Routers: AliExpress vs. Protectli vs. Netgate vs. OPNsense Hardware


bhigh

Member
Oct 5, 2016
@Patrick's review of the J4125 and N5095/N5105/N6005 hardware from AliExpress seems to have raised the profile of these little boxes, or at least created some interesting threads in the forums.

The overwhelming theme that I've taken from the threads is that the AliExpress hardware isn't always what you expect and that the quality can be hit or miss. The i5-1135G7 system I ordered was problematic to get set up and died within a few days.

While troubleshooting can be a fun challenge, trying to debug bad hardware is not. Which leads me to my main topic: What are the benefits of going through a VAR such as Protectli, Netgate, or OPNsense/Deciso instead of AliExpress? What's the "V" in VAR?

AliExpress Hardware:
Purchases from AliExpress are a gamble at best. There is limited support from the vendor and they are not often willing to exchange or return faulty hardware. Multiple hardware revisions exist for the "same" hardware so care has to be taken to compare the pictures with what others have had success with. Others have been able to find updated BIOS for some boards.

Hardware is offered from stores such as:
  1. YANLING Official Store,
  2. KingNovy PC Store,
  3. KingNovy 3C Store,
  4. KingNovyPC ComputerStore,
  5. Topton Direct Store,
  6. Topton 3C Store,
  7. Topton Official Store,
  8. Topton Computer Store,
  9. tuofudun Topton Factory Store,
  10. qotom Official Store,
  11. WooYi Store.
Or just search for "pfsense fanless".

I suspect that the sellers have multiple stores so that a problem with one account will not affect listings on other stores. Interpret that as you will.

Shipping is often included in the price. The item description and value are usually fabricated or under-declared to slip by customs fees. Interpret that as you will.

Protectli Hardware:

Protectli is one of the easier VARs to determine the added cost since much of their hardware is manufactured by Yanling and sold on AliExpress. Their prices range from $50 - $200 over AliExpress. We can expect that they are purchasing larger quantities and therefore have larger margins on most systems.

Protectli develops and supports the coreboot BIOS on all current devices. I've spoken with one of their support engineers and he told me that the new platforms will be receiving coreboot support as well. Part of their overhead goes to support this development. There are reports that the BIOS will work on systems from Yanling as well.

Protectli has a 30 day return policy and 1 year warranty (Warranty and Returns - Protectli). Speaking from personal experience, they did an advance RMA on a failing SSD without a deposit and were totally cool when it took me about 2 months to ship the failed drive back.

Yanling has a 7 day return policy and a 1 year warranty.

The prices here are for a barebones system, giving the option of using lower priced parts from Newegg, etc. The i5/i7 systems support up to 64GB.
Adding the smallest memory and SSD option adds about $50-$70 to the cost from both Protectli and Yanling.

Yanling shipping costs on AliExpress are all over the place, ranging from $62.21 up to $210.52. The same pieces on Alibaba cost about $60 across the board so it may be possible to get the hardware for slightly less. Yanling says, "About customs fees, we are not responsible for buyer's customs taxes or VAT. We will declare true value by default." There may be some additional costs as a result.

Netgate Hardware:
I'm only listing the fanless desktop units since that's what I'm interested in.

Netgate hardware includes some storage and memory. Memory doesn't appear to be user upgradeable. Storage is upgradeable on all but the 1100.

Netgate appliances include pfSense Plus.

Netgate offers a 30 day return policy and a 1 year warranty on all hardware.

Lawrence Systems has reviews of the N1100, N2100, N4100, and N6100.
  • Netgate 1100
    Dual Core Cortex-A53 ARM64 SoC @ 1.2GHz
    3x 1Gbps (Marvell, switched)
    Cost: $189
  • Netgate 2100
    Dual Core Cortex-A53 ARM64 SoC @ 1.2GHz
    1x 1Gbps RJ45/SFP combo (Individual controller)
    4x 1Gbps (Marvell, switched)
    Cost: $349
  • Netgate 4100
    C3338R
    2x 1Gbps RJ45/SFP Combo (Individual controllers)
    4x 2.5 Gbps (Individual controllers)
    Cost: $599
  • Netgate 6100
    C3558
    2x 1Gbps RJ45/SFP Combo (Individual controllers)
    2x 10 Gbps SFP+
    4x 2.5 Gbps (Intel, individual controllers)
    Cost: $799
OPNsense Hardware:

OPNsense hardware includes storage and memory. The difference between similar models is mostly in storage and memory. Both appear to be user upgradeable.

Netgate hardware includes one year OPNsense Business Edition.
  • DEC675 / DEC695
    AMD G-Series SOC, 4 cores (Most likely GX-416RA)
    4x 1Gbps (Intel, individual controllers)
    Cost: $587.92
  • DEC740 / DEC750
    Embedded Ryzen V1500B
    2x 10 Gbps SFP+ (From SoC)
    3x 1 Gbps (Intel, individual controllers)
    Cost: $748.56
  • DEC840
    Embedded EPYC 3101
    2x 10 Gbps SFP+ (From SoC)
    4x 1 Gbps (Intel, individual controllers)
    Cost: $1176.92
  • DEC850
    Embedded EPYC 3201
    2x 10 Gbps SFP+ (From SoC)
    4x 1 Gbps (Intel, individual controllers)
    Cost: $1391.11
 

oneplane

Well-Known Member
Jul 23, 2021
Not entirely sure what else to add unless we'd take SFF PCs in scope, but at that point it just becomes 'yet another list' :p

I do think that some notes on what you might buy for which reasons could be useful. There are a lot of people who mix things with unrealistic expectations. Getting any of the listed hardware still requires you to know a bit about networking, and while there are technical support options, trying to get a consumer experience where there are no options and thus no things to misconfigure isn't going to work out.

The balance is probably some sort of three-dimensional model:

- DIY vs. Retail
- Pay for raw power vs. paying for fixed results
- Time/Preparedness vs. Money/Turnkey

Someone picking one end of the spectrum might be best serviced with hardware straight from the ODM, while someone on the complete other end might be best served by having someone come over, install, configure and bill for the whole deal and then leave with a service contract. (just to illustrate the extremes)

Right now we also have availability issues, but those are temporary for parts like SoCs, DRAM and Flash as they seem to be recovering right now.
 

bhigh

Member
Oct 5, 2016
Good points. I think it's reasonable to limit the discussion to small, fanless systems that can run OPNsense, pfSense, or Sophos Firewall. They can all run on commodity x86 hardware and have a lot of overlap in features.
 

ReturnedSword

Active Member
Jun 15, 2018
Santa Monica, CA
The issue with Supermicro units is that they are quite expensive, or have very limited I/O. Supermicro still insists on using 1 GbE NICs in a world where they need to go with 10 GbE or 2.5 GbE depending on the application. It would be better for Supermicro to just not waste PCIe lanes on integrating quad 1 GbE NICs for example, and expose those lanes in an x4 slot so the customer can choose what AIC NIC to use if Supermicro didn't want to go through the expense of adding an X550 or X710 NIC.
 

i386

Well-Known Member
Mar 18, 2016
Germany
Supermicro still insists on using 1 GbE NICs in a world where they need to go with 10 GbE or 2.5 GbE depending on the application
Personally I think even 100GbE would be too slow, but then I take a look around and the world works with 250 Mbit/s or even slower...
 

oneplane

Well-Known Member
Jul 23, 2021
The issue with Supermicro units is that they are quite expensive, or have very limited I/O. Supermicro still insists on using 1 GbE NICs in a world where they need to go with 10 GbE or 2.5 GbE depending on the application. It would be better for Supermicro to just not waste PCIe lanes on integrating quad 1 GbE NICs for example, and expose those lanes in an x4 slot so the customer can choose what AIC NIC to use if Supermicro didn't want to go through the expense of adding an X550 or X710 NIC.
Yeah that's a real bummer. A single 1GbE port makes sense for management etc. but putting a ton of PCIe lanes into not-so-useful ports is just weird. You'd also expect with their volume to have a bit more reasonable pricing, but perhaps they are in a position where there aren't a lot of competitors.
 

nabsltd

Active Member
Jan 26, 2022
Supermicro still insists on using 1 GbE NICs in a world where they need to go with 10 GbE or 2.5 GbE depending on the application.
I believe the intended use for these devices is an Internet gateway appliance, so having more than 1Gbit is only useful for a very small user base (those with significantly faster than 1Gbit ISP and light enough actual usage that these small hardware devices can do the job).

Now, jumping to 2.5Gbit seems to be a very smart thing, as that pretty much includes every home user who happens to have an ISP fiber connection faster than 1Gbit. But even a single 10Gbit connection is actually pretty silly on these devices. None of them could likely handle true firewall duties at that kind of speed.
 

ReturnedSword

Active Member
Jun 15, 2018
Santa Monica, CA
Personally I think even 100GBE would be too slow, but then I take a look around and the world works with 250MBit/s or even slower...
In general this is true and you’re quite correct. However symmetrical fiber is increasingly available, and DOCSIS 4.0 is around the corner (in both implementations).

Yeah that's a real bummer. A single 1GbE port makes sense for management etc. but putting a ton of PCIe lanes into not-so-useful ports is just weird. You'd also expect with their volume to have a bit more reasonable pricing, but perhaps they are in a position where there aren't a lot of competitors.
Supermicro is basically the only large volume white box OEM left that has their own in-house ODM, so I’m sure they can more than afford the volume buys. Quad 1 GbE NICs in the I/O made sense… 10 years ago, now I feel like Supermicro is just doing it to cheap out on components but charge more because “NICs.” It’d be much more useful to expose those lanes if a dual 10 GbE NIC would cut into their bottom line too much.

I’ve had a few conversations with a Supermicro rep about this, and their solution is to just LAG the ethernet ports. This is fine and dandy for most purposes but not great if a data stream needs to be more than 1 Gbps. It’s much better to have a multi-gig cable NIC integrated, and if not possible, then expose the lanes as a x4 slot.

I believe the intended use for these devices is an Internet gateway appliance, so having more than 1Gbit is only useful for a very small user base (those with significantly faster than 1Gbit ISP and light enough actual usage that these small hardware devices can do the job).

Now, jumping to 2.5Gbit seems to be a very smart thing, as that pretty much includes every home user who happens to have an ISP fiber connection faster than 1Gbit. But even a single 10Gbit connection is actually pretty silly on these devices. None of them could likely handle true firewall duties at that kind of speed.
In my implementations of these Supermicro appliances yes they can be used as a gateway/firewall appliance but more likely they are edge appliances taking in data and pushing the data down the pipe elsewhere to be ingested. Depending on the use case a 1 Gbps link probably would be adequate, but increasingly there are use cases where massive amounts of data are generated.

That being said, I think this side discussion may be starting to derail this useful thread @bhigh started… We should probably focus on “cheaper” network appliances here :D
 

jdnz

Member
Apr 29, 2021
Supermicro is just doing it to cheap out on components but charge more because “NICs.” It’d be much know useful to expose those lanes if a dual 10 GbE NIC would cut into their bottom line too much.
You seem to be ignoring the fact that they DO have models with dual 10GbE. Is it that they're not 'cheap', or that the Xeon D-1518 is a bit too low-power to keep up with a 10GbE internet connection (especially if doing any kind of meaningful IDS/IPS)?

They do have some models with slightly gruntier CPUs and dual 25GbE.

oneplane

Well-Known Member
Jul 23, 2021
The problem is mostly the combination of factors:

- Too expensive for 1GbE ethernet routing/basic firewalling, a Skylake can do that
- Too limited for anything more due to the ports
- Get an AIC and now you're limited by the 15xx series Xeon-D which is very expensive when compared to anything else

It seems like they make very capable platforms, but then make them extremely expensive. Most of them would be very capable for edge computing or NFV, but for the first case they aren't powerful enough and for the second case they don't have the networking capabilities. Either case could be fixed, and as a side-effect make them capable IDS/IPS-enabled firewalls. Right now they're essentially overpriced internals for a basic NAS.

The biggest differentiator is not even Supermicro's fault: it's Intel not allowing ECC on anything except Xeon, C-series Atom and a select number of Pentiums. A bunch of 10th gen (or better) cores, ECC, 2xSFP+ with at least 10GbE support, that's all you really need. But all the available systems always lack exactly one of those. (Get everything, except ECC, or get everything except 10GbE is the most common lacking setup)

It's not like it's impossible to build, and most SoCs have this stuff built in. Look at the VEP series from Dell for example.

AMD was supposed to make this all better, but high-volume Ryzen Embedded hasn't materialised yet, and the price for normal Ryzen hasn't exactly dropped to "put it in a firewall" levels.

Here's hoping there will be some RISC-V, ARM or even PowerPC solution that just beats all the others... (well, I can dream)
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
@oneplane With re-tripolarization of the world, actually chances are good that we will see more competition in the space. Because the non-West will want to be more independent and Mr Xi might just throw a silly 100M at the problem to get roughly to the Apple M1 performance level.

I am following Jon Nettleton on Twitter thinking that something by solid-run.com will some day fit the bill. You are right though, wherever you look, always something is missing in terms of features. Proper ECC, SFP+ or faster, seriously low power, runs Linux or BSD, inexpensive, optional PCIe 4.0 x16, small case with low-RPM 120mm cooler option to cool a single 100 Gbps card properly, and so on. But that is a tiny tiny niche. If you found a VAR, chances are high says my gut that there will be no support beyond the sale. Probably worth it to watch Coreboot commits to identify platforms.
 

ReturnedSword

Active Member
Jun 15, 2018
Santa Monica, CA
The problem is mostly the combination of factors:

- Too expensive for 1GbE ethernet routing/basic firewalling, a Skylake can do that
- Too limited for anything more due to the ports
- Get an AIC and now you're limited by the 15xx series Xeon-D which is very expensive when compared to anything else

It seems like they make very capable platforms, but then make them extremely expensive. Most of them would be very capable for edge computing or NFV, but for the first case they aren't powerful enough and for the second case they don't have the networking capabilities. Either case could be fixed, and as a side-effect make them capable IDS/IPS-enabled firewalls. Right now they're essentially overpriced internals for a basic NAS.

The biggest differentiator is not even Supermicro's fault: it's Intel not allowing ECC on anything except Xeon, C-series Atom and a select number of Pentiums. A bunch of 10th gen (or better) cores, ECC, 2xSFP+ with at least 10GbE support, that's all you really need. But all the available systems always lack exactly one of those. (Get everything, except ECC, or get everything except 10GbE is the most common lacking setup)

It's not like it's impossible to build, and most SoCs have this stuff built in. Look at the VEP series from Dell for example.

AMD was supposed to make this all better, but high-volume Ryzen Embedded hasn't materialised yet, and the price for normal Ryzen hasn't exactly dropped to "put it in a firewall" levels.

Here's hoping there will be some RISC-V, ARM or even PowerPC solution that just beats all the others... (well, I can dream)
I suspect Dr. Su had to make some tough choices when she took over to right the sinking ship of AMD. GPUs being the big line item here, which caused an exodus of ex-ATI staff to Intel who felt their chance of recapturing their old hey-days was snatched away being an example. Dr. Su had to focus on core computing, and that paid dividends with big Epyc and Ryzen. I suspect the embedded SoCs were more of “we can do this” but required a volume commitment to bake the silicon. Well, I guess she got the last laugh against Koduri et al as the Intel Arc looks behind and a flop.

Still, I can dream of a day there is a proper alternative to low wattage chips, low end like Atom or Xeon D series or not.
 

unmesh

Active Member
Apr 17, 2017
...
Which leads me to my main topic: What are the benefits of going through a VAR such as Protectli, Netgate, or OPNsense/Deciso instead of AliExpress? What's the "V" in VAR?
...
One of the benefits of Protectli's offering is that they support Coreboot. Having frequent "BIOS" updates or even building your own from open source might be a good idea for a device exposed to the Internet.
 

jjacobs

Member
Dec 25, 2020
CO
Can anyone confirm that Protectli sourced units don't have the issues that have been outlined here and in other threads? Things like ES processors, random hardware versions and generally awful Q/A related problems. If buying a Protectli is ALSO rolling the dice I'll look for some other solution for a simple VyOS installation.

I have a Protectli 2 port that I bought a long time ago, a FW2 model, that is EOL. It's been fine, not the nicest thing I've ever bought but about what I would expect at the price point. It's OK and has been reliable...

Thanks!
 

oneplane

Well-Known Member
Jul 23, 2021
Can anyone confirm that Protectli sourced units don't have the issues that have been outlined here and in other threads? Things like ES processors, random hardware versions and generally awful Q/A related problems. If buying a Protectli is ALSO rolling the dice I'll look for some other solution for a simple VyOS installation.

I have a Protectli 2 port that I bought a long time ago, a FW2 model, that is EOL. It's been fine, not the nicest thing I've ever bought but about what I would expect at the price point. It's OK and has been reliable...

Thanks!
No strict confirmation, but considering they operate as a 'first party' they likely do in-house validation and testing, and are also likely to respond to retail support requests. Still depends on where you are in the world, they seem to be NA and EU focussed so if you're in SA or Africa it might be a different story.
 

Peterkal

New Member
Dec 14, 2023
Can you please update the list for December 2023 / January 2024?

The Protectli VP2420, which I am considering buying, is missing.

The most important question is: since these are firewall appliances, they have to be super secure...

The specs should include a few of the most crucial pieces of information:
  1. whether the device CPU has AES-NI,
  2. whether the device has, or can have, a coreboot BIOS installed,
  3. whether coreboot can switch off the Intel Management Engine / whether the Intel ME can be disabled,
  4. no Chinese or other backdoors in the BIOS...

The rest of the discussion, with the specs above in mind, is just price/performance.

Can somebody respond to me please?
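Two of the items on that list can be verified on a delivered box rather than trusted from a seller's listing. The POSIX shell script below is an added example, not code from this thread or from Protectli, Netgate or Deciso: it checks whether the CPU exposes AES-NI (and the PCLMULQDQ flag that fast AES-GCM also needs) by parsing /proc/cpuinfo, and whether the firmware identifies itself as coreboot via the DMI BIOS vendor string in /sys/class/dmi/id/bios_vendor. The cpuinfo excerpts embedded in it are constructed samples, not captures from any real device; the Intel ME question has no portable user-space test and is left out.

```shell
#!/bin/sh
# Added example, not code from the thread, Protectli, Netgate or Deciso.
# Each check takes its input as text, so it runs against the constructed
# samples below as well as against the live machine.

# Constructed /proc/cpuinfo excerpts (not captured from any real device).
SAMPLE_AESNI='processor   : 0
vendor_id   : GenuineIntel
model name  : example-cpu-with-aesni (constructed)
flags       : fpu vme sse2 ssse3 pclmulqdq aes avx2 rdrand'

SAMPLE_NO_AESNI='processor   : 0
vendor_id   : GenuineIntel
model name  : example-cpu-without-aesni (constructed)
flags       : fpu vme sse2 ssse3'

# Print the first "flags" line of a cpuinfo text, one flag per output line.
cpu_flag_list() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | head -n 1 \
        | cut -d: -f2- | tr ' ' '\n' | grep -v '^$'
}

# Return 0 if the cpuinfo text lists the "aes" flag (AES-NI). Exact-line match,
# so a similarly named flag such as "vaes" on its own does not count.
cpu_has_aesni() {
    cpu_flag_list "$1" | grep -qx 'aes'
}

# Print the flags from "$2 $3 ..." that are absent from cpuinfo text "$1";
# prints an empty line and returns 0 when all are present, 1 otherwise.
cpu_missing_flags() {
    cpuinfo=$1
    shift
    missing=""
    for want in "$@"; do
        if ! cpu_flag_list "$cpuinfo" | grep -qx "$want"; then
            missing="$missing $want"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Return 0 if a DMI BIOS vendor string (as read from
# /sys/class/dmi/id/bios_vendor) identifies coreboot; vendor firmware reports
# names such as "American Megatrends" there instead.
bios_is_coreboot() {
    printf '%s\n' "$1" | grep -qi 'coreboot'
}

# Stand-alone run: read the live machine when possible, otherwise fall back to
# the constructed samples so the script still runs offline.
LIVE_CPUINFO=$(cat /proc/cpuinfo 2>/dev/null || printf '%s' "$SAMPLE_AESNI")
LIVE_VENDOR=$(cat /sys/class/dmi/id/bios_vendor 2>/dev/null || printf 'unknown')

if cpu_has_aesni "$LIVE_CPUINFO"; then
    echo "AES-NI: present"
else
    echo "AES-NI: MISSING (IPsec/OpenVPN throughput will suffer)"
fi
gaps=$(cpu_missing_flags "$LIVE_CPUINFO" aes pclmulqdq rdrand) || true
if [ -n "$gaps" ]; then
    echo "Crypto-relevant flags missing: $gaps"
fi
if bios_is_coreboot "$LIVE_VENDOR"; then
    echo "Firmware: coreboot ($LIVE_VENDOR)"
else
    echo "Firmware: vendor BIOS/UEFI ($LIVE_VENDOR)"
fi
```

Run it as root only if you want the DMI vendor string on systems that restrict sysfs; the cpuinfo checks need no privileges. A missing "aes" flag on a box sold as a firewall appliance is a reason to question the listing before anything else.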