Any recommendation on hw for running pfsense as a home router? Hard mode: without the Intel backdoor

What kind of throughput do you want, and what packages do you want enabled?

100 Mbps wan, gigabit LAN.
Basic stuff and maybe vpn.

>without the Intel backdoor.
heh
heh
heh

Well the SG-1000 sold by pfsense can do 200mbps+ WAN.

Super low power draw, ARM based.

Then use whatever gigabit switch you want for your LAN.

just buy an edgerouter lite, you idiot.
pfsense has horrible qos, not especially designed for security, will require hardware accelerated cryptography instructions within 2 years, and at a minimum you're spending about twice as much as an ERL.

Help me stop the pfsense meme, guys. Please shill for ubiquiti edgerouters on Sup Forums.

(At the very least, if you're going to roll your own router, do it with a secure linux distribution like centos/fedora/alpine, or with openbsd, or with straight freebsd. Avoid distributions targeting routers like pfsense/opnsense/ipfire/etc.)

Have some pfsense, edgelord.

I bought this

aliexpress.com/item/Dual-Core-Mini-PC-Barebone-4-Ethernet-Lan-Nano-Itx-Core-i5-5250U-Pfsense-Firewall-Mini/32800603727.html

>Ubiquiti
>Not using Mikrotik for routing and switching
Ubiquiti is great for wireless APs though.

RouterOS would be dank if they had hardware offload for the NAT and a wifi chip from this decade. SwitchOS is pretty shitty; you can use any office-garbage tier HPE switch if you really want LACP and RADIUS auth.

Routers and wireless APs should be separate anyway.

Jesus, and I thought this one seemed like overkill for a router..
amazon.com/dp/B00XOKJS10/_encoding=UTF8?coliid=I4BOIYVXCZ93T&colid=3MR24H35ZMFSC

>celeron 3215U
No AES instruction set, so future pfsense builds won't work
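Whether a given box has AES-NI can be read straight off the kernel's CPU feature report, so you can check a candidate board before buying into the pfSense AES-NI requirement discussed above. The script below is an added example, not code from the thread or from the pfSense project: it parses either a FreeBSD `dmesg` `Features2=<...>` line (where the token is `AESNI`) or a Linux `/proc/cpuinfo` `flags:` line (where the token is `aes`). The two sample outputs are constructed and abbreviated to the tokens that matter; the hex feature masks are not real values.

```python
"""Check a kernel CPU feature dump for the AES-NI instruction set.

Handles two formats:
  * FreeBSD/pfSense dmesg:   Features2=0x...<SSE3,...,AESNI,...>
  * Linux /proc/cpuinfo:     flags : fpu vme ... aes ...
"""
import re
import sys

# Constructed sample in FreeBSD dmesg style for a Celeron 3215U-class CPU
# (no AESNI token). Feature masks are placeholders, not real values.
FREEBSD_NO_AESNI = """\
CPU: Intel(R) Celeron(R) 3215U @ 1.70GHz (1696.15-MHz K8-class CPU)
  Features=0x0<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x0<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
"""

# Constructed sample in Linux /proc/cpuinfo style for an i5-5250U-class CPU
# (has the "aes" flag).
LINUX_AESNI = """\
model name\t: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand
"""

FREEBSD_FEATURES = re.compile(r'Features2?=[^<]*<([^>]*)>')
LINUX_FLAGS = re.compile(r'^flags\s*:\s*(.*)$', re.MULTILINE)


def cpu_features(text):
    """Return the set of upper-cased feature tokens found in either format."""
    feats = set()
    for m in FREEBSD_FEATURES.finditer(text):
        feats.update(t.strip().upper() for t in m.group(1).split(','))
    for m in LINUX_FLAGS.finditer(text):
        feats.update(t.strip().upper() for t in m.group(1).split())
    return feats


def has_aesni(text):
    """True if the dump advertises AES-NI (FreeBSD 'AESNI' or Linux 'aes')."""
    feats = cpu_features(text)
    return 'AESNI' in feats or 'AES' in feats


if __name__ == '__main__':
    # Usage: dmesg | python3 aesni_check.py   or   python3 aesni_check.py < /proc/cpuinfo
    data = sys.stdin.read() if not sys.stdin.isatty() else FREEBSD_NO_AESNI
    print('AES-NI present' if has_aesni(data) else 'AES-NI absent')
```

On a live pfSense box the same information is in `dmesg | grep Features2`; the script only avoids eyeballing a long token list.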

and I bought it to learn pfsense and play with lots of stuff, then I might just get some ARM cheap shit build and re-use the i5 mini pc to something else...

>not especially designed for security
Examples?
>will require hardware accelerated cryptography instructions
Why should anyone care?
>and at a minimum you're spending about twice as much as an ERL.
A 4 core with 4gb RAM costs like $100, and you get x86 quality hardware with that.

What sort of WAN throughput do you get?
I'm interested in pfsense, but i've got 1gbps WAN and would like to take advantage of that.

I have 15 Mbit internet connection ;)

I got it to play with pfsense for real instead of on virtual machines...
to give it real traffic
I played with it when it came but was kinda disillusioned by it.

I expected some serious easy to digest data about sites visited by users.
but shit gets rather complicated with https and man in the middle
but it's not even that, I would push out certificates, it's not that big of an issue to not use transparent proxy, but fucking data presented in lightsquid are just a bullshit table about number of visits.

I needed something more, something to show boss, time graph of the day and at what times for how long facebook is visited...
not that.. that feels bad

after that I kinda picked on other stuff to do and did not play much with my pfsense box

>100 Mbps wan
Are you a retard?


Anyway, get a high clocked Xeon, 8GB of memory, 3 gigabit NICs (you may want to use a DMZ at some point later in time) and an SSD.

That's really all you need for pfsense.

I've set up pfsense for my company (~40 employees). We have 1gbit/s up and down, pfsense runs IKEv2/ipsec, has a DMZ and acts as a DHCP server for around 150 devices.

It runs a Xeon E3-1290, 16GB of DDR3 memory, a SanDisk 64GB SSD. The mainboard has two ethernet ports and two quad port ethernet cards, one for DMZ, one for LAN. Both quad port ethernet cards are bonded for redundancy and throughput.

Handles 40+ users with heavy traffic on LAN and VPN just fine.

>acts as a DHCP server for around 150 devices
nooby sysadmin junior
huh, you don't run windows server there?
domain controller is typically in charge of DNS and DHCP, always read it as a major recommendation to go that way

>pfsense
enjoy no support

>ubiquiti

I want the hipster to go.

Jesus Christ, talk about waste of hardware.

Can't you just get a basic ITX SoC Atom board and 1 or 2 used Intel LAN cards? The prebuilt stuff seems rather expensive in comparison.

Serious question. Obviously didn't look into it much.

>Sup Forums hates pfsense now

What the fuck happened?

>without the Intel backdoor
don't use the onboard NIC, or toss the AMT shit in a bit bucket VLAN

e.g. something like gigabyte.com/Motherboard/GA-N3160TN-rev-10#ov

>realtek LAN

>pfsense
Install Untangle on a Vault Protectli box. Leave that vulnerable freeware shit in the trash where it belongs.

>hurriyet

The ones with 2x Intel are fuck expensive though. Guess it's cheaper to hunt for Intel cards on ebay and buy a board with 2 PCI slots?

It's not if you're pushing a decent amount of data through the pipe and shaping the traffic. Keep in mind you'll find yourself in a RAM crunch if you want to do any kind of verbose logging.

no more love for FreeBSD, it's all over

That "girl" must have something to do with it.

Enjoy your remote memory dumps from the Intel ME.

Router question, this seems to be the correct thread.
I got a wndr3400 v2, trying to use openwrt, they say it's supported but no download link?
wiki.openwrt.org/toh/netgear/wndr3400

>Intel ME
null route the fucking traffic, it's not airgapped with a goddamned carrier pigeon, the fud is ridiculous

>No intel pls
>"Anyway, get a high clocked Xeon"
>A Xeon at that
Can you read nigger

fact is you cannot know what traffic triggers ME will respond to. Nobody outside of Intel and major governments knows.

>calls people nooby junior
>uses windows

It uses the onboard NIC and default VLAN. If you're paranoid, don't use either of those things and you'll be fine.

When you use something like this there is no option not to use the onboard NIC. IME hardware will always see your traffic before the routing/network stack/firewall software in your OS. So there is no option to null route questionable traffic, even if you fully knew what to block, which you can't.

>you don't run windows server there?

Opinion trashed.

>So there is no option to null route questionable traffic, even if you fully knew what to block, which you cant.
Set up a managed switch w/ untagged port(s) for your ISP(s) modem/ONT/whatever, tagged port(s) for your router, and tag the WAN traffic in your firewall config, leaving the untagged traffic with nowhere to go.
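The layout described in that post (modem on an untagged switch port, router on a tagged port, WAN terminated only on a VLAN child interface) can be expressed in FreeBSD's `rc.conf`, and the property it relies on is that the physical parent interface carries no IP configuration at all, so untagged frames have no L3 endpoint. The linter below is an added example, not code from the thread or from pfSense: it parses `rc.conf`-style assignments and reports when the parent has DHCP or an `inet` address, when no `vlans_<parent>` entry exists, or when the VLAN child lacks L3 config. The two sample configs are constructed, and the interface names and VLAN id are assumptions. Note that it only checks the OS-side configuration; whether this helps against the ME at all is exactly what the following posts dispute.

```python
"""Lint a FreeBSD/pfSense-style rc.conf for the "tagged WAN" layout.

Pattern being checked (FreeBSD 11+ naming, igb0.100 becomes ifconfig_igb0_100):
    ifconfig_igb0="up"          # parent: link up, no IP config
    vlans_igb0="100"            # VLAN 100 child on the parent
    ifconfig_igb0_100="DHCP"    # only the tagged child terminates IP
"""
import re

# Constructed sample: WAN terminated only on VLAN 100, parent carries no IP.
GOOD_RC_CONF = """\
# assumed interface names
ifconfig_igb0="up"
vlans_igb0="100"
ifconfig_igb0_100="DHCP"
ifconfig_igb1="inet 192.168.1.1 netmask 255.255.255.0"
"""

# Constructed sample: parent interface itself takes a DHCP lease, so any
# untagged frame arriving from the modem side is accepted by the host stack.
BAD_RC_CONF = """\
ifconfig_igb0="DHCP"
ifconfig_igb1="inet 192.168.1.1 netmask 255.255.255.0"
"""

ASSIGN = re.compile(r'^(\w+)="([^"]*)"\s*$')


def parse_rc_conf(text):
    """Return {variable: value} for simple double-quoted rc.conf assignments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def has_l3_config(value):
    """DHCP or an inet/inet6 address means the interface terminates IP traffic."""
    v = value.upper()
    return 'DHCP' in v or 'INET' in v


def check_tagged_wan(text, parent):
    """Return a list of findings; an empty list means the layout matches."""
    conf = parse_rc_conf(text)
    findings = []
    if has_l3_config(conf.get(f'ifconfig_{parent}', '')):
        findings.append(f'{parent} has L3 config itself: untagged frames are accepted')
    vlan_ids = conf.get(f'vlans_{parent}', '').split()
    if not vlan_ids:
        findings.append(f'no vlans_{parent} entry: WAN is not tagged')
    for vid in vlan_ids:
        child = f'ifconfig_{parent}_{vid}'
        if not has_l3_config(conf.get(child, '')):
            findings.append(f'{child} missing or has no L3 config')
    return findings


if __name__ == '__main__':
    for name, text in (('good', GOOD_RC_CONF), ('bad', BAD_RC_CONF)):
        print(name, check_tagged_wan(text, 'igb0') or 'OK')
```

The switch side (untagged port towards the modem, tagged port towards the router, same VLAN id) has to match, which this script cannot see; it only catches the common mistake of leaving the parent interface configured as the WAN.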

Who is the new king? Am I supposed to throw my pfsense router away now?

Wat? How would that help? As far as we know it runs on the processor itself so it can respond to payloads embedded in absolutely anything that eventually gets loaded into RAM, even if encrypted.
Likewise it can silently modify anything it wants in order to get data out.
What you suggest would only protect against an old fashioned malicious BMC (which are not used anymore by anyone), even newer BMCs such as Aspeed have direct memory access and are not affected by that kind of protection.

Even if you don't use the onboard NIC ME is still active, it runs on the processor and not on the NIC.
Your only chance is ARM based, very old x86 platforms or something expensive like OpenPOWER.
Even with ARM you have to take care with trustzone. Raspberry line for example is not secure.

If you can handle the incompatibility and low performance go ARM, if not go intel with me_cleaner and hope for the best.
I'd say try your luck with cheap

>it runs on the processor itself
No it doesn't, the ME is a separate processor.

It is a separate processor that runs on a higher privilege level, has full memory and DMA access, can control every aspect of the processor, is bundled on the same die and won't allow the processor to run unless itself is up and running.
Fair enough, it does not run on the same processor, it is even worse than that.

I use an old dell Core Duo.

For 99% of paranoia cases, if you set up pfSense/whatever-firewall to VLAN tag your WAN traffic, you'll be fine. Is it possible to backdoor this? Of course, anything is possible. Is it likely to be done willy-nilly to automatically detect every single firewall's specific environment, version and user config and backdoor them accordingly from the ME, modifying processor state and memory contents without crashing the running firewall? Highly fucking unlikely.

uh, my home cable modem/wifi ap/gb switch device & windows firewall enabled on server + client pc's is all I need.

Any user know a low power draw hardware capable of pushing gig traffic over wan via suricata? I want inline IPS mainly.

The kind of attack you are trying to protect yourself from is just not going to happen.
ME was clearly designed from the ground up to be much more sophisticated than that. You are not going to find a suspect, encrypted packet that contains the payload to activate ME just like that. The payload is going to be embedded in something else.
Do you really think they would have had the trouble to inject a second processor in the same die, give it a higher privilege level, load it up with every security measure known to man and make it easily deflatable by a simple, obvious and standard firewall rule?

And, unlike what you said, they don't need nearly as much detail about your device as you seem to think. Simply knowing which kernel family you are running, which server software and protocol where to hide data in would be more than enough to compromise just about any extremely well secured devices in a large scale.

>make it easily deflatable by a simple, obvious and standard firewall rule?
Yes, because it's not nearly as sophisticated as you presume it to be.

Ubiquiti APs are mediocre as shit. Everyone sucks their dick for whatever reason I assume just because they're cheap.
The throughput is sub par. Their management controller requires java and is all around trash. No serial configuration. No band steering. No management VLAN or VLAN tagging. And on top of that their support is crap and their forums are full of literal third world shitters.

Aruba blows Ubiquiti out of the water all day every day.

my ap-ac has management and tagging, but it definitely isn't anything special

just buy an hp t5740, expansion slot, and dual port nic for

meh, I use an AP AC Lite in my upstairs to add some extra coverage to my network, in the same room I get 350-400mbps, from 2 rooms away it's still 250mbps+.

Not that bad for under $80.

>windows server

>without the Intel backdoor.
PcEngines APUs

They're pretty good and have AMD CPUs. A lot of people use them specifically for pfsense and so there's perfect hardware support.

pcengines.ch/apu2.htm

And it has AES-NI too.

Too bad it maxes out around 550-600mbps WAN throughput with just routing and NAT.

Go check out mini-box dot komm They might have what you are looking for.

I want the APU.2c4 with an updated Great Horned Owl APU since the jaguar APU it currently uses is from ~2013/14.

Great horned owl seems like the perfect embedded APU platform for gigabit WAN performance.

pic related

>VP9 Decode
Fucking AMD, I knew it, not capable of having a proper hw VP9 decode on your GPU but you implement it on a fucking APU first? Fuck you.

AMD had vp9 hw decode since polaris, only up to 1080p. On vega it seems like they are going the hybrid approach with gpgpu to achieve 4k decoding. Sadly all the reviews focused solely on game fps benches and no one looked into the improvements on VCE 4.0 and UVD 7.0

>AMD had vp9 hw decode since polaris, only up to 1080p. On vega it seems like they are going the hybrid approach with gpgpu to achieve 4k decoding.
Exactly why I'm mad at them.
I'm sure the APU will decode VP9 at 4K@60fps, meanwhile we get hybrid garbage since Polaris

VyOS is the objectively superior free opensource router OS.