Chitchat about HW

Just bought today for 240 EUR a mini PC to replace my Turris Omnia (OpenWRT based) at home with Nethsecurity.
It was the last piece in the shop and I have an M.2 spare disk and some RAM from repaired notebooks.

I have an optical internet connection at home with 1/2.5Gbps.
I’m looking forward to ad blocking, reverse HTTPS proxy and connecting from outside to a home VPN.
So Nethsecurity is the best solution, the same I use at work, and I get a full 2.5Gbps download…

Just sharing my joy.

6 Likes

I wish I could run NethSecurity on an ARM64 device.

1 Like

Unlike x86_64, which uses UEFI/ACPI for universal hardware discovery, ARM64 requires hardware-specific Device Trees and tailored bootloaders for every single board. Maintaining separate images for the fragmented ARM ecosystem would exponentially increase build times and support overhead. I assume this is why the project focuses on the highly standardized x86_64 platform to ensure maximum compatibility.

2 Likes

Probably, but nothing beats a Raspberry Pi or any other ARM fruit/druid device in price and practicality. So having bootloaders for Pi and maybe another will go a long way… At least A way as opposed to NO way… :wink:

Which specific SBC do you have in mind?
Using a Raspberry Pi with a USB network card as a router is painful.
I know just some NanoPi and Banana Pi useful as a router.
I had BPI-R3 in my hands.
NAT and stateful firewall were OK, but any other protection and enhancements lowered the speed to 200-300Mbps.
BPI-R4 has an A73 core and should be better.
Anyway at that time I didn’t find a suitable case for the BPI-R3 and a 1U position, so I ended up using a Turris router in a server rack.

For ultimate horsepower and traffic at and above 1Gbps I prefer an x86-64 CPU with a short pipeline.

Well, I actually do not care too much about performance or what kind of fruit. In a small environment (home or small office) the specifics of tech and hw do not matter much. Ease of use, affordability (around a 100 coins) and reliable router/firewall software with some things to tune. OpenWRT or NethSecurity. Just not a commercially motivated, less featured “light” version just because the hardware has a small footprint and trying to sell the ecosystem and support. All kids in the class should get the same attention.

Then the difference between a Pi (with native/usb LAN/WAN) and a Banana is negligible.

I just found on a local eshop the Banana Pi BPI-R4 for ± the same price (230 EUR).

The mini PC I bought has 4x 2.5Gbps ethernet ports, a case and a power supply, no RAM and disk (will use some spare).

The Banana Pi has 4x 1Gbps ethernet and 2x 10Gbps SFP ports, no case and no power supply, 8GB RAM and 8GB eMMC.

I bought this mini PC because of the 2.5Gbps ports (10Gbps would be even better).

But you can get a second hand x86-64 mini PC for a good 1Gbps firewall for 90 EUR or less.
For example HP T620 Plus or Fujitsu Esprimo G558 etc.
That is less than the price of a Raspberry Pi 5 without a second network card and a case and a power supply and a disk.
And for 90 to 200 EUR there are router mini PCs from AliExpress with an Intel Celeron J1900, J4125 or N100 processor.
This is cheaper than any ARM64 solution.

For 270 euros, I’m running both NethSecurity and OPNsense on this mini PC, and it performs wonderfully with both firewalls.

With OPNsense installed as the secondary system, performance improves even further, especially in terms of connectivity — I get the impression that the drivers are better optimized. That said, both firewalls run extremely well, stable and smooth.

On a third installation using the exact same hardware, I’m running Sophos Firewall Home Edition, and in that case as well, performance is simply fantastic.

Here are the hardware specifications:

Quad Core N100 6 LAN Firewall Mini PC

  • CPU: 12th Gen Alder Lake N100 Processor (6M Cache, 4 Cores / 4 Threads, up to 3.40 GHz)

  • System: Supports OPNsense, ESXi, Linux, Windows

  • RAM: 16GB DDR5

  • Storage: 2 x M.2 NVMe + 1 x SATA 3.0 slot for 2.5" SSD/HDD

  • GPU: UHD Graphics

  • Display: 2x HDMI + 1x Type-C (triple 4K output)

  • Ports: 6 x i226-V 2.5GbE LAN, 1 x Type-C, 1 x USB 3.2, 4 x USB 2.0, 2 x HDMI, 1 x TF Card Slot

  • WiFi: Supports WiFi module installation (requires adapter board)

  • Power: 12V

  • Operating temperature: -20°C to 60°C

For this price range, it’s truly an outstanding machine for firewall and advanced networking use.

1 Like

I was simply thinking of one of these devices and slap NethSecurity on it.

To be frank, I do not understand why a simple firewall on a simple device needs to be this complicated today. Please refrain from techie stuff to avoid clouding the discussion.

  • Hardware, not new
  • Firewall, not new
  • Availability of devices, not new
  • OpenWRT and others, not new
  • Putting a man on the moon, not new
  • Having a zillion AI initiatives, agents, active today, not new
  • Hardware is also open source and drivers for ‘exotics’ are available, not new

So I wonder, what is the problem? Who likes to make the most money?

So for one party, the hardware platform is the problem, and for the software party, the lack of preferred hardware is the problem. So we all end up with a problem, staring at each other and the revenue stream.

Geez, it’s just a firewall, based on known and open source software and ongoing monitored threats, nothing new here, everything is being logged, monitored and documented, yet still, ‘no, no, no, it is much more complicated than that’.

Sounds a bit like “As long as somebody sells guns, we can make money out of fear of that threat”. Welcome to the support contracts and light versions.

I think netifyd didn’t work for other archs but that may change in future versions, see Switched to NethSecurity (on arm64) - #13 by Tbaile

I guess it’s not simple to support a lot of archs like openwrt does. For example even supported openwrt devices sometimes lack some features like wireless, buttons etc.

2 Likes

240 € and additional effort (costs) for installation, administration…?

I lovingly pat my UniFi Cloud Gateway Ultra on its plastic back.
For €100, I have everything I need. Plug it in, switch it on, and it works right out of the box.

1 Like

Hi Folks,

I’ve been running NethSecurity on arm64 for a few months now without any issues other than the missing netifyd as @mrmarkuz mentioned. Uptime >2 months and still counting :slight_smile:

First used a Nanopi R6S with a 4-big, 4-little (8) core SoC with a throughput of approx. 2.3 Gbits/sec. Now using a Nanopi R5S with a 4-little core SoC with a throughput of approx. 300 Mbits/sec as the CPU hits 100%. Still enough for my needs.

Rationale is the low energy consumption when idle, still need to build a 1W<powermonitor< 20W to get real insight. On the 5Vdc side of the power brick it ramps down to approx. 18mA.

4 Likes

I had a gut feeling you might have… :wink:

Any pointers for devs or users on how to get it going on a fruit model?

1 Like

As it stands now a user has to build a custom image as described in the developer documentation. That’s not all, some tweaks (patches) are needed like I have done. (I hope) well described here: Commits · markVnl/nethsecurity · GitHub

If you happen to have a Nanopi R{4,5,6}s, my development (images) repository is public.

Note: until now I did not attempt to upstream the tweaks as it seems to be impossible to include full functionality, including netifyd.

EDIT: Still have to check the full commit, but it looks like licensing for netifyd opened up to be built for a custom image:

2 Likes

Hi all, I’m not very active here, but I’d like to share a few thoughts.

ARM-based boards are definitely interesting, both in terms of cost and power consumption. They can be a very good fit in scenarios where high performance is not a strict requirement.

When you start looking for performance that better matches today’s available network bandwidth, things change a bit. ARM hardware that can deliver higher throughput tends to become more expensive, starting to approach the price range of x86_64 systems. At that point, while the power consumption advantage remains, the cost advantage becomes smaller. Even a basic entry-level x86_64 system can usually handle well over 1 Gbps of throughput.

Another factor is hardware coverage. With x86_64, we can support a very large range of systems with a single build, from small fanless boxes up to much more powerful servers with different performance levels, network interfaces, and price points.

With ARM, things are a bit different: the tooling to build images is there, of course, but in practice each board typically needs its own image. That means setting up and maintaining build environments, dealing with board-specific issues, and testing everything on each platform.

So supporting ARM is definitely possible, but it still requires work and the right skills to maintain it properly.

Also, just as a bit of context, the current NethSecurity development effort is mainly focused on adding new features and consolidating what is already there, so the available time and resources are currently committed in that direction.

In this context, @mark_nl has already done a really great job: he has built images for some boards that are among the most interesting ones currently available, and he is continuing to work in this area.

My honest suggestion is to try the images he made, since they are already publicly available. Thank you again, Mark, for the work you have done and for the effort you are putting into this.

Hopefully this gives a bit more context about the current situation. And of course, contributions and experiments in this area are always welcome.

6 Likes