Background
My local ISP has some pretty attractive deals on 1.5 Gb/s Fibre and they have also made 3 Gb/s available in my area. Unfortunately, my LAN is still on 1 Gb/s.
My current setup is a Synology RT2600ac as my gateway and my home server has an integrated 2.5 Gb/s ethernet port. I have been very happy with the Synology router over the past 6 years but the latest offering, the RT6600ax, only provides a single 2.5 Gb/s port which can be configured as WAN or LAN. Unfortunately, this doesn’t suit my needs because I would like at least 2.5 Gb/s WAN and 2.5 Gb/s LAN and would really prefer 10 Gb/s WAN and LAN ports so my firewall is useful for the foreseeable future.
Prebuilt options
Online, it seems like many people are moving to these relatively inexpensive N100 based mini PCs with 4x Intel i226 2.5G LAN ports. These PCs are available on AliExpress and have been covered extensively by Serve The Home. Although these look like great options, I am reluctant to purchase one knowing that residential speeds greater than 2.5 Gb/s are already available in my area.
When I started looking for 10 Gb/s options, the most interesting to me was the Qotom Q20321G9 C3558R. Serve The Home reviewed a similar unit. This unit seems to tick all the boxes for me but at around $450 CAD, I found it a bit too expensive to justify. There are many more options for devices in this category but the prices were just too expensive. For example, a Protectli VP6650 is around $1300 CAD.
PC | 2.5G | 10G | Cost |
---|---|---|---|
N100 Mini PC | 4x | - | $300 |
Qotom Mini PC | 4x | 2x SFP+ | $450 |
Protectli VP6650 | 4x | 2x SFP+ | $1300 |
Searching the used market
Another common recommendation is getting a Lenovo M720q and using a PCIe riser with your own network card. This seemed really attractive to me but unfortunately, an M720q was actually pretty expensive. I couldn’t find any locally (closest was an M920 for $300) and on eBay, an M720q was around $200. I think the M720q is popular because of the tiny micro size with PCIe expansion but the size of the computer isn’t that important to me. The firewall is going to sit on a shelf in my utility room anyway. So instead, I started searching the local classified sites (Facebook Marketplace and Kijiji) for the cheapest computers I could find. I saw a listing for a Lenovo ThinkCentre M700 Small Form Factor for $80 or best offer. I offered $60 and the seller accepted.
This M700 (type 10GT) came with an Intel Core i5-6400, a single 8 GB stick of Samsung DDR4 memory, and a 1 TB hard drive (yuck). For expansion, the motherboard has a PCIe Gen 3 x16 slot and two x1 slots. After updating the BIOS to the latest version and enabling C-states, I booted into Debian for some testing. Using powertop’s auto tune, the idle power consumption of the machine was around 12-15 W. This is pretty favourable compared to the 10.5 - 12 W Serve The Home measured on their N100 machine (although that has 4 NICs and I’m not sure if any tuning was done).
Upgrading the machine
I forgot how insanely slow mechanical drives are for running an operating system on. I purchased a cheap SATA SSD (no M.2 on this motherboard) to eventually install Proxmox on. Then it was time to shop for a 10 Gb/s network card.
There are a lot of options when it comes to 10 Gb/s network cards. Although I considered the SFP+ options, the additional cost (and complexity) of the transceivers made them pretty unattractive. My WAN will be RJ45 and my existing home server is also RJ45. I eventually decided on a Silicom PE310G2I50-T Intel X550-T2 from eBay for $90 USD. I chose the X550 because it’s reasonably modern, supports Active State Power Management (ASPM), and uses about half the power of the older X540. I chose the Silicom version because, based on what I’ve read, there don’t seem to be any fakes of this card on the market.
I also have a spare PCIe x1 1 Gb/s network card that I will use to connect the firewall to my existing 1 Gb/s switch. I plan on using the integrated NIC as the Proxmox management port.
Conclusions
My total cost of the firewall is about $200 CAD. I think I got lucky on the price of the M700 SFF but I think there are likely similar deals available if you expand your search criteria. Now that I have the machine, I need to migrate my network, which includes a few VLANs, from Synology Router Manager (SRM) to whatever software I choose. I’m still deciding between OPNsense and pfSense but in my limited testing, I’ve had more luck with OPNsense.