pfSense Challenges and pfSense 2.6.0 to the Rescue
On the pfSense side, the big challenge has been Intel i225 support. With pfSense 2.5.2, the out-of-box experience was that the NICs were detected as the Intel PRO/1000 NICs. While these would link up, and one could pass traffic, things like DNS would throw errors and not work.
With pfSense 2.6.0, this has changed and the four Intel i225-V NICs are detected and work out of the box.
The net impact is that we did not have to disable hardware checksum offloading, try to install new drivers or anything like that. Things just worked and we have used a few of these models for several weeks now, and they seem to be stable. The hard part is that currently, the i225 NICs are gaining support, but double-check if you are using an older OS to ensure that they have NIC support or it will be hard to download and install drivers later.
Power and Performance
In terms of power, we had a small 12V adapter that was plenty to power this unit.
In operation, with no network cables connected, idle was around 4.5W. This system does not have a BMC such as an ASPEED AST2500 or AST2600, but if it did, that BMC would use about as much power. Instead, we took the pfSense screenshots via TinyPilots.
Maximum power consumption was around 10W, but realistically, most of our users are going to see daily use below 10W.
In terms of performance, the Intel Celeron J4125 is actually slightly faster than theIntel Atom C3558 but on most benchmarks it is ~8-11% faster so the difference is not large. These are also a fraction of the performance of even the 1L PC TinyMiniMicro nodes that we look at. The net impact is a low power system that can push over 2Gbps in straight NAT mode, but VPN performance we saw in the 400-800Mbps range with OpenVPN being much slower and IPSec being faster. Of course, that was in simple benchtop configurations, not in WAN deployed VPNs, and without firewall rules or other rules. We are working to revamp our firewall testing methodology later this year.
Still, and this is mentioned in the video, the big difference was really the stability. Since the i225’s had been problematic, we stuck one of these in my house with around 10 TinyMiniMicro 1L PCs, a NAS, a Ubiquiti WiFi setup, and a few switches just to test one of my WAN connections, the Spectrum cable. I wanted to see if the ISP-provided router/ WiFi combos have gotten better. What we found is that pushing traffic over pfSense gave us single-digit percentage better latency than going over the ISP-provided box, and it was more reliable, not requiring reboots, nor hitting periods of unacceptable QoS requiring restarts.
Final Words
Of course, for many of our readers, the Netgate 6100 is a better option, and it is not from a rebranded OEM source that does not get things like safety certifications. One can also use pfSense Plus on the Netgate boxes. The extra cost also gets things like 10GbE and SFP(+) interfaces. Still, we recognize that many of our readers like to DIY and may not have the budgets for the branded boxes.
At some point, for $250-380, having a quad 2.5GbE firewall is awesome. This year we are seeing more PCs with 2.5GbE and WiFi 6(E) APs have been adopting 2.5GbE as well. We have also seen more NAS units adopt the standard. The big challenge is still the switch side, but we hope that is getting better soon. Three months ago, we would have recommended the 1GbE version of this inexpensive firewall/ router combo. Now that it works out of the box with pfSense 2.6.0, it seems like this little box may actually be a winner.
Our little fleet of these units is being used as internal VPN endpoints but has been working relatively well thus far to the point we figure we would publish the review. Of course, it is a bit hard to review a product sold basically with either the same or slightly different sheet metal by dozens of companies, but at least that offers some choice. Please do just ensure you are getting units with the newer B3 stepping of the Intel i225-V as generally silicon steppings mean you want the later revisions.
