Tips for getting cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

It's ok if you are clear enough about what info you actually have, just saying "it seems" or "people have installed pfSense/OPNsense on it" is still a good tip for those that might have some laying around or want to do some experiments.
And let's be fair, BSDs are very picky about hardware and all x86 hardware they support is also supported by Linux. If it runs pfSense/OPNsense it's nearly guaranteed to be fine for OpenWrt too.

Given that this is a high-end firewall I think the wifi capability is secondary and I'm personally more interested in the "optional addon" drawers with more ports or SFP slots. I really hope they are just a proprietary connector for PCIe lines and they are just using normal Intel/Broadcom controllers. So it's just plug and play on OpenWrt.

Hi there,
Thank you for letting me know this deal! I think I bought the last one with the blue ports.
Honestly I have never seen or used such a device before. So I hope I don't have to deal with any weird issues lol.
But yeah it's a bargain price. And I think it's a powerful and cool device for around $50. Besides it costs almost the same as rpi4 and usb ethernet adapter bundles.
Cheers!

ulpian

1 Like

That was fast lol.

I think there are still a couple auctions of the ones with blue ports (based on "advanced 2" or "SW302DA" product ID in the auction title), but they have no photo of the ports side so ask the seller for more info to confirm they are the right ones first.
SimpleWan SW Advanced 2 Router SW302DA-NA
SimpleWan Lot of 11 units Advanced 2

A few months back there was a fantastic deal on ebay where someone was selling at least 20 compact fanless 6 Intel NIC Advantech appliances with a c2558 CPU and 8gb of ECC RAM, new-in-box or near enough, for about $200, later raised to $250.

I figured it was too good to be true and the likelihood that they had the C2000 bug seemed entirely too likely; it was odd that the apparently fairly knowledgeable vendor made no mention of it: usually reputable sellers will tell you outright that it's from a stepping that contained the correction, and it was simply too good a deal for such a potent device in bulk quantity in original packaging -- otherwise I'd have posted about it here.

Anyway, thought I'd mention it to anyone looking at x86_64 appliances: if they use the Avoton/Rangeley C2xxx SoC (which otherwise is a VERY good chip), get the product serial number and research it before buying. Because that bug will kill your device stone dead in as little as two years of normal use.

2 Likes

Yes, you are right. It's probably a big old-tech disposing situation.

I think this brand has a big lack of product naming. I bought it from this link and the seller told me that it has blue colored USB ports like in the pictures. Also the sticker confirms that. But the listing says simple wan advanced - not simple wan advanced 2.
I'm still not 100% sure about what I'm about to get. It should be an apu2, right?

It's also worth noting that in many cases (Asrock Rack and Supermicro and Synology NAS boards) there is a hardware mod that can work around the problem and resurrect a board that died because of this CPU bug.

It usually consists of soldering a 220 Ohm resistor between a 3.3v pin and another pin, on a TPM header or a debug serial port.

So if you are into this kind of thing and you think you can figure it out by googling the guides for those other devices and adapting it to your own, more power to you.

That is because Simplewan sells a service, not devices. See their website https://simplewan.com/: no mention of hardware of any type.
These firewalls were just the end points of their SDWAN, aka a "cloud business VPN" network thing that joins all people of the same company in a single virtual LAN regardless of where they are.
To do this they have cloud servers and provide managed end point devices to their clients.

Just like your ISP usually gives you a cable modem as part of the Internet access contract, and mostly controls the modem on their own.

Blue (USB 3.0) ports is APU2. Also SW302DA should be APU2.
The APU1 has black USB (2.0) ports and is usually called SW301DA.

I can't 100% guarantee it but I think you should get the right one.

1 Like

Oh, I understood it. Thanks a lot for your detailed explanation.
Have a good one!

ulpian

After waiting about a day to give the OP a chance, I bought the first one of these. Looking forward to trying it out. The CPU is on the mild side to say the least: per-core it benchmarks substantially below the RPi 4's BCM2711 (what I'm using now) or the ubiquitous j1900 found in practically all of the Qotom/Protectli/etc fanless boxes from the last few years, and it's only got two cores. Yeah, it has AES-NI unlike either of those, but I don't run VPNs directly on the router for a couple of reasons, and crypto acceleration is hardly the only limiting factor on openvpn anyway.

But for routing alone it should be plenty, even with symmetric 1G fiber and several routed VLANs including IoT and always-on door cameras. Maybe even enough headroom for shaping, we'll see.

Would I be excommunicated from this forum for saying I'll probably try OPNsense on it first?

Horrors!!! :wink: Actually, you might be more in danger if it has Realtek ethernet chips, rather than Intel, and you like them... <kidding, kidding> :rofl:

2 Likes

Only if you don't explain why. :wink:

PS. Not clear which model you ended up getting.

There are some dynamic behaviors I like better, e.g. live status monitoring and dynamic firewall rule manipulation without stopping and starting the whole firewall. When you have a more powerful system sometimes you want a few of those features that expect a more powerful system. Also ISTR it handles multiwan a bit more cleanly and transparently, but I could be remembering that wrong.

The Sophos SG105 linked in the quote.

1 Like

Bought the same auction. It arrived last night, very well packed. Have not plugged it in yet, but did break the "Warranty Seal" covering one of the screws (which were put in by a gorilla so get the right size Phillips). The board says APU2C.

2 Likes

lol
That's great! I am so glad to hear that you have received the apu2. Mine hasn't arrived yet. I'm so excited.
Enjoy your new device!

ulpian

Hi,
I think it is apu2c2. This quote is from the first post of the topic, by the OP @bobafetthotmail:

...
I bought the ones with USB 3.0 ports and they were indeed APU2C2 from PCEngines (2GB ram, 3x gigabit ports with Intel ethernet).
This is the spec page of the devices I have bought and opened https://pcengines.ch/apu2c2.htm
...

ulpian

For anyone who needs a bit more muscle for only $25 more, here's a couple of SG115s for $75. Starting to think I should have held out for this; same overall specs as the 105 but better CPU and more and faster RAM.

What is the CPU in that thing? Also the other guy didn't say

Near as I can tell it's a 1.74 GHz e3827, as compared to a 1.46 GHz e3826, and it comes with 4GB DDR3 1333 rather than 2GB DDR3 1066. Don't quote me on that, because they've been through several revs on all of these. For OpenWRT the RAM scarcely matters, though. Even 1GB is a LOT of memory for OpenWRT.

1 Like

Is it possible to install OpenWRT on these units without the serial port null modem cable?

Yes, the serial is not needed for installation of OpenWrt. Just pull out the storage (SD card in this case) and write the OpenWrt image in there. They also boot from USB so you can flash OpenWrt to a USB drive and plug it in (and remove the SD card).

It should work similarly for the Sophos firewalls as well, although they probably have a SATA DOM, so to write in there you need an adapter or a PC where you can plug it in.

If you want to install pfSense you need the serial cable. If you want to install OPNsense or IPFire you shouldn't need anything, as they also provide flashable images you can just write to the storage device from another PC.

1 Like