
Author Topic: Unofficial QOTOM Hardware Topic  (Read 38190 times)


Offline kaiguy

Re: Unofficial QOTOM Hardware Topic
« Reply #90 on: August 07, 2017, 11:19:54 pm »
Wanted to post an update about the i7 Qotom. It's definitely overkill! 2 PIA connections set up with jgiannakas' helpful writeup are maxing out my 350/20 cable connection (on pfSense 2.4 beta). The highest CPU usage I've seen on either of the 2 OpenVPN connections never got above 20%. With a small USB fan from Amazon sitting on top of the box, average temps are about 34 degrees.

Really digging it, but an i5 would still have been more than enough for my needs.

tibere86

Re: Unofficial QOTOM Hardware Topic
« Reply #91 on: August 08, 2017, 08:04:01 am »
> Wanted to post an update about the i7 Qotom. It's definitely overkill! 2 PIA connections set up with jgiannakas' helpful writeup are maxing out my 350/20 cable connection (on pfSense 2.4 beta). The highest CPU usage I've seen on either of the 2 OpenVPN connections never got above 20%. With a small USB fan from Amazon sitting on top of the box, average temps are about 34 degrees.
>
> Really digging it, but an i5 would still have been more than enough for my needs.

Thanks for the update. Mind posting a link to jgiannakas' helpful writeup? I am not sure where to look.

Offline kaiguy

Re: Unofficial QOTOM Hardware Topic
« Reply #92 on: August 08, 2017, 08:46:23 am »
> Thanks for the update. Mind posting a link to jgiannakas' helpful writeup? I am not sure where to look.

It's on page 2 of this thread. Link.

Offline ConsumerRouterLol

Re: Unofficial QOTOM Hardware Topic
« Reply #93 on: August 08, 2017, 01:07:59 pm »
Just set up my 2016/2017 model with the i3.

Set a bridge on the three LAN ports, and am using 1 WAN port. I know, bridges suck, but one port is open and one is driving my wifi so it's fine.

Getting a couple of errors I wanted to make sure aren't hardware related before I go asking in other sections of the forum.

Is anyone else having idle issues with static or DHCP mapping? I leave and come back to a PC and it's set itself to a 169.xxx.xxx.xxx address. I set the PC up to be static, and I can't seem to tell when, but after some amount of time it does this. Could this be hardware / QOTOM / a specific setting, or maybe the bridge I set up?

Offline Brutos

Re: Unofficial QOTOM Hardware Topic
« Reply #94 on: August 08, 2017, 05:32:01 pm »
I currently have 2 J1900 boxes from Qotom, one running Sophos in bridge to filter the web traffic and the other running pfSense on the edge.

I was thinking of going for the i3 model with AES; however, one issue I have experienced with both my boxes that I didn't with my custom home-built box is that whenever I install pfBlockerNG it crashes both boxes. I have swapped RAM and hard drive to rule each out, still the same issue; I never once had this on my custom machine. So now I have to remove pfBlockerNG, which I use to filter my OpenVPN clients when I am on the road, which works great.

Has anyone experienced this at all with current i3 models or previous Qotom boxes?

Offline BBcan177

Re: Unofficial QOTOM Hardware Topic
« Reply #95 on: August 08, 2017, 09:49:23 pm »
> I currently have 2 J1900 boxes from Qotom, one running Sophos in bridge to filter the web traffic and the other running pfSense on the edge.
>
> I was thinking of going for the i3 model with AES; however, one issue I have experienced with both my boxes that I didn't with my custom home-built box is that whenever I install pfBlockerNG it crashes both boxes. I have swapped RAM and hard drive to rule each out, still the same issue; I never once had this on my custom machine. So now I have to remove pfBlockerNG, which I use to filter my OpenVPN clients when I am on the road, which works great.
>
> Has anyone experienced this at all with current i3 models or previous Qotom boxes?

What crash messages do you get? Are you just using the GeoIP rules or are you adding other blocklists?

Some blocklists like the FH Lvl1 contain bogons, which shouldn't be used for outbound blocking and can cause issues if used for that purpose.
"Experience is something you don't get until just after you need it."

| http://pfblockerng.com | Twitter @BBcan177 | #pfBlockerNG |
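To make the bogon point above checkable before a feed is wired into an outbound rule, here is an added example (not from this thread, and not pfBlockerNG's own code): it parses a constructed plain-text blocklist and flags every entry that overlaps a non-exhaustive set of bogon/special-use prefixes, which is exactly what an outbound block rule must not contain.

```python
import ipaddress

# Non-exhaustive set of bogon / special-use IPv4 prefixes (RFC 1918,
# loopback, link-local, shared address space, multicast, reserved).
# An outbound rule that blocks traffic *to* these would also catch a
# LAN host's legitimate local traffic, which is the issue raised above.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def parse_blocklist(text):
    """Parse a plain-text feed: one IP or CIDR per line, '#' comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set, e.g. '192.168.1.50/24'
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
    return nets

def find_bogon_overlaps(nets):
    """Return (entry, bogon) pairs for every entry touching a bogon prefix."""
    return [(str(net), str(bogon))
            for net in nets
            for bogon in BOGON_PREFIXES
            if net.version == bogon.version and net.overlaps(bogon)]

def safe_for_outbound(text):
    """True when no entry of the feed overlaps a bogon prefix."""
    return not find_bogon_overlaps(parse_blocklist(text))

# Constructed sample feed (not real FH Lvl1 content), used as the input.
SAMPLE_FEED = """\
203.0.113.0/24
198.51.100.7
10.0.0.0/8          # RFC 1918: fine inbound, harmful in an outbound rule
192.168.1.50        # a private host: would block LAN traffic
100.64.0.0/10       # shared address space (CGNAT)
"""

if __name__ == "__main__":
    for entry, bogon in find_bogon_overlaps(parse_blocklist(SAMPLE_FEED)):
        print(f"{entry} overlaps bogon {bogon}")
```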

Offline Brutos

Re: Unofficial QOTOM Hardware Topic
« Reply #96 on: August 09, 2017, 06:29:47 am »
>> I currently have 2 J1900 boxes from Qotom, one running Sophos in bridge to filter the web traffic and the other running pfSense on the edge.
>>
>> I was thinking of going for the i3 model with AES; however, one issue I have experienced with both my boxes that I didn't with my custom home-built box is that whenever I install pfBlockerNG it crashes both boxes. I have swapped RAM and hard drive to rule each out, still the same issue; I never once had this on my custom machine. So now I have to remove pfBlockerNG, which I use to filter my OpenVPN clients when I am on the road, which works great.
>>
>> Has anyone experienced this at all with current i3 models or previous Qotom boxes?
>
> What crash messages do you get? Are you just using the GeoIP rules or are you adding other blocklists?
>
> Some blocklists like the FH Lvl1 contain bogons, which shouldn't be used for outbound blocking and can cause issues if used for that purpose.

Hi @BBcan177

So when it crashes, the whole system crashes; I lose access to the GUI, and if I connect a monitor it's a screen full of just random text.
I am only using DNSBL to block ads, no other feature is being used; it's the best ad blocker I have used.
I want to buy another Qotom box due to their small footprint and being quiet, but I'm scared it will display the same characteristics.
I can't find any other box with the same characteristics.

Offline Shad0wz

Re: Unofficial QOTOM Hardware Topic
« Reply #97 on: August 09, 2017, 09:43:37 pm »
Does it really make sense to get the i7-4500u over the newer i5-5250u?

http://cpu.userbenchmark.com/Compare/Intel-Core-i7-4500U-vs-Intel-Core-i5-5250U/2743vsm24945

I mean the i7 is an older Haswell vs the newer i5 Broadwell; Haswell was a 'tock' upgrade, Broadwell was a 'tick' new architecture.
« Last Edit: August 09, 2017, 10:10:04 pm by Shad0wz »

Offline bingo600

Re: Unofficial QOTOM Hardware Topic
« Reply #98 on: August 10, 2017, 06:27:30 am »
> Does it really make sense to get the i7-4500u over the newer i5-5250u?
>
> http://cpu.userbenchmark.com/Compare/Intel-Core-i7-4500U-vs-Intel-Core-i5-5250U/2743vsm24945
>
> I mean the i7 is an older Haswell vs the newer i5 Broadwell; Haswell was a 'tock' upgrade, Broadwell was a 'tick' new architecture.

Imho, no.
And if you read the i7 answer here, it indicates the same.

/Bingo
pfSense 2.4.2-p1

QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U
Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211
Disk  : 240G Toshiba Sata SSD

Offline kaiguy

Re: Unofficial QOTOM Hardware Topic
« Reply #99 on: August 10, 2017, 09:38:42 am »
> Does it really make sense to get the i7-4500u over the newer i5-5250u?

I'm the one who got the i7... If I were to do it over again, I probably would have gone with the 5250u. But it wasn't a huge price difference and overall I'm happy with my box, so no regrets.

Offline JasonJoel

Re: Unofficial QOTOM Hardware Topic
« Reply #100 on: August 17, 2017, 10:16:05 am »
Anyone know why UEFI has to be turned on with this board to install pfSense? I much prefer disabling UEFI whenever possible, and sticking to legacy BIOS.

UEFI is just one more 'embedded OS' that needs to be patched and managed if you want high security (which you should if using pfSense...). And QOTOM doesn't update BIOS very often - and certainly not for security updates, only for functional problems.

Offline johnkeates

Re: Unofficial QOTOM Hardware Topic
« Reply #101 on: August 17, 2017, 12:35:15 pm »
> Anyone know why UEFI has to be turned on with this board to install pfSense? I much prefer disabling UEFI whenever possible, and sticking to legacy BIOS.
>
> UEFI is just one more 'embedded OS' that needs to be patched and managed if you want high security (which you should if using pfSense...). And QOTOM doesn't update BIOS very often - and certainly not for security updates, only for functional problems.

That's a misunderstanding right there. You can't actually 'turn off' UEFI. If a board is using UEFI firmware, the only 'BIOS' thing about it is that it can start a BIOS emulator or CSM to start a fake BIOS service after the UEFI has already started. So in essence, you will always run UEFI, but you can opt to have emulated BIOS support on top of that as well.

There is no way to 'turn off' UEFI and 'turn on BIOS', as that is not what is actually implemented.

On top of that, you pretty much have to disable the CSM and only allow UEFI booting because pfSense 2.3 won't reliably boot off of the CSM in the Qotom firmware. In UEFI only mode, 2.4 boots reliably.

Offline JasonJoel

Re: Unofficial QOTOM Hardware Topic
« Reply #102 on: August 18, 2017, 08:04:00 am »
Guess I learn something new every day. Doesn't really change the fact that UEFI is bad for security overall, though (my opinion).

More capability = more opportunities to exploit. Field loadable driver stacks = more places to inject bad code.

Might be handy for supporting new hardware, but I am in the camp that the BIOS should be as stripped down as humanly possible.
« Last Edit: August 18, 2017, 08:24:36 am by JasonJoel »

Offline johnkeates

Re: Unofficial QOTOM Hardware Topic
« Reply #103 on: August 18, 2017, 09:22:28 am »
> Guess I learn something new every day. Doesn't really change the fact that UEFI is bad for security overall, though (my opinion).
>
> More capability = more opportunities to exploit. Field loadable driver stacks = more places to inject bad code.
>
> Might be handy for supporting new hardware, but I am in the camp that the BIOS should be as stripped down as humanly possible.

I'm a big fan of Coreboot and optionally SeaBIOS for systems that can't boot directly off of Coreboot itself. Netgate/pfSense official hardware often uses coreboot where possible (especially the embedded boxes) since it's much better for this type of device. Google uses it too on their laptops.

The problem, however, is that Intel and AMD don't release all the required details, and also want you to run a secret bit of code in the platform embedded controller or else they shut down your system 30 minutes after power on (read more about: Intel Management Engine on the coreboot Wiki). Coreboot is even more barebones than a BIOS is, it's also much faster and much better to manipulate from a running system. You can upgrade and reconfigure it whenever you want, and after a reboot it immediately uses your settings.

Too bad the big manufacturers have so many requirements about added secret firmwares before a system will even work.

Offline reggie14

Re: Unofficial QOTOM Hardware Topic
« Reply #104 on: August 18, 2017, 03:14:05 pm »
> Guess I learn something new every day. Doesn't really change the fact that UEFI is bad for security overall, though (my opinion).
>
> More capability = more opportunities to exploit. Field loadable driver stacks = more places to inject bad code.

What do you think a legacy BIOS Option ROM is? We even have an example of that being weaponized.

I understand your general security concerns given the ever-increasing complexity of boot firmware, but turning on CSM support in a UEFI BIOS only makes things worse. You retain your legitimate security concerns, since you're still running a UEFI BIOS, but now you add all the legacy BIOS concerns of running unsigned legacy Option ROMs (though you're stuck with that anyway, since FreeBSD still doesn't support Secure Boot under UEFI).