in Technology , 240 references
I finally got my hands on one of these things....
Which one? The apu2c0, which is a 2-Gigabit Ethernet, quad-core AMD, 2Gb RAM single board computer that is fanless, runs on 12v and has AESNI instructions in it along with a very nice assortment of options for storage and similar.
Specifically, it contains two mPCIe slots and one mSATA slot internally, plus an SD card slot -- all inside. It also has an RTC (battery backed) so it's basically a "tiny PC."
It quite nicely runs a bone-stock AMD64-bit FreeBSD distribution right out of the box, but since it will boot from the SD card you have even more options -- like running NanoBSD (normal operation in "read-only" mode) which makes it incredibly "hardened" in terms of risk of corruption from power interruption and similar events.
And oh by the way, the Gigabit interfaces are the modern ones -- they attach on the igb driver, not the older em. This means they have hardware-assisted checksumming for both IPv4 and V6, TSO and jumbo frame support plus the now-obligatory VLAN capability.
In short this damn thing is fast.
Since it can handle AES-NI internally it also makes a very dandy IPSEC gateway, should you decide you want to use one built into it (e.g. VPN.)
It boots off the serial port which is its console, so you need a null modem cable to configure it, assuming you want to change the defaults. But you don't need to -- as it comes you can stuff an SD card or mSATA bootable device in it and it will find it and boot from it right up front.
The Pi3 is not a bad little firewall for $35. But frankly, if you have any sort of "fast" connection you will saturate it's ability to move packets. It's just not that fast.
For about $100, however, this thing is a beast that punches well above its weight and since it's cooled by a heat spreader that transfers the CPU heat to the aluminum case it's also fanless and damn near indestructible. When it comes to packet forwarding and firewalling it is a screaming buy for anyone who wants a high-performance, rugged gateway box that you can stuff in a closet somewhere and have it "just work." Since it has front-facing USB ports you can even get cute and put private keys on a USB stick, insert during boot and then yank it with appropriate configuration -- which means if someone steals it they get nothing. (Of course this means it also can't come back online to run IPSEC unattended; that may or may not matter to you.)
There's only one "gotcha" -- it comes from Switzerland and the postal service will screw around with the package since the seller sends it registered mail. This means it may well take 2-3 weeks to get it once you order it, but trust me -- it's worth it.
I like this thing.
I have a bootable image for it containing all the typical firewall requirements in "NanoBSD" mode (but not the StrongSwan IPSEC package although I could certainly add it) that will come up, get an address on the first interface, and can then be logged into and configured as you wish -- but it's (quite) large; if someone has a place I can dump it who doesn't care about the size of the transfers involved in distributing it, or if you wish to toss me an SD card of 8Gb capacity or more in the mail with a SASE for its return I'll happily copy it on the card for you. The compressed image is ~650Mb and expands to 6Gb in size, which is appropriate to write onto an 8Gb or larger full-size SD card.