New: NitroWall for Professional Network Security

Our ever-growing product portfolio was still missing a trusted network router and VPN gateway as a counterpart to two-factor authentication using Nitrokeys. Here is NitroWall! Your firewall, intrusion prevention system (IPS) and VPN gateway. Trustworthy thanks to open source firmware and software. For professional users with professional requirements.

Firewall and Intrusion Prevention System (IPS)

Based on the powerful OPNsense, NitroWall meets all the requirements of a professional firewall and IPS such as multi WAN, hardware failover, routing protocols, web filtering, and two-factor authentication.

VPN

VPN gateway for IPSec and OpenVPN with powerful Intel Quadcore CPU with AES-NI for fast data throughput. Secure two-factor authentication via Nitrokey (instead of password) is possible with IPSec.

Open Source Firmware Coreboot

Instead of a proprietary BIOS, the NitroWall uses the open source firmware Coreboot, which offers transparency, minimal attack surface and high speed.

High Speed

Unlike common ARM-based systems, NitroWall contains the powerful Intel Quadcore CPU J3160 with 1.6 GHz and AES-NI. 8 GB RAM, SSD and four Gigabit Ethernet ports provide sufficient resources.

  • Unencrypted LAN: 940 Mbps
  • OpenVPN AES256-GCM: 887 Mbps (UPDATED)
  • IPSec AES128-GCM/AES-XCBC/AES128-GCM: 635 Mbps

Fanless, Rugged Metal Chassis

NitroWall features a small, rugged metal chassis. It does not require a fan, making it completely silent and virtually maintenance-free. In addition, NitroWall is very energy efficient.

Numerous Operating Systems

Instead of OPNsense, NitroWall can be operated with other operating systems such as pfSense, Ubuntu, Windows or Proxmox.

Robust Industrial PC

Thanks to its closed housing and compact size, NitroWall is also suitable as a robust industrial PC in combination with operating systems such as Ubuntu or Windows.


Frequently Asked Questions

Is NitroWall suitable as a replacement for my home router?
Generally not. NitroWall does not include a DSL or cable modem but requires network access via Ethernet. But NitroWall can be operated behind home routers. In addition, the configuration is aimed at professional users with appropriate prior knowledge.

16.5.2022

Comments

Wireguard support?
Yes, via OPNsense plugin(s), there are various guides available on the internet, e.g., https://www.ivpn.net/setup/router/opnsense-wireguard/
What is the typical power consumption in active and idle mode?
Max power consumption is 16W and typical is <10W.
Does it have serial console support?
Yes, the hardware comes with an RJ45 serial connector, not tested together with OPNsense
Why not support Wireguard VPN protocol? It should be ultra fast, and still secure.
Enough power for five VLANs with more than 20 firewall rules to route between the LANs?
Generally yes, although in reality this will likely not depend on the amount of rules and/or VLANs but more on the actual traffic to be filtered and routed. Eventually, please understand that we cannot give guarantees for questions of this specificity because it is trivial to construct an example in which the answer will be "clearly yes" (very low traffic) and also another trivial example (extensive traffic) in which the answer will be "no".
OpenBSD?
As OPNsense is FreeBSD, I would wildly assume OpenBSD will likely also work, but it was not tested by us explicitly.
yes, works great with OpenBSD 7.1
awesome, thanks for testing and letting us know!
Made in Germany? Or China?
The hardware itself is manufactured in China; we build the firmware (coreboot + SeaBIOS) and replace the proprietary BIOS, disable ME, ensure component compatibility, etc. To our knowledge there is simply no German (or even European) OEM hardware manufacturer which has similar mainboards available. We would love to make more use of (at least) European suppliers, please reach out to us if you know any with similar products.
Why does the NitroWall hardware look similar to the hardware Protectli and others sell? And can you use other OSes that support coreboot, e.g. pfSense?
They look similar because they likely use the same OEM supplier for the hardware. As of now and in the short term we will only offer OPNsense as pre-installed OS; pfSense should work w/o issues, although likely we will (also in the future) not offer it because their license is, let's say, at least "weird" and not an open-source license as far as we understand.
How can I get OPNsense updates after the pre-installation? The hardware of the NitroWall is Intel based, but as far as I know the only precompiled OPNsense images are AMD based.
There is a very robust updating mechanism inside OPNsense, which works reliably and also easily manages major version jumps. Furthermore, the images for installation of OPNsense are indeed called "amd64" (see https://opnsense.org/download/), but this denotes the architecture and not the CPU type. That is, AMD introduced the 64-bit extensions to the i386 architecture, which is why they are called "amd64" (see e.g. this explanation why 64-bit versions are called amd64). So in short: of course OPNsense images also run on Intel CPUs.

I got a CryptoStick v2 all the way back in 2012 and have been happy with your efforts since. I just wanted to say thank you for taking a step into filling this niche too. I'm an extensive user of OPNsense having switched all my gateway/routing/edge appliance activities to it for both myself and a number of clients over the last few years, but I've run it primarily on SuperMicro 1U boxes. I've wanted a better option to fill the role in smaller scale/managed home solutions, and while using a NUC or other embedded options is of course doable it's nice to see you take a step towards making it more turnkey. Deciso, the company behind OPNsense Business Edition, does offer a number of options too but they neuter important hardware functionality and many of them are very long in the tooth and mediocre value. A few comments though:

    1. A 16GB flash card just shouldn't even be something you offer IMO. At RPi price points sure, but at $500+ you should really try to have the 120 be the basic default. CPU ceiling can't be helped, but people should be able to play around with IDS/IPS, web proxying, plenty of log space (circular logs are dead now) etc. A decent basic 250GB NVMe SSD like the PNY CS1030 is about $34-40 retail. I just don't think it's a place to penny pinch vs user experience personally.
    2. Having said that at the $500 level you should be a bit more generous, I'm going to turn right around and hope you can pull off a $100-200 Arm (probably not x86) version down the road too! Obviously at that point there would need to be some more feature cuts, just two ports etc.
    3. If this does well enough for you, I hope you can fund some focused improvements in OPNsense itself. In particular given your original business, it'd be nice to have webauthn support for the OPNsense web gui as well as easy native key support for ssh and logging into the console.
    4. I can't tell, but I hope you're installing this as ZFS native particularly on the 120+ drives. Even with one drive being able to detect (and repair with copies=2+) corruption is useful, as is snapshots and boot environment rollbacks if something goes pear shaped.

Anyway, best of luck with this! I'm delighted to see a slow but growing appreciation for how important open source is for network edges after ages of people getting burned by crappy appliances (happening again right now! Ars Technica just had a piece on yet another massively widespread flaw, "Gear from Netgear, Linksys, and 200 others has unpatched DNS poisoning flaw"). OPNsense remains too technical/clunky for a lot of users for now, but the foundations are good and if you do want to put some time in it's so nice to have normal open PC management/recovery for such a critical piece of infrastructure. I hope it does well enough in its niche for you.

Hey sonar, thanks for your inputs, highly appreciate them. (I also re-formatted your comment, hope that's ok). Generally, we are currently also still "investigating" this product and its acceptance; based on that we'll surely adapt the product itself and the available configurations. Hard to tell right now where this will go, obviously this also depends on how well it sells, but overall we are already investigating different hardware alternatives, but an ARM platform is currently not within this pool. On the other side we are also looking into options for how to better integrate OPNsense into our ecosystem (mainly Nitrokeys) and of course we are using ZFS for all installations.
I just got my NitroWall today! I had to remove the SSD to be able to boot from USB and install VyOS as I found no way to change the default boot device. After this small workaround VyOS is running successfully.... BUT changing configurations is painfully slow. Just "configure" and then "show" takes 6 seconds while unionfs-fuse will consume 50% or so of a CPU. It was not so slow when I was running on a KVM guest on Proxmox. Will need to see if I find a solution as this performance makes the solution unusual to work with via Terraform - refresh times out.
Hey, usually it should be possible to change the boot device by pressing "esc" directly after starting the NitroWall (and a connected display). We had some reports that not all USB keyboards work without issues (slow key-press recognition), maybe using another keyboard might already help. For your VyOS issue: generally we ship OPNsense exclusively as a pre-installed solution as this is the solution we regularly test, please understand that it is not possible for us to test a wide range of network/firewall systems. That being said, I did some searches and the VyOS hardware support page is lacking the Intel Celeron J-family processor in any of the recommended systems, which might be an indication that the CPU is missing some instruction. Sorry that I cannot help more here...
What about IPFire? Are there any problems with it or just concentrating on one OS?
IPFire should work, but you would have to install it by yourself. You are right, we are trying to focus on a small number of OSes.
ah, ok. But you see no problems such as in relation to pfsense with ipfire, isn't it? What were the reasons for choosing OPNsense instead of for example ipfire?
OPNsense delivers a very good user experience and robust update mechanisms, while allowing very complex setups. It's a very flexible package overall, thus in our eyes a good choice for a wider, still professional audience.
ok, thanks!
Just wondering. Does it make sense to use this box/CPU with Proxmox and run virtualized OPNsense passthru on it with a 200mbps AES tunnel, and Pi-hole and another small Debian based ssh/onion/http server? Can it handle all this or do you have better hardware suggestions? Another question: can the HAP bit still be set on these boards (as they are newer than the old tweakable Thinkpads used by the privacy community)? Last question: do you still accept BTC?
For higher performance needs we can offer a NitroWall with an i7. The HAP bit is already set, thus ME is deactivated. And Bitcoin, yes you can buy using btc.
Just wondering how can I get the open source firmware files of the nitrowalls?
Hey, currently we are not uploading the binaries themselves, but you can easily build them using our coreboot-builder repository, just run `make nitrowall` or `make nitrowall-pro` and it will build completely inside a docker.
Does the cheaper one with the 8GB RAM handle Suricata IDS with logging and Zenarmor well or do you recommend another with 16GB or 32GB? For small home office.... Please provide links to the product recommended for this use case.
These are 2015 processors and I have some qotom box experience. Their CPU paste is usually dried out in under a year? Do you take care of this before shipping? What is typical men utilization for Opnsense with Suricata and zenarmor on this one. 8gb enough for 3 users?
Although the processor is older, the assembly is done on-demand and is not older than some months, thus CPU paste shouldn't be an issue. We had no overheating reports or similar, yet. We have no first-hand experience with Suricata and/or zenarmor. Although zenarmor states 8GB should be enough for 100-250 devices within their documentation - still hard to extrapolate. But 3 users feel like this isn't too much load.
Men utilization = mem utilization (ram)
Ah, read it as "mean" ... Nevertheless, cannot give you test data here, we don't really have experience to share here.
Hi, I got one of your boxes and installed OPNsense. But why am I getting a max of 720Mbit/s using iperf3? This is the hardware line speed between the Intel NICs of the board and my client, which is a 2.5Gbps laptop (Intel). The board has 4x Intel 1Gbit ports and the hardware line speed measured with iperf3 should be closer to 940Mbit/s. I am using a short CAT6 cable directly connected to the NitroWall. No VPN, normal CPU load, it doesn't matter if powerd is set to HiAdaptive or off, it doesn't matter if HW offloading boxes for CRC etc. are ticked on or off. The box seems to be underperforming for some reason and it is unable to handle/utilize a 1 Gbit stream. Please confirm if this is the norm due to older CPUs or if there is anything I can try to boost performance?
It works flawlessly with OpenVPN and WireGuard. Just don't try to run Suricata on it, the CPU is not powerful enough. But it easily handles 500mbps AES traffic with just over 25% CPU. (One core maxed out, due to openssl not multi-threading). It's an old CPU (2016) and may be subject to Intel vulnerabilities and it's a bit priced, but it comes with a warranty, which is an uncertain factor when buying Chinese Qotom. I basically paid 200 EUR extra for warranty and support. Now my little support question. Site says: "Unencrypted LAN: 940 Mbps". But I only get 720 Mbps using CAT6 cables and iperf3 LAN to LAN (receiving end is 2.5Gbps). I wonder how the devs here got the 940mbps (the max speed for gigabit) directly on the cable. I hope I can tune this somewhere and am hoping for an answer. The box is fine for 500mbps uplinks but for gigabit I would need to return it for a faster model, if I can't amp up the speed to the norm. But I trust I am probably making some error somewhere because the site says 940mbit, so I guess they tested it.
Hello, I am expecting a reply to the former message posted here. I got a unit but am only getting like 720mbit/sec (using cat6 cables and 2.5gbit clients) directly on the interface using iperf3 (so not internet speeds). Your site says 940mbit unencrypted, which is the max for gigabit on iperf3. Please tell me what could be the problem and what things I can check. Running OPNsense now with low CPU and under 10% mem usage. I run iperf3 directly on the interface lan2lan... Please help, I would really like to have some feedback and confirmation if this is a generic issue with this unit or something else?
Hey hey, that's really unexpected. There could be various reasons, also on the client side as the 2.5Gbit drivers are still not perfect. Especially the igp driver has some power issues, did you try to switch off EEE? Further, on the OPNsense side there are many options to optimize, see the docs; some hints might be "activate PowerD", "TSO" ... Could you also share your current OPNsense version?
Hi, I tried these things already. When I enable hardware CRC offloading, disable TSO and Receive buffer offloading (3 boxes, I tried all combinations) I get slightly different rates but all slower and unstable results in iperf3 with rates like 500-600mbps. When all boxes are ticked I get a stable 720mbps, which is the max for this device. Regarding powerd: I tried HiAdaptive and Max, and I tried disabling it. Powerd has no effect on the throughput at all, CPU usage remains very low. Regarding the EEE in sysctl, when I toggle them, I lose connection to the firewall and the only way to restore it is power cycling the box. Current setting is default EEE=1. I really need to double check the client side again and fetch a machine to test against the firewall. What other things can I try? And can you test one of these boxes with iperf3? The problem could just be with these boards. I read some of the Qotoms with similar specs have the same data rate issues, getting no more than 80MBps. Would be great if you have the time to test it in your lab and let us know. Any other suggestion is welcome.
Some update: With CRC offloading I get 750 instead of 720mbps. TSO remains default, everything else default. Then when I try a 64k windowsize and at least 2 iperf3 streams I am finally seeing a mixed total result of 930mbps. But with one iperf3 stream and various window sizes all I am getting is around 750 (CRC hw offloading) or 720 (no CRC hw offloading). Any guesses? At least it doesn't appear to be a hardware problem, but I think a client should be capable of getting 1gig in a single stream?
The plot thickens. When using iperf on the nitrowall as client and laptop as server (in reverse) I get the full 942mbps in 1 stream. When I use the laptop as client at least 2 streams with a 64k windowsize are needed. The results are much better now
That's an interesting discovery, my reflex would be to also try to increase the MTU. The fact that it is working with swapped server and client roles indicates that one side (your original client) seems to not be able to push enough data through the line. Did you also try other clients?
Hi, how can I update the coreboot bios with a more recent one to stay up to date? I can't find a link to firmware updates on your site. Please help
There is no binary distributed currently, images can be built through our coreboot-builder github repository.
Hello, is there a manual on how to create the coreboot file for updating the firmware on the NitroWall (the link above to GitHub is not really helping) and also how to update the firmware itself? Could you write such a manual, if there is none?
Nope, sorry there is no further documentation available right now - but we are taking this with us and will release binaries directly to make this more accessible to our users.
