OPNsense DEC840/850 fanless firewall devices

RTM

So it seems to have flown under the radar here, but apparently (as I recently was made aware of) the OPNsense people have released some very interesting firewall devices recently.

Highlights:
  1. 4 or 8 core AMD EPYC (3101 and 3201 respectively for DEC840 and DEC850).
  2. 8/16 GB DDR4 (again respectively)
  3. 2x 10G SFP+ (the documents specify them as "integrated", so it seems we are finally seeing someone using the builtin AMD NICs)
  4. 4x 1G (Intel i210)
  5. Fanless
  6. 999 and 1299 EUR respectively (VAT exclusive)
  7. RAM and SSD appear to be in slots so perhaps they can be upgraded
  8. Designed and built in the Netherlands, this is a definite plus in my book.

@Patrick, can we please get a review? :)
 

Stephan

I see a bunch of talking points... to curb your enthusiasm ;-)

Cooling 30W TDP passively is imho pushing physics too hard, by a factor of 3 or more too much. Is the cooling solution validated for 40 or 50 °C ambient? The case is one giant heatsink. Does the CPU throttle and if so, when and by how much?

Why are there only renderings, not photos of the board? New product I presume. Seen many such things come and go, with even less support like a simple bugfix BIOS than a Shenzhen Android phone for 50 bucks.

Is the product mildly bug free? I have seen so many implementations of boards with serious flaws. You can knock PC Engines for their older/low power/lower performance designs but anything from them works really well, with years of uptime, and very few bugs. Can't say that from a lot of vendors. So careful with that missing track record, at EUR 999/1299 this could be an expensive, unsupported, worst-case useless and un-resellable toy.

I really want IPMI-capable machines at that price point to diagnose problems. And I want serious volume in a product to not be the only one finding out all its bugs and quirks. This is why Raspberry Pis are so popular, even though the SoC is custom and ARM: The ecosystem is huge and Linux has a lot of adaptations to run nicely on the quirky hardware.

Another item that goes through my mind when looking at this product is the use case for this much CPU horsepower. It's the wrong machine if you want to route more than 1 GBit/s. You'd want specialized network cards with super-solid (!) drivers and like a 70-90W TDP CPU to keep up.
 

Patrick

@RTM request noted. Looks like back in stock in late June.

@Stephan I actually spoke to the Marvell Octeon folks that make those cards yesterday afternoon.
 

tjk

So, I got 2 of these units...DEC850's.

I can't get more than ~2.75Gb/s on the 10G interfaces using iperf3, even with multiple streams (tested up to 8). CPU sits about 35-40% during iperf3 testing, temps on the cores about 113°F.

Latest OPNsense OS loaded on them, pass rules/no filtering.

With the Intel i210's bonded together and load sharing, I can get ~3GB/s throughput on the same iperf3 testing.

Tested back to back and through a Brocade ICX 7750 switch. Tested stand alone, lagg, etc.

Not sure if bad drivers or something else.
 

RTM

What is the CPU load like per core, is the 35-40% total load? Maybe you are hitting a per core limit somewhere?
 

tjk

Top shows all cores 0 or 1% for user, and for system a couple cores bounce around 50 to 100%, rest at 0% on system.
 

rootwyrm

tjk said: "Not sure if bad drivers or something else."
It's very annoying that they don't explicitly say they're using the EPYC SoC interfaces. I had to go digging. And they're definitely not what I'd have preferred - too BIOS sensitive.
However, I suspect that you're hitting a switch interaction problem with the Brocade.
Do you have any other 10GbE devices you can link to and repeat the test with? Setting up a trombone test on the SoCs is a real migraine (needs MAC spoof and filtering.)
 

nerdalertdk

rootwyrm said: "It's very annoying that they don't explicitly say they're using the EPYC SoC interfaces. I had to go digging. And they're definitely not what I'd have preferred - too BIOS sensitive.
However, I suspect that you're hitting a switch interaction problem with the Brocade.
Do you have any other 10GbE devices you can link to and repeat the test with? Setting up a trombone test on the SoCs is a real migraine (needs MAC spoof and filtering.)"

Don't think it's a switch problem with that switch.