At the moment, I am using a single Dell Optiplex 7010 box as a multipurpose server: it runs OpenBSD and a lot of its base applications (relayd for reverse proxying, httpd as an HTTP server, pf as a firewall, etc.) and some from the ports tree (like nsd for an authoritative NS, unbound for LAN DNS, …). It also runs a single Alpine VM inside that in turn hosts some dockerized apps (like Lemmy :-))
This setup is suboptimal, as OpenBSD’s virtualization support is still in its early stages, so I wanted to make a defining change: move OpenBSD + all base stuff to a separate ‘firewall’ box and dedicate my 7010 to be a Docker host (probably installing Alpine Linux directly).
My question is: what hardware can you recommend for the OpenBSD box? I would want something with low power consumption. It does not have to be beefy, most of the resource-hungry stuff will probably be on the docker box. One thing though: it would be nice to be able to handle gigabit network throughput for the future.
I have been looking at APU2 boards, Raspberry Pi 4B (I am not sure about the OpenBSD support, though), Intel NUCs, and also Dell Optiplex micros and minis. It would be great to get away with a budget below €100. Thanks in advance for any insight!
I run my home firewall on an old thin client (an HP t730, if I remember right). That does the job well and is about comparable to a laptop (minus the screen) for power consumption.
Another more current option that sounds good is the Zimaboard. I haven’t touched one, but people are seemingly going nuts over it. It’s a little x86 single board computer (about Raspberry Pi size) with two gigabit NICs.
Thanks, never heard of Zimaboard, sounds interesting
I think a mini micro would be a good option as shown here, not sure about the OpenBSD support though
A Lenovo m720q with a PCIe riser for your NIC. Try to get one with the 8th gen i5. These typically go for ~$100 USD on hardwareswap, and a bit more on eBay.
You can also add an m.2 A+E network card to a Dell or HP. The 720q is the best IMO overall, but if you just need WAN/LAN and some basic routing there are plenty of low cost 1L PCs.
The m.2 A+E card/adapter replacing the wifi card is new to me. Very cool.
It’s a great and easy way to take a thin client or older SFF 1L PC and turn it into a high performance router for often less than the cost of an SBC. And often has better features like virtualization so you can run multiple applications.
Wow, that’s cool. Is that an Intel-based NIC, is driver support good?
The 10G SFP+ are Mellanox ConnectX-3, the RJ45 is a 2.5G Realtek. There are Intel-based m.2 A+E cards but they are hard to find.
I have not had any issues with Realtek on Proxmox or pfSense.
Thanks, I haven’t considered ThinkCentres much yet. I should have mentioned that I am located in Central Europe, so I am a bit more limited on options where I can get hardware. I am a bit worried about shipping costs when ordering from abroad.
I found an offer for an M700 tiny with an i5-6500T, 8GB of DDR4 RAM, and an SSD included, for €120. Is that in a similar ballpark as the M720q you mentioned?
Honestly, I don’t think I am likely to find 8th gen i5 boxes in my area (haven’t seen any adverts so far).
The m700 is a fine box, but doesn’t have the PCIe slot for an add-in NIC. This would limit its utility as a router box. Even an m720q with a Pentium would work well as a router box.
With what @infinitevalence recommended I think the M700 is a good inexpensive option if you don’t mind doing some work on the case to hack in another ethernet port. Something like this would even get you 2.5GbE: https://www.aliexpress.us/item/3256804495748525.html
It’s Realtek, but there appear to be OpenBSD drivers. That exact one will not work with the headers hanging off the back of the card (that end of the card is right behind the power button in the front corner of the PC). But if they were desoldered and replaced with vertical headers it would work perfectly. There might be something similar with different connectors, or a 1GbE Intel card available.
I have a spare M700 that I just opened up to take some measurements. There is ~4mm space above most of the m.2 wifi card with the drive caddy installed, or ~18mm with the caddy removed. Even with the caddy installed there is that ~18mm open space above the back 5-6mm of the card, so a vertical connector there would work, but would conflict with the install/removal of the drive caddy since it slides toward the front of the case to remove. Further modification would be needed to use them together.
At the back there is ~50mm side-to-side space between the fan exhaust and ethernet port. Only 32mm if you only take up the space of the accessory video port. In that width you have ~15mm vertical space (above the row of ports at the bottom), and ~32mm depth (from the inside of the case back to the back of the SATA connector for the 2.5" drive). You would basically just need to enlarge the optional extra video/serial port opening.
You could even fit a multi-port interface at the back, up to 50mm wide. But you wouldn’t be able to use the case screw any more since it’s in that space. And you would need to cut the tab it screws into off the case’s top cover. But the case should still close ok because of the way it slides into place.
Now I’m thinking about ordering that adapter for my own machine to hack in a 2.5GbE port.
Thanks for the tips and your measurements!
The PC Engines APU2 boards are really great for this in terms of routing performance per watt, but the prices are up. If you can find a used one it might be possible. I use one for routing and a Lenovo ThinkCentre M700 tiny as a server. The M700 is around double the power consumption at idle, but they are both pretty low power. On 120v the APU2 is ~5w, and the M700 is ~10w when idle.
There are a couple of Celeron N2830 fanless mini-PC router options on AliExpress for under €100. It’s 2 core vs the APU2 4 core CPU, but it’s faster per-core, so it should do basic gigabit routing without too much trouble (the APU can do it with OPN/pfSense, but only with some tuning).
And that’s where I think you may have some trouble. I expect OpenBSD will be slower on the network than those FreeBSD-based distributions. And they max out at gigabit on the APU2 platform. But you could always decide later to switch the OS if you need gigabit performance.
Thanks for these insights! Gigabit is of secondary priority at the moment, just a nice to have. Maybe in the future I would break things up even more and have a dedicated firewall with minimal resources, then this machine I am planning on getting now would be a dedicated OpenBSD based server for proxying, load balancing, etc. (basically everything I can do easily on OpenBSD without Docker) and finally I would also have a stronger box for several Docker services.
I like the Dell SFF. Not micro PCs but SFF. Solid builds, had for cheap and generally do running BSD.
Wouldn’t there generally be a significant power draw difference between an SFF and a smaller (micro, mini, SBC…) machine?
No, not really. Often the processors are the same (though there may be versions of micro desktops that have power focused processors like Celeron or Atom). These are mostly the same setup and the biggest difference is the form factor itself and (because there is more space) serviceability for adding (i.e. PCIe slots etc.)
The SFF often have 3-4 PCIe slots and integrated PSUs that are a little more impervious to power fluctuations because the PSUs have bigger caps. The micros generally have the pico PSU style (aka laptop style power brick) and no PCI slots (the m715q/m720q ThinkCentre basically being a unicorn in that it does have a PCIe riser)
A dedicated router will mostly be idle (in comparison to a desktop workload) and since they are more common than the ThinkCentre, probably easier to source and cheaper.
Check out Protectli Vault. They have different hardware configuration options depending on what you need.
Protectli supports virtually anything you want to slap on it, be it BSD or Linux based. A popular approach is to put OPNsense on it (BSD based firewall).
I can vouch for it, quality hardware and silent. Easy to repurpose.
I know of Protectli, but I wouldn’t consider it a low-budget option. I mean it is reasonably cheap, but I was hoping I could get away with some much cheaper used hardware.
You’re right, the 2 port vaults are $176 which is almost double your budget. I figured you could find a used one for cheaper, but I just looked around and you cannot :(
You can check out ODROID. The ARM version for $83 and an x86 version for $129. You can play around with specs and models and get those numbers down lower. Pretty large community playing with them, BSD probably can support them or at least the info is most likely in a forum somewhere.