OpenBSD Journal

Extra small firewall hardware

Contributed by jose on from the tiny-things dept.

Now that we're back on the air, Paranoid Admin writes: "A question for the audience.. I've been shopping around for the perfect small form-factor PC to use for an OBSD SOHO firewall. I don't want to use an old PC box due to the noise and power usage - I'm looking for something small, cheap, and efficient. It must have 3 NICs and no fans. I've found a lot of mini-itx boards that look promising, but none seem to have 3 NICs.

What is everyone else using?"


  1. By Anonymous Coward (rb a.t. gincks d.0.t. net) on

    try openbrick. they have some links to vendors in North America and EU. I have one and love it. It will even boot from cf memory. booting from usb for install is tricky.

    1. By grey () on

      Just a thought, since they've been mentioned on deadly and mailing lists many times before, but how about a soekris? If you want something higher end, check out some of the nexcom gear, you can even get them with fxp's. If you want something higher end than that, then mini-itx is the way to go I guess. And if you want something higher end than that, best to look at some of the pc/104 type cards where you can get dual p4 or xeon's on a PCI card sells many things in that range, but they can be extremely spendy.

  2. By dan () on

    just drop a dual nic into the PCI slot, that's what I've done before, works great.

  3. By Greg Hennessy. () on

    I use a second-hand CPQ Deskpro EN SFF here.

    30 quid at the local fair got me a small box that's:

    Whisper quiet.
    6 gig drive.

    It's currently running 3.4 using its onboard Intel NIC with a SUN QFE in PCI slot 1.

    CPU load, as measured by symon since last May, has struggled to reach 10%.


    1. By colin () on

      A little off topic but...

      I have been using some Compaq Deskpro EN SFFs for snort IDS sensors but can't get the boxes to boot w/out having a keyboard attached.

      Any ideas?


  4. By emb3dd3d () on

    if you want to spend the dough..

  5. By gollum () on

    The net4501 is a great little 486 based box with 3 nics
    ide flash support and optional hardware vpn cards...

    It's about the size of an 8 port netgear switch... and has
    support for OpenBSD, NetBSD, FreeBSD, Linux.. etc..

    I have built quite a few OpenBSD based firewall and VPN solutions with these things, and I have yet to find anything
    better for the price.

    Check out for current OpenBSD build scripts.

    1. By nethead () on

      Can't agree more. Everything in one package, and room for an encryption accelerator, plus runs on only 12 volts - NO NOISE!!

      Built several for friends using Cardflash as firewalls & they've worked out excellently over the past couple years - average uptimes of over 1 year per unit!

  6. By Greg Anderson () on

    I am in the same boat. Check out these links:

    1. By bob () on

      i think the soekris boxes are a good choice
      i use two NET4801.

      best bob

  7. By SolarfluX () on

    PIII Dell Optiplex (speeds vary) makes a nice OBSD FW, it has a built-in 10/100 NIC with two PCI slots for NICs. Look for them on eBay (search 'small computer'). It's not the smallest thing compared to the others mentioned, but it's small enough, OBSD supports everything on it, it's cheap and you can just throw two NICs in it and go.

  8. By Anonymous Coward () on

    i previously used a soekris:

    pros: silent, almost instant boot up, cheap

    cons: slow, no permanent storage, limited expandability / can't change its purpose

    now i use a mini-itx:

    pros: silent (get the fanless + a seagate barracuda iv or v), 1-2 pci expansion slots -- i use a dual port nic, but also just bought a quad port (matrox fnic can be had for <$50 on ebay), dual purpose potential (if you're crazy like me, doubles as a digital mp3 hookup to my stereo, large net storage device), cheap

    cons: slightly more costly than the soekris, bigger footprint, but can be converted into many things

    1. By Anonymous Coward () on

      Sorry for the dumb question, but does a dual/quad NIC act as two/four NICs, or does it do some kind of load balancing or fault tolerance in terms of wiring?

      And does each interface use the same MAC address or different ones? I'm curious on the uses/advantages of this.


      1. By Greg Hennessy () on

        A quad card has 4 separate NICs on it.

        Of course you can do LB or FT using dot1q with them.


    2. By nethead () on

      > cons: slow, no permanent storage, limited expandability / can't change its purpose

      Depends on how you build & mount your file systems!

      I built & use one (512 meg flash card) that has a full root file system that can change - /var has quite a bit of storage - as I store weeks of logs in it, all of which do get backed up and stored elsewhere - after several weeks.

      1. By Anonymous Coward () on

        while it is true that you can mount read-write, compact flash often starts failing after some number of writes (10 million?), and if you're running some standard things (logs in particular) you're hitting that write count more quickly than you'd like, and will see failures in a quite 'human' amount of time...

        while you can offload your logs to a remote box, it made more sense for me to just make the remote box the firewall as well :)

    3. By MotleyFool () on

      mini-itx con: no default serial console

      I don't want to have to hookup a monitor to my firewall box.

      1. By Anonymous Coward () on

        yes, the first time you do an install (unless you've got a floppy that boots to serial console -- which may be easy -- i dunno); you can turn on serial console after the initial install...

        i've used serial console after the first install for everything...

        1. By MotleyFool () on

          But I want access to the BIOS via serial also, à la Soekris. If you have a system several hundred miles away and it's glitched its BIOS you don't want to have to drive there to fix the problem. I've seen many BIOS glitches over the last 20 years.

          1. By Anonymous Coward () on

            So true. It's a great plus for a server system to be fully accessible through the serial port.

            I've heard there are special add-on cards that provide this kind of functionality (they act like a simple video card to the server, and are able to send text-mode stuff over the serial port). Anyone who has some experience with those?

            1. By MotleyFool () on


              $350 for the card, hmmm, how much does a mini-itx systemboard cost?

  9. By SH () on

    OpenBSD has support for hardware AES on a new CPU from VIA (Eden-N).

    However, the VIA C3 CPU with the Nehemiah core (used in Eden-N) also has this. So does OpenBSD use hardware acceleration for this VIA C3 as well?

    Confusingly, on the VIA C3 site they talk about a new generation of VIA C3 with a "New Nehemiah" core. Are there two types of Nehemiah cores around?

    This appears to be a nice mini-ITX with dual LAN and one PCI available. If this can get hardware acceleration for the 1GHz C3 Nehemiah core, I would seriously consider buying it.

    1. By Anonymous Coward () on

      V series = The only one that supports the Dual PCI riser with its single PCI slot.

      M series = The first model aimed for multimedia. The M10000 (1GHz) can handle all video without breaking a sweat.

      CL series = M series with dual LAN connections. It's too bad the LANs they use suck. There is a third party who makes VIA style setups but using Intel LAN connections. It's also in a non-standard format. :(

      MII series = Slight changes from the M series, some new connections.

      TC series = includes a DC-DC thingy. (Power related feature).

      Eden means the CPU onboard can operate in fanless or lower voltage than regular C3 and EPIA-based CPUs.

      Eden-N is a shrunk down version of the CPU. It's about the size of a "quarter" compared to current EPIA-based CPUs. (maybe smaller... In any case, it's insanely small.)

      A new format, even smaller than Mini-ITX, will be released. It's called Nano-ITX. It will be fitted with the tiny Eden-N CPU running at 1GHz.

      Later this year, VIA will release 2GHz models, since they selected IBM to make the next generation of low power CPUs using 90nm SOI technology. (faster, and cooler).

      The upcoming one is called C5P (current Nehemiah-core is C5XL)...

      The next one (manufactured by IBM) is called Esther and is officially known as C5I. It will support more features in relation to its RNG and will have SSE2 and a 200MHz FSB, Pentium-M style FSB. (The current ones are using the PIII bus running at 100 and 133MHz FSB).

      VIA also created a prototype DUAL CPU C3 on a Mini-ITX mobo...I'm waiting for this to be a retail product. :D

      1. By Alejandro Belluscio () on

        From the paper describing their AES implementation, they stated that the next core would also accelerate SHA-1.

      2. By Anonymous Coward () on

        "V series = The only one that supports the Dual PCI riser with its single PCI slot."

        ? M series certainly supports the dual riser.

        "M series = The first model aimed for multimedia. The M10000 (1Ghz) can handle all video without breaking a sweat."

        Wrong. Hardly the first multimedia centric model. V series was aimed at multimedia, with the infrared for remote header, video acceleration in the PLE133 chipset. It also had a header for an mpeg4 accelerator, which Sigma Designs never seemed to have released, or was only available to their OEM partners. Via just didn't know necessarily who was going to use the boards, but that was their first release. When they realized who was buying the mini-itxs, they smartly shifted focus to the market.

        Also, there were 2 M1000s. Yes, same model number. covered this issue. The later of the two is the one you want, but you usually have to ask the supplier which they have (I forget how to distinguish this, but some suppliers advertised they were selling the refined core on pricewatch at the time).

        "MII series = Slight changes from the M series, some new connections."

        ...being CF and cardbus support onboard. Also, not yet released into general distribution. Unknown whether third-party near integrated power supplies can handle the new board layout.

  10. By hopfgartner () on

    I frequently use old notebooks for such tasks. They have modest power consumption, built-in UPS, small form factor ... (e.g. have a look on eBay for some old Compaq Armada 1750)

  11. By Anonymous Coward () on

    I'm surprised not to have seen mentioned epia-based Lex' Light+:

  12. By dominique () on

    Have a look at
    they have a version with 3 NICs onboard. They make very good firewalls and although I have only used these with Linux so far, it seems compatible with OpenBSD. sell full barebone systems based on these boards.


  13. By Wim () on

    Small: it's the size of a small hub, 21 cm front, thumb high, hand deep.

    Tech Drawing

    Images of 4501 and 4801

    Cheap: prices range from EUR 195 to EUR 270. You can buy them from the US or from Belgium, local shipping.

    Efficient: kind of how you want to calculate this? Weight of machine per bandwidth? Price of a 4801 versus the time it takes to install it? ;-)

    Seriously, as you are talking about a 486/133MHz or a Geode/266MHz, you cannot expect unlimited resources. Interrupts will kill you if you hit it with plenty of small fragmented packets (good way to make any system crawl, the Soekris just has shorter legs).

    Don't look at it as Slow -- it's fast enough for most uses, how many of you have more than a 5 Mbit connection at home or office?

    Storage: the 4801 can be equipped with a 2.5"

    Crypto cards can also speed up VPN connections

    wireless extensions via either miniPCI, full PCI or PCMCIA cards.

    But then again, I'm a bit biased ;-)

    1. By Anonymous Coward () on

      Just a few questions about the 4801:

      - How do you boot it? Is the only way to preload a flash card on another computer, or can you netboot it?

      - What (usb) cardreaders do you suggest for preloading Flash cards?

      - How well does an internal 2.5" hard disk work? Can the device do things like spin the disk down when not in use? (so that I can have a quiet backup server that only makes noise when in use)

      - Any problems with Flash durability? Let's say I'd want to keep some information between reboots, power failures,... Any problems if I overwrite the same file e.g. daily? What happens if a Flash card fails on you btw? a kernel panic? Should I take special care (i.e. rather add a file to a partition than overwrite the old one every time), or isn't that necessary?

      - Is there a dmesg of OpenBSD booting on one of these devices online somewhere?

      - What kind of NICs are in there? Are they decent, like fxp's, or more crappy, like rl's?


      1. By Wim () on

        All Soekris boxes come equipped with a true serial console that supports booting from PXE (dirty, needs GRUB to do the second stage bootloading), booting from the CF or booting from the built-in hard disk.

        Any USB reader/writer that works. My favourite one is the Belkin CF/CF2 (EUR 20) but it seems that one is end of life... I would really like to buy some more but can't get them. There are also very cheap PCMCIA based ones available (EUR 10) but they attach differently: the USB one is an sd device while the PCMCIA one is a wd device. I have had less problems with multiple inserts and ejects with the USB one.

        The 2.5" disk works fine, like any other IDE disk. It's a bit slower; you can get 4200 RPM, 5400 and 7200 RPM disks, don't get the expensive 7200 RPM ones as they get too hot in the case. Spin down is something your host OS should take care of. The new 2.5" drives are surprisingly quiet.

        Flash has a limited lifetime for writes, reads are not such an issue. (specs say you can do 1 million writes, after that you probably get read/write errors). So everybody keeps their CF in read-only and uses a small mfs to store tmp files & log files. If you want to update a certain file every day, consider putting it on a ramdisk, instead of re-mounting the CF rw, changing file and remounting ro.

        the system boots like any ordinary PC: 4501 boot log

        4521 boot log

        4801 boot log

        The onboard NIC is based on the National Semiconductor DP83815 (MacPhyter) PCI Ethernet controller and shows up as an sis device. While it's a fairly cheap design, it's not as crappy as the rl or ne2k. There are some issues with short cables and wrong speed selection but I have not had that much complaints about it.

        If you want to see more pictures, have a look at or for more info, browse
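The read-only CompactFlash layout that Wim and nethead describe above (CF mounted ro, temp files and logs on a small mfs so the flash takes no routine writes), as an added example that is not from the thread or any of its posters: an OpenBSD fstab(5) fragment for the weak layout beside the hardened one, plus a small sh/awk audit that flags any flash partition still mounted read-write. The device name wd0, the partition letters and the mfs sizes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only CF layout for a Soekris-style
# OpenBSD firewall. Device wd0 and the mfs sizes are assumptions.

# Weak layout: everything lives on the CF and is mounted read-write, so every
# log line and temp file becomes a flash write.
FSTAB_WEAK='/dev/wd0a / ffs rw 1 1
/dev/wd0d /var ffs rw 1 2'

# Hardened layout (constructed for this example): root stays read-only and the
# volatile trees live on mfs ramdisks. -s is the size in 512-byte sectors, so
# 65536 sectors is 32 MB of log space that is lost at reboot (offload the logs
# with syslog or a periodic copy to another box, as the thread suggests).
FSTAB_HARDENED='/dev/wd0a / ffs ro 1 1
swap /tmp mfs rw,nodev,nosuid,-s=32768 0 0
swap /var/log mfs rw,nodev,nosuid,-s=65536 0 0
swap /var/run mfs rw,nodev,nosuid,-s=4096 0 0'

# audit_fstab FSTAB_TEXT
# Prints one line per block-device mount that carries the "rw" option and
# exits 0 when there are none (the flash is protected), 1 otherwise.
audit_fstab() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 ~ /^\/dev\// {                       # only real block devices matter
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") { print "rw on flash: " $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Run the audit over both layouts: the hardened one is silent, the weak one
# lists / and /var and fails.
audit_fstab "$FSTAB_HARDENED" && echo "hardened layout: no rw flash mounts"
audit_fstab "$FSTAB_WEAK" || echo "weak layout: the CF takes every write"
```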

        1. By AC () on

          login: root
          Password:
          # systat vm 1
          Memory fault
          # reboot

          What's with the mem. fault?

          1. By Anonymous Coward () on

            Maybe it was a bug in 3.4-beta?

          2. By Wim Vandeputte () on

            hmm blush, that is what you get from running experimental snapshots, never mind that.

            The issue has been fixed in the mean time

        2. By Anonymous Coward () on

          Which processes in obsd (-current) take advantage of the 1401 or 1411 crypto accelerator? The obsd site mentions support for the Hifn chips, but I don't have a clue what can use it.

          1. By Anonymous Coward () on

            See hifn(8). I've personally seen it working with triple DES OpenSSL-based VPN (openvpn). There is some overhead which could mean efficiency is reduced over software crypto for small packets.

            1. By Anonymous Coward () on

              There are some performance figures for the miniPCI VPN card with openssl 0.9.7a on a net4801 running FreeBSD 5.1, posted today on soekris-tech by Reto Burkhalter:

              With h/w accelerator and crypto framework:
              type            16 bytes    64 bytes    256 bytes    1024 bytes    8192 bytes
              des-ede3-cbc     868.51k    3767.01k    14664.85k     47937.66k   1030052.66k

              Without h/w accelerator and crypto support:
              type            16 bytes    64 bytes    256 bytes    1024 bytes    8192 bytes
              des-ede3-cbc     432.37k     448.18k      454.90k       458.31k       452.44k

      2. By sthen () on

        2.5" HD - In general they work quite well - OpenBSD doesn't yet support the controller on the 4801 in DMA mode though. Some people have had problems with CF on Primary and HD on Slave (see today's posts in soekris-tech).

        Flash durability - the flash card load-balances writes, so you can happily write to the same block again and again. They are just IDE-attached. When CF is written to very many times, it apparently just becomes read-only.

        Loading the flash - most USB readers seem to work without too much trouble - since they're usually fairly unbranded, your best bet is probably to buy one locally that can be exchanged if there's any trouble. I've found myself flashing mostly from a win2k box with the physdiskwrite tool linked from the m0n0wall website out of ease of accessibility, but dd works fine. CF-IDE adapters are available too but not hotswap, so more of a pain.

        NICs - fairly reasonable - not world's best, but no big problem. Until a recent fix in -current on a 4801 all NICs need to be ifconfig'd up, otherwise there's poor performance (driver bug). Very old drivers had problems with short cables on some cards, which was then fixed (but causing some problems with very long cables), but a better fix is now in -current. These all apply easily to -stable too.

        4801 dmesg. You'll probably want some patches from -current (machdep.c to disable the TSC which doesn't work correctly, and the if_sis.c I already mentioned). FreeBSD -current has slightly better support for the hardware at present. In general there's better support already available for 45x1 hardware than 4801 (error leds, watchdog timer, gpio, hi-res counter). But 4801 is getting there (e.g. volt/temp sensors are now accessible from all BSDs).

        If you want a fileserver too, something that can take 3.5" HDs might be a better idea (Seagate have quiet, fast, large drives in the shape of Barracudas, and I have the impression they're a little more robust than laptop drives).

        If you want some (small-ish number of Gb) HD storage, 4801 seems a good idea, maybe keep an eye on discussions on soekris-tech for a little while if you want to boot from flash (CF slave, HD master seems fine though).

        I have a 4501 firewall handling altq+pf on a reasonably busy ADSL line which hasn't gone above about 7% cpu (3.4+flashdist+nsh+symon pointing at symux on a fileserver, and that 7% cpu was probably from running scp), which I'm very happy with, and a couple of 4801s which I haven't decided on homes for yet (one is intended as a replacement home mail server, but at the moment I'm veering towards FreeBSD on that box).

        I've worked with EPIA boards too, the Soekris are a rather different class of kit. EPIA are a small 'normal PC', Soekris are inexpensive (but not in any way "cheap"-feeling) embedded systems. EPIA are probably a little easier to get to grips with (hmm, though it doesn't always feel like it after wrangling with vr drivers trying to increase the network stability under load), Soekris might require a little more effort but I found to be more rewarding to work with.

        Of course there is also the Pegasos ... mini-itx form factor, non-i386, but still there are vr chips...

  14. By Mestizo () on

    I like using the old Sun IPC/IPXs. They can usually be acquired from eBay for under $10 USD. Slap a Sun HME quad card in, install the OpenBSD/sparc port, and I have a cheap quiet home firewall.

    1. By Kurt Mosiejczuk () on

      Quad hme cards are not supported in sun4c class machines like the IPX/IPC. The plain 10 Mbit qe IS however.

      And the other thing to watch out for is that most sun4c machines now have weak or dead NVRAM batteries. I love the sun4c machines (especially the lunchbox IPC/IPX) but all my NVRAMs have died.

      1. By Anonymous Coward () on

        Do those use SBUS? I'm interested in this idea.

        1. By Anonymous Coward () on

          I used to use an IPX, but they're far from quiet. That little fan in the back kicks out a serious volume of air. Additionally, the CPUs are rather slow - a 40MHz box will work fine for NAT, but can only push ~100kb/sec over blowfish/sha1 tunnels.

  15. By Chema () on

    There is this pegasos (I and II) board which seems to run OpenBSD.
    Even the product Pegasos Guardian as seen here a few days ago.
    Apparently it does not consume a significant amount of energy nor is it noisy.

    But I guess it is more expensive and maybe more than you need for just a firewall.

  16. By trygve () on

    If you're just using a small form factor PC of some sort, and have room for one PCI card, you could always throw one of these in there:

    1. By Alejandro Belluscio () on

      This is just a NIC with an integrated 4 port switch/hub (i don't really know.) The problem is that you can't segment your network with it. It's basically useless for any medium to advanced fw setup.

  17. By matthew () on

    I also cannot endorse Soren's NET4501 box enough for this application. I have something like 5 in deployment, one of those for about two years now. It is an excellent piece of hardware, and Chris Cappuccino's flashdist scripts make it easy to put a very very small subset of OpenBSD onto a compact flash card for them.

    You can also squeeze a (minimal) regular OpenBSD release (base.tgz, etc.tgz, misc.tgz, bsd) onto a 128MB compact flash card.

    Soren's NET4501 board has no moving parts at all, and draws ~8watts peak.

  18. By Arnaud ZIEBA () on

    It seems that Soekris Engineering has the product(s) (net4501 for instance). Is this what you're looking for ?

  19. By Anonymous Coward () on

    never tried them, i think they are canada based, but based on what you are asking for they sound right

    1. By MotleyFool () on

      NetWinder, very old h/w design, originally a Corel design, oh yeah, OpenBSD doesn't run on the netwinder h/w either.

  20. By Anonymous Coward () on

    I don't think I've seen them mentioned yet. I'm interested in their box with 3 lan ports in front (another in back), but not sure how OpenBSD friendly it is.

  21. By Anonymous Coward () on

    I was originally using a DEC AlphaStation 200 4/233 for my firewall/web/ftp server. I've since switched to using Sun pizza boxes; initially I switched to a Sun Ultra 2/170, but have since been using a Sun SparcServer 5/110. Basically any Sun SparcStation/Server 4/5/10/20 or Sun Ultra 1 or 2 will make an excellent firewall, just slap a 4-port S-Bus ethernet adapter in the box. I really wouldn't recommend using anything less than a 110MHz Sparc 4/5 or a 65MHz Sparc 10/20.


    1. By MotleyFool () on

      yep, great boxes, however they don't fit the bill of quiet or low-power. My office gets much quieter when my Ultra2 isn't running.

      1. By Anonymous Coward () on

        Yeah, I'm thinking of putting all of my noisy hardware in a separate room, and building myself a nice and totally quiet X-terminal... All the power, and none of the noise :)

  22. By Haroon Laghari () on

    I am sure that this device fulfills all your requirements; for further correspondence please mail me

  23. By Muce () on

    For the past 3 years I have had great success with an old smallish made-in-Taiwan MB with a P200 in it. What makes it palatable is that I noticed when running BSD (and maybe other Unix derivatives as well?) that the CPU generates much less heat than when running Winblowze or even DOS. It is noticeably cooler to the touch. Try it to see for yourself! So I replaced the fan and mini heat sink with a slightly larger heat sink pulled from a defunct audio power amp. I also pulled a smallish PSU from an old DEC LPV and removed the fan. So it runs totally silent! Even through summer heat and with always being on I have no problems with overheating or the telltale signs like random lockups. I reboot not more than once or twice a year and that's mostly from power line wiggles and such.

    For software I downloaded the BSD based $1000+ Gnatbox professional firewall distro which allows up to 5 nodes use for free just for registering and it works great in my 3 node (so far) home. When set to stealth mode all tests show no vulnerabilities. They have lots of success out in the corporate world so I feel confident using their firewall software. I can connect and configure the firewall from a local console, telnet, web browser or a great native Windows software program. You could use whatever Unix derivative based firewall software you like as most consumer based hardware is supported and you will achieve similar results! The box runs without keyboard or video. The one downside with my software choice is the requirement of booting from floppy. But in actual use I find that I reboot so infrequently and BSD unlike Winblowze NEVER accesses the floppy on its own, so it really makes no difference at all. I made an image of the floppy for backup and I am good to go.

    Two discarded Intel Pro NICs from older lab PCs and I am rolling for next to ZERO cost! I mean P200 systems can be found in your local trash if you care to look. (No honey, not a homeless guy, it's just some computer geek in our trash :) It may not sound as cool as a mini-itx based system but I am willing to bet it outperforms many of the low end stuff as the P200 is more than able to handle the traffic through a typical cable modem type setup. And it is just as quiet as the expensive Eden and M type fanless stuff! I am all for the latest and smallest high-tech stuff as a techy type guy but I just can't seem to part with such a reliable, inexpensive and great performing setup. Hell, I placed it on top in the back of a file cabinet and hardly ever remember it's there. Sometimes homebrew really is best. I hope some of you will find this info useful. (Even if you don't admit it to anyone :) Here's to new uses for old trashed hardware!


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]