Hardware for the future

Hi,

I'm looking for something like the APU-Board for LEDE.

Is the BPI-R2 recommended?
Are there any other recommendations and experience?

Thanks in advance!

Best regards

Why something like and not the apu board?

What features do you need?


While this is a wide-open question, the specifics around "like the APU" I'd agree with @juppin on. They're solid in their design and component selection, as well as thermal management and fabrication. It has a 4-core, 64-bit, x86 processor with AES-NI. It has 3 or 4 Intel NICs. It has real SATA, rather than relying on SD cards with their slow speed and limited lifespans. It's a quite capable board.

A built-in switch is a liability when you can't control its state on boot and, no matter how many sockets it has, is limited by the actual NICs attached to it, typically one or two, on-SoC.

An apu2c4 with an external, managed switch falls into the "something decent today" category for many people, myself included.

8< snip here >8

Your "future" may be different than others', but here's one guess at the next five years.

I wouldn't have guessed ten years ago that gigabit speeds would be common in the home. They're here now and speeds are likely to increase as the providers try to outdo each other. I don't expect that commodity-grade 10 G networking will be available in the next year or two, so that means at least two, independent NICs per high-bandwidth "port":

  • Upstream -- 2
  • Wired -- 2
  • Wireless -- 1
  • Management -- 1

That's a six-NIC (not just six-socket) device. No commodity-grade SoC is going to have the I/O bandwidth to handle that. Throw in fancy SQM and you're well past SoC-class devices and into CPUs. Throw in VPN at anywhere near gigabit rates and you're definitely past SoCs.

For "future proof" in a five-year window, I'd guess:

  • 4-core, 64-bit, x86 processor, 2 GHz or faster
  • 4 GB RAM
  • Redundant SSD drives, 16 GB each, 32 GB preferred
  • Six or more Intel NICs
  • OS for the above that can split the I/O load across multiple processors
  • External APs
  • External managed switch

Or just buy something decent today with the expectation that you'll get a few years out of it.

Jeff, I agree with you about the specs on the machine, but it's not cheap, to get AES-NI we're talking about $250 or $300 these days at the lowest end. If you want i3 or i5 you're talking $500 to $1000 depending on RAM and storage etc.

One way to help the budget would be to use the machine for more than pure routing. For example fileserver for media, remote backups for a VPS, a PBX, whatever.

In the context of trying to do that, and for security reasons, does it make sense to run routing in a virtual machine, or a systemd container or something? What do you think is the best way to accomplish resource sharing here?

My own thoughts, which I haven't tried out, would be to run a very stripped down Debian install, and then run routing in one systemd-nspawn container and fileserving etc. in a second systemd-nspawn container. Put the WAN and LAN NICs directly into the routing namespace, create a LAN bridge between the LAN NIC and a veth, and put the other end of the veth into the fileserver namespace... have NO NICs in the base namespace.

This seems to have lower overhead than KVM virtualization, and should provide better performance. The security should be better than running all the functions together in the same namespace... and the utilization of the resources should be better than just buying a multi hundred dollar device and using it for pure routing.

any thoughts?
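The container layout sketched in the post above, written out as an added example (not the poster's own configuration, which was never tried): two systemd-nspawn unit files, the veth pair that joins them, and a check that no interface is claimed by both containers. The names eth0 (WAN), eth1 (LAN), veth-rt/veth-fs and the machine names router/fileserver are assumptions, as is the PrivateUsers=pick hardening.

```shell
#!/bin/sh
# Added example of the nspawn split: router owns the NICs, fileserver only a veth.
# Assumed names: eth0 = WAN, eth1 = LAN, veth-rt/veth-fs = veth pair.
WAN=eth0; LAN=eth1; VETH_RT=veth-rt; VETH_FS=veth-fs

# Router container: both physical NICs plus its end of the veth are moved in.
# Inside it, br-lan bridges $LAN and $VETH_RT. PrivateUsers=pick maps container
# root to an unprivileged host UID range, so a compromised router process is
# not host root (assumed hardening; see systemd.nspawn(5) for ownership setup).
router_nspawn() {
    cat <<EOF
[Exec]
PrivateUsers=pick
[Network]
Interface=$WAN $LAN $VETH_RT
EOF
}

# File server container: reaches the LAN only through the veth, never a NIC.
fileserver_nspawn() {
    cat <<EOF
[Exec]
PrivateUsers=pick
[Network]
Interface=$VETH_FS
EOF
}

# Defender's check before starting anything: an interface can only be moved
# into one network namespace, so the two Interface= lists must be disjoint.
# Returns 0 when they are.
check_disjoint() {
    a=$(router_nspawn | sed -n 's/^Interface=//p' | tr ' ' '\n')
    b=$(fileserver_nspawn | sed -n 's/^Interface=//p' | tr ' ' '\n')
    dup=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -d)
    [ -z "$dup" ]
}

# Privileged steps, run by hand as root (not executed by this script): create
# the veth pair, install the unit files, start the machines. After both start,
# the host namespace is left with no NIC, as the post wants.
apply() {
    check_disjoint || return 1
    ip link add "$VETH_RT" type veth peer name "$VETH_FS"
    router_nspawn     > /etc/systemd/nspawn/router.nspawn
    fileserver_nspawn > /etc/systemd/nspawn/fileserver.nspawn
    machinectl start router && machinectl start fileserver
}
```

The bridge itself (br-lan over eth1 and veth-rt) is configured inside the router container by whatever network stack runs there, since the LAN NIC no longer exists on the host.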

I strongly disagree on this if you're talking about American $. It's way cheaper since AES-NI finally arrived on smaller CPUs. I'm talking about 100€ (or for you more like 150$) for an entire system with 2 NICs that is gigabit and VPN capable.

What OpenWrt really needs is better optimisation in matters of x86 usage. I see better results on more experimental machines running with Arch Linux.


Today?

I run an apu2c4 which has a 4-core, 1 GHz processor (with AES-NI), 4 GB RAM, and three Intel NICs at the border. All-up with a couple 16 GB SSDs, case, and wall wart it is under $200 and idles at well under 10 W of AC mains. I run another to handle my "inside" routing and VLAN isolation.

I run my services under FreeBSD in various jails on a single physical host (Celeron J1900), each with their own networking stack and firewalls. Critical services like DHCP, DNS, NTP, and Kerberos have alternates running on Raspberry Pi for power-consumption reasons (we need to run off UPS for extended periods).

Okay more like yesterday :grin:

Well, looking at the suggested specs it's not just AES-NI, but

  1. 4 core, 2 GHz or more
  2. 6 Intel NICs
  3. Redundant SSD Drives

for example.

https://www.amazon.com/Protectli-Firewall-Celeron-mSATA-FW6A-0-4-32/dp/B074MMX89X/ref=sr_1_1_sspa?ie=UTF8&qid=1527613644&sr=8-1-spons&keywords=protectli&psc=1

Doesn't quite meet those specs, as it's 1.8 GHz, but maybe close enough... It's $420.

If you wanted to go core i5 for example:

https://www.amazon.com/Cabinet-Firewall-Pfsense-Mikrotik-Security/dp/B078SP26LM/ref=sr_1_1?s=electronics&ie=UTF8&qid=1527613746&sr=1-1&keywords=core+i5+6+nic

So perhaps Jeff's specs are slightly above what he really thinks is necessary (but the whole idea is to get something like 5 years + out of it so that's appropriate).

So I still think today you're likely to spend $400+ for the actually spec'd out level of performance.

a LOT of the time, this device will sit there idle... so it seems appropriate to try to find ways to use it for multiple purposes, and then prioritize the routing function so that it's available when needed.

The bottom line is now that "home" connectivity speeds are greater than what some considered "enterprise" connectivity just a few years ago, any "future-proof" solution isn't a sub-$200 all-in-one router on the market today.

With future as the operative word, UP AI Edge has some interesting bits to stitch together, albeit a bit on the spendy side.

Today I think you can get away with just 2 NICs bonded into a managed switch, future proofness I think requires 4, but 6 is probably overkill but may not actually bump the cost that much.

In any case, future-proofing out 5+ years I think requires a decent gigabit managed switch. In the future you're going to have IPv6 with multiple subnets, run servers off your home LAN so you can access your files without special "cloud" services, and you'll have special guest networks and IoT networks to segment your network for security, and maybe a high priority VoIP VLAN network to let you take business calls as if you were at a corporate office, etc... Getting a managed switch gives you the ability to prioritize traffic on your LANs and bond links between different parts of your network (like say if you have a work-from-home office where several PCs are all hooked up and need speedy fileserver access).

I definitely agree with @jeff about home networks starting to need what used to be Enterprise grade equipment. Fortunately the expenses are dropping.

Build the thing yourself, get some parts second hand. I can get here a quadcore with nearly 2 GHz and AES-NI for ~70€. No need for that much RAM and SSD under OpenWrt. And just my 2 cents: Intel NICs are overrated under Linux.

Conceptually it would make sense to do the routing on the bare iron and to only move the server-like tasks into VMs. Security wise it's still something that would keep me worried, not so much for more externally facing services (e.g. webserver, PBX, etc.), but at the latest when it comes to internal services like file servers, backup targets, etc.

systemd containers are on the bare iron, there's no processor virtualization involved. They are however separate namespaces. I think you wouldn't want the router in the base namespace, where it could do things like spawn processes that would enter your other namespaces. If the router container is compromised you'd want it to at least be unable to easily further compromise your fileserver etc. That at least was the thinking behind my suggested design. I have yet to go there in practice.

I understand your reasoning, the problem just is that the router is the only one among your listed services that needs direct hardware access (at least on the interface level) - to all (or at least most) network cards. Sure, it is possible to pass these through, but it's overhead directly at the potential bottleneck.

I don't think there's any overhead involved, unlike with VMs, there is just 1 kernel running, the fact is just that only processes inside the given namespace will be able to access those NICs. It's more like a fancy chroot than anything else.

Well, if you're talking about a complete system with RAM and storage... for what amounts to $80, you have some amazing deals! Here, even if you build it yourself, a motherboard + i5 processor + RAM + SSD will actually cost you more in parts than those all-in-one devices I linked, even if you go Celeron you're still in the $200 or more range and it'd be rare to find more than 2 NICs on a build-it-yourself mobo, you can get some SuperMicro boards with 4 NICs that are very nice, but pricey.

I use an ASRock Rack J1900D2Y which is a capable board but a little older tech and no AES-NI... it's $165 without RAM and only has 2 NICs.

I personally think that Partaker 6 NIC device is pretty well priced and would definitely consider using that for a future proof device. But for that price I'd be looking to use it for more than just routing!

So, for me, the question of how to effectively use multiple functions on an x86 device securely is quite a good and related question to the original question of what makes for good future proof hardware.

More like 100€ and that involving mostly new parts. Well you have my apologies, those are some sad prices you have there that I wasn't aware of. For that money you can have here a server grade Intel SoC (Atom/Celeron based) mainboard with 8 cores and 20 W TDP and a bunch of other features like IPMI, double NICs and so on.

Thanks for all the replies!
I need something with 2-4 NICs. The routers outside (15-20 devices), installed with OpenWrt, should connect to the central over WireGuard or IPsec. The throughput should be 30-50 Mbit/s.

Thanks

With WireGuard you can pick nearly everything. Take a look over the Futro S550 (S2) and a cheap network card on eBay. Put a switch behind it (or simply a normal VLAN capable OpenWrt router in switch mode) and you're ready to go. Costs you like 40€. The Futro itself costs 15€ and is a great VPN offloader for that price range.
