mitxpc NML-C3558D4I -- Firewall?

Nobu ([H]F Junkie, joined Jun 7, 2007, 9,884 messages)
Considering this for a home firewall. Uses the ASRock Rack board with the same model number. Overkill? Yeah. I only have a 20Mbps down link. lol

Question is, should I get this, or maybe the Netgate 1001/2001? The Netgate will be purpose built, but unless I get the 6001 (same CPU) it will be way less powerful. The 6001 OTOH is way more expensive, even after adding storage and RAM.
 
The first device you linked to uses Marvell PHYs. I would personally avoid anything with a Marvell chip in it; they have horrific Linux support, if you plan on using something like pfSense. Anything with an ARM SoC is also trouble for long term support. It may have firmware/OS support now, but as it ages, it won't have that forever. If it's not open enough to roll your own OS, then you could be left with an expensive paperweight. You'll also have to take into account any future updates slowing the device down with more bloat or security mitigations.

Depending on how you use your router, an Atom/ARM SoC might not cut it. If you plan just to do NAT, DHCP and DNS, it would be fine. But, if you plan on having more advanced network services like packet filtering/inspection, Samba, etc., then those chips wouldn't cut it. I have a Ryzen 5 2400G in my router, and it gets a decent workout when doing packet inspection/filtering. I also use it for other things like SSH, HTTP server, databases, etc.

I would suggest just buying a used x86 SFF PC and throwing a dual/quad NIC in it.
 
Is ECC a good idea, or totally unnecessary?

I have a few unused APUs (some A6's) lying around which I could put into a new board. Would use more power than the Atom chip, but I can tame it a bit in BIOS. Main issues would be no/partial ECC and (now) finding compatible boards. IIRC, the reason I'm not using them is I don't have a board with a compatible BIOS (or they were fake eBay CPUs).

There are some Xeon-D/Pentium-D/EPYC embedded boards in the $600-800 range, but my concern with them would be boot time and single-core speed, I guess? Then there are lots of low-power Intel/AMD embedded boards, too many to choose from. If you have one you like which wasn't too expensive, I guess I could start there.

Edit: there are some C3558 barebones with Intel LAN, but there's a cost premium which pushes them into the 6001's price range. I guess that's why they're so expensive (well, that and the OS/brand name).
 
For just a NAT router, ECC isn't important really. If bits get flipped, hopefully the TCP checksum catches it, or if your traffic is mostly TLS that will catch it. If you get sudden slowness, you might run a RAM test on the router to figure it out.

If it's a NAT router / home server / NAS / etc., ECC would be nice to have, but you can live without it.

If you're comfortable with AliExpress, you might check out these kinds of things. I don't have any, but they look about right. The one issue is Intel is great at 1G and 10G, but problematic at 2.5G; if you run these at 1G, it should be fine though.

I'm pretty sure a 20Mbps connection can be NATed with a Pentium 1. So really, specs don't matter. If you did have a fast enough connection that the hardware was taxed, you want to look into making sure the NAT can use multiple cores, and the NICs have one receive queue per core (and a power of two cores). And not deal with PPPoE, which all lands in the same receive queue :( Some older 1G NICs only have one or two receive queues, so if you have a slower multi-core CPU with more cores than receive queues, those extra cores don't help with processing. This probably doesn't matter for any recent hardware until maybe 400Mbps though.
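The receive-queue-versus-cores check described in that post, as an added example that is not part of the thread: it reads the per-interface `rx-N` queue directories Linux exposes under `/sys/class/net` (assumed layout; `count_rx_queues`, `rx_queue_verdict` and `report_all` are names chosen here) and flags NICs that cannot spread NAT load over all cores.

```shell
#!/bin/sh
# Added example (not from the thread): check whether each NIC exposes enough
# receive queues for the cores that will do NAT, per the advice above. Assumes
# Linux sysfs (/sys/class/net/<if>/queues/rx-N); the thread's OPNsense box is
# FreeBSD, where the driver sysctls would be read instead.

# Count RX queues a NIC exposes via sysfs (assumed layout); prints 0 if none.
count_rx_queues() {
    n=0
    for q in /sys/class/net/"$1"/queues/rx-*; do
        [ -d "$q" ] && n=$((n + 1))
    done
    echo "$n"
}

# True when $1 is a power of two (RSS hashes spread evenly only then).
is_power_of_two() {
    v=$1
    [ "$v" -gt 0 ] && [ $((v & (v - 1))) -eq 0 ]
}

# Pure decision logic: rx queue count and core count in, verdict out.
# Kept free of sysfs so it can be exercised with constructed numbers.
rx_queue_verdict() {
    queues=$1; cores=$2
    if [ "$queues" -le 0 ]; then
        echo "unknown: driver does not expose rx queues"
    elif [ "$queues" -lt "$cores" ]; then
        echo "limited: $queues rx queue(s) for $cores cores, $((cores - queues)) core(s) idle under RSS"
    elif is_power_of_two "$cores"; then
        echo "ok: $queues rx queue(s) >= $cores cores"
    else
        echo "ok-ish: $queues rx queue(s) >= $cores cores, but $cores is not a power of two"
    fi
}

# Walk every non-loopback interface and print one verdict per line.
report_all() {
    cores=$(nproc 2>/dev/null || echo 1)
    for d in /sys/class/net/*; do
        ifn=${d##*/}
        [ "$ifn" = lo ] && continue
        printf '%-10s %s\n' "$ifn" "$(rx_queue_verdict "$(count_rx_queues "$ifn")" "$cores")"
    done
}

# Usage: sh rxq-check.sh --report
if [ "${1:-}" = --report ]; then report_all; fi
```

A "limited" verdict on the WAN interface is the case the post describes: the spare cores sit idle because the driver has nowhere to steer their share of incoming packets.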
Was hoping to avoid wholly China-made stuff (even if the CPU...might be legit Intel). I understand that it's darn near impossible to avoid Chinese stuff in practice, but my firewall is especially not somewhere I want it.

That said, I'm not totally against the idea...just not gonna trust a "marketplace seller" (Amazon or Ali) for this.
 
Well, that said, mitxpc does stock some similarly specced machines in the $250-350 range, if you think they'll suffice. Dual or quad Gb or 2.5Gb.

6412, 3965, 4125.

Edit: won't be doing VPN, just firewall and maybe packet filtering? Not familiar with other stuff you can do. Oh, and maybe host my own local DNS.
 
Yeah, those are all good. I'd lean towards the Kaby Lake personally, but any of them will be more than enough.
 
Is ECC a good idea, or totally unnecessary?

I've been building my own routers for 17+ years and have never used ECC. Haven't had any issues from not using it.

I have a few unused APUs (some A6's) lying around which I could put into a new board. Would use more power than the Atom chip, but I can tame it a bit in BIOS. Main issues would be no/partial ECC and (now) finding compatible boards. IIRC, the reason I'm not using them is I don't have a board with a compatible BIOS (or they were fake eBay CPUs).

An APU is fine. I used an A8-5600K and later an A10-5800K in my main router for years. Heat is definitely an issue on higher powered APUs, but an A6 should be fine if you use a decent heatsink.

There are some Xeon-D/Pentium-D/EPYC embedded boards in the $600-800 range, but my concern with them would be boot time and single-core speed, I guess? Then there are lots of low-power Intel/AMD embedded boards, too many to choose from. If you have one you like which wasn't too expensive, I guess I could start there.

I'd avoid NetBurst based Intel CPUs. They're really too slow and power hungry to be useful today, especially with the CPU mitigations being enabled. Maybe if you needed a dual purpose heater in the winter time lol.

I'm pretty sure a 20Mbps connection can be NATed with a Pentium 1.

A regular Pentium would struggle to push 20 mbit on a modern NIC that didn't have any DSP acceleration on it. The cheap Realtek and Marvells of today usually have the driver on the CPU bit banging data, unlike the 3Com of old that had specialized DSPs to offload some of the work to the network ASIC.

In reality, 20 mbit would be 40 mbit, since it has to take it in from the WAN, figure out what to do with it, and send it back out again on the LAN. The Pentium wouldn't be able to do much else without slowing down.

I briefly ran a router on an AMD K6/2 450 12-14 years ago, and it had trouble with my 12 mbit connection. It'd hit 25-50% CPU usage regularly, and go higher if other services in the background were also busy.
 
I'm thinkin' I'll get the hbfbz10-6412. Seems to be powerful enough, inexpensive, and low power. Really don't wanna mess with EOL APUs that I can't even get motherboards for. Might throw those up on free stuff later.

Next paycheck I'll decide for sure. Thanks for the advice! ^_^
 
You can get them all day long on eBay, here's one for $30:
https://www.ebay.com/itm/255971357133

You can get them for as low as $17 if you don't mind rigging up your own power connectors on OEM HP boards.
The ones I have might only work in HP boards anyway. That said, I found one for $60 with the case, cooler, and power supply. I'm asking the seller if it's functional right now. I have some SODIMMs and drives on hand, so that would work for just getting familiar with it.
 
Well, 20 people pounced on that before the seller replied, so I got a complete system (minus HDD/RAM) for $50 from someone in Florida instead.

Not a mini, but that does allow me some more space inside to add a network interface if I want, and a better CPU cooling fan.
 
Well, it arrived the other day. Holy shit it's yuge, but I sorta knew that. Just forgot how big desktops were. :p

Inside is actually laid out quite nicely. Came with a DVD drive, which is nice. Unfortunately, it only has two DP ports and VGA, which wouldn't be a problem if the backlight on my 10yo monitor hadn't died just the other day... anyway, popped in some RAM I wasn't using (b/c it doesn't like my other AMD system) and...wrong slots. Move one over, and Bingo! We're in business! Just doing the built-in memory test right now to be sure RAM/CPU are actually compatible.
 
Got the data copied off the drive, burned an OPNsense install disk, and off we go! I forgot how f'n slow DVDs were...this may take a while. Also, my poor eyes...

Can't wait until this is done so I can (hopefully) never use this monitor again. D:
Uggh, it didn't update the EFI boot menu. :/
Edit: Installed successfully the second go round. Just got to set it up now.
 
Finally got it working, after a bit of fiddling. I suspect I had it all set up correctly before, but I couldn't get an IP on the WAN for some reason. Reset to defaults, and this time after encountering the same issue, I decided to try power cycling my modem, which did the trick.

Running an update now, and then I'll set up the extra stuff (malware/etc filtering, maybe some other stuff as well).

Fast enough for me, and stealth 100%. I'll take it!
 
Have you looked at a PCEngines APU2?

https://pcengines.ch/apu2.htm

I ran one of these for a long time. Finally switched to a used Dell SFF because I was pushing the limits of what it could do with my current 800 Mbit link. But I think my APU2 was only using something like 7W running. IIRC, I got mine up and running with a case, power supply, and SSD for like $250.
I had checked 'em out. They're neat, but not too powerful. If all I wanted was a firewall, that's probably what I would have gotten.

I threw one of the 4 core APUs I had laying about into this HP system, and now it's handling the traffic and more, no problem. Need a Kill-A-Watt to check power draw, but it's probably < 60 W.
 