Good router firewall appliance/PC


Inxider

New Member
Aug 29, 2019
Hi,

I was considering getting the SG-5100 from Netgate, but it seems that if VPN or QoS is on it caps at 300-400 Mbps or lower.
Others I looked at, like the Protectli FW6C with the Intel i5-7200U dual core, seem to cap at 880, or 580 on VPN: OpenVPN Performance on The Vault – Protectli

Anyone know what would be a good CPU so I know I would have as much speed as I can?
Would an i7-8700T be overkill or just about right?

I prefer a fanless chassis.
I'm considering https://www.logicsupply.com/computers/industrial/fanless/; they have some cool chassis, but it seems that their dual-LAN models have one Intel and one Realtek.
And pfSense works better with Intel LANs.

Zotac, Supermicro, mitxpc.com, build my own? The empty chassis I've seen are semi-big.

I want to eliminate bottlenecks as much as I can.
Would like to have QoS, Suricata, possibly OpenVPN and maybe other add-ons.

Thanks.

Stephan

Well-Known Member
Apr 21, 2017
Germany
Couple of points here:

- Please define first how much performance you want or need. Then look for hardware to reach that.

- Fanless _and_ (I presume) 1 Gbps VPN throughput with AES256 and a suitable HMAC will really be pushing it. Quite recent 6 watt TDP Atoms like Gemini Lake have AES and SHA acceleration in the CPU; that will help. I just measured such an Atom (Intel Pentium Silver N5000, 6 W TDP) with "openssl speed sha1" vs. a Xeon E3-1275v6 (73 W TDP): at 1024-byte chunks the Atom is still 30% faster than the Xeon, at only 1/12th the TDP. It's the first Atom that you can run fanless and that would probably approach raw 1 Gbps OpenVPN. There is one board that has this, the ASRock J5005-ITX.

- Do not go astray too much with specialty hardware; stick to professional or consumer volume products. I.e. no Protectli or other hardware that has been sold only a thousand times, if even that much. You will incur multiple headaches because of hardware imperfections, outright hardware bugs, replaceability (lightning strikes), weak driver support, and weak community support, because few have it and are at a level of expertise to really work things out for your firewall to run smoothly for years without a hiccup. The utmost I could recommend with regard to specialty hardware would be something from PC Engines like their APU series. The engineer doing those has been doing x86 for 30 years and is a meticulous designer. Fanless, but not super cheap.

- The HP T620 Plus was reviewed on STH by Patrick. Cheap; together with a non-fake quad-gigabit-ethernet card, maybe good enough?

- If you aren't stuck with OpenVPN, which is a good solution, consider WireGuard. It will deliver 4x the performance on the same hardware. I.e. slower fanless systems might reach your envisioned 1 Gbps, but only with WireGuard.

- If you think Intel networking chips are the shit, meet the e1000e Linux driver. Up to this day (2019) some Yandex folks and others are trying hard to work around bugs of this p-o-s silicon on the driver side. And after many years it looks like that chip could even be stable. Provided you turn off hardware offloading; otherwise you will wonder why your machine only does 3/4 of 1 Gbps. You can find it in a billion Intel chipset motherboards as I219-LM and similar. Frankly, if I get to choose, I might as well pick a recent Realtek. Or indestructible Broadcom, but those are more power hungry and have gotten a bit long in the tooth.

- Using a <=95 W i5 or i7, even from the Nehalem architecture days, on some schmoe DDR3 Intel board in a cheap ATX case, all from eBay for 20 bucks, but with a top-notch CPU fan like a Noctua NH-U12S and a quiet PSU, might even be a solution here, if space is not a constraint. It is not fanless at all (it's a big-ass tower cooler), but you won't hear a thing. All while being as reliable and noiseless as a fanless solution, because the fans will not break down first; usually it's the PSU or something else electronic.

OK, HTH. Let us know what you bought.
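Stephan's "openssl speed sha1" measurement above is the right first step, and the piece people usually miss is that an OpenVPN tunnel with a separate HMAC pays for the cipher and the hash on every byte, so the two figures have to be combined rather than read individually. The script below is an added example for this thread (not code from any poster, pfSense, OPNsense or OpenSSL): it parses the table that `openssl speed -evp aes-256-cbc` and `openssl speed -evp sha256` print, takes the 1024-byte-chunk column Stephan quotes, and checks whether the serial cipher-plus-HMAC rate clears a 1 Gbit/s target. The `SAMPLE` table and every number in it are constructed for illustration, not measurements of any board; the function and variable names are mine.

```python
"""Turn `openssl speed` output into a VPN line-rate estimate.

Added example for this thread, not code from any poster or project.
It parses the table printed by `openssl speed -evp <alg>` and, for a
cipher plus separate HMAC (the OpenVPN AES-CBC + SHA case), combines
the two per-byte costs to see whether the 1024-byte-chunk figure clears
a target such as 1 Gbit/s. SAMPLE is CONSTRUCTED, not measured.
"""
import re

# openssl speed prints "1000s of bytes per second" per chunk size under a
# header line that lists the chunk sizes, e.g.
#   type   16 bytes  64 bytes  256 bytes  1024 bytes  8192 bytes  16384 bytes
HEADER_RE = re.compile(r"^type\s+(.*)$")
ROW_RE = re.compile(r"^(\S+)\s+((?:[\d.]+k\s*)+)$")

# Constructed sample: the layout mirrors real output, the values are made up.
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc      80000.00k   120000.00k   140000.00k   150000.00k   152000.00k   152500.00k
sha256           30000.00k    60000.00k   110000.00k   140000.00k   160000.00k   162000.00k
aes-256-gcm     200000.00k   400000.00k   550000.00k   600000.00k   620000.00k   625000.00k
"""


def parse_openssl_speed(text):
    """Return {algorithm: {chunk_bytes: bytes_per_second}} from speed output.

    Several runs can be concatenated: each header line resets the sizes.
    """
    sizes = None
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            sizes = [int(s) for s in re.findall(r"(\d+) bytes", m.group(1))]
            continue
        m = ROW_RE.match(line)
        if m and sizes:
            vals = [float(v.rstrip("k")) * 1000 for v in m.group(2).split()]
            table[m.group(1)] = dict(zip(sizes, vals))
    return table


def mbit_per_s(bytes_per_second):
    return bytes_per_second * 8 / 1e6


def serial_rate(rates):
    """Throughput when every byte passes through each stage in turn.

    Cipher and HMAC run back to back on the same core, so per-byte times
    add: 1/total = sum(1/rate_i). A single stage (an AEAD) is returned as is.
    """
    return 1.0 / sum(1.0 / r for r in rates)


def vpn_headroom(table, stages, chunk=1024, target_mbit=1000.0):
    """Estimate whether `stages` (e.g. ["aes-256-cbc", "sha256"]) clear target.

    The 1024-byte column is close to a typical VPN packet payload. This is a
    single-core, userland ceiling with no packet handling, so treat
    `meets_target` as optimistic, not as a promise.
    """
    per_stage = {name: mbit_per_s(table[name][chunk]) for name in stages}
    effective = mbit_per_s(serial_rate([table[name][chunk] for name in stages]))
    return {
        "per_stage_mbit": per_stage,
        "effective_mbit": round(effective, 2),
        "meets_target": effective >= target_mbit,
    }


if __name__ == "__main__":
    t = parse_openssl_speed(SAMPLE)
    print(vpn_headroom(t, ["aes-256-cbc", "sha256"]))  # cipher + separate HMAC
    print(vpn_headroom(t, ["aes-256-gcm"]))            # AEAD, MAC already included
```

With the constructed numbers, AES-256-CBC alone shows 1200 Mbit/s and SHA-256 alone 1120 Mbit/s, yet the pair only manages about 579 Mbit/s, which is the kind of gap Stephan is warning about when he says AES256 plus a suitable HMAC "will really be pushing it". An AEAD row such as aes-256-gcm (or chacha20-poly1305, what WireGuard uses) already includes authentication, so one row is the whole cost. To use it on real hardware, run `openssl speed -evp aes-256-cbc` and `openssl speed -evp sha256` on the candidate box and feed the concatenated output to `parse_openssl_speed`; remember the result is a per-core upper bound and OpenVPN 2.x is single-threaded per tunnel, so the tunnel will land below it.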

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
1. WireGuard is indeed very fast, but support is still limited. I recommend looking at IPsec instead; it should be much faster than OpenVPN.
2. Suricata is the 800 lb gorilla in the room. Depending on config, even a top-of-the-line dual-socket 64-core Epyc system might not be fast enough for it.
Every single security feature added on top will slow the firewall traffic throughput; it's the reality of life and you'd have to live with it.
How much hardware exactly is enough to run everything you asked for at full 1 gig speed, I'm not sure, but no Atom CPU will cut it if you like to have IDS/IPS enabled.
Bear in mind, should you reduce your asks to simple 1 gig IPsec speed, NAT, and some basic firewall rules, that Atom just might do the trick.

zer0sum

Well-Known Member
Mar 8, 2013
Switch to the OPNsense firewall and you get built-in WireGuard and ZeroTier :)

I have tried a lot of different fanless hardware, the T620, etc., and now just run my firewalls virtualized on a bare-metal hypervisor like ESXi or Proxmox.

Inxider

New Member
Aug 29, 2019
Thanks,

Stephan - I mentioned the Intel LAN only because I read that they are more compatible with pfSense. It seems that Realtek has some issues; not sure if those have been fixed.

I should have mentioned that I am using OpenVPN with NordVPN; I think the output depends on their servers.
A quick search shows they just came out with a Linux version, NordLynx, for WireGuard.

I could go either way, pfSense or OPNsense.

At first I was considering an 8-LAN ASUS WiFi router, but it seems that it would cap at around 250-350 Mbps with VPN.

Then I considered the Ubiquiti EdgeRouter, but it seems that it would be about the same.

SG-5100: about the same or higher; at this price I figure I might as well get a fanless PC.

The T620 looks good, and here I was looking at mini PCs costing 5 times more.
The review mentions it is about 30 Mbps faster than the Protectli FW4A; that one measured about 160 Mbps. So the T620 is about 190 Mbps.

PC Engines: have not seen those much before.

So many options but no guarantees on output.

Don't know what to do. There's no easy chart with hardware to see what to expect with X feature on.