¶ Cyber Gateway Deployment on NanoPi R5S
The NanoPi R5S (as “R5S”) is an open-sourced gateway device with two 2.5G and one Gbps Ethernet ports, designed and developed by FriendlyElec, 2GB or 4GB LPDDR4X RAM, and 8GB or 16GB eMMC flash. It has one microSD, one M.2 NVME, two USB 3.0, and USB Type-C power delivery. It uses Rockchip RK3568 chip, which is a high-range general-purpose SoC, made in 22nm process technology, integrated 4-core ARM architecture A55 processor.
¶ Hardware Checklist
Before deployment, make sure you have everything in the checklist below.
|
Number |
Item |
Quantity |
Remarks |
|
1 |
1 (2) |
2 for HA (high availability deployment) |
|
|
2 |
1 (2) |
2 for HA |
|
|
3 |
SanDisk 64GB Ultra microSDXC Memory Card |
1 (2) |
2 for HA |
|
4 |
1 |
To burn image on the SD card |
|
|
5 |
3 (6) |
Each NanoPi R5S box requires 3 LAN/ WAN cables |
¶ Common Deployment Architecture
A common deployment scenario for the NanoPi R5S deployment is to replace the Firewall as well as address the WAN Aggregation and Failover use case as shown below. However, you can also use it with a single WAN. In this case, plug in the WAN cable into the WAN port. You can pick one of the LAN ports for the LAN network.
¶ Deploying Cyber Gateway on NanoPi R5S
To deploy Cyber Gateway on NanoPi R5S. follow the instructions below:
¶ Step 1: Download the cyber gateway image file
- Download the image in gz file format from Exium downloads page here.
- Insert the SD card in the SD card reader and plug the reader in the USB port of a Windows (or Mac) machine.
¶ Step 2: Burn the image on to the SD card
- Download and launch balenaEtcher software on your windows (or Mac) machine: https://www.balena.io/etcher
- Unzip the OS image file that you downloaded in your file folder, and then select the unzipped OS image (Disk image file format) in the balenaEtcher and flash onto the SD card. You may also directly import the gz file without unzipping.
¶ Step 3: Insert the SD card, and power on the NanoPi R5S
- When flash is completed, remove the SD card from the SD card reader.
- Power off your NanoPi R5S, insert the SD card and power it back on
¶ Step 4: Login to the NanoPi R5S box
- Find the local IP address by following the instructions in here, SSH using the local IP. Alternatively, you can access console via a Monitor plugged into the HDMI port on the NanoPi R5S
- Login with username:
piand password:pi. We recommend that you change the default password immediately before deploying the cyber gateway.
To change password, at the command prompt, type “sudo passwd pi” and press Enter. Enter the root user password (which is also pi). Enter the new user password. Retype the new password a second time.
¶ Step 5: Deploy the Cyber gateway on the NanoPi R5S
- Follow the instructions for Multiple interface Cyber Gateway deployment or the Single interface Cyber Gateway deployment.
¶ What Performance to expect on NanoPi R5S?
In the Multiple Interface cyber gateway, security controls such as Firewall and Web security is provided locally in the CGW. Therefore, we recommend that only the Secure Private Access (SPA) traffic goes to the Mesh while the Secure Internet Access (SIA) traffic that has already gone through advanced security controls in the CGW itself can exit locally.
¶ WAN Throughput
See below result of a Speedtest for the SIA traffic exiting locally, where the ISP speed is 1.0Gb/s. We can see that the Cyber gateway can support network speeds matching to the ISP speed of about 1.0 Gb/s.
¶ LAN Throughput
The two LAN ports on NanoPi R5S are rated for 2.5 Gb/s while the port labeled WAN is rated at 1.0 Gb/s. For the lateral East-West traffic that stays local to the site and does not exit towards WAN, NanoPi R5S can support higher network speeds. The results of an iperf Throughput test on the LAN network are provided below. We can see that the Cyber gateway can support LAN network speeds of about 2.0 Gb/s.
Accepted connection from 192.168.9.5, port 53024
[ 5] local 192.168.9.251 port 5201 connected to 192.168.9.5 port 53028
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.01 sec 212 MBytes 1.76 Gbits/sec 17 512 KBytes
[ 5] 1.01-2.01 sec 255 MBytes 2.14 Gbits/sec 0 571 KBytes
[ 5] 2.01-3.01 sec 264 MBytes 2.22 Gbits/sec 0 609 KBytes
[ 5] 3.01-4.00 sec 249 MBytes 2.09 Gbits/sec 0 618 KBytes
[ 5] 4.00-5.01 sec 256 MBytes 2.14 Gbits/sec 0 621 KBytes
[ 5] 5.01-6.01 sec 256 MBytes 2.15 Gbits/sec 0 624 KBytes
[ 5] 6.01-7.01 sec 235 MBytes 1.97 Gbits/sec 0 628 KBytes
[ 5] 7.01-8.01 sec 236 MBytes 1.98 Gbits/sec 0 636 KBytes
[ 5] 8.01-9.01 sec 232 MBytes 1.95 Gbits/sec 0 641 KBytes
[ 5] 9.01-10.01 sec 236 MBytes 1.98 Gbits/sec 0 641 KBytes
[ 5] 10.01-10.04 sec 6.25 MBytes 1.92 Gbits/sec 0 641 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.04 sec 2.38 GBytes 2.04 Gbits/sec 17 sender
-----------------------------------------------------------
Server listening on 5201To learn more about implementing SASE for your organization and explore tailored solutions that meet your unique requirements, contact Exium at partners@exium.net for a consultation or demonstration. If you are ready to get started, check out our testing and onboarding process.