Recommendations for Low-Power, Rack-Mountable Firewalls with 10Gb/2.5Gb Support


Jznbitz

New Member
Apr 25, 2025
Hi everyone,
I’m looking to upgrade my current firewall setup and could use some advice. I’m running an older Intel D525 box with 1Gb copper on OPNsense, but it’s starting to show its age, especially since my ISP now offers 10Gb service that I’d love to take advantage of. My setup serves as a backup site for a few family members and hosts some servers for my kids to play games with their friends.
I’m also interested in setting up my own VPN to manage things remotely, rather than relying on the mix of tools I currently use.
Ideally, I’m looking for a low-power, rack-mountable firewall that supports 10Gb or at least 2.5Gb, and is budget-friendly. I’ve been considering something like a previous-generation HPE low-power server, but I’m open to other suggestions. I know this won’t be free, but I’d like to keep costs reasonable.
Any recommendations or insights would be greatly appreciated! Thanks in advance for your help.
 

Jznbitz

New Member
Apr 25, 2025
I had checked out the Qotom C3758R, but it seems like it’s no longer on Amazon, and I’m guessing it might be tough to find in a lot of places, possibly due to China-related import restrictions or supply chain issues.

I think the Minisforum MS-01 seems like a fantastic alternative; it just isn't rackable.
 

SlowmoDK

Active Member
Oct 4, 2023
The new Ubiquiti Cloud Gateway Fiber looks very interesting and is basically the same price or cheaper than a Qotom C3758R with RAM and disk.

Not rackable, but maybe worth it anyway.

 

blunden

Well-Known Member
Nov 29, 2019
The new Ubiquiti Cloud Gateway Fiber looks very interesting and is basically the same price or cheaper than a Qotom C3758R with RAM and disk.

Not rackable, but maybe worth it anyway.

Yes, if you're already in the UniFi ecosystem or willing to get into it, it's great. :) Just be aware that IPv6 support is still a bit limited in some ways.
 

SlowmoDK

Active Member
Oct 4, 2023
Yes, if you're already in the UniFi ecosystem or willing to get into it, it's great. :) Just be aware that IPv6 support is still a bit limited in some ways.

Well, I'm still in the camp that disables IPv6 whenever I can ...

But I'm a lucky white dude with a permanent IPv4 address, so I'm very tempted by this .. even Lawrence Systems has changed/been paid to switch out his pfSense for UniFi... might mean less than I think hehe

Anyone on IPv6 only might not be that impressed.
 

bugacha

Active Member
Sep 21, 2024
Apple Mac Book
 

WhiteNoise

Member
Jan 20, 2024
I think the UniFi device is an interesting new addition. I am not in the UniFi ecosystem and so far I do not intend to join.

One thing that concerns me about the UniFi product is the use of a quad-core ARM CPU (even though they used a better one in this "fiber" version).
I just don't see these quad-core ARM chips being capable of the level of performance they claim doing NAT/routing/firewalling/DPI/IDS. They do not claim to have any form of hardware acceleration otherwise.

Many people here have built their own firewall/router solution with CWWK/Topton boxes based on the N100/N300, or using a Lenovo Tiny with a dual 10G network card.

If you are looking for a ready-made product, perhaps Firewalla could fit the bill too.
 

blunden

Well-Known Member
Nov 29, 2019
Well, I'm still in the camp that disables IPv6 whenever I can ...

But I'm a lucky white dude with a permanent IPv4 address, so I'm very tempted by this .. even Lawrence Systems has changed/been paid to switch out his pfSense for UniFi... might mean less than I think hehe

Anyone on IPv6 only might not be that impressed.

Maybe you should try learning it instead. ;) It's actually pretty nice and can simplify some things quite a bit. :)

There is nothing to suggest that Lawrence was paid to do anything. :) He simply wanted to get more experience with the latest features now that many of his complaints are supposed to have been addressed. Really, that's a necessary part of his job as a contractor/consultant. :)

I think the UniFi device is an interesting new addition. I am not in the UniFi ecosystem and so far I do not intend to join.

One thing that concerns me about the UniFi product is the use of a quad-core ARM CPU (even though they used a better one in this "fiber" version).
I just don't see these quad-core ARM chips being capable of the level of performance they claim doing NAT/routing/firewalling/DPI/IDS. They do not claim to have any form of hardware acceleration otherwise.

Not sure why you question the performance claims when reviews and user reports have already confirmed them to be accurate? :) While I haven't checked the exact Qualcomm SoC they used in this one, I would imagine it has hardware acceleration, seeing as it's specifically designed for networking applications as far as I know. Whether Ubiquiti uses that is a different question though.
 

WhiteNoise

Member
Jan 20, 2024
So I did try to find out which SoC they are using. They are not disclosing it. Some people say it is the IPQ9574, which should have some hardware acceleration for things like NAT and switching. Generally, these SoCs not only don't have acceleration for routing, firewalling, and packet inspection, but you have to disable the hardware acceleration you have enabled, otherwise the packets can't be analyzed (because they bypass the OS).

Not sure why you question the performance claims when reviews and user reports

I question everything because I reason from first principles, not based on what people say. With these things it really depends on what kind is going through and going where.

I would imagine it has hardware acceleration, seeing as it's specifically designed for networking applications as far as I know. Whether Ubiquiti uses that is a different question though.

Yes, and so were all the previous ones that UniFi sold over the last decade. Yet people say this is the first one with PPPoE acceleration.
 

hmw

Well-Known Member
Apr 29, 2019
It depends on what you have enabled on your OPNsense and what you are using it for. If you are using IDPS, doing that at 10G requires quite a bit of CPU horsepower, due to how OPNsense leverages Suricata. If you're doing routing, folks on the OPNsense forum have said an i5-14600K can do 8 ~ 9 Gbit/s of routing between VLANs and networks.

Intel CPUs excel at low power when idle, and if your firewall is only occasionally loaded, it's better to go with Intel CPUs. The problem with Intel CPUs is high prices. For example, the Xeon E-21xx and E-22xx ones are stupidly expensive, but you need them for ECC support (there are some i3 CPUs that also have ECC support).

If you are going to run full tilt all the time, then an ASRock Rack or Gigabyte mobo like the MC13-LE1 along with a Zen4/Zen5 CPU would be a better choice. Adding IPMI to a server costs around 10W idle, so you're looking at higher idle, but IMHO the benefits far outweigh the increased consumption. The AM5 Zen4 and B650 platform will definitely idle at 40 ~ 55W, so much higher than Intel.

Even on the same CPU, the platform matters a lot. For example:

OPNsense on X11-SCL with Xeon 2136G, 16GB DDR4 and 1 NVMe + 1 M.2 SATA
steady state / idle - 25W
load - 50W ~ 80W

OPNsense on a HPE DL20 Gen10 with Xeon 2136, 16GB HP DDR4, 2 x Micron 5300 SATA
steady state / idle - 53W
load - 70 ~ 100W

Don't go for older Intel NICs or Realtek. The later Intel NICs are good; if you can get the X710 series, these idle better than the X550 series AND they perform better under the various Hyperscan/DPDK and other packet processing libraries. (Mellanox CX4 & CX5 cards are really good too.) Broadcom NICs are now gaining a lot more support in the industry, but they seem to have higher idle than the X710/X550 series.

Also, don't mix Ubiquiti and OPNsense/pfSense: either go all in on the UniFi ecosystem, or use whatever cheap Ruckus/Cisco/Arista gear + the XXSense firewalls. Ubiquiti makes nice-looking boxes, but they have their own (non-standard) way of doing things, which can (and will) come back to bite you later.

And finally, if you're hosting your own servers and services, I do hope you are taking security very seriously. Just turning on OPNsense IDS/IPS is a good start but isn't enough. :)
 

Jznbitz

New Member
Apr 25, 2025
And finally, if you're hosting your own servers and services, I do hope you are taking security very seriously. Just turning on OPNsense IDS/IPS is a good start but isn't enough. :)

What else needs to be looked at? I've been locking down ports, making sure services that don't need to be on are disabled. And so on.
 

hmw

Well-Known Member
Apr 29, 2019
What else needs to be looked at? I've been locking down ports, making sure services that don't need to be on are disabled. And so on.

I don't know if you already have a segmented network and the internet-facing servers are in a DMZ. If not, they should be, and you can use VLANs or anything else to achieve segmentation.

The thinking should not be:

*if* someone compromises my public facing servers what do I do ?

but rather

*when* my internet facing servers are compromised, how can I reduce the blast radius / how can I isolate them from my internal network ?

Look at using something like CrowdSec to protect yourself, and not just IDPS. Also look at using tunnel services to act as a MITM for your game servers.
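As an added illustration of the "assume the DMZ gets compromised" policy described above (not from the thread or from OPNsense itself), here is the same three-zone design written as a pf ruleset, since OPNsense builds on pf; the interface names, subnets, server address and game ports are placeholders you would replace with your own.

```pf
# Constructed example: WAN / LAN / DMZ policy for a home game-server setup.
# Interface names, subnets and ports below are assumptions, not real values.
wan = "igc0"
lan = "igc1"
dmz = "igc2"
lan_net    = "10.0.10.0/24"
dmz_net    = "10.0.20.0/24"
game_srv   = "10.0.20.10"
game_ports = "{ 25565, 27015 }"    # placeholder game-server ports

set skip on lo0
block log all                      # default deny; everything below is an exception

# Firewall management only from LAN, only to the firewall's own LAN address
pass in quick on $lan proto tcp from $lan_net to ($lan) port 443 keep state

# Players reach only the game server, only on its game ports (NAT/port-forward
# in front of this is assumed to be configured separately)
pass in quick on $wan proto { tcp udp } from any to $game_srv port $game_ports keep state

# Blast-radius rule: a compromised DMZ host may never initiate toward LAN,
# and this is checked before any DMZ "allow" below
block in log quick on $dmz from $dmz_net to $lan_net

# DMZ hosts get just enough egress for DNS, NTP and package updates
pass in quick on $dmz proto udp from $dmz_net to ! $lan_net port { 53, 123 } keep state
pass in quick on $dmz proto tcp from $dmz_net to ! $lan_net port { 53, 80, 443 } keep state

# LAN may administer the DMZ and reach the internet; stateful replies return
# automatically, so the DMZ never needs a rule toward LAN
pass in quick on $lan from $lan_net to $dmz_net keep state
pass in quick on $lan from $lan_net to ! $dmz_net keep state
```

The `block log` lines on the DMZ interface double as the detection signal hmw hints at: any logged hit from `$dmz_net` toward `$lan_net` means a DMZ host is doing something it never should.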
 

WhiteNoise

Member
Jan 20, 2024
Alternatively to the DMZ, you could try something like Tailscale or Cloudflare Tunnels (DNS with reverse proxy).
 

blunden

Well-Known Member
Nov 29, 2019
I question everything because I reason from first principles, not based on what people say. With these things it really depends on what kind is going through and going where.

And yet all the performance numbers we've seen from both reviewers and owners of these back up Ubiquiti's claims.

Yes, the exact thing being tested matters of course, but it seems to suffice for most people with 10 Gbps internet connections. I don't know about PPPoE though, nor do I think any ISP should use that still.