X86 Device Requirements and Recommendations

Hi all,

I am trying to find a replacement for my aging Archer C7, now that I have gigabit. It looks like my best options are, from the pinned recommendations thread, to either try using a Raspi4, or using an x86 mini PC.

While I have a Pi I might be able to experiment with, I'd prefer to try going down the x86 path, since then I can use official builds, and can also run other x86 based software on the device.

My question was, are there any specific recommendations for x86 devices that can handle gigabit throughput with OpenWRT?

I saw the pinned thread referenced the ZOTAC ZBOX Edge CI341. I was also wondering about using a PCEngines APU2 (since I know people in the forum have talked about them before), or a Seeed ODYSSEY.

Since there are so many mini-pc vendors out there, are there any minimum requirements I should be looking for in a mini-pc, like a minimum CPU passmark score, to determine if it can handle my target speeds?

Thank you for any help.

Hi, I bought the product below. I preferred the Celeron 3865u processor. The device works perfectly, its power consumption is low. Average temperature is in the range of 35-40 degrees. AES support is available. It has an automatic turn-on feature when the power fails. If you are curious about anything, you can ask.

I reviewed the product on the link, photos are available. It is in Turkish.

1 Like

Etothepii, What's your budget?

I bought the cheapie end X86 from Aliexpress: https://youtu.be/muJsw51SmRo

Running Snort (IDS/IPS), banIP, Adblock, Samba, DNSCrypt, and luci-app-sqm. Runs really well, very low temps and low power consumption. You can set the jumper for auto turn on when a blackout occurs.

These look good too, a bit on the high end though (a bit more pricey):

https://www.qotom.net/

Again what is your budget?

1 Like

I was hoping to target around $200, but I'm flexible (if there's something that a $400-500 device gives me that people think is important, I'd be willing to hear a case for it). But I already have a Raspberry Pi running PiHole and DNSCrypt, and another device serving as a NAS, so the router would be pretty much just for routing/DHCP/firewall/VLANs/charts and not much else.

I could potentially move Wireguard termination from a Raspi to the router itself, and maybe move PiHole, but to me those are nice-to-haves rather than hard requirements - the Raspi that provides Wireguard termination and PiHole is sitting in my basement and I'm happy to just leave it there since it looks like it is meeting my needs.

I've never run intrusion detection software - just had fail2ban on my SSH systems (I'd actually be kind of curious why people would want that for home setups - what's the primary use case there?)

Anyway, since I was envisioning something pretty simple, that's why I was asking about the PCEngines APU2s, or a Mini PC like the ZOTAC. If those devices can handle 1Gbps routing from the WAN (including PPPoE overhead), and I can still have a basic firewall and get bandwidth stats, I suspect I'd likely be happy, and I think those are around $200 once you account for memory/drive/enclosure/etc, so that was where I was starting.

(though, again, if people think I'm missing out on something critical, I'd be curious to hear, I'm migrating from an Archer C7 so right now my setup is pretty basic).

But since there are so many mini-itx manufacturers (and so many embedded CPU skus), I was looking for a set of baselines for gigabit throughput (as well as any others, like if running an IDS requires I add an additional 500 MHz to the CPU clock to maintain gigabit, that would be really useful).

APU2 sounds like it might be a good fit for you [edit: maybe not, see slh below]. The Zotacs are also good performers, only Realtek nics on the one hand, but on the other they support dual channel memory. Read the reviews of the one you pick carefully; some models had quality control problems.

If it's room to grow you want, an interesting option is a used HP T730, an SFF with a PCIe slot. These are popular with pfsense and OPNsense users. The RX-427BB CPU compares favorably with the Celerons used in the base Zotacs and Qotom/Protectli boxes, check around on the geekbench browser for some comparison numbers. Sometimes you can find them at a good price from a liquidator, like this one for $100+shipping (warning to future readers, note the date of this comment, link likely stale by now): https://www.ebay.com/itm/HP-t730-Thin-Client-4GB-RAM-AMD-RX-427BB-APU-NO-HD/154350987934

Give yourself room to grow with a quad-port NIC (if going Intel on this, buy used from a reputable puller, these are heavily counterfeited and a "new" T4-i340 or better for less than $100 is guaranteed fake).

Since OpenWRT by design is absurdly easy on disk activity, any cheap old SSD will do you just fine, so we're talking maybe $150 all in.

1 Like

The APU2 is rather dated by now, while it can achieve routing speeds of 1 GBit/s line speed, it only manages that barely (on linux, e.g. not on xBSD) without much (any) headroom (it won't be able to cope with that using sqm or VPN uses). If there is a 1 GBit/s line available, this shouldn't be a consideration - yes, the form-factor and I/O features are hard to find elsewhere, but the AMD Jaguar generation simply isn't fast enough.

1 Like

etothepii this:

Get something that has balls, also future proof it a bit if you can

OK - so no APU2 then. Thank you - this is incredibly helpful!

Thank you - I'll start looking at the T730 (and finding a PCI-E card). It seems like that's just what I'm looking for. I don't think I need to get a NIC with multiple ports - the output is going straight into a switch in the basement (unless there's some hazard of using the in-built NIC for inbound/WAN and the PCI-E one for LAN?)

To check, the Zotac with two NICs uses an Intel N4100, which has a passmark score of 2452, and the HP T730's RX-427BB has a passmark of 2584. Would you say that, as long as whatever I chose has a CPU passmark around there or better, I should be alright for gigabit (and potentially room to grow)? Or are there other things besides specs I should also be aware of in this space?

I'd expect either of them to handle a gigabit very comfortably with room to spare. There's always some fine-tuning involved in your particular situation so I can't promise that one is faster than the other. (One thing that tends to pay off as you approach your bandwidth ceiling is moving the CPU affinity of the NICs' interrupts to different cores; otherwise you can get CPU bound even when you should have plenty of processing power remaining. At least get one of them off of core 0 where they all seem to stick by default.)

I can't personally promise anything but the HP seems more reputable than the Zotac, and the PCI slot gives you futureproofing and a choice of NIC. (Also maybe don't limit yourself, a dual port NIC card will let you do useful things like control the routing between internal subnets with different trust levels. A DMZ, an IoT network for untrusted smart devices, and so on.)

Edit: oh yeah, read lots of forums before buying, not just this one. The T730 is discussed on the pfSense forums, on reddit, on a very good site called servethehome.com, probably others. Also, contact the dealer and verify he's including the OEM power supply with the right wattage: some people have gotten substitutes and these things apparently don't run with anything less.

1 Like
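The interrupt-affinity tip in the post above, as an added example that is not part of the original thread: it reads `/proc/interrupts`-format text and prints the writes to `/proc/irq/<n>/smp_affinity` (a hex CPU bitmask) that would spread NIC interrupts over the cores other than core 0. The sample table, its IRQ numbers and the `eth*` interface names are constructed for illustration.

```sh
#!/bin/sh
# Added example: plan IRQ affinity for NIC interrupts from /proc/interrupts text.
# It only prints the commands; nothing is written to /proc.

# Constructed sample in /proc/interrupts layout (4 cores, everything on CPU0).
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  24:    9182734          0          0          0   PCI-MSI 524288-edge      eth0
  25:    7712009          0          0          0   PCI-MSI 1048576-edge      eth1
  26:       1203          0          0          0   PCI-MSI 327680-edge      xhci_hcd
EOF
}

# plan_irq_affinity PATTERN: reads /proc/interrupts text on stdin and prints
# one smp_affinity write per IRQ whose device name matches PATTERN.
plan_irq_affinity() {
    awk -v pat="$1" '
    NR == 1 { ncpu = NF; next }            # header row: one column per core
    $1 ~ /^[0-9]+:$/ && $NF ~ pat {        # numbered IRQ rows only (skips NMI:, ERR:, ...)
        irq = $1; sub(/:/, "", irq)
        busiest = 0; max = -1
        for (c = 0; c < ncpu; c++)         # per-core counts are fields 2..ncpu+1
            if ($(c + 2) + 0 > max) { max = $(c + 2) + 0; busiest = c }
        # Round-robin over cores 1..ncpu-1; a single-core box has nowhere to move to.
        target = (ncpu > 1) ? (n++ % (ncpu - 1)) + 1 : 0
        printf "echo %x > /proc/irq/%s/smp_affinity  # %s: CPU%d -> CPU%d\n", 2 ^ target, irq, $NF, busiest, target
    }'
}

# Show the plan for the constructed sample.
sample_interrupts | plan_irq_affinity '^eth'
```

On a live router the same function can be fed `cat /proc/interrupts`; a write that the kernel rejects for a given IRQ means that interrupt cannot be moved.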

Thanks! I went ahead and ordered the T730. The comments about it on Serve The Home and elsewhere seemed solid (and were incredibly useful in figuring out the SSD form factor). And I managed to find a used intel i340-T4 NIC.

Also thank you for the advice on tuning the interrupts.

The passmark question was less about HP vs Zotac and more for future people coming into the thread - for example, I could have ruled out the APU series earlier if there was some base "here's the recommended specs for handling gigabit, don't get a processor below this point."

Regardless - thank you again - definitely looking forward to trying out the T730 (and the extra room means I might be able to consolidate PiHole and Wireguard on it as well)

Agree that'd be useful, though of course there are variables. It's surprising what can and can't route a gigabit full duplex. Right now I'm running an RPi 4 with a dual USB NIC and it does it easily; again, after moving the built-in eth0 interrupt off of core 0. (Unfortunately the interrupt for the USB bus won't budge so the other two NICs are stuck on core 0, but this does the job.) Anyway, what you've got is considerably beefier.

Speaking of interrupts, it'll be interesting to see what happens with the i340 -- its driver has much more sophisticated built-in behavior there, and I'm not sure what you'll need to do, if anything. I used that same T4-i340 card on my default router for some time, but was running OpenWRT as an LXC container under Ubuntu, so OpenWRT had no control over the interrupts. I did it this way because the machine was so overpowered that I could use it for a lot of networking purposes, yes, including VPN host and client, while delegating routing to a container. It never broke a sweat.

Huh - now that's interesting. My Pi currently runs as my docker host since I'm not running anything strenuous, but, once I have the T730, having OpenWRT in a container could make it easier for me to do several things with the box. Did you notice any issues with throughput?

None at all. Unlike virtualization, LXC introduces essentially no overhead; you're still running on bare metal, just ring-fenced. Managed with lxd, the NICs usually configured as macvlan, which has a lot of advantages, such as if you want to make the distinction between other guests and external hosts invisible to the router: as far as it's concerned everything it can see is just another machine.

The downside of doing essential routing in one corner of a very-capable machine is that you end up doing lots of other important things on it, and then your router is subject to the downtime and maintenance needs of all those other services. After a couple of years I decided that a router belongs on dedicated hardware, untouched by other considerations so it just stays up, ignored because it just works. Which is why the Pi 4 is currently the right balance for me.

I do still run OpenWRT containers for other purposes on that former box, as it's an ideal lightweight linux platform with a web management interface for running various services. (If I need something less "embedded" and more "rolling-release" or running arbitrary sw I generally use Alpine.)

2 Likes

For $250 / €200 you might be able to build a super cheap headless amd/am4 zen setup (e.g. using a 3000G or an r3 3100) - if you don't mind the physical space / size

Unmarked solution just so other people can continue to add their own recommendations without the thread auto-locking (though I think it's solved for me - thank you again everyone for the information!)

Also, small question for the Qotom and Protectli users, what models are you using? Some of the processors seemed pretty anemic from benchmarks, and it seemed like you'd need to go to their $400+ tier to get a CPU that's equivalent to the Zotac with the Intel N4100 in the pinned thread (which is about $150 without SSD).

I wouldn't underestimate the power of the Qotom or Protectli, a proper CPU vs a Celeron.

Going by my cheapie XCY Mini PC I know it doesn't even come close to the high end Qotom or Protectli, but it's good enough for what I use it for. Barely breaking a sweat.

Unfortunately other family members use the internet here as well hence the drop in speed.

HFC 1000/50

I'm saving up for a very high end Qotom. I would love to get a Qotom soon

Does the T730 have AES-NI support? The Celeron does. That's a ton of CPU power, for handling a Gb link and more, but if VPN or other crypto use is in the mix, it might make a lot of difference.

I happen to use a Zotac CI327 the past couple of years, it has a celeron a bit earlier than the 4100.

+1 for this as a wisdom grown from practice.

I'm keeping an OpenWrt x86 VM router as a cold backup for occasions when the dedicated HW router needs to be taken down. Those moments are rare, but still, it does not require much as I try my best to keep the procedure stable. I only have to remember to keep both up to date, not just the active one.

And when on the start line for update/upgrade first the passive VM. After 1st stage set HW router passive and get VM active. After 2nd stage the opposite. Not highly automated just that the procedure flows well through, possible mistakes and problems get detected more pre- than post- and I always have a fast, easy and tested to work backup router to activate.

While using stable releases I can't remember any case for going back. All the cases are ones where my configuration management, a sort of, and activate-deactivate procedures have had failures.