Looking for a Router/Firewall

If you don’t want to mess around too much, get the Netgate. It’s not the best “bang for the buck” ratio, but it does work and will most likely do fine for your network. What you should be aware of when getting “old” hardware is known hardware vulnerabilities (there are a lot of them in later generations of x86), which you may or may not care about. If you can stand a bit of tinkering, the RockPro64 running FreeBSD and a dual-port Intel PCIe NIC can be a good tradeoff that doesn’t break the bank and a good exercise in general.

4 Likes

Are you talking about Intel ME stuff? Wouldn’t that only be an issue when using the built-in NIC?

1 Like

Transient execution CPU vulnerability - Wikipedia (this is not complete)

1 Like

getting “old” hardware is known hardware vulnerabilities (there’s a lot of later generations of x86)

Let’s drop the buggy x86 and all go to POWER9 hihi :slight_smile: :crazy_face:

2 Likes

Correct me if I am wrong, but isn’t that stuff exploited by having execution permission on the system? So routing packets should be safe in theory.

4 Likes

This is what I used for a while as a pfSense appliance until I went rackmount. Never had any problems with it, and it is cheap enough that if you want to eventually go 10Gb you aren’t going to feel like you wasted your money.

3 Likes

By design it isn’t, see 'CVS: cvs.openbsd.org: src' - MARC for example.

1 Like
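The exchange above is about whether a box that only forwards packets is exposed to transient-execution CPU bugs. A defender's practical step, independent of that debate, is to check which mitigations the running kernel reports. The script below is an added example, not code from any poster in this thread: on Linux the kernel exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/ (names such as meltdown, spectre_v2, mds), each containing "Not affected", "Mitigation: ..." or "Vulnerable...". The sample directory the script builds is constructed here so it runs on any machine; the live directory is read only if it exists.

```shell
#!/bin/sh
# Added example: summarise the kernel's transient-execution mitigation status.
# Real sysfs location on Linux; override with VULN_DIR=... for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name<TAB>status" for every regular file in the given directory.
report_mitigations() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries whose status starts with "Vulnerable" (the kernel's wording
# for "affected and no mitigation active").
count_vulnerable() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample directory so the script runs offline on any OS. The
# file names are real sysfs entry names; the contents are made up here to
# mimic the three kinds of status line the kernel produces.
SAMPLE_DIR="$(mktemp -d)"
printf 'Not affected\n' > "$SAMPLE_DIR/itlb_multihit"
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$SAMPLE_DIR/mds"
printf 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling\n' > "$SAMPLE_DIR/spectre_v2"
printf 'Vulnerable\n' > "$SAMPLE_DIR/srbds"

if [ -d "$VULN_DIR" ]; then
    echo "== live system ($VULN_DIR) =="
    report_mitigations "$VULN_DIR"
fi
echo "== constructed sample =="
report_mitigations "$SAMPLE_DIR"
echo "entries reported Vulnerable: $(count_vulnerable "$SAMPLE_DIR")"
```

A non-zero count on a firewall is a prompt to check whether the kernel needs a newer microcode package or a boot parameter enabling the mitigation, and, as the thread notes, to weigh that against whether untrusted code ever runs on the box.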

Alternatively to OPNsense or pfSense, you could also try Sophos Home. If nothing else, it is a different experience.
Hardware wise, maybe you can get a small industrial PC (like a Shuttle DS10U3).

1 Like

Yeah, that’s definitely something to keep looking for.

It was an interesting suggestion and I did not really know those NanoPis before.

To also answer your question, I currently have a 100MBit connection but I plan to upgrade to 300MBit later, so the router/firewall should be able to handle the throughput. However, everything internal will be connected to the switch and as a result no internal traffic should go over the router/firewall.

Also interesting, at first glance there is the issue with the single Ethernet port, but given I have a managed switch I could configure it accordingly. (Don’t know if I want to go this route though…)

Yeah, as I have said above it is an option, but not one I would like to take…

Which is very much appreciated, maybe I don’t need/want a NanoPi now, but I might remember them at an applicable time.

Spectre and Meltdown have been fun, haven’t they. Thanks for the suggestion, I will look into it.

This might be a tiny iota over the specified budget though…

What has also come to my attention are the following two Unifi solutions:

  • EdgeRouterX → this would be a very low cost solution, but it would not be a firewall
  • DreamRouter → This would have the benefit of everything being manageable with the Unifi Console, but pfSense is probably much more powerful

I have perused the blog linked by @TimHolus and stumbled over a cheap firewall review. I then went ahead and searched for PCs with the mentioned chip (J4125) and found something on eBay. Currently, this seems like the best bang for the buck option…

3 Likes

When you do inter-VLAN routing/firewall/IPS/etc., then you really want >1Gbit/s throughput.

That network segmentation (which any company bigger than a lemonade stand should be doing!) is the reason why even the smallest appliances can handle multiple Gigabit per second.
At home though, if you have 2 VLANs (your network + Guest Wifi), you already are in the top 10% I would say :wink:

2 Likes

These are “hen’s teeth” unless you’re willing to pay scalper pricing on eBay.
I would just go with the Netgate 1100. It’s powerful enough for your connection and would be rock solid.

1 Like

I’ve been using EdgeRouter X since 2016. It does have a sophisticated firewall when configured as an Internet gateway.

1 Like

Shouldn’t my switch basically handle inter-VLAN routing?

Currently, the J4125 looks very promising to be honest…

It’s also a more or less dead-end platform, being MT7621 (MIPS); not like their Octeon platforms are any better in that regard, but the EdgeRouter X is quite cheap at least…

2 Likes

Be aware that FriendlyElec hardware in general has quite poor support overall despite using popular SoCs etc.

2 Likes

Not only them, many SBCs have a similar situation, so I always advise choosing an SBC that has good support somewhere and by someone. From FriendlyElec I have a ZeroPi and Armbian supports it without any problem. For an SBC it’s a good idea to choose one that has Armbian or DietPi support… or very specific ones like IPFire. :wink:

1 Like

MT7621 inside ERX is still suitable for SOHO use. It manages my Internet connection starting from 100M to now 1000M. No problem.

I run 100+ firewall rules, one of them a blacklist of over 50k malicious IP addresses/networks. I run an SSH forwarded connection to the cloud across continents, peak speed ~50Mbps. I run an IKEv2 VPN for my smartphone when I’m out and about, peak speed ~150Mbps. I also run an HTTP load balancer for a couple of Internet servers behind the router. All these are in addition to the usual router tasks.

However, the EdgeMax line is long overdue for a refresh in both hardware and firmware. I won’t recommend people buy the ERX or other EdgeMax routers. In fact, I don’t recommend people buy any Ubiquiti products. They’ve had a big problem managing the company for the last five years or so.

Many EdgeMax corporate users have quit. My ERX is on its last legs. I’ve planned to move to VyOS on a tiny x86_64 PC. Since the ERX is still doing very well, I can’t find a reason to pull the trigger yet.

1 Like

You’re likely better off getting one that’s supported by mainline Linux and/or BSD distro(s), as Armbian seems to rarely upstream patches etc. Never looked into DietPi, but looking at their website it appears they’re mostly about packaging and not so much about platform development?

2 Likes

MIPS still works; however, “everyone” is moving away from it at this point. The MT7621 can service quite fast connections if you don’t task it with too much stuff, compared to, let’s say, Atheros MIPS SoCs, but it’s not something I would recommend buying “new” unless it’s dirt cheap.

1 Like

In that case, the number of SBCs will probably decrease even more? :wink:

2 Likes