prova_modena 2 years ago

I like learning about the latest and greatest developments in these compact, fanless router boxes. But, so many are only available through seemingly random AliExpress sellers. Maybe this is being overly cautious, but I would never trust my home and small business networking duties to off-brand hardware like this. I worry about poor QC, nonexistent customer support and nonstandard/undocumented gotchas. This is not even considering outright malicious behavior by one of these storefronts.

I've used Protectli and PC Engines boxes before, which have been great. I'm definitely leaving some value/performance on the table compared to the hardware described in this article. I also know that Protectli hardware in particular is supposed to be identical to some of the Aliexpress boxes, at a higher price. But at least I have some assurance that the company behind the hardware has a reputation at stake and will hopefully stand behind their products.

  • MrFoof 2 years ago

    The stewards of the OPNSense project, Deciso B.V. in The Netherlands, currently sells some of their own designed hardware to help support the OPNSense project on the OPNSense Shop: https://shop.opnsense.com/product-categorie/hardware-applian...

    Recently I picked up their fairly high-end DEC750 which is based on their Netboard A10 Gen 3 board, which uses an AMD Ryzen Embedded V1500B, VLP LPDDR4 unregistered ECC memory, has an M.2 socket with a PCIe x4 NVMe SSD, three Intel i210 ports and two SFP+ ports.

    Idles at 8W, about 16-17W at full tilt either pushing 10Gbps through it, or nearly 2Gbps of IPSec traffic. With much lower latency (54us) than the 150us they provide in the specs. Once Wireguard is in kernel space, I'd expect around 2Gbps using Wireguard as well (more around 900Mbps right now with it in userspace). Barely gets warm to the touch.

    The DEC700 series are meant to be on a desktop or shelf, but they make a rackmount version as well. There are also older devices using AMD EPYC Embedded. Nothing they make is cheap, but it's very high quality, very high performance kit coming from an organization I trust. With my DEC750, I figure I'm good until 203x.

    • walterbell 2 years ago

      That's a nice fanless Ryzen Embedded. Does the BIOS receive security updates?

      ASRock has a Ryzen Embedded NUC, but with Realtek NICs, questionable BIOS and not much of a focus on Linux/BSD.

      HP t740 thin client with Ryzen Embedded is closer to Mac Mini size, with PCIe slot for low-profile NIC.

    • hamandcheese 2 years ago

      This hardware looks great... is it possible to run a custom OS? I currently run exclusively NixOS in my homelab because of its great reproducibility and deployment story, but this hardware looks very nice and surprisingly affordable as well.

      • MrFoof 2 years ago

        Should be able to no problem, though if you just want a router appliance OPNSense is similar to PfSense in that it also forked off of Monowall. PfSense appliances by Netgate are very common to see in datacenter racks hosting Amazon, Google Cloud and Microsoft Azure equipment, though OPNSense is starting to show up as well.

        You can read more about that specific Netboard here: https://www.deciso.com/netboard-a10-gen3/

        • hamandcheese 2 years ago

          I feel slightly bad for saying this but the Deciso OPNSense hardware is just so much more aesthetically appealing to me compared to Netgate. I want my rack to look as good as folks running Ubiquiti gear :’)

          NixOS is a hard requirement in my lab, so no plans to use OPNSense or any other BSD at this time. The Deciso hardware page says that “Linux” is supported so I might give it a try.

tedunangst 2 years ago

Intel really makes it hard to know where products fit in their low end stack. J4125 sounds like something I'd find in a ten year old netbook. Apparently it's semi modern though, and quite a bit faster than the old wimpy atoms.

Animats 2 years ago

"Any of you that have the N6005 model and tried to use 32GB+, I would be curious to know if your unit can successfully complete a full pass of memtest86+. I have the N6005 Topton model and it will recognize and boot with 2x16GB modules, but it will not complete a pass of memtest86+."

Uh oh.

Also, if you need that much memory in a firewall, its queues are too big and you're adding substantial latency.

  • dijit 2 years ago

    These appliances can also be caching load balancers or caching reverse proxies. Which can make very good use of ram.

  • gigel82 2 years ago

    I have the N6005 variant but haven't tried with 32Gb, because Intel specifically lists 16Gb as the maximum memory in the processor specifications: https://ark.intel.com/content/www/us/en/ark/products/212327/...

    FWIW, I'm not using it as bare OS firewall. Instead, it's running Debian with pfSense in a VM with 2 passthrough NICs (though I'm considering replacing Debian with Proxmox).

    • zamadatix 2 years ago

      Very often for the lower end consumer CPUs those spec sheet max RAM numbers are just what they've validated works reliably with most RAM modules, not the actual limit. Oftentimes it works fine with the right modules, other times it says it works but if you test it it won't, and other times it's the actual hard cap of what it can support, in which case you'll get anything from "works but doesn't recognize the second module" to "doesn't boot at all".

      It sounds like this one might fall into either the "doesn't work right" case or the "only works right with certain modules" case. It could also just be strain on the memory controller and need to be either slower RAM or ultra fast RAM that will cap out at a much lower than rated speed in the box instead of middle rung RAM which doesn't handle being run in strained scenarios at full speed well.

      I don't usually go out of my way to stick more in than is supported unless I can find reliable reports from others that get it working or just happen to have the sticks sitting next to me but I have been very successful going over the spec sheet limits and still passing a day of memtesting (and then years of use). Particularly for laptops and embedded class CPUs, not so much in desktop or server CPUs.

  • toast0 2 years ago

    > Also, if you need that much memory in a firewall, its queues are too big and you're adding substantial latency.

    Maybe it's stateful and you've got a whole lot of connections? Or in this case, they're planning to run VMs and things on the box, so might need more ram for that.

  • tenebrisalietum 2 years ago

    Maybe I want to run `ntopng` and also caching nginx on it.

Nextgrid 2 years ago

I have a very similar unit from Protectli running an OpenWrt x86 build. It's the best router/firewall I can think of for home/small business.

It replaced an enterprise-grade Mikrotik router, which while no doubt being more performant (it has hardware offload for routing/firewall), was a pain to configure and certain scenarios are almost impossible to implement (WAN failover where one of the WAN interfaces is a PPPoE link) on it, whereas in OpenWrt they work out of the box.

The lack of hardware offloading for firewall/routing doesn't seem to be an issue in practice for gigabit links.

  • sliken 2 years ago

    Especially when using Mikrotik or Ubiquiti routers where you have to be very careful to not select an option that disables hardware offload. Last I checked enabling bandwidth logging, various firewall rules, or QoS disabled the hardware offload.

    Generally CPU is more about PPS than bandwidth; any of these 4000 or 6000 series Intel chips seems plenty for a few Gbit of home network loads that are generally gaming (FPS or Minecraft), streaming (YouTube, Amazon, Netflix), browser traffic, or Plex.

    Sure if you ran a game server with 10Gbit + and 100s or 1000s of clients it might die, but that's not a normal home traffic load.

  • blangk 2 years ago

    I've got a reliable scripted implementation for the WAN failover including a PPPoE WAN.

    • Handytinge 2 years ago

      Can you link to a gist please? I'd love to see it.

zamadatix 2 years ago

I ordered one of the N6005 models off AliExpress about 2 weeks ago, it should be an upgrade from some of the older network test boxes I'm using. I wouldn't really recommend the J4125 version when the price difference was so small, I guess if you need it to arrive ASAP that might be the only case. Also they sell barebones versions, I'd recommend that and just bringing your own RAM/SSD instead.

tedunangst 2 years ago

> One major advantage of virtualizing the firewall in this way is the ability to take snapshots. Not only do we get fast VM reboots after a firmware upgrade,

I'm kinda skeptical, unless I'm missing something. How much time does it take for a VM host to reboot and resume firewall guest vs reboot firewall on metal?

  • zamadatix 2 years ago

    I think there is a terminology divide here. OPNsense being more an "appliance" type solution calls the system software firmware, a bit like Android. It's not firmware in the traditional sense like updating motherboard firmware.

    In that context the quote is about rebooting the firewall VM after an OPNsense update not about rebooting the host.

    • tedunangst 2 years ago

      I think I considered that possibility, then rejected it due to the incongruence of firmware and VM guest.

      • justsomehnguy 2 years ago

        https://docs.opnsense.org/manual/updates.html

        > Installing updates

        > Updates can be installed from the web interface, by going to System ‣ Firmware ‣ Updates. On this page, you can click Check for updates to search for updates. If they are available, a button will appear to install them.

  • justsomehnguy 2 years ago

    Time to reboot the host and power-up the VM.

    Usually the time to pause the guest (i.e. halt it and dump memory to the disk) and resume exceeds standard shutdown/startup times.

    Though in this case I think they treat a router OS update as a firmware.

    I haven't seen a Linux-based OS on hardware for a long time, but at least in VMs current distros start up pretty fast, while *BSD based VMs take a little more time to init, though everything starts in less than a minute.

  • InvaderFizz 2 years ago

    I have a virtualized openwrt router for some VPN functions. Full boot of the guest OS to routing traffic over the WireGuard tunnel is under 10 seconds from the time I hit reboot.

    Edit: I see you were referring to the host boot times plus the VM boot times, which I am not and neither is the article.

    • tedunangst 2 years ago

      What firmware are we updating that does not require a host reboot?

      • lmz 2 years ago

        "Firmware" as in "router OS image" I guess.

jazzythom 2 years ago

Why does HD15 persist? I won't buy an embedded system with it. DVI, ok, but supporting analog and PS/2 is just bad design. Nobody still breathing has a PS/2 keyboard.

c_o_n_v_e_x 2 years ago

What’s the reason these are fanless? Low/no noise for home and office use?

  • krab 2 years ago

    Yes. Without any active cooling, it also places a limit on power consumption, so it advertises that it should be cost-efficient to operate at home.