Are there any good x86 routers?

First off, I concur with the Intel NIC recommendations for anything over a few hundred Mbps. The on-board Realtek NICs have all kinds of problems when you push them hard, even with a robust OS. Intel makes some dual-channel server boards that can be had for ~$30 in OEM pack. There are a couple of generations of PCIe ones, and I don't recall which is which any more. They are great on a miniATX or larger board. It can be a challenge, especially with the older series, to find a microITX board that supports them.

For raw CPU, I can't speak for OpenWRT/LEDE, but I've been running GigE full speed through FreeBSD with more sophisticated firewalling and flow shaping than LEDE/OpenWRT is capable of on hardware as slow as an Atom D330. Those eventually were retired, not because of speed, but because of RAM limitations with the advent of ZFS as my preferred file system. I've been running Celeron J1900 and 1037U for several years now with "full" bandwidth on multiple adapters and very low latency.

Which comes to the final point. Look, LEDE is great for embedded devices, but with 1 Gbps of bandwidth, you're a significant hacking target. OpenWRT sucked for even keeping up with kernel and security patches. You couldn't even get the source for years-outdated, security-related ports to compile your own in many cases. LEDE is marginally better, but I wouldn't trust either with network security, especially with such an attractive target. Busybox and all the work-alike software that you need for trying to run in a tiny memory footprint with limited disk space are nowhere near as robust as their regularly tested and updated originals. Not to mention a royal pain when it comes to sysadmin, when you find out that less is really less than you expected, or that you have to install diff to do something that should be simple.

With an x86-class system, do yourself a favor and run a regularly updated, secure operating system. Yes, I prefer FreeBSD from both a performance and security standpoint, but you can lock down Debian/Ubuntu/RedHat pretty well.

Edit: Regrettably, the moderately priced 1037U motherboards with PCIe slots able to handle dual-port adapters don't seem to be available any more. I've been looking at the Gigabyte GA-H270N-WIFI as a possible alternative, but the cost goes up once you need to add something like an Intel G4600 and a cooler. At least it comes with dual Intel GbE. I have not tried this combo (yet).

Please explain why this user is more of a target than someone with a 50 Mbps service?

Depends on who they are getting their bandwidth from and what netblock. Much more interesting to scan moderate- or high-bandwidth netblocks for the telltale signs of weak security than it is a 56k modem pool.

I don't consider LEDE/OpenWRT to be secure or reliable enough to be the only firewall in place, at any speed. I have always run a more secure firewall behind the OpenWRT/LEDE devices on an OS that is better vetted for security and has patched software that is readily available in a timely manner.

On the other hand, OpenWRT/LEDE was adopted by a large number of ISPs and hundreds of thousands of people are using it. Take the example of the SFR box in France, it is running OpenWRT. So OpenWRT/LEDE is probably quite secure, otherwise all those routers would already be hacked.

I agree a problem comes when you install tons of software on the main firewalling router. Installing dozens of pieces of software on a firewall is crazy. A firewall should always be minimal...

Jeff, I used to run a Debian box with a minimal kernel compiled statically. What is nice in Debian is that when you are happy with a kernel compilation, you can recompile it statically using two commands. It then becomes way more difficult to hack. Don't you think?

On the converse, I don't like the idea that upon a zero-day hack, LEDE/OpenWRT is wide open and the hacker can easily install any package/kernel mod. Security agencies (I mean "foreign", not your own country) probably have ready-made toolkits for OpenWRT/LEDE. There should be a way to "lock down" LEDE completely, like I used to do with a Debian distro. We should be able to recompile the kernel statically and replace the current kernel, using one or two command lines, like in Debian.

Also, with LEDE, the serial console is not protected, boot is not signed, etc. It makes for a lot of small glitches, but we can fix them in the future. What is important in the short term for security is: secure boot with/without console, static kernel on demand (by the way, it is always "leaner"), etc.

Dear Jeff. I did not find the right words. LEDE is a great advance compared to embedded devices with little to no upgrades. Think about my D-Link 1210-P, which was apparently compiled under Fedora Core 3 back in 2004. It probably has plenty of security holes. If all that hardware were running LEDE, the world would be more secure, because LEDE can be upgraded easily and maintained.

@ffries Yes, I agree, OpenWRT/LEDE is worlds better than the firmware installed by most manufacturers! At least when it's installed, it is reasonably current with updates. I agree also that there should be a way to lock it down even further. My own preference would be to have a filesystem that was effectively immutable without physical access to the device. I'm used to FreeBSD where the immutable and append-only flags can't even be written by root once the kern.securelevel is raised. But we're drifting off topic. Perhaps worth discussing on another part of the forum.

Back on topic, while not an x86 machine and not "turn-key" for LEDE, I've had initial good indications from an Odroid-XU4(Q). With a Plugable-branded ASIX AX88179 USB 3 dongle, I can get "1 Gbps" through both the adapters. It runs a Samsung Exynos5422 which should have plenty of processing power with four of the A15, 2.1 GHz cores (and then four of the "little" ones). Linux kernel 4.9 is available for it. Under $100 with the USB dongle, power supply, and case.

Hello,
this kind of mini-PC is cheap and should be very good for LEDE:
https://www.aliexpress.com/item/4-Ethernet-Lan-Mini-PC-Idustrial-Routers-J1900-Quad-Core-Celeron-desktop-computer-2-0Ghz-windows10/32779903683.html

You should get more value out of a unit with i210 NICs, for they are newer and have multiple hardware queues.

The issue with the J1900-based product is there is no AES-NI, so it is not the ideal choice for OpenVPN.

And for those who don't care about OpenVPN?


Can't see what's better in an i210. What are "hardware queues"? :open_mouth:

Thanks for sharing, it's really great. :slightly_smiling_face:

Hello,
What about this one:
https://www.aliexpress.com/item/Minisys-Pfsense-fanless-mini-pc-x86-core-i3-7100u-celeron-3865u-6-Intel-Lans-DDR4-linux/32825286984.html

With no RAM and no storage = 185 euros

CPU: Celeron 3865U, 2 cores / 2 threads, 1.8 GHz, with AES-NI, TDP 15 W, fanless
Memory: supports 2x DDR4 1866/2133 MHz, max 32 GB
Storage: 1x SATA 3.0, 1x mSATA (32G/64G/128G/500G/1TB optional)
Network: 6x Gbit LAN, Intel 82583V
4x USB 3.0
1x RJ45 COM (supports console)
1x HDMI (no sound output)
1x Mini-PCIe connector (supports WiFi/Bluetooth)
1x Mini-SATA 3 Gb/s connector

Hello,
This looks promising: http://www.fit-pc.com/web/products/fitlet/fitlet-rm/

Is this still your opinion two years later? Is a pfSense/OPNsense in front of an OpenWRT router still a required option?

I still run two layers with two different technologies, nftables on Linux and ipfw on FreeBSD. I do not run pf/OPNsense at all. Once it is straightforward to use nftables under OpenWrt without the mess of iptables present[1], I will reconsider the Linux-based OS. Linux, unfortunately, still does not offer true immutability that I am aware of, either for the file system or for the firewall rules.

[1] I have not been successful in stripping all of iptables out of an OpenWrt build, even without LuCI.

2 Likes
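As an added illustration of the "minimal firewall, nftables on Linux" approach discussed in this thread (this ruleset is not from the thread or from any poster, and the interface names `wan0` and `lan0` and the LAN-side SSH/DNS/DHCP services are assumptions), here is a complete two-interface router ruleset. Everything not explicitly allowed is dropped by chain policy, inbound from the WAN side only gets reply traffic, and the LAN is masqueraded out of the WAN interface. Load it with `nft -f ruleset.nft`; `nft list ruleset` shows the per-chain drop counters afterwards.

```nft
#!/usr/sbin/nft -f
# Assumed interface names (not from the original posts):
#   wan0 = upstream/ISP side, lan0 = inside network.
flush ruleset

table inet filter {
    chain input {
        # Default deny for traffic addressed to the router itself.
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Management and local services reachable only from the LAN side
        # (assumed services: SSH, DNS, DHCP).
        iifname "lan0" tcp dport 22 accept
        iifname "lan0" tcp dport 53 accept
        iifname "lan0" udp dport { 53, 67 } accept

        # Minimal ICMP/ICMPv6 so path MTU discovery and IPv6 neighbour
        # discovery keep working; everything else is dropped below.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        counter drop
    }

    chain forward {
        # Default deny for traffic routed through the box.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only LAN -> WAN is initiated; WAN -> LAN exists solely as replies.
        iifname "lan0" oifname "wan0" accept

        counter drop
    }

    chain output {
        # Traffic originated by the router itself is allowed out.
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Using `iifname`/`oifname` rather than `iif`/`oif` means the ruleset loads even if an interface does not exist yet at boot; the match is by name at packet time. Note that, as the post above says, nothing here is immutable: anyone with root can `nft flush ruleset`, which is the gap a FreeBSD `kern.securelevel` deployment closes and Linux does not.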

Why not use OpenBSD with pf instead of FreeBSD if you really want security by design?

Why is OpenWRT alone not enough? Is it so insecure?

These days there isn't much of a difference in terms of security and if you have any preferences you'll most likely go with that.

As far as I can tell npf is ported to Linux if you want to give it a go :wink:

1 Like