Hardware specs on a J4115 machine

That would have been a good idea a long time ago, these days… not so much.

  • most web-resources and traffic are SSL encrypted, so a proxy won't do any proxying.
  • most interactive websites are highly dynamic, not even providing anything to proxy (even if they weren't transported encrypted)
  • WAN speeds have risen to a point where proxying at home isn't as necessary/useful as before.

--
Yes, intercepting proxies are possible - but, to be honest, do you really want to configure the proxy on all of your systems (including phones and IoT devices) and add your own man-in-the-middle CA as well...?!

2 Likes

Not to mention that MITM isn't ideal (if you want to catch pretty much "any" data, as the majority uses HTTPS these days). 🙂

@ajoeiam
Depending on how paranoid you are, be aware that the J4115 does have quite a few hardware vulnerabilities and that your mileage may vary using Realtek NICs. There is most likely no point at all in having two firewalls after each other (it will break port forwarding, UPnP etc.), just run OPNsense if that's what you prefer.

1 Like

Then what I said above does not change much (Wireguard is very light on resources), whatever RAM you can install is OK and whatever storage you install is OK.

Squid can be run on OpenWrt too (there is a package), but a caching proxy nowadays, where HTTPS is commonplace, requires breaking the point-to-point HTTPS encryption between the device and the server since the traffic has to pass through the proxy, and to do that you must add your own custom certificate to all clients so they can validate the traffic. This is a massive pain to do, especially on mobile and IoT devices, and you are doing a MITM on yourself: if someone compromises the firewall they can now inject all they want into your encrypted traffic and you have no way of telling.

Depending on why you wanted to run a proxy, there might be better ways to accomplish that like a VPN to your own cloud server, setting up a recursive DNS and/or encrypting DNS requests (which you should probably set up regardless).

It can also hamper them. Apart from the fact that you are duplicating both functions and not separating them, a daisy chain configuration will hamper the "firewall" in your proposed setup.
Since the firewall is seeing NATted traffic from the router it has no idea of what each client in your local network is actually doing, so you can only implement rules that apply to everything. No filters based on MAC, port forwarding for a specific client must be done twice (once on the "router"'s firewall and once on the "firewall"'s firewall) and so on.

Running two router/firewalls in daisy chain like that increases complexity, as I mentioned above, since you can't split router from firewall so you have all the issues of a double NAT setup. I suggest reconsidering.

I find it interesting that it would be considered "normal" to ask a hardware sizing question without telling the use case. Resource usage varies wildly depending on your home network size, your internet bandwidth and what services you install and run in OpenWrt.

1 Like

Something something Intel Management Engine something something

Although none of that is a major problem for a router/firewall as it's not running untrusted applications or VMs. Also afaik the IME cannot communicate over the network if the device is not using Intel NICs.

Squid is still usable for access control, at least until encrypted SNI becomes common. This use case is quite important for things like time-of-day access to websites or creating quotas for data usage, like for YouTube...

afaik you can do that also with time-based firewall rules https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls#time_restriction_of_internet_access and quota-based firewall rules (Set monthly quota)

so a proxy isn't your only option
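As an added illustration (not posted by anyone in this thread), here is what the time-restriction approach linked above looks like as firewall rules in /etc/config/firewall on OpenWrt (fw3/firewall4 UCI syntax). The client MAC address, rule names and hours are made-up placeholders; the rules block a single LAN client's Internet access on school nights.

```uci
# Added example, not from the thread. Blocks one LAN client (placeholder MAC)
# from reaching the WAN between 22:00 and 07:00 on school nights.
# The window is split at midnight so that each rule stays inside one calendar
# day and the 'weekdays' list is unambiguous about which day it refers to.
# Times are interpreted in the router's local time zone unless 'utc_time' is
# set, so make sure the system time zone and NTP are configured first.

config rule
	option name 'Kids PC: block Internet 22:00-23:59'
	option src 'lan'
	option dest 'wan'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option proto 'all'
	option start_time '22:00:00'
	option stop_time '23:59:59'
	option weekdays 'Sun Mon Tue Wed Thu'
	option target 'REJECT'

config rule
	option name 'Kids PC: block Internet 00:00-07:00'
	option src 'lan'
	option dest 'wan'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option proto 'all'
	option start_time '00:00:00'
	option stop_time '07:00:00'
	option weekdays 'Mon Tue Wed Thu Fri'
	option target 'REJECT'
```

Unlike the Squid approach, this works regardless of HTTPS or encrypted SNI because it never needs to look inside the traffic, but it is per device rather than per website.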

That's the least of your issues....

1 Like

I wasn't clear enough: with "none of that is a major problem for a router/firewall as it's not running untrusted applications or VMs" I was talking about both the IME and the Spectre/Meltdown and related vulnerabilities.

The list does not include the Intel J4115, so it is probably not affected by this vulnerability.

1 Like

Given that what causes these vulnerabilities is a deep architectural flaw, and also that processors 3 generations later, made years after it, are still vulnerable, that's a definite X doubt for that.

I don't think that table is an exhaustive list of all affected CPU models; if a family or gen is affected, all CPUs of that family/gen are affected.

It sure does "Gemini Lake"

1 Like

Hmmmmmmm - - - - very interesting.

Some time ago - - - - coming up to 2 years ago I was asking a question re: gigabit and possibly faster connection(s).


dlakelan

Aug '19

1000Mbps is quite fast to do NAT, firewall, and potentially QoS of some kind. I recommend a good managed gigabit switch and some kind of dual or more NIC mini PC as router. With a relatively modern CPU like a Celeron 3000 or 4000 series 4 core processor you will be able to handle firewall, NAT, and cake SQM at full speed or near to it. You can also handle services like web proxy for access controls or caching things like Linux distro packages or other services.


That information suggests something quite different than what you are.

I have found out the hard way that claims in the computer hardware section are mostly to be deprecated. So I use equipment that has one more notch in the capacity area to minimize my long term headaches.

By separating the two functions I am making sure that each function has enough processor horsepower and TIME to do what I'm asking them to do. If I were looking toward an even 250 Mbit connection I would be doing things differently. Except - - - - I'm NOT looking at a 250 Mbit connection.

Wow - - - - - I didn't think I was kicking in the anthill when I asked the original question - - - - got to be a right 'exciting' thread for a while - - - grin.

Thank you to all who pointed out that Intel's J4115 'does' have potential security problems.

That's too bad because otherwise that SBC would be quite a nice option. It has low power consumption, pretty good hardware (really like those two 2.5 Gbit capable NICs) and a reasonable pricing structure. With some looking I can't find anything out there in the wild using the AMD equivalent, especially at this level of pricing.

Dunno why the SBC designers feel they just 'have to' include graphics on the board. I've got plenty of projects where the need for on-board graphics is somewhere between 0 and non-existent.

Pretty much all Intel CPUs are in the same boat.
Also any other modern CPU is at least partly vulnerable. You can check out articles about "side channel attacks" and the Spectre vulnerability.

Consider that these vulnerabilities are mostly mitigated in software (by the OS), on Linux at least (so in OpenWrt); I don't know about pfSense/OPNsense as that's FreeBSD. But this means losing some performance, between 5% and 10% as a very rough estimate.

They're Realtek NICs, so not everyone shares this sentiment. Especially under pfSense/OPNsense/FreeBSD.
Many are sticking to used 10gbit server cards with SFP+ slots for their "more than gigabit" needs.

The J4115, just like all Intel laptop "CPUs", is in fact a SoC where everything is integrated in a single chip (CPU/chipset/graphics/SATA/USB/whatever), similar to Raspberry Pi or most other SBCs, where the graphics are also integrated in the same chip.

The most you can do is not run the lines and not solder the physical port, but that only saves you a few cents per board, so why bother.

Umm, no, not really. The "firewall" is still doing NAT on the same amount of traffic as the "router" in your setup, you are just doing it twice, once on the "router" and once on the "firewall".

Since, as you said, you are not planning on running much else on the "router", there isn't much load it's taking off the "firewall". I mean yeah, Wireguard I guess, but at this point you might as well turn the "router" into a "VPN server" so it does not have to NAT all the traffic that is also being NATted on the firewall.

Hmmmmmm - - - - this email makes things at least somewhat more confusing.
If ALL contemporary CPUs have the vulnerability - - - then why the very vehement responses decrying the Intel J4115? Something like "all procs have and/or still have hardware flaws, at least mostly mitigated by using Linux OS versions" might have been more appropriate.

Re: Realtek NICs, there have been a few people in the OpenWrt dev group that have spent a lot of time and effort working on getting OpenWrt working as a managed switch. See: Support for RTL838x based managed switches (not quite the way that I'd want to format that but that's a direct copy of the header).

Just for clarity - - - - does your aversion to Realtek NICs extend to suggesting that one not purchase an SBC that uses such for use with OpenWrt?

Thank you for your point re: SoC design.

I understand what you're saying - - - yet - - - when I'm reading network design documents from, hopefully, only the last few years, almost every one that discusses network hardware suggests having two separate pieces of equipment at the level of a moderate sized office.

Please advise

If you are doing a deep packet inspection / intrusion detection type system then having that be on a separate device makes sense.

I suspect they say a different piece of hardware because they assume you will have a dedicated router from your ISP and they're just saying you should also have your own firewall. Basically that's ISP Router/Device -> OpenWrt -> Your LAN, not then also another router+firewall before the LAN.

Yes it's correct but you are missing some context so you got into "cargo culting" (aka mimicking what pros do without fully understanding why, leading to strange situations).

The main reason all this circus exists is because it's good security practice to put stuff on separate subnets to keep it isolated. You could very well take 10.x.x.x LAN addresses and leave the netmask WIDE OPEN (255.0.0.0) on everything so all the many millions of devices you can fit in such a LAN can all talk directly to each other, but that's very very bad for a bunch of reasons, not just security (a simple multicast can crash and burn your network, for example).

So you need to segregate stuff.

For a relatively small network where you don't have a whole lot of internal subnets you can just get by with attaching more cables to the "firewall" appliance (or use VLANs and managed switches) and have it do the routing for everything. And that's fine, a lot of small and medium businesses do that.

As the network grows, it becomes increasingly difficult or silly to do that.

For example you have a bunch of PCs in a department on their own subnet and the company's firewall is literally in another building. What are you gonna do, drag a cable over? Fine. What happens if you have dozens of departments all over the complex, you drag dedicated cables for everybody?
You eventually reach a point where it's just easier to add some high-bandwidth lines to connect everybody (say fiber) and add routers between the subnet and this high-bandwidth line.

Yes there are many other ways and multiple tiers of routers (and switches with VLANs) that can aggregate traffic from some subnets and move it around still segregated on the same wire, but this is what I'll use for the example to get the point across.

The router is a "dumber firewall with less rules" (as they do blur the lines to some extent) whose job is just to do the NAT for its own little (or not so little) subnet so you can design a network that isn't a massive spider web of insanity with a huge failure point in the middle, the single gateway/firewall.

This is still technically double (or more) NAT to go anywhere, yes, there is no escape from that.
But here is the part you missed: in most companies the traffic towards the external network is NOT the biggest component.

Most of the network traffic is internal, so it will bounce from one department to the other, between servers and clients of whatever internal software they use to manage stuff, talking to internal databases and so on.

So in many instances most of this traffic will never reach the firewall/gateway, and you might very well need far more powerful routers than the firewall/gateway actually is.

This is how they "remove load" from the firewall/gateway. Because in a company network a lot of traffic does NOT need to go through the firewall anyway.

But in your proposed setup, you are just placing them in a daisy chain, with all traffic going through one and then through the other, do you see the difference?

For most realistic home networks.... the network traffic follows a different path. I mean sure you might have a NAS or a home server and you will need fast access to shared folders and stuff but you won't have multiple high end servers running at full load getting hammered constantly by company software operated by thousands of employees droning on their office PC.
So the need to have dedicated routers for internal network routing is much less.

Most home labs will get by perfectly with managed switches and VLANs so they can join traffic from multiple stuff (IoT unsafe crap, cameras and whatnot) on the same lines while still keeping it separate from the "trusted" device network and have their single firewall/router/gateway sort it all out.

I mean nobody stops you from doing it like the big boys do and getting a bunch of embedded device routers (normal home routers you flash with OpenWrt, for example) and doing that instead, but don't expect it to matter that much for performance.

Well, in the kind of network you're talking about it would be rare to NAT between subnets, it'd just be regular routing; NAT would only occur at the gateway between the enterprise and the internet. Other than that, yes to the rest.

1 Like