It sure does "Gemini Lake"
1 Like
Hmmmmmmm - - - - very interesting.
Some time ago - - - - coming up to 2 years ago I was asking a question re: gigabit and possibly faster connection(s).
Blockquote
1000Mbps is quite fast to do NAT, firewall, and potentially QoS of some kind. I recommend a good managed gigabit switch and some kind of dual or more NIC mini PC as router. With relatively modern CPU like Celeron 3000 or 4000 series 4 core processor you will be able to handle firewall, NAT, and cake SQM at full speed or near to it. you can also handle services like web proxy for access controls or caching things like Linux distro packages or other services.
Blockquote
That information suggests something quite different that what you are.
I have found out the hard way that claims in the computer hardware section are mostly to be deprecated. So I use equipment that has one more notch in the capacity area to minimize my long term headaches.
By separating the two functions I am making sure that each function has enough processor horsepower and TIME to do what I'm asking them to do. If I were looking toward an even 250 Mbit connection I would be doing things differently. Except - - - - I'm NOT looking at a 250 MBit connection.
Wow - - - - - I didn't think I was kicking in the anthill when I asked the original question - - - - got to be a right 'exciting' thread for a while - - - grin.
Thank you to all who pointed out that Intel's J4115 'does' have potential security problems.
That's too bad because otherwise that sbc would be quite a nice option. It has low power consumption, pretty good hardware (really like those 2 2.5 Gbit capable NICs) and a reasonable pricing structure. With some looking I can't find anything out there in the wild using the AMD equivalent especially at this level of pricing.
Dunno why the sbc designers feel they just 'have to' include graphics on the board. I've got plenty of projects where there is somewhere between 0 and non-existent re: the need for on-board graphics.
Pretty much all Intel CPUs are in the same boat.
Also any other modern CPU is at least partly vulnerable, You can check out articles about "side channel attacks" and Spectre vulnerability.
Consider that these vulnerabilities are mostly mitigated in software (by the OS) on Linux at least (so in OpenWrt), I don't know about pfsense/OpnSense as that's FreeBSD, but this means losing some performance, between 5% and 10% as a very rough estimate.
It's Realtek NICs so not everyone shares this sentiment. Especially under pfsense/OpnSense/FreeBSD.
Many are sticking to used 10gbit server cards with SFP+ slots for their "more than gigabit" needs.
The J4115 just like all Intel laptop "CPUs" is in fact a SoC where everything is integrated in a single chip (cpu/chipset/graphics/sata/usb/whatever), similar to Raspberry or most other SBCs where also the graphics is integrated in the same chip.
The most you can do is not run the lines and not solder the physical port, but that only saves you a few cents per board, so why bother.
Umm, no, not really. the "firewall" is still doing NAT on the same amount of traffic of the "router" in your setup, you are just doing it twice, once on the "router" and once on the "firewall".
Since as you said you are not planning on running much else on the "router" there isn't much load it's taking off the "firewall". I mean yeah, Wireguard I guess, but at this point you might as well turn the "router" into a "VPN server" so it does not have to NAT all the traffic that is also being NATed on the firewall.
Hmmmmmm - - - - this email makes things at least somewhat more confusing.
If ALL contemporary CPUs have the vulnerability - - - then why the very vehement responses decrying the Intel J4115. Something like all procs have and/or still have hardware flaws at least mostly mitigated
by using Linux OS versions might have been more appropriate.
Re: Realtek NICs there have been a few people in the OpenWRT dev group that have spent a lot of time and effort working on getting OpenWRT working as a managed switch. See : Support for RTL838x based managed switches (not quite the way that I'd want to format that but that's a direct copy of the header).
Just for clarity - - - - does your aversion to Realtek NICs extend to suggesting that one not purchase a SBC that uses such for use with OpenWRT?
Thank you for your point re: SoC design.
I understand what you're saying - - - yet - - - when I'm reading network design documents from, hopefully, only the last few years that almost every one that discusses network hardware suggests having two separate pieces of equipment at the level of a moderate sized office.
Please advise
If you are doing a deep packet inspection / intrusion detection type system then having that be on a separate device makes sense.
I suspect they say a different piece of hardware because they assume you will have a dedicated router from your ISP and they're just saying you should also have your own firewall. Basically that's ISP Router/Device -> OpenWrt -> Your LAN not then also another router+firewall before the LAN.
Yes it's correct but you are missing some context so you got into "cargo culting" (aka mimicking what pros do without fully understanding why, leading to strange situations).
The main reason all this circus exists is because it's good security practice to put stuff on separated subnets to keep it isolated. You could very well take a 10.x.x.x LAN addresses and leave the netmask WIDE OPEN 255.0.0.0 on everything so all the many millions of devices you can fit in such a LAN can all talk directly to each other, but that's very very bad for a bunch of reasons, not just security (a simple multicast can crash and burn your network for example).
So you need to segregate stuff.
For a relatively small network where you don't have a whole lot of internal subnets you can just get by with attaching more cables to the "firewall" appliance (or use VLANs and managed switches) and have it do router for everything. And that's fine, a lot of small and medium businnesses do that.
As the network grows, network then it becomes increasingly difficult or silly to do that.
For example you have a bunch of PCs in a department on their own subnet and the company's firewall is literally in another building. What are you gonna do, drag a cable over? Fine. What happens if you have dozens of departments all over the complex, you drag dedicated cables for everybody?
You eventually reach a point where it's just easier to add some high-bandwith lines to connect everybody (say fiber) and add routers between the subnet and this high-bandwith line.
Yes there are many other ways and multiple tiers of routers (and switches with VLANs) that can aggregate traffic from some subnets and move it around still segregated on the same wire, but this is what I'll use for the example to get the point across.
The router is a "dumber firewall with less rules" (as they do blur the lines to some extent) whose job is just to do the NAT for its own little (or not so little) subnet so you can design a network that isn't a massive spider web of insanity with a huge failure point in the middle, the single gateway/firewall.
This is still technically double (or more) NAT to go anywhere, yes, there is no escape from that.
But here is the part you missed: in most companies the traffic towards the external network is NOT the biggest component.
Most of the network traffic is internal so it will bounce from one department to the other, between servers and clients of whatever internal softrware they use to manage stuff, talking to internal databases and so on.
So in many instances most of this traffic will never reach the firewall/gateway, and you might very well need far more powerful routers than the firewall/gateway actually is.
This is how they "remove load" from the firewall/gateway. Because in a company network a lot of traffic does NOT need to go through the firewall anyway.
But in your proposed setup, you are just placing them in a daisy chain, with all traffic going through one and then through the other, do you see the difference?
For most realistic home networks.... the network traffic follows a different path. I mean sure you might have a NAS or a home server and you will need fast access to shared folders and stuff but you won't have multiple high end servers running at full load getting hammered constantly by company software operated by thousands of employees droning on their office PC.
So the need to have dedicated routers for internal network routing is much less.
Most home labs will get by perfectly with managed switches and VLANs so they can join traffic from multiple stuff (IoT unsafe crap, cameras and whatnot) on the same lines while still keeping it separate from the "trusted" device network and have their single firewall/router/gateway sort it all out.
I mean nobody stops you from doing like big boys do and get a bunch of embedded device routers (normal home routers you flash with OpenWrt for example) and do that instead, but don't expect it to matter that much for performance.
well, in the kind of network you're talking about it would be rare to NAT between subnets, it'd just be regular routing, NAT would only occur at the gateway between the enterprise and the internet. Other than that, yes to the rest.
1 Like
That's a full SoC with a (weak) CPU and an integrated managed switch controller (that is actually doing the heavy lifting). The managed switch controller is the component that is physically connected to most/all the ports, and runs its own firmware blob to do the job. The CPU running OpenWrt is mostly to provide a decent user interface for the switch controller and do some basic routing (if it's a so-called L3 switch) but it's not the star of the show.
A network switch device is NOT like a PC where you add many many network cards. The main CPU is not looking at packets, that's too slow for the switch job. Can be still fast enough for home use of course, that's a very different scale.
NICs are ethernet controllers, and it is a standalone device that is connected over PCIe (usually) or USB to something else, a PC or a SoC like the Odroid.
This is what you find on a network card for a PC.
As I said I have more experience with Realtek Gigabit ethernet controllers, and I've seen enough times they have bugs or quirks or drop connection when loaded too much and sometimes lock up and won't come back until reboot.
USB gigabit controllers from them are worse, in my experience.
They are common because they are cheaper than Intel or Broadcomm (or Aquantia for the 2.5 and 5.0 and 10 Gbit)
I can't talk about Realtek SoCs or switches as I don't have much experience with them (with Linux/OpenWrt anyway, I'm sure I used many devices that have them inside, pretty much all non-businness switches and low-end managed switches use Realtek chips).
Businness switches use Broadcomm, Intel, and other specialist brands.
So again, Realtek are the cheaper ones, and it's a fact, does not make them bad, but they had to cut costs.
Same story for PC audio, Realtek is the most common and the cheapest. Although it's been mostly OK in that.
I'm just going off generic brand distrust here, I don't have direct experience with these NICs specifically but I've been burned enough by the gigabit ones and I know Realtek's main market segment is "X but cheaper".
I would avoid them if possible, and if not possible I would do some searching to see if anybody has had issues with the specific chip used in the device I want to buy, ( not necessarily the same device.
As I said they use PCIe so they can be installed in a PC card or in a PC motherboard (and they are, afaik), the ones in the Odroid are not special or different, it's just all soldered to the same board.
Yeah I'm oversimplifying a bit. My post got too long already. 
@ajoeiam
Another option would be Rockpro64 and a dual port Intel NIC (pulled), that would be around 100 EUR excluding PSU and memory card/eMMC. I don't know about OpenWrt but at least FreeBSD runs great (with pf and friends) =)
Went looking to see what I could find for Intel NICs anyway and your 100 Euro figure is somewhat optimistic - - - seemed like most of the options were more like 150 to 250 (for a 2 port) NIC.
A bigger issue, I think, is that the boards expect a PCI-E 8 connection and I can't find one of the sbcs that has any more than a pci-e 4 port.
Any suggestions as to how to get over that hurdle?
It would seem the cost -- utility equation has bit again!
The m/c initially being looked at is definitely a much cheaper alternative than any of the other suggested options. A pity that cheap seems to be the prevailing modus. I for one would prefer value as a modus.
Dell 07MJH5 and 424RR from what I can tell (you need to verify it yourself though)
Fujitsu D3035-A11
HP 361T - https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c03352569
https://www.servershop24.de/dell-i350-t2-adapter/a-123127/
https://www.gekko-computer.de/sonstiges/Controller/Netzwerkadapter-intern/HP-Netzwerkadapter-361T-2-Port-1Gb-PCI-E-656241-001.html
I've only used D3035-A11 myself but they should all be the same from what I can tell.
Maybe he is not buying new (also "new" is usually a ffing lie, it's old server hardware, it's most likely used), maybe you are searching only with generic terms, to get the good deals you need to look for NIC name or card name.
Or maybe he is buying from china. I also buy used server cards from china, and yes you can get one for 85 euro like this https://www.ebay.it/itm/Intel-X540-T2-10-Gigabit-10GBe-10Gbit-Dual-Port-Converged-Server-Adapter-PCIe/142005082547
Customs don't usually block or make me pay anything for small packets like that, of course if it gets blocked by customs and you need to pay 20% VAT plus other customs fees it is less interesting.
Another point here is that if you buy old server hardware you need to look for what was most common and plentiful if you want the cheap stuff. Apparently, cards with 10Gbit SFP+ ports (a slot that can fit different modules, fiber, copper ethernet, and more) and optical fiber modules are what was most common in servers so they are stupid cheap now that every old hardware reseller has buckets of them everywhere.
For example you can get this puppy from France for 75 euro (shipping included) that is a dual Intel 10Gbit NIC with SFP+ slots, bundled with two fiber modules as well (that if they are also 10Gbit would cost around 15 euro apiece, you probably want to ask the seller for the model of the SFP modules before buying so you know if they are good or not) https://www.ebay.it/itm/Intel-82599ES-Dual-Port-X520-DA2-E10G42BTDA-2PC-Intel-SFP/402724633029
If you don't need a long-range connection (i.e. it is only coming and going from a switch, so only a couple meters), you don't even need fiber+fiber modules and you can get short SFP+ patch cables which cost less.
It's better if you stick with Intel or broadcomm NICs on these cards because the driver may or may not be packaged or even exist at all in OpenWrt.
For example this one https://www.ebay.it/itm/STANDARD-PROFILE-Brocade-1860-18602-Dual-Port-10-16-Gbps-SFP-PCIe-x8-2-0/113821327550 looks nice but is using a brocade NIC and the driver exists in Linux (called bna) but is not packaged in OpenWrt, I'll buy one now so I can add the package in a few months.
The PCIe ports are flexible by design, as long as the connector allows this physically (i.e. it is cut in the back like this https://www.evercase.co.uk/images/Accessories/FlexibleRiserCards/Opened%20PCI-E%20slot.jpg so you can fit a longer card or you use a riser with a similar arrangement, or you have a steady hand and you can cut the slot's back or even cut the card), then you can connect a x8 on a x4 and it will work fine but you will have only half the bandwith. Assuming a PCIe ver 2.0 (which is what the cards usually have), you have 500 MB/s up and 500 MB down per lane (at the same time).
It's MegaBytes, not MegaBits, so that translates into 4Gbit up and 4Gb down per lane. Since it's a x4 interface you have 4 lanes, so the PCIe can carry 16 Gbit up and 16 Gbit down. If you connect a card with two ports (as you should) you get that each port can go up to 8 Gbit (theoretical, in practice a bit less). Is it less than the rated 10Gbit of most used server cards? Yes. Is your internet bandwith anywhere near that? You wish, but probably not.
Consumer SBCs in general tend to be very conscious about prices so they commonly have to do compromises on the type and brand of the components.
The SBCs "without compromises" are the devboards or the industrial SOM (system on a module), and the prices are much higher.
I'm personally not a fan of SBCs in general, they make too much compromises and the device will always be a "jack-of-all-trades" where I end up using less than 50% of the features. I see them as toys or test systems, where it's useful to have all possibilities open, but for a dedicated system you are always paying for a ton of stuff you will never use.
In your situation I would have just bought a powerful router and flashed with OpenWrt, but if you REALLY need the 2.5Gbit ports you can't do that.
I would personally just use a mini itx motherboard with a 10 Gbit card, but I know that when just the card costs nearly as much as the whole SBC you are looking at around two or three times as much money. While the system you get is more powerful, more modular and overall better, you probably don't need all that bling, even the Odroid is most likely overpowered for what you want to do.
So no I'm not trying to sell you stuff, just pointing out other options.
As a point of reference, I have plenty of 10Gbit cards in my home network but this is my home router/firewall/wifihttps://www.pcengines.ch/alix2d3.htm (with a mini pci card with wifi n in the slot in the middle) look at them specs brother, not even gigabit ethernet lol, I wish I had to replace this but I doubt I will before 2030.
hmm, I thought you guys were talking about 10Gbit cards, since he mentioned 150-200 euro prices. Where does anyone even get a gigabit card for such insane prices? Ebay has truckloads similar gigabit cards for 20-30 euro and even quadport cards for not much more
Not if you want really old variants or chinese knockoffs? (Intel i350-T2 or newer)
Does a "really old" gigabit chipset make any difference for a (home) router? I'm only aware of virtualization features and whatnot that could be missing, and dumb things that do more harm than good like jumbo frame that may not be supported. I have been using quad cards with 82571GB intel chipset or BroadCom BCM95719 in firewall builds and I've not seen any problem even if both are like 5 years older than the i350 chipset you mention (which is from 2011).
Also note that stuff I linked is not a knockoff, it's all server pulls. There are also "knockoff" cards made with harvested chipsets but they are obvious, but they are not in the 10 Gbit range.
There are i350-T2 as well for more or less the same price as your links https://www.ebay.it/itm/DELL-INTEL-I350-T2-DUAL-PORT-PCI-EXPRESS-NETWORK-ETHERNET-CARD-0V5XVT/124629027689
Since it's probably the same seller or a competitor. The same UK, german and french companies that sell used server hardware have ebay listings as well.
But that's beside the point, if he just wanted a small device with a couple gigabit ports he would have much more choice than just Odroid H2+ and a mini-itx build is more expensive than that so you might as well spend 30 more euro than you would on a "modern" Gigabit card and go for a 10 Gbit card.
So I thought you were talking of 10Gbit cards.