OpenBSD routers on AliExpress mini PCs
Oliver Lowe
I posted Another successful OpenBSD setup to the fediverse and got lots of questions. This is something I’ve wanted to write about for years now. Better now than never!
OpenBSD is one of my favourite operating systems. I’ve been using it on my workstations and laptops for almost 10 years now - even at my workplace! But this isn’t where OpenBSD really shines.
Two major problems with consumer-grade routers provided by internet service providers:
- They suck
- They’re boring!
I discovered a whole suite of cool network software in the default OpenBSD installation. It’s what makes OpenBSD perfect for edge/gateway network devices. So we’ve got some nice software – what about some hardware to run it on?
Discourse’s Scooter Computers
Jeff Atwood of Coding Horror, Stack Overflow etc. fame posted the blog article The Scooter Computer, saying of standard residential network devices:
Let’s face it: this is just a little box that runs a chopped up version of Linux, with a bit of specialized wireless hardware and multiple antennas tacked on … that we’re not even using. So when it came time to upgrade, we wondered:
Why not just go with a small box that can run a real, full Linux distro? Wouldn’t that be simpler and easier to keep up to date?
So then I wondered: why not run real, full OpenBSD on these boxes? Hardware support for OpenBSD isn’t as complete as for Linux, though… Challenge accepted!
Chinabox install
My most recent purchase is the XCY Firewall Appliance Mini PC for AUD140 (approx. $90 US, 85€). I affectionately call these devices chinaboxes. This chinabox came in some tidy cardboard, packed with foam. There’s also a VESA mounting plate thing and SATA cables:
It feels solid; it’s surprisingly heavy for its size.
It’s easy to get inside the box; just 4 Phillips head screws. Inside seems neat and tidy:
Time to power it on! Of course it comes with some kind of maybe-kinda-probably-not licensed Windows (10?) with user “Admini”:
But we’re not interested in Windows right now - if ever ;)
So I rebooted and got into the EVALUATION COPY BIOS:
Running OpenBSD on x86 PCs often involves turning off or tweaking a bunch of things in the BIOS. But I only ended up doing a couple of minor things. To get the device to behave more like other networking equipment, I set the device to always power back on after power loss:
Secure Boot is unsupported by OpenBSD so I disabled that:
Finally I found some setting mysteriously called “OS Selection”. I reset this from Windows to Linux. If anyone has more info on what this could be please let me know!
Booting into OpenBSD over the network by PXE and also by USB started off fine:
For those unfamiliar, the OpenBSD process is super straightforward with basic plain text prompts:
Success!
Where it will sit for a (long) while:
And as a bonus my old firewall still humming along:
Tech specs
See also dmesg output at the bottom of this article.
- Intel Celeron N2830, 1MB Cache, dual-core.
- 4 Intel I225V 2.5Gb network interfaces supported by igc(4)
There’s a lot of different hardware configurations available from the manufacturer. It’s probably best to see the original item listing at XCY Firewall Appliance Mini PC. In particular it would be good to upgrade this 10+ year-old CPU to something like the Intel N100.
Interesting Fediverse replies
It’s highly recommended to read through the replies to Another successful OpenBSD setup. Some highlights follow.
Warning! Prefer Intel I226 NICs
atx@hachyderm.io offers a good tip about NICs which I also ran into at a place I worked:
Nice write up. Watch out for the 225 NIC; there are versions that are really bad and they’re known to show up on cheap Chinese hardware. It’s worth the extra $20 to make sure you get the 226s.
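To see which controller a box actually shipped with, the igc(4) attach lines in dmesg carry the model and revision. The script below is an added example, not from the original post or the replies: the function names are made up for illustration, and it flags every I225 for manual review because the tip does not say which versions are the bad ones.

```sh
#!/bin/sh
# Added example, not from the original post.

# sample_dmesg: the ppb0/igc0/igc1 lines are copied from the dmesg at the
# bottom of this article; the I226-V line is constructed for contrast.
sample_dmesg() {
    cat <<'EOF'
ppb0 at pci0 dev 28 function 0 "Intel Bay Trail PCIE" rev 0x0e: msi
igc0 at pci1 dev 0 function 0 "Intel I225-V" rev 0x03, msix, 2 queues, address 00:e0:1d:95:95:99
igc1 at pci2 dev 0 function 0 "Intel I225-V" rev 0x03, msix, 2 queues, address 00:e0:1d:95:95:9a
igc2 at pci3 dev 0 function 0 "Intel I226-V" rev 0x04, msix, 2 queues, address 02:00:00:00:00:01
EOF
}

# igc_audit: read dmesg text on stdin and print one line per igc device:
#   <ifname> <model> <rev> <mac> <verdict>
igc_audit() {
    awk '
    /^igc[0-9]+ at pci/ {
        ifname = $1
        model = "unknown"; rev = "unknown"; mac = "unknown"
        # Model is the quoted PCI name with the "Intel " prefix stripped.
        if (match($0, /"Intel [^"]+"/))
            model = substr($0, RSTART + 7, RLENGTH - 8)
        if (match($0, /rev 0x[0-9a-fA-F]+/))
            rev = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /address [0-9a-f:]+/))
            mac = substr($0, RSTART + 8, RLENGTH - 8)
        # Every I225 is flagged: the revision is printed so it can be
        # checked by hand against known-bad steppings.
        verdict = (model ~ /^I225/) ? "REVIEW" : "OK"
        print ifname, model, rev, mac, verdict
    }'
}

# igc_review_count: read dmesg text on stdin, print how many NICs were flagged.
igc_review_count() {
    igc_audit | awk '$5 == "REVIEW" { n++ } END { print n + 0 }'
}

sample_dmesg | igc_audit
```

On the router itself, pipe `dmesg` (or /var/run/dmesg.boot) into igc_audit instead of the sample.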
BIOS/Firmware updates
cmnybo@discuss.tchncs.de asked:
Do any of those cheap Chinese computers ever get any firmware or bios updates?
None that I’m aware of, which sucks. However benja@ohnepunktundkomma.org let us know that coreboot may be available:
some of these boxes can run with #coreboot, so the #firmware is #opensource too. Protectli ported coreboot for their hardware, and with a little research you can find this hardware on aliexpress, of course under a different name.
Why?
Sorry for my ignorance I tried googling but what is this exactly? A server for files or? A media server?
Anything! It’s now a plain old server connected to the internet with a static IPv4 address and a /48 IPv6 subnet! relayd(8) is used as an HTTP reverse proxy and generic TCP proxy for internet services and custom software I write. For example:
- a public DNS-over-TLS resolver at dns.srcbeat.com:853,
- an ActivityPub to SMTP relay experiment
- ad-hoc file/video sharing
TP-Link switch
that tp-link probably negates anything remotely resembling security on its own.
Yes, having a managed switch is so surplus to requirements. I bought this one in a rush as it was cheap and had PoE. If anyone knows of an 8-port unmanaged PoE switch please let me know! Or reply to Another successful OpenBSD setup via ActivityPub (Mastodon, Lemmy, KBin… you all know who you are ;) ).
dmesg
OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1992646656 (1900MB)
avail mem = 1911365632 (1822MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecdc0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 11/23/2022
bios0: INTEL J1900
efi0 at bios0: UEFI 2.4
efi0: American Megatrends rev 0x5000a
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG LPIT HPET SSDT SSDT SSDT UEFI CSRT
acpi0: wakeup devices PS2K(S3) PS2M(S3) XHC1(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) BRCM(S0) BRC3(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N2840 @ 2.16GHz, 2167.07 MHz, 06-37-08, patch 00000838
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 24KB 64b/line 6-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU N2840 @ 2.16GHz, 2167.25 MHz, 06-37-08, patch 00000838
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 24KB 64b/line 6-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 87 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x00000010 0x00000011 0x00000000
"DMA0F28" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"BCM4321" at acpi0 not configured
"BCM2E1A" at acpi0 not configured
"BCM4752" at acpi0 not configured
"INTCF0B" at acpi0 not configured
"INTCF1A" at acpi0 not configured
"INTCF1C" at acpi0 not configured
"SMO91D0" at acpi0 not configured
"MXT3432" at acpi0 not configured
iosf0 at acpi0 MBID
"PNP0A06" at acpi0 not configured
acpicpu0 at acpi0: C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PLPE
acpipwrres1 at acpi0: PLPE
acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
acpipwrres3 at acpi0: CLK0, resource for CAM1
acpipwrres4 at acpi0: CLK1, resource for CAM0, CAM2
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround
cpu0: Enhanced SpeedStep 2167 MHz: speeds: 2159, 2158, 1992, 1826, 1660, 1494, 1328, 1162, 996, 830, 498 MHz
pci0 at mainbus0 bus 0
iosf1 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0e: mbi
inteldrm0 at pci0 dev 2 function 0 "Intel Bay Trail Video" rev 0x0e
drm0 at inteldrm0
inteldrm0: msi, VALLEYVIEW, gen 7
ahci0 at pci0 dev 19 function 0 "Intel Bay Trail AHCI" rev 0x0e: msi, AHCI 1.3
ahci0: port 1: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 1 lun 0: <ATA, SATA SSD, SBFQ> t10.ATA_SATA_SSD_231208AA00479_
sd0: 61057MB, 512 bytes/sector, 125045424 sectors, thin
xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0e: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Bay Trail TXE" rev 0x0e at pci0 dev 26 function 0 not configured
azalia0 at pci0 dev 27 function 0 "Intel Bay Trail HD Audio" rev 0x0e: msi
azalia0: no supported codecs
ppb0 at pci0 dev 28 function 0 "Intel Bay Trail PCIE" rev 0x0e: msi
pci1 at ppb0 bus 1
igc0 at pci1 dev 0 function 0 "Intel I225-V" rev 0x03, msix, 2 queues, address 00:e0:1d:95:95:99
ppb1 at pci0 dev 28 function 1 "Intel Bay Trail PCIE" rev 0x0e: msi
pci2 at ppb1 bus 2
igc1 at pci2 dev 0 function 0 "Intel I225-V" rev 0x03, msix, 2 queues, address 00:e0:1d:95:95:9a
ppb2 at pci0 dev 28 function 2 "Intel Bay Trail PCIE" rev 0x0e: msi
pci3 at ppb2 bus 3
igc2 at pci3 dev 0 function 0 "Intel I225-V" rev 0x03, msix, 2 queues, address 00:e0:1d:95:95:9b
ppb3 at pci0 dev 28 function 3 "Intel Bay Trail PCIE" rev 0x0e: msi
pci4 at ppb3 bus 4
igc3 at pci4 dev 0 function 0 "Intel I225-V" rev 0x03, msix, 2 queues, address 00:e0:1d:95:95:9c
pcib0 at pci0 dev 31 function 0 "Intel Bay Trail LPC" rev 0x0e
ichiic0 at pci0 dev 31 function 3 "Intel Bay Trail SMBus" rev 0x0e: apic 1 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-12800 SO-DIMM
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: NCT6779D rev 0x62
lm1 at wbsio0 port 0xa20/8: NCT6779D
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
efifb at mainbus0 not configured
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (2e7ae45a34eda944.a) swap on sd0b dump on sd0b
WARNING: / was not properly unmounted
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)