Tips for getting a cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

While I was looking for old stuff to play with on eBay, I noticed that a few sellers are offering "cloud managed routers" (i.e. if you don't pay a subscription they are paperweights) from a company called "simplewan" that looked oddly familiar.

Here are some pictures (from auctions, not mine); they are bright orange.



The images are a dead giveaway: these devices seem to just be branded versions of the PC Engines APU1 (the ones with black USB 2.0 ports) and APU2 (the ones with blue USB 3.0 ports) mini-PC firewall/routers.
These devices are labeled SW301DA or SW302DA, but it is unclear if that relates to the hardware inside; the only 100% sure way to tell them apart is the USB ports on the back. Since you probably want the APU2 ones because they are better, ALWAYS check the photos and send a message to the seller to confirm that you are getting the ones with BLUE USB 3.0 ports.

I've seen some that have been branded by someone else (kumo, xactlink or nextiva) and have a box with a different color (blue or gray), but they are all called "simplewan" in the listings and are obviously the same thing if you look at them from the port side.

PC Engines APU devices are generic mini-PC firewalls with a BIOS, so they are good candidates for reuse with OpenWrt, pfSense, OPNsense or IPFire.
This is the APU1 board https://pcengines.ch/apu.htm
and this is the APU2 board https://pcengines.ch/apu2.htm
The case also acts as a heatsink, so it's a fanless device.

I bought the ones with USB 3.0 ports and they were indeed APU2C2 from PC Engines (2GB RAM, 3x gigabit ports with Intel Ethernet).
This is the spec page of the devices I have bought and opened https://pcengines.ch/apu2c2.htm
They seem to be running some random BSD-derived firmware on the same 4GB SLC SD card PC Engines also sells. Mhh, a free 4GB SLC SD card is included, boys.

Yes, I'm not in the US, but I still managed to get heavily discounted prices on a few lots (well below market price in the EU, even after paying the import fees) because apparently nobody wants to buy used "cloud managed routers", aka hardware that does not work without paying a business subscription to simplewan.

But since the hardware is not really locked down, you can just open them, pull the SD card and flash whatever you want on it. Or install an mSATA SSD and run from that. The devices are not "locked" to their original firmware.

The brand/logo can be easily removed from the case if you leave the metal part in a bit of "gentle" nail polish remover (i.e. not straight acetone) overnight for the white ink to soften up, and then remove it gently with a plastic tool. You need a sealed plastic container for this to work, of course.

This other site (which sells new PC Engines APUs in the EU but is otherwise unrelated to my post) has a few articles you might want to check out: one on connecting to these devices over the serial port from Windows https://teklager.se/en/knowledge-base/serial-connection-putty-windows/
and one on upgrading the coreboot BIOS to a more recent version (which isn't strictly required to use OpenWrt, but newer versions should unlock CPU turbo, so you would get some more performance)
https://teklager.se/en/knowledge-base/apu-bios-upgrade/

As for performance, the APU2 can NAT at full Gbit on Linux and 650-700 Mbit/s on pfSense (see benchmarks here https://teklager.se/en/knowledge-base/apu2c0-ipfire-throughput-test-much-faster-pfsense/ and in the other article where they mention OpenWrt being at 1 Gbit on single or multiple streams, because Linux https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/ ).
It also has AES-NI crypto acceleration.
They mention "with a new BIOS" for the pfSense performance because the new BIOS enables CPU boost to 1.4 GHz, so the CPU can clock higher when only a few cores are loaded (as I said, BSDs can only run the interrupts on a single core).

They also show some benchmarks for VPN performance on the APU2, and it's 100-150 Mbit/s for OpenVPN (again pfSense is lower and OpenWrt is higher), or 600 Mbit/s for WireGuard https://teklager.se/en/knowledge-base/apu2-vpn-performance/

APU1s are less powerful than that and have no AES-NI support, but you can still expect around 900 Mbit/s NAT on Linux and closer to 500 Mbit/s on pfSense and OPNsense:
https://forum.mikrotik.com/viewtopic.php?p=420450&hilit=alix+apu

12 Likes

Thnx,

Noticed it's $40 or make an offer for the USB 3 version.

Might just grab one for fun ;)

480 Mbps WAN throughput is kind of a letdown, but no real surprise.

1 Like

Is anyone interested in these?

If so, drop me a PM. I can probably get them to the EU for roughly €55/piece including shipping and customs, excluding shipping from me to you within the EU (from .se).

No strings attached, no upfront payment (until I send them to you).

3 Likes

Those numbers (and specs) are for the APU1 ones, with USB 2.0 (also see the image in the PDF). It seems these devices were originally all APU1 with 4GB RAM, but then PC Engines discontinued them and it seems they just started shipping APU2 with 2GB RAM instead.

Also, their numbers are for whatever old BSD the stock "firmware" is based on, which usually has lower NAT performance than Linux because it is not able to split interrupts over more than one CPU core.

The APU2 has a better CPU; it can NAT at full Gbit on Linux and 650-700 Mbit/s on pfSense (see benchmarks here https://teklager.se/en/knowledge-base/apu2c0-ipfire-throughput-test-much-faster-pfsense/ and in the other article where they mention OpenWrt being at 1 Gbit on single or multiple streams, because Linux https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/ ).
It also has AES-NI crypto acceleration.
They mention "with a new BIOS" for the pfSense performance because the new BIOS enables CPU boost to 1.4 GHz, so the CPU can clock higher when only a few cores are loaded (as I said, BSDs can only run the interrupts on a single core).

They also show some benchmarks for VPN performance on the APU2, and it's 100-150 Mbit/s for OpenVPN (again pfSense is lower and OpenWrt is higher), or 600 Mbit/s for WireGuard https://teklager.se/en/knowledge-base/apu2-vpn-performance/

3 Likes

Ok,

I thought SW302DA was the USB 3 version; it seems the eBay auctions might be misleading.
They say SW302DA and show the model with USB 3 ports.

like https://www.ebay.com/itm/402927106518

(or the PDF is wrong)

Both the APU1 and APU2 devices have the same product name on the sticker on the bottom. This was true for the ones I bought and also for the ones still up.

Look at this auction, where they have an image of the underbelly of the device and you can see the sticker https://www.ebay.com/itm/274515561265

As I speculated above, PC Engines discontinued the APU1 and at some point the inventory ran out. Simplewan just bought the APU2 in its place without bothering to update the documentation; since it's a cloud-managed router anyway, the users aren't going to complain as long as it does the same things the older hardware version did.

Thankfully the two boards are easy to tell apart if you look at the ports. If it has blue USB ports it's an APU2 with the specs I linked; if it has black USB ports it is an APU1.

ok,

then it's just me not reading carefully enough :wink:

Kudos for explaining.

Now clarified in the OP as well.

1 Like

Found someone benchmarking an APU1 on Linux (MikroTik RouterOS), and NAT is 800 Mbit/s or higher depending on the test. Because, again, the CPU is multicore and Linux can use all cores for interrupts.
https://forum.mikrotik.com/viewtopic.php?p=420450&hilit=alix+apu

@bobafetthotmail This is a Winner, Winner, Chicken Dinner!!

I have been looking for one of these for some time to replace an ALIX. PC Engines has been out of stock for quite a while and recently bumped delivery from July to January. I knew there were some clones, but had not come across any. Thank you!!

Looking at the SimpleWan auctions indicates that there are 2 part numbers for these, a SW301DA and SW302DA. (Actually 3: there is a SW251DA-NA which looks to be the PC Engines ALIX.) Both show 4GB of memory. The TECHNICAL DETAILS look the same, including the picture, but there are different specs under CAPACITY. I think we can infer the 301 is an APU1 and the 302 an APU2.

So you write:

APU2C is not a complete part number, it's only the product and rev. The 2GB would be APU2C2. If the spec sheets are correct, you should really have the APU2C4 (4GB).

1 Like

Yeah, that sounds right. Although the technical details are of an APU1 in both PDFs, it seems the whole PDF is a straight copy with a different part number. So it's a bit meh.

Given that the docs are a bit of a lie, that eBay sellers are not precise at all (see this one for example, https://www.ebay.com/itm/402927104945: the device has blue USB ports so it's an APU2, yet he listed it as SW301DA, because reasons) and that they are easy to tell apart by USB port color, I think it's still best to use visual inspection. I'll add that part number to the list.

Yes, I meant APU2C2, like the spec page I linked. Gosh, I need to fix the OP again.
The ones I have are the 2GB RAM model; I checked both from a live OpenWrt, the BIOS says so on boot, and I also checked the RAM chip spec sheet. I'm pretty sure.

I was hoping for 4GB because of the ECC support and obviously higher value, but for the price I bought them at I was fine with 2GB too. Some time ago I bought an embarrassingly large batch to refurbish and resell on EU eBay, since apparently APU shortages are a thing in the EU too.
So yeah, I have a bunch, and they are all 2GB. I can't say 4GB is impossible, but I think it's unlikely.

I'm pretty sure they never really needed 4GB for their original firmware anyway, I think Simplewan just bought them because they were cheap or available at all.

He actually has 2 auctions up. This is the other for the SW302: https://www.ebay.com/itm/402927106518
If you compare the pictures they are identical. There are 2 other auctions that claim to be SW301s and show black USB ports, so I expect he erred and does not know it. His feedback was problematic, so I paid a few dollars more elsewhere and avoided the drama (I hope).

And yeah, I screwed up. I missed that the spec sheet for the 302 has the T40E (APU1) as opposed to the GX-412TC (APU2). So bad info all around. Caveat emptor.

APU1 is not easy to find on the PC-Engines page so here it is.

Some time ago I found this post by Logan Marchione suggesting the Intel i210AT in the 4GB version is better than the i211AT in the 2GB product. Any thoughts, practical vs technical?

What's wrong with my link in the OP? :smiley: I have a link to the generic APU1 page, and from there you can go to the two pages for the 2GB and 4GB.

AFAIK that just means that on BSD you can split the load of multiple connections over more than one core.
For example, with the i211AT you have two queues, which means that if you have two connections each gets handled by a different core. No, you cannot split a single connection across multiple cores.

In this specific case (see below) each CPU core is strong enough to do the job with 2 cores with power to spare, so you don't really need more than two queues unless you somehow have some very large firewall rule list or something.

All the above is funny talk on Linux, because on x86 (and maybe other architectures as well, depending on drivers) it uses all CPU cores anyway regardless of the number of queues.

So my experience is that using random Intel/Broadcom Ethernet cards on Linux/OpenWrt x86 router devices is usually fine as long as the CPU isn't absolute garbage like old Atoms. The APU2 is on the weak end of x86 CPU power and it's already routing at 1 Gbit with power to spare.

I linked in the OP a couple of articles from Teklager (a seller of custom firewalls in the EU) where both OpenWrt and IPFire (a Linux-based firewall distro) are just routing at Gbit, single connection, multiple connections, no **** given.
While with the same APU2 on pfSense there is an article about "tweaks" like enabling multiqueue support, since by default it uses a single core, and here a single core can only route about 600 Mbit/s with the stock BIOS; then installing a BIOS update to enable CPU boost to get more performance out of a single core. Even then a single connection is still capped at 850 Mbit/s regardless of the Ethernet controller's queue count, because that's the max a single core can do on this device even with CPU boost.

EDIT: I just realized that the guy who wrote the blog post you read did not talk about enabling multiqueue in pfSense, which was not enabled by default in the version he is using. But he does not notice any issue because even with that disabled the APU2 is saturating his WAN connection anyway, so yeah.
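The practical check behind the queue/core discussion above is to look at which cores are actually servicing the NIC's interrupts. The script below is an added example (not from this thread or from any of the projects mentioned): it reads a copy of /proc/interrupts and sums the per-CPU counts of every IRQ line belonging to a given interface, including its igb-style per-queue lines. The interface name eth0 and the queue naming "eth0-TxRx-N" are assumptions; the two /proc/interrupts samples are constructed, one with everything landing on CPU0 and one with the queues spread across cores.

```shell
#!/bin/sh
# Added example: summarise which CPU cores service a NIC's interrupts,
# from a copy of /proc/interrupts.
# Assumptions: interface name (eth0) and igb-style queue names such as
# "eth0-TxRx-0" in the last column. On a live box:  nic_irq_spread /proc/interrupts eth0
#
# Prints "cpuN <count>" per core. Returns 0 when at least two cores have
# serviced the NIC (interrupts are being spread), 1 when one core takes all
# of them (the "single core does the interrupts" case discussed above).
nic_irq_spread() {
    file="$1"; ifn="$2"
    awk -v ifn="$ifn" '
        NR == 1 { ncpu = NF; next }                       # header: CPU0 CPU1 ...
        $1 ~ /^[0-9]+:$/ && $NF ~ ("^" ifn "(-[A-Za-z]+-[0-9]+)?$") {
            for (i = 2; i <= ncpu + 1; i++) tot[i - 2] += $i
        }
        END {
            busy = 0
            for (c = 0; c < ncpu; c++) {
                printf "cpu%d %d\n", c, tot[c] + 0
                if (tot[c] > 0) busy++
            }
            if (busy >= 2) exit 0
            exit 1
        }' "$file"
}

# Constructed sample: two queues, every interrupt handled by CPU0.
sample_single_core() {
    cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  24:     150000          0          0          0  PCI-MSI 524288-edge   eth0
  25:     900000          0          0          0  PCI-MSI 524289-edge   eth0-TxRx-0
  26:     700000          0          0          0  PCI-MSI 524290-edge   eth0-TxRx-1
  27:      12000          0          0          0  PCI-MSI 1048576-edge  eth1
EOF
}

# Constructed sample: the same queues, one per core.
sample_spread() {
    cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  24:        100          0          0          0  PCI-MSI 524288-edge   eth0
  25:     900000          0          0          0  PCI-MSI 524289-edge   eth0-TxRx-0
  26:          0     700000          0          0  PCI-MSI 524290-edge   eth0-TxRx-1
  27:          0          0      12000          0  PCI-MSI 1048576-edge  eth1
EOF
}

# Run with "demo" as the first argument to see both constructed cases.
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp)
    for s in sample_single_core sample_spread; do
        "$s" > "$t"
        echo "== $s"
        nic_irq_spread "$t" eth0 && echo "spread across cores: yes" || echo "spread across cores: no"
    done
    rm -f "$t"
fi
```

If the live output shows only cpu0 with a non-zero count while the box is routing at full speed, the per-queue IRQs are all landing on one core and the pfSense-style multiqueue tweak (or, on Linux, checking irqbalance and /proc/irq/N/smp_affinity) is the thing to look at.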

Actually nothing other than I was already on the PC-Engines website and it never occurred to me to look here to get there. Suppose that makes my link superfluous.

Thanks for the sanity check on the Intel Ethernet. No practical issue for most people.

Regarding the BIOS, do you have a suggested version, if not the latest? It looks like this site has an even newer BIOS than the PC Engines website.

Also, which method do you think is the easiest for upgrading? There are some in the link you gave and also on the PC Engines site. It also looks like this can be done from OpenWrt if I build my own image, but I'm not there yet. Should I just follow the Windows method with the TinyCore USB installer?

Now I need to find a serial cable and a card reader.....

No, I just flashed the latest, mostly following Teklager's instructions. The instructions on the PC Engines site are ancient (as is the site itself, more or less) and only explain how to update the ancient BIOS versions.

OpenWrt in recent releases (I don't know since when) has disabled /dev/mem access, so flashrom does not work. Do the flashing from something else (you can also custom-compile an OpenWrt, but why bother).

Specifically, I wrote an IPFire image to the SD card, configured the RED interface (the WAN) so I had internet access, installed the flashrom package, then wget'd the right image and gave the flashrom command manually, as mentioned in the steps for pfSense (flashrom is the same application everywhere).

flashrom -w apu2_v4.XX.X.X.rom -p internal:boardmismatch=force

Since in the newer BIOS versions they have changed the board name string, the IPFire automatic firmware update does not work (it expects to update a newer BIOS with the new board name string), and that's why you have to force the flash with "boardmismatch=force".
So, since you are forcing the flash of the image, BE VERY SURE you have downloaded the BIOS image for your version of the APU, probably apu2_vXXXXXXXX. I don't think the others are so different as to make it unbootable (it's mostly the same thing with different IO), but the APU1 BIOS will probably brick it, as it is a different CPU.

After you give the command you will first see a bunch of errors, because it tries a lot of different flash chips and does not find them; this is OK, eventually it finds the right chip and does the flashing. Here, I saved you a heart attack.

For all subsequent devices it was just: slap in the card, boot, run the command, reboot to check all is still OK. I've done this many times at this point, no problems.

In case something goes wrong and you brick it, there is a convenient official "BIOS chip override" tool https://teklager.se/en/products/router-components/spi1a_flash_recovery that allows you to boot the device again, remove the tool and then try flashing the onboard chip again.
AFAIK there is a different one for the APU1 as well.

Another thing: if you want to enter the (very basic) BIOS settings menu, you probably need to connect a keyboard to the device's USB ports to press the right key on boot. After that you can use the keyboard of the PC connected through serial to set or unset the options.
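Since the post above forces flashrom past its board check, the one thing worth automating is the sanity check that the forced image is actually for this board family and is the file you think it is. The script below is an added example (not from the thread, Teklager or PC Engines): it takes the board string reported by the firmware (on a Linux live system that would be `cat /sys/class/dmi/id/board_name` or `dmidecode -s baseboard-product-name`; here it is passed in as an argument), the .rom path and the SHA-256 you expect for that file, refuses on an apu1/apu2 family mismatch or a checksum mismatch, and only then prints the flashrom command line. It assumes the vendor naming convention apu1_v*.rom / apu2_v*.rom already quoted in the thread and that you have a trustworthy SHA-256 for the image; the .rom in the test is a constructed dummy file.

```shell
#!/bin/sh
# Added example: pre-flight checks before running
#   flashrom -w apuN_v....rom -p internal:boardmismatch=force
# on a PC Engines APU. Nothing here writes to flash; the script only
# validates the inputs and prints the command it would run.
#
# Assumptions: $1 is the board string from firmware (e.g. "apu2", "APU2",
# "PC Engines apu2"), $2 the image path named apu1_v*.rom / apu2_v*.rom,
# $3 the expected SHA-256 of that image.

# Normalise the firmware board string to "apu1".."apu6"; empty if unknown.
apu_family() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | grep -o 'apu[1-6]' | head -n1
}

# Family encoded in the image filename (vendor convention: apuN_v...rom).
image_family() {
    basename "$1" | grep -o '^apu[1-6]' | head -n1
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Prints the flashrom command on success. Non-zero return codes:
# 1 unknown board, 2 image is for another APU family, 3 missing file,
# 4 checksum mismatch.
flash_preflight() {
    board="$1"; rom="$2"; want="$3"
    bf=$(apu_family "$board")
    rf=$(image_family "$rom")
    [ -n "$bf" ] || { echo "cannot tell the APU family from board string '$board'" >&2; return 1; }
    [ "$bf" = "$rf" ] || { echo "refusing: board is $bf but image is for '$rf'" >&2; return 2; }
    [ -f "$rom" ] || { echo "image not found: $rom" >&2; return 3; }
    have=$(sha256_of "$rom")
    [ "$have" = "$want" ] || { echo "refusing: SHA-256 mismatch (got $have)" >&2; return 4; }
    echo "flashrom -w $rom -p internal:boardmismatch=force"
}

# Usage on a live system (prints the command; pipe to sh once you trust it):
#   flash_preflight "$(cat /sys/class/dmi/id/board_name)" apu2_v4.XX.X.X.rom <sha256>
if [ $# -eq 3 ]; then
    flash_preflight "$1" "$2" "$3"
fi
```

The family check is the important one: the post above warns that the APU1 BIOS will likely brick an APU2, and once boardmismatch=force is on the command line flashrom itself will no longer stop you.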

And if you don't have your heart set on a PC Engines product, this is an x86_64 device supported in 21.02 and master for about US $50 shipped within the US.

The power supply is proprietary (barrel plug + secure lock), so make sure to buy one with the power supply included. While I have only tested the SG-105, according to the tech data both the SG-105 and XG-105 are OpenWrt-capable (most other Sophos appliances are not).

1 Like

Interesting, I think Sophos is a bigger rabbit hole than you think.
Seems like a bunch of people have been running vanilla OPNsense and pfSense on various Sophos appliances as well, like the SG115, SG230 and SG330 rev1, and that any appliance running "Sophos UTM" should work in theory, as that's just an x86 Linux distro
https://forum.opnsense.org/index.php?topic=4196.0
or SG 125

And the official docs here https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Architecture.html
say
XGS series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor for hardware acceleration. The Xstream Flow Processor is a Network Processing Unit (NPU), which accelerates trusted traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as TLS inspection and deep packet inspection. After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to Xstream FastPath, which runs on the dedicated Xstream Flow Processor specifically designed for FastPath operations.

Which is a fancy way of saying it's still an x86 box with an additional hardware acceleration module (which is probably not supported outside of their own thing).

You might want to start your own thread with this. :grinning_face_with_smiling_eyes:

What additional hardware would be recommended for wifi? Is the link below still the latest?

PC Engines APU2 - Recommended! - Hardware Questions and Recommendations

@bobafetthotmail Alberto -- I was reluctant to recommend something I personally have not tried and Sophos conveniently lists only throughput as the hardware specs for their appliances, but you are right, looks like both SG and XG models 1xx are x86_64 based and are probably flashable with OpenWrt.

I was going to get a 125/135 (maybe even with a wireless radio) as I'd prefer more ports on my router, but I'm unlikely to get it before September 21st and maybe even October 21st.

If anyone else gets a model other than the SG-105, please send PRs similar to this: https://github.com/openwrt/openwrt/pull/4024 -- the ports on the enclosures are marked in a weird order, and the decision was made to keep the OpenWrt WAN/LAN ports according to the markings on the enclosure.

2 Likes

My personal recommendation is to use another device for wifi, configured as a dumb AP https://openwrt.org/docs/guide-user/network/wifi/dumbap

Not because this device is bad, but because in many cases the router/firewall is not in the best physical spot to create a wifi network.