Very nice hardware for pfSense and Gigabit WAN
I recently upgraded my internet connection from 100 megabits to 1 gigabit. With such a high bandwidth, I started to see the limits of my pfSense router, a PC Engines APU2.
I live in Europe and since July 2021, buying products from China is limited to 150 euros if you don’t have a company. Unfortunately, finding a gigabit-capable pfSense-based router is not that easy on such a low budget, and at the time (Sept 2021), there were no affordable offers in local shops or on Amazon.
Actually, after some research, I found pretty good hardware for cheap!
My initial router was a PC Engines apu2c4, which had 4 Gb of RAM and an AMD GX-412TC CPU running at 1 GHz. This hardware is really capable and I was running 4 VLANs, more than 50 firewall rules, Suricata and some OpenVPN connections from time to time.
When my internet connection was upgraded to 1 gigabit, I was not able to saturate the link. My download speed was maxing out at 570 Mbps and the upload was reaching around 680 / 700 Mbps. During such high transfer rates, the CPU usage was 100%, and this was with only one machine on the LAN.
So I wanted to upgrade the hardware. I know that Linux could perform a little bit better than pfSense (FreeBSD), but I wanted to keep pfSense.
Finding the proper hardware
With the CPU being the bottleneck, I had to find a router with a better CPU, around 2 times faster. Pretty easy, just check www.cpubenchmark.net … Hmmm, well, not really.
I also had other requirements:
- At least 3 NICs (WAN + 2 LAN)
- 4 Gb of RAM or more than 16 Gb of disk (more on that below)
- Fanless (silent)
- Maximum height of 4 centimeters so I could fit the router in a 1U rack
- Console on serial port (no display on my rack)
The Right CPU
- Raw power over 1065 CPU mark and single thread rating over 412 (see AMD GX-412HC benchmark)
- Low power consumption: the router runs 24/7, so it is not conceivable to run a standard desktop CPU (plus, remember the fanless requirement)
- 4 cores: for better multi-tasking (VLANs, multiple connections, Suricata, VPN, web interface, ntopng…)
- AES-NI for hardware accelerated crypto: it’s mandatory for good performance with VPN connections
Now, looking at available routers, we usually see the following CPUs:
- Core i5 gen 7 to 10: usually the price is too high (x2 compared to a Celeron)
- Core i7 gen 7 to 10: same as i5 CPUs
- Celeron 4205U: only 2 cores and CPU mark too low (1321)
- Celeron J1900: not powerful enough (1136)
- Celeron J4125: pretty good candidate, 4 cores and very nice performance (3041)
- Celeron N2940: not powerful enough (1018)
- Celeron 3865U: not powerful enough (1225)
- Pentium 6405U: good candidate, only 2 cores but 4 threads and performance seems to be fine (2360)
This is, of course, not an exhaustive list, but the cheapest hardware tends to have one of these CPUs. So I had 2 candidates: Pentium 6405U or ideally Celeron J4125.
RAM and storage
With the APU2C4, I had a small 16 Gb SSD. So in order to reduce wear, I configured a big ramdisk space (2 Gb). 1 Gb should be enough, but using Suricata with a ramdisk needs at least 800 Mb in addition to downloading and uncompressing rules.
With such a large ramdisk, I was using around 75% of the RAM and I was not able to safely activate ntopng.
So all in all, the need is either a bigger storage space or more RAM… or both 😉
Also, RAM and SSD could be purchased in a different package to stay under the limit of 150 euros. This is another constraint: finding an appliance which is sold without RAM and storage.
Result: the ideal config
Unboxing and boot
I finally found quite a good mini PC under the reference “bkhd g40” on AliExpress:
- May be bought with no RAM and no storage for 140 euros
- Available with the Celeron J4125!!
- Has support for standard mSATA SSD
- Two DDR4 slots for a maximum of 8 Gb RAM
- 4x gigabit Intel i211, very well supported by pfSense
- Less than 4 centimeters height
The only missing thing is an external serial port, but a COM port is available on the motherboard, so it is easy to plug a floating RS232 port.
Here is the product as I received it:
With 2×4 Gb DDR4 and 256 Gb storage: plenty of resources for pfSense!
Booting to the BIOS:
Adding an external serial port
I used an RS232 slot plate bracket (brand is “startech”) and 3 Dupont wires (male – female).
I just wired the female Dupont wire to the motherboard’s COM port, so I could simply get an RS232 using the following schema (RX to TX, TX to RX, ground)
Live, with an RS232 to USB cable:
For a total price of about 250 euros, I now have a very powerful pfSense router which fulfills all my needs:
- Can saturate my gigabit connection in both upload and download without saturating the CPU
- Additional services like Suricata, ntopng, haproxy
- All logs to disk with no ramdisk
- Compact and fanless
- Hopefully future proof regarding raw power!