TinyMiniMicro firewall edition


zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
I'm really enjoying my Lenovo m920q TMM system as a Proxmox/firewall host at the edge of my network.

It's about the size of an Intel NUC, can take 64G of RAM, and has a PCIe slot, as well as an onboard 1G port that has Intel vPro so it has ghetto IPMI.
And it even does SR-IOV if you want to do hardware passthrough.

Lenovo M920q - $300
PCIe bracket - $25
Mellanox ConnectX-3 10/40/56G dual port, or Intel 82599 10G dual port NIC - $40
Total = $365 give or take

Super easy to set up as you just need to install Proxmox, configure a VM firewall like OPNsense, Palo Alto, etc. and give it 2 vCPUs and 4-6G of memory.
I can easily max out my 2G fiber connection :D

 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
You must've bought that M920q in the "Before Times", because I looked the other day and couldn't find it or anything similar for less than ~$650, used.
The m720q will do just as well (sans vPro) and can be had at $300 or even less :D
 

Soxism

New Member
Mar 8, 2022
2
0
1
These things are bloody awesome as custom Router/Firewall solutions.

I'm building out a Lenovo P340 Tiny with a 4 port NIC - Running Proxmox and all the additions for OPNsense. The thing barely peaks above 50% usage.

The ONLY issue I've had is Australia is a HOT climate, so in summer I have an additional small fan for air flow to keep it all cool.
 

adman_c

Active Member
Feb 14, 2016
257
135
43
Chicago
I'm really enjoying my Lenovo m920q TMM system as a Proxmox/firewall host at the edge of my network.

It's about the size of an Intel NUC, can take 64G of RAM, and has a PCIe slot, as well as an onboard 1G port that has Intel vPro so it has ghetto IPMI.
And it even does SR-IOV if you want to do hardware passthrough.

Lenovo M920q - $300
PCIe bracket - $25
Mellanox ConnectX-3 10/40/56G dual port, or Intel 82599 10G dual port NIC - $40
Total = $365 give or take

Super easy to set up as you just need to install Proxmox, configure a VM firewall like OPNsense, Palo Alto, etc. and give it 2 vCPUs and 4-6G of memory.
I can easily max out my 2G fiber connection :D

I’m building something similar with a M720q and Intel 82599 card. Any reason you’re doing proxmox rather than bare metal? And do you have a guide that you used for setting up proxmox as a hypervisor for a firewall? I run proxmox in my lab, but until now I’ve had a fairly strong preference for bare metal firewalls/routers.
 

adman_c

Active Member
Feb 14, 2016
257
135
43
Chicago
You must've bought that M920q in the "Before Times", because I looked the other day and couldn't find it or anything similar for less than ~$650, used.
As zer0sum said, you can find an m720q for less than $300 if you're a bit patient. I spent a day or two searching before landing one with an 8100T for $250 shipped.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
I’m building something similar with a M720q and Intel 82599 card. Any reason you’re doing proxmox rather than bare metal? And do you have a guide that you used for setting up proxmox as a hypervisor for a firewall? I run proxmox in my lab, but until now I’ve had a fairly strong preference for bare metal firewalls/routers.
I run Proxmox because I have multiple public IPs and run various firewalls and security VMs for testing etc.
There is nothing special really, just make sure your Proxmox and firewall management interfaces are inside your network :p

For an added layer of security you can also use SR-IOV and do hardware pass through of the nic VF's to the virtual machines.

You could also run 2 x Proxmox servers and then setup HA between the firewalls :)
 

adman_c

Active Member
Feb 14, 2016
257
135
43
Chicago
I run Proxmox because I have multiple public IPs and run various firewalls and security VMs for testing etc.
There is nothing special really, just make sure your Proxmox and firewall management interfaces are inside your network :p

For an added layer of security you can also use SR-IOV and do hardware pass through of the nic VF's to the virtual machines.

You could also run 2 x Proxmox servers and then setup HA between the firewalls :)
Do you have other VMs handling DNS/DHCP tasks or do you handle that on your firewall VM? And do you do passthrough or do you just hand the firewall VM virtual NICs?
 

adman_c

Active Member
Feb 14, 2016
257
135
43
Chicago
I run Proxmox because I have multiple public IPs and run various firewalls and security VMs for testing etc.
Since you have multiple IPs I assume you have multiple WAN connections. Do you run those into your L3 switch and then do ROS over a transit VLAN for the multiple WANs? I'm intrigued by virtualizing OPNsense on my m720q, but I had been planning to use the onboard 1GbE NIC for my second WAN interface. If virtualized I'd need the onboard NIC for the Proxmox instance, but I could pass the 10GbE NIC through and have one port each for LAN/WANs--so long as it's possible to have both WANs on a single physical interface.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Do you have other VMs handling DNS/DHCP tasks or do you handle that on your firewall VM? And do you do passthrough or do you just hand the firewall VM virtual NICs?
DHCP off the firewalls, but DNS from pihole mostly, although sometimes I'll switch to adguard to see if it's changed.

I actually use 2 x Dell Wyse thin clients that cost $15 each and run pihole in HA.
And they are also used as quorum devices for my 2 node Proxmox setup so that the cluster can work with one of the nodes down.

Hardware passthrough depends on the firewall operating system. Some of them handle it better than others.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Since you have multiple IPs I assume you have multiple WAN connections. Do you run those into your L3 switch and then do ROS over a transit VLAN for the multiple WANs? I'm intrigued by virtualizing OPNsense on my m720q, but I had been planning to use the onboard 1GbE NIC for my second WAN interface. If virtualized I'd need the onboard NIC for the Proxmox instance, but I could pass the 10GbE NIC through and have one port each for LAN/WANs--so long as it's possible to have both WANs on a single physical interface.
I have multiple public IPs with just one ISP at the moment. I might add another later, but it's not that critical to me.

If you use SR-IOV you can pass through virtual functions to each VM, and still use the base card, or a VF for Proxmox management as well.
It's sort of like virtualizing your network card :)

If you do straight hardware passthrough of the entire card, then only one VM will be able to use it, but you could always use a simple USB NIC for mgmt.
 
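As an added example (not code from this thread or from Proxmox), a small POSIX shell helper for the SR-IOV approach described above: it creates virtual functions on a physical function via sysfs and prints the `hostpciN:` lines you would feed to `qm set`, so the WAN-facing VFs go to the firewall VM while the PF (or a reserved VF) stays with the host for management. The interface name, VF count and the `SYSFS_NET` override are assumptions, and it assumes the IOMMU is already enabled on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Creates SR-IOV VFs on a PF and lists
# their PCI addresses for Proxmox passthrough. SYSFS_NET is overridable so the
# functions can be exercised against a constructed sysfs-like tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Largest VF count the PF advertises; 0 when the NIC/driver has no SR-IOV.
sriov_total_vfs() {
    f="$SYSFS_NET/$1/device/sriov_totalvfs"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Current VF count on the PF (0 if none configured).
sriov_num_vfs() {
    f="$SYSFS_NET/$1/device/sriov_numvfs"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Create N VFs on the PF, refusing a count the hardware cannot provide.
sriov_set_vfs() {
    iface=$1; want=$2
    total=$(sriov_total_vfs "$iface")
    if [ "$want" -gt "$total" ]; then
        echo "refusing: $iface supports at most $total VFs" >&2
        return 1
    fi
    # The kernel only accepts a new non-zero count after the PF is at 0.
    echo 0 > "$SYSFS_NET/$iface/device/sriov_numvfs"
    echo "$want" > "$SYSFS_NET/$iface/device/sriov_numvfs"
}

# Print "hostpciN: <pci-address>" for each VF, from the virtfnN symlinks.
# Keep at least one VF (or the PF itself) out of the firewall VM so the
# Proxmox management path never rides on a WAN-facing function.
sriov_vf_hostpci_lines() {
    iface=$1; n=0
    for link in "$SYSFS_NET/$iface"/device/virtfn*; do
        [ -e "$link" ] || continue
        addr=$(basename "$(readlink -f "$link")")
        echo "hostpci$n: $addr"
        n=$((n + 1))
    done
}
```

Hand the printed lines to `qm set <vmid> --hostpci0 <addr>` per VF; the PF keeps working for the host bridge.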

adman_c

Active Member
Feb 14, 2016
257
135
43
Chicago
I have multiple public IPs with just one ISP at the moment. I might add another later, but it's not that critical to me.

If you use SR-IOV you can pass through virtual functions to each VM, and still use the base card, or a VF for Proxmox management as well.
It's sort of like virtualizing your network card :)

If you do straight hardware passthrough of the entire card, then only one VM will be able to use it, but you could always use a simple USB NIC for mgmt.
I'm familiar with virtualizing NICs for my VMs inside my firewall--I'm just having difficulty grokking how a virtualized NIC could be on an edge device. But yeah, I suppose if this was the way I decided to go, a $10 USB NIC for the Proxmox interface would work fine.
 

Parallax

Active Member
Nov 8, 2020
417
208
43
London, UK
Love it!

You mention Palo firewalls - I could never find a virtualised version, or at least not at a sensible price. Do you have any advice?

For now I'm trying out a Firewalla Purple (so a real router and not ARP poisoning) and I've been impressed. Even lower power consumption than a Tiny, and the interface via app is surprisingly good. It copes with my ~850-900Mbit 5G connection just fine. Price is about $320.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Love it!

You mention Palo firewalls - I could never find a virtualised version, or at least not at a sensible price. Do you have any advice?

For now I'm trying out a Firewalla Purple (so a real router and not ARP poisoning) and I've been impressed. Even lower power consumption than a Tiny, and the interface via app is surprisingly good. It copes with my ~850-900Mbit 5G connection just fine. Price is about $320.
If you work with a reseller they can get you pricing for a VM50 lab series which should be pretty cheap :D
 

Parallax

Active Member
Nov 8, 2020
417
208
43
London, UK
If you work with a reseller they can get you pricing for a VM50 lab series which should be pretty cheap :D
Yeah, I was afraid you would say that. My employer is all in on Fortinet and F5 unfortunately and we deal direct because we have ~1,000 of them, so I don't have the contacts... also being in the UK the reseller options seem more limited too.

I also wasn't sure if a VM50 would deal with my connection at home (~900Mbps, as I said).
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Yeah, I was afraid you would say that. My employer is all in on Fortinet and F5 unfortunately and we deal direct because we have ~1,000 of them, so I don't have the contacts... also being in the UK the reseller options seem more limited too.

I also wasn't sure if a VM50 would deal with my connection at home (~900Mbps, as I said).
It really just depends on the CPU you give it as it's only 2 cores.
Even my m920q with an i5-8500T can do well over 1Gbps with basic inspection and SSL decryption turned on :D
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
I think Palo might be heavier. Are you using two cores?
Yes, 2 cores, but Palo, pfSense, etc. will only put that session on one core.

A speed test like this is a single stream and therefore it will only run on a single core, so really you are always limited when using a CPU.
If you want max speed you would have to choose a CPU with the fastest single core performance you could find, like an overclocked 13600/700/800/900K :D
 

zztoper

New Member
Mar 12, 2022
4
0
1
Which CPU version do you recommend for 1G/1G fiber with a few VLANs and WireGuard for two remote sites?