New firewall - mini pc

[NoncarbonatedClack]

I'm curios what the reasoning was behind your choice of a NUC over a Lenovo Tiny m720/920/90q?

The limited ports and lack of a PCIe slot has always left me feeling the NUC is cool, but a terrible firewall choice

Well, I wanted to buy new for once. silly reason but there's that. I'll also be using this for other things in the future.

Cost, including byo SSD/RAM, was less (again, new) with a newer cpu that uses less power. Which equals less heat in the enclosure.
Sizing was also important. The tiny's are small, but with the equipment that I already have in this enclosure, I wasn't sure what else would fit (LxW. I have space for height). with the NUC being 4" x 4" square (A little over really, that's motherboard size) so maybe something like 4.2" x 4.2", something like that.

Example of the enclosure, it's not the same and smaller than what I'm working with, but same idea.

As far as performance goes, the lenovo's will beat this chip mostly. Maybe in some specific instances the i5-1135G7 would win, but I'm not sure.

As far as expandability goes, for a firewall, it doesn't matter to me here. I've got two ports, they're 2.5 Gbe, so even not having a port channel to handle VLAN traffic, I'm not worried about saturating anything. 1gig symmetrical internet, and soon to be 2.5 Gbe on the switch side on my LAN.
Previously, I didn't even saturate the 1 gig link when I had a much larger firewall.

If I wanted to expand, I can get/3d print a different case, and get a riser interface to convert m.2 to to PCI-E x4 or something like that. People have done this to get 10 Gb NIC's installed in the NUC, pretty cool.

On limited ports, it's a firewall, shouldn't need a ton of ports lol.

 

[NoncarbonatedClack]

I've now realized that with the price I just paid for all the pieces, I could go for a opnsense dec750. ugh.

 

[kapone]

I keep shaking my head at these kinds of threads. (Sorry OP, it's not about you, it's the philosophy, no offense intended)

800 euros?? For an effin firewall box with a few gbe and 10g ports??

Either I'm too old...and none of this makes sense to me, or...something.

- Who cares about fanless? A decent low speed spinning fan is literally inaudible from a few inches away.
- Tiny boxes/form factor. Again, who cares? It could be 4x as big, still needs to go where the rest of the equipment is (otherwise, why're we buying this in the first place?)
- 256gb storage! For...what??
- 1.2gbps IPSec! umm...a 15 year old CPU could do that with hardware encryption.
- DDR4 RAM!! umm...why?

All this to run OPNsense...which can do all of that on <$100 (I'm being generous, given inflation) worth of hardware. Now, that all being said, the OP's size requirements ARE pretty specific, so maybe it makes sense to him/her, but you could still mount a bigger box on the wall, close to that enclosure and be done.

Are aesthetics THAT important, or am I missing something?

Edit:
For reference - Quoting my own message from a while back. Obviously not the same form factor (this is a 1U chassis), but that's because of my rack configuration, but that i5-3570s/4GB DDR3/something something SSD ~16GB/Mellanox CX3 single port 10gb nic, is still cranking along and I at present is routing two WANs.

Fios - at 1gbps symmetric
Comcast gigabit pro - At ~2-3gbps (A lot of people may not be familiar with this. It's essentially a trunk from Comcast with a fiber drop to the house).

This entire hardware was ~$60 at the time and idles at ~14w, with max 35w that I have seen. With inflation...$100?

Maybe I'm missing something...

I can do any pfSense package you can think of with symmetric gigabit routing, and a tiny system at that, with < $60 worth of hardware. Is it fanless? Nope. So what? It (among other things in my rack) sits in a corner of my basement, away from anything else. Why are we spending 100s if not thousands !! for a router??

The top left board in this system is my pfSense box. Other boards do other things.

 

[rotor]

idles at ~14w

Mmmm I would double-check those figures. I have an i5-3570S in an Intel motherboard (known for being power efficient) and it idles at 18W, and you've got a CX3 with a 10G SFP? Those things get HOT (because they consume lots of power)!

 

[Immortal]

Mmmm I would double-check those figures. I have an i5-3570S in an Intel motherboard (known for being power efficient) and it idles at 18W, and you've got a CX3 with a 10G SFP? Those things get HOT (because they consume lots of power)!

Even if it's a bit more it doesn't change the fact - he's right.

People are going for crazy overkill when it comes to firewall/router hardware. You can easily make do DIY build for 200-300$ or even less which gonna do 10 Gb/s.

 

[kapone]

Mmmm I would double-check those figures. I have an i5-3570S in an Intel motherboard (known for being power efficient) and it idles at 18W, and you've got a CX3 with a 10G SFP? Those things get HOT (because they consume lots of power)!

The difference is...that Gigabyte B75-TN thin mini motherboard. It takes direct 12v in, there's no 20/24 pin connector on it. And SO-DIMMs. And just a single x4 slot, just two four (I misspoke) SATA connectors. Very sparse motherboard.

p.s. no IPMI either. Don't need it for this box. IPMI in general consumes ~4-5w on it's own.

That's the reason I chose that motherboard. And I'm using HP platinum PSUs, those are very efficient at low loads. The one in this chassis is a 460w one.

 

[NoncarbonatedClack]

I keep shaking my head at these kinds of threads. (Sorry OP, it's not about you, it's the philosophy, no offense intended)

800 euros?? For an effin firewall box with a few gbe and 10g ports??

Either I'm too old...and none of this makes sense to me, or...something.

- Who cares about fanless? A decent low speed spinning fan is literally inaudible from a few inches away.
- Tiny boxes/form factor. Again, who cares? It could be 4x as big, still needs to go where the rest of the equipment is (otherwise, why're we buying this in the first place?)
- 256gb storage! For...what??
- 1.2gbps IPSec! umm...a 15 year old CPU could do that with hardware encryption.
- DDR4 RAM!! umm...why?

All this to run OPNsense...which can do all of that on <$100 (I'm being generous, given inflation) worth of hardware. Now, that all being said, the OP's size requirements ARE pretty specific, so maybe it makes sense to him/her, but you could still mount a bigger box on the wall, close to that enclosure and be done.

Are aesthetics THAT important, or am I missing something?

Edit:
For reference - Quoting my own message from a while back. Obviously not the same form factor (this is a 1U chassis), but that's because of my rack configuration, but that i5-3570s/4GB DDR3/something something SSD ~16GB/Mellanox CX3 single port 10gb nic, is still cranking along and I at present is routing two WANs.

Fios - at 1gbps symmetric
Comcast gigabit pro - At ~2-3gbps (A lot of people may not be familiar with this. It's essentially a trunk from Comcast with a fiber drop to the house).

This entire hardware was ~$60 at the time and idles at ~14w, with max 35w that I have seen. With inflation...$100?

Firstly, that's a pretty slick build you linked at the bottom of your post. Do you have a build threat type of post on that, beyond what you linked, that goes over the whole setup?
Also, what's that little breakout-like board just above the PSU?

"I keep shaking my head at these kinds of threads. (Sorry OP, it's not about you, it's the philosophy, no offense intended)" - No worries lmao. I get it.
"Are aesthetics THAT important, or am I missing something?" - Nope, definitely not. Aesthetics aren't at play here.

On fanless, absolutely true.
Tiny form factor is due to a space requirement where I live now. I'm not mounting anything on the wall, won't get the wife approval factor, and that's more holes in the drywall I have to fill when I move. My previous firewall was an HP ML310e gen8 v2, for reference (free from old job). That lived in a 42u rack, with a bunch of other gear. Previously was a VM on an R710.

I'm terminating all of my VLAN's and routing them on the firewall. So, IDS and IPS are in play for some those VLAN's, but not all.

Storage... idk. squid/caching proxy maybe? large pcaps (those could get big, troubleshooting on a 10gig connection for sure)? any number of things I guess, that one I don't any insight to, I don't have a requirement for storage space in my firewall.

IPSec throughput... I really doubt a 15 (or 10) year old CPU can do that. maybe (REALLY BIG MAYBE) if it's 1 client, you'll get... close. ish. I'm open to be proven wrong here, with data.

DDR4.. because that's what the CPU platform uses?

There's also no way a 10-15 year old CPU is keeping up at 10gig with packet inspection. It's also all about doing this at line rate. Once you introduce IDS/IPS, or any kind of DPI, on a firewall like the *sense's, you don't have ASICs that are doing this, you're pulling traffic into the CPU and running through software, rather than hardware doing the job for you.

The cost of that box also includes a year of support, which is nice. I mean also, not for nothing, I can't code, so how else does one support an open-source project that they really like? Given how expensive hardware has gotten, the cost isn't that bad.

Even if it's a bit more it doesn't change the fact - he's right.

People are going for crazy overkill when it comes to firewall/router hardware. You can easily make do DIY build for 200-300$ or even less which gonna do 10 Gb/s.

Right, and wrong, are subjective to each person, and the situation/constraints they're working within.

I've also stated somewhere in this thread that I would like to buy new, specifically. I don't have a lot of time to tinker with hardware and worry about old hardware failing (because it does happen). I've got time to grab a NUC, and pop in RAM and SSD, and install an OS (~15 minutes of time). I don't have time to deal with a hardware failure that takes down my network, wait on eBay shipping for old gen hardware that also may have a higher chance of dying than buying new. Downtime for me = both my spouse and I not being able to work, as we work from home.

Can new hardware fail? Absolutely, I've had it happen recently actually (damn you Samsung and your SSD bs).

" People are going for crazy overkill when it comes to firewall/router hardware. " - If I go crazy overkill, I don't have to mess with it or upgrade it for a longer period of time, and less of a chance of a performance bottleneck.

 

[kapone]

@NoncarbonatedClack - Like I said earlier, to each his/her own. If your constraints dictate that you spend 800 euros for a firewall box, go for it. Don't listen to me (or anybody like me).

However, there is NO use case generally speaking that justifies that cost.

 

[NoncarbonatedClack]

@NoncarbonatedClack - Like I said earlier, to each his/her own. If your constraints dictate that you spend 800 euros for a firewall box, go for it. Don't listen to me (or anybody like me).

However, there is NO use case generally speaking that justifies that cost.

This is 100% home use, but, business/enterprise definitely has the justification.

do you have data for any of your points on performance? I'm genuinely curious, I'm open to being proven incorrect on some of my counterpoints I made to you. If I'm wrong, I'd rather know about it, you know?

Also seriously , do you have a post that showcases your build a little more? A 3-in-1 box like that is pretty sweet, especially custom built.

 

[kapone]

do you have data for any of your points on performance?

Like what?

- Power consumption? - These combinations are well documented all over the interwebs

- Fanless/With Fan - Can't help you there. If you want fanless, you want fanless.

- Tiny form factor - There are many other options for tiny form factors. Some of the Dell thin clients, M90s come to mind, not even looking at Chinese boxes.

- Terminating all your VLANs on the firewall - er...why? For that amount of money you could get a tiny firewall AND a Layer 3 switch (where you terminate your VLANs) and probably take your wife out to a dinner or a few.

- Storage - The firewall distributions themselves are tiny. The packages are tiny. Logs get recycled. Again, a firewall does not need a ton of storage. If you have it, you have it, but it won't get used. At all.

IPSec throughput - 1.2gbps...You think the world didn't have that IPSec throughput until 2023? That throughput with the right algorithm and AES-NI (on CPU) was being done way back. 15 years ago, sounds about right, but I could be off by a year or two.

DDR3/4 - I realize "new" systems today won't come with DDR3, my point was that you don't need DDR4. Again, 15 y/o systems with DDR3 still have more than enough room to spare.

10g packet inspection/IDS/IPS/DPI - Well...that aint gonna happen. Either with 15 year old systems that I was referring to or the OPNSense DEC750. If OPNSense is promising that, I have a bridge somewhere... That said, why would that be important? Do you have 10g internet at home? Will you be using ALL of it on average AND you want deep packet inspection at that line rate?

If that OPNSense box has dedicated ASICs...again, I think I have a bridge somewhere...

You wanna support OPNSense - Go for it. It's a noble thought, and it's your money.

As far as my creative build goes... it's nothing special. That lil breakout box above the PSU is a "miner" type breakout box for HP PSUs. It simply makes the PSU act like a 12v power supply. The 3 motherboards/heatsinks/fans (hacked up Dell fans from their thin clients, 7010s I believe) were simply placed where they would fit, with airflow, in a 1U chassis. Sorry, I didn't think something like that deserved a build thread, never made one.

Edit: Actually, I did post a thread about it, not exactly a build thread, but some more detail.

https://forums.servethehome.com/index.php?threads/umm-high-density.30810/

Edit 2: Well, I actually found time to look at the DEC750 data sheet.

Firewall Throughput 10Gbps 10Gbps
Firewall Packets Per Second 830Kpps 830Kpps
Firewall Port to Port Throughput 8.5Gbps 8.5Gbps
Firewall Port to Port Packets Per Second 719000 719000
Concurrent Sessions 3000000 7000000
Firewall Latency (average) 150us 150us
Firewall Policies (Recommended Maximum)1 10000 10000
IPsec VPN Throughput (AES256GCM16) 1.2Gbps 1.2Gbps
IPsec VPN Packet Per Second (AES256GCM16) 107Kpps 107Kpps
OpeVPN SSL Throughput (AES256GCM16) 500Mbps 500Mbps
OpenVPN Packet Per Second (AES256GCM16) 42Kpps 42Kpps
Threat Protection Throughput Packet Per Second 85Kpps 85Kpps
Threat Protection Throughput ~1Gpbs ~1Gpbs
High Availability with State Synchronisation Requires Two Requires Two

They are using AES 256 GCM algorithm as well, which can be accelerated by on CPU AES-NI (that's how they're doing it as well, no ASICs). These were the numbers for the Ivy Bridge era (the i5-3570s that I use):

# Tests are approximate using memory only (no storage IO).
#  Algorithm | Key |  Encryption |  Decryption    
     aes-cbc   128b   581.3 MiB/s  1961.8 MiB/s    
     aes-cbc   256b   431.4 MiB/s  1503.1 MiB/s    
     aes-xts   256b  1665.6 MiB/s  1642.3 MiB/s    
     aes-xts   512b  1318.3 MiB/s  1282.1 MiB/s

Do AES-NI instructions accelerate both AES-128 and AES-256?

I have a HW-accelerated AES processor. With that in mind, my first question would be: Do AES-NI instructions accelerate both AES-128 and AES-256 encryption / decryption? Secondly, if it is true, ...

security.stackexchange.com

And their OpenVPN performance is worse than my Ivy Bridge CPU. (they have 4 cores at 2.2GHz, the 3570s has 4 cores at 3.3GHz. Core speed is king for OpenVPN)

And their IDS/IPS is specced at 1gbps only.

Like I was saying, other than a nice looking box, I can't see 800 euros worth of benefit here.

 

[Immortal]

Right, and wrong, are subjective to each person, and the situation/constraints they're working within.

I've also stated somewhere in this thread that I would like to buy new, specifically. I don't have a lot of time to tinker with hardware and worry about old hardware failing (because it does happen). I've got time to grab a NUC, and pop in RAM and SSD, and install an OS (~15 minutes of time). I don't have time to deal with a hardware failure that takes down my network, wait on eBay shipping for old gen hardware that also may have a higher chance of dying than buying new. Downtime for me = both my spouse and I not being able to work, as we work from home.

Can new hardware fail? Absolutely, I've had it happen recently actually (damn you Samsung and your SSD bs).

" People are going for crazy overkill when it comes to firewall/router hardware. " - If I go crazy overkill, I don't have to mess with it or upgrade it for a longer period of time, and less of a chance of a performance bottleneck.

Yes, that's true - right and wrong are subjective to each person. Nothing to argue here.

To be precise i should have wrote - from technical standpoint for just a firewall/router you can easily buy DIY hardware for like 200$ or less and it will do 10 Gbit/s easily. That's just a fact.

Is it right or wrong for you - it's an entirely different matter.

 

[Markess]

meh, i went with non vPro. I didn't want to have vPro on a WAN facing NIC.
I'll get a smart plug and reboot it that way if I need to.

Late to the party, but just as an FYI since the question didn't get answered: I've got/had a number of vPro enabled boards/systems with 2+ NICs over the years and in all of them, only one NIC was vPro enabled. I think for the reason you mentioned: not having an upstream NIC vPro accessible. OTOH, I don't have the specific systems you've been looking at.

- Who cares about fanless? A decent low speed spinning fan is literally inaudible from a few inches away.
- Tiny boxes/form factor. Again, who cares? It could be 4x as big, still needs to go where the rest of the equipment is (otherwise, why're we buying this in the first place?)

I think based on an earlier post by the OP, they're trying to fit this into some sort of structured wiring cabinet in their home. And they may be in a situation where significant "reengineering" and rerouting of cabling in the walls isn't possible or allowed.

If their wiring cabinet is anything like mine, it could be a shallow metal box inside the wall with a (poorly) ventillated metal cover. It's may be somewere out of the way (mine is in the master bedroom closet behind a clothes rod), so may NOT be where the rest of the equipment is. I have racks in the home office/guest room and garage, but the wife wasn't going to tolerate a rack in her bedroom closet just because all the ethernet cables in the house, plus the cable from the ISP, terminated there.

So, I have the firewall and a small switch in the bedroom closet, because that's where everything terminates. And those in turn feed dowstream to the racks, PCs, TVs, a more centrally located WiFi AP, and various devices in other rooms. But there's really no other equipment where the firewall is...in a closet...behind a clothes rod.

Its not optimal, but its what the builder did. Every home we looked at back when it was built (2005) was set up that way. So I can see how the OP would either need to go through the time & expense of rewiring his home or opt for a small, low power system that could work inside the existing cabinet.

And sometimes...generally...always: (small + low power) x powerful=cost.

 

[adman_c]

Late to the party, but just as an FYI since the question didn't get answered: I've got/had a number of vPro enabled boards/systems with 2+ NICs over the years and in all of them, only one NIC was vPro enabled. I think for the reason you mentioned: not having an upstream NIC vPro accessible. OTOH, I don't have the specific systems you've been looking at.



I think based on an earlier post by the OP, they're trying to fit this into some sort of structured wiring cabinet in their home. And they may be in a situation where significant "reengineering" and rerouting of cabling in the walls isn't possible or allowed.

If their wiring cabinet is anything like mine, it could be a shallow metal box inside the wall with a (poorly) ventillated metal cover. It's may be somewere out of the way (mine is in the master bedroom closet behind a clothes rod), so may NOT be where the rest of the equipment is. I have racks in the home office/guest room and garage, but the wife wasn't going to tolerate a rack in her bedroom closet just because all the ethernet cables in the house, plus the cable from the ISP, terminated there.

So, I have the firewall and a small switch in the bedroom closet, because that's where everything terminates. And those in turn feed dowstream to the racks, PCs, TVs, a more centrally located WiFi AP, and various devices in other rooms. But there's really no other equipment where the firewall is...in a closet...behind a clothes rod.

Its not optimal, but its what the builder did. Every home we looked at back when it was built (2005) was set up that way. So I can see how the OP would either need to go through the time & expense of rewiring his home or opt for a small, low power system that could work inside the existing cabinet.

And sometimes...generally...always: (small + low power) x powerful=cost.

Similarly, I have a limited space in which to put all of my homelab gear and it's much too shallow for anything other than short-depth networking gear. Compactness is thus a feature that I have sought for many of my lab machines. @kapone is 1000% right that a firewall doesn't require that much horsepower and my Tiny with a i5-8500T is vastly overspecced for the job. Similarly, 10GbE on my firewall makes no sense at all given my relatively limited WAN speeds and the fact that I have a L3 capable switch. But hey, it's a homelab. And it cost me less than half what OPNsense wants for their far more limited box. To each their own.

 

[kapone]

<snip>

@Markess - You've been around long enough here that you know what I'm saying. Just because I put my firewall board in a 1U chassis, is not the point.

The point is that there are far cheaper (and probably more capable) alternatives to what the likes of OPNsense and Netgate want for their hardware. Netgate (ugh!) at least is doing "some" interesting work, like TNSR that "maybe" justifies some of their pricing (it does not). The OPNsense hardware is simply a cute lil box. A nice box, no doubt, but still an overpriced cute box.

We all build/buy what we need, to fit our needs, but overpriced is overpriced. That doesn't mean one shouldn't buy it, it means you choose to buy it by design, not by accident/ignorance.

 

[Markess]

The point is that there are far cheaper (and probably more capable) alternatives to what the likes of OPNsense and Netgate want for their hardware. Netgate (ugh!) at least is doing "some" interesting work, like TNSR that "maybe" justifies some of their pricing (it does not). The OPNsense hardware is simply a cute lil box. A nice box, no doubt, but still an overpriced cute box.

Oh man, I guess I didn't make myself very clear . Sorry.

I'm not necessarily advocating for an OPNsense or Netgate box. What I am saying is that with the OP's situation, ANY solution is probably going to be expensive, and his choices more limited.

The OP needs to fit their firewall inside an actual wall...in a space with little to no airflow. He doesn't necessarily want his various connections to terminate at the firewall's location, but that's where the original builder put them.

Besides probably being too large for the space, even an ITX board with a modest spec CPU would overheat pretty quickly in that situation. Most TMM would also probably be an issue from a heat/airflow standpoint, even if they will otherwise fit. And a two piece solution (firewall + switch) is by necessity going to have to be physically small to fit. And small always seems to mean more $$.

So OP's choices tend to be stuff like a fanless NUC with two NICs...which is expensive. Or a regular NUC with a second add-on NIC...also expensive by the time you get the extra parts. Or, any one of a bunch of N6005/J5005 boxes out there..which tend to be more expensive if you want any kind of support. Anything the OP can stick inside the wall and hope it "just works" without a lot of hand holding or attention is going to be expensive, even if they roll their own. Of course, there may be something else great that would work, but that I'm overlooking?

Personally, I quickly gave up on finding anything affordable that would fit in my wiring box. Because I own my own house, I didn't mind drilling a hole up high on the wall above that box, and pulled all 10 ethernet cables up out of the box and through that hole instead. I put a shelf in to hold an ITX system running pfSense and feeding into a small 10 port L3 switch. Its up high out of the way, and being in the "open air" it stays cool. But all that stuff would never have fit inside the wall, or survived the heat build-up. And it sounds like the OP doesn't want to/can't be drilling holes and pulling cables. So, his choices are more limited.

Sorry if I added confusion to the discussion! Cheers.

 

[NoncarbonatedClack]

I'm still here, I'll get responses out when i can

 

[unmesh]

There have been a few remarks about using L3 switches to do interVLAN routing instead of a router/firewall.

Are there low power L3 switches that I should look at for say 1Gbps interVLAN routing including features like mDNS support for IoT?

And is it true that it is a mess getting one of those to play nicely with the likes of pfSense?

Thanks

 

[kapone]

Are there low power L3 switches

Yes.

say 1Gbps interVLAN routing

Easy

including features like mDNS support for IoT

You'll have to do some digging.

is it true that it is a mess getting one of those to play nicely with the likes of pfSense

No. It just requires networking know how. If you don't have that (for e.g. a CCNA or similar), yeah it could be messy.

 

[NoncarbonatedClack]

There have been a few remarks about using L3 switches to do interVLAN routing instead of a router/firewall.

Are there low power L3 switches that I should look at for say 1Gbps interVLAN routing including features like mDNS support for IoT?

And is it true that it is a mess getting one of those to play nicely with the likes of pfSense?

Thanks

mDNS support would be interesting. If you find something, post it! I haven't seen that but I've mostly looked at older gear (Cisco 3560g, etc)

As far as doing L3 on a switch and getting it to play nice with *sense, you're looking at something called a transit network between your switch and firewall. it's not too hard, but as @kapone said, it can get messy if you're unfamiliar with this stuff.

 

[heromode]

i'm currently running opnsense on a Dell Wyse 5070 extended with a Intel I350-T4V2 nic, and i have nothing to complain about. But if i was shopping for a new small box to run opnsense etc, i'd prolly be looking at assembling it myself, ever since i discovered the products listed on the german minipc.de site:

MiniPC.de - Product finder MOTHERBOARDS

I've wondered how come the Mitac and Jetway motherboards are seldom referenced here..
the huge selection on that site, including casings etc has always made me drool..

Just as an example:

Spoiler: JETWAY MI05-00 THIN-ITX (J6412 INTEL ELKHART LAKE SOC, SIM SLOT, 6X LAN)

• Intel® Elkhart Lake SoC Processor
• 1* DDR4 3200MHz SO-DIMM up to 16GB
• 6* 10/100/1000/2500 Base-TX Ethernet Ports
• 1* USB 3.1 (Gen.2), 3* USB 2.0, 1* HDMI
• 1* EXT RS232 (RJ45 type), 2* INT RS232, 1* INT RS232/4228/485
• 1* M.2 E-key (2230), 1* M.2 B-key (3042), 1* SIM card slot
• 1* M.2 M-key (2242), 1* SATAIII, 1* 32GB eMMC (option)
• 12V DC-in