Tips for getting cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

Heads up, new BIOS is out.
Release date: 2021-10-19

I have posted here in the split thread about Cable Creations RS232 to USB adapters for use with the PC-Engines APU2

Are any BIOS tuneables recommended such as IOMMU, Watchdog, or SD 3.0 mode?

IOMMU can be enabled if you run virtualization and you want to passthrough devices to the VM,
Watchdog I never tested but should be something that will auto-restart if the OS does not send a signal,
SD 3.0 is compatibility mode to boot correctly with newer SD card standards and I think is better to enable it since "newer" is relative to many years ago, when this device was designed.

So what packages are needed against 21.xx to duplicate functionality from the 19 image?
Was looking at using the customize option here:

what 19.xx image are you trying to duplicate?

The 19.xx image you made from the beginning with some extra default software packages and hardware support packages.

I made a snapshot image with tools for flashing BIOS and a kernel that allows flashrom to work. It was not intended for daily use, only as a tool for BIOS update.
These are the packages I added:
luci, flashrom, ca-certificates, ca-bundle and luci-app-ttyd

But flashrom needs a kernel that has /dev/mem enabled, I compiled from source so I could change that option.
You cannot change that with Image Builder or from that website (that is just using Image Builder).
That's why I made a pre-built image, because it's not convenient to rebuild from source for most people.

If you want hardware support packages, install the packages mentioned here

(without the kmod-usb-core, kmod-usb-ohci, kmod-usb2, kmod-usb3 ) as those are already integrated in the default kernel for x86

Resurrecting this thread ...

Bought a couple of the APU1s on ebay (anyone in EU want one, let me know), and tried to update the BIOS using the TinyCoreLinux, but one of the units failed to boot it, looping at waiting to mount USB storage, or something like that.

So I installed IPfire, where flashrom threw /dev/mem permission denied, ït's fixed by adding iomem=relaxed as a kernel param, and rebooting - .

Got a similar error message when I tried to upgrade the FW through openwrt, so it might be
the same issue.

since this is all x86-64 arch, you can use the same OpenWrt images I prepared and instructions from the article in the wiki to do the BIOS flashing for all APU lines
just use the right bios blob for your device, of course.

Btw, a bunch of Simplewans are back on ebay US, maybe not as cheap as the first batch.


Routing performance of the APU1, it almost maxes out one of the cores while doing it.


They're old and barely useable, something you wanted to confirm? :slight_smile:

That they're gbit capable, which I didn't expect they would be, old tests said
they wouldn't do more than 500ish (?). They're also a lot easier to get hold
of than the SW302s, on eBay, sellers let them go for less than $30.

I think they're perfectly capable, if you attach a router as AP or AP to them.

I have one as backup router to my 1/1 gbit, in case the main server/router
breaks, or needs maintenance.

Until you do something that's not bare minimum, at least they do 64-bit but that's about it. You also have a bunch of hardware vulns that you might want to take into consideration. It's not a huge bump going for a recent ARM based solution which at least mitigates a few issues.

Those numbers are probably showing the limitations of the platform. I just did a quick test on my RockPro64 (with Intel Dual Port NIC) and ended up with 112Mbyte/s (iperf3) although running FreeBSD during testing.

Agreed, except all those new:ish devices are hard to come by currently, due to chip shortages,
and what not, even if they were, they still wouldn't be close to < $30.

Tbh, I'd rather use some old hw powerful enough for my current use case, than spend $$$ on
new, future ewaste.

The SW30*s are pretty capable - mSATA, SATA, 2x mPCIe, etc.

The only thing they lack would be raw CPU power, and USB3, in the case of the 301.


1 Like

If you do a bit of research getting a 4Gb ARM platform below 100 EUR with dual (well, 3 ethernet ports in total) shouldn't be that hard excluding PSU and a memory card though =)

I've been looking for interesting/ low-idle-power x86_64 devices capable of at least two 1000BASE-T interfaces on the European second hand market for the last couple of months, sadly there aren't that any compelling choices. Often even ancient stuff (500 MHz Via CPUs…) is still sold as if it were pure gold. While I'm certainly not a fan of the PC engines APU range in 2021, they may still fit their niche for the right price (albeit certainly not their current asking price for new devices, for that they're a tad too borderline with advanced features (e.g. sqm) at 1 GBit/s line speed).

frollic's iperf3 tests are surprisingly good, although I'd be slightly more pessimistic about real-world throughput figures under load, but that would still accomodate up to ~500-600 MBit/s WAN connections with some extra goodies (probably not with sqm) - as long as the price tag matches the expectations.

I think your best bet would be the Roqos Core RC10 as far as x86 and "decent"/cheap goes but I'm not sure how many went further than North America.

...or just embrace ARM64 :slight_smile:

1 Like

Totally agreed on the Roqos Core RC10 (I don need the wireless, but would still appreciate it), it's an interesting devices - but it sold mostly in North America (although they were offered on European amazon for a while); they're no longer listed (new) over here and I've never seen a used device being sold.

I'd be fine with ARMv8 (assuming a good support state for headless/ wired ethernet uses), if it can deliver and for a good price. But looking at e.g. the NanoPi r4s (ignoring the basically unavailable status), the prices have reached a range where a new Atom board and RAM can compete.

@frollic Did you try installing irqbalance? if you say a core is near-maxed maybe interrupts are not mapped to all cores

I wouldn't say "nearly gbit capable" for less than 50$ is "barely capable" That's a quadcore and even with no interrupt remapping that slams a core you still have 3 other "Gbit-capable" cores doing not much

Those 3 other cores are still fast as most ARM stuff

You mean the hardware vulns that also ARM designs used in current SBCs still have? Because it's an AMD CPU, not Intel. Most of the hardware vulns that affect AMD CPUs affect everyone else too.

The biggest vulnerability of x86 hardware in general is the BIOS/UEFI firmware itself, and APUs have an up-to-date coreboot, so that's already a big thing.

And even then, it's far from a big issue on a network device that isn't running untrusted applications or VMs

I looked at something like that recently and it's a tough fight to get APU1 level of connectivity, low TDP and metal case with 100 euro at the moment.

Even hot garbage like the rpi clones with Amlogic SoCs are priced at 50 euro and up for the bare board