Want to downsize my pfsense box, Netgate SG-1000?

[mxnerd]

Seems the renumbering is a thing of FreeBSD which pfSense based upon.
So probably not a QOTOM issue. (especially if you ever plug in an USB network adapter down the road)

https://lists.freebsd.org/pipermail/freebsd-stable/2016-September/085479.html
https://forums.freebsd.org/threads/re-numbering-network-interfaces.27100/
https://github.com/eborisch/ethname
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212480
https://forum.netgate.com/topic/89311/nic-change-setup-wizard-invoked-on-reboot/2

 

[Rifter]

Seems the renumbering is a thing of FreeBSD which pfSense based upon.
So probably not a QOTOM issue.

https://forums.freebsd.org/threads/re-numbering-network-interfaces.27100/
https://github.com/eborisch/ethname
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212480

Yeah thats what i figured.

I assumed it was kinda like the linux reassigning of hard drive letters sometimes between reboots(the sda, sdb, etc not being reliable between boots, better to use the device ID's)

 

[mxnerd]

Yeah thats what i figured.

I assumed it was kinda like the linux reassigning of hard drive letters sometimes between reboots(the sda, sdb, etc not being reliable between boots, better to use the device ID's)

So a rc.d script offered at https://github.com/eborisch/ethname might just fixed the problem.

 

[Red Squirrel]

Good to know it's just a software issue then. Thought it was maybe hardware related and just the way the bios works or something. I don't know about BSD but I know Linux tends to map by mac address. I guess that's what the fix is doing.

Though I've been thinking more and more about Intel ME mitigation, I should really try to configure this in such a way that the backdoor won't work, considering it's facing the internet directly. Any tips on that? Like is there known info out there on things that make sure the system can't be remoted through the backdoor? Ex: using add-on nics instead of built on etc.

If not enough info is available I might go AMD route, I heard they have a backdoor too but have not found much about it, I wonder if it's FUD.

If I go AMD was thinking something like this: https://www.memoryexpress.com/Products/MX68406 Would that CPU have AES-NI though? Can't find much info online.

And smallest motherboard I can find, and two add-on NICs. (would use riser cables so I can make the case smaller). Would power it by a Pico PSU, and build a custom case.

Won't be as low power as these premade boxes though, but might be more secure than anything Intel?

 

[mxnerd]

All modern AMD CPU supports AES instructions.

https://en.wikipedia.org/wiki/AES_instruction_set#AMD

Bought a used HP NC365T quad port (INTEL 82580 chipset) adapter (5 watts only) for under $30 from eBay (probably 2 years ago) like the following links.

https://h20195.www2.hpe.com/v2/GetPDF.aspx/c04111679.pdf

https://www.ebay.com/itm/HP-NC365T-...pter-Full-Height/292601536945?epid=2196420000

 

[Red Squirrel]

Good to know that seems like it could be an option then. Not planing on doing this that soon anyway so gives me more time to think about my options.

 

[aigomorla]

Sticking to intel NIC's is the best idea.

but those qotom use intel nics as well

• 4 x Intel I211-AT 10/100/1000 GbE Controller; No WiFi

The only problem i had with them is they RUN HOT.
that heat sink fin does absolutely nothing. Its like the fake exhaust ports they put on cars to make the thing look industrial.

This is why i ended up getting rid of mine, and went supermicro.
There is nothing better then supermicro when it comes to applications like this, and it probably only draws 15-20W more then the Qotom.

One option I was considering too is custom build,

im telling you RS, just build that SM i linked you with used parts.
Used SM parts are still rock solid, and will outlast anything we gamers have, and then some.



The 512L chasis is seriously <3 its quiet as well.

The chasis model number is:
https://www.supermicro.com/products/chassis/1U/512/SC512L-200B


You could probably build a used one like this:

Board:
https://www.ebay.com/itm/SuperMicro...set-X9SCM-F-/202335699718?hash=item2f1c25c306

Gut the system out of this:
https://www.ebay.com/itm/SUPERMICRO...h=item1ef254c925:g:7KIAAOSwl7dcN56V:rk:9:pf:0

CPU:
https://www.ebay.com/itm/SR0PH-Inte...h=item2f2c2b700a:g:-mYAAOSwVZ1cb1ky:rk:7:pf:0

https://ark.intel.com/content/www/u...n-processor-e3-1220-v2-8m-cache-3-10-ghz.html
Intel® AES New Instructions Yes

Ram:
https://www.ebay.com/itm/Hynix-8GB-...h=item3648690e08:g:DRIAAOSwEP9ccJvE:rk:8:pf:0

Just remember the Ram is ECC unbuffered... and not Registered.

you can also use a 90 degree riser and drop in a 4 port intel nic, if you need more nic ports.
And its highly serviceable...

You wont regret it... seriously....

 

[mxnerd]

The only problem i had with them is they RUN HOT.
that heat sink fin does absolutely nothing. Its like the fake exhaust ports they put on cars to make the thing look industrial.

Just buy a good USB fan and blow on it, nothing wrong with that. Think Xeon is overkill for a firewall.
https://www.amazon.com/AC-Infinity-MULTIFAN-Receiver-Playstation/dp/B00G059G86

No idea about Intel Manage Engine Vulnerability though. Wouldn't worry about it though.

 

[Red Squirrel]

Is the CPU heat sink connected to the case in any way to conduct heat? If not then yeah I can see it run hot. Would probably need to modify it somewhat and also add a fan.

 

[mxnerd]

Is the CPU heat sink connected to the case in any way to conduct heat? If not then yeah I can see it run hot. Would probably need to modify it somewhat and also add a fan.

You can apply better thermal paste for the CPU if you think it runs too hot.

8:30

 

[aigomorla]

QOTOM with an Atom E3845 will run you 260 dollars without ram or a mSATA.
https://www.amazon.com/Barebone-Ind...50&s=gateway&sprefix=qotom+aes,aps,196&sr=8-5

The SuperMicro Package i listed will run you:
Items (4)$238.94
Total$249.92

That is without making offers, which im sure you can win on a few for even lower.
That is without mSATA, or in that case a SSD which will run you an additional 26 dollars for a 120gb SSD. The SM is also fully serviceble, and parts replaceable, while the QOTOM isnt outside the mSATA, SO-DIMM, and power brick.

Is it overkill? Yea it is, but its overkill at a cheaper price and Red Squirrel has a RACK on top to fit it nicely.
So without even thinking twice, the Supermicro wins unless he wants it really compact and tiny.
Then there is no competition as the QOTOM is really tiny at that.

You can apply better thermal paste for the CPU if you think it runs too hot.

i tried that.. and i still could not get the thing to operate below 60 without adding a fan.
Yes you can add a fan on top, but its ugly... I did that, and i kept breaking the blades by accidentally touching them. Eventually i just got fed up, gave it to my cousin for him to use as a router, and went the SM route.



Well its ultimately up to you.
If you didnt have the rack, and you wanted tiny, i would say go QOTOM.
However since you do have the rack, and your not a novice network user, im telling you get the SM and dont look back.
IPMI is also a god send, well you can always reboot your Pfsense via webgui, but IPMI also lets you monitor the PC in more detail.

 

[Rifter]

Is the CPU heat sink connected to the case in any way to conduct heat? If not then yeah I can see it run hot. Would probably need to modify it somewhat and also add a fan.

It is connected to the case, mine was making good contact from the factory i tore it down to check, i did reapply better thermal compund while i had t apart. Mine never gets over 35C at 80-100% usage.

 

[mxnerd]

QOTOM Q330G4 (8GBRAM+16GMSSD) got very good reviews.

https://www.amazon.ca/pfSense-8GB-R...sitive&pageNumber=1&formatType=current_format

2 ports (8GBRAM+16GMSSD) https://www.amazon.ca/QOTOM-Q106P-S08-Mini-pfSense-Industrial/dp/B07LBB5G8F/ sets him back for 300 CDN$

RS wants to get the box around 10w.

Xeon 1220v2 CPU got a 80w TDP

anyway, it's Red Squirrel's choice.

 

[Red Squirrel]

10w is not really a requirement, it's more of nice perk. Lower the better I guess. Just don't want a 200w+ full blown computer like I have now. I am also debating going AMD route and doing custom build, but doubt I will get that under like 75w or so depending on the motherboard/cpu. Going to go with the smallest one I can find if I go custom route though and use a pico psu.

I'm leaning towards the QOTOM box though. If I'm going to downsize power usage may as well go all the way. $300 for what is essentially a fully functional PC is a pretty awesome deal too. Can't custom build that cheap.

 

[aigomorla]

I'm leaning towards the QOTOM box though. If I'm going to downsize power usage may as well go all the way. $300 for what is essentially a fully functional PC is a pretty awesome deal too. Can't custom build that cheap.

tiny is fun...

personally tho, i think i am going to retire the entire Pfsense soon honestly in lue of Ubiquiti's USG and completely move my network backbone over to there products.

I love Pfsense, but having everything being handled via web portal through cloudkey i feel is much simpler and easier on the back end.

But do follow up on what route you ultimately decide to go with, and your impressions on it.

 

[aigomorla]

Xeon 1220v2 CPU got a 80w TDP

https://ark.intel.com/content/www/u...n-processor-e3-1220-v2-8m-cache-3-10-ghz.html

69W TDP.

TDP is not entirely representative of power draw tho, as i highly doubt Pfsense will load up those cores to 100% unless ur doing some serious snorting... but you do make a point in it being 4x more TDP then a Q330G4

https://ark.intel.com/content/www/u...-8121u-processor-4m-cache-up-to-3-20-ghz.html

 

[LikeLinus]

I picked up a Dell R720ii (1U) from eBay for $99. They come standard with 2 NIC ports and sometimes you get lucky and they'll have an PCIe 4 port nic card. I got one with an E3-1240 v2, 16GB of ram, Intel 80GB SSD, 1TB HGST Dell HDD, and Intel 4 port NIC card. It's virtually silent in my rack and runs like a champ. A lot of people on Homelab using them. The one I got was re-branded "Riverbed Steelhead", but all I had to do was flash the bios back to the Dell and it's just like OEM. I saw that Goodwill Arizona had one for sale a couple of weeks ago for $99. I wanted it very much but didn't have a need for it

 

[Red Squirrel]

That's not exactly downsizing though, that's a full blown server box. Basically what I have now just different brand/model. Also not cheap here to buy stuff like that off Ebay as we get screwed with shipping and customs.

I'm kinda debating between a custom build, or one of those Qotom boxes but think I'll end up going with the Qotom.

 

[LikeLinus]

That's not exactly downsizing though, that's a full blown server box. Basically what I have now just different brand/model. Also not cheap here to buy stuff like that off Ebay as we get screwed with shipping and customs.

I'm kinda debating between a custom build, or one of those Qotom boxes but think I'll end up going with the Qotom.

Ha, that's true, sorry about that. I didn't realize you were in Canada either. I started out with a smaller box like that, a Zotac Zbox CI323, and had great luck with it. It's basically NUC sized and had 2 NICS. I just out grew it and wanted to do some VLANs and have something rack mounted. It took up less space than having a 2U shelf with the box on it. Good luck with the Qotom box!

 

[Red Squirrel]

Yeah that's the only thing with a box like this I'll end up having to use a shelf. I like the idea of the 1U Supermicro half depth boxes too but they end up expensive when all is said and done.

Are these boxes not capable of doing vlans though? I have like 10+ vlans on my network. Will it have issues with that?

My 2nd choice is a custom build based on the AMD "APU" cpus as they and the motherboards that take it are super cheap. I figure I should be able to get the build cost down to around $400-$500. More or less in full blown PC territory as far as power usage though, but probably still less than a server with a higher end CPU.

 

[mxnerd]

pfSense and ZBOX CI323. (with realtek ethernet)

https://forum.netgate.com/topic/92884/zotac-zbox-ci323-nano/39

CPU N3150 does support AES-NI
https://www.intel.com/content/www/us/en/products/processors/celeron/n3150.html

I would rather stick with QOTOM devices that come with INTEL ethernet, however. WiFi part with ZBOX is useless anyway. (Well, none of linux firewall distros work well with wifi)

 

[Red Squirrel]

I'm starting to consider a custom build again. The more I think about that dreaded ME backdoor, the more I want to try my best to mitigate it's presense. Going to go AMD, with add-on non name brand NICs. I figure that is a good chance of mitigating any sort of backdoor, if AMD has one too. But as far as I know they don't. Read some stuff but it sounds like it's only exploitable with actual access to the machine.

So this is what I'm thinking:

CPU: A6-9500 APU, 3.5GHz w/ 1MB Cache

Motherboard: PRIME A320M-K w/ DDR4 2666, 7.1 Audio, M.2, Gigabit LAN, PCI-E x16

Ram: https://www.memoryexpress.com/Products/MX66744

2xNIC: StarTech Gigabit Desktop Network Adapter, PCI-E

SSD: ADATA
Ultimate SU650 Solid State Drive, 2.5in, SATA III, 120GB

PSU: Mini-Box PicoPSU 160-XT, 160w, 12v input DC-DC Power Supply

12v PSU: 100W LRS Meanwell PSU 12v

Ends up more expensive, but still relatively cheap for what is basically an upgradeable PC. Subtotal comes up to a bit over $430 so with tax and shipping I figure around $550 or so when all is said and done. For case, I'll build something custom, probably a 2U short depth case or something. Oh and I'll want fans too, probably ok with a single 80mm one I'd think.

Not dead set on this though, those Qotom boxes sure are attractive, much cheaper, and much lower power usage, and smaller. I have yet to hear of anyone being hacked through Intel ME... so it's probably still considered a low risk thing at this point, until someone figures out how to remotely activate it. (port triggering or something?) then I can act on it at that point.

If I get a 13.5v PSU instead of 12v I could also stick a big battery in the middle and it will essentially have it's own backup power, could also have aux outputs for my ONT and Wifi. Though it probably makes sense to just keep everything on the big UPS.

 

[mxnerd]

Interesting reading

pfSense and Intel AMT vulnurability
https://forum.level1techs.com/t/pfsense-and-intel-amt-vulnurability/115782

 

[Red Squirrel]

Interesting reading

pfSense and Intel AMT vulnurability
https://forum.level1techs.com/t/pfsense-and-intel-amt-vulnurability/115782

I read that too. Seems not using onboard Nics might be the trick. Wonder how the Qotum boxes are setup, like if the NICs are considered "onboard" or not. They are part of the same board I imagine, but maybe it's still just using a pcie lane internally and the same as an addon card.

 

[mxnerd]

I read that too. Seems not using onboard Nics might be the trick. Wonder how the Qotum boxes are setup, like if the NICs are considered "onboard" or not. They are part of the same board I imagine, but maybe it's still just using a pcie lane internally and the same as an addon card.

According to the post, the vulnerability only occurs on some CPUs combined with firmware and motherboard integrated network chips. Don't know if QOTOM implemenst AMT technology in its firmware at all. If not, maybe nothing to worry about. But since we couldn't find any info about it, there might be some risks.

==

https://www.reddit.com/r/PFSENSE/comments/7rzamn