Hardware specs on a J4115 machine

That's the least of your issues....


I wasn't clear enough: with "none of that is a major problem for a router/firewall as it's not running untrusted applications or VMs" I was talking about both the IME and the Spectre/Meltdown and related vulnerabilities.

The list does not include the Intel J4115, so it's probably not affected by this vulnerability.


Given that what causes these vulnerabilities is a deep architectural flaw, and also that processors three generations later, made years after it, are still vulnerable, that's a definite X doubt for that.

I don't think that table is an exhaustive list of all affected CPU models; if a family or gen is affected, all CPUs of that family/gen are affected.

It sure does: "Gemini Lake".


Hmmmmmmm - - - - very interesting.

Some time ago - - - - coming up to 2 years ago I was asking a question re: gigabit and possibly faster connection(s).

dlakelan, Aug '19:

1000Mbps is quite fast to do NAT, firewall, and potentially QoS of some kind. I recommend a good managed gigabit switch and some kind of dual or more NIC mini PC as router. With a relatively modern CPU like a Celeron 3000 or 4000 series 4 core processor you will be able to handle firewall, NAT, and cake SQM at full speed or near to it. You can also handle services like a web proxy for access controls or caching things like Linux distro packages or other services.

That information suggests something quite different than what you are.

I have found out the hard way that claims in the computer hardware section are mostly to be deprecated. So I use equipment that has one more notch in the capacity area to minimize my long term headaches.

By separating the two functions I am making sure that each function has enough processor horsepower and TIME to do what I'm asking them to do. If I were looking toward an even 250 Mbit connection I would be doing things differently. Except - - - - I'm NOT looking at a 250 MBit connection.

Wow - - - - - I didn't think I was kicking in the anthill when I asked the original question - - - - got to be a right 'exciting' thread for a while - - - grin.

Thank you to all who pointed out that Intel's J4115 'does' have potential security problems.

That's too bad because otherwise that SBC would be quite a nice option. It has low power consumption, pretty good hardware (really like those two 2.5 Gbit-capable NICs) and a reasonable pricing structure. With some looking I can't find anything out there in the wild using the AMD equivalent, especially at this level of pricing.

Dunno why the SBC designers feel they just 'have to' include graphics on the board. I've got plenty of projects where there is somewhere between 0 and non-existent re: the need for on-board graphics.

Pretty much all Intel CPUs are in the same boat.
Also any other modern CPU is at least partly vulnerable. You can check out articles about "side channel attacks" and the Spectre vulnerability.

Consider that these vulnerabilities are mostly mitigated in software (by the OS), on Linux at least (so in OpenWrt); I don't know about pfSense/OPNsense as that's FreeBSD. But this means losing some performance, between 5% and 10% as a very rough estimate.

They're Realtek NICs, so not everyone shares this sentiment. Especially under pfSense/OPNsense/FreeBSD.
Many are sticking to used 10 Gbit server cards with SFP+ slots for their "more than gigabit" needs.

The J4115, just like all Intel laptop "CPUs", is in fact a SoC where everything is integrated in a single chip (CPU/chipset/graphics/SATA/USB/whatever), similar to the Raspberry Pi or most other SBCs where the graphics is also integrated in the same chip.

The most you can do is not run the lines and not solder the physical port, but that only saves you a few cents per board, so why bother.

Umm, no, not really. The "firewall" is still doing NAT on the same amount of traffic as the "router" in your setup; you are just doing it twice, once on the "router" and once on the "firewall".

Since as you said you are not planning on running much else on the "router" there isn't much load it's taking off the "firewall". I mean yeah, Wireguard I guess, but at this point you might as well turn the "router" into a "VPN server" so it does not have to NAT all the traffic that is also being NATed on the firewall.
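Since the posts above lean on the kernel doing the mitigating, here is an added example (not from the forum or from any poster) of the check a defender actually runs on a Linux box such as an OpenWrt router: the kernel publishes one file per known speculative-execution issue under /sys/devices/system/cpu/vulnerabilities, each reading "Not affected", "Vulnerable ..." or "Mitigation: ...". The script classifies those strings and summarises them; the classification buckets, the function names and the sample sysfs look-alike it builds for offline use are all constructed for this illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report of Spectre/Meltdown-class
# mitigations. Works with busybox sh (OpenWrt) as well as bash.
# The sample directory built by make_sample_dir is constructed data, not a
# capture from any real machine.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
# The kernel strings start with one of these three fixed prefixes.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one line per issue: "<issue> <class> <raw kernel text>"
report_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state="$(cat "$f")"
        printf '%-22s %-13s %s\n' "$(basename "$f")" "$(classify_status "$state")" "$state"
    done
}

# count_class DIR CLASS -> how many issues in DIR fall into CLASS
count_class() {
    report_dir "$1" | awk -v want="$2" '$2 == want { n++ } END { print n+0 }'
}

# make_sample_dir -> builds a constructed sysfs look-alike and prints its path,
# so the script can be exercised offline; the status strings mimic the
# kernel's format but are invented for this example.
make_sample_dir() {
    d="$(mktemp -d)"
    printf 'Mitigation: PTI\n'                       > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers\n'  > "$d/spectre_v1"
    printf 'Mitigation: Retpolines; IBPB: conditional\n' > "$d/spectre_v2"
    printf 'Vulnerable: No microcode\n'              > "$d/mds"
    printf 'Not affected\n'                          > "$d/l1tf"
    echo "$d"
}

# When run directly: report on the live system if the directory exists,
# otherwise on the constructed sample so the output format is visible.
if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR"
else
    sample="$(make_sample_dir)"
    report_dir "$sample"
    rm -rf "$sample"
fi
```

On a router, copy the script over and run `sh check-vulns.sh`; any line in the `vulnerable` bucket means the kernel has no mitigation active for that issue (typically missing microcode or a mitigation disabled via `mitigations=off` on the kernel command line), which is the concrete question behind the "is the J4115 a problem" debate. Pointing `VULN_DIR` at another path lets you run the same summary over a copied-out sysfs tree from a different box.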

Hmmmmmm - - - - this email makes things at least somewhat more confusing.
If ALL contemporary CPUs have the vulnerability - - - then why the very vehement responses decrying the Intel J4115? Something like "all procs have and/or still have hardware flaws, at least mostly mitigated by using Linux OS versions" might have been more appropriate.

Re: Realtek NICs, there have been a few people in the OpenWrt dev group that have spent a lot of time and effort working on getting OpenWrt working as a managed switch. See: Support for RTL838x based managed switches (not quite the way that I'd want to format that, but that's a direct copy of the header).

Just for clarity - - - - does your aversion to Realtek NICs extend to suggesting that one not purchase a SBC that uses such for use with OpenWRT?

Thank you for your point re: SoC design.

I understand what you're saying - - - yet - - - when I'm reading network design documents from, hopefully, only the last few years, almost every one that discusses network hardware suggests having two separate pieces of equipment at the level of a moderate sized office.

Please advise

If you are doing a deep packet inspection / intrusion detection type system then having that be on a separate device makes sense.

I suspect they say a different piece of hardware because they assume you will have a dedicated router from your ISP and they're just saying you should also have your own firewall. Basically that's ISP Router/Device -> OpenWrt -> Your LAN, not then also another router+firewall before the LAN.

Yes it's correct but you are missing some context so you got into "cargo culting" (aka mimicking what pros do without fully understanding why, leading to strange situations).

The main reason all this circus exists is because it's good security practice to put stuff on separated subnets to keep it isolated. You could very well take a 10.x.x.x LAN addresses and leave the netmask WIDE OPEN 255.0.0.0 on everything so all the many millions of devices you can fit in such a LAN can all talk directly to each other, but that's very very bad for a bunch of reasons, not just security (a simple multicast can crash and burn your network for example).

So you need to segregate stuff.

For a relatively small network where you don't have a whole lot of internal subnets you can just get by with attaching more cables to the "firewall" appliance (or use VLANs and managed switches) and have it do the routing for everything. And that's fine, a lot of small and medium businesses do that.

As the network grows, it becomes increasingly difficult or silly to do that.

For example you have a bunch of PCs in a department on their own subnet and the company's firewall is literally in another building. What are you gonna do, drag a cable over? Fine. What happens if you have dozens of departments all over the complex, you drag dedicated cables for everybody?
You eventually reach a point where it's just easier to add some high-bandwidth lines to connect everybody (say fiber) and add routers between the subnet and this high-bandwidth line.

Yes there are many other ways and multiple tiers of routers (and switches with VLANs) that can aggregate traffic from some subnets and move it around still segregated on the same wire, but this is what I'll use for the example to get the point across.

The router is a "dumber firewall with less rules" (as they do blur the lines to some extent) whose job is just to do the NAT for its own little (or not so little) subnet so you can design a network that isn't a massive spider web of insanity with a huge failure point in the middle, the single gateway/firewall.

This is still technically double (or more) NAT to go anywhere, yes, there is no escape from that.
But here is the part you missed: in most companies the traffic towards the external network is NOT the biggest component.

Most of the network traffic is internal, so it will bounce from one department to the other, between servers and clients of whatever internal software they use to manage stuff, talking to internal databases and so on.

So in many instances most of this traffic will never reach the firewall/gateway, and you might very well need far more powerful routers than the firewall/gateway actually is.

This is how they "remove load" from the firewall/gateway. Because in a company network a lot of traffic does NOT need to go through the firewall anyway.

But in your proposed setup, you are just placing them in a daisy chain, with all traffic going through one and then through the other, do you see the difference?

For most realistic home networks.... the network traffic follows a different path. I mean sure you might have a NAS or a home server and you will need fast access to shared folders and stuff but you won't have multiple high end servers running at full load getting hammered constantly by company software operated by thousands of employees droning on their office PC.
So the need to have dedicated routers for internal network routing is much less.

Most home labs will get by perfectly with managed switches and VLANs so they can join traffic from multiple stuff (IoT unsafe crap, cameras and whatnot) on the same lines while still keeping it separate from the "trusted" device network and have their single firewall/router/gateway sort it all out.

I mean nobody stops you from doing like big boys do and get a bunch of embedded device routers (normal home routers you flash with OpenWrt for example) and do that instead, but don't expect it to matter that much for performance.

Well, in the kind of network you're talking about it would be rare to NAT between subnets; it'd just be regular routing. NAT would only occur at the gateway between the enterprise and the internet. Other than that, yes to the rest.


That's a full SoC with a (weak) CPU and an integrated managed switch controller (that is actually doing the heavy lifting). The managed switch controller is the component that is physically connected to most/all the ports, and runs its own firmware blob to do the job. The CPU running OpenWrt is mostly there to provide a decent user interface for the switch controller and do some basic routing (if it's a so-called L3 switch), but it's not the star of the show.
A network switch device is NOT like a PC where you add many many network cards. The main CPU is not looking at packets; that's too slow for the switch job. It can still be fast enough for home use of course, that's a very different scale.

NICs are Ethernet controllers: a NIC is a standalone device that is connected over PCIe (usually) or USB to something else, a PC or a SoC like the Odroid.
This is what you find on a network card for a PC.

As I said I have more experience with Realtek Gigabit Ethernet controllers, and I've seen enough times that they have bugs or quirks, or drop the connection when loaded too much, and sometimes lock up and won't come back until reboot.
USB gigabit controllers from them are worse, in my experience.
They are common because they are cheaper than Intel or Broadcom (or Aquantia for the 2.5 and 5.0 and 10 Gbit).

I can't talk about Realtek SoCs or switches as I don't have much experience with them (with Linux/OpenWrt anyway; I'm sure I've used many devices that have them inside, pretty much all non-business switches and low-end managed switches use Realtek chips).
Business switches use Broadcom, Intel, and other specialist brands.
So again, Realtek are the cheaper ones, and it's a fact; it does not make them bad, but they had to cut costs.

Same story for PC audio, Realtek is the most common and the cheapest. Although it's been mostly OK in that.

I'm just going off generic brand distrust here, I don't have direct experience with these NICs specifically but I've been burned enough by the gigabit ones and I know Realtek's main market segment is "X but cheaper".
I would avoid them if possible, and if not possible I would do some searching to see if anybody has had issues with the specific chip used in the device I want to buy (not necessarily the same device).
As I said they use PCIe so they can be installed in a PC card or in a PC motherboard (and they are, afaik), the ones in the Odroid are not special or different, it's just all soldered to the same board.

Yeah I'm oversimplifying a bit. My post got too long already. :smiley:

@ajoeiam
Another option would be Rockpro64 and a dual port Intel NIC (pulled), that would be around 100 EUR excluding PSU and memory card/eMMC. I don't know about OpenWrt but at least FreeBSD runs great (with pf and friends) =)

Went looking to see what I could find for Intel NICs anyway and your 100 Euro figure is somewhat optimistic - - - seemed like most of the options were more like 150 to 250 (for a 2-port NIC).

A bigger issue, I think, is that the boards expect a PCIe x8 connection and I can't find one of the SBCs that has any more than a PCIe x4 port.

Any suggestions as to how to get over that hurdle?

It would seem the cost -- utility equation has bit again!

The m/c initially being looked at is definitely a much cheaper alternative than any of the other suggested options. A pity that cheap seems to be the prevailing modus. I for one would prefer value as a modus.

Dell 07MJH5 and 424RR from what I can tell (you need to verify it yourself though)
Fujitsu D3035-A11
HP 361T - https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c03352569
https://www.servershop24.de/dell-i350-t2-adapter/a-123127/
https://www.gekko-computer.de/sonstiges/Controller/Netzwerkadapter-intern/HP-Netzwerkadapter-361T-2-Port-1Gb-PCI-E-656241-001.html

I've only used D3035-A11 myself but they should all be the same from what I can tell.