Want to downsize my pfsense box, Netgate SG-1000?

Red Squirrel

Anyone use these little boxes, how well do they work? Is the performance ok?

https://www.amazon.ca/SG-1000-micro...e=UTF8&qid=1550976915&sr=8-3&keywords=netgate

Looking at places in my server rack where I can save a bit of power just to have longer UPS run time during outages, and my pfsense box is definitely a place I can do that. I currently have a 1U server box with a core2duo or similar cpu.

Open to other suggestions too. Even toying with building a new machine and just using low-power hardware, but I probably won't get anywhere near as low as an embedded box like this one, and it will end up costing quite a lot more.

If I do build, any specific hardware/config I should ensure to have in order to not be vulnerable to the Intel ME backdoor? Ex: not using Intel nics?

Also toying with just building a new VM server that is separate from my main one, and then virtualizing it. Bonus is I could use it for any other VMs that are facing the internet, and separate it from the main VM server, to secure from any VM escape type vulnerabilities should one of the internet facing VMs get hacked. (torrent client etc)

But I think I will stick to having a dedicated hardware pfsense setup.
 

Red Squirrel

Saw those too, more expensive, but I did not know pfSense needed anything special like AES on the CPU. Guess it's something to consider if I go a custom build too, need to get a CPU that has it, not sure how common that is? Those boxes are still cheaper than anything I could build and will be much smaller and lower power though.
 

mxnerd

AES-NI seems available on SG-1000

https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html

pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI. On ARM-based systems, the additional load from AES operations will be offloaded to on-die cryptographic accelerators, such as the one found on our SG-1000

Don't know if that means Netgate will still support the SG-1000 above 2.5 even after it stops selling the device, or if it means it will continue to support their devices with AES-NI capability, or only if you pay a subscription?

https://en.wikipedia.org/wiki/AES_instruction_set#Supporting_x86_CPUs

https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_AESTech=True

Better email Netgate for clarification.
 

Red Squirrel

Is the AES-NI thing something new? Never heard of that requirement before, and I doubt the current box (core2duo E4500) has that. What is the main reason for that requirement? Does it just improve packet routing performance or something? Like, does it use encryption in the back end to process data?

I was actually able to put together a system on memoryexpress.com for $300 before taxes using the AMD APU platform, and I would get a picoPSU off Amazon for around $100. So I figure I could use commodity hardware and get something going for around $500 when all is said and done. Would involve a custom case so I can keep things smaller. This is the CPU I'd be using: https://www.memoryexpress.com/Products/MX68406

I don't think it has AES-NI though, is that really needed or just a good thing to have?
EDIT: Actually maybe it does, found a review site saying it has "AES" I assume they mean AES-NI or is that something else?

Those QOTOM boxes do look nice too though and do have it. So kinda leaning towards that, or a custom build. My only worry with the embedded boxes is if you brick it, I think you're done for. With commodity hardware, it's just a PC, you can reload the OS etc. or use it for something else.
 

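Whether a given CPU actually exposes AES-NI is something you can check from the box itself rather than from a review site. The script below is an added example (not from any post in this thread): it parses the feature lists that FreeBSD/pfSense (`/var/run/dmesg.boot`) and Linux (`/proc/cpuinfo`) print, run here against constructed sample text.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a CPU advertises AES-NI,
# in the two places an admin would look: FreeBSD/pfSense /var/run/dmesg.boot
# ("Features2=...<...,AESNI,...>") and Linux /proc/cpuinfo ("flags : ... aes ...").

has_aesni() {
    # $1: contents of dmesg.boot or /proc/cpuinfo. Returns 0 when AES-NI is listed.
    text="$1"
    # FreeBSD: AESNI appears as one item of the Features2=<...> list
    if printf '%s\n' "$text" | grep -Eq 'Features2=[^<]*<([^>]*,)?AESNI(,[^>]*)?>'; then
        return 0
    fi
    # Linux: "aes" as a whole word on the flags line (not as part of another flag name)
    if printf '%s\n' "$text" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

aesni_status() {
    # Same check, but prints yes/no so the result is easy to use from other scripts
    if has_aesni "$1"; then echo yes; else echo no; fi
}

# Constructed samples (shortened feature lists, not captured from real hardware)
FREEBSD_WITH='  Features2=0x7fbae3ff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
FREEBSD_WITHOUT='  Features2=0xe3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM>'
LINUX_WITH='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov mmx fxsr sse sse2 ht nx lm aes xsave avx'
LINUX_WITHOUT='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov mmx fxsr sse sse2 ht nx lm'

# On a live box: has_aesni "$(cat /var/run/dmesg.boot)"  or  has_aesni "$(cat /proc/cpuinfo)"
printf 'FreeBSD sample with AESNI:    %s\n' "$(aesni_status "$FREEBSD_WITH")"
printf 'FreeBSD sample without AESNI: %s\n' "$(aesni_status "$FREEBSD_WITHOUT")"
printf 'Linux sample with aes:        %s\n' "$(aesni_status "$LINUX_WITH")"
printf 'Linux sample without aes:     %s\n' "$(aesni_status "$LINUX_WITHOUT")"
```
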
aigomorla

nm... they all disappeared on ebay... :T

The QOTOM boxes are alright, I had a chance to use one, but I replaced it with a half-depth SM as I wanted everything consolidated to a single rack.

However they run a bit hot, and I had to put a fan over it. I don't like seeing temps in the 60's, which pfSense was reporting.
 

Red Squirrel

Supermicro is another route I considered as I like their 1U boxes, but $$$. Nearly a grand when all is said and done. Though I could move my home automation stuff to a RPi, then use the automation server (a SM half-depth box) for pfsense. It's an older Atom chip though, so not sure if it will even have AES-NI.

Lots of different options I guess, just have to decide.
 

Rifter

I use a Celeron dual-core QOTOM box, works fine. But now that I'm up to gigabit internet it's running close to 80% sometimes with IPS/IDS enabled, so I'm going to upgrade it to a quad-core soon to give me some breathing room.
 

aigomorla

Supermicro is another route I considered as I like their 1U boxes, but $$$

sigh.. yeah for a new box...
I got mine used on eBay with an X9 chipset for about 250 dollars. It only had 4GB of DDR3 ECC and an E3-1220V2.

So I upgraded the RAM to 16GB for the hell of it since it was cheap, and threw pfsense on that and never looked back.

I'm fairly sure if you keep an eye out you can find one used for cheap.

The chassis model number is:
https://www.supermicro.com/products/chassis/1U/512/SC512L-200B


You could probably build a used one like this:

Board:
https://www.ebay.com/itm/SuperMicro...set-X9SCM-F-/202335699718?hash=item2f1c25c306

Gut the system out of this:
https://www.ebay.com/itm/SUPERMICRO...h=item1ef254c925:g:7KIAAOSwl7dcN56V:rk:9:pf:0

CPU:
https://www.ebay.com/itm/SR0PH-Inte...h=item2f2c2b700a:g:-mYAAOSwVZ1cb1ky:rk:7:pf:0

https://ark.intel.com/content/www/u...n-processor-e3-1220-v2-8m-cache-3-10-ghz.html
Intel® AES New Instructions Yes

Ram:
https://www.ebay.com/itm/Hynix-8GB-...h=item3648690e08:g:DRIAAOSwEP9ccJvE:rk:8:pf:0

Well, you can use non-ECC RAM if you like.
But if you do use ECC, make sure it's not Reg.
The board will not take ECC Reg.
 

Red Squirrel

sigh.. yeah for a new box...
I got mine used on eBay with an X9 chipset for about 250 dollars. It only had 4GB of DDR3 ECC and an E3-1220V2.

So I upgraded the RAM to 16GB for the hell of it since it was cheap, and threw pfsense on that and never looked back.

I'm fairly sure if you keep an eye out you can find one used for cheap.

The chassis model number is:
https://www.supermicro.com/products/chassis/1U/512/SC512L-200B


You could probably build a used one like this:

Board:
https://www.ebay.com/itm/SuperMicro...set-X9SCM-F-/202335699718?hash=item2f1c25c306

Gut the system out of this:
https://www.ebay.com/itm/SUPERMICRO...h=item1ef254c925:g:7KIAAOSwl7dcN56V:rk:9:pf:0

CPU:
https://www.ebay.com/itm/SR0PH-Inte...h=item2f2c2b700a:g:-mYAAOSwVZ1cb1ky:rk:7:pf:0

https://ark.intel.com/content/www/u...n-processor-e3-1220-v2-8m-cache-3-10-ghz.html
Intel® AES New Instructions Yes

Ram:
https://www.ebay.com/itm/Hynix-16GB...=item2ac51a0f67:g:UFoAAOSwlINcTKHS:rk:13:pf:0

Well, you can use non-ECC RAM if you like.
But if you do use ECC, make sure it's not Reg.
The board will not take ECC Reg.


We get screwed on shipping here. Those particular links won't even ship to Canada, but often when stuff does ship here, the cost is through the roof. Any time I try to look for used server stuff it ends up not being that much cheaper than new, as shipping alone adds about $100 for each part.

I think I'm going to lean towards the QOTOM or SG boxes though as it's cheaper. The QOTOM ones are on Amazon.ca. The new SG-1100 is not, but maybe they'll show up eventually. I'm not keen on ordering from a US site directly because of customs. The custom build route also seems a bit appealing if I just build a custom rackmount case; I was surprised at how low I could bring the price of a system down if I go with an AMD APU based platform. Not sure if they have AES-NI though. Can't seem to find much info on the full instruction set.
 

Red Squirrel

Been pondering and think I'm going to go with this:

https://www.amazon.ca/QOTOM-Q106P-S...+mini-pc&qid=1551158853&s=gateway&sr=8-1&th=1

Those really look like nice little boxes, with lots of different uses. Tempting to get two.

Just noticed these have a VGA port, so I assume it can act as a normal computer, so if I wanted to install something completely different, it would probably work too. I also don't have to worry about accidentally bricking it or something, can just reinstall pfsense as I would on a normal PC.

As much as something rackmount is nice, what I may actually do given its size is to put it where my ONT is on the wall, and provide a UPS power feed to that wall mount area for it. Been wanting to provide UPS power to the ONT anyway, as it kills the internet after 1 hour, by design, to prioritize POTS, which I don't have anymore.

I decommissioned an old core2quad server recently, and now if I decommission my pfsense box for one of these, I'm really going to start saving on power usage. Of course it's a drop in the bucket given I have a mining rig, but I'm more doing this to extend my UPS run time, and the mining rig is on a different UPS and is set to shut down right away as it's not critical.
 

Red Squirrel

Good to know. The 2 port version is probably fine for my needs though as the LAN port is just a trunk going to my switch and I do all my intervlan routing at the pfsense level.
 

Rifter

If you ever get the QOTOM Q330G4 version
https://www.amazon.ca/QOTOM-Q330G4-Mini-Barebone-pfSense/dp/B073R2SY9G

be aware that the NICs are labelled 1, 2, 3, 4 on the back, but are actually 0, 3, 2, 1 in pfsense, according to this thread.


I have a 4-port one as well, not that specific model, but the port numbers change sometimes when you remove power; they are not always the same.

This is a non-issue because you can go into the BIOS and blink the ethernet lights to figure out which port is which number.
 

mxnerd

I have a 4-port one as well, not that specific model, but the port numbers change sometimes when you remove power; they are not always the same.

This is a non-issue because you can go into the BIOS and blink the ethernet lights to figure out which port is which number.

Saw your post here
https://forums.anandtech.com/threads/psa-to-anyone-using-qotom-box-for-router.2497348/

So is this a pfSense/FreeBSD problem? An OS update / power outage could disrupt the numbering order of the ethernet ports?

Never heard of that.

==

By the way, just found that there is a pfSense fork called OPNsense. Might be worth a try.

https://opnsense.org/

http://opnsense.firewallhardware.it/en/pfsense_vs_opnsense.html
 

Rifter

Saw your post here
https://forums.anandtech.com/threads/psa-to-anyone-using-qotom-box-for-router.2497348/

So is this a pfSense/FreeBSD problem? An OS update / power outage could disrupt the numbering order of the ethernet ports?

Never heard of that.

==

By the way, just found that there is a pfSense fork called OPNsense. Might be worth a try.

https://opnsense.org/

http://opnsense.firewallhardware.it/en/pfsense_vs_opnsense.html

Yeah, it took me a while after the power outage to figure it out, but the ports did change. It also wiped the BIOS settings, so maybe the board saw a little surge, not sure; it was hooked up to a UPS and a surge protector though. Either way, as soon as I figured out you can flash the ports in the BIOS it wasn't really an issue.

And yes, I will likely transition over to OPNsense. The way pfsense is going lately it's becoming more and more obvious they are trying to just get people to buy their boxes, hence the mandatory AES instructions for version 2.5 and the dropping of 32-bit CPUs, even though their own SG-1000 hardware has neither a 64-bit CPU nor built-in AES instructions (it does contain a separate hardware encoder chip to add AES, something they will not allow/support you to do with your own hardware). Funny how they force everyone else to upgrade their hardware but still support non-AES CPUs and non-64-bit CPUs with their own hardware.
 

Red Squirrel

Wait, they will switch around even after it's set up? This could be bad, like if your LAN port changes to WAN or something, it means your network will be down until you can manually fiddle around with it to get the ports right. And it may be hard to remote into it as well if the ports mess up, especially if the LAN port is actually a trunk port; you can't just plug a laptop into each port until you find the one that works.
 

Rifter

Wait, they will switch around even after it's set up? This could be bad, like if your LAN port changes to WAN or something, it means your network will be down until you can manually fiddle around with it to get the ports right. And it may be hard to remote into it as well if the ports mess up, especially if the LAN port is actually a trunk port; you can't just plug a laptop into each port until you find the one that works.

Yeah, that's what happened, that's how I noticed it was an issue. I use 3 of the 4 ports, and the one I have for my guest wifi turned into my main LAN port and my WAN port turned into the one that was not being used. Was tons of fun to troubleshoot... lol. It was a blessing in disguise that my BIOS reset to defaults for some reason at the same time, so I noticed when in the BIOS that you can blink the ethernet LEDs to identify ports.
 

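The port swap Rifter describes can be caught before it takes the network down by keeping a baseline of which MAC address sits behind each interface name and re-checking after every outage or upgrade. The script below is an added example, not from the thread: it assumes FreeBSD-style `ifconfig` output (as on pfSense) and runs against constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): detect NIC renumbering on a FreeBSD/pfSense
# box by mapping interface name -> MAC and diffing it against a known-good baseline.
# Assumes FreeBSD-style ifconfig output; the samples below are constructed.

iface_map() {
    # $1: ifconfig output. Prints one "ifname mac" line per Ethernet interface.
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+: flags=/ { name = $1; sub(/:$/, "", name) }
        /^[ \t]+ether /         { print name, $2 }
    '
}

mac_drift() {
    # $1: baseline map, $2: current map (both produced by iface_map).
    # Prints "mac OLD->NEW" for every MAC whose interface name changed,
    # "mac NEW->ifname" for MACs absent from the baseline and "mac OLD->MISSING"
    # for MACs that vanished. Empty output means the port assignment is unchanged.
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---"  { phase = 2; next }
        NF < 2       { next }
        phase != 2   { base[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in base))       print $2, "NEW->" $1
            else if (base[$2] != $1) print $2, base[$2] "->" $1
        }
        END { for (m in base) if (!(m in seen)) print m, base[m] "->MISSING" }
    ' | sort
}

# Constructed baseline: 4-port box, igb0 = WAN, igb1 = LAN, igb2 = guest wifi, igb3 unused.
BASELINE='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:68:0a:01
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:68:0a:02
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:68:0a:03
igb3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:68:0a:04
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'
# Constructed "after the outage" output: the physical LAN port (MAC ...:02) now shows
# up as igb3 and the unused port (MAC ...:04) as igb1, i.e. igb1 and igb3 traded MACs.
CURRENT="$(printf '%s\n' "$BASELINE" | sed -e 's/0a:02/0a:TMP/' -e 's/0a:04/0a:02/' -e 's/0a:TMP/0a:04/')"

# On a live box: iface_map "$(ifconfig)" > /root/nic-baseline.txt once, then later
#   mac_drift "$(cat /root/nic-baseline.txt)" "$(iface_map "$(ifconfig)")"
mac_drift "$(iface_map "$BASELINE")" "$(iface_map "$CURRENT")"
```
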
mxnerd

Don't think the 2-port version will do that. That would be totally unthinkable.

But if you are in doubt, probably dual port mini-pcs / motherboards from other vendors will be better options.

No matter which vendor you choose, make sure the network adapter/interface is supported by FreeBSD.

http://www.si.freebsd.org/relnotes/CURRENT/hardware/support.htm

Section 3.2. Ethernet Interfaces
 

Red Squirrel

One option I was considering too is a custom build, with external NICs. D-Links or something like that (guess I'd have to make sure they are supported though). My train of thought is by doing that, it MIGHT break the Intel ME, as maybe ME only works for Intel or built-in NICs. Is there any known info on this? Trying to do something that breaks the ME backdoor might be a good plan while I'm at it, it's just there's not much info out there yet. There's some effort to disable it, but it's quite involved still.

Downside of a custom build is that it's still a full blown PC at that point, so I'm never going to get down to the 10w range of these little boxes.
 

mxnerd

External USB NICs never worked well with pfSense according to web articles/blogs.

They are not built for long-term use and their performance sucks.

DIY build is hard to get under 20w.