Another successful OpenBSD setup

I’ve been buying these little boxes from AliExpress for years to use as firewalls and routers. My oldest one is almost 9 years old now! OpenBSD installs just fine. Just a BIOS tweak to always boot up after power is restored.

@selfhosted #selfhosting #selfhosted #openbsd #runbsd

    • LiveLM@lemmy.zip
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      How?
      I’ve been thinking about setting up one of these cheap boxes as a NAS but I cannot ever find one with 4 Sata ports. Is there a solution for this?
      I could use external USB Hard drives but that just feels so janky…

      • shyguyblue@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        Can’t speak to cheap boxes, so usb might be the way, but I use a Zimaboard. Two built in SATA ports, and a pci-e daughter card gives me two more ports. Full disclosure, i don’t do anything more than 1080p, bad eyesight…

        • LiveLM@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          9 months ago

          I’d love to use a Zimaboard too but they’re not available were I live.
          I could import one but the currency conversion + import taxes make it very not worth it.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    1
    ·
    9 months ago

    I personally never understood the desire for BSD. BSD was good back in the day but we now have Linux which is better supported and protected under the GPL.

    • Violet_McQuasional@feddit.uk
      link
      fedilink
      English
      arrow-up
      23
      ·
      9 months ago

      PfSense and OPNsense are both killer router “out of the box” distros built on BSD. I say this as a Linux user, with little interest in running BSD for my applications, but… Respect to BSD. ✊

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        I run OpenWRT and it works pretty well. The only potential issue is the updates but if you have a plan it isn’t a problem.

        Maybe I’m missing out but from my perspective it is way cheaper to buy a off the shelf router with OpenWRT that can handle gigabit speeds than it is is to build/buy a entire computer that pulls way more power and is several times the cost.

        • winky9827b@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          9 months ago

          I recently installed OPNsense specifically because I had to buy a mini PC with 2.5 gig ports. There simply isn’t anything reasonable on the market for the prosumer above the 1 gig threshold. Running splendidly on a Beelink EQ12.

          Also, OPNsense has things OpenWRT doesn’t offer (plugins, IPS, etc.)

        • Ajen@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Openwrt works great for gigabit networks with simple firewall rules and no IPS. But used 10-56gbps enterprise equipment is getting pretty cheap, and more complicated firewall configurations need more powerful hardware than the typical openwrt router.

          And 56gbps on a home LAN might be overkill, but that’s not important.

      • youmaynotknow@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        9 months ago

        I couldn’t agree more. I’ve been running PFsense for about 5 years, great little toy, not 1 single issue. BSD has been paramount in my life for my firewall needs. And I only run Linux on everything else (desktops and servers), but there is not a single FOSS firewall distro out there that can match, much less surpass, a BSD based firewall.

    • BringMeTheDiscoKing@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      I one heard ast describe Linux’s code quality as ‘marginal’ (presumably speaking of the kernel)

      Of course, it was ast talking at BSDCan but still, harsh words from a master.

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      9 months ago

      I use one with 6 LAN ports and a fanless 10th gen i5 running OPNsense, and it has worked well for years. It runs many services including Unbound DNS and Suricata with capacity to spare. It’s much better than any consumer router, though I run WiFi separately with an Asus AI Mesh set to AP mode.

      The only concerns are that you don’t get BIOS updates, and you don’t know for sure that there’s nothing nasty in the firmware. But then you don’t really know that on consumer routers either.

    • towerful@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      9 months ago

      Mine died after 2 years after a power cut.
      I havent tried to debug it yet. At the time, it would power on but a monitor didnt see anything from the video port, and it didnt seem to actually boot.
      I presume it is toast.

      If you dont need compact, a rebfurbed SFF with a 4 port network card is gonna be cheaper

      • emptiestplace@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        9 months ago

        Ok, cool - do we have astroturfing on lemmy now?

        pfSense has a very good record, but OpenBSD’s record and code quality are literally unparalleled.

        Conversely, I spend a fair bit of time working on devices made by SonicWall, Fortinet, etc. and it’s all fucking garbage.

        Are you concerned about it being designed in China in addition to the conventional and thoroughly ubiquitous “manufactured in China”? Please explain your concerns in detail.

        • const_void@lemmy.ml
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          As @floofloof@lemmy.ca stated:

          The only concerns are that you don’t get BIOS updates, and you don’t know for sure that there’s nothing nasty in the firmware.

  • madcaesar@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    ·
    9 months ago

    Sorry for my ignorance I tried googling but what is this exactly? A server for files or? A media server?

    • rhys the great@mastodon.rhys.wtf
      link
      fedilink
      arrow-up
      14
      arrow-down
      1
      ·
      9 months ago

      @madcaesar @otl It’s a small server running OpenBSD, configured to operate as a router and/or firewall.

      Linux and the *BSDs can operate as very good routers and firewalls, usually being much more configurable and enabling you to do more complex than off-the-shelf consumer-level hardware routers. Using them on a small form factor computer with a cheap switch in front of them can give you a better performing and nicer to use alternative.

  • cmnybo
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    1
    ·
    9 months ago

    Do any of those cheap Chinese computers ever get any firmware or bios updates?

    • const_void@lemmy.ml
      link
      fedilink
      English
      arrow-up
      33
      arrow-down
      2
      ·
      9 months ago

      No and they don’t provide the source either. Makes you wonder what’s running in there.

    • Bitflip@lemmy.ml
      link
      fedilink
      English
      arrow-up
      14
      ·
      9 months ago

      I’d be surprised if it wasn’t just based off the UEFI sdk examples containing 30+ CVEs over the last couple of years. If anything, it won’t get patched for logofail and all the others UEFI exploits we’ll definitely see in the coming years.

    • scrion@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      3
      ·
      edit-2
      9 months ago

      I was wondering… that tp-link probably negates anything remotely resembling security on its own. But yeah, you can update some of these noname boxes easily, others, not so much.

      I have dealt with (in a professional capacity) Chinese manufacturers that are under the impression they do not have to provide a working build tree for the kernel, let alone firmware, so its a gamble if you’re not talking to a major Chinese name brand. Mind you, I was ordering hundreds of those boxes, so there was some leverage.

      • MigratingtoLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        edit-2
        9 months ago

        That TP-link is a dumb switch. Unless you’re telling me that someone is going to find an opening in the firmware and hack their way into the ARP table or something (in which case the threat model here just became state actors and I don’t think the OP is safe with this equipment), I don’t think it affects much, if anything.

        Now, if I’m mistaken and that is actually a managed switch; god help them with network security.

        • Link@rentadrunk.org
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          2
          ·
          edit-2
          9 months ago

          It is a managed switch. What’s wrong with TP-Link managed switches?

          I have a basic Netgear managed switch for VLANs.

          • MigratingtoLemmy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            9 months ago

            The problem is that their Web interface and firmware in general are not updated (at all). I think it’s even possible for script kiddies to hack into such managed switches, which forms the reasoning behind my comment.

            Does your switch produce its Web interface over TLS?

            • Link@rentadrunk.org
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              9 months ago

              Doesn’t look like it but if I set up VLANs unless an user is on the correct VLAN they can’t access the web interface. And the only way for them to get access is to get physical access and plug a device into the correct port.

        • scrion@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          9 months ago

          They do make managed switches, but just to be completely clear, my comment was mostly hyperbole. I just found the general combination of security - mindedness and cheap Chinese hardware curious / amusing.

          • MigratingtoLemmy@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            9 months ago

            I did realise that, and apologies for my tone earlier.

            With that said, this seems to be a slight bias - unless the PCB has some nefarious spy-chip built inside, hardware is hardware, regardless of where it comes from.

          • floofloof@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            I just found the general combination of security - mindedness and cheap Chinese hardware curious / amusing.

            I think it can make sense, since there are so often vulnerabilities in consumer router firmware, and because those devices are so common the vulnerabilities are profitable to exploit. Running a BSD-based router on a cheap Chinese PC is likely to be better security for the router’s OS and software itself, even if you don’t know for sure about the firmware on the board (which you don’t with consumer routers either, really). Overall you could still have reduced your attack surface compared to a popular consumer router.

  • Da_Boom@iusearchlinux.fyi
    link
    fedilink
    English
    arrow-up
    15
    ·
    9 months ago

    I recognise that internet router on the right. That looks like the “smart router” Telstra gives their customers - we have one we used to use back when we had Telstra cable. It’s currently playing the duty of an Ethernet switch for dad’s office.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    8 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    AP WiFi Access Point
    DNS Domain Name Service/System
    NAS Network-Attached Storage
    SATA Serial AT Attachment interface for mass storage
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL

    5 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

    [Thread #543 for this sub, first seen 25th Feb 2024, 15:45] [FAQ] [Full list] [Contact] [Source code]

  • wernsting@lemm.ee
    link
    fedilink
    English
    arrow-up
    7
    ·
    9 months ago

    What bios tweak do you apply? That’s the one thing I still need to do.

    These things are awesome!

  • fmstrat@lemmy.nowsci.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    9 months ago

    I have one of these with PFSense on it. Works great, but when I had it in a hot room I had to zip tie a 120mm fan to it 😀

    • winky9827b@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      9 months ago

      I bought some half-inch silicone feet to separate mine from the shelf it sits on. The added airflow underneath seems to do just fine.

      • youmaynotknow@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I’m bent on getting as many people as I know to self-host everything possible and to guard their home networks. The garbage out there today is too much.

        • Oliver Lowe@hachyderm.ioOP
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          > The garbage out there today is too much.

          For sure. I’m hoping that with much cheaper and more reliable hardware
          that we have now, it makes it easier for indivduals and small groups
          to run services that could only be run by big dysfunctional companies.
          Fingers crossed!
          @jjlinux @selfhosted

          • youmaynotknow@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            9 months ago

            It’s not much, but I got a friend from church (die-hard Apple user) to love away from all that crap. He now owns a Pixel 6 Pro running Graphene and is running PopOS on an Intel Mac. Sold his IPhone too.

            He says that I am the only person he knows that preaches 2 Gospels 🤣🤣