Home Firewall: PC Engines APU2 E2 pfSense and OPNsense build, courtesy of LinITX
This got me thinking about implementing a decent home network firewall solution, above and beyond the default one you get when running your average broadband router.
Security aside, I’m also a big fan of stats and pretty graphs, and these are quite simply hard to come by with some of the basic consumer broadband router solutions.
While the Raspberry Pi, especially in its 4th incarnation, has a decent amount of power behind it, it’s not quite in the ballpark to be running pfSense. Mainly as it only has one Ethernet port out of the box, and while there are methods to extend this, I wanted a piece of hardware that had what I needed ‘out of the box’ but was still minimalistic in nature.
Enter the PC Engines APU boards. These are system boards designed for exactly this sort of thing, complete with multiple Ethernet ports, decent amounts of RAM (2 gig upwards) and AMD G-Series processors. They can boot from an SD card, a USB stick, or an added mSATA SSD.
Getting on board
Instead of putting all the bits together myself, I purchased a pre-built system from LinITX. The spec was as follows:
- APU2 E2 board (2 gig RAM, 3 Ethernet ports)
- 16 gig mSATA SSD
- Power supply (12V)
- pfSense pre-installed on the SSD.
My reasoning on going with this spec:
- 2 gig RAM is easily enough to run a consumer firewall for a typical home family network. (The system is running at around 430 MB in use most of the time.)
- SSD storage rather than SD card. This is for resilience. SD cards simply do not cope well with the constant write load of a running operating system (logging in particular). I had two die within a week, which left a bit of a sour taste in the mouth.
The kit arrived next day, which was wonderful service.
In terms of size, you are looking at something twice the width of a typical Raspberry Pi case. As the board pictures show, there are no cooling fans, so it is rigged for silent running.
One slight annoyance is that there is no power switch – as soon as the power cable is plugged in, the thing will start booting!
The system booted up into pfSense with no issues. The Dashboard showed that the APU board was running a very old coreboot (BIOS). In fact, 4.0.7 was so old it didn’t even appear as a Legacy version on the PC Engines coreboot web pages.
In general the rule is not to update your BIOS unless there is an actual reason to, due to the potential risk of bricking the device. For the APU boards, however, there were various fixes since 4.0.7 that seemed pretty relevant — especially if you wanted to perform a re-install of anything without messing around with kernel and boot parameters.
But how? I didn’t at this point have a null-modem cable to control things when booting from a USB stick to perform the flashing procedure.
I then realised that, duh, pfSense is running on FreeBSD, which is more than capable of running flashrom directly.
Which version? The latest coreboot release at the time of writing. Is it safe? Well, if in doubt, ask Twitter…
Yup! I'm running it on multiple devices. It's stable for me. :) — Shawn Webb (@lattera), May 7, 2020
I followed ‘Method 1’ as documented here. No scary messages appeared in the process, and I was met with:
Verifying flash... VERIFIED.
One reboot later, and pfSense remained happy, and reported the new version of the BIOS was there.
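For anyone repeating the flash from the pfSense shell, here is the procedure above wrapped in a script. This is an added example for this page, not code from the original post or from PC Engines: it reads the running coreboot version from SMBIOS, refuses to flash unless the downloaded ROM matches a publisher-supplied SHA256 digest, keeps a backup of whatever is currently on the chip, and then lets flashrom write and verify the new image. Assumptions not stated in the post: flashrom is installed (`pkg install flashrom`), you have the ROM file and its published checksum to hand, and the optional `FLASHROM_CHIP` override is only needed if flashrom complains about multiple matching chip definitions.

```shell
#!/bin/sh
# Added example (not from the original post or PC Engines): guarded wrapper
# around the flashrom steps described above, for the pfSense/FreeBSD shell.
# Assumes flashrom is installed and you have the ROM plus its published SHA256.
set -eu

# SHA256 hex digest of a file; works with BSD (sha256) and GNU (sha256sum) tools.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD / pfSense
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU userland
    fi
}

# Return 0 only if the file exists, is non-empty, and its digest matches the
# expected hex digest (case-insensitive). A corrupted or tampered ROM is at
# best a bricked board and at worst a persistent implant, so never skip this.
verify_rom_checksum() {
    rom="$1"; expected="$2"
    [ -s "$rom" ] || return 1
    actual=$(sha256_of "$rom")
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# coreboot version as exposed via SMBIOS; on FreeBSD kenv reads it without
# extra packages. Falls back to "unknown" where kenv is not available.
running_bios_version() {
    kenv smbios.bios.version 2>/dev/null || echo unknown
}

# flashrom programmer arguments, with an optional chip override
# (e.g. FLASHROM_CHIP="W25Q64.V") for the "multiple chip definitions" case.
flashrom_args() {
    if [ -n "${FLASHROM_CHIP:-}" ]; then
        echo "-p internal -c $FLASHROM_CHIP"
    else
        echo "-p internal"
    fi
}

# Back up the current firmware, then write and verify the new image.
flash_coreboot() {
    rom="$1"; expected_sha256="$2"
    echo "Running coreboot: $(running_bios_version)"
    verify_rom_checksum "$rom" "$expected_sha256" || {
        echo "Checksum mismatch for $rom; refusing to flash" >&2
        return 1
    }
    backup="coreboot-backup-$(date +%Y%m%d%H%M%S).rom"
    # shellcheck disable=SC2046   # word splitting of flashrom_args is intended
    flashrom $(flashrom_args) -r "$backup"   # keep what is on the chip now
    flashrom $(flashrom_args) -w "$rom"      # flashrom verifies after writing
    echo "Flashed $rom; backup saved as $backup. Reboot to load it."
}

# Only flash when explicitly asked, so sourcing this file does nothing destructive.
case "${1:-}" in
    flash) flash_coreboot "${2:?rom file}" "${3:?expected sha256 digest}" ;;
esac
```

Usage is `sh flash-apu.sh flash apu2_vX.Y.Z.rom <sha256-from-publisher>`; a successful run ends with flashrom's own `Verifying flash... VERIFIED.` line, and the `coreboot-backup-*.rom` file is what you would write back with `flashrom -p internal -w` if the new image misbehaved. Keep that backup somewhere other than the box you just flashed.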
Switching to OPNsense
pfSense was working well. PPPoE worked first time with my broadband setup (once I had an appropriate modem) along with all the other home networking bits that you would expect.
However, mainly for political reasons, I wanted to switch to OPNsense. Some of the actions taken by those involved with pfSense over the years had been, to be blunt, pretty unprofessional and the community element of OPNsense felt a lot better to me.
As mentioned earlier, I didn’t have a null modem cable, which is needed to access the APU boards over the serial console: there is no video output at all!
The drivers for the StarTech USB-to-serial adapter were provided on CD, but were thankfully also easily found on the StarTech web site. The cable worked first time, once hooked up to a laptop running Windows 10 and MobaXterm. The serial port settings (115200 baud, 8N1) are documented by PC Engines.
This allowed the quick installation of OPNsense. Configurations between the two products are not directly compatible, but re-creating my pretty simple setup really didn’t take very long. As with pfSense, the basics such as PPPoE worked straight out of the box.
I did a quick speed test via https://www.speedtest.net/ – this actually provided my fastest download speed yet! That’s not scientific at all as there are so many variables with these sorts of things, but at least it shows no reduction, right?
The box is running happily at about 22% RAM utilisation, so plenty left for additional bells and whistles.
The CPU is up and down, due to Netflow logs being enabled, but peaks at 25% when data analysis is going on.
This is one of those ‘does what it says on the tin’ products. LinITX provide a good package deal (even if the BIOS was very old, but easily rectified), and delivered very quickly too.
The hardware has proven rock solid so far: Despite flashing, re-installing etc, there have not been any surprises at any point.
Based on my limited use so far, both pfSense and OPNsense run well on the hardware. You would be happy no matter what your choice of flavour. Note that you can install other things too… here’s an Ubuntu example.
If you are looking to have a home firewall box, this is definitely a good way of doing it. I’d be interested to hear if you are doing it in any other way though!