New: NitroWall for Professional Network Security

Our ever-growing product portfolio was still missing a trusted network router and VPN gateway as a counterpart to two-factor authentication using Nitrokeys. Here is NitroWall! Your firewall, intrusion prevention system (IPS) and VPN gateway. Trustworthy thanks to open source firmware and software. For professional users with professional requirements.

Firewall and Intrusion Prevention System (IPS)

Based on the powerful OPNsense, NitroWall meets all the requirements of a professional firewall and IPS such as multi WAN, hardware failover, routing protocols, web filtering, and two-factor authentication.

VPN

VPN gateway for IPSec and OpenVPN with powerful Intel Quadcore CPU with AES-NI for fast data throughput. Secure two-factor authentication via Nitrokey (instead of password) is possible with IPSec.

Open Source Firmware Coreboot

Instead of a proprietary BIOS, the NitroWall uses the open source firmware Coreboot, which offers transparency, minimal attack surface and high speed.

High Speed

Unlike common ARM-based systems, NitroWall contains the powerful Intel Quadcore CPU J3160 with 1.6 GHz and AES-NI. 8 GB RAM, SSD and four Gigabit Ethernet ports provide sufficient resources.

  • Unencrypted LAN: 940 Mbps
  • OpenVPN AES256-GCM: 887 Mbps (UPDATED)
  • IPSec AES128-GCM/AES-XCBC/AES128-GCM: 635 Mbps

Fanless, Rugged Metal Chassis

NitroWall features a small, rugged metal chassis. It does not require a fan, making it completely silent and virtually maintenance-free. In addition, NitroWall is very energy efficient.

Numerous Operating Systems

Instead of OPNsense, NitroWall can be operated with other operating systems such as pfSense, Ubuntu, Windows or Proxmox.

Robust Industrial PC

Thanks to its closed housing and compact size, NitroWall is also suitable as a robust industrial PC in combination with operating systems such as Ubuntu or Windows.


Frequently Asked Questions

Is NitroWall suitable as a replacement for my home router?
Generally not. NitroWall does not include a DSL or cable modem but requires network access via Ethernet. But NitroWall can be operated behind home routers. In addition, the configuration is aimed at professional users with appropriate prior knowledge.

16.5.2022

Comments

Wireguard support?
Yes, via OPNsense plugin(s), there are various guides available on the internet, e.g., https://www.ivpn.net/setup/router/opnsense-wireguard/
What is the typical power consumption in active and idle mode?
Max power consumption is 16W and typical is <10W.
Does it have serial console support?
Yes, the hardware comes with an RJ45 serial connector, not tested together with OPNsense
Why not support Wireguard VPN protocol? It should be ultra fast, and still secure.
Enough power for five VLANs with more than 20 firewall rules to route between the LANs?
Generally yes, although in reality this will likely not depend on the amount of rules and/or VLANs but more on the actual traffic to be filtered and routed. Eventually, please understand that we cannot give guarantees for questions of this specificity because it is trivial to construct an example in which the answer will be "clearly yes" (very low traffic) and also another trivial example (extensive traffic) in which the answer will be "no".
OpenBSD?
As OPNsense is FreeBSD, I would wildly assume OpenBSD will likely also work, but it was not tested by us explicitly.
Yes, works great with OpenBSD 7.1.
Awesome, thanks for testing and letting us know!
Made in Germany? Or China?
The hardware itself is manufactured in China, we build the firmware (coreboot + SeaBIOS) and replace the proprietary BIOS, disable ME, ensure component compatibility etc. To our knowledge there is simply no German (or even European) (OEM) hardware manufacturer which has similar mainboards available. We would love to make more use of (at least) European suppliers, please reach out to us if you know any with similar products.
Why does the NitroWall hardware look similar to the hardware Protectli and others sell? And can you use other OSes that support coreboot, e.g. pfSense?
They look similar because they likely use the same OEM supplier for the hardware. As of now and in the short term we will only offer OPNsense as pre-installed OS, pfSense should work w/o issues, although likely we will (also in the future) not offer it because their license is, let's say: at least "weird" and not an open-source license to our understanding.
How can I get OPNsense updates after the pre-installation? The hardware of the NitroWall is Intel based, but as far as I know the only precompiled OPNsense images are AMD based.
There is a very robust updating mechanism from inside OPNsense, which works reliably and also easily manages major version jumps. Furthermore the images for installation of OPNsense are indeed called "amd64" (see https://opnsense.org/download/) but this denotes the architecture and not the CPU type. This means AMD introduced the 64-bit extensions to the i386 architecture, which is why they are called "amd64" (see e.g., this explanation why 64-bit versions are called amd64). So in short: of course OPNsense images also run on Intel CPUs.

I got a CryptoStick v2 all the way back in 2012 and have been happy with your efforts since. I just wanted to say thank you for taking a step into filling this niche too. I'm an extensive user of OPNsense having switched all my gateway/routing/edge appliance activities to it for both myself and a number of clients over the last few years, but I've run it primarily on SuperMicro 1U boxes. I've wanted a better option to fill the role in smaller scale/managed home solutions, and while using a NUC or other embedded options is of course doable it's nice to see you take a step towards making it more turnkey. Deciso, the company behind OPNsense Business Edition, does offer a number of options too but they neuter important hardware functionality and many of them are very long in the tooth and mediocre value. A few comments though:

    1. A 16GB flash card just shouldn't even be something you offer IMO. At RPi price points sure, but at $500+ you should really try to have the 120 be the basic default. CPU ceiling can't be helped, but people should be able to play around with IDS/IPS, web proxying, plenty of log space (circular logs are dead now) etc. A decent basic 250GB NVMe SSD like the PNY CS1030 is about $34-40 retail. I just don't think it's a place to penny pinch vs user experience personally.
    2. Having said that at the $500 level you should be a bit more generous, I'm going to turn right around and hope you can pull off a $100-200 Arm (probably not x86) version down the road too! Obviously at that point there would need to be some more feature cuts, just two ports etc.
    3. If this does well enough for you, I hope you can fund some focused improvements in OPNsense itself. In particular given your original business, it'd be nice to have webauthn support for the OPNsense web gui as well as easy native key support for ssh and logging into the console.
    4. I can't tell, but I hope you're installing this as ZFS native particularly on the 120+ drives. Even with one drive being able to detect (and repair with copies=2+) corruption is useful, as is snapshots and boot environment rollbacks if something goes pear shaped.

Anyway, best of luck with this! I'm delighted to see a slow but growing appreciation for how important open source is for network edges after ages of people getting burned by crappy appliances (happening again right now! Ars Technica just had a piece on yet another massively widespread flaw, "Gear from Netgear, Linksys, and 200 others has unpatched DNS poisoning flaw"). OPNsense remains too technical/clunky for a lot of users for now, but the foundations are good and if you do want to put some time in it's so nice to have normal open PC management/recovery for such a critical piece of infrastructure. I hope it does well enough in its niche for you.

Hey sonar, thanks for your inputs, highly appreciate them. (I also re-formatted your comment, hope that's ok). Generally, we are currently also still "investigating" this product and its acceptance, based on that we'll surely adapt the product itself and the available configurations. Hard to tell right now where this will go, obviously this also depends on how well it sells, but overall we are already investigating different hardware alternatives, but an ARM platform is currently not within this pool. On the other side we are also looking into options how to better integrate OPNsense into our ecosystem (mainly Nitrokeys) and of course we are using ZFS for all installations.
I just got my NitroWall today! I had to remove the SSD to be able to boot from USB and install VyOS as I found no way to change the default boot device. After this small workaround VyOS is running successfully... BUT changing configurations is painfully slow. Just "configure" and then "show" takes 6 seconds while unionfs-fuse will consume 50% or so of a CPU. It was not so slow when I was running on a KVM guest on Proxmox. Will need to see if I find a solution as this performance makes the solution unusual to work with via Terraform - refresh times out.
Hey, usually it should be possible to change the boot device by pressing "esc" directly after starting the NitroWall (and a connected display). We had some reports that not all USB keyboards work without issues (slow key-press recognition), maybe using another keyboard might already help. For your VyOS issue: generally we ship OPNsense exclusively as a pre-installed solution as this is the solution we regularly test, please understand that it is not possible for us to test a wide range of network/firewall-systems. That being said, I did some searches and the VyOS hardware support page is lacking the Intel Celeron J-family processor in any of the recommended systems, which might be an indication that the CPU is missing some instruction. Sorry that I cannot help more here...
What about IPFire? Are there any problems with it or just concentrating on one OS?
IPFire should work, but you would have to install it by yourself. You are right, we are trying to focus on a small number of OSes.
Ah, ok. But you see no problems such as in relation to pfSense with IPFire, do you? What were the reasons for choosing OPNsense instead of for example IPFire?
OPNsense delivers a very good user experience and robust update mechanisms, while allowing very complex setups. It's a very flexible package overall, thus in our eyes a good choice for a wider, still professional audience.
Ok, thanks!
Just wondering. Does it make sense to use this box/CPU with Proxmox and run virtualized OPNsense passthru on it with a 200 Mbps AES tunnel, and Pi-hole and another small Debian based ssh/onion/http server? Can it handle all this or do you have better hardware suggestions? Another question: can the HAP bit still be set on these boards (as they are newer than the old tweakable Thinkpads used by the privacy community)? Last question: do you still accept BTC?
For higher performance needs we can offer a NitroWall with an i7. The HAP bit is already set, thus ME is deactivated. And Bitcoin, yes you can buy using btc.
