apu4d4

I was looking for a way to use FreeBSD as router OS in my home. Its purpose was to route OpenVPN traffic from and to my network, so that an individual host configuration becomes unnecessary. My first setup was based on a raspberry pi and that works good enough and is so simple, that it can easily be fixed if something breaks.

I further improved the setup and installed a local DNS recursor in order to get DNS under my control. That allowed me to name my devices relative to a local domain, optimize the recursor cache to my needs and use DNS servers from the opennic project for which I needed the cache optimizations the most.

The old FritzBox and my problems with it

I used this setup for more than a year and was really satisfied with it, but it had a bottleneck in performance: My old FritzBox, which has no 5GHz WLAN support and is so old, that I am afraid to meantion its model in this blog post. The biggest issue with the FritzBox was however, that it has the DHCP leases list and tries to reassign the same IP to the same devices again, but from my experience this only works as long as there are no duplicate mac-addresses in the list and the list is kept somewhat short. I managed to break it several times and that caused the FritzBox to reject new devices. The hotfix for that was then to remove ‘unused connections’ from the list:

screenshot of the FritzBox web interface

To fix these issues with my FritzBox I first considered to buy again some dsl-wlan-router, but the first ‘but’ was, that I could not find any router with an open-source dsl modem in it. That made me think on how I could use my FritzBox as pure DSL modem and have wlan-router do the rest. The Netgear Nighthawk R7800 seems to be a good choice when it comes to openwrt on a router and also the Mikrotik ROUTERboard was considered by me. I will not go into the details, why I decided against these, because that is not only objective.

But a requirement for me arose out of these considerations: I wanted more flexibility with my setup and be able to replace individual parts, so that an upgrade of the WLAN would never again force me to change the hole setup. I found that interesting, because it lead me to the classic thought approach of having a dedicated access point, router and modem as the best solution for me.

The Ubiquity UniFi 6 Lite

I started by upgrading the WLAN with an Ubiquity UniFi 6 Lite Access point, because in my home all WLAN channels are already taken by others and I wanted to be able to compete in this environment again.

Image of the UniFi 6 Access point

This Access point does not provide a web interface for configuration. Instead it uses the so called UniFi Controller, a Java program (listening for HTTPs on port 8443), which can be installed on a number of operating systems via package manager, but it is also possible to buy prepared hardware with it. To keep things short: It is possible to run the program on any java supported hardware architecture theoretically, but it has mongodb as a dependency and it takes forever to compile mongodb. That disqualifies any OS to be used as UniFi Controller, which does not have binary packages for mongodb. A dedicated raspberry pi with linux works, but with FreeBSD it is not enjoyable, because it has to be compiled from source- on ARM at least.

The pc-engines APU2 platform and apu4d4 board

Here comes why I started to wonder how I could replace my raspberry pi with something, which has a little bit more juice to it and is based on a x86_64 architecture. My first prototype I based on Gigabyte j1900n-d3v computer, which I had laying around. Its main disadvantage was, that it could not boot without having a monitor connected and my attempts to fix that let me to manually update its bios with an in-system-programmer. I will keep that story for later. The device worked very good once it was up though.

Image of the APU4d4 board connected to a FritzBox

I researched further and found a little single board computer, which is said to be used by many for FreeBSD: The apu2 system. I ordered the version with 4 gigs of RAM and four network ports:

The apu4d4,
a case for it
the wall mount brackets

My first impressions were a bit mixed I have to confess, because its performance was not as good as with my J1900 based board and I had to reconfigure FreeBSD and set kern.ipc.nmbclusters=1001584 to have enough buffer memory for all four network cards. That fixed an issue for me, where FreeBSD logged, that the interface went down and up again.

These problems solved n the other hand:

It has a nice serial console
no trouble booting without a monitor connected
It uses the trustworthy open source seabios
It has more network ports
it boots quicker
its case is smaller

But what really starts to convince me, that this was a good decisition is, that it works reliably and that it would not be such a big deal to set up another device like that as with the J1900 board. That makes the setup easier to fix and/or keep a fallback device, which I found convinient with my raspi. Performance wise it is a good compromise between the raspberry pi and the J1900 processor, especially because it has hardware AES and that makes it somewhat harder in my use case to compare the solutions.

I am still evaluating and cannot say for sure if this will remain my preferred solution. But if I would decide to buy another of these boards, I would probably ask for the ECC RAM version of it, because that would possibly make it a really nice file server as well. This version of the APU should work exceptionally good to run OPNSense if you are looking for a trusworthy firewall system. I am not using it, because I am not planning to have a dedicated firewall and will be running further services on it so that the attack vector increases beyond a point where I would still use the system as a firewall.

Conclusion

Here in Germany we use to have WLAN-DSL-routers and until 2016 these were also part of the contract with the German service providers. That makes it hard to explain, why a setup with dedicated devices for routing, WLAN access and a separate modem are useful. I think, that this story was necessary for me to understand it and because I want to avoid unnecessary new acquisitions, I think it makes sense to separate the devices for now and at least until there is an open source DSL modem available.