Hello, I'm thinking of buying some hardware to run pfsense for home use and would welcome opinions on the following options. The main requirements are: it must be quiet (or nearly quiet) and it should be capable of forwarding at >1Gbit/s, since I don't want to buy into a solution that will be obsolete in a couple of years. A rack-based solution isn't going to fly...I don't have the space. I need to forward between internal VLANs and internal/internet but I don't need IPSEC. Suricata would be a nice-to-have, so it would be good to have the option of extending RAM above 8GB.
1. Kettop Home Router I5 Mi7200L6 Core I5-7200U (16Gb Ddr4 Ram 256Gb Ssd Wifi) Aes-Ni,2.5Ghz Dual Core Fanless,6 Intel Gigabit Ethernet. It's the cheap option at $550 (£395 here in the UK). Fails the >1G requirement so it's probably a stopgap solution at best. On the plus side, it has a 60W PSU and is fanless. Other downside: Chinese manufacturer website has nothing in the way of documentation and presumably no support will be forthcoming if it ever has a fault. There are a number of very similar offerings from other vendors (protectli, andaqi and more).
2. Netgate 6100. $699, but many netizens say it is underpowered. Passmark gives it a score of 2360 which is actually worse than the CPU score of the cheaper Kettop box which scores 3403. On the plus side, it does 10G of firewall-only forwarding according to Netgate ("10.1 Gbps firewall performance, 7.9 Gbps NAT handling, or 2.1 Gbps of AES-GCM IPsec VPN"), which is pretty much my use case. Also on the plus side, it will run pfsense+... not sure if that makes much of a difference. Support is available. The 8GB of memory might be a bit too small to run Suricata?
3. Roll-your-own based on the EPYC 3101 (or a similar solution in the 30W TDP range). I like the look of the Asrock EPYC3101D4I-2T:
"Supports 4x DDR4 ECC UDIMM, RDIMM, LRDIMM up to 2666MT/s (2DPC)
Supports up to 1 x OCulinks (PCIe3.0x4 or 4x SATAIII 6Gb/s)
1 x PCIe x 16 slot
Integrated IPMI 2.0 with KVM and Dedicated LAN (RTL8211E)
2 x RJ45 10GLAN by Intel® X550-AT2"
but there are only two 10G ports on board, apart from the IPMI port, so I'd need to buy a separate managed 10G switch to break out some VLANs (or, as a compromise, there are 4-port 2.5G PCIe cards available, but they seem pricey). The motherboard is $700 (£500 here) so by the time I've added memory, SSD, power supply and case, I won't have much change from $1000. Passmark doesn't seem to have a score for the 3101, but it got good reviews here on STH.
Another roll-your-own would be the Supermicro M11SDV-4CT-LN4F. It has 4 x 1G built in but could be upgraded with a 10G NIC. Cost $577 (£417) plus case, RAM, SSD, 10G NIC, etc. Unfortunately, the Supermicro ready-built version (AS-E301-9D-8CN4) is too loud for a desk, according to the STH review, which is a shame.
4. OpnSense DEC840. "8GB DDR4 RAM, 256GB M.2. Solid State Flash and can handle upto 14.6Gbps Firewall & 2.3Gbps IPsec". It's an Epyc 3101 board but at $1176 (€999.00), it's the most expensive option so far - the performance is in the same ballpark as the Netgate 6100 but it's twice the price. Having said which, I don't think the roll-your-own option #3 would end up being as small and quiet as this option - it is fanless. Will the 8GB of RAM be too small for Suricata? If so, then #3 wins. Is OpnSense worth the extra cost, compared to pfsense+ on the Netgate 6100?
5. I could run pfsense CE on a VM on my home server (ESXi). Upside: cost $0. Downside: I'm very reluctant to connect the public internet directly to my server. It completely breaks the concept of defence in depth by putting my "core" compute asset directly on the public internet. Plus, this is an all-eggs-in-one-basket solution - if I have to rebuild my server for any reason, internet access will be down until I get it going again. So, this doesn't feel like a safe option.
6. Xeon-D boards like the X10SDV-7TP8F run to $3500 here (£2537). That's the bare board, not a server. Not happening...
Any thoughts? Please let me know below.