Intel Celeron J6413 Powered 6x i226 2.5GbE Fanless Firewall Internal Hardware Overview
We ordered this unit with memory and storage, which takes the form of a 16GB 2666 DDR4 VASEKY SODIMM, and a 256GB VASEKY SSD. Here is a picture with the slots populated.
The motherboard itself has two DIMM slots:
Usually, vendors of these systems only configure memory modules in one of these two slots to save on cost and power/heat. Here is the actual VASEKY 16GB DDR4 SODIMM that we received.
The SSD situation was a bit different. In most of the recent N5105/N6005 units we have reviewed, we have seen M.2 NVMe SSDs as the standard. In this system, the SSD solution is instead an mSATA drive. That is a shame since M.2 SSDs (especially NVMe) have become the de facto industry standard at this point.
Still, the Intel J6413/J6412 only has eight PCIe lanes, so using six for NICs means that there are only two available for the rest of the system. That is our best guess as to why this system does not have an M.2 NVMe slot, even a x2 one.
Here you can see the mSATA slot with what appears to be an mPCIe slot under it. Also pictured is the SIM slot, which is supposed to be used with 4G modems. We did not get a 4G modem with this unit since we have heard they are hit-or-miss.
It is important to note that we could not find a 3 or 4-pin PWM fan header on the motherboard. Therefore, adding a fan may be more complicated than on other units.
One pattern we have seen in more recent iterations of these low-cost firewalls is placing NICs on the other side of the motherboard from the storage and memory. This system follows that trend. This unit has thermal pads and then a transfer block to the chassis from the six Intel i226-V NICs.
This system utilizes a low-power Intel Celeron J6413 processor and one of the larger cases for this type of system. There is a copper block between the chassis and the SoC. In our samples, these were making contact with a fairly thick helping of thermal interface material. Some of the units our readers have seen on AliExpress do not have contact between the chassis and the SoC, and others have no TIM. This was at least executed properly.
Overall, this is a nice little package.
Next, let us get to the performance.
Is the BIOS or UEFI accessible without a Monitor and Keyboard?
Ok so please don’t hate. This is an honest question which I posted on Reddit and I did get feedback but I am starting to see so many units in use by STH so I have to ask those of you here on your experience. I am not looking for controversy. I am not paranoid. I am trying to be as safe as possible. I am leaning towards Protectli units with coreboot. The AliExpress units seem way cheaper but, would I be opening myself up to something bad? I can’t verify the BIOS (as far as I know) and that is what I am most concerned about. I would load pfSense on it from scratch but my weakest link would be the BIOS. Anyone have experience on it? Ran packet capture on the WAN side of the low-cost AliExpress boxes? Your help is appreciated.
@Charlie: I wouldn’t trust the site. These look like knock-offs from the actual Protectli (near identical); there’s no telling the quality of components or failure rate. If you don’t have a large (less than 30) network I’d go with a Vilfo; otherwise, if you’d like to future proof, it’s expensive (but with many options that are VERY~ customizable), I’d go the Protectli route. Happy New Year
Also if you’ve got the space, consider the Dell small form factor machines. There are plenty around second hand after having had an easy life in an office. I put a 100G PCIe x16 card in an Optiplex 7040 SFF to see what it could do, and it reached just over 60 Gbps with pretty much 100% CPU use (across all cores). Given how cheap multi-port 10G cards are now, I’m thinking an old Dell with a few 10G links is a better option than these multi-port 2.5G units of unknown origin and questionable longevity. Dell might not be very exciting but they are pretty robust.
Of course it won’t alleviate your spying concerns, but I’d rather have the Americans spying on me than some other governments…
How are you not getting a kernel panic on IGC with OpenWRT??? Pass some traffic and pull the cable, share what happens.
Does anyone know why this unit would have gone with mSATA rather than M.2 with the typical keying for SATA (B and M, I think)?
I can see why you’d go with SATA in the context, the Celerons are relatively PCIe starved and this design is one where I/O means networking rather than storage, aside from boot and maybe some light logging; but at this point getting mSATA drives is markedly more irksome than getting SATA M.2 drives.
Prevents user confusion? mSATA connectors/drives still cheaper in aliexpress world?
@malvineous: I obviously wouldn’t bet against an adversary who owns the firmware; between everything UEFI can do and everything SMM can do there’s plenty of room for concern; but using expansion card NICs might incidentally provide some protection. It’s typical though not universal for a board’s UEFI to include drivers for onboard NICs (at least enough to do PXE and HTTP/HTTPS boot on the low end, iSCSI for nicer NICs; sometimes a standalone firmware update feature) plus, at least in business stuff, a few external NICs (vendor’s particular blessed USB dongle, dock NICs, etc.); but they rarely include much general-purpose support; so the odds of the firmware being able to do sneaky network stuff behind your back go down significantly if you are using expansion NICs based on a totally different chipset (and even class of chipsets) than the ones on the motherboard.
I certainly wouldn’t use that as a security feature, since it’s not; but the odds that some random desktop motherboard has firmware support to interact with any 100GbE chipset are way, way lower than the odds that it can chatter merrily away on an i219 or some Realtek thing.
We’ve got like 50+ of the various versions including 2 of these now that we’ve installed. We used to be a protectli shop.
We haven’t seen any strange packets from these letting them sit and just sniffing.
In terms of quality, some of the Protectli units we’ve had are almost just like these. The newer coreboot is nice. I’m thinking that Protectli used to just OEM units like these.
We’ve switched because these are so much cheaper that we can buy spares. These are cheaper than the 6 port 1G Celerons by more than half so you get 3 of these for 2 of the celeron protectli’s and they’re faster.
@fuzzyfuzzyfungus
I’d imagine that mSATA drives are indeed less expensive for the sellers. The relative scarcity of lanes on these CPUs is also likely to be a factor. While mSATA drives of decent brands are getting kind of scarce in the US, I’m sure there are still tons of little unknown-brand ones floating around in Huaqiangbei market.
It’s also possible that small mSATA drives tend to produce less heat than NVMe drives can. That could well be a factor in a small fanless box like these. I also don’t know that an NVMe drive would even add anything over an mSATA drive in terms of performance for this class of box. The larger capacities of NVMe drives may also not be that useful for the average customer of these.
I have one of those units and I am pretty happy with it. My first home server experience, so still learning, but really positive so far.
Do you know if the mini PCI-E port could be used to connect a mini PCI-E to SATA RAID controller? I would like to expand storage in this way and use it as a NAS.
Also, there is a 3-pin fan socket on the other side of the board which can be accessed from one of the sides. It is in a pretty weird and uncomfortable position and the board needs to be removed in order to access it… but it is there! :)
I am so out of the game. But are these celerons better now? I remember the old celerons, Atoms from Intel were pure trash performance wise, and other issues.
Intel Celeron J6413 Underpowered 6x i226 2.5GbE Fanless Firewall Review
As for the paranoid people, if you look at the protectli FW4C then it’s basically the same model, just with a slightly better CPU. They probably are made by the same production company as where the protectli comes from.
As a European, I am also slightly hesitant about US-made products, as I do not know if one of the US agencies has “requested” a backdoor into their products.
This is an interesting box.
I bought this one when trying to find an N5105 with a good price including SSD and RAM; the price is not very different from the latest J6413.
thanks.
I’ve been through the article twice, but I can’t seem to see anywhere how much traffic can this thing haul? One reason I can think of for buying a 6-port machine is to avoid having an extra switch. Now, I don’t expect it to hold 30Gbps sustained traffic, but still, how much can it hold?
These units are terrible! I grabbed a VNOPN (cheap china crap) from Amazon and it kernel panicked like crazy and failed memtest. Now I can’t get it to post at all. I wish I went with protectli to begin with, now I’m paying double what it should have cost me to upgrade my home router. You should either test these units longer term and only promote them if they’ve been stable for a good long while, or just stop. Setting people up for a bad time with these cheap knockoffs.
I was just coming back to say that we’ve now got 38 of these units running for a few months now and they’re surprisingly stable.
I don’t understand why @Adam is sayin’ this unit’s bad when they bought a different model with a different chip from a different no-name vendor. Is it even the same chassis and chip? I looked because we have so many and I don’t see a VNOPN version of this.