> GL Tech (HK) Ltd: #601, 5W, Hong Kong Science Park, N.T. Hong Kong
> GL Intelligence, Inc.: 10400 Eaton Place, Suite 215, Fairfax, VA 22030
I'm a little curious about this. One of the reasons that some people run OpenWrt is for improved security. In the general security space, a Shenzhen company isn't the most usual choice of vendor for Western countries. Also, the company having the US subsidiary/office/unit based in Virginia, and with "intelligence" in the name, hits a somewhat odd note.
Is it really any different than every person who insists on running pfSense for security reasons then immediately suggesting some Chinese shitbox PC off AliExpress as the ideal platform to run it on?
Also, since when has having a Wikipedia page proven a company legitimate? You know most companies author their own pages anyway, that's kind of how Wikipedia works.
> suggesting some Chinese shitbox PC off AliExpress as the ideal platform to run it on?
How reasonable do you think it is to be this automatically suspicious of any computer coming from China? A generic low-cost barebones Intel PC certainly has plenty of space for compromised firmware to hide, but it's implausible that a Chinese intelligence agency would indiscriminately deploy an attack that made use of a compromised Intel Management Engine firmware signing key to put firmware rootkits in cheap hardware sold to individual consumers.
On an embedded system like the OpenWRT Two where the entire BOM of the system will be public and the OS has full control over the raw flash memory, a purely software-based supply chain attack would be extremely difficult, and a hardware-based supply chain attack would be expensive. Do you think an intelligence agency would really bother with this for a device that is mostly going to be shipping to nerdy hobbyists?
There's more to a threat model than just recognizing that an attack may be technically feasible.
> How reasonable do you think it is to be this automatically suspicious of any computer coming from China?
Based on their track record? Pretty fucking reasonable.
I would say that most probably isn't malicious collaboration with the CCP, rather sheer incompetence. Shipping secure anything just isn't part of their culture. Read a comment on HN the other day from someone that evaluated Huawei hardware for a telco and swore it was so full of holes to be unusable.
The ingrained extreme cheapness of Chinese culture doesn't help. Security is viewed as a luxury - why waste time and money on it when that could be better spent elsewhere?
That said, the incompetence gives them plausible deniability when the intelligence agencies take advantage to exploit the holes for their own use.
What kind of security vulnerabilities do you think an incompetent PC OEM is going to accidentally introduce to a barebones PC that's basically shipping an Intel reference platform and no SSD? Or that GL.iNet might be able to introduce to a system where OpenWRT is assembling the firmware image that gets flashed to the board, and if there are any closed-source components they'd be coming from Mediatek and not developed by GL.iNet?
Shipping telco hardware with a massive bespoke software stack implementing an impossibly-complex pile of standards is very different from what we're talking about here.
> What kind of security vulnerabilities do you think an incompetent PC OEM is going to accidentally introduce to a barebones PC that's basically shipping an Intel reference platform and no SSD?
That's only a problem if the Active Management Technology feature is correctly supported by the OEM including wiring it up to a supported NIC, and the feature is enabled and provisioned by default, and the NIC in question is connected to a network that is a potential attack vector.
From what I can tell, the current NIC of choice for Chinese router PCs is the Intel i226-V, and such PCs come with 4-8 of those. In order to work with the Active Management Technology feature, those would have to be the more expensive i226-LM or i226-IT parts. So AMT is impossible to enable on those PCs and there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals.
> there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals
Are you sure about that? Because I remember something called ACPI that gets executed by the OS every time some configuration changes, such as power levels.
STH has reviewed Chinese PCs that come preloaded with malware. My MSI motherboard force installs Nahimic by default. Not technically malware but the same mechanism exists for malware.
Do you think any of that is relevant to the case of buying a barebones PC that doesn't include SSD or RAM, then adding those components yourself and installing a non-Windows OS?
If your MSI motherboard is installing Nahimic without an internet connection, it is doing so through a mechanism where the installer is made available to the OS in an ACPI table that Windows checks. That check can be disabled with a registry key to prevent such software from being re-installed, and the motherboard may have a BIOS option to disable the anti-feature (though the registry key method is generally more effective, since BIOS settings often get reset to defaults).
Please don't ignore the points I've already made about how a firmware-based attack against a non-Windows OS is a lot harder to pull off. I'm not asking if you think a company would be willing to ship such malware, I'm asking what kind of malware you think is realistically possible. What do you expect a UEFI-based malware to be capable of doing in this context, given the constraints of the hardware we're talking about?
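An added example, not part of the thread or any commenter's code: on a Linux install, a defender can check whether the board's firmware publishes the kind of ACPI table described in the comment above. It assumes the table meant is the Windows Platform Binary Table (WPBT) and that the kernel exposes it at `/sys/firmware/acpi/tables/WPBT`; the sample table and its OEM strings are constructed.

```python
"""Check whether platform firmware publishes a WPBT ACPI table (added example)."""
import struct
from pathlib import Path

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT fields after the header: handoff memory size, handoff memory physical
# address, content layout, content type, length of the arguments that follow.
WPBT_BODY = struct.Struct("<IQBBH")
# Assumption: Linux exposes raw ACPI tables here (normally readable by root only).
SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"


def parse_wpbt(blob: bytes) -> dict:
    """Validate and decode a raw WPBT table; raise ValueError if malformed."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(blob) < fixed:
        raise ValueError("table shorter than the fixed WPBT fields")
    (sig, length, _rev, _cksum, oem_id, oem_table,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(blob, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length < fixed or length > len(blob):
        raise ValueError("header length does not match the data")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(blob, ACPI_HEADER.size)
    if fixed + args_len > length:
        raise ValueError("arguments run past the end of the table")
    return {
        "oem_id": oem_id.decode("ascii", "replace").rstrip("\x00 "),
        "oem_table_id": oem_table.decode("ascii", "replace").rstrip("\x00 "),
        "handoff_size": size,        # bytes of firmware-staged binary
        "handoff_address": addr,     # physical address of that binary
        "content_layout": layout,
        "content_type": ctype,
        "arguments_length": args_len,
        # All bytes of a valid ACPI table sum to zero modulo 256.
        "checksum_ok": sum(blob[:length]) % 256 == 0,
    }


def build_sample_table() -> bytes:
    """Constructed WPBT table for offline testing; not taken from real hardware."""
    args = "constructed".encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_BODY.size + len(args)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"CONSTRCT",
                              1, b"TEST", 1)
    body = WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1, len(args))
    raw = bytearray(header + body + args)
    raw[9] = (-sum(raw)) % 256       # checksum byte lives at offset 9
    return bytes(raw)


def read_host_wpbt(path=SYSFS_WPBT):
    """Return the parsed table, or None when the firmware publishes no WPBT."""
    try:
        return parse_wpbt(Path(path).read_bytes())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print("constructed sample:", parse_wpbt(build_sample_table()))
    found = read_host_wpbt()
    if found is None:
        print("host: no WPBT table exposed by firmware")
    else:
        print("host: firmware publishes a WPBT table:", found)
```

A missing file means the firmware offers no such payload; a present table only matters to an OS that acts on it.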
I’ve reluctantly come to the view that Apple is the best bet for a consumer to get a somewhat reasonable (price notwithstanding) compromise between hardware vertical integration and software that offers substantial bug bounties and large market incentives to not allow bad vulnerabilities to sit for too long. With deep enough pockets to hang tough if needed in various situations.
I completely agree about the buggy bloated software but all I’m saying is that it’s the best bet compared to actual consumer alternatives which are generally a frankenmix of the lowest cost components sourced from the lowest cost vendor with minimum effort spent to ensure and maintain any semblance of security.
Not only this, but most US companies do not really have any incentive to focus on security.
On HN there is an echo chamber with the shunning of companies who have experienced incompetence based breaches. Your average consumer does not know (beyond the news cycle) or generally even really care.
I think you can even look at FBI and NSA public service announcements and guides about consumer electronics security as a sort of ''shit this industry stuff is pretty bad we need to think about our goal differently,'' with regards to them trying to pick up some of the security slack that US companies shit out with their products.
The various 3-letter-agencies really are incentivized to help government and industry be legitimately secure against anything short of the sophisticated attacks they themselves can orchestrate.
When you’ve got the sort of reach and resources they have, it does you no good if script kiddies or unsophisticated attacks are causing problems and you don’t need the easily preventable attack vectors they’d use.
Someone evaluated Huawei hardware for many telcos years ago and a lot of them decided the equipment is not only usable, it’s the best choice. So which ones were the incompetents or shills?
I'm curious how you are currently writing those comments. Other than most of the hardware is made in CN or TW, there are not so many records targeting normal people.
Also you get good hardware cheap, it just works and helps us going forward. Enterprise crap from companies like Intel (especially their server disks) are nightmare for years now and last Juniper and Cisco hardcore bugs in software causing soft-drops without any metrics rising on-device - good luck with that.
I’m more than happy using CN stuff than imaginary safer and better US crap.
As someone who was personally a victim of the 1-2 punch of vulnerable HW and unquestionable malware that took advantage of said vulnerability from the same vendor (and I have the pcaps to prove it), I have sworn off CN garbage forever, I don't care if I have to pay 3x the price.
No one stops you from doing so, just know you will probably be part of a botnet sooner or later.
If you have proof, then why wouldn't you name and shame the vendor in question, or at least be less vague about what kind of product you're talking about? Talking about how you determined that you were being attacked through a combination of hardware and software vulnerabilities would be way more interesting and appropriate for this forum than generic anti-China complaints.
> How reasonable do you think it is to be this automatically suspicious of any computer coming from China? A generic low-cost barebones Intel PC certainly has plenty of space for compromised firmware to hide
The problem seems to be that this firmware doesn’t really get updated once the machine is sold.
That’s legitimate criticism for a security-critical network component.
It's not ideal, but it's not a deal-breaker for every use case. The kind of firmware you get on a barebones industrial-oriented miniPC style router from China doesn't have much potential for a remotely-exploitable vulnerability. Most of the NICs aren't even going to be touched by the boot firmware. The user-supplied OS can take care of applying CPU microcode updates. If the PC doesn't ship with a rootkit already present in the firmware, it's pretty hard for the firmware to be a security problem unless it's secondary to a security vulnerability in the OpenWRT or pfSense software.
Running an up-to-date OpenWRT or pfSense on a normal PC hardware platform with outdated UEFI firmware is still a big step up in security compared to running factory firmware+OS on a cheap consumer wireless router.
The people who source no-name/random-name computer/networking hardware off of AliExpress to use for routers aren't the security-conscious people I'm talking about.
As I said, GL.iNet is a popular company.
I didn't say that having a Wikipedia page proves that a company is legitimate.
Usually the kind of people installing their own router software are the homelabbers who would buy a netgate appliance or equivalent in a professional setting.
The existing OpenWrt One is running a version of Banana Pi, also a product by a Chinese company [1],[2],[3].
From their website, "Banana Pi open source hardware community is an open source hardware project led by Guangdong Bipai Technology, and supported by Taiwan Hon Hai Technology (Foxconn)."
I'm less concerned with their jurisdiction and company profile than their absent software/firmware maintenance.
I have a bunch of their different models and in practice most of them are unusable today (based on ancient upstream with missing important updates; their sources are a huge mess with scarce and out-of-date docs so have fun resolving that yourself; device dtb/driver require unavailable patches; IIRC their stock vendor firmware phones out and they seem to be pushing towards a centrally managed cloud platform I wouldn't trust).
It really is a shame as on paper and out-of-box-right-after launch their devices seem great but after spending too many days failing to get working builds for in particular the Mudi/E750 while realizing that stock firmware is unsafe in untrusted networks, I've given up on them until I see some drastic change in maintenance culture.
The collaboration with OpenWrt might make the "Two" an exception, I guess, if the OpenWrt people are involved and demanding enough.
You should be aware of how much collaboration the OpenWRT folks have with -say- Ubiquiti Networks. [0] And yet, OpenWRT runs fine on the UAP-AC-LITE and -LR.
I'd wager there's nearly zero collaboration between the overwhelming majority of the hardware manufacturers that create hardware that OpenWRT runs on and the OpenWRT folks.
Your concern is entirely unwarranted and -if I might be a little uncharitable- seems to come from a position of ignorance (whether actual or feigned, I cannot tell).
What does that have to do with anything? I'm speaking about experience of deploying existing gl.inet devices, marketed as "fully open source" with OpenWrt being front-and-center in marketing, as well as being promoted on the OpenWrt wiki.
That someone from the community has made OpenWrt run fine on Ubiquiti gear has nothing to do with my comment and is not indicative of anything (if anything perhaps supporting the notion that glinet should be able to do better).
> Your concern is entirely unwarranted and -if I might be a little uncharitable- seems to come from a position of ignorance (whether actual or feigned, I cannot tell).
Yeah, that's quite uncharitable. Did you read the last line of the comment you replied to?
Speaking of ignorance... How many new embedded devices have you personally ported OpenWrt (or any Linux dist for that matter) to? How many glinet devices do you have experience deploying self-compiled builds to? How much time have you spent digging through their sources and patches?
In fact I'm quite surprised by this announcement. Gl.inet is famous for claiming that their os is based on openwrt, while it can be some vendor SDK that is based on some decade-old version of openwrt and has little in common today.
> Did you read the last line of the comment you replied to?
Yes. I read your entire comment and thought on it for a while before I replied. It's stupid to do otherwise.
> That someone from the community has made OpenWrt run fine on Ubiquiti gear has nothing to do with my comment and is not indicative of anything...
Yeah, except that it is. Your comment indicated that ongoing effort from the GL folks was relevant to having OpenWRT continue to run on the hardware:
> I'm less concerned with their jurisdiction and company profile than their absent software/firmware maintenance.
Ubiquiti is famously anti-open-source. They used to be less so with their routers, but always were very, very nasty when it came to their WiFi access points. There's no way in hell they're providing assistance (especially ongoing assistance) to the OpenWRT project.
This is honestly a fantastic deal for both sides, we get cheap hardware, they get working software. We're both terrible at doing the other bit and all governments are gonna have backdoors regardless.
I'd like an L3Harris gamer router with IBM CPU, Intel ROM/RAM, Xilinx DSP, and Analog Devices modem, all at $49, but only if there's going to be such a thing, ever...
MikroTik is European (Latvian) and makes some affordable routers. Their own RouterOS is closed source, but many models are supported by OpenWrt (no experience). If you are willing to spend more, OPNsense (Netherlands) also sells hardware. In the old days one could also recommend pfSense hardware, but they are becoming more and more closed (though you can usually run OPNsense on the same hardware).
QNAP is Taiwanese. Their QHora routers use closed software, but I think most models are supported by OpenWrt.
I would like to avoid Mikrotik at all costs since they are not only running questionable proprietary software, but also have a history of GPL violation.
Currently they provide sources for GPL components this way, what a joke of a company:
>To get a CD with the corresponding source code for the GPL-covered programs in this distribution, wire transfer $45 to MikroTikls SIA, Ūnijas iela 2, Riga, LV-1039, Latvia.
The irony here is that it's the US who has been proven to break into allied networks and infrastructure and done both political and industrial espionage against their allies.
If global manufacturers would get with the program and ship blob-free hardware with mainline Linux support, owners could pick their desired firmware and software poison. Until then, we have Cambrian hardware innovation, old kernels and mystery firmware from Shenzhen, which can be compromised by a broad spectrum of hostile actors.
Similarly, I'd like one from outside both american/european AND chinese influence. I think you'd be absolutely insane to trust either of them.
Honestly, if we're ever going to have a decent open hardware movement, I think it's going to come from a place like Nigeria or Peru, not a wealthy country.
I don’t see how ubiquiti not being open source is relevant here, as the original question was
> Can you recommend Western companies that would be able to produce similar hardware at the same price point?
Besides, I’m yet to see any open source routing software that’s half usable as a complete package. With the sole exception of VyOS, it’s all hot garbage, OpenWRT and pfSense included.
Ok, you may be in the wrong thread. This is a product for people who consider OpenWRT support to be a positive selling point. The OpenWRT One and OpenWRT Two are not products aimed at people who consider OpenWRT to be "hot garbage". They're not trying to produce generically good router hardware; they're trying to produce good router hardware for use with OpenWRT.
When somebody in this context is asking for similar hardware, it's reasonable to assume that OpenWRT support would still be considered important, or at least worth mentioning.
Mikrotik sells also bare boards. They come with their RouterOS platform (Linux based, closed) but some can run OpenWRT.
Also Olimex has really interesting and open products, but they're not primarily aimed at networking.
GL Intelligence is just their 'American Agency', or their legal representation in the United States since they are a foreign company. Probably an American consultant firm they fund. This is required. You can't use your Hong Kong lawyers here.
I don't understand this comment. All electronics assembling happens in Shenzhen. Be it Apple, Cisco or Microsoft. If anything this is par for the course.
What I personally would have liked to see was an EU based entity overseeing and taking responsibility for the project since neither US nor China really should be trusted with privacy these days.
This is awesome! I've been using OpenWRT for more than a decade, and I think it's great that they're designing their own hardware now.
I'm on a GL.iNet MT-6000 right now, and it's a great router. The stock firmware is based on openwrt, and they make it very easy to upgrade to an official openwrt release. I bought it before the OpenWRT One became available, but I probably would have gone with it anyways because it has two 2.5gb ports whereas the OpenWRT One only has a single 2.5gb port. I'm on 1gb internet right now, so that would be fine for the moment, my ISP has already been advertising 2gb service coming soon, and I'd like to upgrade once it's available.
It looks like the MT7988 chip they chose for the OpenWRT Two supports either two 10gb ports or one 10gb and a bunch of other ports, so I think they made the right call. It should be capable of handling up to 5gb internet service, so it'd be a better fit for someone like me.
I imagine it'll also be one of the first and likely best OpenWRT devices to support Wi-Fi 7.
There is experimental support for the Asus BT8 which is a be14000 device, there are snapshot builds for it but issues going back to the Asus firmware. Also banana pi R4 development board and it's got a be14000 WiFi card. These are all the devices I know that have support but many of the mt7988s should get added in time.
Is there a reasonable scenario where enough people vote "no" here? It seems unlikely, so a nuanced discussion where pros and cons are considered seems more productive. Seems like a yes/no vote makes more sense if there is actual contention or disagreement among internal factions.
If you vote no, you'll basically be seen as the stickler person without a good reason.
18 people are missing (abstained?), so could that be interpreted as an ambiguous "no"?
In a slightly different reality, most members might reasonably vote no if it was deemed too costly for the organization's budget, or if the champion of the project was seen as unreliable, or if there were genuine concerns with the chosen contractor. Some of these could change after a short bit -- a sudden funding source appears, a different leader of the project steps up, or they address concerns with the contractor bid.
It's weird reading the claim as there have been plenty of routers designed for OpenWRT in years prior. Some even quasi-bespoke. A selling point of the product is they release their source code but afaik this just means OpenWRT per se (and I suppose the bootloader) as various chips have closed source firmware anyway (much like other products that try to be as open source as possible).
Awesome, I hope this work continues. I got to put my hands on a One a few weeks ago at SCaLE 22x[0], where the Software Freedom Conservancy was the "Network Sponsor"[1] and the WiFi was being provided by a bunch of Ones.
> OpenWRT "One" and "Two" are physical routers designed specifically to run OpenWRT. This is describing "Open WRT Two", a physical piece of hardware, that will have a price-tag, rather than some new software release of OpenWRT.
OpenWRT "One" and "Two" are physical routers designed specifically to run OpenWRT. This is describing "Open WRT Two", a physical piece of hardware, that will have a price-tag, rather than some new software release of OpenWRT.
Yes. I was thinking it will only work or it works on $250 dollar routers but I know for sure that is not the case. And I didn't even know OpenWRT made hardware routers.
I searched and looked at that router.... I wish someone from Eero or Ubnt hardware team would lend them a hand.
Possibly the result of little or no announcements elsewhere. I learned about the OpenWRT One existence only after searching what OpenWRT Two is 10 minutes ago.
I have one of their travel routers (Beryl), and they beat a U7 Pro (the one with horrible still unfixed firmware) in consistency and throughput with one device connected to 5 GHz. While I sit next to the UniFi AP and the Beryl sits behind a concrete wall. And it's not a small difference either. I run it in AP mode for game streaming now because the UniFi keeps dying, even when I'm the only device on 6 GHz.
The polish I'm missing on supposed premium products.
OpenWrt went crazy in the last few years. OpenWrt (the OS) is a mess:
- bugs are ignored,
- bug fixes ignored,
- improvements to core OpenWrt are ignored (although package PRs are still accepted somehow),
- almost no new documentation,
- no reply for documentation clarifications on the forum,
- significant parts of OpenWrt are not accessible for PRs or bug reports: fstools, procd, ubus, etc.
- no improvements to critical routing features, such as hardware acceleration,
- routers abandoned left and right (kernel no longer fits in the factory partition) and absolutely no support for older kernels,
But now they have video acceleration, mesa, X, wayland, Doom, etc.
With OpenWrt Two, I bet they're going to make the same mistakes as OpenWrt One: not enough memory and not upgradable, wifi not replaceable, no usable expansion slots (mini-PCI, M.2) and, of course, no (e)SATA. Another e-waste product that will be obsolete even before it's available to buy.
> With OpenWrt Two, I bet they're going to make the same mistakes as OpenWrt One: not enough memory and not upgradable, wifi not replaceable, no usable expansion slots (mini-PCI, M.2) and, of course, no (e)SATA. Another e-waste product that will be obsolete even before it's available to buy.
Those are only mistakes if you ignore the realities of what hardware is available. A highly-integrated SoC designed specifically for wireless router usage is a more cost-effective platform than a generic x86 PC. Basing OpenWRT One and Two on such hardware means work to improve support for those systems is more likely to benefit OpenWRT support for mainstream consumer networking equipment that also uses purpose-built SoCs.
OpenWRT is not yet in a position to influence the hardware design decisions made by companies like Mediatek, Qualcomm, Broadcom for their consumer WiFi product families. Those chips are still designed around what's best for the big brands that are the primary customers: Netgear, Linksys, TP-Link, etc. Adding SATA controllers to a WiFi router SoC does not benefit Netgear, et al., nor does splitting out all the radios to separate chips that could be installed onto M.2 cards (miniPCI and miniPCIe being long obsolete and bandwidth-starved). Asking for eSATA is laughably unrealistic.
A focus on the kind of modular, expandable and upgradable hardware platforms that actually currently exist (namely, PCs) is what leads to the distractions you're complaining about: "video acceleration, mesa, X, wayland, Doom, etc."
For another approach to open source networking by Linux Foundation please check DENT OS [1].
> OpenWRT is not yet in a position to influence the hardware design decisions made by companies like Mediatek, Qualcomm, Broadcom for their consumer WiFi product families.
Perhaps I'm biased, but I do believe DENT is in much better position and has more chance of influencing the white-box networking vendor than OpenWRT with regards to their design decisions.
From the website:
"As a Linux Foundation project, DENT utilizes the Linux Kernel, Switchdev, and other Linux based projects as the basis for building a new standardized network operating system without abstractions or overhead. All underlying infrastructure — including ASIC and Silicon for networking and datapath — is treated equally; while existing abstractions, APIs, drivers, low-level overhead, and other open software are simplified. DENT unites silicon vendors, ODMs, SIs, OEMs, and end users across all verticals to enable the transition to disaggregated networks."
That doesn't even appear to be attempting to address anything relevant to consumer networking. It's a purely enterprise-focused project, mostly about putting a Debian-based OS onto rackmount ethernet switches.
>That doesn't even appear to be attempting to address anything relevant to consumer networking
Don't be too pessimistic, anything that can contribute to the disaggregation of networking technology will be good for the consumer markets since the companies producing these networking SoC namely Qualcomm, Mediatek, etc should care about their downstream revenues. By adopting the open eco-system championed by SONiC and DENT for networking technology disaggregation, it will definitely spill over to the consumer networking as well since these are the very same companies that design and manufacture the networking pervasive consumer networking SoC.
There are too many and numerous examples of Linux enterprise features that are spilling over to consumer Linux, and the latest is the real-time Linux kernel extensions although it did take like forever (i.e 20 years) to be adopted by the main line Linux kernel.
> Those are only mistakes if you ignore the realities of what hardware is available.
If you think the focus should be on what hardware is available, then why make an OpenWrt Two instead of buying the existing hardware?
> A highly-integrated SoC designed specifically for wireless router usage is a more cost-effective platform than a generic x86 PC.
This is exactly why OpenWrt One and probably Two too is just e-waste - because those cheap integrated hardware platforms are e-waste to begin with. They are indeed cost-effective, but only for a brief moment in time.
Wifi drivers are one of the most problematic parts of linux kernel. Also, wifi standards are still changing very fast. Non-replaceable wifi is one of the things that's going to kill these boards.
OpenWrt One can only be used as a wireless router. There's no storage, no expansion slots, not even USB3. It can't be repurposed, can't be upgraded, can't even be used as an ordinary ethernet router because there's no switch. In less than a year, OpenWrt Two makes it obsolete. OpenWrt Two won't be any different, so why make it at all? What will that improve? There's tons of boards better than that (BananaPi R-series, GLinet routers).
So that's basically my argument.
(I didn't complain about the CPU. The CPU is probably the most future-proof component in there. Using x86 CPU is probably the worst design decision they could make.)
> Adding SATA controllers to a WiFi router SoC does not benefit Netgear, et al.
So what? That's what PCIe is for (and expansion slots).
Turris Omnia is almost 10 YEARS old and it's still being sold, and at outrageous prices, mind you, even second-hand. Its CPU is obsolete, its miniPCIe slots are obsolete, its ethernet is (almost) obsolete, its memory is barely sufficient, and yet it's still usable as a home router, personal web server, file server, NAS, torrent client, remote download manager, TOR node, proxy, etc. etc. after 9 years! Why is that? Because Wifi was replaceable and it had 2GB RAM at a time when most routers only had 32MB.
Beat that, OpenWrt One&Two!
> A focus on the kind of modular, expandable and upgradable hardware platforms that actually currently exist (namely, PCs) is what leads to the distractions you're complaining about: "video acceleration, mesa, X, wayland, Doom, etc."
No, that's not it. A mini-PCIe / M.2 slot won't fit a GPU (well, it could, but...). A SO-DIMM slot instead of soldered memory also won't change anything. Meanwhile, GPUs are already there in most SoCs supported by OpenWrt, not just x86: Rockchip, Mediatek, Broadcom/RaspberryPi, you name it.
If devs were interested in GPU support, they could have contributed to Buildroot instead. Why did they add it to OpenWrt instead of Buildroot? Probably because it was easy: they're the main devs of OpenWrt with commit privileges. I'm not saying that they abused those privileges. I'm saying that their interest doesn't seem aligned with what OpenWrt is: an OS for routers.
> modular, expandable and upgradable hardware platforms that actually currently exist (namely, PCs)
And this is the second problem with OpenWrt One/Two. If an OpenWrt dev wanted to have an OpenWrt NAS, or an OpenWrt server of some kind, anything other than (just) a router, only PCs fit the requirements. Not even Rockchip/BananaPi SBCs. Of course that dev is going to contribute with support for PCs in OpenWrt.
Am I understanding you correctly: your complaint about OpenWRT software is that they aren't focused exclusively enough on being a router, and your complaint about OpenWRT hardware is that they are focused exclusively on being a router?
GL.iNet's hardware has been great, but it's always annoyed me their products are designed with OpenWRT as an unsupported "advanced function" where updates lag behind the main project. If OpenWRT Two breaks this pattern, then I am very intrigued.
What I would want to have some company to make one device that would at the same time be:
1) router
2) smart tv (airplay, chromecast, miracast)
3) smart speaker
4) smart home gateway (matter)
5) wireless charging pad
6) private cloud (nextcloud)
7) private backup (removable nvm)
8) private vpn / dns / pihole / adguard
9) mini server
Everything in a nice package and preconfigured and ideally modular (upgradable ssd, wifi).
UmbrelOS [0] is interesting but it's quite expensive and it's only for home server (no router, no smart speaker, smart tv, wireless charging pad). Apple TV has a great hardware and cheap but so limited for 3rd party. Wish they made it modular that you could attach magnetic speaker, wireless charging pad and had some usb for attaching 4g modem.
Please check Synology products, a Taiwanese company. They have affordable products and solutions that provide all your listed requirements and then some more [1],[2]. Not sure if they have one device or several devices integrate together to perform the functions you've listed, more likely the latter.
Openwrt ticks a lot of those boxes if you add storage. For me, the location of my router makes using it as a charging pad, speaker, and TV device impractical anyway, and I can imagine I'm not alone in that.
Yes I understand in US where a lot of people live in houses this makes less sense but in Asia and Europe a lot of people live in apartments and they have their router and smart tv box in living room on tv desk. Such router covers whole apartment and direct wired connection to TV would reduce latency with airplay. Many also use 4g usb modem since mobile data providers are cheap there (e.g. in Poland you can get 300GB for $7 with 5g included and no contract).
Depends on your preference for hypervisor/host, network performance, SR-IOV partitioning, need/avoidance of AMT vPro remote mgnt (e.g. Intel vs. Broadcom), OEM NIC firmware. I've used low-profile Dell quad-port NICs in the past.
I wonder why they are including a 5G port. There does not seem to be a lot of gear that uses it. An additional 1/2.5G or 10G SFP would make more sense.
> There's 30$ usb-c adapters out now. Where-as 10Gbe is usually $130+.
Sure, but if you include another SFP+ port, you can run that at 1, 2.5, 5, or 10gbit. Another SFP+ port gives you a BUNCH of options (including the "copper, fiber, or twinax?" option). A 5Gbit copper port locks you in to just that one configuration.
As for the expense of SFP+ modules, go check out the 10Gtek company. The optical ones are very inexpensive [0], and I've had eight of their optical SFP+ modules in my home networking hardware for many, many years with no problems whatsoever. I expect the copper ones to be just as reliable.
[0] And their copper ones are on the low side of average price
5GBASE-T can run on Cat5e/Cat6 cabling which people probably already have. This makes the router a viable product, which can improve your home network performance with minimal investment, just by swapping out your old router.
OTOH, the dual SFP+ configuration is more on the exotic side. It may make sense on some professional setting (or some outlier home network configurations - like yours), but I guess this is not the intended market.
The operator of the device. Who were you thinking of?
> 5GBASE-T can run on Cat5e/Cat6 cabling which people probably already have.
There are SFP and SFP+ modules that will do 1, 2.5, 5, and 10GBASE-T just fine. If the operator wants to run 1GBASE-T, they can. If the operator wants to run 10GBASE-[SL]R, they can do that, too. Options.
> The dual SFP+ configuration is more on the exotic side.
1) Used to be that having a gigabit Ethernet port was on the exotic side, too. (If we go far enough back, 10mbit was hella fancy.) Times change.
2) Here are two SFP+ ports for ~140 USD. [0] Here are four for 150USD. [1] Times change, man.
I hope the reason is that they'd have to remove several ports to upgrade that hard-wired 5Gbit port to a 10Gbit SFP+ port. Otherwise, it's very, very silly what they've done.
It figures that Realtek is a key part of the story. The availability of Realtek PHYs and NICs is what's finally allowing 2.5GbE and 5GbE to go mainstream for consumer equipment. Aquantia got bought by Marvell and ended up with enterprise-level pricing on all their stuff. Intel completely tanked their reputation for NICs with a few failed attempts to implement 2.5GbE support, and haven't even tried to introduce a consumer-grade 5GbE option. But now that Realtek is in the game, 2.5GbE is widespread in new desktop motherboards and fairly cheap in USB Ethernet adapters.
250 sounds like Banana R4 already won. Seeing different no-name boards such specs should be way less or we should have 2 10G fiber, 4-5 10G copper and some great specs in terms of computing... Did I miss anything?
From what I can tell of the block diagram, dropping the 2x 1gbit ports would not yield you a 2nd 10G SFP, as those would be running off the integrated switch as opposed to one of two USXGMII interfaces.
You would have to drop the other ports instead, and then you would just have 2x 10G SFP and a gigabit switch. Which is exactly how the BPi R4 is configured.
I don't know about the One. But some of the MediaTek CPUs apparently have hardware fq-codel support, or so I was told. I had a Gl.iNet with a MediaTek SoC (Flint 2) and it had great bufferbloat scores.
https://www.gl-inet.com/about-us/ says:
> GL Tech (HK) Ltd: #601, 5W, Hong Kong Science Park, N.T. Hong Kong
> GL Intelligence, Inc.: 10400 Eaton Place, Suite 215, Fairfax, VA 22030
I'm a little curious about this. One of the reasons that some people run OpenWrt is for improved security. In the general security space, a Shenzhen company isn't the most usual choice of vendor for Western countries. Also, the company having the US subsidiary/office/unit based in Virginia, and with "intelligence" in the name, hits a somewhat odd note.
Also, since when has having a Wikipedia page proven a company legitimate? You know most companies author their own pages anyway, that's kind of how Wikipedia works.
How reasonable do you think it is to be this automatically suspicious of any computer coming from China? A generic low-cost barebones Intel PC certainly has plenty of space for compromised firmware to hide, but it's implausible that a Chinese intelligence agency would indiscriminately deploy an attack that made use of a compromised Intel Management Engine firmware signing key to put firmware rootkits in cheap hardware sold to individual consumers.
On an embedded system like the OpenWRT Two where the entire BOM of the system will be public and the OS has full control over the raw flash memory, a purely software-based supply chain attack would be extremely difficult, and a hardware-based supply chain attack would be expensive. Do you think an intelligence agency would really bother with this for a device that is mostly going to be shipping to nerdy hobbyists?
There's more to a threat model than just recognizing that an attack may be technically feasible.
Based on their track record? Pretty fucking reasonable.
I would say that most probably isn't malicious collaboration with the CCP, rather sheer incompetence. Shipping secure anything just isn't part of their culture. Read a comment on HN the other day from someone that evaluated Huawei hardware for a telco and swore it was so full of holes to be unusable.
The ingrained extreme cheapness of Chinese culture doesn't help. Security is viewed as a luxury - why waste time and money on it when that could be better spent elsewhere?
That said, the incompetence gives them plausible deniability when the intelligence agencies take advantage to exploit the holes for their own use.
Shipping telco hardware with a massive bespoke software stack implementing an impossibly-complex pile of standards is very different from what we're talking about here.
Historically remote code execution in the IME.
> an incompetent PC OEM
And then it never gets patched.
That's only a problem if the Active Management Technology feature is correctly supported by the OEM including wiring it up to a supported NIC, and the feature is enabled and provisioned by default, and the NIC in question is connected to a network that is a potential attack vector.
From what I can tell, the current NIC of choice for Chinese router PCs is the Intel i226-V, and such PCs come with 4-8 of those. In order to work with the Active Management Technology feature, those would have to be the more expensive i226-LM or i226-IT parts. So AMT is impossible to enable on those PCs and there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals.
Are you sure about that? Because I remember something called ACPI that gets executed by the OS every time some configuration changes, such as power levels.
Do you see the problem here?
Which ACPI table do you expect to be used for delivering malicious executable code?
If your MSI motherboard is installing Nahimic without an internet connection, it is doing so through a mechanism where the installer is made available to the OS in an ACPI table that Windows checks. That check can be disabled with a registry key to prevent such software from being re-installed, and the motherboard may have a BIOS option to disable the anti-feature (though the registry key method is generally more effective, since BIOS settings often get reset to defaults).
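The comment above does not name the ACPI table; this added example (not from the thread) assumes it is the Windows Platform Binary Table (WPBT) and parses one, so an operator can see whether firmware is offering Windows a binary to run. The sample table is constructed for illustration, and the default path is where Linux exposes ACPI tables through sysfs (reading it normally requires root).

```python
import struct

# ACPI System Description Table header: 36 bytes, little-endian.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT fields after the header: handoff memory size, handoff physical
# address, content layout, content type, byte length of the arguments.
WPBT_BODY = struct.Struct("<IQBBH")
CHECKSUM_OFFSET = 9  # signature (4) + length (4) + revision (1)


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its full length."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table and report what the firmware hands to Windows."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < fixed:
        raise ValueError("too short to be a WPBT table")
    (sig, length, _rev, _csum, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if length < fixed or length > len(table):
        raise ValueError("header length does not match the data supplied")
    table = table[:length]
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(
        table, ACPI_HEADER.size)
    args = table[fixed:fixed + arg_len]
    if len(args) != arg_len:
        raise ValueError("argument string runs past the end of the table")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip("\x00 "),
        "handoff_size": size,        # size in bytes of the embedded binary
        "handoff_address": addr,     # physical address where firmware put it
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.decode("utf-16-le", "replace").rstrip("\x00"),
        "checksum_ok": acpi_checksum_ok(table),
    }


def read_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT"):
    """Return the parsed table, or None when the firmware publishes no WPBT."""
    try:
        with open(path, "rb") as fh:
            return parse_wpbt(fh.read())
    except FileNotFoundError:
        return None


def build_sample_wpbt(arguments: str = "") -> bytes:
    """Constructed sample table with made-up OEM strings and addresses."""
    args = arguments.encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256  # make the table sum to zero
    return bytes(table)


if __name__ == "__main__":
    found = read_wpbt()
    if found is None:
        print("No WPBT table published by this firmware.")
    else:
        print("WPBT present: %(oem_id)s/%(oem_table_id)s offers a "
              "%(handoff_size)d-byte binary at %(handoff_address)#x" % found)
```
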
As opposed to the US, where it's the other way around [1]. You prefer that?
[1] https://en.wikipedia.org/wiki/Room_641A
On HN there is an echo chamber with the shunning of companies who have experienced incompetence based breaches. Your average consumer does not know (beyond the news cycle) or generally even really care.
I think you can even look at FBI and NSA public service announcements and guides about consumer electronics security as a sort of "shit this industry stuff is pretty bad we need to think about our goal differently," with regards to them trying to pick up some of the security slack that US companies shit out with their products.
When you’ve got the sort of reach and resources they have, it does you no good if script kiddies or unsophisticated attacks are causing problems and you don’t need the easily preventable attack vectors they’d use.
Do you have a link? Would be nice to know more technical details.
https://news.ycombinator.com/item?id=43342304
No one stops you from doing so, just know you will probably be part of a botnet sooner or later.
The problem seems to be that this firmware doesn’t really get updated once the machine is sold.
That’s legitimate criticism for a security-critical network component.
Running an up-to-date OpenWRT or pfSense on a normal PC hardware platform with outdated UEFI firmware is still a big step up in security compared to running factory firmware+OS on a cheap consumer wireless router.
We need adversarial competitive firmware that comes from different sources the same as we have for software.
I know why we don't have that. It doesn't change the fact that that is what we need.
Don’t bother importing. They should start seizing these at the port
As I said, GL.iNet is a popular company.
I didn't say that having a Wikipedia page proves that a company is legitimate.
I know how Wikipedia works.
From their website, "Banana Pi open source hardware community is an open source hardware project led by Guangdong Bipai Technology, and supported by Taiwan Hon Hai Technology (Foxconn)."
[1] Banana Pi OpenWrt One:
https://www.aliexpress.com/item/1005007795779282.html
[2] Banana Pi website:
https://www.banana-pi.org/web/index.php
[3] Banana Pi:
https://en.wikipedia.org/wiki/Banana_Pi
I have a bunch of their different models and in practice most of them are unusable today (based on ancient upstream with missing important updates; their sources are a huge mess with scarce and out-of-date docs so have fun resolving that yourself; device dtb/driver require unavailable patches; IIRC their stock vendor firmware phones out and they seem to be pushing towards a centrally managed cloud platform I wouldn't trust)
It really is a shame as on paper and out-of-box-right-after launch their devices seem great but after spending too many days failing to get working builds for in particular the Mudi/E750 while realizing that stock firmware is unsafe in untrusted networks, I've given up on them until I see some drastic change in maintenance culture.
The collaboration with OpenWrt might make the "Two" an exception, I guess, if the OpenWrt people are involved and demanding enough.
I'd wager there's nearly zero collaboration between the overwhelming majority of the hardware manufacturers that create hardware that OpenWRT runs on and the OpenWRT folks.
Your concern is entirely unwarranted and -if I might be a little uncharitable- seems to come from a position of ignorance (whether actual or feigned, I cannot tell).
[0] Less than zero.
That someone from the community has made OpenWrt run fine on Ubiquiti gear has nothing to do with my comment and is not indicative of anything (if anything perhaps supporting the notion that glinet should be able to do better).
> Your concern is entirely unwarranted and -if I might be a little uncharitable- seems to come from a position of ignorance (whether actual or feigned, I cannot tell).
Yeah, that's quite uncharitable. Did you read the last line of the comment you replied to?
Speaking of ignorance... How many new embedded devices have you personally ported OpenWrt (or any Linux dist for that matter) to? How many glinet devices do you have experience deploying self-compiled builds to? How much time have you spent digging through their sources and patches?
Yes. I read your entire comment and thought on it for a while before I replied. It's stupid to do otherwise.
> That someone from the community has made OpenWrt run fine on Ubiquiti gear has nothing to do with my comment and is not indicative of anything...
Yeah, except that it is. Your comment indicated that ongoing effort from the GL folks was relevant to having OpenWRT continue to run on the hardware:
> I'm less concerned with their jurisdiction and company profile than their absent software/firmware maintenance.
Ubiquiti is famously anti-open-source. They used to be less so with their routers, but always were very, very nasty when it came to their WiFi access points. There's no way in hell they're providing assistance (especially ongoing assistance) to the OpenWRT project.
QNAP is Taiwanese. Their QHora routers use closed software, but I think most models are supported by OpenWrt.
Currently they provide sources for GPL components this way, what a joke of a company:
> To get a CD with the corresponding source code for the GPL-covered programs in this distribution, wire transfer $45 to MikroTikls SIA, Ūnijas iela 2, Riga, LV-1039, Latvia.
But: Mikrotik has problems with end-user Wifi - Their APs are old and weak.
GL.Inet are firmly in the personal and budget enthusiast market.
The price difference between those two markets is almost 2:1.
Compulab in Israel has some customizable IoT boards, https://www.compulab.com/products/sbcs/sbc-iot-imx8-nxp-i-mx...
QNAP in Taiwan has QHora routers, but much higher price points.
Honestly, if we're ever going to have a decent open hardware movement, I think it's going to come from a place like Nigeria or Peru, not a wealthy country.
4x 2.5GbE (one of them even a PoE port)
1x 10GbE SFP+
WiFi 7 with MLO
$279
> Can you recommend Western companies that would be able to produce similar hardware at the same price point?
Besides, I’m yet to see any open source routing software that’s half usable as a complete package. With the sole exception of VyOS, it’s all hot garbage, OpenWRT and pfSense included.
When somebody in this context is asking for similar hardware, it's reasonable to assume that OpenWRT support would still be considered important, or at least worth mentioning.
https://mikrotik.com/products/group/routerboard
https://www.olimex.com/
https://fcc.report/FCC-ID/2AFIW-XE300C4G/7058909.pdf
What I personally would have liked to see was an EU based entity overseeing and taking responsibility for the project since neither US nor China really should be trusted with privacy these days.
Thanks be to karmic disclaiming transparency.
I'm on a GL.iNet MT-6000 right now, and it's a great router. The stock firmware is based on openwrt, and they make it very easy to upgrade to an official openwrt release. I bought it before the OpenWRT One became available, but I probably would have gone with it anyways because it has two 2.5gb ports whereas the OpenWRT One only has a single 2.5gb port. I'm on 1gb internet right now, so that would be fine for the moment, my ISP has already been advertising 2gb service coming soon, and I'd like to upgrade once it's available.
It looks like the MT7988 chip they chose for the OpenWRT Two supports either two 10gb ports or one 10gb and a bunch of other ports, so I think they made the right call. It should be capable of handling up to 5gb internet service, so it'd be a better fit for someone like me.
I imagine it'll also be one of the first and likely best OpenWRT devices to support Wi-Fi 7.
If you vote no, you'll basically be seen as the stickler person without a good reason.
18 people are missing (abstained?), so could that be interpreted as an ambiguous "no"?
OpenWRT One Released: First Router Designed Specifically for OpenWrt - https://news.ycombinator.com/item?id=42285689 - Dec 2024 (144 comments)
[0] https://www.socallinuxexpo.org/scale/22x
[1] https://www.socallinuxexpo.org/scale/22x/sponsor/software-fr...
What does that mean?
I searched and looked at that router... I wish someone from Eero or Ubnt hardware team would lend them a hand.
The full sentence:
> "Two" will (hopefully) be in the 250$ region with yet again a portion of that being donated to the project.
It’s a wonderful time to be into free software and free hardware. Thank you folks!
The polish I'm missing on supposed premium products.
- bugs are ignored,
- bug fixes ignored,
- improvements to core OpenWrt are ignored (although package PRs are still accepted somehow),
- almost no new documentation,
- no reply for documentation clarifications on the forum,
- significant parts of OpenWrt are not accessible for PRs or bug reports: fstools, procd, ubus, etc.
- no improvements to critical routing features, such as hardware acceleration,
- routers abandoned left and right (kernel no longer fits in the factory partition) and absolutely no support for older kernels,
But now they have video acceleration, mesa, X, wayland, Doom, etc.
With OpenWrt Two, I bet they're going to make the same mistakes as OpenWrt One: not enough memory and not upgradable, wifi not replaceable, no usable expansion slots (mini-PCI, M.2) and, of course, no (e)SATA. Another e-waste product that will be obsolete even before it's available to buy.
I wish they got back to routing.
Those are only mistakes if you ignore the realities of what hardware is available. A highly-integrated SoC designed specifically for wireless router usage is a more cost-effective platform than a generic x86 PC. Basing OpenWRT One and Two on such hardware means work to improve support for those systems is more likely to benefit OpenWRT support for mainstream consumer networking equipment that also uses purpose-built SoCs.
OpenWRT is not yet in a position to influence the hardware design decisions made by companies like Mediatek, Qualcomm, Broadcom for their consumer WiFi product families. Those chips are still designed around what's best for the big brands that are the primary customers: Netgear, Linksys, TP-Link, etc. Adding SATA controllers to a WiFi router SoC does not benefit Netgear, et al., nor does splitting out all the radios to separate chips that could be installed onto M.2 cards (miniPCI and miniPCIe being long obsolete and bandwidth-starved). Asking for eSATA is laughably unrealistic.
A focus on the kind of modular, expandable and upgradable hardware platforms that actually currently exist (namely, PCs) is what leads to the distractions you're complaining about: "video acceleration, mesa, X, wayland, Doom, etc."
> OpenWRT is not yet in a position to influence the hardware design decisions made by companies like Mediatek, Qualcomm, Broadcom for their consumer WiFi product families.
Perhaps I'm biased, but I do believe DENT is in much better position and has more chance of influencing the white-box networking vendor than OpenWRT with regards to their design decisions.
From the website:
"As a Linux Foundation project, DENT utilizes the Linux Kernel, Switchdev, and other Linux based projects as the basis for building a new standardized network operating system without abstractions or overhead. All underlying infrastructure — including ASIC and Silicon for networking and datapath — is treated equally; while existing abstractions, APIs, drivers, low-level overhead, and other open software are simplified. DENT unites silicon vendors, ODMs, SIs, OEMs, and end users across all verticals to enable the transition to disaggregated networks."
[1] DENT:
https://dent.dev/
Don't be too pessimistic, anything that can contribute to the disaggregation of networking technology will be good for the consumer markets since the companies producing these networking SoC namely Qualcomm, Mediatek, etc should care about their downstream revenues. By adopting the open eco-system championed by SONiC and DENT for networking technology disaggregation, it will definitely spill over to the consumer networking as well since these are the very same companies that design and manufacture the networking pervasive consumer networking SoC.
There are too many and numerous examples of Linux enterprise features that are spilling over to consumer Linux, and the latest is the real-time Linux kernel extensions although it did take like forever (i.e. 20 years) to be adopted by the main line Linux kernel.
If you think the focus should be on what hardware is available, then why make an OpenWrt Two instead of buying the existing hardware?
> A highly-integrated SoC designed specifically for wireless router usage is a more cost-effective platform than a generic x86 PC.
This is exactly why OpenWrt One and probably Two too is just e-waste - because those cheap integrated hardware platforms are e-waste to begin with. They are indeed cost-effective, but only for a brief moment in time.
Wifi drivers are one of the most problematic parts of the Linux kernel. Also, wifi standards are still changing very fast. Non-replaceable wifi is one of the things that's going to kill these boards.
OpenWrt One can only be used as a wireless router. There's no storage, no expansion slots, not even USB3. It can't be repurposed, can't be upgraded, can't even be used as an ordinary ethernet router because there's no switch. In less than a year, OpenWrt Two makes it obsolete. OpenWrt Two won't be any different, so why make it at all? What will that improve? There's tons of boards better than that (BananaPi R-series, GLinet routers).
So that's basically my argument.
(I didn't complain about the CPU. The CPU is probably the most future-proof component in there. Using x86 CPU is probably the worst design decision they could make.)
> Adding SATA controllers to a WiFi router SoC does not benefit Netgear, et al.
So what? That's what PCIe is for (and expansion slots).
Turris Omnia is almost 10 YEARS old and it's still being sold, and at outrageous prices, mind you, even second-hand. Its CPU is obsolete, its miniPCIe slots are obsolete, its ethernet is (almost) obsolete, its memory is barely sufficient, and yet it's still usable as a home router, personal web server, file server, NAS, torrent client, remote download manager, TOR node, proxy, etc. etc. after 9 years! Why is that? Because Wifi was replaceable and it had 2GB RAM at a time when most routers only had 32MB.
Beat that, OpenWrt One&Two!
> A focus on the kind of modular, expandable and upgradable hardware platforms that actually currently exist (namely, PCs) is what leads to the distractions you're complaining about: "video acceleration, mesa, X, wayland, Doom, etc."
No, that's not it. A mini-PCIe / M.2 slot won't fit a GPU (well, it could, but...). A SO-DIMM slot instead of soldered memory also won't change anything. Meanwhile, GPUs are already there in most SoCs supported by OpenWrt, not just x86: Rockchip, Mediatek, Broadcom/RaspberryPi, you name it.
> I wish they got back to routing.
I feel like you are contradicting yourself.
[0] https://umbrel.com/
[1] Synology Products A - Z: Applications:
https://www.synology.com/en-global/products-a-z
[2] Synology:
https://en.wikipedia.org/wiki/Synology
Yes there are very few switches with 5Gbe. But I'd be open to that changing!
[0] <https://mikrotik.com/product/css318_16g_2s_in>
[1] <https://mikrotik.com/product/crs305_1g_4s_in>
I can plug that port into an existing 10G switch and get 5G over that link, which can be a nice sweetspot (10G can be excessive in terms of power/heat) while we can fully saturate one of the 2.5G ports routed over it without saturating the uplink.
And if not it will still play nice at 2.5.
https://lists.openwrt.org/pipermail/openwrt-devel/2025-Febru...
[1] https://github.com/openwrt/openwrt/pull/14950
> * 5G copper
> * 4 port 2.5G copper
> * 1-2 port 1G copper
Should've gone for at least two 10G ports and dropped the extra two 1G ports...