Converting a Cisco IronPort to an overkill home router.


When I started researching for a new firewall I had my current firewall (pfSense) virtualized. This can work in many environments, but the reason it couldn't work in mine was that I didn't have a High Availability environment. This means that if any part of my server infrastructure went down, I lost internet for all devices. I kept restarting my server for some testing, so it became very inconvenient.

My quest for a better solution began. I decided to figure out what I needed from a firewall/router. After some time researching options and configurations, I came to a handful of requirements.

1. Compatibility with an open source firewall (pfSense, OPNsense)
2. Rack Mountable
3. Small(ish)
4. Expandable.

The chosen one

There were several first choices when picking a router. The usual ones, like an R210 II or a whitebox build like   These are both very good options, but they both have their own downfalls: the R210 is a full-blown server, and the whitebox would cost more to make rack mountable. Then JDM suggested the HP 290, but although it was extremely energy efficient, it was a bit bigger than preferred and not rack mountable.

The search continues

With the above choices out of the round-up, I continued looking for more options. I came across several more USFF options like the generic Intel PCs,   a PC Engines APU and a few others.

Many of these options are awesome for the high efficiency factor alone. Thinking back, it's amazing how far computers have come in just 10 years. But they either weren't expandable, or just didn't have great compatibility with pfSense or OPNsense.

After feeling like I had exhausted my options, I came across a post on reddit about using a Cisco IronPort as a home router. These were originally built for advanced web threat detection and monitoring for up to 1,500 users. They were allegedly able to detect zero-day exploits, and because of the major footprint Cisco has in the world of networking, they are able to analyze hundreds of terabytes of data and filter out malicious software and exploits.

Overall these were built for a purpose, and that purpose required some pretty strong hardware. According to several forum posts they are based on the same board as the ASA 5525 but missing a few chips that allowed more NICs. The IronPort S170 is, at its core, a mini server. It has 4GB of RAM and a Pentium. Both are upgradable: the RAM to 32GB, and the CPU has plenty of options, including a variety of Xeons and a few i3/i5 chips if AES-NI is needed.
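Since the CPU choice above hinges on whether AES-NI is needed, here is a small check for whether a CPU actually advertises it. This is an added example, not code from the original post or from Cisco or OPNsense: it parses the Linux /proc/cpuinfo `flags` line (token `aes`) and the FreeBSD boot dmesg `Features2=<...>` line (token `AESNI`), which is what a FreeBSD-based firewall like OPNsense or pfSense reports. The sample lines are constructed for the example, not captured from real hardware.

```shell
#!/bin/sh
# Added example: detect AES-NI support from CPU feature text.
# Returns "yes" or "no" on stdout for the feature text passed as $1.
aesni_status() {
    # Linux: the "flags" line lists lowercase feature tokens; require the
    # bare token "aes" (so "vaes" or "aesni" in other formats do not match).
    if printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'; then
        echo yes
    # FreeBSD: dmesg prints "Features2=0x...<SSE3,...,AESNI,...>".
    elif printf '%s\n' "$1" | grep -Eq 'Features2=.*[<,]AESNI[,>]'; then
        echo yes
    else
        echo no
    fi
}

# Live check on the host this runs on: reads /proc/cpuinfo on Linux or
# /var/run/dmesg.boot on FreeBSD; "unknown" if neither file is readable.
live_aesni_status() {
    if [ -r /proc/cpuinfo ]; then
        aesni_status "$(cat /proc/cpuinfo)"
    elif [ -r /var/run/dmesg.boot ]; then
        aesni_status "$(cat /var/run/dmesg.boot)"
    else
        echo unknown
    fi
}

# Constructed sample inputs (not real hardware output).
SAMPLE_LINUX_WITH='flags		: fpu vme de pse sse2 ssse3 aes avx'
SAMPLE_LINUX_WITHOUT='flags		: fpu vme de pse sse2 ssse3 vaes avx'
SAMPLE_FREEBSD_WITH='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,AESNI,XSAVE,AVX>'
SAMPLE_FREEBSD_WITHOUT='  Features2=0x1f8bfbff<SSE3,PCLMULQDQ,XSAVE,AVX>'

echo "Linux sample with AES-NI:      $(aesni_status "$SAMPLE_LINUX_WITH")"
echo "Linux sample without AES-NI:   $(aesni_status "$SAMPLE_LINUX_WITHOUT")"
echo "FreeBSD sample with AES-NI:    $(aesni_status "$SAMPLE_FREEBSD_WITH")"
echo "FreeBSD sample without AES-NI: $(aesni_status "$SAMPLE_FREEBSD_WITHOUT")"
echo "This host:                     $(live_aesni_status)"
```

Run it on the candidate CPU before buying an upgrade, or on the installed firewall to confirm the flag made it through the BIOS and kernel; the `vaes` sample shows why the match is on the whole token rather than a substring.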

The final test

After seeing that the IronPort crosses off all my needs and wants, I decided to buy one off eBay. At that moment I was in the final leg of the race. I was ready to get this up and running, but I had to solve a small problem: it didn't have a video output, and the console wasn't cooperative. Fortunately it had a header on board that I could "convert" to a VGA output.

After hooking up a converter I was able to get the install going. I chose OPNsense over pfSense mainly because of the whole AES-NI debacle, but that's a whole post in itself. The install was pretty straightforward and didn't require anything special; however, I did only install on one SSD, but with two you should be able to just select a RAID 1 from the OPNsense installer.


Overall I'm pretty impressed with what this little thing can do, and it's only under $100 used. You can't find anything else that comes close to this within the price point. Plus you don't have to buy any additional hardware like a quad NIC or a shelf to rack mount it. In addition, if you wanted to, you could probably add some more RAM and a stronger processor and have a pretty good hypervisor host.
