Very nice hardware for pfSense and Gigabit WAN

I recently upgraded my internet connection from 100 megabits to 1 gigabit. With such high bandwidth, I started to see the limits of my pfSense router, a PC Engines APU2.
I live in Europe and, since July 2021, buying products from China is limited to 150 euros if you don’t have a company. Unfortunately, finding a gigabit-capable pfSense-based router is not that easy on such a low budget, and at the time (Sept 2021), there were no affordable offers in local shops or on Amazon.

Actually, after some research, I found pretty good hardware for cheap!

The problem

PC Engines APU2c4

My initial router was a PC Engines APU2c4, which had 4 Gb of RAM and an AMD GX-412TC CPU running at 1Ghz. This hardware is really capable and I was running 4 VLANs, more than 50 firewall rules, Suricata and some OpenVPN connections from time to time.

When my internet connection was upgraded to 1 gigabit, I was not able to saturate the link. My download speed was maxing out at 570 Mbps and the upload was reaching around 680 / 700 Mbps. During such high transfer rates, the CPU usage was 100%, and this was with only one machine on the LAN.

So I wanted to upgrade the hardware. I know that Linux could perform a little bit better than pfSense (FreeBSD), but I wanted to keep pfSense.

Finding the proper hardware

The CPU being the bottleneck, I had to find a router with a better CPU, around 2 times faster. Pretty easy, just check www.cpubenchmark.net … Hmmm well, not really.

I also had other requirements:

  • At least 3 NICs (WAN + 2 LAN)
  • 4Gb of ram or more than 16 Gb disk (more on that below)
  • Fanless (silent)
  • Maximum 4 centimeters height so I could insert the router in a 1U rack
  • Console on Serial port (no display on my rack)

The Right CPU

There are some constraints regarding the CPU:

  • Raw power over 1065 CPU mark and single thread rating over 412 (see AMD GX-412HC benchmark)
  • Low power consumption: the router runs 24/7, so it is not conceivable to run a standard desktop CPU (plus, remember the fanless requirement)
  • 4 cores: for better multi-tasking (VLANs, multiple connections, Suricata, VPN, web interface, ntopng…)
  • AES-NI for hardware accelerated crypto: it’s mandatory for good performance with VPN connections

Now, looking at available routers, we usually see the following CPUs:

  • Core i5 gen 7 to 10: usually the price is too high (x2 compared to a Celeron)
  • Core i7 gen 7 to 10: same as i5 CPUs
  • Celeron 4205U: only 2 cores and CPU mark too low (1321)
  • Celeron J1900: not powerful enough (1136)
  • Celeron J4125: pretty good candidate, 4 cores and very nice performance (3041)
  • Celeron N2940: not powerful enough (1018)
  • Celeron 3865U: not powerful enough (1225)
  • Pentium 6405U: good candidate, only 2 cores but 4 threads and performance seems to be fine (2360)

This is, of course, not an exhaustive list, but the cheapest hardware tends to have one of these CPUs. So I had 2 candidates: Pentium 6405U or ideally Celeron J4125.

RAM and storage

With the APU2C4, I had a small 16 Gb SSD. So, in order to reduce wear, I configured a big ramdisk space (2 Gb). 1Gb should be enough, but using Suricata with a ramdisk needs at least 800 Mb in addition, to download and uncompress the rules.

With such a large ramdisk, I was using around 75% of the ram and I was not able to safely activate ntopng.

So all in all, the need is either a bigger storage space or more ram… or both 😉

Also, ram and ssd could be purchased in a different package to be under the limit of 150 euros. This is another constraint : finding an appliance which is sold without ram and storage.

Result : the ideal config

Unboxing and boot

I finally found a quite good mini PC under the reference “bkhd g40” on AliExpress:

  • May be bought with no RAM and no storage for 140 euros
  • Available with the Celeron J4125 !!
  • Has support for standard mSATA SSD
  • Two DDR4 slots for a maximum of 8 Gb ram
  • 4x gigabit intel i211, very well supported by PfSense
  • Less than 4 centimeters height

The only missing thing is an external serial port, but a COM port is available on the motherboard, so it is easy to plug a floating rs232 port.

Here is the product as I received it :

Inside :

With 2×4 Gb DDR4 and 256 Gb storage: plenty of resources for pfSense!

Booting to the BIOS :

Adding an external serial port

I used an RS232 slot plate bracket (brand is “startech”) and 3 dupont wires (male – female).

I just wired the female dupont wires to the motherboard’s COM port, so I could simply get an RS232 port using the following schema (RX to TX, TX to RX, ground)

Live, with a RS232 to USB cable :

Conclusion

For a total price of about 250 euros, I now have a very powerful pfSense router which fulfills all my needs:

  • Can saturate my gigabit connection in both upload and download without saturating the CPU
  • Additional services like Suricata, ntopng, haproxy
  • All logs to disk with no ramdisk
  • Compact and fanless
  • Hopefully future proof regarding raw power!
