Are there any good x86 routers?

This looks like a great motherboard. I'm hoping it will be affordable too.

What about the PCs that are being sold for pfSense? Are they compatible with LEDE?

Yes should boot if you start over USB just EHCI, XHCI, UHCI driver can boot 90% of all systems but many other driver a not included for full Mainboard support.
@RangerZ APU2 is to slow for full Gbit speed you get max ~600 with cake

Quad-Core x86 CPU is too slow for 1Gb/s ?

yes with cake APU2
Intel Pentium G4400 2x faster ~ and is just a 2 core cpu
Intel Pentium G4560 3.5x faster with HyperTherd Support
Intel® Celeron™ N3350 is slower than APU2 !!
Intel® Celeron™ J1900 is a little faster than APU2 i think you get 700 Mbit with cake

EDIT: I mean with faster Single Thread Performance

700 Mbit used to be max speed for APU1
https://pcengines.ch/apu1d4.htm

APU2 also has aes-ni allowing partial VPN acceleration.

@trimo: Did you make a speed test under latest APU2?
I have a few APU1 here, I can make a speedtest.

number of cores does not matter nearly as much as raw clockspeed (single-thread performance)

I know but when you see 4 real cores then you can expect a decent performance.

Well, the processor microarchitecture does matter more for a single-thread performance. Celeron Jxxx/Nxxx are based on low performance Atom microarchitecture. I personally use mini-PCs with Celeron 3205U/3215U/3755U/3765U - they are real Intel Core based processors.

No dint have it anymore can not confirm it again but the main problem cake not support threads if im not wrong without power full CPU is hard to get cake with 1Gbit.

I use Gigabyte C1037UN-EU Intel(R) Celeron(R) CPU 1037U @ 1.80GHz
is able to saturate a pppoe gigabit connection without problem , one core CPU is ~60%, but I don't use sqm, I'll try later with sqm

edit: cake CPU ~65%

First off, I concur with the Intel NIC recommendations for anything over a few hundred Mbps. The on-board Realtek NICs have all kinds of problems when you push them hard, even with a robust OS. Intel makes some dual-channel server boards that can be had for ~$30 in OEM pack. There are a couple of generations of PCIe ones, and I don't recall which is which any more. They are great on a miniATX or larger board. It can be a challenge, especially with the older series, to find a microITX board that supports them.

For raw CPU, I can't speak for OpenWRT/LEDE, but I've been running GigE full speed through FreeBSD with more sophisticated firewalling and flow shaping than LEDE/OpenWRT is capable of on hardware as slow as an Atom D330. Those eventually were retired, not because of speed, but because of RAM limitations with the advent of ZFS as my preferred file system. I've been running Celeron J1900 and 1037U for several years now with "full" bandwidth on multiple adapters and very low latency.

Which comes to the final point. Look, LEDE is great for embedded devices, but with 1 Gbps of bandwidth, you're a significant hacking target. OpenWRT sucked for even keeping up with kernel and security patches. You couldn't even get the source for years-outdated, security-related ports to compile your own in many cases. LEDE is marginally better, but I wouldn't trust either with network security, especially with such an attractive target. Busybox and all the works-alike software that you need for trying to run in a tiny memory footprint with limited disk space are nowhere near as robust as their regularly tested and updated originals. Not to mention a royal pain when it comes to sysadmin, when you find out that less is really less than you expected, or that you have to install diff to do something that should be simple.

With an x86-class system, do yourself a favor and run a regularly updated, secure operating system. Yes, I prefer FreeBSD from both a performance and security standpoint, but you can lock down Debian/Ubuntu/RedHat pretty well.

Edit: Regrettably, the moderately priced 1037U motherboards with a PCIe slots able to handle dual-port adapters don't seem to be available any more. I've been looking at the Gigabyte GA-H270N-WIFI as a possible alternative, but the cost goes up once you need to add something like an Intel G4600 and a cooler. At least it comes with dual Intel GbE. I have not tried this combo (yet).

Please explain why this user is more of a target than someone with a 50Mpbs service?

Depends on who they are getting their bandwidth from and what netblock. Much more interesting to scan moderate- or high- bandwidth netblocks for the telltale signs of weak security than it is a 56k modem pool.

I don't consider LEDE/OpenWRT to be secure or reliable enough to be the only firewall in place, at any speed. I have always run a more secure firewall behind the OpenWRT/LEDE devices on an OS that is better vetted for security and has patched software that is readily available in a timely manner.

On the other hand, OpenWRT/LEDE was adopted by a large number of ISPs and hundred of thousands of people are using it. Take the example of SFR box in France, it is running OpenWRT. So OpenWRT/LEDE is probably quite secure, otherwize all those routers would already be hacked.

I agree a problem comes when you install tons of software on the main firewalling router. Installing dozen of sofwares on a firewall is crazy. A firewall should always be minimal...

Jeff, I used to run a Debian box with minimal kernel compiled staticly. What is nice in Debian, is that when you are happy with a kernel compilation, you can recompile it staticly using two commands. It then becomes way more difficult to hack Don't you think?

On the converse, I don't like the idea that upon a zero-day hack, LEDE/OpenWRT is wide open and the hacker can install easily any package/kernel mod. Security agencies (I mean "foreign", not your own country) probably have ready-made toolkits for OpenWRT/LEDE. There should be a way to "lock-down" LEDE completely, like I used to do it with a Debian distro. We should be able to recompile the kernel staticly and replace current kernel, using one or two command lines, like in Debian.

Also, with LEDE, serial console is not protected, boot is not signed, etc ... It makes a lot of small glitches, but we can fix them in the future. What is important in a short future for security is: secure boot with/without console, static kernel on demand (by the way, it is always "leaner", etc ...

Dear Jeff. I did not find the right words. LEDE is a great advance compared to embedded devices with no to little upgrades. Think about my D-Link 1210-P, which was apparently compiled under Fedora Core 3 back in 2004. It is probably plenty of security holes. If all those hardware were running LEDE, the world would be more secure, because LEDE can be upgrade easily and maintained.

@ffries Yes, I agree, OpenWRT/LEDE is worlds better than the firmware installed by most manufacturers! At least when it's installed, it is reasonably current with updates. I agree also that there should be a way to lock it down even further. My own preferences would to have a filesystem that was effectively immutable without physical access to the device. I'm used to FreeBSD where the immutable and append-only flags can't even be written by root once the kern.securelevel is raised. But we're drifting off topic. Perhaps worth discussing on another part of the forum.

Back on topic, while not an x86 machine and not "turn-key" for LEDE, I've had initial good indications from an Odriod-XU4(Q). With a Plugable-branded ASIX AX88179 USB 3 dongle, I can get "1 Gbps" through both the adapters. It runs a Samsung Exynos5422 which should have plenty or processing power with four of the A15, 2.1 GHz cores (and then four of the "little" ones). Linux kernel 4.9 is available for it. Under $100 with the USB dongle, power supply, and case.

hello,
this kind of mini-pc is cheap and should be very good for LEDE:
https://www.aliexpress.com/item/4-Ethernet-Lan-Mini-PC-Idustrial-Routers-J1900-Quad-Core-Celeron-desktop-computer-2-0Ghz-windows10/32779903683.html

you should get more value out of a unit with i210 nic's for they are newer and have multiple hardware queues

The issue with the j1900 based product is there is no AES-NI so not the ideal choice for OpenVPN