Better firewall
I had no idea Via CPUs had built-in hardware encryption. Apparently this has been the case for a while. Of course I discovered this right after I ordered my parts and made my last blog post. After some research, it also appeared that support for it seemed to be built into Vyatta, the firewall distribution I intend to install.
I spent a few days trying to figure out if going with Nano, a single threaded CPU with hardware encryption, would benefit us more than the multithreaded Atom CPU that I originally purchased. I knew the Atom would be a better multitasker than the low powered Via Nano (U2300) I was looking at, but I was always unsure about how much VPN traffic it could push.
I tried looking around for benchmarks, but there wasn’t much useful information out there. I guess people who like to build low energy systems don’t do as much benchmarking as people obsessed with having the fastest gaming rigs.
It finally occurred to me to examine the hardware specs of the appliances that Vyatta sells. I immediately discovered that their Vyatta 514 appliance uses an older 1 GHz Via CPU. Not only that, but the specs say it can do L3 forwarding at 200 Mbps, and VPN forwarding at 113 Mbps (IPsec).
I was sold on moving to the Via CPU with hardware encryption/decryption.
Here’s my latest parts list. I also reduced the size of the flash here to keep the total below $400 without shipping or tax.
- Jetway NF76-N1GL-LF- $140
- AD3RTLANG – Jetway 3 x Gigabit LAN Daughter board – $48
- picoPSU-150-XT + 102W Adapter Power Kit – $70
- M350 Universal Mini-ITX enclosure – $40
- 4GB 40 pin Embedded Disk Card 4000 – $58
- 2GB DDR2 Memory – $28
Hopefully I’ll know by the end of next week whether or not these parts will all play nice together.
I am also interested in this mainboard, but there is a bug in the virtualization feature of the Nano stepping 2. This should be solved with stepping 3. Could you check the stepping of the CPU?
–
Hans
I won’t have it until tomorrow. I’ll try to figure it out by the end of the week but I’m not sure when I’m going to have time to do the system build yet.
FYI, I purchased this motherboard on eBay from Jetway’s USA distributor.
http://myworld.ebay.com/jetwayproducts/
http://www.jetwaycomputer.com/
It’s $30-$40 cheaper than every other place I saw it.
Sorry, looks like stepping 2 on the board I got.
-Josh
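As an added check (example code, not part of the original post or of Vyatta's tooling): the two questions raised so far, what stepping the Nano is and whether the hardware crypto the build is banking on is actually present and in use, can both be answered from /proc. Linux reports the VIA PadLock units as cpuinfo flags (rng, ace, ace2, phe, pmm, each with an *_en twin that says the BIOS enabled it), and /proc/crypto shows which driver backs the aes cipher, so you can tell hardware AES from software AES without benchmarking. The cpuinfo and crypto files below are constructed samples; the model number and flag list in them are illustrative, not values measured on the U2300.

```shell
#!/bin/sh
# Added example, not from the original post or from Vyatta. Two checks for the
# Nano box: does the CPU expose VIA PadLock (and has the BIOS enabled it), and
# is the running kernel actually using it for AES? On a real system point the
# functions at /proc/cpuinfo and /proc/crypto; the files written below are
# constructed samples so the script runs anywhere.

# Print "family model stepping" for the first CPU in a cpuinfo-format file.
cpu_stepping() {
    awk -F': ' '
        /^cpu family/   { fam = $2 }
        /^model[ \t]*:/ { mod = $2 }
        /^stepping/     { print fam, mod, $2; exit }
    ' "$1"
}

# PadLock feature flags the CPU reports, as Linux names them:
#   rng/rng_en   hardware RNG            ace/ace_en  AES engine
#   ace2/ace2_en AES engine, 2nd gen     phe/phe_en  SHA engine
#   pmm/pmm_en   Montgomery multiplier (RSA)
# A bare flag means the silicon has the unit; the *_en twin means the BIOS
# turned it on. Without *_en the kernel driver will not bind to it.
padlock_flags() {
    awk '/^flags/ { print; exit }' "$1" \
        | tr ' ' '\n' \
        | grep -E '^(rng|ace|ace2|phe|pmm)(_en)?$' \
        | LC_ALL=C sort -u \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# True only if the AES engine is present AND enabled.
aes_engine_enabled() {
    case " $(padlock_flags "$1") " in
        *" ace_en "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Highest-priority kernel driver registered for the "aes" cipher in a
# /proc/crypto-format file. "aes-padlock" means PadLock is doing the work;
# "aes-generic" (or aes-i586 / aes-x86_64) means software AES, which is what
# you get when the kernel lacks, or has not loaded, padlock-aes.
aes_driver() {
    awk -F' *: *' '
        /^name/     { name = $2 }
        /^driver/   { drv = $2 }
        /^priority/ { if (name == "aes" && $2 + 0 > best) { best = $2 + 0; bestdrv = drv } }
        END         { print bestdrv }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed /proc/cpuinfo excerpt: a VIA Nano with every PadLock unit enabled.
cat > "$tmp/cpuinfo" <<'EOF'
processor       : 0
vendor_id       : CentaurHauls
cpu family      : 6
model           : 15
model name      : VIA Nano processor U2300@1000MHz
stepping        : 2
flags           : fpu pae cx8 sep mtrr pge cmov pat clflush mmx fxsr sse sse2 ssse3 nx lm vmx rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
EOF

# Constructed /proc/crypto excerpts: kernel with padlock-aes loaded, and without.
cat > "$tmp/crypto_hw" <<'EOF'
name         : aes
driver       : aes-padlock
module       : padlock_aes
priority     : 300
type         : cipher

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
type         : cipher
EOF
cat > "$tmp/crypto_sw" <<'EOF'
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
type         : cipher
EOF

echo "cpu family/model/stepping : $(cpu_stepping "$tmp/cpuinfo")"
echo "padlock flags             : $(padlock_flags "$tmp/cpuinfo")"
if aes_engine_enabled "$tmp/cpuinfo"; then
    echo "AES engine                : present and enabled"
else
    echo "AES engine                : missing or disabled in BIOS"
fi
echo "kernel aes driver, padlock loaded     : $(aes_driver "$tmp/crypto_hw")"
echo "kernel aes driver, padlock not loaded : $(aes_driver "$tmp/crypto_sw")"
```

The kernel check matters more than the flags check: a distribution kernel that does not ship or autoload padlock-aes will happily report ace_en in cpuinfo while every IPsec packet is encrypted in software, and the only symptom is throughput well short of the appliance figures quoted above.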
Thanks for checking.
–
Hans
Hey Josh,
Any luck on your firewall? I’m looking to do something similar to your first hardware configuration.
Regards,
SaltH20Fish
I’ve been meaning to do another followup post. It’s still a work in progress. Basically the kernel in the current Vyatta Community release doesn’t have full Nano support yet. So I embarked on attempting to compile a custom Vyatta distribution for my hardware. A little trickier than I initially anticipated.
I switched to a picoPSU-120, as that is a 20 pin ATX power supply and the 150 was a 24 pin. I bought a 24 to 20 pin cable and intend to keep the original 150 watt version for use with the original dual core atom board I purchased. I wanted my firewall build to be perfect though.
I haven’t had much time to do any testing, but the Realtek NICs do all seem to be detected in Vyatta community 5.
Hope this helps.
Joshua,
I found your blog while googling around for anyone who has used this same Jetway setup with Vyatta. I was intrigued by the multi-port board. So far, you are the only one I have found, so I am anxiously waiting to see how you make out.
I do know from my googling that the paid build of Vyatta 5 has some Via patches in it that are not part of VC5, and from what I can tell, VC5 isn’t being updated any further. I have found that VC5 recognizes Realtek NICs, but in my testing with an AMD / Gigabyte machine, I have found that it is using an older driver and, even though I am specifying 100 megabit full duplex, it is staying in autonegotiate mode. Because of this, I am getting tons of Ethernet errors. I want to try and update the Realtek drivers in RC5 before procuring the Jetway hardware.
I have set up a Debian build machine and followed docs on configuring the build environment, but so far I haven’t been able to complete a build. I wanted to do a full build from source as a proof before attacking the Realtek drivers, but the process dies about an hour into my build with an error.
Please do post your experiences as you work on this project, including anything you figure out about building from source. I would love to contribute my $.02 whenever I can with the little spare time I have.
Hi,
I really should do another post. While I haven’t touched the firewall in a few weeks, there is stuff I’ve done that I haven’t posted about. Right now it’s sitting on my network, I have one test virtual machine using it as a gateway, and I had gotten WAN load balancing working. But I’m still quite a bit away from actually replacing my old firewall.
Regarding your problems with the NIC, I’ve never used VC5, and I haven’t used my custom build enough yet to know if there are problems.
What I am using is a custom built ISO of Jenner, with a few modules updated to Kenner code (the kernel, vmware tools, and one other component that I can’t think of at the moment–I want to say wanpipe, but I’m not 100%).
Have you seen the roadmap? http://vyatta.org/documentation/product-roadmap
Just because the commercial stuff isn’t readily available as packages doesn’t mean it’s not available. All the open source components can be grabbed and made into an ISO at any time. You just won’t have access to an update server.
I’ll try to do a post next week, but I can’t promise. I don’t even have my debian build environment set up right now as I reinstalled my laptop with the final version of Windows 7 recently.
Oh, and in case you missed the followup post to this one:
http://www.alexanderinteractive.com/blog/2009/10/firewall-the-continuing-saga-of.html
I did 4 total posts on the hardware build just because I kept making tweaks to it (and a mistake here and there as well).
FYI, it seems like Vyatta is releasing isos of VC6 alpha (Kenwood).
You can download here:
http://www.vyatta.org/downloads
It’s using a 2.6.31 kernel. Even if you don’t want to go with an alpha release, you can at least see how your NICs behave with this newer kernel.
I’m most likely going to be sticking with my custom build of Jenner for now. I still hope to do a post on building Vyatta.