TIP1: RPI4 + VLAN enable switch and you have a versatile router
TIP2: USB3 + GbE = decent NAS
I still don't see any real advantage above the underestimated Odroid C2, which happens to support eMMC as well.
Well, as a NAS, agreed. but for a router, if you actually calculate the total cost for a PI plus accessories plus proper switch, then you may just get a a router, especially that the RPI 4 is still BCM. Don't forget that if using it as a router you would be paying for things you don't need such as 4K display for example. The big advantage of course that it can be re-purposed with just changing the SD card, plus the multiple USB ports and the expandable storage.
A Raspberry Pi 4 probably has better crypto speed than most of the US$75-class all-on-one routers, making it interesting for VPN use.
I agree that the ODROID C2 is a great little unit, especially at its price point. For me, its two drawbacks are a non-standard header connector and that I have to build Debian myself for it (Ubuntu has gotten to "helpful" over the years for my tastes).
FYI DietPi is Debian based and available for a lot of SBC's, including the Odroid C2.
The main benefit is that the RPI4 has substantially more CPU power & RAM than 95% of routers.
Been using RPI4 ($35) with a TL-SG108E VLAN switch ($30) works a charm.
Port 8 -> Access Port Vlan 8 - WAN
Port 7 -> RPI4 trunk port with vlan tagging
Port 1-6 -> Access Ports Vlan 1 - Internal
Not using WiFi (yet)
Just to give my 2 cents, for my specific project, the RPi4 simply has the best price to performance that we've been able to find so far. For $35 it hits almost 500Mbit over the encrypted yggdrasil mesh networking protocol, meanwhile the espressobin for more money only does ~300. Combine that with the smaller form factor of the Pi, the availability of cases (espressobin has a pricey bundle with the case but otherwise needs to be independently sourced / 3d printed), and the ubiquitous nature of the Pi (can be picked up same day at microcenter) makes it a great sell for mesh networking projects where a single port is fine for some configurations (relay node when combined with radios that have an aux ethernet, non-exit node, plus the flexibility to expand later with a USB3 eth adapter). In addition, the built in AC wifi makes it useful in an AP configuration. We are waiting with bated breath for openwrt support so we can include it in our automatic builds instead of having manually configured raspbian-based prototypes that lack a lot of the openwrt features because we don't want to reinvent the wheel if openwrt support is coming soon.
OpenWrt does support Raspberry pi 4 b, I'm using it as a vpn client with average speeds of 80 mbps ,great speed for a $35 device.
OpenSSL speed benchmark on OpenWrt:
root@OpenWrt:~# ubus call system board
{
"kernel": "4.19.57",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 3 (v7l)",
"model": "Raspberry Pi 4 Model B Rev 1.1",
"board_name": "raspberrypi,4-model-b",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r10622-e09da0169a",
"target": "brcm2708/bcm2709",
"description": "OpenWrt SNAPSHOT r10622-e09da0169a"
}
}
root@OpenWrt:~# openssl speed
Doing md4 for 3s on 16 size blocks: 3121842 md4's in 2.99s
............
OpenSSL 1.1.1c 28 May 2019
built on: Mon Jul 29 08:13:45 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr)
compiler: arm-openwrt-linux-muslgnueabi-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
md2 0.00 0.00 0.00 0.00 0.00 0.00
mdc2 0.00 0.00 0.00 0.00 0.00 0.00
md4 16705.51k 60229.65k 174903.81k 344357.21k 472470.87k 484418.44k
md5 39781.38k 103644.10k 201775.96k 264625.15k 290736.81k 291897.34k
hmac(md5) 14862.84k 53759.72k 138745.94k 226699.17k 283596.12k 287555.58k
sha1 39244.18k 101676.69k 197682.00k 258336.77k 283257.51k 284813.99k
rmd160 12648.92k 38548.47k 87865.86k 130038.10k 150765.57k 152464.04k
rc4 146242.21k 161480.84k 164204.03k 165571.55k 166436.86k 166242.99k
des cbc 30569.85k 31565.63k 31813.69k 31910.91k 31959.76k 31905.11k
des ede3 11472.44k 11647.45k 11692.71k 11698.18k 11709.90k 11703.64k
idea cbc 0.00 0.00 0.00 0.00 0.00 0.00
seed cbc 0.00 0.00 0.00 0.00 0.00 0.00
rc2 cbc 21013.84k 21486.63k 21687.55k 21717.67k 21749.76k 21747.03k
rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00 0.00
blowfish cbc 52266.09k 56036.20k 56841.73k 57342.97k 57319.42k 57218.39k
cast cbc 50242.81k 53528.00k 54395.38k 54388.44k 54834.34k 54379.54k
aes-128 cbc 81303.91k 91043.99k 93121.84k 94192.64k 94639.45k 94333.61k
aes-192 cbc 70867.96k 76297.08k 79553.19k 80441.34k 80519.17k 80434.52k
aes-256 cbc 62744.51k 66822.42k 69417.81k 70040.23k 70246.40k 70107.14k
camellia-128 cbc 0.00 0.00 0.00 0.00 0.00 0.00
camellia-192 cbc 0.00 0.00 0.00 0.00 0.00 0.00
camellia-256 cbc 0.00 0.00 0.00 0.00 0.00 0.00
sha256 27665.74k 66055.36k 121110.69k 151879.75k 164083.03k 165167.10k
sha512 10105.03k 40514.22k 60127.12k 82336.09k 93487.10k 94851.26k
whirlpool 0.00 0.00 0.00 0.00 0.00 0.00
aes-128 ige 75997.69k 86769.28k 89634.47k 91054.83k 90819.24k 90204.84k
aes-192 ige 66765.34k 73794.92k 76878.42k 77629.44k 77824.00k 77425.32k
aes-256 ige 59403.92k 65007.51k 67467.35k 68065.62k 68141.06k 67753.30k
ghash 170551.80k 188023.85k 191572.48k 191956.31k 192525.65k 192708.61k
rand 1894.51k 6997.84k 21122.56k 41174.83k 57059.90k 59031.72k
sign verify sign/s verify/s
rsa 512 bits 0.000299s 0.000020s 3342.6 49587.0
rsa 1024 bits 0.001253s 0.000050s 798.2 20050.6
rsa 2048 bits 0.006901s 0.000154s 144.9 6495.9
rsa 3072 bits 0.018992s 0.000315s 52.7 3174.3
rsa 4096 bits 0.040323s 0.000536s 24.8 1867.3
rsa 7680 bits 0.222222s 0.001753s 4.5 570.6
rsa 15360 bits 1.571429s 0.006750s 0.6 148.1
sign verify sign/s verify/s
dsa 512 bits 0.000378s 0.000250s 2646.1 4007.1
dsa 1024 bits 0.000762s 0.000595s 1311.9 1680.8
dsa 2048 bits 0.002058s 0.001771s 486.0 564.5
sign verify sign/s verify/s
160 bits ecdsa (secp160r1) 0.0011s 0.0008s 944.9 1189.8
192 bits ecdsa (nistp192) 0.0015s 0.0012s 658.5 869.3
224 bits ecdsa (nistp224) 0.0022s 0.0016s 453.9 607.1
256 bits ecdsa (nistp256) 0.0002s 0.0006s 4216.2 1613.7
384 bits ecdsa (nistp384) 0.0080s 0.0055s 124.8 182.2
521 bits ecdsa (nistp521) 0.0201s 0.0136s 49.7 73.8
163 bits ecdsa (nistk163) 0.0012s 0.0023s 841.7 432.0
233 bits ecdsa (nistk233) 0.0019s 0.0037s 525.3 272.7
283 bits ecdsa (nistk283) 0.0034s 0.0067s 291.1 148.8
409 bits ecdsa (nistk409) 0.0072s 0.0140s 139.3 71.6
571 bits ecdsa (nistk571) 0.0167s 0.0325s 59.8 30.8
163 bits ecdsa (nistb163) 0.0013s 0.0024s 797.1 409.4
233 bits ecdsa (nistb233) 0.0020s 0.0040s 489.0 249.9
283 bits ecdsa (nistb283) 0.0038s 0.0074s 265.5 135.2
409 bits ecdsa (nistb409) 0.0080s 0.0156s 125.2 64.0
571 bits ecdsa (nistb571) 0.0189s 0.0366s 52.9 27.3
256 bits ecdsa (brainpoolP256r1) 0.0028s 0.0022s 357.5 448.4
256 bits ecdsa (brainpoolP256t1) 0.0028s 0.0021s 358.1 485.6
384 bits ecdsa (brainpoolP384r1) 0.0080s 0.0060s 124.8 165.5
384 bits ecdsa (brainpoolP384t1) 0.0080s 0.0055s 125.2 181.7
512 bits ecdsa (brainpoolP512r1) 0.0113s 0.0084s 88.3 118.7
512 bits ecdsa (brainpoolP512t1) 0.0113s 0.0078s 88.8 128.8
op op/s
160 bits ecdh (secp160r1) 0.0010s 999.1
192 bits ecdh (nistp192) 0.0014s 692.1
224 bits ecdh (nistp224) 0.0021s 476.5
256 bits ecdh (nistp256) 0.0004s 2347.7
384 bits ecdh (nistp384) 0.0077s 130.7
521 bits ecdh (nistp521) 0.0192s 52.2
163 bits ecdh (nistk163) 0.0011s 894.3
233 bits ecdh (nistk233) 0.0018s 560.2
283 bits ecdh (nistk283) 0.0032s 307.7
409 bits ecdh (nistk409) 0.0067s 148.7
571 bits ecdh (nistk571) 0.0157s 63.7
163 bits ecdh (nistb163) 0.0012s 840.2
233 bits ecdh (nistb233) 0.0019s 517.9
283 bits ecdh (nistb283) 0.0036s 278.7
409 bits ecdh (nistb409) 0.0076s 132.1
571 bits ecdh (nistb571) 0.0178s 56.3
256 bits ecdh (brainpoolP256r1) 0.0027s 375.0
256 bits ecdh (brainpoolP256t1) 0.0027s 375.4
384 bits ecdh (brainpoolP384r1) 0.0077s 130.7
384 bits ecdh (brainpoolP384t1) 0.0076s 131.2
512 bits ecdh (brainpoolP512r1) 0.0108s 92.3
512 bits ecdh (brainpoolP512t1) 0.0108s 92.8
253 bits ecdh (X25519) 0.0005s 2036.5
448 bits ecdh (X448) 0.0020s 506.4
sign verify sign/s verify/s
253 bits EdDSA (Ed25519) 0.0002s 0.0006s 5494.8 1813.0
456 bits EdDSA (Ed448) 0.0006s 0.0022s 1648.3 460.0
root@OpenWrt:~# uptime
12:43:01 up 17:48, load average: 0.00, 0.19, 0.47
Is that the rpi2 build? I wasn't aware that the builds were compatible across versions. I was looking out for a rpi4 image, since the openwrt wiki (last I checked) has no mention of the 4 or what image to use.
It's still missing from snapshots ¯\_(ツ)_/¯
https://downloads.openwrt.org/snapshots/targets/brcm2708/bcm2709/
Also is that 32 bit only support? The commit message suggests the 64 bit build isn't fully functional.
What's the profile name btw? Might as well start adding it to our project if it builds.
You could build it if you wish.
I don't own the device and therefore I don't know. You may ask @tmomas.
There is not an image specific for the Raspberry Pi 4 ,snapshots bcm2709 32 bits images can be used on Raspberry Pi 2B,3B,3B+,4B
Hardware based AES-NI is only available in 64 bit builds for the Raspberry Pi, right? Does anyone know whether we will see 64 bit OpenWRT builds in the future for the Raspberry Pi?
According to the RPi developers, Broadcom and the RPi foundation did not license the h/w crypto extensions (as necessary for hardware accelerated AES support). Basically every other ARMv8 hardware vendor did, the RPi4 does not (given that the RPi foundation is still pushing 32 bit ARMv6 images, they probably didn't care).
Does that mean it is impossible to use, even with software support? Or does that only mean that Raspberry Pi's "official" images lack this functionality? ie, would it be possible for OpenWRT to support this if it is build for the correct architecture?
It means the silicon doesn't contain the necessary IP blocks to support hardware accelerated crypto functions, regardless of the software you're going to run on it. While using it in ARMv8 mode will still provide better performance, you won't get hardware AES.
Got it, that makes sense. Thanks for clearing that up Will OpenWRT support the ARMv8 instruction set in the future? Would that be as simple as compiling the same image for a different target, or will that require additional work?
Does anyone know if the openwrt image for rpi provides any mechanism for overclocking? We've gotten a decent speed boost using raspbian and 1.75Ghz and plan on using active cooling on all our devices.
Overclock the rpi on OpenWrt is similar to raspbian, simply editing the config.txt in the /boot directory of the microSD card.I did a test on 2 Ghz using a regular heat sink and temperature hit 80 °C during the test.
Raspberry Pi 4 b 2 GHz openssl benchmark:
root@OpenWrt:~# cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq
2000000
2000000
2000000
2000000
root@OpenWrt:~# openssl speed
OpenSSL 1.1.1c 28 May 2019
built on: Mon Jul 29 08:13:45 2019 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) blowfish(ptr)
compiler: arm-openwrt-linux-muslgnueabi-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -O3 -fpic -ffunction-sections -fdata-sections -znow -zrelro -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSL_PREFER_CHACHA_OVER_GCM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
md2 0.00 0.00 0.00 0.00 0.00 0.00
mdc2 0.00 0.00 0.00 0.00 0.00 0.00
md4 22312.03k 80464.00k 234455.76k 459831.64k 629639.85k 648265.73k
md5 53301.98k 138269.33k 269234.09k 352757.42k 385796.78k 388606.63k
hmac(md5) 20363.18k 68089.73k 177498.62k 301418.50k 377217.02k 383920.81k
sha1 52477.95k 135640.83k 263416.15k 344583.51k 377525.59k 380005.03k
rmd160 16872.04k 51353.64k 117572.52k 173532.84k 200695.81k 202970.45k
rc4 195071.66k 214663.47k 218969.34k 221346.13k 221978.62k 222063.27k
des cbc 40740.36k 42102.25k 42472.87k 42569.73k 42562.90k 42620.25k
des ede3 15302.76k 15547.93k 15655.64k 15616.68k 15619.41k 15613.95k
idea cbc 0.00 0.00 0.00 0.00 0.00 0.00
seed cbc 0.00 0.00 0.00 0.00 0.00 0.00
rc2 cbc 28013.22k 28677.53k 28929.37k 29000.36k 29010.60k 29016.06k
rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00 0.00
blowfish cbc 70143.71k 74719.57k 76050.49k 76336.13k 76393.13k 76322.13k
cast cbc 67323.52k 71499.41k 72465.58k 72884.22k 72441.86k 72641.19k
aes-128 cbc 108758.92k 121282.67k 124734.24k 125689.17k 125796.35k 125561.51k
aes-192 cbc 94570.01k 101598.83k 106043.82k 107162.97k 107186.86k 107063.98k
aes-256 cbc 83705.85k 89150.74k 92619.61k 93500.76k 93720.32k 93443.41k
camellia-128 cbc 0.00 0.00 0.00 0.00 0.00 0.00
camellia-192 cbc 0.00 0.00 0.00 0.00 0.00 0.00
camellia-256 cbc 0.00 0.00 0.00 0.00 0.00 0.00
sha256 36885.09k 88275.39k 160978.43k 202307.93k 218912.09k 220326.57k
sha512 13510.17k 54115.88k 80571.93k 109762.49k 124431.02k 126682.84k
whirlpool 0.00 0.00 0.00 0.00 0.00 0.00
aes-128 ige 101712.02k 115867.46k 119690.33k 120927.57k 119496.70k 119788.89k
aes-192 ige 89230.10k 98496.30k 102757.80k 103681.71k 102656.68k 102525.61k
aes-256 ige 79506.68k 86857.56k 90023.08k 90713.09k 89879.89k 90424.34k
ghash 226646.46k 250854.27k 255623.42k 256037.89k 256871.08k 257037.65k
rand 2495.63k 9143.29k 27525.33k 54480.59k 76128.26k 78725.39k
sign verify sign/s verify/s
rsa 512 bits 0.000224s 0.000015s 4467.6 66594.4
rsa 1024 bits 0.000942s 0.000037s 1061.7 26887.2
rsa 2048 bits 0.005163s 0.000116s 193.7 8650.2
rsa 3072 bits 0.014300s 0.000235s 69.9 4250.3
rsa 4096 bits 0.030242s 0.000402s 33.1 2487.9
rsa 7680 bits 0.166066s 0.001315s 6.0 760.2
rsa 15360 bits 1.180000s 0.005058s 0.8 197.7
sign verify sign/s verify/s
dsa 512 bits 0.000283s 0.000185s 3533.9 5404.1
dsa 1024 bits 0.000574s 0.000451s 1741.7 2217.2
dsa 2048 bits 0.001545s 0.001351s 647.4 740.0
sign verify sign/s verify/s
160 bits ecdsa (secp160r1) 0.0008s 0.0006s 1265.3 1605.1
192 bits ecdsa (nistp192) 0.0011s 0.0009s 881.1 1146.9
224 bits ecdsa (nistp224) 0.0017s 0.0012s 603.5 807.9
256 bits ecdsa (nistp256) 0.0002s 0.0005s 5626.7 2151.9
384 bits ecdsa (nistp384) 0.0060s 0.0042s 166.4 239.8
521 bits ecdsa (nistp521) 0.0151s 0.0100s 66.4 99.8
163 bits ecdsa (nistk163) 0.0009s 0.0017s 1114.4 573.7
233 bits ecdsa (nistk233) 0.0014s 0.0028s 692.6 358.4
283 bits ecdsa (nistk283) 0.0026s 0.0050s 388.1 198.6
409 bits ecdsa (nistk409) 0.0054s 0.0105s 185.8 95.0
571 bits ecdsa (nistk571) 0.0125s 0.0245s 79.7 40.9
163 bits ecdsa (nistb163) 0.0009s 0.0018s 1060.5 542.8
233 bits ecdsa (nistb233) 0.0015s 0.0030s 651.7 333.8
283 bits ecdsa (nistb283) 0.0028s 0.0055s 354.2 180.6
409 bits ecdsa (nistb409) 0.0060s 0.0118s 166.6 85.0
571 bits ecdsa (nistb571) 0.0141s 0.0275s 70.8 36.4
256 bits ecdsa (brainpoolP256r1) 0.0021s 0.0017s 477.5 605.2
256 bits ecdsa (brainpoolP256t1) 0.0021s 0.0016s 477.5 641.6
384 bits ecdsa (brainpoolP384r1) 0.0060s 0.0045s 166.6 222.2
384 bits ecdsa (brainpoolP384t1) 0.0060s 0.0042s 166.8 240.9
512 bits ecdsa (brainpoolP512r1) 0.0085s 0.0063s 117.4 159.5
512 bits ecdsa (brainpoolP512t1) 0.0084s 0.0058s 118.5 173.5
op op/s
160 bits ecdh (secp160r1) 0.0007s 1343.1
192 bits ecdh (nistp192) 0.0011s 922.9
224 bits ecdh (nistp224) 0.0016s 635.4
256 bits ecdh (nistp256) 0.0003s 3127.8
384 bits ecdh (nistp384) 0.0057s 174.3
521 bits ecdh (nistp521) 0.0143s 69.8
163 bits ecdh (nistk163) 0.0008s 1193.1
233 bits ecdh (nistk233) 0.0013s 742.6
283 bits ecdh (nistk283) 0.0024s 410.0
409 bits ecdh (nistk409) 0.0050s 198.4
571 bits ecdh (nistk571) 0.0118s 84.9
163 bits ecdh (nistb163) 0.0009s 1119.8
233 bits ecdh (nistb233) 0.0014s 690.3
283 bits ecdh (nistb283) 0.0027s 372.1
409 bits ecdh (nistb409) 0.0057s 176.3
571 bits ecdh (nistb571) 0.0133s 75.2
256 bits ecdh (brainpoolP256r1) 0.0020s 499.8
256 bits ecdh (brainpoolP256t1) 0.0020s 499.8
384 bits ecdh (brainpoolP384r1) 0.0057s 174.4
384 bits ecdh (brainpoolP384t1) 0.0057s 175.1
512 bits ecdh (brainpoolP512r1) 0.0081s 122.9
512 bits ecdh (brainpoolP512t1) 0.0081s 123.8
253 bits ecdh (X25519) 0.0004s 2719.5
448 bits ecdh (X448) 0.0015s 672.8
sign verify sign/s verify/s
253 bits EdDSA (Ed25519) 0.0001s 0.0004s 7299.6 2409.9
456 bits EdDSA (Ed448) 0.0005s 0.0016s 2192.8 613.8