Physical or Virtual? A Silent 4x 2.5GbE Proxmox VE pfSense and OPNsense Box

Captions
Hey guys, this is Patrick from STH. Today we're going to talk about that thing that we definitely don't talk about enough but probably should talk about more, and this happens to me all the time: I'm in bed and all I can think is, am I doing this right? Now, of course, what I'm thinking about is, should I have a physical firewall and router, or should I virtualize? And that brings us to the topic of today's video, the little Topton unit. Now you may have seen that we recently did a video with a very similar Hudson unit, and that one we really did as just a physical firewall. Now we've installed a whole bunch of different things: we did pfSense, we did OPNsense, we did a bunch of different things on there. But today what I want to focus on is, well, clearly a cousin of that one, but really looking at it from the other perspective of what happens if you go and virtualize your entire firewall solution and then add a couple of extra interesting services. And if you think that the reason we're doing that is because, exactly on the day that we published that video, this unit just happened to arrive, instead of coming early enough that we could have actually put it in that video, you'd be right on that too.

Basic game plan: let's do a quick overview of the hardware, and then we're going to talk about setting up this solution and why this actually works pretty darn well as a virtualized router solution using Proxmox. So we're using all open source tools, and I guess let's just get to it.

Okay, so let's start with the overview, and let's start with the big features. This is a pretty small box and you can see that it is passively cooled. We have another unit coming that's a little bit bigger that looks like it's passively cooled but actually is not, but this one is completely passively cooled, so there's no fan in there, which means there's one less component to fail, and also you're not going to get noise from a fan. It's also pretty small, so you can stick it in a lot of places.

What you're going to notice about this Topton unit versus the Hudson unit that we reviewed previously is the fact that on the side of the unit you're going to see that we actually have some heatsinks, where this was a flat side on the Hudson unit. We also have a much more elaborate and ornate heatsink solution on the top of this, and I will say that just before recording this video (it's about 11:10 at night) I just had them running next to each other, put my hand on both of them, and I do think that this one felt a little bit cooler. Neither of them gets particularly warm because they don't release that much power, and we'll talk about power in a little bit, but at the same time I think maybe this case actually does dissipate a little bit more heat. The one disadvantage, though, is the fact that this is a rounded edge, and because it is a little bit rounded it doesn't like to sit up on its edge really well, so you're pretty much just going to be putting it down like this, on the little rubber feet on the bottom which you can see; you're basically just going to have it down like this the entire time. That's the chassis, and that is probably the biggest difference between this version and the previous version, until we get a little bit inside.

So what you're actually going to see here is that we have a total of four RJ45 ports, and these are actually 2.5 gigabit Ethernet ports. Now these 2.5 gigabit Ethernet ports are provided by the Intel i225-V, and like the previous unit these are SLNMH NICs, which means that the little chips are the B3 stepping. You do not want to get the B1 or B2 stepping of the 2.5 gigabit Ethernet NICs; you definitely want the third generation, or B3 stepping, and that's what these have. The other thing that you're going to see is that we get a 12 volt DC input, which basically means it's super easy to get a power supply for these things. We haven't had any issue; I actually have a couple of these between Rohit and me, and we haven't had any issue just swapping in other 12 volt power supplies. This really doesn't use that much power, so I think you can basically put almost whatever you want on it, although we did get a power adapter with the unit.

Flipping around to the other side, what you're going to see is that we get USB 3 ports, we also get an HDMI port and a VGA port, and basically you can set this thing up using either an iKVM or you could just hook it up to a TV with a keyboard and a mouse or something like that. We actually use TinyPilots and they work great on these units, so frankly the TinyPilot, I think, did a really good job there. We also can use something like a Lantronix Spider with that VGA, no problem. There are a bunch of different remote manageability options, but you don't have remote manageability built into this one; this does not have something like IPMI or anything like that. You also get power and reset buttons, and then these two little nubs right here are actually for Wi-Fi antennas. They're in a little bit different spot than on the other version, but they're overall pretty similar.

I do want to note just one thing: I got this unit on AliExpress and it was, I think, like $298 with all the little coupons that I could get. You might be able to get better deals, and I think they actually used to be a little bit less expensive, but that's kind of what I was paying. This thing took just forever to get here; I selected an expedited shipping method and then it took like two weeks. I don't know, it took forever to ship. But the other thing that I think is kind of interesting on this particular one is the fact that it is definitely silver. I don't know if you guys can see that because the lighting's a little bit bright, but this is a silver unit and I definitely selected the black color one. So I don't know, you just kind of get whatever you get, and I'm not sending this back because I don't really want to even try doing that, but it's silver, so it looks ugly. I don't know, but it's okay, we'll deal with that.

Okay, now getting inside the unit: you just basically pop off this bottom panel, and there are only four screws that keep it in, so it's not really that hard to pull out, and then you also definitely have some other mounting options here with different holes as well as the rubber feet. What you basically see inside is a little tiny motherboard. We get a 16 gigabyte DIMM; I actually ordered this specifically because I knew that we were going to do the virtualization on it, so I ordered it with a little bit more memory. You can see things like OPNsense and stuff like that, when you go fire up the VMs, those VMs will actually just go and consume eight gigabytes of memory no problem. They probably don't need all that, but they will consume it no problem. And so what I personally like to do is always get a little bit more than I think I'm going to need, and specifically here I got 16 gigabytes because I think that's a pretty good number.

Now there were a couple of people on the previous video who were like, Patrick, why didn't you mention the fact that there are actually two SODIMM slots? And I just wanted to pull the SODIMM out so I can show you guys that there's not a second SODIMM slot. Now some of these units (they're all basically based on this motherboard), some of these units say that they have two SODIMMs, and I think previous generations may have had two SODIMMs, but on this one there's only one slot there, guys, it's just one slot. So thank you for the comments, but physically there is one slot, and it's the same on the one that we did before. The SODIMM that comes in this unit is from a no-name brand, so if you are kind of picky and you're kind of worried about no-name brand RAM, then, well, that might be a concern for you. The previous one that we got actually had an SK hynix DIMM, which is a pretty big brand, but this one is definitely looking to save a couple of cents or bucks or whatever on that.

And then the other thing is that I did get a 256 gigabyte SSD. I wanted something that, you know, you could say, well, you only need like 8 gigabytes or 16 gigabytes for a firewall, but I wanted to get something that was big enough that we could do virtualization and we could actually put some other things on there, and that was a specific consideration that I had. So I got a 256 gig SSD and you can see that here, and you can see that this thing doesn't even have a label facing us. I mean, it is just basically a little cheapo 256 gig SSD. Frankly, if I were installing this unit remotely (if this is in your home, okay, but if you're installing this remotely) I would probably not actually use that SSD. I would just order this with no SSD, and what I would do is, this unit actually comes with this little cable, and you're going to see that we actually have a little SATA port on the motherboard and this little cable that has both power as well as the SATA connector. So basically what you would do is use the cable and get another SSD. This just happens to be a one terabyte SK hynix SSD, which is way too big for a little box like this; you definitely don't need one terabyte there, you probably don't, but you could put it in if you wanted to. You basically just plug this in, plug it into the motherboard, and you're off and running; it actually mounts to the bottom part of the chassis. Now I'm sure that the SSD this comes with is reliable and it's a great SSD, but on the other hand I personally would not feel comfortable: as a home unit, sure; if I had a small office, maybe; but if it was at a location that I was not going to be at every day, I would probably not trust my firewall to an SSD that I don't really know is a good SSD or not. So just personally I like the idea of putting my own SSD in there instead of getting one. You also save a couple of bucks; you're probably going to pay a little bit more by getting a quality SSD, but I think that's something that is definitely money well spent, and you may also want to do that for the SODIMM. So I also do think that just getting the bare bones option is totally valid.

Just talking about power consumption real quick: this one actually used about half a watt more than the Hudson unit, and they're the same motherboard, so the only thing I can guess is that the reason this one was using about half a watt more... and by the way, that's talking about maybe five and a half to six watts, so on a percentage basis it's actually quite a bit, but it's also not really that much nominal power. Side by side you can see this one uses just a little bit more power, and on the top end you're getting into the low double digits in terms of power consumption, but you're not at like 20 watts or anything like that. These are relatively low power devices, and that's why you can run them passively.

Okay, now let's get to that question of software, and should you virtualize or not. Now I'll just tell you that personally I have done both. I've gone through periods of time where I said I need to virtualize, and I've done the opposite: no, I'm absolutely not going to virtualize. At one point I even had my home pfSense running off of a Hyper-V VM, which, I don't really know what the heck I was thinking, but it actually worked pretty well until I was traveling and then it had to get reset remotely, and it was a total pain to do. So what I would personally say is always think about manageability when you do these things. There are pluses and minuses to doing virtualization; we'll talk about those in a second. So of course with this unit we did exactly what you would expect: we installed both pfSense as well as OPNsense, because we had some comments about that, and both of them worked no problem so long as you're on the newest versions.

If you're on older versions they may not have support for the Intel i225 NIC, and it took a long time to get the Intel i225 NIC into FreeBSD. The reason for that, I think, is that Intel was really focusing more on the consumer motherboard market, so they really cared about Windows, definitely; Linux, yeah, of course we'll do that too; but then by the time they got to FreeBSD they were like, meh. And I think it was actually the Netgate guys who do pfSense that did a lot of the lift to get the driver into FreeBSD. So we actually have it now, but it definitely did take a lot longer than if Intel had come out on release day with drivers for everything. But that actually brings us to the other point, which is if you have a virtualized solution based on Proxmox on Linux, well, Linux has supported the Intel i225 for quite a while now, and so it just installs no problem and everything actually works out of the box, super easy. So that's actually a great experience.

So let's talk about virtualizing a firewall. pfSense, OPNsense, either one works; we're just going to say firewall in general. One of the things that this little unit actually does pretty well is it has a couple of features that are important: not only does it have VT-x, so it does virtualization, but it also supports Intel VT-d, and that basically allows you to do PCIe passthrough of devices from the physical hardware to a VM directly instead of having to do a virtualized or paravirtualized NIC or something like that. You can do passthrough. Now oftentimes everything just kind of works, but sometimes, especially when you have different types of hardware and stuff, you run into things where you have to do things like disable offloading of checksums or something like that, and you have to do something to be able to get the virtualized NIC to work, and it depends on how you set it up. It's a little bit more finicky if you actually do the virtualized one, but the advantage of having a virtualized NIC and not doing PCIe passthrough, by the way, is the fact that you could potentially do live migration if you wanted to, but that isn't definitely an option.

Now in this part of the video we actually had an entire guide on how to set up PCIe passthrough, and then I was like, wow, that is horrible, and anybody who actually wants to do that is just going to want to copy and paste stuff anyway, so why in the heck would we do a 10 minute video on that? Why don't we just put that on the main site? So we actually have an article, which we will link in the description, that has everything you need to copy and paste if you want to do PCIe passthrough on a device like this, or even an AMD version or anything like that. We totally have that all covered and we're just going to link it in the description so it's super easy for you to just cut and paste.

Now there is a little bit of a difference between how I would set up this unit if it's a physical firewall versus if it's a virtual firewall in terms of the ports, and I want to talk you through the logic here, because this is something that I have developed having done this for like a decade. I definitely have done this enough that I kind of have some sense of what I want to do. In fact, when we did the first STH colocation, we actually had Proxmox VE and I think we had pfSense virtualized, and that was our solution at the very beginning of our first colocation, which was probably eight or nine years ago, when we had to move off of AWS onto our own colocation. So I've definitely done this enough that I have a little methodology; whether it's the best, who knows.

Okay, so basically here's the deal. This is eth0, so this is the first Ethernet port, it's zero; this is three. Basically, if I use this as a physical firewall, I will actually use this one as my WAN port, I'll use eth1, which is the second port, as my LAN port, and then I'll use these two as the optional, just kind of extra ports. Now a lot of the firewall solutions will actually default to putting this one that's at the very end as the LAN, and then this one, which is the second one, as the WAN connection, and then you have two optional ones. But these optional ones usually go to my LAN anyway in some shape or form, and so I don't really like to have LAN, WAN, LAN, LAN; I like it to be WAN, LAN, LAN, LAN. So that's basically kind of the way to think about going through and actually doing this in the physical model.

Now in the virtualized model there's way more that you have to take care of, so I think it takes a little bit more thought in terms of what you want to do. Specifically, when I do a passthrough on something like this, I'll actually use this first port as my Proxmox port instead of my WAN port, so this is the one that we can manage everything from; if some VM crashes or something like that, that gives you your manageability out of this port. The second port I actually use for the Proxmox server itself to access the LAN, assuming I'm doing passthrough on my pfSense or OPNsense firewall, so this one becomes my virtual machine LAN connection. And then these two ports, what I actually do is just kind of use the default, so the first one becomes the LAN port and the second one becomes the WAN port. So virtualized, I actually have the WAN on this side, whereas physical, I actually have the WAN on that side. It's just a little different, but keeping these ports together makes life way easier when you forget to label something that you should have labeled but you ended up not labeling because you thought, oh no, I'll definitely remember it, and then you have to troubleshoot later. It just keeps life way easier, but that also means that we are going to be using an external switch to go from Proxmox out to the firewall and then out to the WAN.

So now we've had a couple of generations of these boxes, and something I'll definitely say is that when we run our firewalls, I think they're on the Xeon D series; if you have a 2100 series, even the 1500 series Xeon D, or the new D-1700 or D-2700 (if you don't know about those, we have a video on that), those things definitely have enough power, no problem. If you want to virtualize, just have fun at it. Now on the Atom C3000 series, I think that if you're at the higher end, like eight cores, four cores or more, I think you're definitely fine; when you're at the two core C3338, I think that's more of a physical, not a virtualized, firewall option. So I'm just kind of throwing the spectrum out there. And on previous generations of these, you could virtualize it, but you just didn't have that much CPU with 16 gigabytes of memory and four cores. The Intel J4125, this one, actually has enough performance that we can actually go and virtualize, and when we did virtualize both pfSense and OPNsense, I think we got somewhere in the 2.1 to 2.3 gigabits per second range just doing pretty simple NAT across from the WAN to the LAN, so just traversing the firewall. We had a couple of little rules just to block a couple of things, but nothing spectacular or anything like that, and it totally worked no problem.

So just the base thing: having a virtualized solution means that you get a couple of things that are actually really nice. You can do snapshots of your firewall, so if you do an upgrade and something goes wrong, well, instead of having to fail over to another unit, you can literally just log into Proxmox, restore your snapshot, and you're basically up and running in 15 seconds or something like that. It is definitely much preferable to hitting upgrade on your firewall and then finding out, oh, nothing works and we can't get out to the internet, this is terrible. So just personally I think that is one very big reason that I like the idea of virtualizing.

Now of course when you virtualize, you have enough performance with this thing that you can actually go and put a couple of other apps on there. I wouldn't run a desktop on there along with your firewall, but at the same time, if you have a couple of little apps that you want to run, you can definitely do that. One that is pretty common is people run something like Pi-hole. Now of course when you do Pi-hole, part of your configuration should always be to make sure that you unblock ads on STH, because, well, frankly, I definitely have said I do not want crazy ads or anything like that. We basically only have static images that we serve from server vendors, so it's all relevant to the STH main site. That's a big thing: I don't want all kinds of crazy bad ads. I just had a Letter from the Editor where I talked about this, but that is something that I've been working on for a long time. We're still working on it, but literally, if we don't have an ad to serve, we don't go out to get a cheap ad from somewhere; we literally just don't serve anything. So I want the main site to always be something that I would want to visit without adblock, instead of being like some of the other hardware sites that are horrible. That's what we do, so of course if you do decide to do a Pi-hole, please unblock us.

The other one, though, that is super exciting and that I really like, and I'll just kind of show you this: we actually have this one running at a different location on one of these. What it basically has is we have virtualized pfSense on Proxmox, and then we're running a Guacamole server. If you don't know what Guacamole is, it basically allows you to do remote desktop and stuff all through an HTML5 browser, so I can be on my iPad and log into boxes no problem. What we specifically have that there for is to get into a farm of Project TinyMiniMicro nodes, just a couple of them, but we basically have the ability to get into those nodes and do whatever we want to do on the Project TinyMiniMicro nodes. Then we use HAProxy to terminate our SSL, and then we can push an SSL connection all the way to Guacamole and then out to our clients. So while a lot of people talk about having VPNs and stuff like that, sometimes you just want a really easy remote desktop solution, and that is something that you can potentially use.

And while this unit is definitely faster, it's not the fastest one that you could potentially get today. There's also the newer generation of Atom that is the next gen beyond the J4125, and so we actually do have an N6005, I think, unit that's actually coming, allegedly. It's been on order for over a month, I think, and I don't even know if it's shipped yet. It probably has shipped; I don't know where the heck it is. Maybe a mouse is rowing it across the ocean; I have no idea where the heck that thing is. So when we get that unit we'll do another article and probably a video on that one as well. The newer chips definitely do have more performance, but you can actually do a lot with this thing without even going to the new version, and you can get these faster, so that's also kind of nice as well. But I definitely saw a lot of people comment about that on the last video. I'm totally aware; it's just taking forever to get them, so that's just the deal.

So getting back to our key question of this entire video, which is should you virtualize or should you run a bare metal firewall: my personal opinion has always been, at least in recent times, to actually go and do a bare metal install. The performance is generally a little bit better than if you had paravirtualized NICs and stuff like that, so I generally like to do bare metal. But I will say that these little units, as long as you do the PCIe passthrough, actually perform darn well. I mean, we're getting basically line rate speeds through them, even through the NAT, which I thought was awesome. So my personal thought is, not only do I get the speed that I would get with a normal VM if I had a kind of bare metal host, but I'm not really losing the ability to live migrate, because you can't live migrate a bare metal host anyway. And then the other thing is just the fact that you can run other apps on it: you can run a Guacamole server or something else on that little box, so you can run just kind of that extra little server. I also know people, I think Rohit has a PXE boot server that runs off of his as well, I mean, all kinds of different little things on it, and for those little tasks it's a nice little home server.

So with this journey of discovery, I hope that when you are up at night in your bed thinking, do I know what I'm doing, you will now have the answer, or at least a guide to say, do I feel comfortable doing a virtualized model, or should I just stick to bare metal firewalls. Personally, seeing these little units, I do think it is time that you can actually start to virtualize. Now if you do have a very heavy solution where you're doing a lot of IDS and you're really going to hammer these things, maybe you need more performance, and maybe you need something more than the $300 box, and maybe you just need a bigger CPU and you don't want to virtualize; cool. But if you're just running a kind of lower end solution, well then I think this thing is actually nice. I have to say I totally am impressed and I really like these little boxes. They're not perfect; they sometimes have components that I don't know are going to be reliable. I think the motherboard is probably fine, but the SSD scares the heck out of me. But at the same time, I'm actually kind of happy with my purchase. And with that, if you like this video, why don't you give it a like, click subscribe, and turn on those notifications. We have a whole bunch of great new videos coming and a new series on mini PCs. So with that, thanks for watching and have an awesome day.
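As an added example (not code from the STH video, the linked STH article, or the Proxmox project), here is a pre-flight check in POSIX shell for the VT-d passthrough setup the video describes: it confirms the Proxmox host actually has IOMMU enabled and reports whether each Intel i225-V port sits alone in its IOMMU group, since a port that shares a group cannot be passed through by itself. The SYSFS_ROOT variable and the 0x15f3 device ID are assumptions made here (confirm the ID on your box with lspci -nn).

```shell
#!/bin/sh
# Added example, not from the STH video or the Proxmox project: pre-flight
# checks before passing an Intel i225-V port through to a pfSense/OPNsense VM.
# Run on the Proxmox host as: sh check_passthrough.sh --check
# SYSFS_ROOT is an assumption so the functions can be exercised against a
# constructed sysfs tree; on a real host it is simply /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
# PCI device ID assumed for the i225-V (vendor 0x8086); confirm with: lspci -nn
I225V_ID="0x15f3"

# IOMMU is active when the kernel exposes at least one group directory.
# If this fails, VT-d is off in the BIOS or intel_iommu=on is missing from
# the kernel command line, and passthrough will not work at all.
iommu_enabled() {
  [ -d "$SYSFS_ROOT/kernel/iommu_groups" ] &&
    [ "$(ls "$SYSFS_ROOT/kernel/iommu_groups" 2>/dev/null | wc -l)" -gt 0 ]
}

# Print the IOMMU group number of a PCI device (e.g. 0000:01:00.0), or fail.
iommu_group_of() {
  link="$SYSFS_ROOT/bus/pci/devices/$1/iommu_group"
  [ -L "$link" ] || return 1
  basename "$(readlink "$link")"
}

# Print every PCI address that belongs to IOMMU group $1.
group_members() {
  ls "$SYSFS_ROOT/kernel/iommu_groups/$1/devices"
}

# Succeed only when device $1 is the sole member of its group. A NIC that
# shares a group would drag its neighbours (the other ports, a bridge...)
# into the VM with it, so it should not be handed over on its own.
passthrough_safe() {
  grp=$(iommu_group_of "$1") || return 1
  [ "$(group_members "$grp" | wc -l)" -eq 1 ]
}

# Print the PCI addresses of all i225-V ports found in sysfs.
find_i225v() {
  for d in "$SYSFS_ROOT"/bus/pci/devices/*; do
    [ -f "$d/vendor" ] && [ -f "$d/device" ] || continue
    if [ "$(cat "$d/vendor")" = "0x8086" ] && [ "$(cat "$d/device")" = "$I225V_ID" ]; then
      basename "$d"
    fi
  done
}

# Human-readable report; returns non-zero if anything blocks passthrough.
report() {
  if ! iommu_enabled; then
    echo "IOMMU not active: enable VT-d in the BIOS and add intel_iommu=on"
    return 1
  fi
  rc=0
  for dev in $(find_i225v); do
    if grp=$(iommu_group_of "$dev"); then
      if passthrough_safe "$dev"; then
        echo "$dev: IOMMU group $grp, isolated, ready for passthrough"
      else
        others=$(group_members "$grp" | grep -v -x -F "$dev" | tr '\n' ' ')
        echo "$dev: IOMMU group $grp shared with ${others% }, not isolated"
        rc=1
      fi
    else
      echo "$dev: no IOMMU group assigned"
      rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  --check) report ;;
esac
```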
Info
Channel: ServeTheHome
Views: 121,300
Keywords: pfsense, opnsense, 2.5gbe, 2.5g, intel i225, intel i225-v, 2.5gb router, 2.5gb firewall, 2.5gbe firewall, 2.5gbe router, pfsense i225, pfsense 2.5gbe, pfsense build, i225 firewall, intel, intel j4125, quad nic, mini pc, mini pc firewall, mini pc pfsense, pfsense firewall, pfsense setup, fanless pfsense, proxmox, proxmox ve, virtualization, pfsense proxmox, opnsense proxmox, opnsense firewall, guacamole
Id: IJhlqb4iGn4
Length: 22min 7sec (1327 seconds)
Published: Fri Apr 15 2022