OPNsense Forum
English Forums => Hardware and Performance => Topic started by: Solid-Profession on August 14, 2020, 08:55:56 pm
-
Hi,
I've looked here:
https://forum.opnsense.org/index.php?topic=14360.0
But not sure if the Qotom-Q555G6-S05 is still a good shout?
I'm currently playing with a Fortinet 60e which is costing me the Earth, given I'm a home user, and I therefore require something that's fanless and low power.
I'd like to have a "sort of" UTM, where it has AES-NI enabled too, just in case I like the look of something else, so I don't have to buy twice
Currently on the Fortinet, with only me connected to it, apparently it's using 56% RAM with 86 sessions and 14.1% load on the SPU
The maximum amount of people connected to it would be maybe ten. 20 at a push. On the Fortinet I've VLANd off one of the interfaces and made that my interface for my downlink to my switch, and I've got a WAN interface out. It doesn't seem like there's a noticeable difference when adding the firewall. The speed of my broadband is 350Mb/s (down)
I also want to make sure that I don't use Intel 219 NICs because they're not supported with another vendor should I choose to reflash the firmware.
I live in the UK too, but I'm fine with purchasing something say from aliexpress, or Europe. Any help would be much appreciated!
-
I buy my hardware from https://www.varia-store.com/ currently. I have two proposals:
1. "high end"
4 cores
4 G RAM
4 Intel network interfaces
128 G SSD
Select the PCengines APU4D4 with case, power supply (pick the PCengines one), and a Transcend 128 G SSD.
Add the APUFIX1A for your first build, only need this once.
About 300€.
2. "average"
4 cores
2 G RAM
2 Intel network interfaces
32 G SSD
Select the PCengines APU2E0 with case, power supply (pick the PCengines one), and a Transcend 32 G SSD.
Add the APUFIX1A for your first build, only need this once.
About 150€.
Both are great high quality long lasting devices.
3. "cheap"
To get to a two-figures amount I learned that the Rock Pi E was the hot stuff today, but I cannot recommend a supplier. System is about 50€ for 2 network interfaces, WiFi and 1 G of RAM, need to add a passive cooler, case, power supply and MMC storage - well below 100€.
4. "dirt cheap"
Sorry, switch to OpenWRT on a Raspberry Pi or similar ...
-
Terribly sorry but I wasn't alerted to this from emails. Only seen it as I logged in
What's best for me? I have maybe a maximum of 15 users, typically 5 users. I don't want to get something high end if I don't need it. I essentially want it to "act like" a UTM device but also be rather.. small. I don't care about HA too as it's in the home
The broadband connection is also 350Mb/s
-
If your connection is between 100 M and 1 G/s the one I labelled "high end" will be just sufficient.
It's a small router like device with passive cooling, I like it very much.
But: it will not be able to run Sensei and other advanced IDS/IPS modules at your uplink speed. If you want to use that, someone else needs to step in with a proper sizing.
After all, 4 G memory is small today. I just provisioned two new hosting servers with 192 G each.
HTH,
Patrick
-
...find a decent used Dell Optiplex SFF (small form factor, important!) and up to 2x2 Intel networking cards. About 200.- all in all if you look in the right places. Plenty of power and will run your stuff for years...
-
Sorry but I'd rather keep things as small as possible. A Qotom box instead then?
-
If your connection is between 100 M and 1 G/s the one I labelled "high end" will be just sufficient.
It's a small router like device with passive cooling, I like it very much.
But: it will not be able to run Sensei and other advanced IDS/IPS modules at your uplink speed. If you want to use that, someone else needs to step in with a proper sizing.
After all, 4 G memory is small today. I just provisioned two new hosting servers with 192 G each.
HTH,
Patrick
Hi,
My uplink speed isn't as high as my download speed. Even with 512Mb/s the upload speed is just 36Mb/s. Would it still be an issue?
-
The PCengines box will get you 512 Mbit/s throughput but not with additional services. Most people want IDS/IPS for ingress ;)
The Qotom boxes do look like a cheaper rip-off of the Protectli Devices to me. I have experience with neither, sorry.
-
I'm using the Qotom you mention. I like it a lot, just remember to move the jumper for boot on power (if you like, after power failure I like autorestart). Are there better solutions? Maybe but so far I have seen none. And it is not using a lot of power either, nor does it get hot. As I wrote above, I like it a lot, and it is perfect for me (that I am having config challenges has nothing to do with the hardware). From my perspective: go for it!
-
Thanks. Which one do you have? How exactly do you move the jumper? Do you unscrew it, move the little blue thing from one pin to another pin?
-
I have:
Qotom-Q555G6-S05 Qotom Mini PC Intel Core i5 7200U Industrial Micro PC Barebone System Dual Core Desktop Small Computer with 6 Gigabit Ethernet NIC
to be exact.
The jumper that needs to be moved, if one needs/wishes autostart on power return, is just a small jumper (you lift it and move it one pin, so to speak). There are a few YouTube videos on that, for example: https://www.youtube.com/watch?v=-2pZi3hf2f4
-
Thanks. It's a bit weird that you have to do that
-
I've been running the "software-that-OpnSense-came-from-that-cannot-be-named-less-it-notice-us-and-be-summoned" for about 10 (?) years now on old PC's.
I came here to update myself on the state of OPNSense. I tried it when it was first released but Suricata was not working very well at all. I would like to try OPNSense but not at the expense of productivity for my work from home wife.
I started with an Old Dell XPS 630i Core2 DUO 4GB ram (non-AES capable) - retired -R.I.P - blown daughter board after 12 years of service as 1st my desktop, (free +$29.00 = ADATA 120 SSD from this point as I would dispose of it or do the following) then to firewall, then to Linux Web Server.
Currently running Old Dell Inspiron i3 6GB Ram (non-AES capable) my father-in-law hand me down (free +$49.00 = Kingston 120 SSD)
Am planning on swapping out to an OLD Dell XPS 8700 Studio 16GB RAM (AES capable) as soon as I find the time (been waiting for 1yr now) (free +$49.00 = Kingston 120 SSD) (another family member hand me down)
I guess what I am saying is it might be cheaper if you want to transfer an image of your existing firewall to a cheap'ish SSD and use an old PC.
I only pay for 150/15 Mbps so I am good. 20 odd devices in the house with 7 of them being desktops/laptops that are regularly used, the rest are a mix of WIFI routers (x2) and cell phones, hand held gaming consoles, Xbox etc....
No one ever complains about speed in my house unless the ISP is having issues or unless a piece of hardware has blown out - usually the crappy cable modems - is there such a thing as a non-crappy cable modem - you know, one that will last longer than 3 or 4 years?
Anyways, I realize there are many reasons to NOT use an old PC but if you're not affected by any of those, I have found it to be pretty cheap while still getting a "corporate-like" firewall.
With ALL the above systems I have never seen the "software-that-OpnSense-came-from-that-cannot-be-named-less-it-notice-us-and-be-summoned" use more than 40% RAM at its busiest and normally runs at 20% or less. CPU has never gone over 5 or 6% that I've noticed.
Cheers.
-
nobody has a problem with pfsense over here, only the other way around, you get banned in the forums for mentioning OPNsense. ;-) (or even for asking heretical questions)
I still have to use one install of this piece of software, as I want to use IPS on a PPPoE WAN interface. Not a problem, really.
Fully support your "old hardware rulez", but the young guys always have a look at the electricity bill. But on the other hand: what you spent for electricity you save for the warming of the house in winter time :-D
-
nobody has a problem with pfsense over here, only the other way around, you get banned in the forums for mentioning OPNsense. ;-)
Qotom is also a non-topic there. There are not a few people here rather than there as a result of their behavior.
Worth checking out Fitlet2 with J3455 at https://fit-iot.com/web/products/fitlet2/fitlet2-specifications/
Fanless and low power but not sure it meets all the requirements of OP. Same company has a new series of devices coming out called Tensor-PC. Details are a bit sketchy at the moment but looks interesting.
-
pmhausen said that a low power APU board wouldn't cut it because
"The PCengines box will get you 512 Mbit/s throughput but not with additional services. Most people want IDS/IPS for ingress ;)"
Would I not run into the same problems here?
-
nobody has a problem with pfsense over here, only the other way around, you get banned in the forums for mentioning OPNsense. ;-) (or even for asking heretical questions)
I still have to use one install of this piece of software, as I want to use IPS on a PPPoE WAN interface. Not a problem, really.
Fully support your "old hardware rulez", but the young guys always have a look at the electricity bill. But on the other hand: what you spent for electricity you save for the warming of the house in winter time :-D
Electricity costs AND a lack of space lol. If the old hardware consumed less AND was as small then that'd be fantastic
-
An Optiplex SFF is not really "big". And if you have old hardware lying around, you save some 100 bucks that you can invest in electricity...
-
Perhaps but I've only got a small rack. Also tbh I've always been a fan of "small" The smaller something is the better for me. It's an aesthetic thing. I slowly want to replace my NAS with something that's tiny too
-
NAS? I built some in mini-ITX enclosures with an odroid xu4 and 2x 2.5" SSDs/HDDs...
-
I'll probably replace that with something raspberry pi... sized but not quite pi
-
The odroid xu4 is pi-sized, but with GBit ethernet, 2x USB3, fast processors and solid OS support. :-D
-
Someone told me to go with the nanopi instead. Is the odroid better?
-
What is "better"? :-D
Have only raspberries (10-20) and some XU4. NAS is stable and performant...
-
Faster, easier to use, has real boards?
-
pmhausen said that a low power APU board wouldn't cut it because
"The PCengines box will get you 512 Mbit/s throughput but not with additional services. Most people want IDS/IPS for ingress ;)"
Would I not run into the same problems here?
I don't know as I am not running IDS/IPS on mine at the moment but see https://bbs.io-tech.fi/threads/palomuuri-1gbit-kuituliittymaelle.74958/#post-2855744 and other discussion on the same board. You will need to use Google translate unless you read Finnish.
-
Thanks. I guess the other issue is that it uses i211 Intel stuff, which means that if I want to move to Sophos, I'd have to buy new hardware?
-
So near 1 gigabit for opnsense? I dunno if it supports AES-NI too? Sure it might not be needed now, but may be required in the future
Should I get this?
Atom x7-E3950 [CE3950]
8 GB [D8]
M.2 SATA 64 GB [M64S]
No OS
Which Facet card?
FC-OPLN 1x SFP+ Gbit Ethernet optical [FOPLN]?
I don't know about the interfaces, given that I honestly want it to last. If I have 10Gb infrastructure in the future I'd want this firewall to handle that too. Ideally both WAN and LAN could be SFPs? So I could stick in a module that connects to another device?
And leave everything else as standard?
You can customise the order here
https://fit-iot.com/web/product/fitlet2-build-to-order/
-
nobody has a problem with pfsense over here, only the other way around, you get banned in the forums for mentioning OPNsense. ;-)
Qotom is also a non-topic there. There are not a few people here rather than there as a result of their behavior.
eets all the requirements of OP. Same company has a new series of devices coming out called Tensor-PC. Details are a bit sketchy at the moment but looks interesting.
And I am one of them... jumped ship before they could ban me!
I have two Qotoms (one for dev/test) and never had an issue with them. First one I got I originally installed ESXi on with OPNsense as a VM, it worked perfectly fine except I was getting no thermal info from the CPU; great little devices.
-
While we are on the subject of Qotom - does anyone know if there is an 8-port ethernet version around? I have the 6-port version, and would not say no to an 8-port version....
-
nobody has a problem with pfsense over here, only the other way around, you get banned in the forums for mentioning OPNsense. ;-)
Qotom is also a non-topic there. There are not a few people here rather than there as a result of their behavior.
eets all the requirements of OP. Same company has a new series of devices coming out called Tensor-PC. Details are a bit sketchy at the moment but looks interesting.
And I am one of them... jumped ship before they could ban me!
I have two Qotoms (one for dev/test) and never had an issue with them. First one I got I originally installed ESXi on with OPNsense as a VM, it worked perfectly fine except I was getting no thermal info from the CPU; great little devices.
Out of interest, how much power do they consume?
-
While we are on the subject of Qotom - does anyone know if there is an 8-port ethernet version around? I have the 6-port version, and would not say no to an 8-port version....
Why don't you just VLAN it off?
-
Two reasons:
1) VLAN does not give you more physical ethernet ports
2) I am trying to reduce the power consumption here, and running a managed ethernet switch to get more ports does not seem to save power
-
Ahh. I've got mine already connected to a switch and that has PoE too.. I wouldn't be saving electricity that way myself. That makes sense
-
Out of interest, how much power do they consume?
TDP is 15W according to the specs.
-
Thanks. Was thinking more about the real world consumption but thanks anyway
-
Nothing on the spec sheet, but the PSU is a 60W block, runs cold.
-
Thanks. I guess I'd have to put a watt meter to it lol!
-
I would, but the one I have is in the office and I've not been there since March!
-
Nothing on the spec sheet, but the PSU is a 60W block, runs cold.
Thanks. I guess I'd have to put a watt meter to it lol!
Someone has done it, found this on Amazon:
"I have tested the unit on a power consumption meter and it idles at 14.8w and max 17.6w. This will save money in the long run instead of using an old PC for pfSense."
Of course, that doesn't tell us what was running at the time of the max reading, I suspect mine is somewhat higher under full load.
-
Thanks for that. The main reason for buying one of those is the leccy bill. That and it being smaller. This being said, now that I've had a look see, I may end up buying the fitlet2 because it's way smaller, about as powerful and you can power it by PoE which is pretty cool
-
And I am one of them... jumped ship before they could ban me!
I think we may have jumped at around the same time. I remember there was a huge long thread with lots of information on using Qotoms and they just deleted it all. I reckon they did me a favor.
-
Thanks for that. The main reason for buying one of those is the leccy bill. That and it being smaller. This being said, now that I've had a look see, I may end up buying the fitlet2 because it's way smaller, about as powerful and you can power it by PoE which is pretty cool
Completely different generation to the Qotoms I have and gave the power specs on, so I would hope it is more efficient. ;)
Looks very nice too, but don't mention it on the pf***** forum!
-
And I am one of them... jumped ship before they could ban me!
I think we may have jumped at around the same time. I remember there was a huge long thread with lots of information on using Qotoms and they just deleted it all. I reckon they did me a favor.
Cannot remember when I jumped ship now, late 2017 I think...( checks his inbox )... nope, December 2016, tempus fugit!
-
Thanks. I guess the other issue is that it uses i211 Intel stuff, which means that if I want to move to Sophos, I'd have to buy new hardware?
There is some discussion of the Fitlet2 on the Sophos Community boards (I was originally going to run XG after I gave up on my original idea of using pfSense):
https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/109125/qotom-protectli-fw2b-appliance-fitlet2-j3455-purchased?pi2353=1
There is also a long discussion in this thread on the Finnish board I referenced before that discusses different devices and software configurations. At least one user had Sophos XG running on the Fitlet2:
https://bbs.io-tech.fi/threads/tee-se-itse-rautapalomuurit-pfsense-sophos-utm-mitae-kaeytaette-ja-miksi-juuri-se-vaihtoehto.14625/page-8#post-3615316
https://bbs.io-tech.fi/threads/tee-se-itse-rautapalomuurit-pfsense-sophos-utm-mitae-kaeytaette-ja-miksi-juuri-se-vaihtoehto.14625/page-10#post-4370713
-
Cannot remember when I jumped ship now, late 2017 I think...( checks his inbox )... nope, December 2016, tempus fugit!
I must have followed you later. I remember finding your posts very useful and then they deleted them all.
-
And I am one of them... jumped ship before they could ban me!
I think we may have jumped at around the same time. I remember there was a huge long thread with lots of information on using Qotoms and they just deleted it all. I reckon they did me a favor.
Even on reddit, on r/pfsense it's not great in terms of how their mods and "wannabe mods" operate
-
I don't know about the interfaces, given that I honestly want it to last. If I have 10Gb infrastructure in the future I'd want this firewall to handle that too. Ideally both WAN and LAN could be SFPs?
I have no idea. I imagine you'd need a much more powerful CPU to handle 10Gb. Some of the higher-end Qotom boxes might make more sense or wait for an appropriate Tensor-PC.
https://linuxgizmos.com/compulabs-embedded-tensor-pcs-take-modularity-to-the-extreme/
-
Thanks. I guess when the time comes, I could just export the config out and then re import it?
-
I'm using the Qotom you mention. I like it a lot, just remember to move the jumper for boot on power (if you like, after power failure I like autorestart). Are there better solutions? Maybe but so far I have seen none. And it is not using a lot of power either, nor does it get hot. As I wrote above, I like it a lot, and it is perfect for me (that I am having config challenges has nothing to do with the hardware). From my perspective: go for it!
Thanks. Which one do you have? How exactly do you move the jumper? Do you unscrew it, move the little blue thing from one pin to another pin?
My Qotom box has arrived now. Could I ask where I should move the jumper to? Do you want photos?