Another successful OpenBSD setup

I’ve been buying these little boxes from AliExpress for years to use as firewalls and routers. My oldest one is almost 9 years old now! OpenBSD installs just fine. Just a BIOS tweak to always boot up after power is restored.

@selfhosted #selfhosting #selfhosted #openbsd #runbsd

  • scrion@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    3
    ·
    edit-2
    9 months ago

    I was wondering… that tp-link probably negates anything remotely resembling security on its own. But yeah, you can update some of these noname boxes easily, others, not so much.

    I have dealt with (in a professional capacity) Chinese manufacturers that are under the impression they do not have to provide a working build tree for the kernel, let alone firmware, so its a gamble if you’re not talking to a major Chinese name brand. Mind you, I was ordering hundreds of those boxes, so there was some leverage.

    • MigratingtoLemmy@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      edit-2
      9 months ago

      That TP-link is a dumb switch. Unless you’re telling me that someone is going to find an opening in the firmware and hack their way into the ARP table or something (in which case the threat model here just became state actors and I don’t think the OP is safe with this equipment), I don’t think it affects much, if anything.

      Now, if I’m mistaken and that is actually a managed switch; god help them with network security.

      • Link@rentadrunk.org
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        2
        ·
        edit-2
        9 months ago

        It is a managed switch. What’s wrong with TP-Link managed switches?

        I have a basic Netgear managed switch for VLANs.

        • MigratingtoLemmy@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          9 months ago

          The problem is that their Web interface and firmware in general are not updated (at all). I think it’s even possible for script kiddies to hack into such managed switches, which forms the reasoning behind my comment.

          Does your switch produce its Web interface over TLS?

          • Link@rentadrunk.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            9 months ago

            Doesn’t look like it but if I set up VLANs unless an user is on the correct VLAN they can’t access the web interface. And the only way for them to get access is to get physical access and plug a device into the correct port.

                • MigratingtoLemmy@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  9 months ago

                  If the switch is managed (I’m assuming it supports L3 functions which means inter-VLAN routing), then it’s possible to hop VLANs on the switch.

                  • Link@rentadrunk.org
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    9 months ago

                    My Netgear switch doesn’t support Level 3 routing. It only supports basic VLAN functions.

      • scrion@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        9 months ago

        They do make managed switches, but just to be completely clear, my comment was mostly hyperbole. I just found the general combination of security - mindedness and cheap Chinese hardware curious / amusing.

        • MigratingtoLemmy@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          9 months ago

          I did realise that, and apologies for my tone earlier.

          With that said, this seems to be a slight bias - unless the PCB has some nefarious spy-chip built inside, hardware is hardware, regardless of where it comes from.

        • floofloof@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          I just found the general combination of security - mindedness and cheap Chinese hardware curious / amusing.

          I think it can make sense, since there are so often vulnerabilities in consumer router firmware, and because those devices are so common the vulnerabilities are profitable to exploit. Running a BSD-based router on a cheap Chinese PC is likely to be better security for the router’s OS and software itself, even if you don’t know for sure about the firmware on the board (which you don’t with consumer routers either, really). Overall you could still have reduced your attack surface compared to a popular consumer router.