The Ultimate SOHO Router with OpenBSD Part 1

Background

As most folks know, security is paramount. Entering the field right around 2003 meant that I remember the days of the Blaster and Sasser worms on Windows XP. While basically all of the machines around my place run either Linux or some flavor of BSD, a bit of extra security and insight is always a good thing.

I've run a number of different devices over the years for these purposes, including a Cisco PIX 501, ASA 5505, Raspberry Pi + iptables and even a Juniper NS25.

All of the devices more or less performed admirably and I'd strongly recommend purchasing commercial hardware and a support contract if your business is going to rely on it.

However...

All these devices had limitations. For the Ciscos and Junipers: the licensing model was somewhat expensive, updates outside of a service contract were impossible, and throughput left something to be desired.

My first attempt at doing this was with a Raspberry Pi Model B and iptables. I had pretty good luck and an amazing 2.5 YEARS of uptime without so much as a hiccup. Not bad for a $35 device and another $15 for a USB NIC. However, it too had a limitation:

The CPU couldn't handle the throughput.

The Idea and Solution

After growing tired of paying for a halfway decent pipe (Verizon Fios 75/50) and losing quite a bit on my edge, I decided to make a few changes.

I put some thought into a few factors:

1. Operating System: Do I want Linux, pfSense, OpenBSD, or do I want to go with a vendor's OS?
2. Flexibility: I need the ability to tunnel to my existing L2TP/IPsec endpoint on a colocated machine of mine.
3. Visibility: The Cisco devices had excellent monitoring capabilities for their time and platform. I'd like similar if at all possible. The Pi didn't have the memory to run NTOP.
4. Price: If money wasn't an object, I'd fork a few grand to a commercial vendor like Palo Alto and call it a day.

I came up with an interesting solution: A Fanless Micro PC with 4 Intel NICs on board.

So onto Amazon I went, and in about 90 minutes of searching found exactly what I was looking for, a Mini PC: Amazon Link

I ordered it up with a 4 GB SODIMM, an mSATA-to-SD adapter, and a class 10 SD card. I was greeted with an off-brand box, obviously from somewhere in East Asia.

I opened it up, installed the RAM and storage, connected a keyboard and display, and copied an OpenBSD 6.1 ISO onto a thumb drive to do the installation.

The documentation with the hardware was non-existent, so it took me a minute or two to get into the BIOS and configure the boot order and a few other options, but no big deal.

I installed OpenBSD, rebooted it, and connected an outbound Internet connection (behind my existing firewall, of course).

After configuring PF (which we'll detail in the next article), I had a functioning gateway with great performance.

System load average at full speed on my Fios connection was 0.25, including with NTOP and Redis running!

Mission accomplished! Great performance in a small, quiet, attractive package.

Next article: The Ultimate SOHO Router with OpenBSD Part 2, Software Configuration