Want to downsize my pfsense box, Netgate SG-1000?

Page 3

killster1

Banned
Mar 15, 2007
6,205
475
126
I'm starting to consider a custom build again. The more I think about that dreaded ME backdoor, the more I want to try my best to mitigate its presence. Going to go AMD, with add-on non-name-brand NICs. I figure that is a good chance of mitigating any sort of backdoor, if AMD has one too. But as far as I know they don't. Read some stuff but it sounds like it's only exploitable with actual access to the machine.

So this is what I'm thinking:

CPU: A6-9500 APU, 3.5GHz w/ 1MB Cache

Motherboard: PRIME A320M-K w/ DDR4 2666, 7.1 Audio, M.2, Gigabit LAN, PCI-E x16

Ram: https://www.memoryexpress.com/Products/MX66744

2xNIC: StarTech Gigabit Desktop Network Adapter, PCI-E

SSD: ADATA
Ultimate SU650 Solid State Drive, 2.5in, SATA III, 120GB


PSU: Mini-Box PicoPSU 160-XT, 160w, 12v input DC-DC Power Supply

12v PSU: 100W LRS Meanwell PSU 12v

Ends up more expensive, but still relatively cheap for what is basically an upgradeable PC. Subtotal comes up to a bit over $430 so with tax and shipping I figure around $550 or so when all is said and done. For case, I'll build something custom, probably a 2U short depth case or something. Oh and I'll want fans too, probably ok with a single 80mm one I'd think.

Not dead set on this though; those Qotom boxes sure are attractive: much cheaper, much lower power usage, and smaller. I have yet to hear of anyone being hacked through Intel ME... so it's probably still considered a low risk thing at this point, until someone figures out how to remotely activate it (port triggering or something?). Then I can act on it at that point.

If I get a 13.5v PSU instead of 12v I could also stick a big battery in the middle and it will essentially have its own backup power, could also have aux outputs for my ONT and Wifi. Though it probably makes sense to just keep everything on the big UPS.


I'm curious why you went with that CPU. I have a (I think) 1245L v5 20 watt Xeon with SM board. I'm going to build another box or buy one of the Qotom prebuilt; the 5200u looked OK except no ECC. I hate choices and wish there was a great Qotom with everything I wanted (really love the size and power usage).
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
I'm curious why you went with that CPU. I have a (I think) 1245L v5 20 watt Xeon with SM board. I'm going to build another box or buy one of the Qotom prebuilt; the 5200u looked OK except no ECC. I hate choices and wish there was a great Qotom with everything I wanted (really love the size and power usage).

TBH I just sorted by price and it was the cheapest option that looks like it would work. Going the Xeon/SM route ends up too expensive. Even used, because of shipping. You're paying shipping on each individual item. Ends up cheaper buying new from one source as you're only paying shipping once. In this case I made an exception for the PSU though and that one will be from Amazon as it's a more exotic one.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
So I just pulled the trigger on that QOTOM box. Figured it's the cheapest option and I really like the low power usage, and from what I've googled it seems the Intel ME threat is really system and config specific. I would hope that because this box's target audience is firewall stuff, that it would not have it. If I hear of anything then I'll deal with it at that point. I may experiment with a USB NIC for the WAN port at some point if I feel I want to do more to ensure the ME threat is mitigated; supposedly the backdoor won't work with add-on cards.
 

LikeLinus

Lifer
Jul 25, 2001
11,518
670
126
1. Great purchase and I wish you the best with it.
2. Please don't buy a USB NIC! From what I've seen, they notoriously don't perform.

I'm in the middle of a Network update myself. I ended up going with 1Gb/1Gb ATT over the 75Mb/15Mb connection. Both were unlimited, but the Gigabit connection is 10 dollars cheaper for a year and 10 dollars more expensive after that. I couldn't say no, lol.

So I'm revamping my Dell R210 ii (16GB and E3-1240 v2) to use the 1Gb Intel built-in port and a dual 10Gb SFP+ card for the LAN. For a $99 box, I really can't complain. I totally looked into those pre-built boxes and was set on buying one. The real problem is when you start to spend more time on HomeLab, Networking or Datahoarder on Reddit? Oh hell.......

In other words, keep doing what you do, until it doesn't work. Then I apologize if you go down the rabbit hole. :D Jokes aside, I would love to hear your experience.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
I wouldn't use a XEON server just for firewall/routing, that's just completely wasteful.

For a XEON server that's running 24/7, I would have run ESXi on it.
 

LikeLinus

Lifer
Jul 25, 2001
11,518
670
126
I wouldn't use a XEON server just for firewall/routing, that's just completely wasteful.

For a XEON server that's running 24/7, I would have run ESXi on it.

Well I got it for $99 shipped and I'm not about to complain. Plus it allowed me to put in a 4 port Intel 1Gbe card and now a dual 10Gb SFP+ card. There are a lot of other people using them.

The CPU that is in it is 65W and is only running 16GB of RAM. Given the versatility, there are not a lot of other firewalls out there that can match it, without paying through the nose.
 

nycynik

Junior Member
May 13, 2019
1
0
6
This discussion is great! I've been in the same boat thinking about new hardware for my router, I had been using pfsense and since AES-NI is now a requirement I also need to upgrade it.

The i3/QOTOM looks great, but everyone is worried about heat, and my network area is not cooled, so I was worried about that, especially long term (my old router box is 6 years old, and still works fine, would love to get 5 years out of the new one.)

I've thought about the DIY solution also, but it seems that I will end up with a much higher wattage, and calculated that in my area that could cost me around $200 a year extra! So that really adds up! (assuming avg w and 24/7 use.)

The SuperMicro via Ebay looks really good to me, and I did not recognize that CPU, so checked it here vs the i3. That CPU looks better than the i3! So, I'm still searching on ebay, but I think this is the way to go for me. It's upgradable, no heat issues, and nice form factor. That all adds up to better for me.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Have not gotten around to actually setting this up, but I'll probably do it this week sometime since I have the week off.

I'm not too worried about heat; worst case I will put a 120mm fan on the outside, can probably power it by one of the USB ports. Should be enough airflow. Failing that I'll wire it on the inside to the 12v rail. Of course I'll want to make sure the CPU heat sink is attached to the case in some way or the other; I'll open it up to see how it's made.

At like 10w power rating I don't imagine it's going to get all that hot though, it's not like it will be running at 100% all the time. I'll do some basic thermal testing at 100% though just to see.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Makes no sense to run a firewall in a VM, still need a physical way to attach it to the modem. It's better to have physical isolation between WAN and LAN for security purposes as well. There is too much room for error if you connect the VM server to the internet which could accidentally expose internal VMs if a config issue or vulnerability arises or whatever. I did toy with making a dedicated VM server that is strictly for internet facing stuff, and then putting pfsense on that, but I prefer having a dedicated box for it. Not everything makes sense to virtualize.
 

sdifox

No Lifer
Sep 30, 2005
99,349
17,545
126
Makes no sense to run a firewall in a VM, still need a physical way to attach it to the modem. It's better to have physical isolation between WAN and LAN for security purposes as well. There is too much room for error if you connect the VM server to the internet which could accidentally expose internal VMs if a config issue or vulnerability arises or whatever. I did toy with making a dedicated VM server that is strictly for internet facing stuff, and then putting pfsense on that, but I prefer having a dedicated box for it. Not everything makes sense to virtualize.


I don't see a problem running pfsense in a VM. You need to be on the console to even have a chance to breach the layers.

Mine has a dedicated nic port for wan.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Well, good news about the particular box I got. The CPU, a Celeron J3060, does NOT have vPro according to the Intel site, which means it won't have the ME/AMT backdoor either. So I can rest assured this should be decently secure.

Actually I think this CPU is vulnerable to Spectre and Meltdown... But without AMT, are those vulnerabilities exploitable? If I recall they required AMT as that was the attack vector, as the attacker needs a way to connect to the system.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
I don't see a problem running pfsense in a VM. You need to be on the console to even have a chance to breach the layers.

Mine has a dedicated nic port for wan.

Still don't like the idea of connecting my VM server straight to the internet. Too much room for errors, either my own doing, or some kind of vulnerability, which could cause VMs to accidentally be exposed to the internet.

Though I was toying with the idea of building a separate isolated VM server whose job would be to handle the gateway and internet facing stuff, so that could work. It would be separate from my VM environment and just use local storage, so no risk of exposing the NAS either.

But I still like the idea of a separate device. WAN in, LAN out, KISS approach. No need to have it talk to the NAS or anything internal, it's just stand alone.
 

sdifox

No Lifer
Sep 30, 2005
99,349
17,545
126
Still don't like the idea of connecting my VM server straight to the internet. Too much room for errors, either my own doing, or some kind of vulnerability, which could cause VMs to accidentally be exposed to the internet.

Though I was toying with the idea of building a separate isolated VM server whose job would be to handle the gateway and internet facing stuff, so that could work. It would be separate from my VM environment and just use local storage, so no risk of exposing the NAS either.

But I still like the idea of a separate device. WAN in, LAN out, KISS approach. No need to have it talk to the NAS or anything internal, it's just stand alone.


Err whut? The only thing exposed is the vm, not the host.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Err whut? The only thing exposed is the vm, not the host.

Maybe he is referring to this?
https://www.tenable.com/blog/vmware...st-to-host-escape-vulnerability-cve-2018-6981

But I have to say vulnerability happens all the time, on every system.

If you worry too much about it, there is no system in the world without some kind of vulnerabilities that you can run.

When somebody finds a new vulnerability, you just have to patch the system, be it Windows/Linux/OSX/virtual technologies/routers/smart devices.
 

sdifox

No Lifer
Sep 30, 2005
99,349
17,545
126
Maybe he is referring to this?
https://www.tenable.com/blog/vmware...st-to-host-escape-vulnerability-cve-2018-6981

But I have to say vulnerability happens all the time, on every system.

If you worry too much about it, there is no system in the world without some kind of vulnerabilities that you can run.

When somebody finds a new vulnerability, you just have to patch the system, be it Windows/Linux/OSX/virtual technologies/routers/smart devices.


I am talking about direct IO to two NICs though. I didn't think that was affected.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Maybe he is referring to this?
https://www.tenable.com/blog/vmware...st-to-host-escape-vulnerability-cve-2018-6981

But I have to say vulnerability happens all the time, on every system.

If you worry too much about it, there is no system in the world without some kind of vulnerabilities that you can run.

When somebody finds a new vulnerability, you just have to patch the system, be it Windows/Linux/OSX/virtual technologies/routers/smart devices.

It's best to design the system in such a way that the vulnerability is not really an issue to begin with. Patching is a cat and mouse game. You patch something; it does not mean all the vulnerabilities are gone, there's still more. The simpler a system is, the less chance of issues, and anything that sits on the WAN interface needs to be treated extra cautiously.

That said since pfsense is really just routing packets there's probably not a lot of attack vectors to begin with as it's not running any kind of server services, so even in a vm chances are it's fine but I still prefer a physical device with physical separation. It also allows me to be able to turn off the NAS and VM server and still have internet. Ex: in a power outage situation where I want to conserve battery power.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
So close!

I installed the latest pfsense, and restored config from the existing one. Was having some oddities with VLANs and interface assignments and think it had to do with the interface names. On the old box they are called bge0 and bge1 and on the new box they're called re0 and re1. So I modified it in the config (thankfully it's just XML) and then restored again and now it took.

HOWEVER, for whatever reason, I just can't get it to pass any traffic. I do a DHCP release/renew, with proper mac address and get an IP, but still no traffic. I'm now back on the old firewall, I'll have to figure this out tomorrow, getting late. But if anyone has clues on what else I can try I'd be open to it.
 
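As an added example (not code from any poster in this thread): a small Python script that does the rename described above by rewriting the `<if>` and `<vlanif>` values in a pfSense config.xml backup, and that reports any device name the mapping does not cover, since a missed name is exactly the kind of thing that produces silent interface-assignment oddities after a restore. The sample config and the bge0/bge1 to re0/re1 mapping are constructed; the tag layout is assumed from the `<interfaces>` and `<vlans>` sections of a pfSense backup, so compare it with a real backup before trusting it.

```python
import xml.etree.ElementTree as ET

# Constructed sample mimicking the relevant parts of a pfSense config.xml backup.
# Not a real backup: only the <interfaces> and <vlans> sections are modelled, and the
# dotted "bge0.35" VLAN device naming is an assumption about the backup's format.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>bge0.35</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>bge1</if><ipaddr>192.168.1.1</ipaddr></lan>
  </interfaces>
  <vlans>
    <vlan><if>bge0</if><tag>35</tag><vlanif>bge0.35</vlanif></vlan>
  </vlans>
</pfsense>
"""


def remap_interfaces(xml_text, mapping):
    """Rewrite every <if>/<vlanif> whose base device (the part before any '.') is in
    mapping. Returns (new_xml, changed_count, sorted list of base names left unmapped)
    so the caller can refuse to restore a config that still references old devices."""
    root = ET.fromstring(xml_text)
    changed = 0
    unmapped = set()
    for el in root.iter():
        if el.tag not in ("if", "vlanif") or not el.text:
            continue
        base, sep, rest = el.text.partition(".")   # "bge0.35" -> ("bge0", ".", "35")
        if base in mapping:
            el.text = mapping[base] + sep + rest   # keeps the VLAN suffix intact
            changed += 1
        else:
            unmapped.add(base)
    return ET.tostring(root, encoding="unicode"), changed, sorted(unmapped)


if __name__ == "__main__":
    new_xml, n, missing = remap_interfaces(SAMPLE_CONFIG, {"bge0": "re0", "bge1": "re1"})
    print(f"rewrote {n} interface references, unmapped: {missing}")
    print(new_xml)
```

Run it against the exported backup instead of SAMPLE_CONFIG, write the returned XML to a new file only when the unmapped list is empty, and restore that file through the GUI as the post describes.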

thecoolnessrune

Diamond Member
Jun 8, 2005
9,673
583
126
For a ruling out, if you have a working config, I'd just reset the system to stock and see if the basic functionality passes traffic. If it does, you know it's still a problem with your current configuration.

You have your Outbound NAT still configured correctly to NAT your traffic to WAN?
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
re interface names? As in Realtek NICs? That may be your issue; I've had problems with Realtek and pfSense in the past. I always stick to Intel NICs now and haven't had any issues.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Yeah I ended up doing that and it worked. Still can't get internet to work, and the GUI is BLOODY SLOW. Like sometimes it's normal then random clicks will take forever. Had to go downstairs and pull the plug on it and restart and now the GUI just died completely. Can't connect to it at all after a restart. Had to pull the box out of the server rack and bring it back on my work bench to troubleshoot/reinstall.

I don't think it's Realtek NICs. It's whatever the Qotom uses; they're built on it, and these devices are known to work with pfSense.

Going to try to get it working without VLANs just to troubleshoot. I imagine I can just treat my network as the internet and then use a laptop in the LAN port. My ISP does not provide more than one IP so I keep having to switch back and forth to test.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Yeah, web interface is screwed. I can get to the login page but when I log in it just hangs forever. Time for a reinstall. This does not bode well if just unplugging/replugging interfaces and basic troubleshooting is enough to screw up the web interface permanently.

I have it setup on my workbench now where I can just go to the patch panel and swap the wan/lan cables to test.
 

Red Squirrel

No Lifer
May 24, 2003
70,155
13,566
126
www.anyf.ca
Probably going to give up and go back to the old box. Wasted an entire day on this crap. Now I'm not even getting an IP. It just goes 0.0.0.0.

I even re-introduced the ISP supplied router to the equation to rule out any funny business with how my ISP handles connectivity. Old firewall plugged into it works fine, new one refuses to get an IP even from the local router. My ISP does some weird stuff with how they present the internet, it's on vlan 35, but they also do some hardware level QoS stuff, I have this Asus router with a custom firmware on it that basically handles all that stuff and gives you a pass through port so that you don't need to do a double NAT like you do with the ISP supplied router. But I took all that stuff out for testing purposes, still nothing. I also have the firewall setup with a factory setting with just a laptop for LAN so no vlans or anything. Still won't pass traffic to the internet. Also tried setting MTU to 1500 on WAN interface.

Was hoping this would mostly be plug and play but it's far from it. Might have to cave and just build a normal PC box. May as well make the power usage worth it and make it a dedicated VM server that has local storage and is self contained, and I can also move all my internet facing VMs to it to split it from my private stuff. I just don't want to run it on my main VM server but I could setup a completely separate one.