Fujitsu Futro S920 Thin Client as opnsense firewall

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

cBorisa

New Member
Sep 30, 2022
12
13
3
I have also built an OpenSENSE router with S920.
My specs:
Futro S920 with GX-415 CPU
I bought the following riser card, which works great: WLGQ PCI-E 8X Male to Female Riser (10€)
Installed 4x1Gb NIC in the riser card
2 x 8Gb DDR3 RAM
256 Gb SSD
(I know it's overprovisioned with memory and SSD, but I had no use for those, so just put them to the device)

I only replaced the thermopaste on CPU (just to make sure). The rest is as is.

The router handles 2 WAN connections ( 1Gbps/50Mbps + 100Mbps/50Mpbs), a network with 3 VLANs and about 30 clients, VPN client for one of the VANs, Wireguard server.

So far the unit runs really smooth and I don't see any issues with the device.
 

Strugus

New Member
Oct 26, 2022
2
2
1
I have also built an OpenSENSE router with S920.

[....]

The router handles 2 WAN connections ( 1Gbps/50Mbps + 100Mbps/50Mpbs), a network with 3 VLANs and about 30 clients, VPN client for one of the VANs, Wireguard server.

So far the unit runs really smooth and I don't see any issues with the device.
Hello cBorisa,

did you set anything special in OPNsense?
I run a similar setup, S920 with GX-415, a Quad Port Intel NIC and 2 WAN connection (1Gbps/50Mbps + 250Mbps/50Mbps).

But my speedtest issued on the S920 is bottlenecked at around 500Mbps. If I connect my laptop to the WAN port, I can get the full ~940Mbps Download speed.
The same applies for a iperf3 test with the S920 as server and my NAS as the client.
Interestingly enough, the other way round (NAS as server, S920 as client) I get the full 940Mbps speed as well.
In the first scenario, the load is split between the 4 cores. When speedtesting or running iperf with the S920 as server, the load is only put on one core at 100%.
I'm not running any additional services like VPN or IDS.

I already tried several tunables, bios changes and enabled/disabled Hardware CRC, LRO and TSO.

Thanks anyone for some help :)
 
  • Like
Reactions: Samir

cBorisa

New Member
Sep 30, 2022
12
13
3
did you set anything special in OPNsense?
I run a similar setup, S920 with GX-415, a Quad Port Intel NIC and 2 WAN connection (1Gbps/50Mbps + 250Mbps/50Mbps).
Hi Strugus!
I didn't do anything special on the box. BIOS settings are standard, Opnsense interfaces are configured as default. And iperf3 both in S920 and a server behind it shows 940-960 Mbps down from Internet.
My CPU also barely exceed 60%.
There was a thread on Intel NICs which caused Opnsense to freeze (not sure where, but I'll look for it). Could be that the network card can't unload a load from it correctly?

P.S.: I set the following tunables:

net.inet.tcp.tsoTCP Offload Engineruntime1
 
Last edited:
  • Like
Reactions: Samir

Strugus

New Member
Oct 26, 2022
2
2
1
There was a thread on Intel NICs which caused Opnsense to freeze (not sure where, but I'll look for it). Could be that the network card can't unload a load from it correctly?
Thank you! I'll look into it.

At least my model (EXPI9404PTBLK) seems generally to be OK, according to this list:

But I may look into getting a I340 card to test against it.

P.S.: I set the following tunables:

net.inet.tcp.tsoTCP Offload Engineruntime1
I added this option (and CRC/LRO) already via the menu at interfaces -> settings
Without these options I cant hit gigabit from client to client. (Only around 800mbps)

I also reset the BIOS and reinstalled opnsense again, but sadly no difference.
 
  • Like
Reactions: Samir

infojunky

Member
Mar 14, 2022
25
30
13
Hello Guys!

What kind of speeds can you expect while using a wireguard vpn?

Thank you
S920 has the wireguard-kmod module loaded and almost symmetrical gigabit. Pi4 has wireguard-dkms, is within a mile away and has a 400 mbit downlink and very bad upload.

[root@S920 ~]# iperf3 -c Pi4
Connecting to host Pi4, port 5201
[ 5] local S920 port 22685 connected to Pi4 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 36.3 MBytes 304 Mbits/sec 0 3.00 MBytes
[ 5] 1.00-2.00 sec 39.2 MBytes 329 Mbits/sec 0 3.00 MBytes
[ 5] 2.00-3.00 sec 39.5 MBytes 331 Mbits/sec 0 3.00 MBytes
[ 5] 3.00-4.00 sec 39.5 MBytes 331 Mbits/sec 0 3.00 MBytes
[ 5] 4.00-5.00 sec 38.2 MBytes 320 Mbits/sec 0 3.00 MBytes
[ 5] 5.00-6.00 sec 38.1 MBytes 320 Mbits/sec 0 3.00 MBytes
[ 5] 6.00-7.00 sec 38.8 MBytes 326 Mbits/sec 0 3.00 MBytes
[ 5] 7.00-8.00 sec 39.0 MBytes 327 Mbits/sec 0 3.00 MBytes
[ 5] 8.00-9.00 sec 39.0 MBytes 326 Mbits/sec 0 3.00 MBytes
[ 5] 9.00-10.00 sec 36.7 MBytes 309 Mbits/sec 1 1.50 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 384 MBytes 322 Mbits/sec 1 sender
[ 5] 0.00-10.02 sec 384 MBytes 321 Mbits/sec receiver

Probably goes higher than these speeds but I don't have anything more realistic to test that goes through the internet. I think I've tested wg across LAN before and got 700 mbit? Need to retest.

See this link about enabling wireguard-kmod:
Now this kernel module isn’t fully production ready and is considered `experimental` but for testing or bleeding edge users, you can install it today! To install it you simply need to SSH or access the console of OPNsense and install the package pkg install wireguard-kmod once installed, simply reboot OPNsense and you’ll now be using the WireGuard kernel module for OPNsense. Note, the wireguard-go service will show as stopped since the go implementation isn’t being used, due to the kernel module, OPNsense will fix this in a later release.
P.S Wireguard has a quirk on opnsense where it can initialize before DNS works and cause all hostname-based tunnels to fail on reboot. You need a oneshot to fix this. I just put everything in one autorun file at /usr/local/etc/rc.syshook.d/start/99-fixwg
#!/bin/sh
sleep 120
/usr/local/etc/rc.d/wireguard restart
sleep 300
/usr/local/etc/rc.d/wireguard start
sleep 300
/usr/local/etc/rc.d/wireguard start
It's been months and I don't remember how or why this works. If you got to this solution from a search engine, hope this helped you. :)
 
Last edited:
  • Like
  • Love
Reactions: Samir and Antonino

tbfutro22

New Member
Nov 14, 2022
14
20
3
Hi folks! o)

I need to ask you S920 pro's for help. I bought a bunch of s920 (GA222) and s720 (GA217)..

I cannot get a picture on display-port or DVI output, if a LAN cable is NOT connected. If I connect LAN cable and turn on/reboot, boot logo, BIOS post, linux console, desktop comes up.
If no LAN cable is connected, unit will boot, but will never activate display outputs, I only get "no signal", black screen. I have a dozen units here, did not check all of them, but it seems to be a generic issue, not unit specific (s720 and s920 affected).

I can even unplug LAN cable to disable the display output.. what is the reason behind this strange behaviour?
Is this the same on your units, is there a BIOS option to fix this (tried nearly all of them now).

Thank you in advance! o)
 
  • Like
Reactions: Samir

rubicoin

New Member
Nov 14, 2022
8
25
3
Hi, just bought a Futro s920 GX-415GA/4GB/8GB SSD version with stand and power brick from a German eBay seller for €40 + €17 shipping.

Initially my plan was to build a standalone router for my 2.5G network (DIY NAS with RTL8125B PCIe NIC + PC with onboard RTL8125 + TP-Link TL-SG105-M2 switch) and using my current TP-Link Archer C9 wireless router as a Wifi AP.

But after watching Wolfgang's video of the Fujitsu thin client router I purchased the S920, and because of my 2.5G network I decided to take the risk and ordered a 4-port 2.5G PCIe 4x ethernet card from Aliexpress (dirt cheap with RTL8125B chips) along with this 90 degree 4x riser.

My question is simple:
Is there a chance that this old little 4 core APU could have the horsepower to serve my network? WAN connection is 1Gbps/40Mbps and I'm looking for no VPN or anything fancy just maybe a little more secure firewall/more expandable routing solution compared to my Archer C9. Did not even decide between OpenWRT, PfSense, OPNsense etc and honestly got not much knowledge about these solutions. I guess just wanted to get into this topic a bit deeper :)
 
  • Like
Reactions: Samir

rubicoin

New Member
Nov 14, 2022
8
25
3
My question is simple:
Is there a chance that this old little 4 core APU could have the horsepower to serve my network? WAN connection is 1Gbps/40Mbps and I'm looking for no VPN or anything fancy just maybe a little more secure firewall/more expandable routing solution compared to my Archer C9. Did not even decide between OpenWRT, PfSense, OPNsense etc and honestly got not much knowledge about these solutions. I guess just wanted to get into this topic a bit deeper :)
Replying to myself:
My unit arrived and got it tested, all seems fine though 8GB mSATA drive does not show up in BIOS (but recognized by Ubuntu live, interesting).

Included OG Fujitsu AC adapter is very nice, energy efficiency category is VI (the best possible):
s920_ac_adpter.jpg
Idle power consumption is 15W for me though (without any OS installed).

About my question regarding routing performance: I guess I will find out myself once riser & 4-port 2.5Gb NIC arrive.

Till then, see my own measurement for riser dimensions (with a Fujitsu 2-port Gigabit NIC lined up properly):
s920_riser_height.jpg
I hope it can help others to choose the most fitting solution.

I also ordered this 5cm ADT-Link Aliexpress riser/ribbon cable for testing, a similar left angled one was used by Wolfgang in his video:
adapter_01.jpg
Will be getting back with my findings.
 
Last edited:

tbfutro22

New Member
Nov 14, 2022
14
20
3
I cannot get a picture on display-port or DVI output, if a LAN cable is NOT connected
I will reply to myself as well, just to add to all the available information about fujitso futro s920 and s720 (and the no display problem).
The issue can be reproduced with certain monitors or displays, some just don't seem to make the Futro give a picture, it might also depend on the cable and adapters used to connect the monitor, although the cables and adapters are not faulty - some kind of EDID thing I guess.

I checked display output with 2 more monitors, 1 works without hassle (DVI->DVI connected LG 20""), the other (an old 15" TV with DVI->HDMI) also yields "no display" on the Futro if no LAN cable is connected. VGA output from the Futro from the DVI port always seem to give a picture on any monitor. In general you seem to be able to help yourself with choosing different cable/adapter/output port and if things get worse, switch monitor temporarily.

My solution for now is to use a DVI to HDMI adapter, then attaching a HDMI "dummy dongle" with pass through, to which I connect my regular HDMI cable. The HDMI "dummy dongle" is a device simulating a display, most of these don't come with pass through, but you obviously need the "pass through" type to still be able to connect a monitor and see what the Futro is doing.
You can find these as "HDMI Sink" on AliExpress e.g. at 2 EUR/piece.

Someone might say, who needs a monitor on these devices anyway if used as firewall, router etc.?! Well I guess for maintenance, bios or OS setup it is surely handy to see some screen!? o) The Futros seems to be good media center or simple emulation consoles as well, so it is nice, if these can be used with WIFI only or no network at all (and thereby no LAN cable, which could yield the "no display output" problem).

That's it, I hope this helps other people out there, thank you and have fun! o)
 

tbfutro22

New Member
Nov 14, 2022
14
20
3
Some info about the little sister or brother of the s920, the Fujitsu Futro s720 with the AMD GX-217GA SOC (DualCore @ 1.66Ghz):
The s720 does not have FAN-Header, PCIe-Slot, Power-Connector on the board, but it is basically the same machine as an s920 (it's a bit slower).
It also only has 1 memory slot, but if you do not plan to attach a lot of stuff to your system, it can be a sensible option for many as well (I think).

The power consumption is only 4.2W @ idle if the OS is properly loaded and power saving features kick in.
I used Win10 pro and Debian 11 and just the mSATA, LAN cable and monitor attached (and the display output got blanked/dpms'ed).
- If you have the 2A power supply with the LED, it will be 0.2W more (I used the 19V 2A without LED and the angled 19V output-cable directly at the PSU).
- If you have an USB stick attached it will be 1W more.
- If you have display output active, it will be 2W more.
- If you put load on this thing, it will be 10-15W+ total.

The pin headers for hd-led, power-led, reset-switch and power-switch are missing on the s720 board, but the board/PCB has them connected, so these can be added with some soldering.
The 5V/12V floppy style power connector found on the S920 is (as mentioned) not present on the s720 mainboard (solder joints only give the 5V). There is no 12V rail on the board it seems. 5V is there, but I guess the s720 come without 12V anywhere, so attaching specific storage/devices which requires 12V like a mechanical 3.5" SATA-HDD requires an external 12V power supply or an added 19V->12V buck converter on the inside. The internal audio output is mono, but if a proper speaker is connected, a s720 is not a bad radio either.. o)

I've been test driving a s720 during the last week with a Debian 11 minimal installation (terminal, xrdp for "Remote Desktop" and XFCE desktop). It's not the fastest computer in the world, especially when browsing the internet, but everything else works just good, local video playback is decent, desktop feels nice, live streamed HD Youtube is kinda okay'ish and does not drop frames a lot. It's a nice little machine for tinkering and office or development work. It feels like a real computer, it has all the IO, the BIOS, the EFI, the battery backed up clock, the SATA. I will replace some Raspberry Pi 3+4 with this new (old) fujitsu hardware.

If you buy smart, you can get a Fujitsu Futro S720 for around 7-10 EUR (in germany at least) incl. PSU, RAM, 2GB-SSD (you might need to buy more than one).. what's not to like? o)
Maybe I post some s920 experiences as well, since I also got some of these laying around now, we will see.. bye for now.
 
  • Love
Reactions: Samir

rubicoin

New Member
Nov 14, 2022
8
25
3
Follow-up to my posts above:
4-port 2.5Gb NIC along with the 90 degree 4x riser arrived.
2.5g_nic.jpg riser_01.jpg

As already mentioned in this thread, this type of angled PCB riser does not fit well :(

See exact dimensions in photos here:
riser_1g_nic.jpg
(presented with 2-port 1Gb Fujitsu Intel NIC properly screwed to the backplate and held in perfectly horizontal position)

riser_2.5g_nic_01.jpgriser_2.5g_nic_02.jpg
(presented with 4-port 2.5Gb Realtek NIC properly fitted into the PCIE slot):


I'm glad I ordered the ADT-Link ribbon cable riser as well, will report back once arrives.

Also looking forward to testing both NICs with OpenWRT, I guess with the mainboard disassembled from the case :p
 
Last edited:

tbfutro22

New Member
Nov 14, 2022
14
20
3
Thank you, I ordered the same riser and some riser cables just like you. To make the 90 degree riser fit, we obviously need to pull out the hack saw.. o) Maybe there is wiggle room and some cheating is possible, I need to look at this on my own with the parts right by my side, but your pictures make it obvious, the generic riser won't do it without doing additional mods to the case (at least if you don't want to start bending and stretching all the electronics). o)
 
  • Like
Reactions: Samir

rubicoin

New Member
Nov 14, 2022
8
25
3
To make the 90 degree riser fit, we obviously need to pull out the hack saw.. o) Maybe there is wiggle room and some cheating is possible, I need to look at this on my own with the parts right by my side, but your pictures make it obvious, the generic riser won't do it without doing additional mods to the case (at least if you don't want to start bending and stretching all the electronics). o)
I also wanted to try it myself first, but now it's really confirmed: these cheap 90 degree risers won't make it, you'd either have to cut&mod backplate or leave half of your NIC hanging outside the PCIE slot. save yourself some time and simply go with a flexible riser if you ask me. price is ~2-3x more but much cleaner and safer solution. the 16x delock riser from first post should work but you have to cut it as well. also its price is around 25-30€ in my region atm, so simply not worth it.

Update with small aesthetic mod:
Did not like the accent color on the bottom of the front, so wrapped the removable red plastic part in black vinyl foil. After seeing that the stealth concept works pretty well sprayed it with matte black paint permanently.

Looks much cleaner if you ask me!

fuji_black.jpg
(wrapped)

plastic_part_painted.jpgfuji_black_paint.jpg
(sprayed)
 
Last edited:

eladamari

New Member
Nov 6, 2022
2
2
1
Hi all,
I just started the journey encouraged by a few reviews.
I struggle (meaning: can't make it work) with opn installation and booting it up afterward. After a successful (?) install, the Bios does not see the drive as bootable. I'm going with the full vga installer.
I'm able to boot up Lubuntu from the same drive.

I have 0 experience with BSD and little with UEFI, can someone advise what to check? My googling skills also are not good enough apparently.
 
  • Like
Reactions: Samir

rubicoin

New Member
Nov 14, 2022
8
25
3
I struggle (meaning: can't make it work) with opn installation and booting it up afterward. After a successful (?) install, the Bios does not see the drive as bootable. I'm going with the full vga installer.
I'm able to boot up Lubuntu from the same drive.
I'm in a quite similar situation trying to install OpenWrt. Downloaded generic-squashfs-combined.img (PC BIOS version) via a live OS, dd-d it to the mSATA disk but can't boot into it. Will try EFI version though I thought that does not work with S920. Got to find a workaround I guess.
 
  • Like
Reactions: Samir

eladamari

New Member
Nov 6, 2022
2
2
1
Hi all,
I just started the journey encouraged by a few reviews.
I struggle (meaning: can't make it work) with opn installation and booting it up afterward. After a successful (?) install, the Bios does not see the drive as bootable. I'm going with the full vga installer.
I'm able to boot up Lubuntu from the same drive.

I have 0 experience with BSD and little with UEFI, can someone advise what to check? My googling skills also are not good enough apparently.
Ok, I started BIOS config from the ground, LD image again, etched it on a new pendrive and something worked out.
 
  • Like
Reactions: Samir

rubicoin

New Member
Nov 14, 2022
8
25
3
Photo update on my build progress:

flex_riser.jpg
(the 5cm flexible ADT riser arrived)

riser_ok.jpg
(fit ok with heavy bending, stiff cable supports the weight of the NIC as well)

copper_imprint.jpg
(disassembled the cooler and re-pasted the CPU, AMD imprint on the copper base is cool)


Also sharing my working method to boot OpenWRT on S920:

Disabled all PXB options and CSM in BIOS.
Flashed generic-squashfs-combined-efi.img.gz (EFI image) to internal mSATA drive and manually created a boot entry via Finnix 1.24 live usb stick:

sudo apt-get update -y
sudo apt-get install -y efibootmgr
sudo efibootmgr -c -l /EFI/BOOT/BOOTx64.EFI -L OpenWRT

After restarting the OpenWRT boot option appears and system starts up as it should.
 
Last edited: