Last updated on August 16, 2018
For something approaching 20 years, I’ve used OpenBSD to firewall my network from the internet and provide basic network services (DHCP, DNS, NTP, VPN, etc.). Just recently I decided to retire OpenBSD and stand-alone computers from the role of firewall in favor of something smaller, lower power, and easier to manage and upgrade.
I’ve been steadily moving towards smaller and lower power systems for as long as I’ve been doing OpenBSD based firewalls. My first machines were nothing more than mid-tower desktops that I had upgraded away from. In 2000-2003 I made my first moves towards building something more specialized, when I switched from using old towers to building purpose-built micro-ATX pizza-box style machines, though still with standard Athlon XP CPUs and parts.
In 2010 I replaced the micro-ATX Athlon XP with a mini-ITX based Intel Atom D510 machine. This halved the power consumption, from somewhere around 80-100 W[1] to something closer to 40 W.
Around 2015 or so I started looking into running OpenBSD off a USB flash drive instead of a standard hard drive. Part of this was to remove the power consumption of the HDD from the equation. In this final configuration, the D510 machine with 2 NICs and 2 GB of RAM turned in at a somewhat respectable 30 W. That figure was hampered by an abysmally bad PSU with almost no power factor correction that pulled nearly 60 VA.
Low power for the sake of low power has never really been my objective. Even though I live in a developed urban area in Florida, the reliability of the power here swings wildly from unshakeable at times to completely flaky. And this isn’t counting random events like a 50 pound Royal Palm leaf falling on and breaking a power line.
Because of the variability in the power, I run all my computer gear on UPSes. In the case of my network stack (firewall, switch, WAP, and file server) this is run from a single 1500 VA UPS. More power efficient devices mean that I can keep things up longer when the power goes out, and hopefully long enough to make it through most or all of the event while still having internet access.
I hadn’t been looking at replacing my Atom based OpenBSD machine until Hurricane Irma blew through. When we got power back and I went to power it up, it was throwing a warning that it had shut down due to overheating, not power loss.
You could say that this was the last straw for me.
OpenBSD on a Memory Stick
I mentioned earlier that one thing I had done in the past was to switch from running OpenBSD on a hard drive to running it off flash memory sticks. In some ways this was really nice. Not so much for power reasons, but because in the past I’ve had upgrades go awry and ended up hunched over my iPhone trying to google how to fix something that wasn’t working.
Well, let me talk about this a little… where to begin.
The idea of running off a USB stick was partly to save a bit of power, and partly to address issues in upgrades failing then not having any internet access to figure out how to fix them.
In the broad strokes, I build my firewall images in a VirtualBox VM that is roughly configured to match the physical machine (2 NICs, 2 GB of RAM, and 2 CPUs [not that this matters]). Once I had the VM instance set up the way I wanted it, with the software I wanted running on it, I could use VirtualBox’s command line tools to convert the VDI files into raw disk images, which I could then dd or otherwise directly transfer to the USB stick.
There were some minor details I’m leaving out here — one being having to change a hostname.if file from development to production configurations — but for the most part, this was the broad overview of the process.
To get OpenBSD running on a USB stick, there are a couple of modifications you generally want to do. /var, /tmp, and to a lesser extent /dev should be run as memory-based file systems. Meaning you need to move at least /var to something like /var.skel to populate /var on boot, and manually sync changes to /var back to /var.skel occasionally and on shutdown.
The other potential issue is moving config changes (such as adding new hosts or new DNS settings) from the production machine back to the VM and the next generation image. To do this effectively, you’ll need some custom code, which I never bothered to write, to scp config files from one computer to another and then apply them as diffs or something to that effect.
Ultimately, it was these two factors, building the image with non-standard things like /var as a memory file system and having to figure out how to port configurations to the new version, that were making me rather tired of this whole process.
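The boot-time populate, sync-back, and config-export steps described in the two passages above, as an added example (not the post’s own scripts). It assumes the post’s /var.skel layout, the fstab lines and VBoxManage/dd commands shown in the comments, a placeholder USB device name, and a default list of config files to export; the functions take their paths as arguments so they can be tried on scratch directories first.

```shell
#!/bin/sh
# Added example, not code from the post. Helpers for a flash-resident OpenBSD
# layout where /var is a memory file system (mfs) filled from /var.skel at boot
# and written back to the stick before shutdown. Paths are parameters so the
# functions can be exercised on scratch directories; defaults are the post's.
#
# Assumed fstab lines (sizes are illustrative, in 512-byte sectors):
#   swap /var mfs rw,nodev,nosuid,-s=262144 0 0
#   swap /tmp mfs rw,nodev,nosuid,-s=131072 0 0
#
# Assumed image build step on the VirtualBox host (device name is a placeholder):
#   VBoxManage clonehd firewall.vdi firewall.img --format RAW
#   dd if=firewall.img of=/dev/rsdNc bs=1m

# copy_tree SRC DST: replicate a directory tree, preserving modes (and owners
# when run as root), via tar so symlinks, sockets and empty dirs survive.
copy_tree() {
    src=$1 dst=$2
    [ -d "$src" ] || { echo "copy_tree: missing $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    (cd "$src" && tar cf - .) | (cd "$dst" && tar xpf -)
}

# populate_var SKEL LIVE: run early at boot, after the empty mfs is mounted on
# LIVE, so daemons find /var/log, /var/db, /var/run etc. already in place.
populate_var() {
    skel=${1:-/var.skel} live=${2:-/var}
    copy_tree "$skel" "$live"
}

# sync_var SKEL LIVE: persist the running /var (dhcpd leases, package db,
# rotated logs) back to the stick. The copy goes to a sibling directory first
# and is swapped in with rename, so a power loss mid-write leaves the previous
# skeleton intact instead of a half-written one, and files deleted from LIVE
# do not linger in SKEL.
sync_var() {
    skel=${1:-/var.skel} live=${2:-/var}
    rm -rf "$skel.new" "$skel.old"
    copy_tree "$live" "$skel.new" || return 1
    if [ -d "$skel" ]; then
        mv "$skel" "$skel.old" || return 1
    fi
    mv "$skel.new" "$skel" || return 1
    rm -rf "$skel.old"
}

# var_in_sync SKEL LIVE: exit 0 when the two trees match, 1 otherwise. Meant
# for a periodic job that only writes to the flash when something changed.
var_in_sync() {
    skel=${1:-/var.skel} live=${2:-/var}
    diff -rq "$skel" "$live" >/dev/null 2>&1
}

# export_config ROOT OUT [FILE...]: bundle the hand-edited configuration from a
# production box (paths relative to ROOT) so it can be copied into the build VM
# and unpacked with "tar xpf bundle.tar -C /" before the next image is cut.
# The default file list is an assumption about what this firewall role carries.
export_config() {
    root=$1 out=$2; shift 2
    if [ $# -eq 0 ]; then
        set -- etc/pf.conf etc/dhcpd.conf etc/hosts etc/ntpd.conf
    fi
    (cd "$root" && tar cf - "$@") > "$out"
}
```

Hook populate_var into the boot sequence before the network daemons start and sync_var into /etc/rc.shutdown (and a periodic job guarded by var_in_sync); the rename-based swap in sync_var is the part worth keeping even if the rest is adapted, because a stick that loses power halfway through a copy is exactly the failure mode this setup exists to survive.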
OpenBSD’s release cycle didn’t help either; not that there was anything wrong with it. They released new versions every 6 months, and the installers for the new versions could only upgrade from the previous version. So you had to keep on top of updates — which isn’t a bad thing — and at 6 months it was just infrequent enough that I’d be forgetting the little details by the time I was doing it again. (It didn’t help that as the OpenBSD project made improvements and changes the install process changed too.)
Ubiquiti EdgeRouter X
OpenBSD had my back for 20 years, so moving to something else was definitely a change. The question then became what to pick.
I’ve been following Ubiquiti’s products for a while now. I wanted to upgrade my wireless network to their UniFi wireless access points when I was doing that upgrade — and didn’t, largely because I cheaped out, and yes, I regret it. And I’ve seen a lot of positive things about their EdgeRouter series of “carrier grade” mini-routers. Plus the EdgeRouter X was dirt cheap, like cheaper than a fancy Asus router/WAP cheap, like $50 cheap.
And did I mention the power consumption? Without PoE enabled, the ERX maxes out at 5 W. That’s 1/6 of the measured wattage my old firewall was drawing (and 1/10-1/12 of the actual power draw on the UPS).
This is going to be fantastic for keeping my network stack online in power outages. The last time I lost power and shut down my server, my UPS reported that I had about 5000 seconds (83 min) of uptime. With the new EdgeRouter X online and my old OpenBSD firewall decommissioned, the UPS reports 4300 seconds (71 minutes) without even turning off my server.
Plus there are a number of ancillary aspects that will be nice to have. For example, I don’t have to worry about the power failing and the router not syncing config changes to the flash. With the ERX, you commit those changes to flash when you make/test them, and you don’t have to worry about how it powers off.
So aside from being much lower power, how does the ERX stack up to the old OpenBSD box?
Well, to start with, upgrades are easier. Simply download the new firmware image from ubnt.com and upload it through the GUI to the router. Settings are persisted/converted to the new firmware, and there’s no long slog of trying to get things to work right.
Secondly, there’s a very nice web GUI. Well, I think it’s very nice at least. I’m more than comfortable working in the command line, but for some things it’s really nice to just be able to pop open a browser and do something with an easy to understand GUI. Plus the ERX reports on the bandwidth traveling over various ports, and can even do deep packet inspection to look at how your bandwidth is being used.
All told, I really like the ERX. It’s different, and that’s a source of some learning curve — which has been doubly hard given that I’m still recovering from dealing with hurricane Irma — but it’s been smooth enough. I had the ERX up and running and completely fulfilling the roles of my OpenBSD machine. While it’s different, it’s not been an unreasonable process and there’s quite a lot of information available for configuring the ERX online.
Sadly, it seems like this is the end of my use of OpenBSD. In my experience, it’s been a truly reliable and secure OS. Moreover, it’s been a great platform for the router/firewall environment that it’s been handling. In some ways, I’m definitely a little sad to be giving it up. That said, while OpenBSD has been keeping up with modern practices and computing, I haven’t. In fact, I’m becoming less and less interested in dealing with the ins and outs of computing the way I have in the past. This ultimately means that while I certainly can manage an entirely custom firewall build, I ultimately don’t want to.
[1] TDP of 51 W, plus overhead of board, NICs, and hard drive.