Protectli appliances have been a topic on the STH forums recently. Today we have a review of the Protectli FW4A-0-4-32 or Protectli FW4A. The Protectli FW4A is designed with a simple mission: be a low cost and silent firewall appliance. The unit we tested with an Intel Atom E3845, 4GB of RAM and a 32GB mSATA drive was around $340. That is a good price if you are looking for a completely silent system. We purchased our review unit on Amazon and it arrived the next day with Prime shipping.
Protectli FW4A (FW4A-0-4-32) Hardware
Looking at the physical unit, it is simply a small block of metal. It is slightly larger than a classic Intel NUC at 5.3 x 4.9 x 1.4 in and 1.25lb. That footprint suits a remote branch office well. While it is a desktop form factor, one could also set it on a shelf in a small retail location or office. We really like that the chassis is all metal. It feels extremely durable, as the metal pieces are thicker than one would expect. No cheap plastic here.
The front of the unit has an interesting array of ports. There is a VGA port, a USB 3.0 port, and a USB 2.0 port along with a power button. One can also find a serial COM port via RJ-45.
The rear of the unit has the power in via an external 12V power adapter that is included. There are simple LED lights and then the big feature, four Intel-based 1GbE LAN ports.
The LAN ports use Intel 82583V gigabit controllers. This still gets you a well supported Intel NIC driven by the FreeBSD em(4) driver, but it is not a high-end, buffered quad-port server NIC like the Intel i350-AM4: the 82583V is a single-port client-class controller, so each of the four ports shows up as its own PCIe device on its own bus. Here is the FreeBSD pciconf -lv view of the 1GbE NICs, which enumerated as em0-em3.
em0@pci0:1:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em1@pci0:2:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em2@pci0:3:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em3@pci0:4:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
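A quick way to confirm that a delivered appliance actually carries the NICs it was sold with is to parse that pciconf output rather than eyeball it. The script below is an added example written for this review, not something Protectli or the STH authors ship: it extracts every device whose class is "network" from pciconf -lv format and checks the chip IDs and count against what you expect. The sample output embedded in it is constructed to mirror the four 82583V entries above, with one illustrative non-network device (the host bridge) added so the filter has something to drop; on a real box feed it the live output of pciconf -lv instead.

```shell
#!/bin/sh
# Added example (not from the review): inventory the network controllers in
# `pciconf -lv` output and check them against an expected chip ID and count.

# Constructed sample in pciconf -lv format. The four em entries mirror the
# review; the hostb0 entry is illustrative, there so the filter has a non-NIC
# to skip. On real hardware: pciconf -lv | list_nics
sample_pciconf() {
cat <<'EOF'
hostb0@pci0:0:0:0:	class=0x060000 card=0x00008086 chip=0x0f008086 rev=0x11 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Atom Processor Z36xxx/Z37xxx Series SoC Transaction Register'
    class      = bridge
    subclass   = HOST-PCI
em0@pci0:1:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em1@pci0:2:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em2@pci0:3:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em3@pci0:4:0:0:	class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
EOF
}

# Read pciconf -lv format on stdin. For every device whose indented
# "class = network" line is present, print: driver pci-address chip-id device-name
list_nics() {
  awk -v q="'" '
    function flush() {
      if (dev != "" && cls == "network")
        printf "%s %s %s %s\n", dev, addr, chip, name
      dev = ""; addr = ""; chip = ""; name = ""; cls = ""
    }
    # header line: em0@pci0:1:0:0:  class=... card=... chip=0x150c8086 ...
    /^[A-Za-z0-9]+@pci/ {
      flush()
      split($1, h, "@"); dev = h[1]; addr = h[2]; sub(/:$/, "", addr)
      for (i = 2; i <= NF; i++) if ($i ~ /^chip=/) chip = substr($i, 6)
      next
    }
    # indented detail lines belong to the most recent header
    /^[ \t]+class[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); cls = $0 }
    /^[ \t]+device[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gsub(q, ""); name = $0 }
    END { flush() }
  '
}

# check_nics CHIP COUNT: succeed only if exactly COUNT NICs with chip id CHIP
# are present on stdin (pciconf -lv format).
check_nics() {
  found=$(list_nics | awk -v c="$1" '$3 == c { n++ } END { print n + 0 }')
  [ "$found" -eq "$2" ]
}

sample_pciconf | list_nics
if sample_pciconf | check_nics 0x150c8086 4; then
  echo "NIC inventory matches: 4 x Intel 82583V (chip 0x150c8086)"
else
  echo "NIC inventory does not match the expected parts" >&2
fi
```

The chip ID is the useful field: the PCI device ID 0x150c is what the em driver keys on, so it survives a relabelled unit or a changed vendor string in a way that a sticker on the case does not. For a batch of appliances, run the check once per box and compare against the ID of the part you were quoted.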
Inside the unit, it is a tale of two sides. On the CPU side, the Intel Atom E3845 is bonded with thermal adhesive to the top of the chassis, which doubles as the heatsink. This is what lets the unit run cool without a fan. It also makes the CPU side virtually inaccessible, but the Protectli FW4A is designed well, so all serviceable parts are on the other side.
On the other side, we find the opposite. The bottom cover comes off once its screws are removed, exposing easily serviced slots: an mSATA slot, a DIMM slot, and an mPCIe slot. The mSATA slot holds the boot device. You can order the unit as a barebones or with pre-installed parts; we ordered ours with a 32GB mSATA SSD. The DIMM slot takes DDR3 SODIMMs, which are easy to source, and our unit came with a single 4GB SODIMM. The mPCIe slot is intended for wireless cards, and the chassis has cutouts for mounting WiFi antennae.
Power is external and uses a relatively large 12V power brick which is easy enough to replace.
A VESA bracket is included, and the RJ-45 serial console port is available as well. It would have been nice to get a short CAT5 or CAT6 cable in the box, but we understand why one was not included.
Protectli FW4A (FW4A-0-4-32) Performance
We see this as an appliance designed for relatively lightweight edge connectivity duties. If you want to do things like packet inspection at 1Gbps wire speed, there are other options. Given that product segmentation, we tried two straightforward pfSense scenarios: NAT throughput with basic firewall rules blocking lists of IP ranges, and OpenVPN throughput. We used iperf3 to measure performance in both cases.
In the basic NAT scenario, we saw the performance we expected on a 1Gbps network. The use case where this appliance is your local firewall, translating internal addresses to the external address and dropping traffic to and from listed IP ranges along the way, works well.
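For readers who want to reproduce that scenario outside the pfSense GUI, the script below is an added example, not the review's own configuration and not the ruleset pfSense generates: it validates a blocklist of IPv4 ranges and emits the equivalent hand-written FreeBSD pf ruleset, with NAT on the WAN port and the listed ranges dropped in both directions before anything else is evaluated. The interface names (em0 as WAN, em1 as LAN) are assumed from the em0-em3 enumeration shown earlier, the blocklist entries are constructed for the demo, and the file path handed to the table is whatever you choose to write the validated list to.

```shell
#!/bin/sh
# Added example (not from the review or from pfSense): generate a plain pf
# ruleset for "NAT plus a table of blocked IP ranges loaded from a list".
# Interface roles are assumptions; adjust for your wiring.

EXT_IF=${EXT_IF:-em0}   # WAN port (assumed)
LAN_IF=${LAN_IF:-em1}   # LAN port (assumed)

# Constructed blocklist: one IPv4 address or CIDR per line; '#' comments and
# blank lines are ignored. Two entries are deliberately invalid.
sample_blocklist() {
cat <<'EOF'
# constructed entries for this demo
198.51.100.0/24
203.0.113.0/24
192.0.2.10

10.0.0.0/33
not-an-address
EOF
}

# Pass only syntactically valid IPv4 addresses / prefixes through on stdout;
# report anything else on stderr instead of silently handing it to pfctl.
valid_cidrs() {
  awk '
    function bad() { printf "skipping invalid entry: %s\n", $0 > "/dev/stderr" }
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    {
      n = split($1, p, "/")
      if (n < 1 || n > 2) { bad(); next }
      if (split(p[1], o, ".") != 4) { bad(); next }
      ok = 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) ok = 0
      if (ok) print $1; else bad()
    }
  '
}

# gen_ruleset BLOCKLIST_FILE: print a pf.conf that NATs the LAN out of the
# WAN port and drops traffic to or from every range in the table file.
# Order matters in pf.conf: options, normalization, translation, then filtering.
gen_ruleset() {
  cat <<EOF
ext_if = "$EXT_IF"
lan_if = "$LAN_IF"
table <blocklist> persist file "$1"
set skip on lo0
scrub in all
# translate everything leaving the WAN port to the WAN address
nat on \$ext_if from \$lan_if:network to any -> (\$ext_if)
# listed ranges are dropped before any other rule is evaluated
block drop in log quick on \$ext_if from <blocklist> to any
block drop out log quick on \$ext_if from any to <blocklist>
# default deny inbound, allow the LAN out through the NAT
block in all
pass out quick keep state
pass in on \$lan_if from \$lan_if:network to any keep state
EOF
}

# Usage on the appliance:
#   sample_blocklist | valid_cidrs > /usr/local/etc/blocklist.txt
#   gen_ruleset /usr/local/etc/blocklist.txt > /tmp/pf.conf
#   pfctl -nf /tmp/pf.conf      # syntax check only
#   pfctl -f /tmp/pf.conf       # load
#   pfctl -t blocklist -T show  # confirm the table contents
sample_blocklist | valid_cidrs
gen_ruleset /usr/local/etc/blocklist.txt
```

Keeping the ranges in a pf table rather than one rule per range is what makes the "block lists of IP ranges" case cheap on a CPU like this: table lookups are a radix-tree match regardless of list size, and the table can be refreshed with pfctl -t blocklist -T replace -f FILE without reloading the ruleset. Validate the list first; pfctl rejects a file containing a malformed entry, and it is better to see which line was skipped than to discover the table never loaded.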
In the OpenVPN case we were nowhere near wire speed, since OpenVPN throughput is CPU bound on a core like this. To be fair, many users do not have a link capable of saturating even 100mbps, and for site-to-site connectivity or remote access that is often fine. If you need faster tunnels, IPsec, which runs in the kernel rather than as a userspace process, generally performs better on this class of hardware.
pfSense loading performance is something that we know our readers are interested in. Power on to pfSense being fully online at the console screen and the web UI working takes about 90 seconds.
Protectli FW4A (FW4A-0-4-32) Power Consumption
Power consumption is great. The unit uses 12W in typical operation. The specs say a maximum of 18W but we never pulled over 15W at the wall in our testing.
- Idle: 11.8W
- Max: 15.3W
That is a solid result for this class of firewall and yields low annual power costs. Using a newer SoC package may help slightly, along with lower power DDR4 memory, but saving 3-5W is not going to have an appreciable impact on power costs in most scenarios.
Market Discussion
There are a lot of options for low-end firewall appliances on the market. We like this over some of the Xeon D solutions since it is fanless and therefore quiet. With an SSD it also has no moving parts at all; versus units with hard drives, we generally prefer SSDs for reliability. It is easy to service, so if something goes wrong, at least the fix is simple.
If you are using this for a distribution like pfSense, then it works well. Compared to a less expensive Netgate SG-1000, this is a much better option. Even the UI is considerably more responsive.
The systems themselves seem to be lightly customized versions of the Minisys 4 LAN machines. A benefit is getting the units shipped directly from a US seller or Amazon but they cost more than getting the units directly from China.
We still think supporting pfSense by getting an officially branded product makes sense but there are alternatives out there, and that is important for an open source project.
So Why Not the Protectli FW6A-0-4-32?
The Protectli FW6A-0-4-32 has a number of notable upgrades over the FW4A-0-4-32. Perhaps the biggest is a Kaby Lake Celeron CPU, which is a much newer core. Beyond that, it has six 1GbE ports, a solid upgrade over the FW4A's four.
The FW6A also has an HDMI port. If you are a home user, HDMI can be convenient. If you run in a more traditional data center environment, VGA can be easier to use.
You pay more for the upgrade. We did not have the Protectli FW6A to compare but from specs and our experience, we expect it to be a case of pay more, get something better.
Final Words
Overall, this unit does what it says. It is completely silent. Performance is good enough for just about any home or small business cable modem or DSL connection. If you are running a gigabit or faster connection, you probably want to look elsewhere. We really liked how quickly the unit gets through POST and into the OS; it is better in that regard than many devices from firewall companies themselves, such as the pfSense SG-4860. The unit has a reasonable price and you can get it on Amazon with quick shipping. Since it does not come with software installed and has barebones options, it is more of a DIY solution than some others on the market. At the same time, the selection of good hardware and the silent operation make this a gentle introduction to the DIY firewall appliance.
Since many of our readers work as managed service providers, there is another aspect that we wanted to highlight. These units would be trivially easy to externally brand and the smooth metal surfaces make labeling easy. After two months of zero reboot uptime, we like this solution a lot.
No ECC RAM? For much less money one can get PC Engines’ APUx with 4GB ECC, you can mount your mSATA and off you go. 4 NICs are supported by APU4B4 btw. Also I would expect a little bit less power consumption.
KarelG, that’s a pretty good solution! For U.S. market maybe look over at Mini-Box. Dogfish 60gb mSata can be found for cheap.
Or. Get a used laptop. I overpaid at $100, but got 3 times the compute (albeit double power consumption). Yes, it has a fan, but it doesn’t run too much, even with lots of pfSense bells and whistles turned on.
@KarelG, the ECC feature of the APU2 does not work. The AMD BIOS microcode for ECC was never stable. If you go to the PC Engines support forums you can find the discussions where they have been trying to resolve this issue for some time and have not been successful. Currently the RAM runs without the ECC features enabled.
Also, the AMD Jaguar CPU in the APU2 is underclocked and has a lower passmark score. Using pfSense or OPNsense (i.e. FreeBSD) I can only NAT route at around 600-650mbits when tested with iperf3. I have not tested OpenVPN because I have a more powerful server handle VPN.
Under Linux the APU2 can NAT route at gigabit line speeds, but for some reasons the network stack in FreeBSD is just less performant on the APU2. Using OpenWRT or another Linux based router distro can get you faster speeds.
This review failed to mention that dimensions are 5.3 x 5.5 x 1.5 in, 134 x 130 x 39 mm. That’s smaller than a mitx motherboard even including the case.
The APU4D4 is really $254 if you get it kitted out with a 32gb drive, case + PSU. For $75 having it all put together and having VGA out to make OS install easier than serial isn’t too bad. That 1.91GHz is why this is able to 1G NAT and ok OpenVPN.
@Eduardo: I find apu4d4 a little more versatile. It has 3x miniPCIe, and supports not only wifi, but also 3G/LTE modems (with 2x sim in failover configuration). In addition to one miniPCIe/mSATA combo, it also has native sata-port (so you can use 2x sata for raid1), and 2x usb3 (+header for 2x usb2). Another killer-feature is coreboot. And if you need vga, you can still attach gfx using miniPCIe->PCIe riser-card. I got it for 155€ (mobo, case, psu) and I think it is better value for money…
@Steven: thanks for the advice, I’ve looked into the pc-engines forum and found out that ECC is enabled and well detected by Linux: http://www.pcengines.info/forums/?page=post&id=E35B5D34-262B-480E-9887-F7F2A292E02F&fid=DF5ACB70-99C4-4C61-AFA6-4C0E0DB05B2A&cachecommand=bypass&pageindex=2 — search for post by kmalkki nearly on the bottom of the page. Perhaps the fix for ECC is finally in?
This design, usually with a J1900 SoC (lamentably no AES-NI and with the lousy Bay Trail cstate bug) has been available for a couple of years from China direct sellers such as those found on AliExpress; and one branded “Qotom” sold well on Amazon for a year or two.
The thing that bugs me about them is the single SO-DIMM, making Dual Channel memory access impossible. Without a unit to bench it’s hard to say which part defines the performance ceiling on a gigabit-capped network appliance, but OpenSSL (the basis of OpenVPN) has been shown to benefit by around 30% from dual channel memory in abstract tests.