Been very interested in OpenBSD for a while. Planning on installing it onto PCEngines' APU + antenna and using it as a router. Following this guide: https://openbsdrouterguide.net/ .
ServeTheHome [1] regularly reviews all sorts of low end small form factor hardware and aliexpress hardware. You'd probably be better served (heh) by scanning their website before investing in hardware. You can get an aliexpress device with much more horsepower and higher speed ports. If your budget is $200 then fine, but if you find out later doubling your budget gets a box that sustains 1 gigabit speeds or $600 gets you a machine that sustains 2.5gbe speeds and your $200 was wasted, it would be great for you to discover that now.
Another piece of advice I received from an OpenBSD contributor is to lurk on the mailing lists and see what the OpenBSD developers (esp. those that hack on networking code) actually use themselves and get that if you care about stability and performance.
greetings fellow traveler. I am also a big fan of openbsd for home router/firewall. Been running it since the early 2000s.
I've gone through a lot of hardware in that time. From an old dec alpha (kernel panic'd often) to only x86 these days.
In recent years I've started to use these low-cost, fanless, intel machines from aliexpress. They're usually pretty great. Recently I upgraded (ServeTheHome's reviews were very helpful!) from a box I got in 2018 from aliexpress that had 6x 1gbe ports to a newer box with 2.5gbe since my fiber ISP has 10gbe ports right now (and there are no cheap, fanless, low-power intel boxes with 10gig NICs). Specifically a Celeron N5105 (N6005 was not available earlier this year, so I canceled and ordered N5105) with 4x 2.5gbe NICs, this one[1] from Topton, though I believe other vendors on aliexpress are all selling basically the same thing.
The unit works pretty well, however, I noticed with OpenBSD 7.0 and 7.1 that one CPU core was constantly pegged at 100% servicing interrupts. Running `top -S` showed the acpi kernel thread was the culprit, and `systat` showed `acpi0` as the source of interrupts. The box worked fine and could route (with NAT and filtering) the full 2.5gbps internet connection fine, but it would run hotter and probably use more electricity than needed.
I enabled ACPI_DEBUG which did not make for a usable box at all due to the amount of debug prints being generated but it was enough to verify the interrupt spam coming from the ACPI GPE _L6F handler. A google search shows this is not particularly uncommon and is due to buggy motherboard firmware. Both Linux and FreeBSD have a way to disable interrupts on a live system. OpenBSD does not however. And FWIW, I booted an opnsense live CD based on FreeBSD and this interrupt storm was not happening. So I assume FreeBSD may have seen this particular bug or just happens to handle it already. This box should be fine with any of the FreeBSD based OSes, which are often bundled on these firewalls you buy from aliexpress.
The usual fix for these interrupt storms from buggy BIOSes is an eventual fix from the vendor. In this case though I don't expect to ever see a BIOS update for this box, and there really is not a website to go download one from anyway. The vendor on aliexpress assured me that if they ever release a new BIOS that they would tell me. I doubt this will ever happen.
In any case, I have "solved" the issue finally with a small kernel patch I found on the excellent openbsd mailing lists. The issue in that case was different, older hardware, but the symptoms were the same.
Long story short I am posting all of this here so that if someone else runs across this same issue they will be able to resolve it much faster than I was.
Did that increase your overall throughput? Drag racing pfsense vs OpenBSD on a xeon vmware system shows much less throughput on the OpenBSD system. I'm totally willing to pay the overhead for a more secure system, but I do still have certain performance goals.
no, i am able to saturate a 2.5gbps connection with NAT and filtering with or without ignoring the interrupt storm. Perf was never an issue, just higher temps (it's a fanless box) and probably energy draw (i never measured that so i am not sure how much)
> I've read that the PCEngines struggles to keep up with network traffic in excess of 100Mb/s.
For reference, quick iperf3 TCP tests on my APU2 (cpu[0123]: AMD GX-412TC SOC, 998.27 MHz; em[0123] at pci[1234] dev 0 function 0 "Intel I211" rev 0x03):
LAN host <-> APU: ~410 Mbps
LAN host <-> APU (over WireGuard): ~140 Mbps
However, I've put em[123] together as a veb(4) switch without pf involvement and two LAN hosts will get almost the full gigabit between them over that. Would need something bigger if I had a faster uplink or more complex LAN requirements.
That page has some outdated information. There's an official guide on OpenBSD's own website: https://www.openbsd.org/faq/pf/example1.html - No need to rely on third party blogs with BSD most of the time. Official docs and man pages are always better and up to date.
You managed to buy an APU2 or is this existing? They are pretty much unobtainium as of now.
I ran OpenBSD on my now deceased APU2. Never had any issues as it was solid up until it died, likely from lazily leaving it in a room which routinely reaches >90 F / 32 C in the summer. When the stars align and they release the SFP version, I'm going to grab one.
It exists? I got mine from Teklager, shipped internationally. Unfortunately the SFP didn’t work with my ISP’s fibre module (it would flap). I believe this is a Linux thing though. Otherwise quite happy with it.