pfSense Challenges and pfSense 2.6.0 to the Rescue
On the pfSense side, the big challenge has been Intel i225 support. With pfSense 2.5.2, the out-of-box experience was that the NICs were detected as the Intel PRO/1000 NICs. While these would link up, and one could pass traffic, things like DNS would throw errors and not work.
With pfSense 2.6.0, this has changed and the four Intel i225-V NICs are detected and work out of the box.
The net impact is that we did not have to disable hardware checksum offloading, try to install new drivers, or anything like that. Things just worked, and we have used a few of these models for several weeks now; they seem to be stable. The hard part is that i225 support is still arriving across operating systems, so if you are using an older OS, double-check that it supports the NIC before you deploy, or it will be hard to download and install drivers later.
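As an added example (not from the article or the pfSense project), here is a small shell check that reads `pciconf -lv` output on FreeBSD/pfSense and reports which driver each Intel I225 port is bound to, so the "does this OS support the NIC" question can be answered before a box goes into service. It assumes the PRO/1000 fallback the article describes is the em(4) driver, that native support is igc(4), and that an unbound port shows up as `noneN@`; the sample input is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the STH article. Classifies Intel I225 NICs by the
# driver FreeBSD/pfSense attached to them, parsing `pciconf -lv` output.
# Assumptions (mine): the article's "detected as Intel PRO/1000" case is the
# em(4) driver, native support is igc(4), and an unbound device is "noneN@".

# Reads pciconf -lv text on stdin; prints "<pci selector> <driver> <verdict>"
# for every device whose description mentions I225.
classify_i225() {
    awk '
        # Header line, e.g. "igc0@pci0:1:0:0: class=0x020000 rev=0x03 ..."
        /^[a-z]+[0-9]+@pci/ {
            split($1, p, "@")
            drv = p[1]; sub(/[0-9]+$/, "", drv)     # igc0 -> igc
            sel = p[2]; sub(/:$/, "", sel)          # drop trailing colon
            next
        }
        # Indented "device = ..." line carries the controller name.
        /^[ \t]+device[ \t]*=/ && /I225/ {
            if (drv == "igc")       v = "native-igc-ok"
            else if (drv == "em")   v = "pro1000-fallback-check-offload"
            else if (drv == "none") v = "no-driver-attached"
            else                    v = "unexpected-driver"
            printf "%s %s %s\n", sel, drv, v
        }'
}

# Returns 0 only when every I225 on stdin is bound to igc(4).
all_i225_native() {
    classify_i225 | awk 'BEGIN { bad = 0 } $3 != "native-igc-ok" { bad = 1 } END { exit bad }'
}

# Constructed sample (not a real capture): three I225-V ports, one per state.
SAMPLE=$(cat <<'EOF'
igc0@pci0:1:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x15f3
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I225-V'
    class      = network
    subclass   = ethernet
em0@pci0:2:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x15f3
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I225-V'
    class      = network
    subclass   = ethernet
none0@pci0:3:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x15f3
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I225-V'
    class      = network
    subclass   = ethernet
EOF
)

# On a live box: pciconf -lv | classify_i225
printf '%s\n' "$SAMPLE" | classify_i225
```

A port reported as the em(4) fallback is the case where the article saw working links but broken DNS, so that is the one to treat as unsupported rather than "good enough".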
Power and Performance
In terms of power, we had a small 12V adapter that was plenty to power this unit.
In operation, with no network cables connected, idle was around 4.5W. This system does not have a BMC such as an ASPEED AST2500 or AST2600, but if it did, that BMC would use about as much power. Instead, we took the pfSense screenshots via TinyPilots.
Maximum power consumption was around 10W, but realistically, most of our users are going to see daily use below 10W.
In terms of performance, the Intel Celeron J4125 is slightly faster than the Intel Atom C3558, by roughly 8-11% on most benchmarks, so the difference is not large. Both are also a fraction of the performance of even the 1L PC TinyMiniMicro nodes that we look at. The net impact is a low power system that can push over 2Gbps in straight NAT mode, while VPN performance was in the 400-800Mbps range, with OpenVPN much slower and IPsec faster. Of course, that was in simple benchtop configurations, not in WAN-deployed VPNs, and without firewall rules or other rules. We are working to revamp our firewall testing methodology later this year.
Still, and this is mentioned in the video, the big difference was really the stability. Since the i225s had been problematic, we put one of these in my house with around 10 TinyMiniMicro 1L PCs, a NAS, a Ubiquiti WiFi setup, and a few switches, just to test one of my WAN connections, the Spectrum cable. I wanted to see if the ISP-provided router/WiFi combos have gotten better. What we found is that pushing traffic over pfSense gave us single-digit percentage better latency than going over the ISP-provided box, and it was more reliable, not requiring reboots, nor hitting periods of unacceptable QoS that required restarts.
Final Words
Of course, for many of our readers, the Netgate 6100 is a better option, and it is not from a rebranded OEM source that does not get things like safety certifications. One can also use pfSense Plus on the Netgate boxes. The extra cost also gets things like 10GbE and SFP(+) interfaces. Still, we recognize that many of our readers like to DIY and may not have the budgets for the branded boxes.
At $250-380, having a quad 2.5GbE firewall is awesome. This year we are seeing more PCs with 2.5GbE, and WiFi 6(E) APs have been adopting 2.5GbE as well. We have also seen more NAS units adopt the standard. The big challenge is still the switch side, but we hope that is getting better soon. Three months ago, we would have recommended the 1GbE version of this inexpensive firewall/router combo. Now that it works out of the box with pfSense 2.6.0, it seems like this little box may actually be a winner.
Our little fleet of these units is being used as internal VPN endpoints and has been working relatively well thus far, to the point that we figured we would publish the review. Of course, it is a bit hard to review a product sold with either the same or slightly different sheet metal by dozens of companies, but at least that offers some choice. Please do ensure you are getting units with the newer B3 stepping of the Intel i225-V, since with silicon steppings you generally want the later revision.
I don’t really care for Netgate or pfSense, is there a chance you can test it with OPNsense or VyOS? Heck, even OpenWRT would do.
What sort of switching speed can it achieve between the ports if they are bridged?
2.5gb switches are nearly as expensive as this box anyway, so in the meantime it might make a lot of sense for home users who want 2.5gb to run something like this as their router and to plug in a small number of 2.5gb devices until the switches come down in price.
I suspect this would perform better on openwrt than pfsense from my own experience.
Reminder: pfSense is lying about being open source [1]. They also shipped a dumpster-fire WireGuard implementation to their customers [2].
Basically, pfsense should not be recommended for anything.
1: https://github.com/rapi3/pfsense-is-closed-source
2: https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/
Is the WiFi slot just a normal PCIe slot? Does that mean you could put another NVMe device in there if you didn’t want to use the WiFi?
Another vote for a Linux install – perhaps not a mid-range desktop distribution like Ubuntu but a slower moving server distro like Debian, and a bleeding edge latest-hardware-supported distro like Arch.
The Debian install would tell you how recently the hardware support was added to the Linux kernel (possibly showing similar problems to those mentioned in the article with the older version of pfSense only detecting the NICs as 1 Gbps) and Arch would tell you what is supported in the latest kernel release, so you know what kind of hardware support will eventually make it to other Linux distributions.
It would also be good to have some hard specifications, like what Mikrotik have on their product spec pages. They list how many packets per second (and MB/sec) their products can push in a handful of configurations – bridging only, with 10 firewall rules, with 25 firewall rules, etc. They don’t include a test with a loopback interface (like localhost) however, which would be useful to know the bandwidth limit of the CPU. For example if you did a test routing through localhost with 25 firewall rules and got 4 Gbps, then that would tell you that with all four 2.5 Gbps ports in active use at full bandwidth, you’d be limited to 1 Gbps of throughput per port because of the CPU. If this were true it could reveal that the device isn’t any better than an existing gigabit router for busy networks, for example.
The article said this was an “inexpensive” unit
Amazon lists the cheapest model at 307. For that price you might as well buy the Netgate 2100.
Call me back when someone releases a $150 one with 2.5gb
The AliExpress version is just over $200. For quad 2.5g this isn’t bad at all.
Cheap hardware for running pfSense is scarce, especially if you need more than 4 ports. Also, the Netgate solutions are costly.
I owned an older model that at some point just stopped working, as the Intel Atom processor inside failed to start (clock bug).
I like pfSense but I agree that it is not so open source.
@Paul, the Netgate 2100 has only 1 gigabit WAN port and 4 switched gigabit LAN ports, then it costs 40% more. The specs are very different and as someone who wants multi-WAN and more than gigabit, this is compelling.
I would have loved to see some performance numbers on a stock bare-metal pfSense install.
Just wondering if I should wait for a Jasper Lake based solution? On paper, Jasper Lake provides way larger RAM support (16GB versus 8GB) and around a 30% performance uplift? However, if the J4125 can handle it just fine, then probably spending more won’t be justified for slightly more throughput.
@Sorin N
You can usually find stuff from ODMs like Yanling and Qotom with 8 Intel NICs on-board. They have started to ship multi-2.5 and multi-5 GbE ports recently, with updated SoCs and mobile CPUs as well.
@Paul
Even if the netgate hardware was good, it takes over a month to get here while any random china box takes less than a week…
Yeah, OPNsense is already at FreeBSD 13 and on a reliable release plan with scheduled updates monthly; none of that is true with Netgate and the latest pfSense CE (dead man walking) or pfSense Plus.
Nice to see reasonably priced DIY options as 2Gbps and 5Gbps speed tiers become more available from ISPs.
I was hoping for a spectacular Patrick Kennedy review of a network device given that his past reviews show more quality than some other STH reviewers (that shall remain nameless).
I was let down by this lackluster review that seemed to be little more than a softball pitch for supporting overseas retailing enterprises based in a certain country (that shall remain nameless).
It would have been nice to see some bandwidth & throughput graphs.
It would be nice to see a PCIe map breaking out how the logical internal architecture of the device is connected.
Even a quick detour of a few paragraphs to discuss the SoC being used based on its own Intel ARK data page would have been appropriate.
It would have been nice if this review did not come across as a homage by Patrick to pfSense, another product that STH has long held in high esteem (and rarely taken any shots at) along with Proxmox and a few others. I wonder what that really looks like? Journalistic patronage or preferred vendors? I thought STH was better than that; they have said in the past that they are (unless Winston Smith was ordered to wipe away those webpages).
Next time, how about more in-depth product details: STH has proven they ARE CAPABLE of that, when they want to do the work… loose screws & poorly mounted APs notwithstanding.
Save us the trials & tribulations of buying stuff that is being obviously shipped from overseas to the USofA; the entire world knows the legacy supply chain system is b0rked now, it’s old news yet you waste 1/2 a page or so on it.
Seriously, this article impressed me as something that was spun up over your morning crisps and cocoa. Score: 1 out of 5, with 5 being best & no partial points allowed
4 x 2.5GbE is overkill for such a weak CPU with a single memory channel for full-blown OPNsense, especially if Zenarmor is deployed. A 1gbps version for $120-150, depending on RAM/SSD, would be worth it. For over $300 I will choose a second-hand Haswell SFF with 2xSFP+ on PCIe every time. I have no intention of paying the money saved on energy upfront to the manufacturer, only because the CPU is weak and consumes less energy :)
That sleepy person seems sad. This review is fine and I don’t have an issue using pfSense CE as a baseline. Even if it’s starting to fall out of favour it’s still the big project.
If you want to see something trippy though — look at the lower end Untangle boxes. Those are the same front and rear ports almost as this, but they’ve got older CPUs, NICs, and they’ve got bigger heatsink cases, but they’re the same motherboard shop I’d bet.
I run pfSense on a Lanner box albeit with 1G Intel NICs and sometimes get patches that fix BIOS vulnerabilities. I suspect boxes of this type are not similarly supported.
Since they face the open Internet, does the fact that they are not running arbitrary applications make for an adequate mitigation for a BIOS vulnerability?
There is a jasper lake with nvme support as well but China only atm
Untangle won’t run well on this box (yet). The 4 port 2.5GbE Intel chipset needs kernel 4.20 or higher and Untangle is at 4.19.
They are still working their port to Debian Bullseye, once that is out, this will work correctly.
As it stands today, kernel 4.19 will only activate 3 of the 4 NICs, and they will only run at 1GbE.
No real depth to the review (throughput testing?!) and the acceptance of pfsense as a viable firewall vendor given its wireguard disaster and its abuse of open source shows a lack of perspective. Pretty much pap.
I mean, they covered the WireGuard thing and talked about throughput, so North, I don’t know what you’re talking about. https://www.servethehome.com/pfsense-and-freebsd-pull-back-on-kernel-wireguard-support/
I ordered one of these. I’m just trying to get everything on 2.5g
Superficial article, with many words and not enough testing and useful data.
No test comparing AES performance
No test comparing OpenVPN, IPsec, wireguard.
No performance testing 4 NIC switching capabilities
No performance test with IDS and IPS
And so on…
Basically it is completely useless to help with a choice in a real-case scenario.
I was really expecting multi 10gbe and WiFi 6e to be the normal by now.
The lack of IPMI or vPro, or even a serial interface, makes it difficult to like. Yes, IPMI will use ~8W, but having a TinyPilot will use just as much power, which makes the discussion about where you want your out-of-band management: built-in or not built-in.
@Casper: Yes, the beauty of vPro is from a power standpoint: it gives you much of the same OoB management as IPMI but at only ~1W standby power. I actually prefer it over IPMI for this reason. I have no experience with DASH, the AMD equivalent. Anybody using that? Preferably with a non-Windows client?
I recently changed Internet provider because my previous provider locked things down quite hard (no access to SIP settings, remote management of the router, etc.).
I replaced it with complete overkill:
J4125-based router running Proxmox with a pfSense VM and an Omada controller LXC
2 ports are dedicated to pfSense (PCI passthrough to guest OS)
the other 2 are bonded uplinks for a VLAN-aware bridge in Proxmox
TP-Link networking throughout
8 port PoE gigabit switching (SG-2008P) 8 port PoE smart switch
EAP-615-Wall PoE+ powered AP with 3x gigabit ports for my office
EAP-620 as the ‘main’ AP
Separate VLANs for:
Device management (AP and switch IPs),
WiFi (I plan to have multiple ESSIDs mapped to VLANs for things like IoT lights etc.)
Client machines
There is a N6005 version for +35 USD more, newer generation, dual ram slot, better performance.
I really hate pfSense though, I wonder if this will work with OpenWRT?
Keep in mind that the cost of these generic pfSense boxes inflated a lot during the last year.
I bought a dual GbE J4125 box in Jan 2021 and it cost me just over $100; now the same unit is listed at almost $200 on AliExpress. Crazy times.
@Murat Tosun
It should work with OpenWRT; hardware support may even be better. I’m using OpenWRT on a Gigabyte BRIX GB-BMPD-6005 (uses Pentium N6005), and only needed some kernel modules for the USB3 Ethernet dongles.
I ordered two of these to try based on this review and neither one worked at all. No video, no POST, nada. The only thing they would do is beep if booted without RAM installed. The power button didn’t even work, just always lit up blue whenever power was plugged in.
UPDATE – Apparently these only work with single-rank RAM. Dual-rank causes the lack of video mentioned previously. This info is now shown on the product page on Amazon. Also, there is a jumper labeled “AUTO_PWRON” that disables the power button and locks the unit on. It would be great if there was a manual with any of this info in it.
Ordered one from Amazon NL.
Perhaps STH should use affiliate links to more Amazon stores.
Based on the review and price, I ordered one without memory and SSD and sourced 16GB memory and 128GB SSD elsewhere.
Memory and SSD were delivered.
The Hunsn box ships from Shenzhen and is still in the distribution center. I ordered it on the Amazon Hunsn shop.
Expected delivery is the end of May or June. Except for Amazon’s ease of sending back a DOA unit, I could have ordered it on AliExpress.
Hi. I am just wondering how, or if, the I225-V3 NICs handle traffic shaping. They show as IGC4 in pfSense. I have read the following from Netgate re hardware limitations. Thanks. Traffic shaping is performed with the help of ALTQ. Unfortunately, only a subset of all supported network cards are capable of using these features because the drivers must be altered to support ALTQ shaping. The following network cards are capable of using traffic shaping:
So just out of curiosity, I got an N5105 unit with the 4x 2.5GbE.
But after a minute it gets pretty toasty to the touch. CPU thermal in pfSense states 71.1 / 55.1 Celsius, which for a 10W TDP looks a bit warm?
Anyone else?
Hello, the models from Topton (AliExpress seller) are known to have energy consumption issues. Some users reported that even their PSU will draw 1W while not being connected to the router. Their N5105 actually consumes about 27W instead of 10W. You can try to change the power consumption mode from “adaptive” to “minimal” in the pfSense configuration. Also, in the BIOS configuration, enable power saving options, which may help to reduce power consumption and heat. But this will not resolve the hardware issue from Topton (and similar sellers). They need to optimise power consumption in future releases.
Ordered mine from Topton on AliExpress April 22nd and it arrived on June 15th. Perfect timing, because the Protectli FW4B it replaced was dying. Couldn’t get it to power on until I swapped out NVMe storage for SATA. Could be the stick I bought or the device. For now it’s running pfSense, and since it was the last link in the chain upgrading my Comcast internet connection to all 2.5 gigabit / 10 gigabit devices, a speed test at a downstream desktop with a 2.5GbE NIC went from 920 Mbps to 1.4 Gbps, so that’s a welcome uplift until I invest in the $300/mo Gigabit Pro package.
That’s worth it right there, David. You got 50% better download speeds for $350? Better than a new Xfinity or Comcast modem.
Like @Funda, I am concerned about BIOS support. Does anyone know if a system like this can get BIOS updates? Can it be trusted as a gateway?
Just purchased this myself and am also interested in the availability of BIOS updates (and a manual!)
@Mike or @Funda have you learned anything on that front?
Can this be used as a WiFi access point? (I understand the suggestion is to use a separate access point) I see that it has the 2 slots for Wifi antenna, but what all would need to be done to enable these as access points? What parts need to be bought and can it be setup in pfSense to manage it?
My guess is that you’d need to buy a Wifi card, and the 2 antenna (as they do not come pre-standard in the box). But is this just a normal Wifi card or do you need something special for using as an access point? Is there any suggestion on antenna that should be bought?
And finally what needs to be done in pfSense to get it working as a wireless access point?
Any guide/youtube video that you can point me to would be much appreciated.
Been curious about their larger variant. The SFP+ interface is fairly critical for edge ports, whether 1 or 10G.
joel – we have a review of that one coming, hopefully this week.
Which firewall appliances of the many you have reviewed support Coreboot? Seems an essential element to me for water-tight security, for those that really care. Thanks!