Tips for getting cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

Can I DD a duplicate image from the SDcard to a mSATA drive and just removed the SD card?

Yeah, using OpenWrt on the SDcard to DD a new image to the mSata drive works fine.
It works the same for all x86 (or any architecture that can boot from multiple sources, really) see https://openwrt.org/docs/guide-user/installation/openwrt_x86#installing_openwrt_in_an_internal_drive

Although there is no real need to use a mSata drive for a normal OpenWrt install, since it does not write to disk unless you are saving the configuration.

mSata is required for pfSense or OPNSense or a normal Linux distro afaik as those do write logs and stuff constantly to the drive.

Or if you want to install applications that write to disk on OpenWrt, of course.

At least for pfSense, the storage requirements are indeed insane. A few years ago I wanted to quickly test something using pfSense running from a USB stick (ivy-bridge pentium g2020, 16 GB RAM, internal HDD disconnected, to keep its installed data safe) - it was unusable. Booting took ages, even once fully booted up, it remained extremely slow (and I had more than enough RAM to cache the entire USB stick). OpenWrt works just fine in a setup like that - and even full-blown desktop linux tends to run quite well from USB sticks, if there's enough RAM for caching (yes, you notice and want to use fast USB sticks, but even with slower ones it remains usable).

Yeah it's not particularly optimized, boot time is measured in minutes even on Sata SSD for FreBSD-based projects. Also FreeNAS/TrueNAS take a while to boot and it's just a NAS system with a web interface.
On the same hardware (a somewhat lousy Atom S1260 with 8GB of ECC ram) an OpenSUSE 15.3 Linux distro with similar services (ZFS storage array, web server, Syncthing, a few SMB shared folders) is up and running in less than 10 seconds.
Between this, the fail to do multicore routing properly (that results in Linux-based firewalls eating their lunch and dinner with more than double the performance), and the extremely pickyness on hardware I'm not a fan of anything based on *BSD.
Yes they have a much more web polished interface, but boy they run bad.

Heads up, new BIOS is out.
https://3mdeb.com/open-source-firmware/pcengines/apu2/apu2_v4.14.0.5.rom
Release date: 2021-10-19

I have posted here in the split thread about Cable Creations RS232 to USB adapters for use with the PC-Engines APU2

Are any BIOS tuneables recommended such as IOMMU, Watchdog, or SD 3.0 mode?

IOMMU can be enabled if you run virtualization and you want to passthrough devices to the VM,
Watchdog I never tested but should be something that will auto-restart if the OS does not send a signal,
SD 3.0 is compatibility mode to boot correctly with newer SD card standards and I think is better to enable it since "newer" is relative to many years ago, when this device was designed.

So what packages are needed against 21.xx to duplicate functionality from the 19 image?
Was looking at using the customize option here:
https://chef.libremesh.org/?version=21.02.1&target=x86%2F64&id=generic

what 19.xx image are you trying to duplicate?

The 19.xx image you made from the beginning with some extra default software packages and hardware support packages.

I made a snapshot image with tools for flashing BIOS and a kernel that allows flashrom to work. It was not intended for daily use, only as a tool for BIOS update.
These are the packages I added:
luci, flashrom, ca-certificates, ca-bundle and luci-app-ttyd

But flashrom needs a kernel that has /dev/mem enabled, I compiled from source so I could change that option.
You cannot change that with Image Builder or from that website (that is just using Image Builder).
That's why I made a pre-built image, because it's not convenient to rebuild from source for most people.

If you want hardware support packages, install the packages mentioned here

(without the kmod-usb-core, kmod-usb-ohci, kmod-usb2, kmod-usb3 ) as those are already integrated in the default kernel for x86

Resurrecting this thread ...

Bought a couple of the APU1s on ebay (anyone in EU want one, let me know), and tried to update the BIOS using the TinyCoreLinux, but one of the units failed to boot it, looping at waiting to mount USB storage, or something like that.

So I installed IPfire, where flashrom threw /dev/mem permission denied, ït's fixed by adding iomem=relaxed as a kernel param, and rebooting - https://flashrom.org/FAQ .

Got a similar error message when I tried to upgrade the FW through openwrt, so it might be
the same issue.

since this is all x86-64 arch, you can use the same OpenWrt images I prepared and instructions from the article in the wiki to do the BIOS flashing for all APU lines https://openwrt.org/toh/pcengines/apu-bios-update
just use the right bios blob for your device, of course.

Btw, a bunch of Simplewans are back on ebay US, maybe not as cheap as the first batch.

2 Likes

Routing performance of the APU1, it almost maxes out one of the cores while doing it.

image

They're old and barely useable, something you wanted to confirm? :slight_smile:

That they're gbit capable, which I didn't expect they would be, old tests said
they wouldn't do more than 500ish (?). They're also a lot easier to get hold
of than the SW302s, on eBay, sellers let them go for less than $30.

I think they're perfectly capable, if you attach a router as AP or AP to them.

I have one as backup router to my 1/1 gbit, in case the main server/router
breaks, or needs maintenance.

Until you do something that's not bare minimum, at least they do 64-bit but that's about it. You also have a bunch of hardware vulns that you might want to take into consideration. It's not a huge bump going for a recent ARM based solution which at least mitigates a few issues.

Those numbers are probably showing the limitations of the platform. I just did a quick test on my RockPro64 (with Intel Dual Port NIC) and ended up with 112Mbyte/s (iperf3) although running FreeBSD during testing.

Agreed, except all those new:ish devices are hard to come by currently, due to chip shortages,
and what not, even if they were, they still wouldn't be close to < $30.

Tbh, I'd rather use some old hw powerful enough for my current use case, than spend $$$ on
new, future ewaste.

The SW30*s are pretty capable - mSATA, SATA, 2x mPCIe, etc.

The only thing they lack would be raw CPU power, and USB3, in the case of the 301.

imho

1 Like

If you do a bit of research getting a 4Gb ARM platform below 100 EUR with dual (well, 3 ethernet ports in total) shouldn't be that hard excluding PSU and a memory card though =)