
RT-AX88U Swapfile

I personally never run it on a VM, but I believe they solved this issue:
https://redmine.pfsense.org/issues/8954
Other people say it also works with VT-d enabled, if supported.
https://software.intel.com/en-us/ar...ms-for-efficient-virtualization-of-io-devices

Don't know if that would apply to Xen (my Qotom runs XCP-NG). I only experimented with OpnSense a bit last year (overall it felt nicer than pfsense, where some of the stuff I wanted to test with it didn't even work properly - namely that DPI engine whose name I forgot).
 
Don't know if that would apply to Xen

OK, you like to complicate things too much. :)
Intel VT-d needs software support too. For testing purposes VM is good, but I wouldn't share a working network Firewall on a VM.

namely that DPI engine which's name I forgot).

OPNsense uses the Suricata engine, pfSense has Snort and Suricata available. pfBlockerNG doesn't work in OPNsense, they have some workaround for IP/DNS filtering, but automatic updating of lists is an issue. At least it was a few months ago when I played with it. Finding information about OPNsense is the major problem. You ask something and the first results in Google are for pfSense, thinking you made a typing error or something.
 
That was suricata. The pfsense updater didn't work when I tested it, but the Opnsense one did.
 
That was suricata. The pfsense updater didn't work when I tested it, but the Opnsense one did.

It's working now on pfSense, but Snort rules (in case one wants to use them too in Suricata) require Registration or Subscription, otherwise only GPLv2 Community Rules are available. I use ETOpen rules, still free to use. Can't blame Talos (Snort) though, a lot of research is involved in packet inspection security. What I couldn't manage to do on OPNsense is blocking per IP first and then seeing more details of what it was in Suricata. In pfSense it works with the same category lists in pfBlockerNG and then the same category rules in Suricata. At the same time I had to be careful with wife rules... I have both Subscription and Registration there, no choice. :)
 
An alternative to a Qotom, is an APUx from the Swiss company PC Engines.

https://www.pcengines.ch

The APU2C4 and the successive D and E revisions are also popular choices for building a personal firewall. It's a 64-bit platform with an embedded AMD G series GX-412TC 1 GHz CPU that supports, amongst other things, AES-NI and ECC RAM (make sure you get the 4GB version and upgrade it to at least BIOS v4.8.0.5 Mainline to get ECC support). No VGA, serial only.

PC Engines - BIOS
https://pcengines.github.io

TinyCore Linux to upgrade BIOS
https://pcengines.ch/howto.htm#TinyCoreLinux

pfSense Router : I assemble and review a router based on the PCEngines APU2C4

OS install
https://pcengines.ch/howto.htm#OS_installation

Choose OS image
https://opnsense.org/download/
https://www.pfsense.org/download/
https://www.ipfire.org/download/ipfire-2.23-core139

Write image to USB stick.
https://www.balena.io/etcher/

On a ***Sense (Free/HardenedBSD) installation you can expect a 500 to 600 Mbit/s throughput. If you install IPFire or OpenWRT (Linux) you will get gigabit throughput easily.

There are, however, tweaks that promise gigabit throughput from a ***Sense installation as well.

https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/
https://teklager.se/en/knowledge-base/opnsense-performance-optimization/

As always, choose hardware based on your expected user scenario.

PC Engines - Shop
https://www.pcengines.ch/newshop.php?c=4

~$150US APU2E4 4GB ECC RAM/16GB M-Sata SSD/Case/AC adapter

Don't forget a null modem cable.
 
Continue inventing Reboot and Reset procedures in consumer routers. :)

'Inventing'? Hardly! ;)

I've always stated that I have simply collected and organized the procedures that have been proven to work to get a router to a good/known state. Mostly from older posts from the many contributors here and from my own experiences in this field while I followed in their footsteps.
 
An alternative to a Qotom, is an APUx from the Swiss company PC Engines.

Good little boxes, but for a similar price all Intel based Qotom or Protectli (more expensive) offer more power and flexibility. I don't like to buy hardware just enough for today. What PC Engines offer is easily replicated with an HP t620 Plus thin client + Intel NIC PCIe card. And the HP version is faster, actually. PC Engines hardware is more power efficiency oriented. I was looking at PC Engines too, but decided to go a different way.
 
I know the limitations very well, but I don't like many devices. I use only a MacBook, a bootable pendrive with Arch Linux (for when you need the sys admin), an active router (AC86U) and an inactive one (AC68U).
With my active services and memory management, I can maintain some interesting services on the AC86U. 89% ram.
 
