Need help to further throttle down my firewall hardware

[jang430]

Hi. I created a firewall box for Sophos Home Firewall, to be used at home. Traditionally, I'm using a repurposed appliance I have,


This box originally had a mini-itx motherboard. I removed it, and used a micro-atx motherboard. I really wanted something passive, and fanless, and removed the PSU as well.

This is what I have now.




Yet, the 35W TDP Intel i3-4160T reached past 80 deg C occasionally, and the alarm sounds. When I leave it, it goes away after a minute or so. I want to achieve passive cooling, and am willing to underclock my processor to bring the heat down further, as I don't maximize the processor anyway. I attached some Bios pics, as I don't know where to further bring down the temp.

I attached some relevant bios pics. Hope someone can help.

Thanks!

 

[Mithril]

So, unless I'm off the mark *passively* cooling a 35W TDP processor in a 1U with NO AIRFLOW at all is... asking for a lot.

I don't see a whole lot of options in the bios for undervolting, you might be able to tweak the max power settings or maybe disable some cores. Going with a *quiet* 1U fan based cooler is going to be far more reasonable with this cpu and bios. Other than that, a different cooler and/or some way to better couple the heat to outside the case. That or finding some quiet 40MM fans to pull some airflow over that decidedly NOT passive heatsink. If you are lucky you might be able to get the the bios or OS to stop the fans below a set temp and get a "mostly silent" setup.

 

[jang430]

a 40mm Noctua fan doesn't have enough clearance as I already used up all the space from the front to the back of the chassis. I do have a Dynatron K199 1U Server CPU Fan, but I'm experimenting with going passive, seems like it won't happen. In the bios, do you see any way to slow down the fan? I don't see any though.

 

[Stephan]

Options

1) Ditch the 1U case, get a case and probably CPU cooler that can use a silent PWM-controlled 1200rpm 120mm fan and temp problem is gone.

2) If this was Linux without any Sophos stuff you could try to set the CPU governor to powersave. This will limit the CPU to lowest possible frequency and prevent any turboing of the cores.

3) As a test try to put the case flat against a wall with the face plate facing down on table and the back with connectors facing straight up. This way convection of hot air can leave the case in thermodynamically advantageous fashion. In your situation imho not good for more than 5-10degC better temps though. Too little headroom imho if Winter goes and Summer comes.

4) Some Intel CPUs can have their TDP controlled using "msr" and "mmio" writes, see here TDP and turbo parameter modification with MSR on non-overclockable Intel CPU (such as Intel i7-8550U) and for Haswell see here src/cpu/intel/haswell/haswell_init.c - chromiumos/third_party/coreboot - Git at Google how that might work. No idea if Sophos allows such deep modifications, or has msr.ko kernel module even.

 

[jang430]

Options

1) Ditch the 1U case, get a case and probably CPU cooler that can use a silent PWM-controlled 1200rpm 120mm fan and temp problem is gone.

- I am organizing it to be all in rackmounts

2) If this was Linux without any Sophos stuff you could try to set the CPU governor to powersave. This will limit the CPU to lowest possible frequency and prevent any turboing of the cores.

3) As a test try to put the case flat against a wall with the face plate facing down on table and the back with connectors facing straight up. This way convection of hot air can leave the case in thermodynamically advantageous fashion. In your situation imho not good for more than 5-10degC better temps though. Too little headroom imho if Winter goes and Summer comes.

- I am organizing it to be all in rackmounts

4) Some Intel CPUs can have their TDP controlled using "msr" and "mmio" writes, see here TDP and turbo parameter modification with MSR on non-overclockable Intel CPU (such as Intel i7-8550U) and for Haswell see here src/cpu/intel/haswell/haswell_init.c - chromiumos/third_party/coreboot - Git at Google how that might work. No idea if Sophos allows such deep modifications, or has msr.ko kernel module even.

-Will check this out

 

[jang430]

This is what I see in my BMC fan controls. Is there any other way to further throttle down my CPU fan? At Optimal speed, fan is running at 4,500 RPM. I'm at 55 degrees. I'd like to further cut the RPM to about 3,000 if possible. Dont' know where to look.

 

[Magic8Ball]

Try adding a case fan at the side as it will push hot air out of the case even if it's not moving air directly over the motherboard and heatsink. You want to avoid a build-up of trapped hot air which can happen quickly in a small 1U case. I added a Noctua NF-A4x20 PWM to my firewall for the same reason and it's very quiet. It's easiest/best to allow the board to control it via PWM but I believe you can also use ipmitools to manually set the speed to any fixed % you want.

 

[Wasmachineman_NL]

Haswell can undervolt quite substantionally with something like ThrottleStop.

 

[lte]

This is what I see in my BMC fan controls. Is there any other way to further throttle down my CPU fan? At Optimal speed, fan is running at 4,500 RPM. I'm at 55 degrees. I'd like to further cut the RPM to about 3,000 if possible. Dont' know where to look

You can always set the thresholds of the fanspeeds using ipmitool
Check the resources here

 

[kapone]

You have a somewhat tricky combination of hardware. That Supermicro heatsink...really isn't designed to be run 100% passive. To give you an idea...I crammed three systems in a 1U chassis. This includes my firewall, my domain controller, and a primary virtual host that runs a few critical VMs.

Yes, there are 3x fans in there, but they are for the Supermicro X9SRL-F motherboard (with an 8 core CPU). The interesting part is the two systems towards the top. These are Gigabyte B75TN thin mini motherboards with a very specific heatsink designed for passive cooling. Note the number of heat pipes and the fin area. And these motherboards take direct 12v in, no need for a picopsu.

I'm using a single HP 460w power supply (with one of those miner breakout boards) to power all 3 systems. I didn't take a screenshot of the temps when things were completely passive for the top 2 systems, but right now my firewall shows these temps. (And it's heavily used).



When things were completely passive, I believe the firewall was running ~45C at idle, which is still completely fine.

So...in summary, right motherboard, right heatsink, right case and passive is certainly possible.

 

[Stephan]

I don't get why people cling to 1U. Are these all machines colocated in a datacenter where the lease is per-1U? Or is it a desire to cram as much hardware as possible into the least possible space? Funny hobby... ;-)

You can't cool passively anything above 10-15 watts very well without big ass heatsinks. OP needs to scale down to Atom, say anything Goldmont Plus or later with really large black heatsink. Black because it radiates slightly more efficiently than shiny. Or scale up the case to anything that can house a pretty much silent Noctua NF-S12A-PWM or NH-U12A.

45degC idle all fine btw @kapone, but how about a single process going nuts in your firewall and CPU stuck at 100%? What would fanless temps be then... with only the tiny PSU fan sucking hot air out. I always push hardware really hard like that before employing it at home. Best case the CPU will throttle heavily to keep temps down and you will notice, mid-worst case the board will shut down on CPU therm-trip (firewall down - great when you're on vacation a 1000 miles away), worst case something will fry, like those caps around the CPU socket.

Oh yeah those caps are usually rated 1000-5000 hrs at 85degC, maybe 105degC for high quality boards. Not frying them in hot air prolongs their life like 10 or 100 fold. Personally, I like gear that works for 20-30 years just like that.

 

[kapone]

45degC idle all fine btw @kapone, but how about a single process going nuts in your firewall and CPU stuck at 100%? What would fanless temps be then...

You're not wrong. When testing the setup, I did run CPU benchmarks that redlined the CPU, and I believe the temps hit ~70 and the CPU did throttle (i5 3570s). However...the two passive systems (in my case) will never do that. The firewall (pfsense with a few packages) never goes above 30% even at full tilt on a 1gb symmetric connection, and the DC, well the DC hardly warms up the CPU so to speak.

I'd never run a heavily used multi core system, passive. That's just asking for trouble. In this case though, given that the primary VM host (the Supermicro SRL motherboard) was going to require fans anyway, and there was empty space in front of it... It did result in a fair bit of power savings. All 3 systems combined at idle use <60w, which is pretty good.

As to rack space...I'm not paying by 1U per se...but I AM kinda low on rack space. Don't wanna get another rack...

 

[jang430]

@Magic8Ball I did add a Noctua case fan on the only side where I can place it. But my unit did alarm twice. I finally put an electric fan in front of it . Though during that time, I forgot to check if I can adjust chassis fan speed? Will adjustment above (shown in my post) be applicable to chassis fan as well?

 

[jang430]

@Wasmachineman_NL As my unit is a firewall, I don't have other os under the firewall, might not be able to do it.

@lte Is it possible to change fan speeds in a firewall os? I don't belive I can run ipmitool. Just to be clear, in case I am able to, this will be to adjust the Noctua chassis fan on the side.

@kapone , I belive the same, should be possible to go totally silent. Though I'd like to use existing hardware first, since existing hardware is already overkill for this application. My chassis is just the right size for my bookshelf. Enough depth.

@Stephan , I guess we each have our own preference how we like our homelab . In my case, it's rackmount 1Us stacked on top of each other, placed on my bookshelf. Compact, and Silent. With lights blinking. Since it's in the bookshelf, I want everything to be passive, not a hissing sound.

 

[lte]

@lte Is it possible to change fan speeds in a firewall os? I don't belive I can run ipmitool. Just to be clear, in case I am able to, this will be to adjust the Noctua chassis fan on the side.

depends on the base OS of your FW.
But in principle it is possible, as your BMC is independent of your host OS.
Downside of the whole fan speed stuff using ipmitool is that you have to set those values again after every reboot - most ppl do it via cronjobs, check the FreeNAS/TrueNAS forums for details.

 

[kapone]

I'm almost out of space in a 42U rack, for my homelab...bookshelf? gulp...

Edit: Although, it runs a number of servers as my "production" area, for my business. So, it's probably not a fair comparison.

 

[jang430]

depends on the base OS of your FW.
But in principle it is possible, as your BMC is independent of your host OS.
Downside of the whole fan speed stuff using ipmitool is that you have to set those values again after every reboot - most ppl do it via cronjobs, check the FreeNAS/TrueNAS forums for details.

I'm using Sophos XG Home firewall. I don't believe this is possible.

 

[warlord1312]

Didn't read the whole thread thoroughly so sorry if someone else mentioned it, but have you considered virtualizing the firewall and using the hypervisor's power saving features? I have my Sophos virtualized with no issues.

Also have you tried to reapply the thermal compound/TIM?

 

[jang430]

@warlord1312 Hi. Thermal compound newly applied. I prefer to keep firewall separate .