by eladx 3489 days ago
Author here... Surprised to see this made it to HN. :)

The reason I installed OpenBSD on this device rather than a ready-made firewall solution is that I had some ideas for a router that would protect networks with a lot of untrusted IoT devices. Some of them required changes to the network stack, and OpenBSD's proved to be very elegant and clean for this purpose. Not to mention the proactive-security approach etc.


On the Github page you could mention that the APU is quite often used to install pfsense on, which in turn runs on FreeBSD. A short explanation why OpenBSD is better than FreeBSD can do no harm. Maybe the people who're going to do this need no such explanation, but the occasional visitor may appreciate a bit more story.
Is there a comparison between FreeBSD vs. OpenBSD in packet filtering, routing performance et al?
Well, to the best of my understanding, FreeBSD will generally have better performance while OpenBSD has the latest pf syntax and features. This is a source of animosity between the two projects that I don't fully understand.

FreeBSD has done a lot of work to enable SMP for their pf so that gives it the edge on modern multicore systems. This work wasn't able to be used in OpenBSD so that was unique to FreeBSD for a long time. Right now OpenBSD is in the middle of doing the same for pf and their network stack. So the performance difference shrinks on every release. The newer pf syntax and features make writing rulesets easier, like replacing ALTQ with prio for traffic shaping.
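As an added illustration (not from any commenter in this thread), here is a minimal OpenBSD pf.conf fragment in the newer syntax the comment above refers to, using `set prio` rather than an ALTQ queue definition to de-prioritise an untrusted IoT segment. Interface names, the address ranges and the segment layout are all assumed for the example.

```pf
# Added example, not from the thread: OpenBSD pf.conf fragment using
# "set prio" instead of ALTQ. Interfaces and subnets below are assumed.
ext_if  = "em0"
lan_if  = "em1"
iot_if  = "em2"
lan_net = "192.168.1.0/24"    # constructed example range
iot_net = "192.168.50.0/24"   # constructed example range

set skip on lo
block log all

# Trusted LAN may go anywhere, including to IoT devices for management.
# Default state policy is floating, so the reply/forward path on the other
# interfaces is covered by the state created here.
pass in on $lan_if from $lan_net
pass out on $ext_if nat-to ($ext_if)

# IoT devices may reach the Internet only, never the LAN.
# set prio (2, 5): bulk IoT traffic queued below the default priority 3,
# ACK/low-delay packets at 5. prio only takes effect once the outbound
# interface is saturated; it does not cap bandwidth like an ALTQ queue.
block in quick on $iot_if from $iot_net to $lan_net
pass  in on $iot_if from $iot_net to !$lan_net set prio (2, 5)

# Keep administrative SSH to the router itself responsive under load.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port ssh set prio 7
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` shows the loaded rules with their assigned priorities.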

Are there differences in firewall features, or is OS-level security posture the main difference?
One major drawback to OpenBSD's pf, at least from a research perspective, is its lack of extensibility. Both FreeBSD and Linux offer extensions that can come in very handy, for example a BPF matcher for packets as opposed to regular rules.
I also went with OpenBSD, first on Alix and then APU. Just now learned that APU2 existed due to your post.

But to me I think OpenBSD PF is just so simple to use that there is no need for pfsense. It's a simple firewall, has no services except opensmtpd relay and pf. All other services are inside the DMZ.

It's literally install and forget. But that's not to say you shouldn't have proper patch management.

Hi! I used this guide. It worked like a charm. I highly recommend this setup for people looking at openbsd routers. Thanks!

One bit of feedback: It is a bit unclear what combinations of storage devices are needed for installation. I ended up with an unused SD card, since I just bought the whole list. Not a big deal, but it was kinda wasteful.