Tips for getting cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

I have not tried yet, but I assume at least in the VeloCloud case the Marvell switch and/or the SFP slot may require further custom initialization.

The VeloCloud EDGE 500-N and EDGE 540-AC will definitely need custom firmware to support the Marvell switches used. The EDGE 510-AC may be able to be configured with stock OpenWrt as it uses the processor's Ethernet with a Marvell PHY. However, I still haven't figured out how to get it to boot successfully from USB. It just hangs after the line:
Booting from 0000:7c00

Does anyone know any place in the EU where we could get, without import tax, products similar to simplewan https://forum.openwrt.org/t/tips-for-getting-cheap-used-x86-based-firewall-with-full-gbit-nat-a-pc-engines-apu-if-you-are-in-the-us/104490?u=atux_null?

I just bought a VeloCloud 520-AC for 40€. If the chances are low for OpenWrt to work with it one day, what are the chances of having pfSense/OPNsense working?

From a technical point of view, worse.

The VeloCloud OEM firmware was built upon (a heavily modified) OpenWrt 15.05.x, for which source (and apparently the required igb patches to teach it about the mdio connected Marvell switch) exists. For OPNsense/pfSense no drivers exist, they'd need to be written/ported.

Obviously motivated developers might be able to get this working for either OpenWrt or OPNsense/pfSense, it's an open question who's going to 'win' there (or if there is anyone actively working on it at all) - but it's not trivial (nor would it be to get the necessary changes merged into mainline igb) and may very well 'never' happen for either project. On the scale of things, this (at least for Linux) should be easier than getting a new mips/arm target ported from vendor sources (as the patches appear to be relatively clean, self-contained), but it's still low-level netdev development (combined with quite some social work to convince Intel developers and Linux netdev to accept the resulting patches into igb) and some unknowns waiting to happen.


Might have found another candidate - Trustwave TS-25.

Seems to run an Atom E3845 and 4x Intel gbit NICs, according to this auction - https://www.ebay.com/itm/324883108350


eBay prices are quite high at the moment, but down the road, who knows.


Barracuda builds X86-based firewall appliances under the "CloudGen" label. So there's another search term to save in your favorite classifieds website.

As I hinted at above, I recently got my hands on a Barracuda F18, for a dance and a song*. Slightly disappointingly it turned out to be the Revision A model running an Intel C2358 CPU (the Revision B would run an Apollo Lake CPU). It contains 2 GB DDR3 RAM in one of the RAM slots and a 128 GB Intel S3110 SSD (which, for some reason, only reports 67 GB ... binned by Intel perhaps?).

I only have a rather poor setup to test its routing performance, but cursory tests indicate that it can saturate a gigabit line without breaking much of a sweat: iperf3 shows 940 mbit/s WAN<>LAN with one of the CPU cores at barely 20%.

Hardware-wise it is a step-up from other similar firewall appliances:


The build quality, both of the case and the board, is significantly better than for example the Lannertec OEM devices as used by R&S/GateProtect, although I couldn't find the actual manufacturer marked anywhere on the board.

The board has four gigabit ports, four USB2.0 ports. Internally there's two one MSATA and one Mini PCIE connector (on the top right) and PCI-E connectors (at the right edge), presumably for storage and a wireless card (the back side of the case has mounting holes for wifi antennae). The BIOS is EFI capable, but it doesn't allow any modifications -- even basic ones like a BIOS admin password -- so it is basically relegated to a status display. BIOS and console are exposed through the VGA connector and the RJ45 "console" RS232 port.

The only downside to the device is that, for whatever reason, it gobbles around 12W in idle. Which might not be a huge consideration in a SOHO environment -- which is where this very machine will spend its future OpenWrt life. But with current power prices 12W are a lot when running 24/7 at home. (As a point of comparison: my Celeron J1900-based R&S GateProtect GPO-150v2 idles at slightly more than 5W.)


Well!
I didn't know that CPU has integrated LAN ports?

They say it could be 4x1Gb or 4x2.5Gb?
I thought they were using external Intel NICs.

Manufacturer/Model information is under the heat sink. MICRO-STAR Model MS-S1401. The one I have only has a 30GB Intel SSD. There are still 8 more of them available for $20 + shipping on eBay. Search Barracuda F18.

It says:
Condition: For parts or not working

I think it's because they don't have a power supply. The one I got works just fine.

Ah, I suspected as much. Thank you for the info (unfortunately it doesn't really lead anywhere useful, like a manual or BIOS update).

I bought mine for €20 + shipping. But I didn't even need the firewall itself, I bought it for the rather nice 19" rack shelf with exposed/routed ethernet ports, the firewall itself was a bonus. :wink:


Of note: Unlike similar firewall appliances that run on regular random 12V supplies, the F18 revision A requires a 19V power supply.

... which might be a factor in the unusually high power draw: Even powered down in standby it draws some 5 to 6W. Without deeper knowledge, it looks like the board wastes a good amount on voltage conversion.

This looks interesting, if anyone can find what hardware is inside:
Fortinet Fortigate-50E FG-50E


Nuage Networks 7850 NSG-X200
Around 220$, but for this price you have:

NUAGE NETWORKS 7850 NSG-C
Around 105$

This thread is "Tips for getting cheap used x86-based firewall..." not "I have a cheap used x86-based firewall... so i'm going to make a review".

If one is obliged to have the router to speak about it, then it should be specified.

Someone should remove the term "cheap" and replace it with a PRICE in USD.
For me 220$ is cheap... probably not for you or for anyone in some countries. A fixed value will make the rules clear for everyone.

By the way, 220$ for a router with those specs... I don't think it's expensive, wherever you live...
It's an Intel Xeon D1527 4c/8t with 16GB and 2 SFP+!

Value is vague, and up for interpretation.

Wattage (the Xeon box says up to 300w), and/or price might be better.

OK, I edited my message.