Low power options for firewall / pfsense / opnsense


Mithril

Active Member
Sep 13, 2019
356
106
43
Needs/requirements:
Low power at idle (let's say 20 W or less, lower is better) as the highest priority.
Not a vendor-locked platform, so either x86 or something that could run a hypervisor.
2+ Gigabit ports (not Realtek, or troublesome) and/or at least one PCIe slot.
Either ATX power or non-proprietary DC power (nothing that must have a specific OEM power brick).
Cost: under 200. Cheaper is better. I prioritize this over max performance.

The intended use is as a backup firewall for extended power outages, so it will be running on solar/generator/battery. Thus passing traffic at 1G is nice to have, but if not, that's fine. I already have cases, power supplies, RAM, NICs, etc., so a bare board or barebones option is fine.

I've looked at the tiny mini micro thread and it seems like the ones with 2+ ports or PCIe lanes are both higher performance and higher cost than I need.
Yes, I am looking at more batteries etc., but all of that adds up too.
 

Stephan

Well-Known Member
Apr 21, 2017
937
710
93
Germany
I run an APU 4D4 with kernel 5.4 and BIOS 4.16.0.1 on Arch, with some custom patches to keep the LEDs working through ACPI but also to make the front button (and GPIO, untested) perform a reboot using the pcengines-apuv2.c driver. There was a BIOS fix for the CPU RNG a few months ago, so start with 4.16.0.1 and rng-tools and e.g. this:

/etc/udev/rules.d/50-hwrng.rules:
ACTION!="add", GOTO="hwrng_end"
KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
LABEL="hwrng_end"


and /etc/conf.d/rngd:
RNGD_OPTS="-x rdrand -x pkcs11 -x rtlsdr -x jitter"

The hardware will then be working 100%, including ECC (rasdaemon can report errors). In the picture above you can add an mSATA SSD on the left, a 4G card in the middle slot and a wifi card in the right slot. There is a 6-hole red case from a German company (two left, two right, two on the back) which is what I am using for 3x wifi, 1x GPS, 2x 4G. Also as a backup firewall with VPN over 4G.

If you want to go such a hardcore DIY route too, here are the patches for the Arch LTS 5.4 kernel: Index of /files/linux-5.4/

There is a long-standing i2c module loading race condition in the kernel which can be fixed by adding CONFIG_PINCTRL_AMD=y to the config before compilation.

For 4G WWAN I wrote a (so far) ~500-line watchdog, because, at least in Germany, or with my Sierra Wireless MC7455, I don't know, the data link will go away after 6 hours:

Jun 25 07:23:44 m1 wwan-watchdog[676]: Registered on network TDG: 45% [##### ], Rx 15-25 MBit/s Tx 4-7 MBit/s
Jun 25 10:54:39 m1 wwan-watchdog[676]: Data link not connected, resetting


If you can live with "only" 4 GB RAM, it's hands-down the best x86 low-power platform you can buy. The company even publishes the schematics. But the chip shortage hit them too, so you might have to look hard to find them for sale anywhere right now.
 
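An added health check for the hwrng/rngd arrangement in the post above (example code, not Stephan's patches or watchdog): it confirms that the kernel has a hardware RNG source selected and that the input pool is not starved, by reading the sysfs and procfs files the kernel exposes for this. The root-prefix argument and the fake-tree builder are there so the check can be exercised offline against a constructed tree; the 1000-bit threshold is an assumption suited to the 5.4-era pool accounting.

```shell
#!/bin/sh
# Added example: health check for the hwrng + rngd setup on an APU box.
# Reads the same sysfs/procfs files a real kernel exposes; the optional
# first argument is a root prefix so the check can also run against a
# constructed tree (see make_fake_tree below).
hwrng_status() {
    root="${1:-}"
    cur="$root/sys/class/misc/hw_random/rng_current"
    avail="$root/sys/class/misc/hw_random/rng_available"
    ent="$root/proc/sys/kernel/random/entropy_avail"
    # All three files must exist; if not, the hwrng core never came up.
    for f in "$cur" "$avail" "$ent"; do
        [ -r "$f" ] || { echo "missing $f"; return 1; }
    done
    current=$(cat "$cur")
    # "none" means no hardware source is selected, so rngd (started with
    # -x rdrand -x pkcs11 -x rtlsdr -x jitter as above) has nothing to feed.
    case "$current" in
        none|"") echo "no hwrng selected (available: $(cat "$avail"))"; return 2 ;;
    esac
    entropy=$(cat "$ent")
    # Assumed threshold for the 5.4-era pool (0..4096 bits); kernels from
    # 5.18 on report a fixed 256 once seeded, so lower it there.
    if [ "$entropy" -lt 1000 ]; then
        echo "hwrng '$current' active but entropy_avail=$entropy is low"
        return 3
    fi
    echo "hwrng '$current' active, entropy_avail=$entropy"
    return 0
}

# Build a constructed sysfs/procfs tree under $1 so the check can be
# exercised without an APU: $2 is the selected source, $3 the pool level.
# "amd" is the constructed name of the on-board source; adjust to match
# what rng_available lists on the real box.
make_fake_tree() {
    mkdir -p "$1/sys/class/misc/hw_random" "$1/proc/sys/kernel/random"
    printf '%s\n' "$2" > "$1/sys/class/misc/hw_random/rng_current"
    printf '%s\n' "amd none" > "$1/sys/class/misc/hw_random/rng_available"
    printf '%s\n' "$3" > "$1/proc/sys/kernel/random/entropy_avail"
}
```

On the live box, source the file and call `hwrng_status` with no argument; a non-zero return tells you which of the three conditions failed.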

Mithril

Hello



For really low power requirements, PC Engines have some appealing offerings.

PC Engines apu2 system boards

This is their 4-port version.

Available in the USA from: ALIX/APU Mainboards


They also offer dedicated enclosures for these boards.




I hope this helps.





RedX1
Interesting option. A bit more than I had in mind for the multiple LANs; I don't have any mini-PCI NICs (plus the memory on those is really low). These look like they could run standard Linux/BSD, is that accurate?
 

Mithril

I run an APU 4D4 with kernel 5.4 and BIOS 4.16.0.1 on Arch, with some custom patches to keep the LEDs working through ACPI but also to make the front button (and GPIO, untested) perform a reboot using the pcengines-apuv2.c driver. There was a BIOS fix for the CPU RNG a few months ago, so start with 4.16.0.1 and rng-tools and e.g. this:

/etc/udev/rules.d/50-hwrng.rules:
ACTION!="add", GOTO="hwrng_end"
KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
LABEL="hwrng_end"


and /etc/conf.d/rngd:
RNGD_OPTS="-x rdrand -x pkcs11 -x rtlsdr -x jitter"

The hardware will then be working 100%, including ECC (rasdaemon can report errors). In the picture above you can add an mSATA SSD on the left, a 4G card in the middle slot and a wifi card in the right slot. There is a 6-hole red case from a German company (two left, two right, two on the back) which is what I am using for 3x wifi, 1x GPS, 2x 4G. Also as a backup firewall with VPN over 4G.

If you want to go such a hardcore DIY route too, here are the patches for the Arch LTS 5.4 kernel: Index of /files/linux-5.4/

There is a long-standing i2c module loading race condition in the kernel which can be fixed by adding CONFIG_PINCTRL_AMD=y to the config before compilation.

For 4G WWAN I wrote a (so far) ~500-line watchdog, because, at least in Germany, or with my Sierra Wireless MC7455, I don't know, the data link will go away after 6 hours:

Jun 25 07:23:44 m1 wwan-watchdog[676]: Registered on network TDG: 45% [##### ], Rx 15-25 MBit/s Tx 4-7 MBit/s
Jun 25 10:54:39 m1 wwan-watchdog[676]: Data link not connected, resetting


If you can live with "only" 4 GB RAM, it's hands-down the best x86 low-power platform you can buy. The company even publishes the schematics. But the chip shortage hit them too, so you might have to look hard to find them for sale anywhere right now.

I've tended to run more "out of the box" distros/products for firewalls; how well does everything work on Arch compared to [pf|opn]sense running on the same hardware?
I'm not super concerned about VPN inbound speeds (as this will be the backup box), more stability/security.
I'd somewhat prefer to run a hypervisor for the "on metal" as that allows me to "fake" interfaces and roll a HA config where both machines think they have the same network layout.

Interesting option, but the comment about even finding one right now seems too accurate :)
 

Stephan

Since I do strictly DIY for firewalls because I mistrust all those *sense and S*phos solutions, I can't really comment on how well suited they are, much less for your purpose. For me, I get optimum performance because I know how to write iptables and ipset rules which are 99% optimized for my use. Everything works as it should, even within a complicated setup. Performance is as good as a modern Linux allows for this hardware. I don't believe in deep packet inspection, but I run a sort of Pi-hole. I only bought the official PC Engines stuff like the recommended power supply, and even fully loaded with cards (mSATA, PCIe Atheros wifi, 4G card, SD card, SIM card), I can't provoke a crash.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
474
63
You can find Lenovo m720q tiny systems for around $200, or sometimes less if you're lucky/patient :)
It does have a little 65 W power brick though, but power draw is very low.

They can take 2x 32 GB DDR4 sticks, have 1x PCIe 3.0 x8 slot, 1x built-in Intel I219-V port, and storage is 1x M.2 NVMe drive.

You can use a quad-port network card, or I like to use a dual-port 10G card in the PCIe slot, then use the I219 port as out-of-band management.
They run Proxmox flawlessly and will even do SR-IOV if you want to do hardware passthrough to your firewall virtual machines.
 

Mithril

You can find Lenovo m720q tiny systems for around $200, or sometimes less if you're lucky/patient :)
It does have a little 65 W power brick though, but power draw is very low.

They can take 2x 32 GB DDR4 sticks, have 1x PCIe 3.0 x8 slot, 1x built-in Intel I219-V port, and storage is 1x M.2 NVMe drive.

You can use a quad-port network card, or I like to use a dual-port 10G card in the PCIe slot, then use the I219 port as out-of-band management.
They run Proxmox flawlessly and will even do SR-IOV if you want to do hardware passthrough to your firewall virtual machines.
Do those work with any power brick as long as it is the correct voltage and polarity? I thought they needed OEM or knockoffs, like the HP t series.
I also don't remotely need something that new, really, as it's going to be 100% idle 99.9% of the time (being a backup).
 

zer0sum

Do those work with any power brick as long as it is the correct voltage and polarity? I thought they needed OEM or knockoffs, like the HP t series.
I also don't remotely need something that new, really, as it's going to be 100% idle 99.9% of the time (being a backup).
They can, but the end that connects to the M720q is a proprietary square plug.

You could also look at the Wyse 5070 Extended or Fujitsu S920 if you wanted lower-power tiny clients with PCIe slots.
 

Mithril

A lot of these options are interesting, but quite frankly far too expensive for the intended use case. Despite shipping from Germany to the US doubling the cost, it feels like a Fujitsu Futro S920 makes more sense. As long as a HH-HL PCIe card will do, the machine itself is claimed to idle at ~5 W, it's got 2 DDR3 SO-DIMM slots, so even if all you have left are cheap 2G, that's 4G, which is plenty for a firewall IMHO. And it is, as far as I can tell, just DC in.

There are some potential other low-cost options depending on how much you'd want to tinker. Some of the non-"extended" thin clients do have an internal mini-PCIe slot which you could add a flex riser to and run a card.

So it feels like 100 bucks at, let's say, "less than 10 W" with the ability to have 4 GB or more of RAM is the mark to beat here, as my priorities are power, then cost, then performance.

Edit: Looks like it's closer to 15 W with a card.

Other potential options, for which I need to confirm A) idle/average power and non-vendor-locked power: T610 Plus/T620 Plus and Wyse 5070 Extended.


Are there non-Plus/Extended options that are fairly straightforward to mod (has a mini-PCIe/M.2 + SATA, and the cooling solution would survive case modification)?
 

Sean Ho

seanho.com
Nov 19, 2019
774
357
63
Vancouver, BC
seanho.com
The m720q, like most uSFF/TMM and laptops, uses 20 V DC. Although the rectangular plug is Lenovo-specific, you can get very cheap adapters to standard DC barrel plugs if you wanted to power it from solar/battery using DC-DC rather than invert to 120 V and rectify.
 

Mithril

What about itx boards with integrated low power CPUs? I have a small case on hand and a pico psu. I don't have a specific need for this to be super small honestly so if I can slam it into a SFF case or a 2U/1U case that would be fine.
 

msg7086

Active Member
May 2, 2017
423
148
43
36
I have a pair of Dell 7010 SFF with i5-3470. Idles at about 16 W at a Linux shell prompt doing absolutely nothing. Comes with 2 low-profile PCIe slots (1x 16 (blue), 1x 16 (black)).
 

adman_c

Active Member
Feb 14, 2016
264
138
43
Chicago
Do you want 2.5GbE+? Or do you mean 2+ ports running at 1GbE? If it's the latter, any of the multi-Intel-NIC mini PCs from Aliexpress released in the past few years will be great. My prior firewall was a Qotom Celeron J3160 mini PC with 4 Intel GbE ports. Idled at 6-7 W and would route at gigabit speed all day. Also uses a bog-standard 12 V barrel connector. In fact, I'm looking to sell it, so hit me up if you want it. :D

If you're looking for 2.5GbE+, the easiest/cheapest are the Celeron J4125 or Pentium N5105 mini PCs, as reviewed on the main site. If you want 10GbE, it's a little more complicated. I went with 10GbE in a Lenovo Tiny because my core switch doesn't speak NBASE-T. And also because I wanted something a bit more powerful so I could virtualize the firewall. That said, even with a 2x SFP+ card in it, my M720q firewalls (I've built a couple) idle at 12-14 W running pfSense on top of Proxmox. And as Sean Ho said above, you can buy a barrel plug to Lenovo adapter from eBay for a couple of bucks if you need to run directly off DC power.
 

Mithril

Do you want 2.5GbE+? Or do you mean 2+ ports running at 1GbE? If it's the latter, any of the multi-Intel-NIC mini PCs from Aliexpress released in the past few years will be great. My prior firewall was a Qotom Celeron J3160 mini PC with 4 Intel GbE ports. Idled at 6-7 W and would route at gigabit speed all day. Also uses a bog-standard 12 V barrel connector. In fact, I'm looking to sell it, so hit me up if you want it. :D

If you're looking for 2.5GbE+, the easiest/cheapest are the Celeron J4125 or Pentium N5105 mini PCs, as reviewed on the main site. If you want 10GbE, it's a little more complicated. I went with 10GbE in a Lenovo Tiny because my core switch doesn't speak NBASE-T. And also because I wanted something a bit more powerful so I could virtualize the firewall. That said, even with a 2x SFP+ card in it, my M720q firewalls (I've built a couple) idle at 12-14 W running pfSense on top of Proxmox. And as Sean Ho said above, you can buy a barrel plug to Lenovo adapter from eBay for a couple of bucks if you need to run directly off DC power.
No, this will be for backup only, either in case of hardware failure or extended power outages. No need for it to even hit gigabit routing, to be honest; it's more of a "stay on the grid on a bad day" thing.
Is it possible to run something like Proxmox on those mini PCs, and how long do they tend to last?
Running it as a VM platform allows for the ability to "fake" the NIC layout for easier failover between heterogeneous hardware.

For the one you have is this the right product? Amazon.com: Qotom Mini Desktop PC CPU Celeron J3160 Quad Core 1.6 GHz-8GB RAM 256GB SSD Windows 10-for Office Use : Everything Else
 

Mithril

I have a pair of Dell 7010 SFF with i5-3470. Idles at about 16 W at a Linux shell prompt doing absolutely nothing. Comes with 2 low-profile PCIe slots (1x 16, 1x 1).
Ah, thanks for the info on the power use. I'd really like lower, but that's an option, thanks!
 

adman_c

The one I have has 4x GbE, so it's more or less this one, right down to the chrome trim. I bought direct from Aliexpress, so I did not pay anywhere near Protectli's prices. The Celeron J3160 in my unit is, to be kind, not fast. Plenty fast to route at gigabit speeds on pfSense running bare metal, but I'm really not sure I'd want to run it virtually. OTOH, if it's purely for backup, you never know! The N5105 models reviewed here are plenty fast though and only burn a few watts more than mine. If it were me, that's what I'd do. No wait, if it were me, I'd put a pair of M720qs with 10GbE in a Proxmox HA cluster. But that does not necessarily check the "low power" box.
 

Mithril

The one I have has 4x GbE, so it's more or less this one, right down to the chrome trim. I bought direct from Aliexpress, so I did not pay anywhere near Protectli's prices. The Celeron J3160 in my unit is, to be kind, not fast. Plenty fast to route at gigabit speeds on pfSense running bare metal, but I'm really not sure I'd want to run it virtually. OTOH, if it's purely for backup, you never know! The N5105 models reviewed here are plenty fast though and only burn a few watts more than mine. If it were me, that's what I'd do. No wait, if it were me, I'd put a pair of M720qs with 10GbE in a Proxmox HA cluster. But that does not necessarily check the "low power" box.
Looks like some others have managed to run virtualization on them OK; sure, it might struggle with wire speed, but that's not my goal, so that's fine. I think 6-7 W idle is going to be tough to beat.
 

Sean Ho

I'm not sure I understand the motivation to virtualize. You can run two instances of pfSense/OPNsense on bare metal (or have your primary instance be virtualized if you like) with virtual IPs and CARP syncing.
 

Mithril

I'm not sure I understand the motivation to virtualize. You can run two instances of pfSense/OPNsense on bare metal (or have your primary instance be virtualized if you like) with virtual IPs and CARP syncing.

It allows for creating 2 instances on different hardware that seem to be the same configuration for HA setups. Not, perhaps, a valid reason for "production" use, but very useful for a homelab. It also lets you do better snapshotting/backup than might be available natively within the OS and/or filesystem of the firewall distro. Plus it makes it *much* easier to try out other firewall distros or complete DIY.
 