Gentoo Forums

Raspberry Pi as HW-Firewall?
Waterdevil
Apprentice

Joined: 15 Aug 2017
Posts: 172
Location: LaniakeaHypercluster VirgoSupercluster MilkomedaGroup OrionArm Sector001 GouldBelt SolSystem Austria

PostPosted: Mon Dec 11, 2017 12:27 pm    Post subject: Raspberry Pi as HW-Firewall?

Hello World,

What would you suggest for the purpose of a firewall and proxy?

I've found the "Banana Pi BPI-R1 Open-source smart router".

I think it should:
  1. be cheap
  2. have wired 1x1GB input and 1x1GB output
  3. nice to have: WLAN

Would a Banana Pi with Gentoo be a good thing?
How much memory should it have?

Or what is your suggestion?

Many thanks.
_________________
_____________________
Aut semper aut numquam

Main-Sys: LianLi modded Big Cube 8000,X11DPG-QT,MEM:64G,LSI 9305,HDD:102TB(16x3T,8x6T,4x1T,1x0,5Tm.2,4x0,5TSSD),nVidia GTX1060,NIC:2x10GbSFP+,Fans:20,PSU:1200W+500W,UPS:APC1500VA,FibreChannel,Tandberg LTO-6
lwlvl
n00b

Joined: 12 Dec 2017
Posts: 7
Location: Hamburg (Germany)

PostPosted: Tue Dec 12, 2017 7:28 pm

Hello Waterdevil,
Having some kind of Pi as a network firewall may be okay, but two things I experienced with it:
1. Having only one network interface can lead clients in the LAN to "override" their network config and bypass the firewall.
2. On heavy load the Pi sometimes slows down the connection.

A solution to problem 1 can be a USB NIC plugged into the Pi -> issue solved.
If you want to have WLAN, my question is: do you want to host a Wifi or simply connect to one?
I don't really know how compatible the driver for, let's say, a Rasp Pi 3 is in setting up a Wifi.

Cheers,
Jan
lwlvl
n00b

Joined: 12 Dec 2017
Posts: 7
Location: Hamburg (Germany)

PostPosted: Tue Dec 12, 2017 7:31 pm

lwlvl wrote:
Hello Waterdevil,
Having some kind of Pi as a network firewall may be okay, but two things I experienced with it:
1. Having only one network interface can lead clients in the LAN to "override" their network config and bypass the firewall.
2. On heavy load the Pi sometimes slows down the connection.

A solution to problem 1 can be a USB NIC plugged into the Pi -> issue solved.
If you want to have WLAN, my question is: do you want to host a Wifi or simply connect to one?
I don't really know how compatible the driver for, let's say, a Rasp Pi 3 is in setting up a Wifi.

Cheers,
Jan


Oh... one last thing: On a device with flash memory as the root filesystem (where logging normally occurs (/var)) I would prevent the system from logging excessively. The reason is that excessive logging will ruin your flash-mem.
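lwlvl's warning that logging wears out flash is easy to quantify before changing any configuration. The following shell script is an added example, not code from lwlvl or from the thread: it diffs the "sectors written" column of two /proc/diskstats snapshots and reports the average write rate to the SD card. The snapshot contents below are constructed for the example, not captured from a real Pi; on a real system call write_rate_live with the device name and a sample period in seconds.

```shell
#!/bin/sh
# Estimate how hard the root flash device is being written, by diffing two
# /proc/diskstats snapshots. Field 3 is the device name and field 10 the
# cumulative "sectors written"; /proc/diskstats always counts 512-byte
# sectors there, whatever the device's real sector size.

# write_bytes DEV SNAPSHOT -> cumulative bytes written to DEV (fails if absent)
write_bytes() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $3 == d { printf "%d\n", $10 * 512; found = 1 }
        END { if (!found) exit 1 }'
}

# write_rate DEV SECONDS BEFORE AFTER -> average bytes/second between snapshots
write_rate() {
    b=$(write_bytes "$1" "$3") || return 1
    a=$(write_bytes "$1" "$4") || return 1
    echo $(( (a - b) / $2 ))
}

# Constructed snapshots 10 s apart (made up for this example, not taken from
# real hardware). mmcblk0 is the whole SD card, mmcblk0p1 its first partition.
DISK_BEFORE='179 0 mmcblk0 1000 20 80000 3000 500 10 4000 9000 0 5000 12000
179 1 mmcblk0p1 990 20 79000 2900 500 10 4000 9000 0 4900 11900'
DISK_AFTER='179 0 mmcblk0 1010 20 80800 3050 620 12 6048 9600 0 5200 12700
179 1 mmcblk0p1 1000 20 79800 2950 620 12 6048 9600 0 5100 12600'

# Live use on a Pi: write_rate_live mmcblk0 60
write_rate_live() {
    before=$(cat /proc/diskstats); sleep "$2"; after=$(cat /proc/diskstats)
    write_rate "$1" "$2" "$before" "$after"
}

write_rate mmcblk0 10 "$DISK_BEFORE" "$DISK_AFTER"   # 104857 bytes/s (about 100 KiB/s)
```

If the measured rate is dominated by /var/log, the usual remedies are mounting /var/log on tmpfs (accepting that logs vanish on reboot), shipping logs to a remote syslog host, or lowering the log level of chatty services; on a router, logging from firewall rules can be a large contributor.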
joanandk
Apprentice

Joined: 12 Feb 2017
Posts: 169

PostPosted: Wed Dec 13, 2017 6:52 am    Post subject: Re: Raspberry Pi as HW-Firewall?

Waterdevil wrote:

what would you suggest for purpose of firewall and proxy?


If you only want to have firewall/proxy, then PCEngines would be a better choice https://www.pcengines.ch/.

I would use *Pi only for automation purposes where you need a lot of IOs and low computational power, thus low energy usage.

BR
Waterdevil
Apprentice

Joined: 15 Aug 2017
Posts: 172
Location: LaniakeaHypercluster VirgoSupercluster MilkomedaGroup OrionArm Sector001 GouldBelt SolSystem Austria

PostPosted: Thu Dec 14, 2017 12:10 am

Thank you for your suggestion.

I thought of a price of 70 Euro for the complete setup...
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Dec 14, 2017 1:43 am

I would avoid all Pi lookalikes. I went down your line of questioning a few years ago and learned a lot. What I went with is possibly out of your budget, but maybe you can look and find something that works for you.

I'm going to tell you what I think is wrong with the Pi, and then tell you why, and why I'm recommending what I recommend.

I think the Raspberry Pi is a great board for what it is, but what it is good for does not include routers, for a list of reasons. Some of those reasons include:

  1. The board can't give high throughput to any I/O device.
  2. USB and network and "disk" share the same chip with the same bandwidth limitations.
  3. The chip also relies heavily on the CPU for I/O performance, which means your firewall rules and NAT will compete with I/O.
  4. This is not "server grade" hardware, nor even "desktop grade" hardware. I have several, and while I do use some for actual work that earns me money, almost all of that has a backup device in case one fails.


I recommend:

  1. An Intel Atom or equivalent, or maybe an ARM A8 if your load is predicted to be small and you're not using Gentoo.
  2. 2x or more built-in Intel gigabit NICs.
  3. Independent controllers for USB, disk or any other devices supported.
  4. Expandable to 4 GB RAM.


The 8-core Atom I have took about 8 hours to do a @world rebuild with the new profiles. An ARM chip is going to be intolerable. Also, if you are using it as your router, your -j value needs to leave a couple of cores available for routing. I think the new Cxxx series Atoms are the minimum to run a practical Gentoo on unless you have a compile farm sitting somewhere. I'm an Intel bigot; I have no idea what the equivalent AMD chips would be.

Many off-brand NICs and other hardware (Realtek, etc.) don't implement all of the Ethernet protocols in hardware. They may be able to support the bandwidth, but if you watch the interrupt rate they demand a lot of CPU time from the main processor. That means the faster your network traffic, the less your CPU can handle routing and NAT and firewall rules. Or anything else. Intel NICs (for example anything using the 'igb' driver: i354, i210, i350) are a good implementation that does almost all the work on the network chipset, leaving the CPU to do other things. So up to 1 Gbps you want Intel, and I've heard that people going to 10 Gbps want Chelsio NICs.

There is a lot of router hardware out there and some of it is perfect for a home or small business network, and priced competitively.

https://store.netgate.com/ has some cheap options. Look at their pfSense hardware, not sure if you can still get it without the pfSense license. pfSense is a good firewall but since you're here I expect you want to do this in Linux.

https://mikrotik.com/products/group/ethernet-routers might be worth looking at, especially since you're in Europe (based on your Euros comment). I believe these systems can run Linux. At any rate they're supported hardware with licensed management software so they're probably not junk. I've never owned this brand but I have watched it.

I eventually got this: https://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm which turned out to be about USD $1100 all in, including an SSD and 16 GiB RAM and a 1U case. I love the IPMI interface SuperMicro has; this box never had a keyboard or monitor connected, but you can get a GUI screen in a remote-desktop sort of way, and you can power it up or down, set fan speed or whatever right from their IPMIView app. There are some issues with that one though: First, the Intel C2000 series Atom chips suffer from a hardware bug that, when the board is used heavily for years, can brick the device permanently. There is no fix. Second, it doesn't support VT-d to donate PCI devices to a VM. So right now it's a KVM/Docker device. Although it can, by my lab tests, compress and encrypt at almost 2 Gbps. That's a little iffy because I don't have adequate hardware to test that with it doing actual routing, and my internet connection is only 100 Mbps. I doubt I'll be getting a bricked device because my box rarely sees high CPU load except when I rebuild my @world.

My intent with that board was to make a virtualization host and put two router VMs on it, one Gentoo and the other pfSense, and donate a real NIC to each device with a bridge between. I never got the networking part right though, so it didn't do router duty very long because I wanted the kvm/docker server more.

If you want to go the SuperMicro route, then I'd recommend the C3000 series. It supports VT-d, it will undoubtedly not have that bug, and it supports PCIe 3. It has SATA 3, and some of them have M.2 PCIe interfaces. Some support 10 Gbps NICs right on the board. If I had to do it all over again I'd get a smaller version of the C3000 series for my firewall device and implement both Linux and pfSense. Two cores of this hardware are more than enough for even gigabit networking as long as you're not doing IDS/IPS work. 4 cores are probably enough if you want that, 8 for sure. Then get another one, maybe C395x-based, 16 cores/64 GB RAM, for KVM/Docker. Something with a lot of disk slots and good support for PCIe disks.
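The interrupt-rate check 1clue mentions can be made concrete. The following shell script is an added example, not code from the thread or from any poster: it sums the per-CPU columns of /proc/interrupts for every line belonging to a NIC (a multi-queue NIC owns one line per queue, such as eth0-rx-0 and eth0-tx-0) and diffs two snapshots to get interrupts per second. The snapshot text below is constructed for the example, not captured from real hardware; on a real box call irq_rate_live with the interface name and a sample period.

```shell
#!/bin/sh
# Interrupts per second attributed to a NIC, from two /proc/interrupts
# snapshots. Only the per-CPU count columns are summed; the header row
# tells us how many of those there are, so chip descriptions that happen
# to contain numbers (e.g. "524288-edge") are never counted.

# irq_count IFACE SNAPSHOT -> cumulative interrupt count for IFACE
irq_count() {
    printf '%s\n' "$2" | awk -v nic="$1" '
        NR == 1 { ncpu = NF; next }                 # header: one field per CPU
        $NF ~ ("^" nic "(-|$)") {                   # device column is IFACE or IFACE-<queue>
            for (i = 2; i <= ncpu + 1; i++) total += $i
        }
        END { printf "%d\n", total + 0 }'
}

# irq_rate IFACE SECONDS BEFORE AFTER -> interrupts per second
irq_rate() {
    b=$(irq_count "$1" "$3")
    a=$(irq_count "$1" "$4")
    echo $(( (a - b) / $2 ))
}

# Constructed snapshots 10 s apart (made up for this example): eth0 is busy
# on two queues, eth1 is nearly idle.
IRQ_BEFORE='           CPU0       CPU1
 24:      10000       5000   PCI-MSI 524288-edge      eth0-rx-0
 25:       8000       2000   PCI-MSI 524289-edge      eth0-tx-0
 26:       3000       3000   PCI-MSI 526336-edge      eth1
LOC:      90000      91000   Local timer interrupts'
IRQ_AFTER='           CPU0       CPU1
 24:      60000      25000   PCI-MSI 524288-edge      eth0-rx-0
 25:      38000      12000   PCI-MSI 524289-edge      eth0-tx-0
 26:       3100       3100   PCI-MSI 526336-edge      eth1
LOC:     100000     101000   Local timer interrupts'

# Live use: irq_rate_live eth0 10
irq_rate_live() {
    before=$(cat /proc/interrupts); sleep "$2"; after=$(cat /proc/interrupts)
    irq_rate "$1" "$2" "$before" "$after"
}

irq_rate eth0 10 "$IRQ_BEFORE" "$IRQ_AFTER"   # 11000
irq_rate eth1 10 "$IRQ_BEFORE" "$IRQ_AFTER"   # 20
```

Compare the rate with the throughput you are pushing at the time: the more interrupts a NIC raises per megabit moved, the more of the packet handling it is pushing onto the CPU, which is the contention with routing, NAT and firewall rules 1clue describes. `ethtool -c <iface>` shows whether the driver exposes interrupt coalescing settings that can reduce the rate.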
joanandk
Apprentice

Joined: 12 Feb 2017
Posts: 169

PostPosted: Thu Dec 14, 2017 6:26 am

@1clue: Well done! I have a similar opinion. My recommendation for you (1clue) would be using a newer (E5) Xeon if you want to do VMs, routing and other things.

BR
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54208
Location: 56N 3W

PostPosted: Thu Dec 14, 2017 11:20 am

Waterdevil,

You talk about a Raspberry Pi in your topic title and a Banana Pi BPI-R1 in your post.
The two are very different.

A Raspberry Pi does not offer 1G networking. All its USB ports and Ethernet are on a single USB 2 port. That's 440 Mbit/sec.
The wifi on a Pi 3 is on a separate SDIO port, but that's 200 Mbit/sec at best. It may only be 50 Mbit.
That does not allow for any overhead.

It's not a suitable device for a router.
I've not looked at the Banana Pi.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Thu Dec 14, 2017 2:34 pm

joanandk wrote:
@1clue: Well done! I have a similar opinion. My recommendation for you (1clue) would be using a newer (E5) Xeon if you want to do VMs, routing and other things.

BR


I had an opinion like that too, until boxes like this came out: https://antsle.com/product/antsle-one-pro/?key1&dynamic1&key2=dynamic2&key3=dynamic3

This is almost my exact hardware. It loses the encryption/compression functionality in favor of more SATA slots, which makes sense for that sort of box. The VMs I use usually don't do a lot of heavy lifting. It turns out most VMs tend to be low-traffic and smaller cores work just as well as bigger ones. For the VMs that perform slowly on this box I'll move them to another host.
fluffysheap
n00b

Joined: 10 Dec 2017
Posts: 9

PostPosted: Fri Dec 29, 2017 11:14 am

IMO the best option here by far is a router running OpenWRT or its successor, LEDE. Unlike the various Pis, these devices are actually designed for networking, and by using one of these purpose-built distributions you get a lot fewer problems. OK, it's not Gentoo, but at least it's real Linux. You could probably run Gentoo if you really want, but I don't know that you'd gain anything.

The Raspberry Pi, in particular, is a terrible choice for this sort of thing. It uses a USB 2 hub as a system bus, meaning that there is a theoretical max of 450 Mbit/sec total data throughput through the device, and of course, as with all such things, it is slower in practice. The built-in network port (100 Mbit only) is also attached to this single USB hub. (If you use a WiFi model, the WiFi, which is 2.4 GHz only, is attached to a UART, which is even slower! At least it's on a different bus.) And you need a separate USB-Ethernet adapter if you want an upstream and a downstream port, which every respectable router/firewall should have. Don't forget you also need a case, power supply and SD card (not included).

For about the same price, on the other hand, you can get a device with all the pieces that don't come with the Pi: a real gigabit switch with multiple ports, a real gigabit uplink port (not always truly gigabit speed over it though, especially at low price points), fast WiFi with increasing levels of 5 GHz support, and maybe even hardware-accelerated routing.

The RPi is a great device, but not for this. Other Pi-like devices have higher performance than the Raspberry, but none of them, really, will match a router at networking. To match a router with general-purpose hardware you need a real PC with good-quality NICs, which is a MUCH higher price point.
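NeddySeagoon's and fluffysheap's posts both come down to the same hardware fact: on a Raspberry Pi the Ethernet chip hangs off the USB 2 hub and shares that one link with everything else on the bus. The following shell script is an added example, not code from the thread or from any poster: it reads the bus each network interface is attached to from sysfs (`/sys/class/net/<iface>/device/subsystem`), so the same check can be run on any candidate board before committing to it. The demo sysfs tree it builds in a temporary directory is constructed for the example; on a real system pass `/sys` (the default).

```shell
#!/bin/sh
# Report which bus each network interface sits on, using sysfs. A NIC whose
# subsystem is "usb" shares the USB link's bandwidth with disks and other
# USB NICs; "pci" or an SoC "platform" NIC has its own path to the CPU.

# nic_bus IFACE [SYSFS_ROOT] -> usb | pci | platform | ... | virtual | unknown
nic_bus() {
    dev="${2:-/sys}/class/net/$1/device"
    if [ ! -e "$dev" ]; then
        echo virtual            # lo, bridges, VLANs, tun: no physical device
        return 0
    fi
    if [ ! -e "$dev/subsystem" ]; then
        echo unknown
        return 0
    fi
    basename "$(readlink -f "$dev/subsystem")"
}

# nic_report [SYSFS_ROOT] -> one "iface bus [note]" line per interface
nic_report() {
    root="${1:-/sys}"
    for path in "$root"/class/net/*; do
        ifname=$(basename "$path")
        bus=$(nic_bus "$ifname" "$root")
        note=""
        [ "$bus" = usb ] && note="  (shares the USB bus with every other USB device)"
        printf '%s %s%s\n' "$ifname" "$bus" "$note"
    done
}

# make_demo_sysfs -> path of a constructed sysfs tree (not a real system):
# eth0 behind a USB hub (Pi-style), eth1 on PCI, plus the virtual lo.
make_demo_sysfs() {
    t=$(mktemp -d)
    usbdev="$t/devices/platform/soc/usb1/1-1/1-1.1:1.0"
    pcidev="$t/devices/pci0000:00/0000:00:19.0"
    mkdir -p "$t/bus/usb" "$t/bus/pci" "$usbdev" "$pcidev" \
             "$t/class/net/eth0" "$t/class/net/eth1" "$t/class/net/lo"
    ln -s "$t/bus/usb" "$usbdev/subsystem"
    ln -s "$t/bus/pci" "$pcidev/subsystem"
    ln -s "$usbdev" "$t/class/net/eth0/device"
    ln -s "$pcidev" "$t/class/net/eth1/device"
    echo "$t"
}

# Run against the constructed tree; on a real box just call nic_report.
demo=$(make_demo_sysfs)
nic_report "$demo"
rm -rf "$demo"
```

For a two-port firewall you want both wired interfaces to report something other than usb; on a Pi 1-3 with a USB NIC added for the second port, both ports end up on the same USB link, which is why the posters above see it run out of bandwidth under load.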
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2569

PostPosted: Fri Dec 29, 2017 3:43 pm

I haven't used OpenWRT for a few years, but when I looked it was pretty awful. It's the reason I went with more expensive hardware.

For one thing, the GUI numbered the ports differently from the command line, and differently from the way my ports were numbered on the case. The command line numbered them in sync with the numbers on the case.

The device was mostly functional up to but not quite where I wanted my functionality to be. Didn't do VLANs well (my hardware was capable) and didn't handle VPNs well. Forget about IDS/IPS.

The final straw was that when I started using OpenWRT I got on the forums, and people were waiting for builds for their routers. I found my build; it was roughly a year since my router had a new build. A year later, I was still on that build, and the people I saw complaining when I joined were still waiting too. The inevitable "you can always download the source and build it yourself" argument worked. I bought a good board with good devices and put Gentoo on it, about USD $1100, all in. You could definitely do the router thing cheaper and still have good hardware. A dual-core Intel Atom C2000 series or C3000 series would do the trick if you're not trying to run Gentoo, or if you don't want IDS/IPS.
Ronaldlees
n00b

Joined: 14 Dec 2017
Posts: 10

PostPosted: Fri Jan 05, 2018 5:11 am

Hi,

I must concur with the folks who mentioned the Pi as being a little too bound up, network-wise, for a router. I use a Pi2 as an access point, and another as a proxy, but in both cases the network speed is pretty mediocre. I have a high tolerance for it, and don't do much video streaming over those links.

What I think is needed is a small SoC/SBC with two Gigabit Ethernet interfaces, such that a complete high-bandwidth path (in/out) is available. Such a device might be had in the Dreamplug, although I haven't used one myself, and cannot say how well it would do, perhaps due to other factors than just the Gigabit Ethernet. I am, like you, looking for a speedier router/ap/proxy/etc. type of setup in a small Pi-like form factor. The Dreamplug is already on Gentoo:

https://wiki.gentoo.org/wiki/DreamPlug

There are some other candidates, like the Utilite, that have two Gigabit ports, but some people say those tend to run hot (unless they've fixed them). The routerboard (RB953GS) has two Gigabit ports, but is a little pricey. Ditto for the TS-7970 2-port Gigabit board.

The Odroid XU4 has a single Gigabit Ethernet port (that's what I'm running to type this). It's running Gentoo, but a single Gigabit port does not a fancy router make.