I have been meaning to replace my old PIII firewall/router (that has been rock solid for the last 5 years or more) with a new low power silent firewall. Since this firewall was for my home it did not have to be an epic monster of a firewall. The PIII type speeds were doing just fine. I started looking at all of the different commercial options I could find that met the following requirements:
I started the search with Soekris Engineering. I wanted the most powerful one closest to my requirements. That was their Net6501-50 model. It met requirements 1,2,3,4,5,6,7 but not 8. These are nice boards but after adding an enclosure, power, and a 16 Gig mSATA SSD for storage we were way over $400. So they were out.
Next up was the MSI MS-9A58. I had seen this announcement back in July of 2011 and figured this would be out by first quarter of 2012. Boy was I wrong. As far as I can tell this thing is vaporware. It can not be found being sold publicly anywhere. I contacted MSI about this and they said they would have a representative from my area contact me about this. I never heard anything back from them. So I was not going to waste any more time with them. They were out.
Next was the Lanner Inc FW-7535. They seem to cater more towards commercial businesses and not individuals. They met all the requirements except that pesky price again. They were $430 and that was before you added storage or RAM. So they were out.
This was starting to look grim. I could not find any commercial product that fit my requirements. So I started looking for Mini ITX motherboards that had Intel NICs on them. That is a feat in and of itself. Most Mini ITX/Micro ATX have crap NICs. Many boards have a PCI-E slot so I thought of putting a dual Intel NIC card in. Those cost a silly amount of money and blow the budget. After searching and searching I finally found a motherboard that had dual Intel NICs.
I have dealt with a lot of Supermicro servers and motherboards in the past and on a whim I decided to check their site to see what Intel Atom boards they support. Lo and behold they sold an Intel Atom D525 mobo with dual Intel NICs. Then I saw the average going price for this mobo. $220 US dollars. Whooo, that is a lot of money for a little Mini ITX mobo. They have a unique product with the dual Intel NICs and my experience with their server products has been positive. So I had to spec out all the other parts to see if I could make my budget.
Here is the parts list with the prices I got from Amazon in early 2012.
Woot! Under $400 US dollars for everything. This is equal or more powerful than most of the commercial offerings. 4G of DDR3 RAM. 30 Gig SSD. Dual core processor. This little guy is going to rock. Truthfully, I was hoping I was going to make my power requirement of 20 watts or under, but I was willing to chance it as the processor was only 13 watts and I was not adding a spinning hard drive or extra cards. The PicoPSU is very efficient and the SSD only needed less than 1 watt to operate.
All the parts arrived in about 1.5 weeks. I unboxed it all and assembled everything. It all fit together nicely. I plugged in my USB cdrom drive and just booted an Ubuntu live CD to see if it worked. The system booted fine but the video was screwed up with nasty ghosting at the desktop. To fix that I had to select F6 during boot and then select "nomodeset". Then everything looked fine. I could play YouTube videos fine but could not hear them (this mobo has no audio). Things looked and acted fine. Time to load and test the new firewall OS, OpenBSD.
I loaded the amd64 SMP version of OpenBSD 5.0 on this machine and all major hardware was recognized fine. Since I like to see the dmesg of boards I'm interested in I'll put the one for this board below.
OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011
    [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4283957248 (4085MB)
avail mem = 4155797504 (3963MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9f000 (19 entries)
bios0: vendor American Megatrends Inc. version "1.1a" date 12/17/10
bios0: Supermicro X7SPA-HF
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI EINJ BERT ERST HEST
acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P4P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) GBE_(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.25 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu1: 512KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu2: 512KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
cpu3: 512KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 4
acpimcfg0 at acpi0 addr 0xe0000200, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus -1 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus 2 (P0P8)
acpiprt7 at acpi0: bus 3 (P0P9)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel Pineview Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd0000000, size 0x10000000
inteldrm0 at vga1: apic 4 int 16
drm0 at inteldrm0
"Intel Pineview Video" rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 4 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 4 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: apic 4 int 19
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 4 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:25:90:62:d3:fc
ppb2 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
em1 at pci3 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi, address 00:25:90:62:d3:fd
uhci3 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 4 int 23
uhci4 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 4 int 19
uhci5 at pci0 dev 29 function 2 "Intel 82801I USB" rev 0x02: apic 4 int 18
ehci1 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 4 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci4 at ppb3 bus 4
pcib0 at pci0 dev 31 function 0 "Intel 82801IR LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801I AHCI" rev 0x02: msi, AHCI 1.2
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0:SCSI3 0/direct fixed t10.ATA_OCZ-VERTEX_0IJGRSLOH16TO7LUU361
sd0: 30533MB, 512 bytes/sector, 62533296 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 4 int 18
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-8500 SO-DIMM
spdmem1 at iic0 addr 0x51: 2GB DDR3 SDRAM PC3-8500 SO-DIMM
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x61/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG rev 0x25
lm2 at wbsio0 port 0xca0/8: W83627DHG
mtrr: Pentium Pro MTRR support
lm1: disabling sensors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (d3a068d6a74e03de.a) swap on sd0b dump on sd0b
syncing disks... done
Temp readings next to the CPU heat sink at idle (in a ~22 deg C room) were 36 deg C. Loading up CPU 0-3 I got the case temps up to 43 C. I put a temperature probe next to the heatsink to check this. I tried checking the sensors using the "sysctl -a | grep sensors" command but the CPU temp numbers never moved from 36c no matter how much I loaded up the CPU. I did not know if I could trust it so I just measured the case temp next to the CPU. I would suggest sitting the case on its side with the CPU towards the top of the case. It keeps it cooler than laying it flat on the ground.
Power usage for the machine at idle is 15 watts. Power usage with all CPU cores going is 20 watts.
Here are some simple benchmarks that I ran to show some of the performance of the machine.
The first is generating random data from /dev/random:
[root@gateway ~]# dd if=/dev/random of=/dev/null count=819200
819200+0 records in
819200+0 records out
419430400 bytes transferred in 21.866935 secs (19181033 bytes/sec)
Next are the OpenSSL speed tests:
[root@gateway ~]# openssl speed
The 'numbers' are in 1000s of bytes per second processed.
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                   961.79k     2204.30k     3090.33k     3435.46k     3551.23k
mdc2                 2757.37k     3157.72k     3274.24k     3296.39k     3309.42k
md4                  9164.99k    34461.12k   108403.33k   235022.10k   358481.21k
md5                  7061.10k    24726.32k    71144.30k   132955.46k   178292.52k
hmac(md5)            9646.12k    32317.85k    84986.66k   143599.30k   180604.20k
sha1                 7502.78k    24256.14k    58607.92k    90639.36k   107998.48k
rmd160               7355.56k    23067.55k    54773.38k    83895.57k    99242.46k
rc4                 77418.12k    89134.72k    92382.77k    93491.91k    93761.83k
des cbc             18798.24k    19890.53k    20251.74k    20341.95k    20367.07k
des ede3             7232.13k     7402.37k     7453.83k     7466.91k     7465.96k
idea cbc                0.00         0.00         0.00         0.00         0.00
seed cbc                0.00         0.00         0.00         0.00         0.00
rc2 cbc             15679.25k    16484.81k    16689.58k    16741.58k    16754.62k
rc5-32/12 cbc       73649.78k    89319.22k    96025.50k    97772.87k    98269.76k
blowfish cbc        38657.85k    42950.85k    44114.70k    44479.50k    44571.57k
cast cbc            29368.53k    31625.61k    32448.47k    32649.28k    32682.48k
aes-128 cbc         24440.93k    25611.21k    26016.21k    26124.72k    26149.86k
aes-192 cbc         21626.17k    22536.93k    22852.96k    22932.37k    22953.70k
aes-256 cbc         19363.58k    20121.02k    20372.97k    20436.92k    20453.09k
camellia-128 cbc    38105.79k    41741.00k    42644.70k    42953.75k    43003.58k
camellia-192 cbc    30015.58k    32199.14k    32733.85k    32915.59k    32933.34k
camellia-256 cbc    29983.15k    32196.21k    32731.10k    32913.08k    32932.85k
sha256               5836.80k    14645.67k    27516.54k    35321.35k    38500.85k
sha512               4325.79k    17296.19k    32305.03k    49482.50k    58550.92k
aes-128 ige         28312.23k    30521.42k    31355.86k    31537.15k    31522.73k
aes-192 ige         24590.47k    26277.66k    26867.62k    27001.09k    26986.02k
aes-256 ige         21750.73k    23051.08k    23504.44k    23604.96k    23586.53k
                      sign      verify    sign/s  verify/s
rsa  512 bits    0.000835s   0.000059s    1197.1   16812.6
rsa 1024 bits    0.003065s   0.000152s     326.3    6580.4
rsa 2048 bits    0.016939s   0.000462s      59.0    2166.2
rsa 4096 bits    0.106317s   0.001573s       9.4     635.8
                      sign      verify    sign/s  verify/s
dsa  512 bits    0.000600s   0.000630s    1666.2    1588.0
dsa 1024 bits    0.001475s   0.001690s     678.0     591.6
dsa 2048 bits    0.004462s   0.005293s     224.1     188.9
Lastly, a few iperf tests. I did not do much here so these numbers could likely be improved.
# From firewall to Linux box. Linux tweaked BSD no tweaks. Both mtu's 1500.
# Same result with PF firewall on or off with pass all
================================
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 4] local 192.168.0.30 port 5001 connected with 192.168.0.246 port 46813
------------------------------------------------------------
Client connecting to 192.168.0.246, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 6] local 192.168.0.30 port 56225 connected with 192.168.0.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-60.0 sec 5.12 GBytes 733 Mbits/sec

# From linux box to firewall. BSD no tweaks. MTU 1500
# PF on with pass all rule
------------------------------------------------------------
Client connecting to 192.168.0.246, TCP port 5001
TCP window size: 977 KByte (default)
[ 3] 0.0-20.0 sec 1.27 GBytes 544 Mbits/sec

# From linux box to firewall. BSD no tweaks. MTU 1500
# PF off
------------------------------------------------------------
Client connecting to 192.168.0.246, TCP port 5001
TCP window size: 977 KByte (default)
[ 3] 0.0-20.0 sec 1.53 GBytes 657 Mbits/sec

# From linux box through firewall to other linux box. BSD no tweaks. MTU 1500
# PF on with pass all rule
[ 3] 0.0-20.0 sec 1.54 GBytes 661 Mbits/sec

# From linux1 box through firewall to linux2 box. Bidirectional. BSD no tweaks. MTU 1500
# PF on
---------------------------------------
root@host:~# iperf -c 10.10.10.20 -i 1 -t 20 -d
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 10.10.10.20, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 4] local 192.168.0.30 port 33884 connected with 10.10.10.20 port 5001
[ 5] local 192.168.0.30 port 5001 connected with 10.10.10.20 port 38954
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-20.0 sec 386 MBytes 162 Mbits/sec
[ 5] 0.0-20.0 sec 1.60 GBytes 688 Mbits/sec

# From linux1 box through firewall to linux2 box. Bidirectional. BSD w/tweaks. MTU 1500
# PF on
root@host:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 4] local 192.168.0.30 port 5001 connected with 10.10.10.20 port 38960
------------------------------------------------------------
Client connecting to 10.10.10.20, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 6] local 192.168.0.30 port 34046 connected with 10.10.10.20 port 5001
[ ID] Interval Transfer Bandwidth
[ 6] 0.0-20.0 sec 492 MBytes 206 Mbits/sec
[ 4] 0.0-20.0 sec 1.60 GBytes 688 Mbits/sec

# From linux2 box through firewall to linux1 box. Bidirectional. BSD w/tweaks. MTU 1500
# PF on
-----------------------------------------------------
root@box:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 4] local 192.168.0.30 port 5001 connected with 10.10.10.20 port 38992
------------------------------------------------------------
Client connecting to 10.10.10.20, TCP port 5001
TCP window size: 977 KByte (default)
------------------------------------------------------------
[ 6] local 192.168.0.30 port 34128 connected with 10.10.10.20 port 5001
Waiting for server threads to complete. Interrupt again to force quit.
[ ID] Interval Transfer Bandwidth
[ 6] 0.0-20.0 sec 423 MBytes 177 Mbits/sec
[ 4] 0.0-20.0 sec 1.56 GBytes 671 Mbits/sec
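The openssl speed figures are in 1000s of bytes per second while iperf reports Mbits/sec, so the two sets of numbers are not directly comparable as printed. The following is an added example, not part of the original post: it parses a subset of rows copied from the openssl output above, converts them to Mbits/sec, and lists the algorithms that one core processes more slowly than the 661 Mbits/sec measured through the firewall. The function names are hypothetical, and it assumes openssl speed was run without -multi, so each figure is for a single core.

```python
import re

# Rows copied from the openssl speed output on this page (subset).
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
md5 7061.10k 24726.32k 71144.30k 132955.46k 178292.52k
sha1 7502.78k 24256.14k 58607.92k 90639.36k 107998.48k
rc4 77418.12k 89134.72k 92382.77k 93491.91k 93761.83k
idea cbc 0.00 0.00 0.00 0.00 0.00
blowfish cbc 38657.85k 42950.85k 44114.70k 44479.50k 44571.57k
aes-128 cbc 24440.93k 25611.21k 26016.21k 26124.72k 26149.86k
aes-256 cbc 19363.58k 20121.02k 20372.97k 20436.92k 20453.09k
sha256 5836.80k 14645.67k 27516.54k 35321.35k 38500.85k
rsa 2048 bits 0.016939s 0.000462s 59.0 2166.2
"""

FIELD = re.compile(r"^\d+\.\d+k?$")      # "26149.86k" or "0.00"
BLOCK_SIZES = (16, 64, 256, 1024, 8192)  # column order in the table


def parse_speed(text):
    """Return {algorithm: {block_size: Mbits/sec}} for the throughput rows."""
    results = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6:
            continue
        # Algorithm names may contain spaces ("aes-128 cbc"), so take the
        # last five fields as the rates and everything before as the name.
        name, fields = " ".join(tokens[:-5]), tokens[-5:]
        if not all(FIELD.match(f) for f in fields):
            continue  # banner, column header, RSA/DSA timing rows
        # "k" means 1000 bytes/s: x * 1000 * 8 / 1e6 = x * 0.008 Mbits/s
        rates = [float(f.rstrip("k")) * 0.008 for f in fields]
        if not any(rates):
            continue  # all 0.00: algorithm not built into this openssl
        results[name] = dict(zip(BLOCK_SIZES, rates))
    return results


def slower_than(results, link_mbits, block=8192):
    """Algorithms whose rate at `block` bytes is below link_mbits."""
    return sorted(n for n, r in results.items() if r[block] < link_mbits)


if __name__ == "__main__":
    parsed = parse_speed(SAMPLE)
    for name, rates in parsed.items():
        print(f"{name:14s} {rates[8192]:8.1f} Mbits/sec at 8192-byte blocks")
    print("below 661 Mbits/sec:", slower_than(parsed, 661))
```

iperf's Mbits/sec uses 10^6 bits, which is why the conversion factor is 0.008 rather than one based on 1024.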
I'd say I'm pretty pleased with the outcome of this build. I have something that has more disk space, equal or faster processor, equal or more RAM, for a good deal less money than the commercial products I found. If I needed more NICs than just 2 then I may have taken a different route, and not gone this way as the commercial vendors did offer more NIC ports than this did. With this motherboard you could have put it in a different case with a riser card, and thrown in an extra NIC card since this has a PCI-E slot. That would give you one more NIC port. In the end it met my needs, and I had the satisfaction of doing it myself.
I was setting up a friend's net connection for them and saw that Comcast gave them a wireless Linksys cable modem/router. Well, if it was just like all the other Linksys routers, the default password for the router's webpage should be "admin". It was not (big surprise). Comcast has had someone (Linksys?) modify the firmware for them for this router. It has been stripped down to a very basic set of things you can do. Problem is they set a username and password for this router/modem and it was not a Linksys default password. After some searching I finally came to find out the login id is "comcast" and the password is "1234". If you do a hard reset of the modem (little black button on the back of the unit) this is what the default userid and password will revert to.