PFSense Dedicated Micro Router

After having some nagging issues with a virtualized instance of PFSense (inconsistent performance and OpenVPN issues), I decided to switch back to a dedicated box. However, I did not want to run a large, power hungry system like I had in the past.

Requirements###

• Minimum 2 x NIC
• Support AES-NI
• Low Power (fanless if applicable)
• Small form factor
• Support OpenVPN near ISP native through-put (100/100)

Hardware###

The Dell R210ii server seems to be a goto option, but wanted to try something a little smaller that I could tuck away as I am trying to downsize my homelab.

The Qotom Q190G4-S01 looked like another popular option. I liked the idea of 4xNIC, however, the J1900 processor does not support Intel AES-NI which is a deal-breaker since I will be hosting an OpenVPN server.

I settled on the Qotom Q150P-S08. While it only had 2xNIC, the Celeron N3150 CPU did support AES-NI.

Setup###

I will not go through all the steps required to isntall PFSense since they are well documented here: https://doc.pfsense.org/index.php/Installing_pfSense

The Qotom-Q150P-S08 had a few quirks while installing PFSense.

• Using Rufus with DD Image select was the only way I was able to get pfsense to boot all the way. (F-7 to get to the boot menu in the bios)

• The initial boots caused sdhci_pci0_slot0: Controller Timeout kernel panics

This issue was easily solved by adding:
hint.sdhci_pci.0.disabled="1" into
/boot/devices.hints

• Enabled BSD cryptodev engine in OpenVPNs settings (make sure you use a supported Encryption Algorithm)
  

Edit:

I tested again with Hardware Crypto set to none and the performance was the same. It seems that pfsense enables available hardware acceleration automatically.

Performance###

The 99% use case will be accessing files remotely. The router was able to saturate my remote connections 50Mbps link while coping a file from the local network. The CPU usage on the router bounced around from 6-18%. I was very happy with this.

Iperf Benchmark

Without OpenVPN

871 Mbps from the LAN to the router.

With OpenVPN

Using AES-256-CBC/SHA1

130 Mbps over the VPN.

Power Consumption

From Kill-A-Watt:
6-8 watts during boot
6.2 - 6.8 watts at idle
7.8 watts while running Iperf over Openvpn

CPU Usage

CPU usage during normal traffic: 2-6%
CPU usage during 100 mbps download: 10-14%
CPU usage with iperf test over vpn: 30-37%

OpenVPN is single threaded so during heavy VPN traffic will drive a single CPU to 100% as seen during the Iperf Test.

Conclusion###

This set up is a very capable small network router. The performance is more than adequate for the use in a homelab.

More testing will be done with some of pfsense's more demanding packages like SNORT but these are beyond the current use case of the lab.

The only downside is the dual NICs. Hopefully there will be some quad NIC boxes with the N3150 processor in the future (and hopefully Intel NICs).