Messages

In that case something like this : https://www.igorslab.de/en/thermal-grizzly-phase-sheet-ptm-test-how-good-is-the-honeywell-alternative-really-in-reality/ :)

Its seem like you dont know the difference between thermal sheet and thermal pad.

I dont want to get my hands dirty with thermal paste.

'Special for you my friend' : https://duckduckgo.com/?q=zalman+stg1+paste&ia=images&iax=images

No need to get messy with that good old paste! :P

Thank you my friend. But as you probably dont know, high end mini pcs are using thermal pads instead of thermal paste. Thats a permanent solution.

Is there any fanless hardware that has no holes to let in air & to let out hot air?

Yes.

Set It and Forget It ?

Yes. I dont want to open my device just so i can remove dust carpets. I dont want to lubricate or replace failing/dead fans. I dont want to get my hands dirty with thermal paste.

That's like speaking for every end-user who plugs anything in and wants it to work 100% w/o ever having an issue. Never gonna happen.

Its already happening for me, and im happy.

Plus, with OPNsense you'll be updating frequently, no real way around that if you wish to maintain security posture.

I have no problem with that. However, my set it and forget it statement was referring to hardware, not the software.

That's something to dig into then when considering one of their products. Thnx! :)

You are welcome.

This is something I might agree with you on totally, because : Who builds/maintains those CoreBoot/LibreBoot releases ?!

Coreboot for Protectli devices is outsourced to a well known and reputable open source firmware company 3mdeb. https://3mdeb.com/

- If it's the manufacturer and they have a dedicated team for it that does it for all their devices : OK, let's do it!

They have dedicated team(s) for this. And all their work is hosted on github. You can find it here https://github.com/protectli-root/protectli-firmware-updater

- If it's someone who you could consider to be on the same level as any random Custom Android ROM developer for example then things get different...

These people are not some random basement dwellers from XDA forums. This is official Protecli firmware that was outsourced to 3mdeb.

IMHO he is fully in his right to think that way if there is not enough clarity about the whole thing!

There is enough clarity for those who want to know. Everything im saying here is publicly available information combined with personal experience. Im not talking out of my ass nor im shilling for Protectli or any other brand. Stop playing detective. If you live in US, get Protecli. If you live in EU, get Deciso or Thomas Krenn. It is that simple.

Any kind of software in general is never finished so that's a very bold claim you are doing there! ;)

By that logic, life is not worth living.

That's the other extreme side of the story which should be avoided too ofcourse!

And how do you avoid it if the ME/PSP or CPU uCode has known critical vulnerabilities and only way to fix them is to flash latest BIOS ? Your reply makes no sense.

If I am perfectly honest : It all went wrong the moment you have chosen for ASUS hardware...

Please stop embarrassing yourself. 

I think we need a timeframe for that data :
- When was the model released ?
- When did you buy it ?
- How many updates/upgrades were there in total so far ?
- Do they consider the model to be a current one or is it close to it's EOL date ?
- etc.

I... i just cant...

I feel like your claims/advice isn't perfectly neutral either to be honest...

Talking about neutrality with TopTon signature.

There's nothing wrong with a good passive system. It just costs money. (Note the "good".)

If money is issue, go for Qotom. If you cheap out, eventually, its going to cost you more.

(And, going off-topic a bit, it's particularly hard to passively cool a 100+W CPU in an 86+F (30+C) environment.)

100W is overkill for bare metal opnsense machine. If you are running virtualizied with bunch of other stuff, thats a different story.  We talk bare metal machines.

Understandable. A tradeoff I wasn't willing to make. My firewall is not my loudest device, but even if it was, I'd still make the same choice.

We are talking normal home use. Not the rack filled with enterprise grade arista quad  power redundant switches and 1kW rack mounted pc monsters running hypervisors. Please stay on track.

Speaking of thermal testing, mprime is generally more appropriate than memtest, but I don't know of a bootable package that contains a newer version (the UBCD's is a bit old). It's easy enough to fire up a live Linux or FreeBSD image and execute it - it just takes a bit more effort than a bootable package.

Going way of topic dude.

Is the device overheating on cpu core?

Its normal for CPU to run hot, but its the heat sinks job to take that heat away from CPU and then dissipate it. These units are not doing that because they have crappy metal case with terrible thermal conductivity. The CPU gets hot, starts to throttle, it heats everything inside the unit, and then that heat from the inside is radiating on the aluminum case through your storage, memory modules and PCB. This is why on passive Toptons people are forced to install additional fans, not to keep the unit cool, but to keep CPU from thermal throttling and premature damage. It is that bad. The unit with same specs from either Protectli or Thomas Krenn costs 3 times more. Ask yourself why.

Most cpu's will try and protect themselves from overheating.

CPU will almost never die on these units because it has mechanisms to protect itself. It does that with thermal throttling or simply shutting down. Its the other components in that tiny case that will suffer and die eventually. Your storage, your memory modules and worst of all, motherboard.

The cheap N150 device I have for OPNsense is sinked at the case, but has an integrated ext fan to keep the aluminum cool. It is not doing a lot of work, but so far it's been stable.
see https://forum.opnsense.org/index.php?topic=48166.0

Thats not a good solution either. Opnsense appliances should always be passive machines with no moving parts. If you have a tiny fan inside, that thing is piling up the dust as we speak. If you dont clean it regularly, it can die in a few years. Even if its not spinning all the time. I dont want to think about this. I want to setup my firewall and forget that its there.

They have appliances with two 10G pors like this one https://protectli.com/news/vp2440-launch/

I'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it ot you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.

The options aren't exactly excellent but some are better than others.

Completely wrong way of thinking. Absence of updates means that there is nothing to fix or add. And thats a good thing. Saying that appliance sucks because it doesnt get its BIOS updated every month is just silly. My Asus AMD board has had its BIOS updated 15 times so far just so they can fix "small" bugs and introduce new ones. Same goes with Intel platforms. Every month you have a BIOS update because ME firmware has been updated. This is borderline crazy.

As for Protectli, i got my coreboot on my Protectli Vault FW6E updated 3 times. So please, do not spread false information. And lack of customization on coreboot BIOS is a feature. Thats how the firmware is designed. This is why you have a choice with Protectli. You can switch between coreboot or AMI very easy. It just so happens that i dont need any "features" that AMI offers.

Topton is just unreliable cheap garbage. There is a good reason why Deciso, Thomas Krenn and Protecli cost that much. Ive seen people buy Toptons like crazy, and then mount a fan on them because their aluminum case can not dissipate heat properly because they use the worst quality materials. It complete defeats the purpose because this is advertised as passively cooled unit. Worst of all, their quality is so inconsistent, that some units can work reliably for years, and some die for no reason after few months. And thats the exact reason why you should avoid them. Especially when people that have these units start to recommend them and claim that they have it for X amount of years, and they are working just fine. If you are on a tight budget, go for Quotom. But dont be a cheap ass and go below that. It will cost you more in a long run.

Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there it no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

Protectli is the way to go. They have open source coreboot BIOS for their entire line. Check out their 4 ports offers here: https://eu.protectli.com/vault-4-port/

In your case, i would go with FW4B model. Thomas Krenn and Deciso also have some nice units, but they are a bit pricier because they are in EU.. I know that Thomas Krenn used to have coreboot BIOS on their older models, but i dont see it in as an offer on new units. Worth checking out:

https://www.thomas-krenn.com/en/products/low-energy-systems
https://shop.opnsense.com/product-categorie/hardware-appliances/

With Deciso hardware you are directly supporting OPNSense project.

A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

It no longer makes sense to keep those separated for home use.

Welcome to 2026.

I have from Qotom the Q11032H6, which is a N355 system, bough it during black Friday for a very good price.
https://www.qotom.com/products/show/Mini-PC-Q10900H6-S13-Series

Thats exactly the device i was talking about. They had issues where port numbers have been mixed up and they provided updated front panels with correct numbers. See attached.

Solid and pretty stable at least that is my experience with the AQC113C.

As mentioned I didn't had any problems since I put it into PROD so since 24th Feb.
The AQC113C and as well the Driver is working on OPNsense/FBSD seamlessly, honestly its hard to believe at first. But after months running these and not hitting any problems its just amazing.

Also this potentially unlocks 2nd option for NICs as to the Intel ones. AQC113C for me performs way better than any realtek NIC on OPNsense/FBSD.

Regards,
S.

This is very good to hear. There are some very nice mini pcs out there that have combination of 2.5G Intel 226 NICs along with Aquantia 10G NICs. I was hesitant to buy them because i had terrible experience with everything not Intel. Thank you very much for sharing this information. I appreciate first hand experience.

How are these Aquantia chips when it comes to stability and reliability ?