Tips for getting cheap used x86-based firewall with full Gbit NAT (a PC Engines APU) if you are in the US

The APU1 comes with a dual core CPU, at least according to the PC Engines themselves
Source: https://www.pcengines.ch/pdf/apu1.pdf

Please read more carefully, in the following sentence I stated "which at least mitigates a few issues" which isn't the same as all which you seem to imply.

Please reference what hardware vulnerabilities coreboot mitigates alone as I think that would be useful information for many of us. Most if not all are down to hardware design. Unfortuantely it seems that there's no table/chart available for older CPUs from AMD except for security announcements.

Intel does however provide one:

I'm not sure to what hardware you're referring to? By "rpi clones" I guess you refer to the form factor? From what I can remember I think only SinoVoip did make a card that was supposed to be a direct replacement but I'm not 100% sure. Amlogic have a bunch of nice SoCs that performs just as well or even better compared to the Broadcom based SoCs however one might be more suitable than the other depending on application and usage.

Thanks for the tip about the RC10, snagged an open box on eBay for $60.

2 Likes

From what I've seen over the years of tech news, the only somewhat certain thing is that Intel has it worse due to Meltdown and some others that are specific only for them. ARM is affected by more or less the same major vulns as AMD (and Power and everyone else, since speculative execution is a very common CPU feature).

Since nobody apart from Intel cares enough to make a table with all microarchs and vulnerabilities so it's not easy to compare them

Afaik the only way to get relatively updated info on non-Intel CPUs is read the Linux kernel source for cpu feature flags as that's what populates the "bugs" line in /proc/cpuinfo

This is that line from a first-gen ryzen CPU I have

bugs : sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass

so it's probably the case on APU boards (all versions) as well.

Never said coreboot mitigates hardware vulns, I said BIOS/UEFI is a much bigger security hole in x86 hardware in many instances, especially if it's old, while coreboot isn't, especially when updated.
Board firmware exploits are much more common than the ones for CPU hardware vulns.

I was going by OpenWrt's own hardware table and from the list shown in Armbian site for "dual network port devices", since they do support some of those Amlogic boards that aren't supported/supportable in OpenWrt https://www.armbian.com/download/?tx_category=networking

And by "pi clones" I meant "boards that have pi in the name" as that's what is commonly done by chinese board manufacturers. Like RockPi, BananaPi, OrangePi and so on.

The silicon shortage is real.

this brand just little good for me, or maybe i cant use

Speaking of, support for SG/XG-105 has been improved and support for SG/XG-135 has been added to the master branch: https://github.com/openwrt/openwrt/commit/ffab23d99d980974e502989994f3aaec3f462865.

Sadly, I can't deviate from official 21.02.1 builds on my Sophos hardware, so if anyone with the abovementioned models can test the snapshots image on SG/XG-135, please do.

Also, I can confirm that the wireless model of 135 has the WPEA-352ACN card which works just fine if you add the following packages to the image: kmod-ath10k-ct ath10k-firmware-qca988x-ct-full-htt ath10k-firmware-qca988x-ct wpad-openssl (or wpad-wolfssl instead of the last one).

3 Likes

I have Sophos SG105 rev3, SG115 rev2 and SG125 rev2 on the way and will submit a similar patch for those when they arrive!

2 Likes

Hello,
First of all I would like to thank @bobafetthotmail for introducing this little device to me. That was a really good deal!
I am very happy with my SW302DA a.k.a. PC Engines apu2 and I would like to ask you if this device can be added to openwrt as a specific target like other home routers. Not the generic x64 image I mean. I'm installing these "recommended packages" every update so which is made me to think about this.

kmod-leds-apu2 kmod-leds-gpio kmod-crypto-hw-ccp kmod-sp5100_tco kmod-usb-core kmod-usb-ohci kmod-usb2 kmod-usb3 kmod-sound-core kmod-pcspkr amd64-microcode flashrom irqbalance fstrim usbutils curl

ulpian

1 Like

Some further information on Sophos SG/XG devices. The SG/XG 105/115 rev 1/rev 2 devices all use a NEXCOM DNB120-S VER C board with either an Intel Atom E3826 for the 105 or Intel Atom E3827 for the 115. The difference between the rev 1 and rev 2 boards appears to be the use of a 64GB SSD in place of a 320GB 7200RPM disk. The rev 1 devices I have all have the Mini PCIe port populated while the rev 2 non WiFi devices are missing the Mini PCIe connector. 105 devices come with 2GB SODIMM and the 115 device has 4GB SODIMM. They all can be upgraded to 8GB.

I have created a pull request that adds support for the SG/XG 115 and 125 with and without WiFi and also adds the WiFi versions of the SG/XG 105. The wireless model of the 115 has a WPEA-128N card, the wireless model of the 125 has the same WPEA-352ACN as previously identified in the 135 model.

1 Like

@RaylynnKnight and @stangri do the sophos devices need packages not included in default image? for LEDs, buttons, speaker or watchdog?

I was thinking about creating a few "Device" templates with default packages for APU1, APU2/3/4 and for Cisco Meraki mx100, so that the build system will create images for those devices, as asked by ulpian, but I'm not sure about the odds of that succeeding, I think I saw core developers that were against adding multiple devices under x86 targets.

Currently there is only one "device" in x86 Geode target for "Traverse Technologies Geos" (which is some ancient device using a Geode x86 CPU).

1 Like

Only the wireless versions.

This is what I used for PC-Engines predecessor to the APU, ALIX. I used this with 13 thru 17, about 6 years. It has 100Mbps ports and 128 AES HW encryption. It came in two versions, with 128 or 256 RAM, which was big back then. I set it up with an Open-VPN server to access media while traveling (it was a different world back then, though it's not long ago). While testing (local) I could get mid teens performance, but it was hard to find an internet connection with more they 4-5Mbps, so not so great in practice.

I was quite happy with it as a Router (no wireless), and I suspect for someone on a slow LAN connection may still be a usable device. The device page indicates support up to 19, but there are 21 Images for this. FWIW, I never killed a CF card.

They use the same cases as the APU, and have been on Ebay for short money, but not much less than the SimpleWAN 301\APU1 TBH. None ATM.

FWIW, one thing I like about the PC-Engines devices is that they DO run on removable media. It's easy enough to swap cards to try different FW, though the case is a pain.

So...

I've had some time to play around with the Roqos RC10 I got on eBay.

It came with a 8GB mSATA SSD, two wifi cards - AR9287 and QCA9880,
and a 2GB DDR3 1333 SO-DIMM (upgradable).
CPU's a quad core Atom E3845, NICs are two Intel 211s.

It's fanless, power supply's 12V/2A.

There's an additional SATA connector, but it required a 2 pin to SATA power
cable, which I don't have, and there's really no spot inside the case for the
actual drive, just like in the PC Engines boxes.

Comes with an USB3 port, and a HDMI port - you could probably run Kodi in fHD
on this thing, if you'd like.

A Linux dist is preinstalled, and requires activation, I only made a dump
of the whole SSD, and installed OpenWRT, didn't look into the stock OS.

The wifi appears to be working in Openwrt, installed the modules, and
was setup one N and one AC network, tried to connect to them, and surf,
but didn't do any further testing.

At $60 I'd say it's a pretty competent device.

there some photos in the links at https://wikidevi.wi-cat.ru/Roqos_Core_RC10

3 Likes

A nice router, and a good price. Some clarifications below:

From Intel specs, it should support up to 8GB RAM.

One of these two is connected to a BCM53125 switch and provides 4 "LAN" ports. I assume there is no way to configure this switch to do VLANs so the 4 "LAN" ports can't be split.
This may or may not be a deal breaker for some people, but at least it's not an absolute garbage design like some Banana-pi "router" boards where both WAN and LAN ports come from the same "dumb" switch that must be configured by the OS (unlike most embedded routers where even if all ports come from the same switch the uboot bootloader will initialize the switch with the ports separated)

I still have an Alix board and mine could route around 60-70Mbit (which isn't that bad for a device that is limited to 100Mbit by its eth interfaces). It also has a mini-pci atheros wifi card with 3 antenna connectors that can do wifi n at EITHER 2.4ghz OR 5Ghz, and it works fine (can't comment on range since my house is tiny).
Never tried VPN but I wouldn't expect miracles, the CPU is literally 20 years old and was never particularly powerful to begin with.

Mine is "mothballed" in a ready-to-use state to be used as an emergency router in case my proxmox cluster blows up (my main router is a VM now).

It's 100% perfectly fine if your ISP doesn't give you that much bandwith, Luci web interface lags a lot though.

But it's a really low-end device (even midrange routers can route faster and have more CPU/RAM resources) so imho it makes sense only if you can get it for below 20 $/euro, or even for free.

Not sure if by "removable media" you mean USB too, but they can boot from USB drives as well (usb 2.0 is best for compatibility with bootloader, even if ports are 3.0.). If you are always tinkering with it, it's much more convenient.

don't really have swap anything, you can easily install several version of OpenWRT (or any other router / firewall OS) on the same card, just need to update the grub menu to match what's on the card..

TBH, feeling quite dumb right now. In all the years I had it I used the CF card and never thought about USB.

Mine is also ready to go, but on old FW

Not within my skill set. I was not looking to multi-boot. More to keep a known good config running and then be able to tinker for a bit with a new version before going to "production"

You might recall original ALIX case required you remove the board entirely from the case to swap the CF card. Thankfully when they went to the APU with its thermal seal to the case bottom, they'd redesigned the case so you could get the flash card out by merely removing the case top.

I did toy with the idea of cutting a slot in the front of the case with a dremel tool and attaching a tab of duct tape to the CF card so it could be removed and inserted with the case closed.

It's no rocket science...

1 Like