Recommendation: cheap unit for a 74-year-old senior citizen :-)



  • G'day all  ;D

    My neighbor, one of the nicest and kindest men I have ever met, recently both suffered a stroke and had heart surgery. He needs to slow down now, and I am setting up equipment for him so he and his just as kind Mrs. can explore this 'new thing called the internet' ( ;D ;D ;D ).

    I bought him a Lenovo Thinkpad, ordered a Ubiquiti WAP for outside, bought him a nice 24" monitor, and now I need a pfSense appliance for him (I want it to be pfSense since I am to do 'maintenance', and I know pfSense so I want to stay here and not move to stuff like Tomato/DD-WRT).

    Of course, seniors are on small pensions so I am trying to keep it nice for him: both in the price of the appliance as well as in the power usage and the noise.

    I doubt I will be installing Snort on it, so it will basically be firewall/routing, and a VLAN for his wireless (using Radius enterprise). He might consider wanting to use a VPN-client to browse the internets via something like PrivateInternetAccess, as he too doesn't like the idea of everything being monitored by everybody.

    I did some enquiries elsewhere and was recommended an Alix D2 appliance. However:

    • These have Realtek NICs, not Intel
    • In this very board I've found some threads from members who can't seem to get it to work nicely with pfSense.

    To be honest, I was hoping to avoid setup problems this time, as in the past year I've had enough problems myself getting my pfSense boxes to work, so I'm getting a little bit like 'hmmmm' when it comes to the Alix units.

    Would anybody be willing to help me help this nicest old man?

    What would be suitable, reliable, equipment for this purpose? Ideally somewhere around 200 EUR (= 160 GBP = 270 USD). I am in Europe, so buying in the USA will be a no-no as we have now all discovered the latest scam is the 'shipment costs' by the big carriers  :-[

    Thank you in advance on behalf of my old neighbor, his wife and me  ;D

    Bye,



  • Are you sure you are not overengineering it a bit? VLANs and RADIUS servers sound to me to be a tad excessive.

    To help answer your question.
    In that price range I would look into the PC engines APU board http://www.pcengines.ch/apu.htm
    And yes, that also uses Realtek NICs, but I would nonetheless be surprised if it is not sufficient for this use case.



  • @RuneTM:

    Are you sure you are not overengineering it a bit? VLANs and RADIUS servers sound to me to be a tad excessive.

    To help answer your question.
    In that price range I would look into the PC engines APU board http://www.pcengines.ch/apu.htm
    And yes, that also uses Realtek NICs, but I would nonetheless be surprised if it is not sufficient for this use case.

    Thank you for your answer, Rune  ;D

    Well, if I am overengineering for my old neighbor, then I am overengineering for myself too, as I use the same setup. And I would feel a little bit silly if I were to tell my old neighbor 'for myself I have it set up professionally, but you don't need that'.

    The APU/Alix boards are what I wrote about; I've found some threads about them being problematic to set up. I will search for them and post them here.

    But aside from these threads: are these strong enough for the requirements?

    Thank you,

    EDIT:

    But aside from these threads: are these strong enough for the requirements?

    I found a thread, but I can not interpret this data  :-[

    https://forum.pfsense.org/index.php?topic=73885.0

    These performance numbers, in the very first post, would they appear sufficient?

    EDIT2:
    This is one of the threads that made me sweat about how easy the install will be for a noob like me:

    https://forum.pfsense.org/index.php?topic=59555.250


  • Netgate Administrator

    Hmm, my German isn't so good. However those figures are what is expected, better even. Many people were hoping for Gigabit throughput from the APU before it was released but I think that was unrealistic. ~450Mbps seems perfectly sufficient, no? Even if it's 250Mbps that would be OK.
    What sort of throughput are you aiming for?

    Just to clarify (I already did in a PM) the original Alix board uses VIA NICs, the APU uses Realtek.

    Steve



  • @stephenw10:

    Hmm, my German isn't so good.

    It is a miraculous language  ;D

    It closely resembles Dutch, not too strange since we are neighbors, and once you realize you need not go back too far in history to see that country borders were completely different you'll understand why these languages sound alike.

    However, I think the Germans have the world record for the longest word ( ;D ):

    Rindfleischetikettierungsüberwachungsaufgabenübertragungsgesetz
    

    However those figures are what is expected, better even. Many people were hoping for Gigabit throughput from the APU before it was released but I think that was unrealistic. ~450Mbps seems perfectly sufficient, no? Even if it's 250Mbps that would be OK.
    What sort of throughput are you aiming for?

    Just to clarify (I already did in a PM) the original Alix board uses VIA NICs, the APU uses Realtek.

    Steve

    My neighbor has, just like me, a 30/2 VDSL line. So if the 30 is the same kind of number as the 450, then that would not be a problem I guess. But what is confusing me in addition is the VPN client. I mean, suppose he goes via a VPN provider like PrivateInternetAccess, then because of VPN there is a lot of CPU needed, right? Won't this APU be slowing down internetting via VPN?

    And the 4GB of this:

    http://linitx.com/product/pc-engines-apu-1c-system-board-with-4gb-ram/14116

    Will probably be sufficient for Snort, as on my Snort on the Intel board (see sig) I have 20% RAM = 1,6GB running Snort, Radius, Vlan, Dual WAN.

    So basically, will the cpu be good enough for these requirements and the 30/2?

    Thank you again Sir Steve  ;D



  • I am using the APU with a 100/2,5 MBit connection. It really works great. I used the hints given in this thread https://forum.pfsense.org/index.php?topic=73885.0. As I am lazy, I also used the configuration with the 30GB mSATA SSD.

    Hardware is less than 250 EUR, Power consumption is around 10-13 Watt. Following the installation instructions in this thread the hardest part was to connect via USB-Serial adapter  :D

    Installation was done in around 30 minutes.

    Now I run DHCP, some firewall rules and Squid on it. I had outdated Astaro hardware before, but switched to the APU hardware. The Astaro hardware would have cost around 100 EUR/year more in power than the APU hardware and would have had roughly equal CPU power!
    The APU doesn't need a fan, so you can't hear anything (and it has no fan that could break down).



  • @Hollander:

    He might consider wanting to use a VPN-client to browse the internets via something like PrivateInternetAccess, as he too doesn't like the idea of everything being monitored by everybody.

    I wonder what makes him think that services like PrivateInternetAccess give any real privacy protection these days.



  • @Mitterwald:

    I am using the APU with a 100/2,5 MBit connection. It really works great. I used the hints given in this thread https://forum.pfsense.org/index.php?topic=73885.0. As I am lazy, I also used the configuration with the 30GB mSATA SSD.

    Hardware is less than 250 EUR, Power consumption is around 10-13 Watt. Following the installation instructions in this thread the hardest part was to connect via USB-Serial adapter  :D

    Installation was done in around 30 minutes.

    Now I run DHCP, some firewall rules and Squid on it. I had outdated Astaro hardware before, but switched to the APU hardware. The Astaro hardware would have cost around 100 EUR/year more in power than the APU hardware and would have had roughly equal CPU power!
    The APU doesn't need a fan, so you can't hear anything (and it has no fan that could break down).

    Thank you very much for your 'live'-info; appreciated  ;D

    I am almost ready to go the APU route for my neighbor, I just want to make sure that the CPU can handle a VPN client without choking.



  • @robi:

    @Hollander:

    He might consider wanting to use a VPN-client to browse the internets via something like PrivateInternetAccess, as he too doesn't like the idea of everything being monitored by everybody.

    I wonder what makes him think that services like PrivateInternetAccess give any real privacy protection these days.

    Which makes me assume you know it is not privacy at all  ;D

    In which case I would love for you to share what you know and he (and I) do not know.

    What was on my to-do list, and which I can post here as well, was this: I've read somewhere that BF-CBC is not secure, as this can be easily 'deep packet inspected', even by the ISP. Is this true?



  • I was always wondering, how can you trust any third party to forward all your traffic through? What's the guarantee that they are not doing exactly the opposite of what they say? I mean, capturing all the traffic and forwarding it to the NSA is the easiest way to do it like this. And they take your money also, making you believe that you are actually privacy-protected. From whom?


  • Netgate Administrator

    Yes, that's the problem with VPNs. You can be reasonably confident that the traffic between you and the VPN end point is secure (as long as you're not using an NSA sponsored encryption!) but that is all. After it is decrypted at the end point all your traffic is visible to anyone operating the end point or to any further hops before its final destination. Now that may not be an issue. If your goal is to hide your traffic from your ISP, for example, then you've done that.

    Do we have any figures for Snort or VPN on the APU? I'm sure there are some.
    Again in German:
    https://forum.pfsense.org/index.php?topic=73885.msg403913#msg403913
    Looks fairly capable.

    Steve



  • Yes indeed.

    To be honest, I trust my little ISP 100x more than any third party public/paid VPN endpoint, which actually does nothing else but aggregate traffic in order to be more easily captured…

    I see one reason to use VPNs like this though, for example to access geo-protected content from outside the allowed area. For example, to use BBC's iPlayer service from outside the UK. But that won't give me any privacy, at least looking from the UK...



  • @stephenw10:

    Do we have any figures for Snort or VPN on the APU? I'm sure there are some.
    Again in German:
    https://forum.pfsense.org/index.php?topic=73885.msg403913#msg403913
    Looks fairly capable.

    Steve

    Thank you Lord Steve  ;D

    I accidentally found this morning on page 6 of the thread you refer to this:

    @JAP:

    I use the unit as a VPN router with the CYBERGHOST service, OpenVPN encryption AES-256-CBC.
    Throughput on a 16 Mbit/s connection: a constant 13 Mbit/s download with OpenVPN.
    Fact is, 100% more throughput than with an off-the-shelf router like the Asus RT-AC66U, and there is room for more.
    Waiting eagerly regarding the LEDs and the push button.

    So he loses around 20% using the VPN, but that is with the AES-256-CBC. I use BF-CBC, and I have no clue if that will make a (dramatic) difference when I use the APU. I use it on the first box in my sig, suggested to me by an extremely knowledgeable and kind person on this board, so I take it my CPU and board are more powerful than the little APU.

    But perhaps BF-CBC is less a struggle for the CPU, so it might be less performance loss? Or the other way around of course.



  • @robi:

    I was always wondering, how can you trust any third party to forward all your traffic through? What's the guarantee that they are not doing exactly the opposite of what they say? I mean, capturing all the traffic and forwarding it to the NSA is the easiest way to do it like this. And they take your money also, making you believe that you are actually privacy-protected. From whom?

    @stephenw10:

    Yes, that's the problem with VPNs. You can be reasonably confident that the traffic between you and the VPN end point is secure (as long as you're not using an NSA sponsored encryption!) but that is all. After it is decrypted at the end point all your traffic is visible to anyone operating the end point or to any further hops before its final destination. Now that may not be an issue. If your goal is to hide your traffic from your ISP, for example, then you've done that.

    @robi:

    Yes indeed.

    To be honest, I trust my little ISP 100x more than any third party public/paid VPN endpoint, which actually does nothing else but aggregate traffic in order to be more easily captured…

    I see one reason to use VPNs like this though, for example to access geo-protected content from outside the allowed area. For example, to use BBC's iPlayer service from outside the UK. But that won't give me any privacy, at least looking from the UK…

    Could I ask what you mean by the part in bold? How is this easier?

    My reasoning for using a VPN is this: I actually don't trust my ISP enough, nor any other ISP in my country. Since the NSA stories it is clear that governments around the world all spy on their citizens massively. Only some days ago Vodafone declared that in the UK the government is automatically, without any warrants and judges, tapping all cell phones. So my reasoning is: what is easier for governments to do than to tell all national ISPs to not ask questions when the men in black arrive and install mysterious black boxes in their server rooms? So goes my reasoning: it is not that easy for any national government to install mysterious black boxes in server rooms of ISPs/VPN providers in other countries. So if my VPN exit point is not in The Netherlands but in Germany, at least my own government can not automatically see what I do. The German government of course can, but they will probably not be interested in me, as I am not living in their country. Of course, should I be a criminal whom the Dutch government is after, they might, and probably will, ask the German government to tap me via the VPN exit point in Germany. But knowing our neighbors, they will probably want some international warrant for that. So what I've effectively achieved (at least that is what I am assuming) is that I've turned automatic surveillance into manual surveillance.

    Now I am not doing anything illegal, but I still don't like this 'big data that will bite you in 20 years from now when the world without doubt has turned into a massively ugly place'. My assumption from automatic to manual should have taken care of that.

    Unless I am wrong, which is not to be ruled out as I am Dutch, and most of us are plain stupid  ;D

    Please correct me if my reasoning is wrong somewhere?


  • Netgate Administrator

    @Hollander:

    so I take it my CPU and board are more powerful than the little APU.

    Yes, significantly.

    @Hollander:

    But perhaps BF-CBC is less a struggle for the CPU, so it might be less performance loss?

    Yes, Blowfish appears to be faster than AES-256, especially if you have Blowfish set to it's default 128bits. See Seth's nice graph from an Atom D510:

    Steve

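The exchange above asks whether BF-CBC costs the APU's CPU less than AES-256-CBC. The script below is an added example, not code from this thread, from pfSense or from OpenVPN; it assumes the third-party Python `cryptography` package and measures raw CBC encryption throughput of both ciphers with OpenVPN's defaults of that era (AES-256 with a 16-byte block, Blowfish with a 128-bit key and 8-byte block). It measures the cipher alone, not OpenVPN's full per-packet cost (HMAC, tun/tap copies, context switches), so the numbers are an upper bound on what a VPN client on the same CPU could reach. Blowfish sits in the library's "decrepit" namespace in newer releases because of its 64-bit block, which is worth knowing when weighing it against AES regardless of speed.

```python
"""Measure raw CBC throughput of the two OpenVPN data-channel ciphers
discussed in the thread: AES-256-CBC and BF-CBC (Blowfish, 128-bit key).

Added example; it assumes the third-party `cryptography` package
(pip install cryptography). It times the cipher only, not OpenVPN's
full per-packet cost (HMAC, tun/tap copies, context switches).
"""
import os
import time

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

try:
    # Newer releases keep 64-bit-block ciphers such as Blowfish here
    from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish
except ImportError:
    # Older releases still export Blowfish alongside AES
    Blowfish = algorithms.Blowfish

# name -> (algorithm factory, key length in bytes, block/IV length in bytes)
# AES-256: 32-byte key, 16-byte block.  BF-CBC: OpenVPN's default 128-bit
# (16-byte) key, 8-byte block.
CIPHERS = {
    "AES-256-CBC": (lambda key: algorithms.AES(key), 32, 16),
    "BF-CBC": (lambda key: Blowfish(key), 16, 8),
}


def make_cipher(name, key, iv):
    """Build a CBC cipher object for one of the names in CIPHERS."""
    factory, _, _ = CIPHERS[name]
    return Cipher(factory(key), modes.CBC(iv))


def random_key_iv(name):
    """Fresh random key and IV of the right sizes for the named cipher."""
    _, key_len, iv_len = CIPHERS[name]
    return os.urandom(key_len), os.urandom(iv_len)


def roundtrip_ok(name, data):
    """Encrypt then decrypt `data` (length a multiple of 16) and compare."""
    key, iv = random_key_iv(name)
    enc = make_cipher(name, key, iv).encryptor()
    ciphertext = enc.update(data) + enc.finalize()
    dec = make_cipher(name, key, iv).decryptor()
    return dec.update(ciphertext) + dec.finalize() == data


def throughput_mbit(name, mebibytes=16):
    """Encrypt `mebibytes` MiB of zeros and return the rate in Mbit/s,
    comparable with the 13 Mbit/s VPN figure quoted in the thread."""
    data = b"\x00" * (mebibytes * 1024 * 1024)  # multiple of both block sizes
    key, iv = random_key_iv(name)
    enc = make_cipher(name, key, iv).encryptor()
    start = time.perf_counter()
    enc.update(data)
    enc.finalize()
    elapsed = time.perf_counter() - start
    return (len(data) * 8 / 1_000_000) / elapsed


def compare(mebibytes=16):
    """Return {cipher name: Mbit/s} for both ciphers on this CPU."""
    return {name: throughput_mbit(name, mebibytes) for name in CIPHERS}


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name:12s} {rate:10.0f} Mbit/s")
```

On the appliance itself the same comparison can be made without Python using `openssl speed -evp aes-256-cbc` and `openssl speed -evp bf-cbc`, which is what pfSense's own OpenSSL build would be running; whichever tool is used, a figure far above the 30 Mbit/s line means the cipher is not the bottleneck and the remaining loss comes from OpenVPN's per-packet overhead.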


  • @Hollander:

    My reasoning for using a VPN is this: I actually don't trust my ISP enough, nor any other ISP in my country. Since the NSA stories it is clear that governments around the world all spy on their citizens massively. Only some days ago Vodafone declared that in the UK the government is automatically, without any warrants and judges, tapping all cell phones. So my reasoning is: what is easier for governments to do than to tell all national ISPs to not ask questions when the men in black arrive and install mysterious black boxes in their server rooms? So goes my reasoning: it is not that easy for any national government to install mysterious black boxes in server rooms of ISPs/VPN providers in other countries. So if my VPN exit point is not in The Netherlands but in Germany, at least my own government can not automatically see what I do. The German government of course can, but they will probably not be interested in me, as I am not living in their country. Of course, should I be a criminal whom the Dutch government is after, they might, and probably will, ask the German government to tap me via the VPN exit point in Germany. But knowing our neighbors, they will probably want some international warrant for that. So what I've effectively achieved (at least that is what I am assuming) is that I've turned automatic surveillance into manual surveillance.

    Now I am not doing anything illegal, but I still don't like this 'big data that will bite you in 20 years from now when the world without doubt has turned into a massively ugly place'. My assumption from automatic to manual should have taken care of that.

    Unless I am wrong, which is not to be ruled out as I am Dutch, and most of us are plain stupid  ;D

    Please correct me if my reasoning is wrong somewhere?

    Are you serious? To my knowledge Denmark doesn't work together with the NSA. In Germany it is known that ALL citizens are spied on by the NSA and that Germany is one of the most "heavily spied" nations worldwide - like Afghanistan and Iraq.

    Our chancellor "Angela Merkel" didn't want to do anything against this; it is even KNOWN that the German "Geheimdienst" cooperates heavily with the NSA.
    Some folks have now started a complaint against the US nation and the NSA because of massive spying. The "Bundesstaatsanwaltschaft" (I would call it the most important lawyer in Germany) has REFUSED to start an investigation!

    If you are lucky your traffic is routed via the USA or Great Britain to Germany, which wouldn't help you at all.

    I started using pfsense at home for exactly the reason to protect my home as much as possible.

    Use encryption whenever possible, but don't trust any company or nation!


  • Netgate Administrator

    @Hollander:

    So if my VPN exit point is not in The Netherlands but in Germany, at least my own government can not automatically see what I do.

    Yes, that's true. However what they can see is that for some reason you are choosing to encrypt all your traffic and send it to another country. Like it or not that's probably going to cause someone to be suspicious. That's just the world we live in unfortunately. Just need to persuade many more people to start using 100% encrypted traffic for yours not to look unusual.  ::)

    Steve



  • German secret service is the LAST to trust, except for Five Eyes and the Swedes (deep in the rectum of the US…) and the Danish, doing the surveillance of the German mobile net for the US and the CSC story and and and...

    The aim is "master the internet", i.e. 100% coverage.

    I'm 100% sure my tunnels are decrypted ALL THE TIME I use them, from compromised encryption standards, etc. pp.

    Read about the people behind OpenSSL, not that funny.
    Cisco buying Snort, not funny AT ALL.

    Deal with it. The net is fu**ed up, totally, completely and for a very long time, if there will be any form of privacy at all in the future.



  • @Hollander:

    My reasoning for using a VPN is this: I actually don't trust my ISP enough, nor any other ISP in my country. Since the NSA stories it is clear that governments around the world all spy on their citizens massively.

    Long story short, I think you are walking straight into their trap by using a VPN like this. A VPN solution like this doesn't even need any black box to capture the unencrypted data. I'm 100% sure that these VPN companies are nothing more than one of the many tools the NSA and their brothers use to get the data. As stephenw10 said, by using it constantly you're doing nothing else than attracting attention to yourself.

    Actually, there's nothing to hide by using home internet decently. Torrents and stuff could cause an issue, but they could easily track you through the VPN if they wanted to (since you are in a contract with the VPN provider, you already gave all the data about yourself when you paid for the service - and that makes it even easier to track you down than researching through your own country's ISP databases or black boxes).

    A 74-year-old senior citizen has nothing to be afraid of concerning privacy IMHO… by the time anybody would want to use his data against him, he would most probably not be using the internet anymore...



  • I would like to thank you all very much for your input and help. I will go on and buy the APU for my neighbor.

    Your insights on the VPN are food for thought, and therefore much appreciated also  ;D



  • @chemlud:

    German secret service is the LAST to trust, except for Five Eyes and the Swedes (deep in the rectum of the US…) and the Danish, doing the surveillance of the German mobile net for the US and the CSC story and and and…

    Herr Mitterwald seems to think Denmark is still to be trusted, and I vaguely recall there is a VPN provider over there who salutes himself for that.

    @chemlud:

    Read about the people behind OpenSSL, not that funny.

    Deal with it. The net is fu**ed up, totally, completely and for a very long time, if there will be any form of privacy at all in the future.

    Could I ask which story of the people behind OpenSSL?

    And, if I may; how do you deal with it then? Nothing at all?



  • Hum, sorry, I forgot, one last question: do I need to put an SSD in there, or can I stick with an SDHC card or something like that? (I had trouble understanding the stuff about 'USB connectors' in the other thread. I know nothing except for connecting a HDD to a SATA connection, and a USB is a stick that sticks outside my computer  ;D )

    It is not easy for a stupid Dutch person btw to type on a German layout keyboard, as I am currently doing: each sentence takes about 10 minutes  ;D ;D ;D


  • Netgate Administrator

    It depends on what you end up running on it. Use an SD card if you aren't going to be using Snort or Squid.

    Steve



  • @stephenw10:

    It depends on what you end up running on it. Use an SD card if you aren't going to be using Snort or Squid.

    Steve

    Thank you Knight Steve  ;D

    I've changed my mind: I will not buy an APU.

    The reason is that the people who know, on this forum, are recommending switching from Snort to Suricata. I did this yesterday as a test. My RAM is now at 72% of 8 GB, so 5,6 GB. The APU has only 4 GB. And who knows what the future will bring for Suricata. I want to give the old senior citizen something he can use for the next 10 years.

    This box looks nice:

    http://www.mini-box.com/M350S-enclosure-with-picoPSU-80-and-60W-adapter

    (Via: https://forum.pfsense.org/index.php?topic=70936.0).

    Now of course the task is to find an appropriate motherboard and CPU - not too expensive for this old man. There once was a great great man on this very forum who helped me get my Intel board and Celeron CPU as a good match. You never know if he will pull something out of his magical hat again  ;D


  • Netgate Administrator

    I must have missed my name in the honours list.  ;)

    That is a surprisingly high memory usage even for Snort. I'm guessing you have a lot of rules and have the filtering algorithm set to something memory hungry.
    What seems like only a few years ago (more like 10 at least!) I used to run IPCop here at home. At the time I had an 8/0.5Mbps DSL connection and the hardware I was running was a Cyrix-333 with 196MB RAM. I ran Squid and Snort on that machine with no noticeable slow down. Here's a guy filing a bug report because Snort won't run in 96MB! It's hard for me to get my head around the current Snort requirements given that.  ;)

    There are many people using the M350 it seems to be well tested.
    I'm yet to find a board that seems as suitable for a moderately powerful firewall as the DQ77KB. Supermicro have some pretty nice options, for example: http://www.supermicro.com/products/motherboard/celeron/X10/X10SBA.cfm
    Don't know if anyone else has tried them yet and they're expensive. There are other manufacturers coming out with similar boards though. Celeron J1800/1900, dual Intel NICs, mini-ITX, DC power-able seems like a sweet spot for a home firewall.

    Steve



  • @stephenw10:

    I must have missed my name in the honours list.  ;)

    :o ??? :P

    (The man I was referencing knows who I mean - he keeps on refusing to let me buy him a coffee ;D )

    @stephenw10:

    That is a surprisingly high memory usage even for Snort. I'm guessing you have a lot of rules and have the filtering algorithm set to something memory hungry.
    What seems like only a few years ago (more like 10 at least!) I used to run IPCop here at home. At the time I had an 8/0.5Mbps DSL connection and the hardware I was running was a Cyrix-333 with 196MB RAM. I ran Squid and Snort on that machine with no noticeable slow down. Here's a guy filing a bug report because Snort won't run in 96MB! It's hard for me to get my head around the current Snort requirements given that.  ;)

    It apparently is a (rather serious) problem with Suricata. At the peak this morning it was running 94% ( :o ). That is almost 8 GB of RAM. Then I stopped it and went back to Snort.

    It was running on 4 interfaces, with Snort subscription 'security' and all ET rules except for two (I'm playing with it, I know it is overkill). On Suricata, like said, it ran between 70-95%, on Snort it is back to 32%.

    @stephenw10:

    There are many people using the M350 it seems to be well tested.
    I'm yet to find a board that seems as suitable for a moderately powerful firewall as the DQ77KB. Supermicro have some pretty nice options, for example: http://www.supermicro.com/products/motherboard/celeron/X10/X10SBA.cfm
    Don't know if anyone else has tried them yet and they're expensive. There are other manufacturers coming out with similar boards though. Celeron J1800/1900, dual Intel NICs, mini-ITX, DC power-able seems like a sweet spot for a home firewall.

    Steve

    Thanks for this suggestion, Steve  ;D It indeed is an expensive board, and given that socket (not 1155), it is probably not upgradeable(?)

    I was looking at the supermicro X10SLV: http://www.supermicro.com/products/motherboard/Core/H81/X10SLV.cfm

    That is upgradeable I think(?),

    Bye,


  • Netgate Administrator

    Indeed that is upgradable. Just as an example, ASRock make a number of boards for embedded integration, some of which are virtually identical to that Supermicro. For example:
    http://www.asrock.com/ipc/overview.asp?Model=IMB-180
    A different CPU socket but otherwise very similar. No idea where you could buy that though.  ::)

    Steve



  • The similar ASRock board is not Rangeley, but rather Avoton. No QuickAssist, only two Ethernet ports, and that ASRock board is tuned for storage.

    I have had an APU on a 1Gbps/1Gbps connection for a few days (yes, to my home); it tops out at just under 300Mbps. The same Mac gets over 900Mbps directly connected.

    I'll be replacing the APU shortly.


  • Netgate Administrator

    Not jealous of your home gigabit connection at all!  ::) is that Google fibre or have you got others offering 1Gbps in Austin now?
    I think there would be quite a few people interested in what hardware you choose to run for that connection Jim.

    Steve



  • This is Grande.  AT&T is also offering 1Gbps/1Gbps in ATX, but even though they have fiber on the side of my house, they don't want to offer me the service.

    When Google arrives, I'll be keeping both.

