pfSense, OPNsense or IPFire on it.
According to reddit pfSense runs on it, but there is still no downloadable image anywhere to be found.
Aside from that, I’m also wondering whether its CPU is strong enough to run a firewall with some kind of IDS on it.

Hence, if you have any experiences or ideas please let me know :wink:


One of the developers for pfSense got it running on the ESPRESSObin back in January with an aarch64 test image, and it was able to sustain a 1GB uplink.

As far as when it will be available, I do not know, but looking at the release notes pfSense 2.4.4 will officially be adding support for ARM64, so it might not be too long.


Yeah, they posted on reddit that they would be using the ESPRESSObin in an upcoming product themselves, and that full support was coming. But not just yet.


Performance is largely irrelevant for IDS: as long as you have enough performance to firewall the traffic at the speed you want, the IDS will not make it slower.


Thanks for the information, guys. So, I just have to be patient :slight_smile:

My experience is that IDSs do make things slower (regex matching at ~100MB/s takes some oomph).

I wouldn’t expect it to be much faster than Armada 385-based routers like the wrt1200/1900/3200/omnia … i.e. borderline ok to NAT/firewall a gigabit in kernel software without any tricks.

In comparison, Braswell/Apollo Lake/Gemini Lake-based Celeron systems are much more capable in a similar form factor; however, at the same price point (200-300 for the whole system) you can also consider B350 + Ryzen if physical dimensions and a couple of watts extra are not an issue for you.


SOHO/consumer-level embedded devices don’t have the processing power to NAT gigabit in software. Once you turn off hardware offloading by enabling QoS or IDS/IPS, your speed drops precipitously, typically to <300Mbps.

If you want to NAT gigabit and also packet shape, run an IDS, or terminate client VPNs, you have to either purchase enterprise hardware (very expensive) or roll your own using real desktop-class CPUs. Atom can’t do Suricata in software at gigabit speed either; you need a Core- or Ryzen-based CPU.


The problem is, I do mind the space and the extra power consumption. (I have a spare 2500k with a mainboard in my cellar, but I won’t be using it, firstly for space and secondly for power consumption reasons.)

I’d be fine with that, considering my Internet isn’t faster than 16Mbps…

I would like to have a client VPN running though. Considering the EspressoBin’s CPU does not natively support AES, I won’t be purchasing it after all…

However, a friend of mine has discovered the following board and we are thinking about picking it for our respective firewalls. (Well, I’m considering it; he will most definitely purchase one.)

https://www.solid-run.com/marvell-armada-family/clearfog/clearfog-specifications/

VPN at 16Mbps shouldn’t be a problem for most SOHO hardware. My old RT-AC68u router could handle ~20Mbps with OpenVPN and PPTP was much faster.

I have no experience with that board specifically, but a quick google says pfSense was developed against the Clearfog Pro, so that’s the clear choice between the two. Looking at price, though, they do seem rather expensive for embedded ARM hardware. Since space and power consumption are your primary concerns, that tradeoff may make sense for you.

But honestly, I would consider a Ubiquiti EdgeRouter Lite instead. It’s like a hundred bucks, can NAT 16Mbps in software no problem, does around 10MBps OpenVPN and >50 on IPsec, and has tons of features.


A friend of mine recommended this router a while ago and it surely has its merits. I’ll take a closer look again, but I think I’d still prefer a real firewall^^

It isn’t as feature-rich as pfSense, but it most certainly is a real firewall.


Ok, I think I wasn’t specific enough about what I meant by the term real :smile: I’d like to have some kind of IDS. Doesn’t matter if it’s Snort or Suricata, it just has to be some kind of IDS :wink:

Ahh, gotcha. Yeah, the ER line doesn’t support IDS yet.


Are you sure the ESPRESSObin doesn’t support AES in hardware? The Marvell Armada 385 (Linksys wrtXXXXac series routers), for example, has acceleration support checked into the mainline Linux kernel. … The CPU is also plenty fast to do a little AES in software (around 100-150Mbps is where it tops out in software; hardware tops out around 400Mbps with IPsec). I’d expect the ESPRESSObin CPU to be faster.

The spec sheet doesn’t mention AES anywhere:

The aforementioned friend currently uses an old notebook as pfSense with an old (non-AES) Intel CPU, and he experiences a slower network connection when tunneling than without, or when tunneling on the client. He assumes this issue is AES-related.

Slower, but how much slower? … Also, OpenVPN is somewhat of a dog even with crypto disabled.

Apparently it’s not a Marvell CESA in the 3720, it’s the EIP97 that MediaTek uses (e.g. the same as in the MikroTik hEX or the Ubiquiti EdgeRouter X).
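The two questions the last few posts circle around, whether the CPU itself has AES instructions and whether the kernel is actually using a hardware crypto driver rather than the generic software one, can both be answered from /proc on the running board. The script below is an added example and is not code from anyone in this thread; it embeds constructed /proc/cpuinfo and /proc/crypto excerpts so it runs anywhere, and the driver names and priorities in those excerpts (safexcel-cbc-aes at priority 300, cbc(aes-generic) at priority 100) are assumed values for illustration, not captured from an ESPRESSObin.

```shell
#!/bin/sh
# Added example: check (1) whether the CPU advertises AES instructions and
# (2) which cbc(aes) implementation the kernel ranks highest in /proc/crypto.
# The inputs below are constructed fragments, not output from real hardware.

# Constructed /proc/cpuinfo fragments. arm64 lists ARMv8 Crypto Extensions
# as the "aes" feature; x86 lists AES-NI as the "aes" flag.
CPUINFO_ARM64_WITH_AES='processor	: 0
BogoMIPS	: 25.00
Features	: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
CPU implementer	: 0x41
CPU part	: 0xd03'

CPUINFO_ARM64_NO_AES='processor	: 0
BogoMIPS	: 25.00
Features	: fp asimd evtstrm crc32 cpuid
CPU implementer	: 0x41
CPU part	: 0xd03'

CPUINFO_X86_WITH_AES='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae aes pclmulqdq avx'

# Constructed /proc/crypto excerpts: one where a hardware driver (assumed name
# safexcel-cbc-aes, assumed priority 300) outranks the generic software cipher,
# and one with only the generic cipher registered.
CRYPTO_WITH_HW='name         : cbc(aes)
driver       : safexcel-cbc-aes
module       : crypto_safexcel
priority     : 300
type         : skcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : skcipher'

CRYPTO_SW_ONLY='name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : skcipher'

# cpu_has_aes CPUINFO_TEXT -> exit 0 if a Features/flags line lists "aes"
# as a whole word, exit 1 otherwise. Fields are split on spaces/tabs so
# "aes" does not match inside other tokens.
cpu_has_aes() {
  printf '%s\n' "$1" | awk '
    /^(Features|flags)[ \t]*:/ {
      sub(/^[^:]*:[ \t]*/, "")
      n = split($0, f, /[ \t]+/)
      for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# best_aes_driver CRYPTO_TEXT ALGNAME -> prints the driver with the highest
# priority registered for ALGNAME (e.g. "cbc(aes)"); prints nothing if none.
# The kernel picks the highest-priority driver, so this is what it will use.
best_aes_driver() {
  printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN { RS = ""; FS = "\n"; best = -1 }
    {
      name = ""; driver = ""; prio = -1
      for (i = 1; i <= NF; i++) {
        split($i, kv, /[ \t]*:[ \t]*/)
        if (kv[1] == "name") name = kv[2]
        else if (kv[1] == "driver") driver = kv[2]
        else if (kv[1] == "priority") prio = kv[2] + 0
      }
      if (name == want && prio > best) { best = prio; out = driver }
    }
    END { if (best >= 0) print out }'
}

# report CPUINFO_TEXT CRYPTO_TEXT -> human-readable summary of both checks.
report() {
  if cpu_has_aes "$1"; then
    echo "cpu: AES instructions present"
  else
    echo "cpu: no AES instructions (software AES only)"
  fi
  drv=$(best_aes_driver "$2" "cbc(aes)")
  case "$drv" in
    "")        echo "kernel: no cbc(aes) implementation registered" ;;
    *generic*) echo "kernel: only generic software cbc(aes) ($drv)" ;;
    *)         echo "kernel: cbc(aes) served by $drv" ;;
  esac
}

echo "== constructed arm64 board, hardware crypto driver loaded =="
report "$CPUINFO_ARM64_NO_AES" "$CRYPTO_WITH_HW"
echo "== constructed x86 box, software crypto only =="
report "$CPUINFO_X86_WITH_AES" "$CRYPTO_SW_ONLY"

# On a real Linux box, run the same checks against the live files.
if [ -r /proc/cpuinfo ] && [ -r /proc/crypto ]; then
  echo "== this machine =="
  report "$(cat /proc/cpuinfo)" "$(cat /proc/crypto)"
fi
```

Note the two checks are independent: a Cortex-A53 without the Crypto Extensions still gets hardware AES if a SoC crypto block (CESA, EIP97 or similar) has a kernel driver registered at a higher priority than the generic cipher, and conversely a CPU with the "aes" flag only helps userland OpenVPN/OpenSSL, not in-kernel IPsec, unless the kernel's own aes-ce/aesni drivers are loaded. The throughput figures quoted in the thread are the thing to confirm with openssl speed -evp once the script says which path is in use.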