Over the past few weeks, the new pfSense CE 2.6.0 was released, and that has allowed us to more directly use a machine we purchased some time ago. There is an inexpensive 4x 2.5GbE Intel i225 (B3) machine out there that now works with pfSense. OS support as a whole is not overly mature, but we have had Ubuntu running on these as well. It seems that now might be the time when upgrading to an inexpensive 2.5GbE firewall is possible. Let us get into the box, and what it offers.
Inexpensive 4x 2.5GbE Fanless Router Firewall Box Review
We actually have a little video accompanying this one where we go into the experience, as well as discussing how it compares to an ISP-provided router and WiFi unit. You can find the video here:
As always, we suggest opening this in its own YouTube tab, window, or app for a better viewing experience.
The box itself goes by many names. Here is the unit we have on Amazon (affiliate link) and we will note it was quite pricey for the 8GB/256GB configuration. We would only recommend getting that much storage and memory if you have a good reason for it, but since we wanted to use it with Linux as well until pfSense support arrived, we used the extra capacity.
The tricky part is that the same motherboard at the heart of this system gets used in many systems with different exteriors. We ordered the less expensive Topton version with a larger heatsink chassis via AliExpress, but that is making a slow journey being dragged across the Pacific Ocean, seemingly via a lobster.
We also have a few more of these smaller heatsink units, but our best advice is to look at the USB, VGA, and HDMI side to ensure it is this motherboard. Also, you will want to ensure you get the same revision of the Intel i225 NICs and likely the Intel Celeron J4125 as we did. Then it is a matter of cost. Let us now get to that hardware to see what we got.
Inexpensive 4x 2.5GbE Fanless Router Firewall Box Hardware Overview
Let us just start with the star of the show. This palm-sized box (you can see it in my hand in the video) has four ports, ETH0-ETH3. Each is a 2.5GbE port, a big upgrade over the previous generation 1GbE models that many of our STH readers use. We also get status LEDs and a 12V DC input on this side.
The other side has the power button. Our unit was configured to turn on immediately on AC power, which is always nice. We also have two USB 3 ports, an HDMI port, and a VGA port. This unit does not have out-of-band management, and that is a good thing.
A quick note is that there is also a reset switch and there are two covers for WiFi antenna holes. We usually would not recommend WiFi in this box, and instead simply tell our readers to use dedicated APs. If you are spending a few hundred dollars on a firewall, then most likely you have dedicated WiFi APs as well.
The chassis is not completely closed; there are actually air vents on the side.
Cooling, however, is provided by the metal chassis with the small heatsink on the top. This unit absolutely sipped power, with most of our usage in the single-digit watts range.
The processor is an Intel Celeron J4125 quad-core CPU with a 2.0GHz base and a 2.7GHz turbo clock. It is part of the Gemini Lake Refresh series of CPUs. Since this is an Atom part, it has a paltry maximum TDP of 10W.
Inside the system, we have a few components. One that we are not going to talk about much is that there is a SATA data and power setup, and one can mount a 2.5″ drive to the lid. We instead have an mSATA drive.
Here is a shot of the inside of the system. The NICs are Intel i225-V SLNMH units and that means they are stepping B3. Stability problems with earlier steppings of the i225 necessitated new steppings.
Here we can see the single 8GB DDR4 SODIMM and our 256GB SSD. Again, this is overkill for most pfSense or OPNsense appliances, but if you want to run Linux, then it may make sense.
One can also see a SIM card slot and a slot for a WiFi card. Again, we suggest simply getting external WiFi here.
Next, let us get to the software.
I don’t really care for Netgate or pfSense, is there a chance you can test it with OpnSense or VyOS? Heck, even OpenWRT would do.
What sort of switching speed can it achieve between the ports if they are bridged?
2.5gb switches are nearly as expensive as this box anyway so in the meantime might make a lot of sense for home users that want 2.5gb to run something like this for their router and to plug in a small number of 2.5gb devices until the switches come down in price.
I suspect this would perform better on openwrt than pfsense from my own experience.
Reminder: pfSense is lying about being open source [1]. They also shipped a dumpsterfire wireguard implementation to their customers [2].
Basically, pfsense should not be recommended for anything.
1: https://github.com/rapi3/pfsense-is-closed-source
2: https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/
Is the WiFi slot just a normal PCIe slot? Does that mean you could put another NVMe device in there if you didn’t want to use the WiFi?
Another vote for a Linux install – perhaps not a mid-range desktop distribution like Ubuntu but a slower moving server distro like Debian, and a bleeding edge latest-hardware-supported distro like Arch.
The Debian install would tell you how recently the hardware support was added to the Linux kernel (possibly showing similar problems to those mentioned in the article with the older version of pfSense only detecting the NICs as 1 Gbps) and Arch would tell you what is supported in the latest kernel release, so you know what kind of hardware support will eventually make it to other Linux distributions.
It would also be good to have some hard specifications, like what Mikrotik have on their product spec pages. They list how many packets per second (and MB/sec) their products can push in a handful of configurations – bridging only, with 10 firewall rules, with 25 firewall rules, etc. They don’t include a test with a loopback interface (like localhost) however, which would be useful to know the bandwidth limit of the CPU. For example if you did a test routing through localhost with 25 firewall rules and got 4 Gbps, then that would tell you that with all four 2.5 Gbps ports in active use at full bandwidth, you’d be limited to 1 Gbps of throughput per port because of the CPU. If this were true it could reveal that the device isn’t any better than an existing gigabit router for busy networks, for example.
The article said this was an “inexpensive” unit
Amazon lists the cheapest model at 307. For that price you might as well buy the Netgate 2100
Call me back when someone releases a $150 one with 2.5gb
The AliExpress version is just over $200. For quad 2.5g this isn’t bad at all.
Cheap hardware for running pfSense is scarce. Especially if you need more than 4 ports. Also the Netgate solutions are costly.
I owned an older model that at some point just stopped working as the intel atom processor inside failed to start (clock bug).
I like pfSense but I agree that it is not so open source.
@Paul, the Netgate 2100 has only 1 gigabit WAN port and 4 switched gigabit LAN ports, then it costs 40% more. The specs are very different and as someone who wants multi-WAN and more than gigabit, this is compelling.
I would have loved to see some performance numbers on a stock bare-metal pfSense install.
Just wonder if I shall wait for a Jasper Lake based solution? On paper, Jasper Lake provides way larger RAM support (16GB versus 8GB) and around 30% performance uplift? However if the J4125 can handle it just fine, then probably spending more won’t be justified for slightly more throughput
@Sorin N
You can usually find stuff from ODMs like Yanling and Qotom with 8 Intel NICs on-board. They have started to ship multi-2.5 and multi-5 GbE ports recently, with updated SoCs and mobile CPUs as well.
@Paul
Even if the netgate hardware was good, it takes over a month to get here while any random china box takes less than a week…
Yeah, OPNsense is already at freebsd 13 and on a reliable release plan with scheduled updates monthly, none of that is true with netgate and the latest pfsense CE (dead man walking) or pfsense plus.
Nice to see reasonably priced DIY options as 2Gbps and 5Gbps speed tiers become more available from ISP’s.
I was hoping for a spectacular Patrick Kennedy review of a network device given that his past reviews show more quality than some other STH reviewers (that shall remain nameless).
I was let down by this lackluster review that seemed to be little more than a softball pitch for supporting overseas retailing enterprises based in a certain country (that shall remain nameless).
It would have been nice to see some bandwidth & throughput graphs.
It would be nice to see a PCIe map breaking out how the logical internal architecture of the device is connected.
Even a quick detour of a few paragraphs to discuss the SoC being used based on its own Intel ARK datapage would have been appropriate.
It would have been nice if this review did not come across as a homage by Patrick to pfSense, another product that STH has long held in high esteem (and rarely taken any shots at) along with Proxmox and a few others. I wonder what really looks like? Journalistic patronage or preferred vendors? I thought STH was better than that; they have said in the past that they are (unless Winston Smith was ordered to wipe away those webpages).
Next time, how about more in-depth product details: STH has proven they ARE CAPABLE of that, when they want to do the work…loose screws & poorly mounted APs notwithstanding.
Save us the trials & tribulations of buying stuff that is being obviously shipped from overseas to the USofA; the entire world knows the legacy supply chain system is b0rked now, it’s old news yet you waste 1/2 a page or so on it.
Seriously, this article impressed me as something that was spun up over your morning crisps and cocoa. Score: 1 out of 5, with 5 being best & no partial points allowed
4 x 2.5GbE is overkill for such a weak CPU with a single memory channel for full blown OPNSense, especially if Zenarmor is deployed. A 1gbps version for 120-150$ depending on RAM/SSD will be worth it. For over 300$ I will choose a second hand Haswell SFF with 2xSFP+ on PCIE every time. I have no intentions to pay spared money from energy upfront to the manufacturer, only because the CPU is weak and consumes less energy :)
That sleepy person seems sad. This review is fine and I don’t have an issue using pfSense CE as a baseline. Even if it’s starting to fall out of favour it’s still the big project.
If you want to see something trippy though — look at the lower end Untangle boxes. Those are the same front and rear ports almost as this, but they’ve got older CPUs, NICs, and they’ve got bigger heatsink cases, but they’re the same motherboard shop I’d bet.
I run pfSense on a Lanner box albeit with 1G Intel NICs and sometimes get patches that fix BIOS vulnerabilities. I suspect boxes of this type are not similarly supported.
Since they face the open Internet, does the fact that they are not running arbitrary applications make for an adequate mitigation for a BIOS vulnerability?
There is a jasper lake with nvme support as well but China only atm
Untangle won’t run well on this box (yet). The 4 port 2.5GbE Intel chipset needs kernel 4.20 or higher and Untangle is at 4.19.
They are still working their port to Debian Bullseye, once that is out, this will work correctly.
As it stands today, kernel 4.19 will only activate 3 of the NICs out of the 4 and they will only run at 1GbE.
No real depth to the review (throughput testing?!) and the acceptance of pfsense as a viable firewall vendor given its wireguard disaster and its abuse of open source shows a lack of perspective. Pretty much pap.
I mean they covered the wireguard thing and talked about throughput so North I don’t know what you’re talking about. https://www.servethehome.com/pfsense-and-freebsd-pull-back-on-kernel-wireguard-support/
I ordered one of these. I’m just trying to get everything on 2.5g
Superficial article, with many words and not enough testing and useful data.
No test comparing AES performance
No test comparing OpenVPN, IPsec, wireguard.
No performance testing 4 NIC switching capabilities
No performance test with IDS and IPS
And so on…
Basically is completely useless to help for a choice in real case scenario.
I was really expecting multi 10gbe and WiFi 6e to be the normal by now.
The lack of IPMI or VPro, or even a serial interface makes it difficult to like. Yes IPMI will use ~8W but having a TinyPilot will use just as much power which makes the discussion about where you want your out-of-band management, built-in or not built-in.
@Casper: Yes, the beauty of VPro is from a power standpoint: it gives you much of the same OoB management as IPMI but at only ~1W standby power. I actually prefer it over IPMI for this reason. I have no experience with DASH, the AMD equivalent. Anybody using that? Preferably with non-Windows client?
I recently changed Internet provider because my previous provider locked things down quite hard. (no access to sip settings remote management of the router etc)
I replaced it with complete overkill
J4125 based router running proxmox with a pfsense VM and a omada controller lxc
2 ports are dedicated to pfsense (pci passthrough to guest OS)
the other 2 are bonded uplinks for a vlan aware bridge in proxmox
Tplink networking throughout
8 port poe gigabit switching (SG-2008p) 8 port poe smart switch
EAP-615-Wall poe+ powered ap with 3x gigabit ports for my office
EAP-620 as the ‘main’ AP
Separated vlans for
Device management (ap and switch ip’s),
Wifi (I plan to have multiple essids mapped to vlans for things like IOT lights etc stuff)
Client Machines
There is a N6005 version for +35 USD more, newer generation, dual ram slot, better performance.
I really hate pfSense though, I wonder if this will work with OpenWRT?
Keep in mind that the cost of these generic pfSense boxes inflated a lot during last year.
I bought a dual GbE J4125 box on Jan 2021 and costs me merely over $100, now the same unit is listed almost $200 on AliExpress. Crazy times
@Murat Tosun
It should work with OpenWRT, hardware support may even be better. I’m using openwrt on a Gigabyte BRIX GB-BMPD-6005 (uses Pentium N6005), only needed some Kernel modules for the USB3 Ethernet dongles.
I ordered two of these to try based on this review and neither one worked at all. No video, no POST, nada. The only thing they would do is beep if booted without RAM installed. The power button didn’t even work, just always lit up blue whenever power was plugged in.
UPDATE – Apparently these only work with single-rank RAM. Dual-ranked causes the lack of video mentioned previously. This info is now shown on the product page on Amazon. Also, there is a jumper labeled “AUTO_PWRON” that disables the power button and locks the unit on. It would be great if there was a manual with any of this info in it.
Ordered one from Amazon NL.
Perhaps STH should use affiliate links to more Amazon stores.
Based on the review and price, I ordered one without memory and SSD and sourced 16GB memory and 128GB SSD elsewhere.
Memory and SSD were delivered.
The Hunsn box ships from Shenzhen and is still in the distribution center. I ordered it on the Amazon Hunsn shop.
Expected delivery End of May or June. Except for Amazon DOA ease of send back I could have ordered it on Ali-Express.
Hi. I am just wondering how or if the I225V3 NICs handle traffic shaping. They show as IGC4 in pfSense. I have read the following from Netgate re hardware limitations. Thanks. Traffic shaping is performed with the help of ALTQ. Unfortunately, only a subset of all supported network cards are capable of using these features because the drivers must be altered to support ALTQ shaping. The following network cards are capable of using traffic shaping:
So just out of curiosity, i got a N5105 unit with the 4x 2.5Gbe.
But after a minute it gets pretty toasty to the touch. CPU thermal in Pfsense states 71.1 / 55.1 Celsius, which for a 10W TDP looks a bit warm?
Anyone else?
Hello, the models from Topton (AliExpress seller) are known to have energy consumption issues. Some users reported that even their PSU will draw 1w while not being connected to the router. Their N5105 actually consumes about 27w instead of 10W. You can try to modify power consumption mode from “adaptive” to “minimal” in pfSense configuration. Also, in BIOS configuration enable power saving options which may help to reduce power consumption and heat. But this will not resolve the hardware issue from Topton (and similar sellers). They need to optimise power consumption in future releases.
Ordered mine from topton on Aliexpress April 22nd and it arrived on June 15th. Perfect timing because the protecli FW4B it replaced was dying. Couldn’t get it to power on until I swapped out NVME storage for SATA. Could be the stick I bought or the device. For now it’s running PFSense and since it was the last link in the chain upgrading my comcast internet connection to all 2.5 gigabit / 10 gigabit devices, speed test at a downstream desktop with a 2.5gbe NIC went from 920 Mbps to 1.4 Gbps, so that’s a welcome uplift until I invest in the $300/mo Gigabit Pro package.
That’s worth it right there David. You got 50% better download speeds for $350? Better than a new xfinity or comcast modem.
Like @Funda, I am concerned about BIOS support. Does anyone know if a system like this can get BIOS updates? Can it be trusted as a gateway?
Just purchased this myself and am also interested in availability of bios updates (and a manual!)
@Mike or @Funda have you learned anything on that front?
Can this be used as a WiFi access point? (I understand the suggestion is to use a separate access point) I see that it has the 2 slots for Wifi antenna, but what all would need to be done to enable these as access points? What parts need to be bought and can it be setup in pfSense to manage it?
My guess is that you’d need to buy a Wifi card, and the 2 antenna (as they do not come pre-standard in the box). But is this just a normal Wifi card or do you need something special for using as an access point? Is there any suggestion on antenna that should be bought?
And finally what needs to be done in pfSense to get it working as a wireless access point?
Any guide/youtube video that you can point me to would be much appreciated.
been curious about their larger variant. the sfp+ interface is fairly critical for edge ports whether 1 or 10G
joel – we have a review of that one coming, hopefully this week.
Which firewall appliances of the many you have reviewed support Coreboot? Seems an essential element to me for water-tight security, for those that really care. Thanks!