Tips for getting cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

@bobafetthotmail This is a Winner, Winner, Chicken Dinner!!

I have been looking for one of these for some time to replace an ALIX. PC-Engines has been out of stock for quite a while and recently bumped delivery from July to January. I knew there were some clones, but had not come across any. Thank you!!

Looking at the SimpleWan auctions indicates that there are 2 part numbers for these, a SW301DA and SW302DA. (Actually 3, there is a SW251DA-NA which looks to be the PC-Engines ALIX.) Both show 4GB of memory. The TECHNICAL DETAILS look the same, including the picture, but there are different specs under CAPACITY. I think we can infer the 301 is an APU1 and the 302 an APU2.

So you write:

APU2C is not a complete part number, it's only the product and rev. The 2GB would be APU2C2. If the spec sheets are correct, you should really have the APU2C4 (4GB).

1 Like

Yeah, that sounds right. Although the technical details are of an APU1 in both pdfs, it seems the whole pdf is a straight copy with a different part number. So it's a bit meh.

Given the docs are a bit of a lie, that ebay sellers are not precise at all (see this one for example, https://www.ebay.com/itm/402927104945 the device has blue USB ports so it's an APU2, yet he listed it as SW301DA, because reasons) and that they are easy to tell apart by USB port color, I think it's still best to use visual inspection. I'll add that part number to the list.

Yes, I meant APU2C2, like the spec page I linked. Gosh, I need to fix the OP again.
The ones I have are the 2GB RAM model. I checked both from a live OpenWrt: the BIOS says this on boot and I also checked the RAM chip spec sheet. I'm pretty sure.

I was hoping for 4GB because of the ECC support and obviously higher value, but for the price I bought them I was fine with 2GB too. Some time ago I bought an embarrassingly large batch to refurbish and resell on EU ebay since apparently APU shortages are a thing in EU too.
So yeah, I have a bunch, and they are all 2GB. I can't say 4GB is impossible, but I think it's unlikely.

I'm pretty sure they never really needed 4GB for their original firmware anyway, I think Simplewan just bought them because they were cheap or available at all.

He actually has 2 auctions up. This is the other for the SW302: https://www.ebay.com/itm/402927106518
If you compare the pictures they are identical. There are 2 other auctions that claim to be SW301's and show black USB ports, so I expect he erred and does not know it. His feedback was problematic so I paid a few dollars more elsewhere and avoided the drama (I hope).

And yeah, I screwed up. I missed that the spec sheet for the 302 has the T40E (APU1) as opposed to the GX-412TC (APU2). So bad info all around. Caveat Emptor

APU1 is not easy to find on the PC-Engines page so here it is.

Some time ago I found this post by Logan Marchione suggesting the Intel i210AT in the 4GB version is better than the 1211AT in the 2GB product. Any thoughts, practical vs technical?

What's wrong with my link in the OP. :smiley: I have a link to the generic APU1 page and from there you can go to the two pages for the 2GB and 4GB.

afaik that just means that on BSD you can split the load of multiple connections on more than one core.
For example with i211AT you have two queues and this means that if you have two connections each gets executed by a different core. No, you cannot split a single connection on multiple cores.

In this specific case (see below) each CPU core is strong enough to do the job with 2 cores with power to spare, so you don't really need more than two queues unless you somehow have some very large firewall rule list or something.

All the above is funny talk on Linux because on x86 (and maybe other architectures as well, depending on drivers) it uses all CPU cores anyway regardless of the number of queues.

So my experience is that using random Intel/Broadcom ethernet cards on Linux/OpenWrt x86 router devices is usually fine as long as the CPU isn't absolute garbage like old Atoms. APU2 is on the weak end of x86 CPU power and it's already routing at 1Gbit with power to spare.

I linked up in the OP a couple articles from teklager (a seller of custom firewalls in EU) where both OpenWrt and IPFire (a Linux-based Firewall distro) are just routing at Gbit, single connection, multiple connections, no **** given.
While with the same APU2 on pfSense there is an article about "tweaks" like enabling the multiqueue support, since by default it uses a single core and here a single core can only route like 600 Mbit with stock BIOS, and then installing a BIOS update to enable CPU boost to get more performance out of a single core, and even then a single connection is still capped at 850 Mbit regardless of queue size of the ethernet controller, because that's the max a single core can do in this device even with CPU boost.

EDIT: I just realized that the guy that wrote the blog post you read did not talk about enabling multi queue in pfSense, which was not enabled by default at the version he is using. But he does not notice any issue because even with that disabled the APU2 is saturating his WAN connection anyway, so yeah.

Actually nothing other than I was already on the PC-Engines website and it never occurred to me to look here to get there. Suppose that makes my link superfluous.

Thanks for the sanity check on the Intel Ethernet. No practical issue for most people.

Regarding BIOS, do you have a suggestion for version if not the latest? It looks like that this site has even newer BIOS than the PC-Engines website.

Also, which method do you think is the easiest for upgrading? There are some in this link you gave and also on the PC-Engines site. It also looks like this can be done from OpenWrt if I make my own software, but not there yet. Should I just follow the Windows method with TinyCore USB Installer?

Now I need to find a serial cable and a card reader.....

No, I just flashed the latest, mostly following teklager instructions. The instructions on the PCEngines site are ancient (as the site itself, more or less) and only explain how to update the ancient BIOS versions.

OpenWrt in recent releases (I don't know when) has disabled /dev/mem access so flashrom does not work. Do the flashing from something else (you can also custom compile an OpenWrt, but why bother).

Specifically, I wrote an IPFire image on the SD card, configured the RED interface (the WAN) so I could have internet access, installed the flashrom package, then wget'd the right image and gave the flashrom command manually as mentioned in the steps for pfSense (flashrom is the same application everywhere).

flashrom -w apu2_v4.XX.X.X.rom -p internal:boardmismatch=force

Since in the newer versions of the BIOS they have changed the board name string, the IPFire auto firmware update does not work (it expects to update a newer BIOS with the new board name string) and that's why you have to force the flash with the "boardmismatch=force".
So since you are forcing the flash of the image, BE VERY SURE you have downloaded the BIOS image for your version of APU, probably apu2_vXXXXXXXX. I don't think the others are so different to make it unbootable (it's mostly the same thing with different IO), but the apu1 BIOS will probably brick it as it is a different CPU.

After you give the command you will first see a bunch of errors because it tries a lot of different flash chips and does not find them. This is OK; eventually it finds the right chip and does the flashing process. Here, I saved you a heart attack.

For all subsequent devices it was just slap in the card, boot, run the command, reboot to check all is still OK. I've done this many times at this point, no problems.

In case something goes wrong and you brick it, there is a convenient "bios chip override" official tool https://teklager.se/en/products/router-components/spi1a_flash_recovery that allows you to boot the device again, remove the tool and then try flashing the onboard chip again.
Afaik there is a different one for APU1 as well.

Another thing, if you want to enter the (very basic) BIOS settings menu you probably need to connect a keyboard to the device USB ports to press the right key on boot. After that you can use the keyboard of the PC connected through serial to set or unset the options.
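A small guard around the forced flash described above, added here as an example and not code from the post, teklager or PC Engines: it refuses to run unless the "apuN" family in the ROM file name matches the board family you pass in, reads the current chip to a backup file with flashrom -r first, and only then issues the boardmismatch=force write. The board-string source, the backup file name and the flashrom invocation details are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the PC Engines/teklager docs.
# Guard for the forced flashrom write: the post warns that forcing the
# apu1 image onto an APU2 will probably brick it, so we check the ROM
# file name against the board family before touching the chip.

# Extract the "apu1"/"apu2"/... family from a PC Engines ROM file name
# such as apu2_v4.XX.X.X.rom. Prints nothing and fails on other names.
rom_family() {
    printf '%s\n' "$1" | sed -n 's/^\(apu[0-9]\)_v[0-9].*\.rom$/\1/p' | grep .
}

# Compare the ROM family with the board family, case-insensitively, so
# both "APU2" from an old BIOS banner and "apu2" from a new one match.
# (Assumption: you pass the board string you read from the boot banner.)
rom_matches_board() {
    rom=$(rom_family "$1") || return 1
    board=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$rom" = "$board" ]
}

# Back up the current chip, then force-write the new image as in the post.
# The backup file name is an assumption; -r and -w are real flashrom options.
safe_flash() {
    rom_file=$1
    board=$2
    if ! rom_matches_board "$rom_file" "$board"; then
        echo "refusing: $rom_file is not a ROM for board family '$board'" >&2
        return 1
    fi
    flashrom -p internal -r "bios-backup-$(date +%Y%m%d).rom" || return 1
    flashrom -p internal:boardmismatch=force -w "$rom_file"
}
```

Run it as safe_flash apu2_v4.XX.X.X.rom apu2 from the same IPFire/live environment you would use for the manual command; the two checks cost nothing and the backup gives you something to write back with the recovery tool if the flash goes wrong.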

And if you don't have your heart set on PC Engines product, this is an x86_64 device supported in 21.02 and master for about US $50 shipped within US.

Power supply is proprietary (barrel plug + secure lock) so make sure to buy one with power supply included. While I have only tested SG-105, according to tech data, both SG-105 and XG-105 are OpenWrt-capable (most other Sophos appliances are not).

1 Like

Interesting, I think Sophos is a bigger rabbit hole than you think.
Seems like a bunch of people have been running vanilla OPNsense and pfSense on various Sophos appliances as well, like SG115 and SG230 and SG330rev1, and that any appliance running "Sophos UTM" should work in theory as that's just an x86 Linux distro.
https://forum.opnsense.org/index.php?topic=4196.0
or SG 125

And the official docs here https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Architecture.html
say
XGS series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor for hardware acceleration. The Xstream Flow Processor is a Network Processing Unit (NPU), which accelerates trusted traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as TLS inspection and deep packet inspection. After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to Xstream FastPath, which runs on the dedicated Xstream Flow Processor specifically designed for FastPath operations.

Which is a fancy way of saying it's still an x86 box with an additional hardware acceleration module (which is probably not supported outside of their own thing).

You might want to start your own thread with this. :grinning_face_with_smiling_eyes:

What additional hardware would be recommended for wifi? Is the link below still the latest?

PC Engines APU2 - Recommended! - Hardware Questions and Recommendations

@bobafetthotmail Alberto -- I was reluctant to recommend something I personally have not tried and Sophos conveniently lists only throughput as the hardware specs for their appliances, but you are right, looks like both SG and XG models 1xx are x86_64 based and are probably flashable with OpenWrt.

I was going to get an 125/135 (maybe even with wireless radio) as I'd prefer more ports on my router, but I'm unlikely to get it before September 21st and maybe even October 21st.

If anyone else gets a model other than SG-105, please send PRs similar to this: https://github.com/openwrt/openwrt/pull/4024 -- the ports on the enclosures are marked in the weird order and the decision was made to keep the OpenWrt WAN/LAN ports according to markings on the enclosure.

2 Likes

My personal recommendation is to use another device for wifi, configured as dumb AP https://openwrt.org/docs/guide-user/network/wifi/dumbap

Not because this device is bad, but because in many cases the router/firewall is not in the best physical spot to create a wifi network.

It's ok if you are clear enough about what info you actually have; just saying "it seems" or "people have installed pfSense/OPNsense on it" is still a good tip for those that might have some lying around or want to do some experiments.
And let's be fair, BSDs are very picky about hardware and all x86 hardware they support is also supported by Linux. If it runs pfSense/OPNsense it's nearly guaranteed to be fine for OpenWrt too.

Given that this is a high-end firewall I think the wifi capability is secondary and I'm personally more interested in the "optional addon" drawers with more ports or SFP slots. I really hope they are just a proprietary connector for PCIe lines and they are just using normal Intel/Broadcom controllers. So it's just plug and play on OpenWrt.

Hi there,
Thank you for letting me know this deal! I think I bought the last one with the blue ports.
Honestly I have never seen or used such a device before. So I hope I don't have to deal with any weird issues lol.
But yeah it's a bargain price. And I think it's a powerful and cool device for around $50. Besides it costs almost the same as rpi4 and usb ethernet adapter bundles.
Cheers!

ulpian

1 Like

That was fast lol.

I think there are still a couple auctions of the ones with blue ports (based on "advanced 2" or " SW302DA" product ID in the auction title), but they have no photo of the ports side so ask the seller for more info to confirm they are the right ones first.
SimpleWan SW Advanced 2 Router SW302DA-NA
SimpleWan Lot of 11 units Advanced 2

A few months back there was a fantastic deal on ebay where someone was selling at least 20 compact fanless 6 Intel NIC Advantech appliances with a c2558 CPU and 8gb of ECC RAM, new-in-box or near enough, for about $200, later raised to $250.

I figured it was too good to be true and the likelihood that they had the C2000 bug seemed entirely too likely; it was odd that the apparently fairly knowledgeable vendor made no mention of it: usually reputable sellers will tell you outright that it's from a stepping that contained the correction, and it was simply too good a deal for such a potent device in bulk quantity in original packaging -- otherwise I'd have posted about it here.

Anyway, thought I'd mention it to anyone looking at x86_64 appliances: if they use the Avoton/Rangeley C2xxx SoC (which otherwise is a VERY good chip), get the product serial number and research it before buying. Because that bug will kill your device stone dead in as little as two years of normal use.

2 Likes

Yes, you are right. It's probably a big old-tech disposing situation.

I think this brand has a big lack of product naming.. I bought it from this link and the seller told me that it has blue colored USB ports like in the pictures. Also the sticker confirms that. But the listing says simple wan advanced - not simple wan advanced 2.
I'm still not 100% sure about what I'm about to get. It should be an apu2, right?

It's also worth noting that in many cases (Asrock Rack and Supermicro and Synology NAS boards) there is a hardware mod that can work around the problem and resurrect a board that died because of this CPU bug.

It usually consists of soldering a 220 Ohm resistor between a 3.3v pin and another pin, on a TPM header or a debug serial port.

So if you are into this kind of thing and you think you can figure it out by googling the guides for those other devices and adapting it to your own, more power to you.

That is because Simplewan sells a service, not devices. See their website https://simplewan.com/ no mention of hardware of any type.
These firewalls were just the end points of their SDWAN, aka a "cloud business VPN" network thing that joins all people of the same company in a single virtual LAN regardless of where they are.
To do this they have cloud servers and provide managed end point devices to their clients.

Just like your ISP usually gives you a cable modem as part of the Internet access contract, and mostly controls the modem on their own.

Blue (USB 3.0) ports is APU2. Also SW302DA should be APU2.
The APU1 has black USB (2.0) ports and is usually called SW301DA.

I can't 100% guarantee it but I think you should get the right one.

1 Like

Oh, I understood it. Thanks a lot for your detailed explanation.
Have a good one!

ulpian

After waiting about a day to give the OP a chance, I bought the first one of these. Looking forward to trying it out. The CPU is on the mild side to say the least: per-core it benchmarks substantially below the RPi 4's BCM2711 (what I'm using now) or the ubiquitous j1900 found in practically all of the Qotom/Protectli/etc fanless boxes from the last few years, and it's only got two cores. Yeah, it has AES-NI unlike either of those, but I don't run VPNs directly on the router for a couple of reasons, and crypto acceleration is hardly the only limiting factor on openvpn anyway.

But for routing alone it should be plenty, even with symmetric 1G fiber and several routed VLANs including IoT and always-on door cameras. Maybe even enough headroom for shaping, we'll see.

Would I be excommunicated from this forum for saying I'll probably try OPNsense on it first?