Fujitsu Futro S920 Thin Client as opnsense firewall

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

yogi_en

New Member
Dec 18, 2019
19
13
3
pfsense is up and running in my S920 now. I used Intel I-340 as quad port NIC. Power consumption is around 15 to 16 Watt for my usage. Hp-620plus power consumption was around 13 to 14 watt with a different Intel I-340 for similar usage.
 
  • Like
Reactions: Samir

Ben.

New Member
Jan 22, 2022
1
1
3
Thanks for the summary about the S920/S930.

I am about to replace my APU1D4 running OPNsense by a S930 and have two thoughts/questions, maybe you can help me:

a) I can either put a 10 GBit card or the Intel Quad 1 GBit card inside. Which one would you choose? I think even the CPU can't handle 10 GBit, maybe it can reach 5, which would be already more than 4x 1 GBit. What do you think?
b) How big should the Riser card be? Is it worth buying the original (around 30 Euros) or "as small as possible" from a retailer for 10 Euros?

Thanks for your experience and feedback.

Sidenote: I am not running IDS/IPS at the moment, but would like to do so maybe in the future.
 
  • Like
Reactions: Samir

infojunky

Member
Mar 14, 2022
24
28
13
Huge warning: Do not attempt to update the bios in Windows PE. I got a bsod midway and the box was temporarily bricked (but fixing it only took 45 minutes!) I read the board manuals beforehand and knew there was a recovery feature so I guessed how it worked. You can find Fujitsu downloads here by plugging in model numbers and hitting the "OS Independent" tab:
https://support.ts.fujitsu.com/IndexDownload.asp?lng=en&OpenTab=

Bricked bios recovery guide:
1. ID the board in your S920. Mine was a D3313-E1x. It's easy to tell if the box is in working condition but otherwise there's an S920 pdf that explains the different board variants. The boards have different components.
https://support.ts.fujitsu.com/indexdownload.asp?Softwareguid=ebc493fd-3eac-44a0-894f-8af8404735a4
2. Download "BIOS Update - Admin Pack for D3313-xyz" and unpack
3. In the same bios tab there's a link to a FreeDOS USB creation tool for Windows:
https://support.ts.fujitsu.com/Inde...wareGUID=4C7EAC35-E4B9-4EB2-B51D-C7AB265A9690
4. Plug in a flash drive you don't care about and provision it with the FreeDOS tool
5. Copy paste the unpacked bios files as-is onto the flash drive
6. Pop open the case on your S920. It's only two screws and it's not completely obvious how it comes apart but it shouldn't be too hard. The part that slides out is connected to the front panel.
7. Your board should have a recovery pinout labeled "RCV" like this, where X should be where the jumpers were located when I opened the box:

- -
X
X -

"RCV" SILKSCREENED UNDERNEATH
arrange the jumpers like this
--
-
X X

"RCV" SILKSCREENED UNDERNEATH
8. Plug your flash drive into the front USB and turn on the S920
9. Your flash drive should light up and the speaker should make a bunch of weird noises. There are multiple tones, do not do anything until the tones change and start repeating.
10. Rearrange recovery jumpers to stock position
11. Reset machine and enjoy your long-winded bios update! Remember to change your power-on settings and decrease APU shared memory to 32 MB.

Note: The latest bios is currently V4.6.5.4 R1.16.0 and it is probably important so do consider flashing it:
- Microcode updates added.

- Memory module frequency limited to maximum
supported speed (1600MHz).


Here's some OPNSense performance off the top of my head with this hardware. Tests all done with NIC accelerations kept enabled except for IPS.
GX-424CC @ 2.4 GHz
4GB DDR3
Dell I350-T4 (T34F4) variant flashed with latest Intel firmware
(don't even ask me how I did this I don't remember I probably flashed it in Linux. claims to support SR-IOV)
Originally came with an AMD FirePro on original riser. This riser variant has a metal support bar that runs down the middle.
Onboard ethernet is some kind of Realtek, have not tried using it yet
Power adapter: Some Lenovo thing I had that happened to fit the specs
(ADP-65YB D, 20V 3.25A 65W, Lenovo P/N 36200337)

iperf3 Loopback (?): 3.43 GB/s
WAN with/without traffic shaping: Enough to saturate 1 gbit
WAN with IPS: 400 MB/s (Suricata seems extremely buggy with this hardware anyways just don't bother)
iperf3 inter-NIC on i350-t4: 400-500 MB/s
(laptop gbit on OptX to firewall on OptY, need to retest with 2 different machines later)


Basically it's fast enough for most homes, a little slow for enthusiasts and I'm happy with my ~$55 box and $50 quad NIC.

P.S Anyone know how to undervolt this CPU on BSD? I was able to take off 100 millivolts in Linux across all pstates. The software reported at one or two watts of savings, would love to have that. I see there's a BSD tool for manipulating MSRs but that's way over my head.

P.P.S My S920 was assembled in Germany (!) and the D3313s are industrial boards made by Kontron. I'm sad I only bought a single one. The quality speaks for itself.

P.P.P.S mSata SSD on mine reports about 3 years of power-on hours despite the unit looking completely spotless. I think these came from healthcare.
 
Last edited:

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
3,257
1,445
113
49
HSV and SFO
pfsense is up and running in my S920 now. I used Intel I-340 as quad port NIC. Power consumption is around 15 to 16 Watt for my usage. Hp-620plus power consumption was around 13 to 14 watt with a different Intel I-340 for similar usage.
Thank you for the update! I recently connected mine to an epdu and as I'm using it right now (as a thin client), it's using 12.3w according to the epdu. (It's currently got about 20 rdp sessions running and using about 6gb out of 16gb of ram running the factory win10 iot build.)
 

infojunky

Member
Mar 14, 2022
24
28
13
Anyone have too much free time and want to test Windows undervolting? I mentioned getting -100mV in Linux a few posts up.

In the past I used amdmsrtweaker to tweak CPUs in Windows. Looks like that might still work if you turn off virtualization and core security according to a thread I can't link.

I'm using the S920 as a router right now so I can't test anything in Windows. But I welcome people to try.

Edit: Also found ancient ancient abandonware called pumastatectl if anyone wants to mess around with that.
 
  • Like
Reactions: Samir

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
3,257
1,445
113
49
HSV and SFO
I'm using the S920 as a router right now so I can't test anything in Windows. But I welcome people to try.
As cheap as these are, you should pick up a spare and restore it and go to town. ;) I've considered picking up a third myself.

Edit: Well scratch that--there's not a single one available in the US anymore. :(
 

infojunky

Member
Mar 14, 2022
24
28
13
I compiled the FreshPorts BSD port of amdmsrtweaker, ran "kldload cpuctl" and tried running it.
./amdmsrt
ERROR: unsupported CPU
If it doesn't work in BSD it probably doesn't work in Windows. :(

Edit: I know, I should've bought like 3-5 of them while they were still $55 shipped. Their off-bay website has 25 of them in stock for $100 each. Price is alright I guess.
 
  • Like
Reactions: Samir

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
3,257
1,445
113
49
HSV and SFO
I compiled the FreshPorts BSD port of amdmsrtweaker, ran "kldload cpuctl" and tried running it.

If it doesn't work in BSD it probably doesn't work in Windows. :(

Edit: I know, I should've bought like 3-5 of them while they were still $55 shipped. Their off-bay website has 25 of them in stock for $100 each. Price is alright I guess.
What cpus is that supposed to support?

Link to off-bay website?
 

infojunky

Member
Mar 14, 2022
24
28
13
What cpus is that supposed to support?

Link to off-bay website?
Not sure, it's quite old software to be honest. I vaguely recall using it for Phenom II and FX-8350.


I wasn't able to get any shipping options to show up so these might be reserved, nonexistent or pickup only.
 
Last edited:
  • Like
Reactions: Samir

Elf

New Member
Mar 28, 2022
4
4
1
Germany
Is the S920 still a good choice for a router with VPN enabled? Internet speed is 50/10. There's an offer for a "Fujitsu Futro S920 ThinClient AMD 1.50GHz 2GB 1,9GB SSD" (without PSU or stand) for 25€ and free shipping, so I'm very tempted.
 
  • Like
Reactions: Samir

infojunky

Member
Mar 14, 2022
24
28
13
Is the S920 still a good choice for a router with VPN enabled? Internet speed is 50/10. There's an offer for a "Fujitsu Futro S920 ThinClient AMD 1.50GHz 2GB 1,9GB SSD" (without PSU or stand) for 25€ and free shipping, so I'm very tempted.
It'll be fine with your slow speeds. Probably don't even need any hardware upgrades, just use the single onboard Realtek and hook it up to a managed switch. :eek:
 
  • Like
Reactions: Samir

Elf

New Member
Mar 28, 2022
4
4
1
Germany
It'll be fine with your slow speeds. Probably don't even need any hardware upgrades, just use the single onboard Realtek and hook it up to a managed switch. :eek:
I still have some 2-Port Intel NICs. From what I've read so far I need some riser cable to use the PCI extension in the case?

The vpn or speed in general will be limited by the CPU only, right? What do you think is the upper limit? 100mbit/s? It's a bit far-fetched but I still hope to be able to upgrade my connection someday :D

Edit: Any idea how it compares to a HP N54L? Got an unused one in the shelve.
Edit 2: Okay, according to Passmark, the N54L is even worse.
 
Last edited:
  • Like
Reactions: Samir

infojunky

Member
Mar 14, 2022
24
28
13
Pretty much. I can get at least 200 MB/s forcing a USB2 ethernet connected client over OpenVPN. I don't have all of my hardware moved yet so unfortunately I can only do hilariously dodgy tests or recall the ones I did months ago. But Wireguard-kmod was about 700 MB/s over LAN iirc. This is with the significantly faster 2.4 GHz GX-424CC in my S920.

You do need a riser if it's one of the cheaper S920s. I looked up the listing you're probably talking about and the back panel is blocked off so you probably need one.

Problem with that cheaper S920 is it'll probably cost 3-4x its value to get miscellaneous parts for it.
 
  • Like
Reactions: Samir

Elf

New Member
Mar 28, 2022
4
4
1
Germany
You do need a riser if it's one of the cheaper S920s. I looked up the listing you're probably talking about and the back panel is blocked off so you probably need one.

Problem with that cheaper S920 is it'll probably cost 3-4x its value to get miscellaneous parts for it.
It's the Fujitsu Futro S920 ThinClient AMD 1.50GHz 2GB 1,9GB SSD ohne Netzteil ohne Fuß | eBay I'm talking about. Glad you reminded me, because that'll add 6€-20€ (depending if x1 or x8/x16 is needed) for the riser card/cable and 15-20€ for a power supply. Still sounds like a good deal if I can get it to 100mbit/s-200mbit/s WireGuard throughput, or am I mistaken here? Note: I got a spare 4GB DDR3-SODIMM module and a 2 port Intel NIC lying around, so I wouldn't need to buy those.

Offers seem scarce in general currently. The S920s in stock (in Germany) are all with the GX-415GA SoC. Other alternatives I looked at,
like the Wyse 5070 or HP T730, cost over 200€. Older Core-i desktops are cheap and easier to get, but they consume a lot more power.

I'm open for other recommendations (like where to ask for advise in my own thread since I don't want to hijack OP's thread any longer, sorry about that.)
 
Last edited:
  • Like
Reactions: Samir

infojunky

Member
Mar 14, 2022
24
28
13
Some interesting tidbits from dmidecode and SMART of my box. It also describes the recovery jumpers, pretty much what I already wrote about earlier. So the pinout would be something like:

1 2
3 4
5 6
RCV

The SSD serial starts with the year 2017, could be a coincidence. Does correspond to the 3 years of power-on hours. So these boxes are only 5 years old and you can probably expect at least 5 more years of lifespan out of them. The DVI port supports digital/analog. It seems like the system expects a max of 8GB memory, but Samir's pointed out they take a lot more so I don't know if that's just a suggestion.
System Configuration Options
Option 1: J3-5: Default position
Option 2: J1-2: Reserved
Option 3: J5-6: Recovery BIOS active

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
Manufacturer: FUJITSU
Product Name: D3313-E1
Version: S26361-D3313-E1

Handle 0x000F, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: ALC671

Handle 0x000B, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: HD8330E
Internal Connector Type: None
External Reference Designator: DVI-I
External Connector Type: Other
Port Type: Video Port

Handle 0x000D, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: ALC671

Handle 0x001C, DMI type 9, 17 bytes
System Slot Information
Designation: PCIe
Type: x4 PCI Express 2 x16
Current Usage: Unknown
Length: Short
ID: 0
Characteristics:
3.3 V is provided
PME signal is supported
Bus Address: 0000:00:00.0

On Board Device 6 Information
Type: Ethernet
Status: Enabled
Description: Realtek RTL8111G

Memory Device
Array Handle: 0x003C
Error Information Handle: Not Provided
Total Width: 64 bits
Data Width: 64 bits
Size: 4 GB
Form Factor: SODIMM
Set: None
Locator: DIMM 1
Bank Locator: CHANNEL A
Type: DDR3
Type Detail: Synchronous Unbuffered (Unregistered)
Speed: 1600 MT/s
Manufacturer: Samsung
Serial Number: x
Asset Tag: A1_AssetTagNum1
Part Number: M471B5173EB0-YK0
Rank: 1
Configured Memory Speed: 1600 MT/s
Minimum Voltage: 1.35 V
Maximum Voltage: 1.5 V
Configured Voltage: 1.5 V

Handle 0x0041, DMI type 20, 35 bytes
Memory Device Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x000FFFFFFFF
Range Size: 4 GB
Physical Device Handle: 0x003F
Memory Array Mapped Address Handle: 0x003D
Partition Row Position: Unknown
Interleave Position: Unknown
Interleaved Data Depth: Unknown

Handle 0x001B, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: GX-415GA
Internal Connector Type: Other
External Reference Designator: TPM HDR
External Connector Type: None
Port Type: None

Handle 0x0045, DMI type 4, 42 bytes
Processor Information
Socket Designation: P0
Type: Central Processor
Family: G-Series
Manufacturer: AuthenticAMD
Signature: Family 11, Model 15, Stepping 15
Flags:
FPU (Floating-point unit on-chip)
CX8 (CMPXCHG8 instruction supported)
APIC (On-chip APIC hardware supported)
SEP (Fast system call)
PAT (Page attribute table)
PSE-36 (36-bit page size extension)
DS (Debug store)
ACPI (ACPI supported)
Version: AMD GX-424CC SOC with Radeon(TM) R5E Graphics
Voltage: 1.4 V
External Clock: 100 MHz
Max Speed: 2400 MHz
Current Speed: 2400 MHz
Status: Populated, Enabled
Upgrade: None
L1 Cache Handle: 0x0043
L2 Cache Handle: 0x0044
L3 Cache Handle: Not Provided
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified
Core Count: 4
Core Enabled: 4
Thread Count: 4
Characteristics:
64-bit capable

=== START OF INFORMATION SECTION ===
Device Model: Innodisk DEMSR- 32GB mSATA 3ME3
Serial Number: 2017xxxxxxxxxxxxxxxxx
LU WWN Device Id:
Firmware Version: S16425G3
User Capacity: 32,017,047,552 bytes [32.0 GB]
Sector Size: 512 bytes logical/physical
Rotation Rate: Solid State Device
Form Factor: 2.5 inches
TRIM Command: Available
Device is: Not in smartctl database 7.3/5319
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
 
Last edited:
  • Like
Reactions: Samir

zuzuboy981

New Member
Aug 7, 2020
6
4
3
FYI, in case anyone is still interested in buying these:


Seller accepted a best offer of $30 from me. They include the riser and a AMD W series GPU
 
  • Love
Reactions: Samir

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
3,257
1,445
113
49
HSV and SFO
FYI, in case anyone is still interested in buying these:


Seller accepted a best offer of $30 from me. They include the riser and a AMD W series GPU
Nice! I was looking for these lately and couldn't find any.

The description says 8GB of ram, so is it 4 or 8? Also, for yours was it $30 shipped or was shipping extra?
 

Samir

Post Liker and Deal Hunter Extraordinaire!
Jul 21, 2017
3,257
1,445
113
49
HSV and SFO
The SSD serial starts with the year 2017, could be a coincidence. Does correspond to the 3 years of power-on hours. So these boxes are only 5 years old and you can probably expect at least 5 more years of lifespan out of them. The DVI port supports digital/analog. It seems like the system expects a max of 8GB memory, but Samir's pointed out they take a lot more so I don't know if that's just a suggestion.
In my experience, thin clients in general can easily run for a decade or longer (my neoware units are almost on their second decade), and these are definitely built to a higher standard (das Germany for you!), so I would fully expect one of these to last nearly 20 years running 24x7.

As far as memory, they will easily run 32GB (2x16GB) as I have 16GB (2x8GB) in one of mine and the other has 32GB running one of the factory w10 iot images (forgot which one). Once you shut off defender and ms cloud updates they can have uptimes in months as a regular w10 iot thin client. With pfsense I would expect uptimes in years. Solid little units! And for power supply, I posted a link to a pair of Dell ones I got for $11 or $13 shipped and they work perfect.