Budget entry-level router for 2023?

[Whattteva]

What's the best pfSense/OPNsense box to get in 2023 around ~$150 these days?

My requirements are:

• Fanless preferrably, but I can live with a little quiet fan.
• 1G basic routing/firewall and maybe around 700 Mbps VPN. I don't need SNORT/Suricata, fancy rules, etc.
• Used gear is fine.
• 2x Intel NIC, preferrably 3/4.

Things I've found from research:

• HP T620 Plus (Overpriced for what it offers, also not fanless).
• HP T730 (need to buy NIC separately, additional $25), not fanless I think? Also, can HP T730 do the basic firewall/VPN that I mentioned above?
• Protectli (bit out of the budget).
• Aliexpress J4125 box. These are priced well, but not sure about the quality of the RAM/SSD in them? Will they last for years? Same with HPT730 question, does it have enough horsepower to do the basic firewall/VPN?

Many thanks for feedback.

 

[newabc]

aliexpress j4125 boxes have a barebone option which comes without RAM/SSD.

Wyse 5070 extended(the fat version) and HP T730 have similar CPU performance. The former one is newer. And I think openwrt has better VPN performance than pfSense/OPNSense.

 

[Whattteva]

aliexpress j4125 boxes have a barebone option which comes without RAM/SSD.

I'm not familiar with these small systems. Do they take DDR4 SODIMM? Also, what kind of SSD does it take? Is it one of those M.2 NVMe SSD's?

Wyse 5070 extended(the fat version) and HP T730 have similar CPU performance. The former one is newer. And I think openwrt has better VPN performance than pfSense/OPNSense.

Doesn't the Wyse 5070 come with Realtek NIC? Does it have a PCIe slot for an add-on card?
Also, I'm not familiar with OpenWRT. My last experience was over a decade ago with Tomato and DD-WRT. Is it similar? Why exactly is the VPN performance better? And does that apply to both OpenVPN and Wireguard or just OpenVPN? I probably only really care about Wireguard.

 

[sko]

I'm not familiar with these small systems. Do they take DDR4 SODIMM? Also, what kind of SSD does it take? Is it one of those M.2 NVMe SSD's?

Those are practically the same as what protectli sells (minus coreboot). Although those old J4125 are rather scarce now, so I'd just go for the newer generation N5105 variants from topton (there's a huge thread about those).
They have 2x SODIMM slots as well as M.2 for storage and mPCIe for wireless/LTE.


Another option if you can find a used one might be an EdgeRouter4 (not the 'light' crap) which can run OpenBSD (octeon build). I've used that as a backup router at home for several years now. Might be a bit undepowered to do full Gbit routing/NAT and especially VPN, but only draws ~7W and for that it's "good enough" IMHO.

 

[Whattteva]

Those are practically the same as what protectli sells (minus coreboot). Although those old J4125 are rather scarce now, so I'd just go for the newer generation N5105 variants from topton (there's a huge thread about those).
They have 2x SODIMM slots as well as M.2 for storage and mPCIe for wireless/LTE.

Ah thank you for the clarification. Is Topton a better brand than the random non-branded ones?

Another option if you can find a used one might be an EdgeRouter4 (not the 'light' crap) which can run OpenBSD (octeon build). I've used that as a backup router at home for several years now. Might be a bit undepowered to do full Gbit routing/NAT and especially VPN, but only draws ~7W and for that it's "good enough" IMHO.

Ah, I think I don't need 1G with VPN as long as it does basic routing/firewall at 1G, that's enough for me. Especially with 7W power draw.

 

[sko]

Is Topton a better brand than the random non-branded ones?

Topton seems to be the ODM for those network appliances. They are re-sold under other brands though and the PCBs are manufactured by other companies (IIRC in that topton thread someone found out the OEM for some of the variants).

Ah, I think I don't need 1G with VPN as long as it does basic routing/firewall at 1G, that's enough for me. Especially with 7W power draw.

I wasn't talking about VPN - there you might get ~300MBit IPSec. I tested that long ago, but never had any use case where I needed IPSec on that box and there have been several improvements for octeon since then (IIRC I tested with OpenBSD 6.8 back then...). You could get basic routing with a few rules close to GBit, but NAT and VLANs might drop that to ~800Mbit or less.
I'm using my switches for the most common and simple local routing rules (especially because of 10GBit links), so only the ingress/egress routing and more complex (e.g. DMZ) rules are handled at the edge. So I couldn't give exact numbers for high loads because most of my local traffic doesn't touch the router at all.

 

[sic0048]

FYI - the T620 Plus isn't fanless either.....

That being said, I don't know why fanless is such a big deal. There is zero reason to have these units sitting out on a desk and I can assure you that any network switch with a fan is going to be much louder than these thin clients.

 

[Whattteva]

FYI - the T620 Plus isn't fanless either.....

Ah yeah forgot about that. Thanks for pointing that out.

That being said, I don't know why fanless is such a big deal. There is zero reason to have these units sitting out on a desk and I can assure you that any network switch with a fan is going to be much louder than these thin clients.

The rest of my gear is also fanless (old Asus routers repurposed to access points/switches). I'm not one of those people that have enterprise 48-port switches and have no need/want for those either. Just want a simple (fast enough) no-frills reliable router/NAT/firewall with a little Wireguard support.

 

[bigtroutpa]

I have 2 wyse 5070, an extended with the pcie slot and a slim. I have tested both as routers and both will do what you are asking no problem.

The regular 5070 has 8gb ram, a celeron j4105, fanless, silent. It has a built in realtek 8111 and i added a second 8111 in the m2 a+e slot. It ran opnsense just fine no hiccups, but i did add the realtek plugin. It routed at 1g speed, and wireguard at 750mbps. Power draw routing a normal household(streaming 2 tv, bunch of browsing, 30 iot devices) was around 7watts

The extended 5070 has 8gb ram, a penium silver j5005, does have a small 40mm fan but is still silent, i used an i350 2 portt card in the pcie slot. No hiccups routed 1g with plenty of cpu to spare, wireguard tests 800mbps. Power draw at normal household load was 9 watts.

Both machines ran opnsense just fine with plenty of cpu power to spare, and in a 2 week test as my main router. I had no problems with either one.

With a little fleabay sesrching, the slim 5070 can be had for around 60-80, the extended for 100,-120.

 

[Whattteva]

I have 2 wyse 5070, an extended with the pcie slot and a slim. I have tested both as routers and both will do what you are asking no problem.

The regular 5070 has 8gb ram, a celeron j4105, fanless, silent. It has a built in realtek 8111 and i added a second 8111 in the m2 a+e slot. It ran opnsense just fine no hiccups, but i did add the realtek plugin. It routed at 1g speed, and wireguard at 750mbps. Power draw routing a normal household(streaming 2 tv, bunch of browsing, 30 iot devices) was around 7watts

The extended 5070 has 8gb ram, a penium silver j5005, does have a small 40mm fan but is still silent, i used an i350 2 portt card in the pcie slot. No hiccups routed 1g with plenty of cpu to spare, wireguard tests 800mbps. Power draw at normal household load was 9 watts.

Both machines ran opnsense just fine with plenty of cpu power to spare, and in a 2 week test as my main router. I had no problems with either one.

With a little fleabay sesrching, the slim 5070 can be had for around 60-80, the extended for 100,-120.

Thanks! That sounds exactly like what I'm looking for! I would probably get the extended since I like to have the flexibility to add in a PCIe card if need be.

 

[bigtroutpa]

Id recommend the extended just because of the pcie slot and ability to use intel nics. Although i have not any problem with the realtek 8111s in the slim, if you plan on pfsense or opnsense others have had problems with them. The other plus is the extended always has the pentium silver j5005 as its cpu, which is a 10-15 percent boost over the j4105 that most slims have

 

[unmesh]

I have 2 wyse 5070, an extended with the pcie slot and a slim. I have tested both as routers and both will do what you are asking no problem.

The regular 5070 has 8gb ram, a celeron j4105, fanless, silent. It has a built in realtek 8111 and i added a second 8111 in the m2 a+e slot.
...

I could use a backup *sense box. For the second 8111, does the RJ45 jack attach neatly to the rear I/O panel?

 

[bigtroutpa]

The ethernet card and jack i used was a copy of the dfrobot fit0798. There are copies on ebay, which is what i used the card goes in the m2 slot that the wifi card would go in and connects to the mini rj45 connector board with a cable. Somewhere if you google the wyse 5070 someone made a 3d printable plastic adapter to mount it cleanly.

I, however, wasnt patient enough to wait for a plastic bracket, and my wyse came with a vga port in the extra slot, and the screw spacing on the rj45 board was the same as the vga connector. So i removed the vga board, and mounted the rj45 on the metal bracket that the vga board was mounted to so it was a clean install.

If you add the second rj 45, make sure u enable wifi in bios, or the card wont be recognized.

 

[zer0sum]

You can get Lenovo m720q tiny systems under $100 off ebay and I think they are pretty hard to beat.

• Intel CPU
• PCIe slot - can use quad 1G or dual 10G network card
• 1 x Intel 1G network card
• 1 x nvme
• 1 x sata
• vPro for ghetto IPMI
• tiny and silent

Not sure you can find anything better for the money, unless you go for a big old desktop setup

 

[oneplane]

If you don't mind eBay (lots of new/OBO): https://forums.servethehome.com/ind...ual-core-intel-6x1gbe-2x1gbsfp-100-ebay.39176

Also Intel CPU, comes with 2x SFP and 6x copper 1G, either eMMC or SSD, tiny and silent, serial console with boot/bios support (so no monitor/keyboard required). Can easily be found below $100, often around $60 (details in the thread). Downside is you can often only replace the mSATA SSD, add 1 stick of SO-DIMM RAM and mPCIe BT/WiFi card. Versions were the SFP+ ports are 10G also available but you're going to have to spend at least $200 more; does automatically come with more CPU cores and RAM as a bonus tho.

 

[Whattteva]

You can get Lenovo m720q tiny systems under $100 off ebay and I think they are pretty hard to beat.

• Intel CPU
• PCIe slot - can use quad 1G or dual 10G network card
• 1 x Intel 1G network card
• 1 x nvme
• 1 x sata
• vPro for ghetto IPMI
• tiny and silent

Not sure you can find anything better for the money, unless you go for a big old desktop setup

Oh wow, this is even better.

Question on the vPro since I've never used it before. How is that different from regular IPMI?

 

[oneplane]

Oh wow, this is even better.

Question on the vPro since I've never used it before. How is that different from regular IPMI?

It's half-baked IPMI, a bit like a watery blend of CompuTrace, Zero-touch provisioning and NAC. It does usually do the following:

- Remote power control
- Remote serial console
- KVM
- Storage

AMD's version is called DASH. Instead of having a BMC they are usually embedded in the normal chipset, and some share a network interface (so they intercept all traffic that matches their IP ports), while others have a dedicated network interface.

The biggest issue is the accessing the firewall remotely over out of band management, because usually you do that when you have a problem, but when you have a problem that usually means you have no network and want to investigate why. A little more practical (and still cheap) would be a device that is set to auto power-on all the time, and also have a watchdog timer to reset it if the OS goes bad. This doesn't help with storage corruption or "oops I disabled my WAN interface", but remote control usually doesn't fix that either.

 

[unmesh]

You can get Lenovo m720q tiny systems under $100 off ebay and I think they are pretty hard to beat.

• Intel CPU
• PCIe slot - can use quad 1G or dual 10G network card
• 1 x Intel 1G network card
• 1 x nvme
• 1 x sata
• vPro for ghetto IPMI
• tiny and silent

Not sure you can find anything better for the money, unless you go for a big old desktop setup

Price in the mid one-hundreds at this time though I thought one needed the 920q for vPro. The CPU stickers on the few items I looked at did not say vPro on the 720q but did on the 920q

 

[unmesh]

If you don't mind eBay (lots of new/OBO): https://forums.servethehome.com/ind...ual-core-intel-6x1gbe-2x1gbsfp-100-ebay.39176

Also Intel CPU, comes with 2x SFP and 6x copper 1G, either eMMC or SSD, tiny and silent, serial console with boot/bios support (so no monitor/keyboard required). Can easily be found below $100, often around $60 (details in the thread). Downside is you can often only replace the mSATA SSD, add 1 stick of SO-DIMM RAM and mPCIe BT/WiFi card. Versions were the SFP+ ports are 10G also available but you're going to have to spend at least $200 more; does automatically come with more CPU cores and RAM as a bonus tho.

These look interesting though I'm torn about going up the learning curve on one of these vs a TMM or Thin Client with a graphics port

 

[oneplane]

These look interesting though I'm torn about going up the learning curve on one of these vs a TMM or Thin Client with a graphics port

The learning curve is practically non-existent, the main difference is that the installer and UEFI would normally render text and then serve that over VGA, but now they still render text, but send it over a USB connection. Everything else is the same (well, no graphics, but opnsense/pfsense/openwrt don't do graphics anyway).