So, I recently stumbled over the ESPRESSObin and was wondering if anyone here has any experience running a firewall like pfSense, OPNsense or IPFire on it.
According to reddit pfSense runs on it, but there is still no downloadable image anywhere to be found.
Aside from that, I’m also wondering whether its CPU is strong enough to run a firewall with some kind of IDS on it.
Hence, if you have any experiences or ideas, please let me know.
My experience is that IDS do make things slower (regex matching at ~100MB/s takes some oomph).
I wouldn’t expect it to be much faster than Armada 385-based routers like the wrt1200/1900/3200/omnia … i.e. borderline OK to NAT/firewall a gigabit in kernel software without any tricks.
In comparison, Braswell/Apollo Lake/Gemini Lake-based Celeron systems are much more capable in a similar form factor; however, at the same price point (200-300 for the whole system) you can also consider B350 + Ryzen if physical dimensions and a couple of extra watts are not an issue for you.
SOHO/consumer-level embedded devices don’t have the processing power to NAT gigabit in software. Once you turn off hardware offloading by enabling QoS or IDS/IPS your speed drops precipitously, typically to <300Mbps.
If you want to NAT gigabit and also packet shape, IDS, or client VPN, you have to either purchase enterprise hardware (very expensive) or roll your own using real desktop-class CPUs. Atom can’t do Suricata in software at gigabit speed either, you need a core or Ryzen-based CPU.
The problem is, I do mind the space and the extra power consumption. (I have a spare 2500k with a mainboard in my cellar, but I won’t be using it, firstly for space and secondly for power consumption reasons.)
I’d be fine with that, considering my Internet isn’t faster than 16Mbps…
I would like to have a client VPN running though. Considering the EspressoBin’s CPU does not natively support AES, I won’t be purchasing it after all…
However, a friend of mine has discovered the following board and we are thinking about picking them for our respective firewalls. (Well, I’m considering it, he will most definitely purchase one).
VPN at 16Mbps shouldn’t be a problem for most SOHO hardware. My old RT-AC68u router could handle ~20Mbps with OpenVPN and PPTP was much faster.
I have no experience with that board specifically, but a quick Google says pfSense was developed against the Clearfog Pro, so that’s the clear choice between the two. Looking at price, though, they do seem rather expensive for embedded ARM hardware. Since space and power consumption are your primary concerns, that tradeoff may make sense for you.
But honestly I would consider a Ubiquiti Edgerouter Lite instead. It’s like a hundred bucks, can NAT 16Mbps in software no problem, around 10MBps OpenVPN and >50 on IPsec, and has tons of features.
Are you sure the ESPRESSObin doesn’t support AES in hardware? The Marvell Armada 385 (Linksys wrtXXXXac series routers), for example, has acceleration support checked into the mainline Linux kernel. … The CPU is also plenty fast to do a little AES in software (around 100-150Mbps is where it tops out in software; hardware tops out around 400Mbps with IPsec). I’d expect the ESPRESSObin CPU to be faster.
The aforementioned friend currently uses an old notebook as pfSense with an old (non-AES) Intel CPU, and he experiences a slower network connection when tunneling than without, or when tunneling on the client. He assumes this issue is AES-related.