New firewall - mini pc

Jun 2, 2021
48
7
8
I'm aware of TinyMiniMicro, but this time I'm hoping to purchase new.

I have a small space that I'm fitting this into; it's a structured media cabinet that's mounted in the wall.

Use case is OPNsense:

-Gigabit Internet (Fios)
-VLAN termination and routing
-IPS
-VPN (client-server, possible site-to-site in the future)
-QoS
-Will be dual-stacking IPv4 and v6, though I doubt that will affect performance at all at the hardware level. Worth mentioning.

Right now, I'm looking at either:

NUC11TNHI50L -or- MAYBE Protectli vp4630

I feel like the NUC (wish I could get vPro.. can't find that SKU) would be good, even though I need RAM and an SSD (should have a spare NVMe laying around), which would make these two pretty comparable in price. I like the option of coreboot for the Protectli, but I also like that the NUC has an i5.

I really don't want to have to replace this for a while. I think my biggest concern is running out of CPU. The reason for that concern is that once I move and get my lab back up again (vSphere cluster, 3-5 nodes) I don't know what my traffic will look like, routing between VLANs.

I know IPS will take a big chunk out of CPU.

Are there any other units I should consider? Again, would really like new, and not above $600-ish (I know the Protectli is more, but coreboot WOULD be nice.. unsure about BIOS updates). I'm based in the US.
 

zac1

All my thoughts are biased like "look at all these neat Supermicro mITX systems with all these ports I have to get rid of."

Have you considered SOC mITX boards from Supermicro? Something from the A2SDI family with a Denverton Atom CPU? Say, a very compact E200-9A or a fanless E302-9A?

Each of these has IPMI and can be had for <$600 on eBay. I think there might even be some in the FS forum here.
 

Tyrant82

For vPro models you just need to replace the i in front of the processor with a V, so your search would be this SKU: NUC11TNHV50L.

Edit: Link to the Intel Page added, and under Advanced Technologies you will find the vPro Eligibility.
 

adman_c

So your cheapest option is one of the Topton units from Aliexpress. This one has a Pentium N6005 for around $200 shipped (BYO RAM and SSD). If you want US-based for support, this Protectli is less than $400 (again BYO RAM, SSD). Running OPNsense bare metal, these should have no problem forwarding 1Gb/s between VLANs with some fairly typical firewall rules. I'm not sure how much IPS would slow things down--someone else would have to chime in on that. The NUC looks pretty nice too. I didn't know those came in a dual LAN config!

I'm team TinyMicro though.
 

zer0sum

Why not buy a brand new M90q gen 3?
It's arguably better than a NUC as it has the PCIe slot :D

It costs a bit more, but you can find them cheaper
 

adman_c

> Why not buy a brand new M90q gen 3?
> It's arguably better than a NUC as it has the PCIe slot :D
>
> It costs a bit more, but you can find them cheaper

Yeah, if you'd been looking this summer you coulda nabbed a new P350 with an 11th Gen i5 for $500. And if you get a recent enough used Tiny, it could still have some warranty left from Lenovo (which you can then pay to extend).
 

zac1

> Yeah, if you'd been looking this summer you coulda nabbed a new P350 with an 11th Gen i5 for $500. And if you get a recent enough used Tiny, it could still have some warranty left from Lenovo (which you can then pay to extend).

How would one of those compare to an A2SDI-4C-HLN4F?
 

adman_c

> How would one of those compare to an A2SDI-4C-HLN4F?

Much smaller form factor, with the attendant expansion limitations, only a single built-in NIC. But much greater CPU power (on the order of 8x single and multicore). Room for a 2x SFP+ NIC, 2x NVME drives, and a small SATA drive if you remove the SATA drive from its case.
 

zac1

> Much smaller form factor, with the attendant expansion limitations, only a single built-in NIC. But much greater CPU power (on the order of 8x single and multicore). Room for a 2x SFP+ NIC, 2x NVME drives, and a small SATA drive if you remove the SATA drive from its case.

Ah, interesting tradeoffs I could see being advantageous in some situations. Thank you!
 
Jun 2, 2021
48
7
8
> All my thoughts are biased like "look at all these neat Supermicro mITX systems with all these ports I have to get rid of."
>
> Have you considered SOC mITX boards from Supermicro? Something from the A2SDI family with a Denverton Atom CPU? Say, a very compact E200-9A or a fanless E302-9A?
>
> Each of these has IPMI and can be had for <$600 on eBay. I think there might even be some in the FS forum here.

I had not, but looking at the dimensions I don't think it will fit in the space I have. If my switch wasn't so large, maybe.

> For vPro models you just need to replace the i in front of the processor with a V, so your search would be this SKU: NUC11TNHV50L.
>
> Edit: Link to the Intel Page added, and under Advanced Technologies you will find the vPro Eligibility.

Might drop the vPro idea.
Do you know if vPro is accessible on one NIC, or both, in a dual NIC situation?

> So your cheapest option is one of the Topton units from Aliexpress. This one has a Pentium N6005 for around $200 shipped (BYO RAM and SSD). If you want US-based for support, this Protectli is less than $400 (again BYO RAM, SSD). Running OPNsense bare metal, these should have no problem forwarding 1Gb/s between VLANs with some fairly typical firewall rules. I'm not sure how much IPS would slow things down--someone else would have to chime in on that. The NUC looks pretty nice too. I didn't know those came in a dual LAN config!
>
> I'm team TinyMicro though.

Between the Topton and Protectli, I'd go with the latter.
Protectli probably has better support/firmware updates.

I suppose I don't really need IPS, but it's something I'd like. Hmm.
 
Jun 2, 2021
48
7
8
> Why not buy a brand new M90q gen 3?
> It's arguably better than a NUC as it has the PCIe slot :D
>
> It costs a bit more, but you can find them cheaper

> Yeah, if you'd been looking this summer you coulda nabbed a new P350 with an 11th Gen i5 for $500. And if you get a recent enough used Tiny, it could still have some warranty left from Lenovo (which you can then pay to extend).

Over the summer, I still had room to run my 48c/96t, 600+ GB RAM lab lolol. So this wasn't an issue then.

Trying to buy new so I have warranty and whatnot, I don't have much time to mess around with fixing things at the moment.

I'm wondering if Protectli is in the midst of updating their lineup to 2.5 GbE, seeing as only a few have that.

Also @adman_c, it's a shame that unit you linked only has single channel RAM. Boo.

I'm feeling like a NUC 11 Pro, or a Protectli is my best bet at this point. Sucks I can only find the NUC on CDW though.
 

adman_c

> I had not, but looking at the dimensions I don't think it will fit in the space I have. If my switch wasn't so large, maybe.
>
> Might drop the vPro idea.
> Do you know if vPro is accessible on one NIC, or both, in a dual NIC situation?
>
> Between the Topton and Protectli, I'd go with the latter.
> Protectli probably has better support/firmware updates.
>
> I suppose I don't really need IPS, but it's something I'd like. Hmm.

If you're not worried about routing between VLANs at > 1Gb/s you should have plenty of CPU headroom with the N5105 or J6412 to run IPS. But if lots of CPU power for future uses is a high priority, then the NUC or a Tiny is maybe a better fit.
 

adman_c

> Over the summer, I still had room to run my 48c/96t, 600+ GB RAM lab lolol. So this wasn't an issue then.
>
> Trying to buy new so I have warranty and whatnot, I don't have much time to mess around with fixing things at the moment.
>
> I'm wondering if Protectli is in the midst of updating their lineup to 2.5 GbE, seeing as only a few have that.
>
> Also @adman_c, it's a shame that unit you linked only has single channel RAM. Boo.
>
> I'm feeling like a NUC 11 Pro, or a Protectli is my best bet at this point. Sucks I can only find the NUC on CDW though.

Serious question: how much does dual-channel RAM help with performance in these applications though?
 
Jun 2, 2021
48
7
8
> If you're not worried about routing between VLANs at > 1Gb/s you should have plenty of CPU headroom with the N5105 or J6412 to run IPS. But if lots of CPU power for future uses is a high priority, then the NUC or a Tiny is maybe a better fit.

> Serious question: how much does dual-channel RAM help with performance in these applications though?

Routing VLANs isn't so much an issue though, and I rarely saturate 1Gb doing that.
I'm thinking maybe an i3/i5 NUC with 2x 2.5 Gb would be good, but I can't determine if the i225-LM is having the same issues as the i225-V?

I don't mind BYO SSD/RAM either.

As far as single vs dual channel RAM, I honestly don't know, but I remember what it feels like going from single channel to dual, so I figure that it'd be best to just avoid potential weak points. Maybe someday I'll test that out if I get the time.

I know state tables are stored in RAM, but I'm unsure what else is. States are so small, I don't think dual channel would matter unless we're talking a really, really big firewall, 1000+ users.
 

zer0sum

> Much smaller form factor, with the attendant expansion limitations, only a single built-in NIC. But much greater CPU power (on the order of 8x single and multicore). Room for a 2x SFP+ NIC, 2x NVME drives, and a small SATA drive if you remove the SATA drive from its case.

It also has vPro :p
 
Jun 2, 2021
48
7
8
Alright, I just ordered:

NUC11TNHi50L
32 GB (2x16) DDR4 Mushkin Redline, 3200MHz CL16
250 GB Samsung 970 Evo Plus

The RAM is overkill, but I really wanted CL16 so, here we are.
Might end up using this for a dev box/hypervisor later on. When I buy a house again, I'll be able to have my lab back and have a big ol firewall again.

I went no vPro, because I couldn't determine the availability of vPro (both NICs, or just one).
Here's to hoping that the i225-LM doesn't have the same issues as the i225-V.
 

Tyrant82

There is something mentioned in the Intel product brief for the NICs:

MANAGEABILITY FEATURES
Intel® Active Management Technology
• Supported on systems enabled with Intel vPro® technology (I225/6-LM/IT only)

So I would say yes, both i225-LM are vPro capable, but I don't have experience with those NUCs :)
 
Jun 2, 2021
48
7
8
> There is something mentioned in the Intel product brief for the NICs:
>
> MANAGEABILITY FEATURES
> Intel® Active Management Technology
> • Supported on systems enabled with Intel vPro® technology (I225/6-LM/IT only)
>
> So I would say yes, both i225-LM are vPro capable, but I don't have experience with those NUCs :)

Meh, I went with non vPro. I didn't want to have vPro on a WAN facing NIC.
I'll get a smart plug and reboot it that way if I need to.
 

zer0sum

I'm curious what the reasoning was behind your choice of a NUC over a Lenovo Tiny m720/920/90q?

The limited ports and lack of a PCIe slot has always left me feeling the NUC is cool, but a terrible firewall choice