Found: My ideal small form-factor hardware: Liantec EMB 5842
-
I finally found my ideal small-form-factor firewall platform. I recently purchased the Liantec EMB-5842, from Wim Vandeputte at kd85.com.
NOTE: I am not in any way affiliated with Wim Vandeputte or Liantec.
My requirements were:
- Box must be small form-factor. Ideally no bigger than a Mac Mini.
- Hardware must be pfsense and OpenBSD compatible.
- Box should run quiet
- Had to support running on Compact Flash (or CF Microdrive)
- At least 3 (and ideally 4) Ethernet interfaces. Preferably Intel NICs.
- At least 85 Mbps throughput interface-to-interface with my pf ruleset enabled.
- Must support serial console and PXE boot
- Enough CPU power to run a couple of apps, like Spamd, Squid, DJBDNS, possibly Snort.
Ideally the firewall box should also have:
- Low power consumption
- Optional 802.11 capability
- 512 Mb RAM
- Gig-E for increased performance, even on 10/100 links. Intel Gig-E NICs only, since other Gig-E NICs are either very poor (e.g., RealTek) or not supported by both OpenBSD and pfsense (e.g., Broadcom)
Soekris and WRAP are popular choices for running small-form-factor firewalls. Both can sustain 25 Mbps throughput – which is more than enough for most home Internet connections. But between computers on my LAN and servers on my DMZ, I wanted more than 25 Mbps throughput. I ruled out the Soekris and WRAP hardware because they're too under-powered for what I want and not very future-proof.
I also considered the Commell LS-570 and LV-674, Nexcom NSA-1042, and various Lex hardware (Neo, Twister, etc).
The Liantec EMB-5842 (http://www.kd85.com/liantec.html) is the only box I found that met most (in fact, all) of the above requirements. Liantec is also coming out with a VIA CPU version -- that would mean hardware support for crypto/VPN acceleration.
My Liantec EMB-5842 has 512 Mb of RAM, 1 Ghz Celeron, four Intel Gig-E NICs, and a 4 Gb Hitachi Microdrive. When idle, the Liantec's temperature hovers around 35C (95F). The Liantec is the size of a trade paperback book and can sustain 395 Mbps throughput (pfsense 1.0.1), even with a relatively complex pf ruleset!
You can see details of my specific throughput tests at:
http://www.kd85.com/liantec.html
I have no idea how many IPSEC VPNs you can maintain with this hardware. But my guess is: many. The CPU is hardly utilized.
===============
The Liantec EMB 5842 is not a cheap solution when compared to the WRAP or SOEKRIS, but what you're getting is a very high-performance, future-proof firewall in a very small form factor.
If you're looking for a similar solution that fits into a 19" rack, you probably want to look at the Nexcom boxes (or ask Wim to build you a custom 19" case for a Liantec).
I cannot praise Wim Vandeputte enough: he was patient and very helpful in selecting the hardware. He provided a nice case (and fan) for the Liantec board and shipped it to me very quickly in a well-packed box. As far as I know, Wim is the only source for Liantec hardware. Whatever your requirements are, you might have a look at his inventory at http://www.kd85.com.
===============
Using instructions at:
http://wiki.pfsense.com/wikka.php?wakka=FullInstallOnWRAP
http://wiki.pfsense.com/wikka.php?wakka=Nexcom
http://doc.pfsense.org/index.php/Chapter_3:_Installing_pfSense
it was relatively easy to install the full version of pfsense onto a Hitachi 4 Gb Microdrive using a SanDisk ImageMate 12-in-1 and a laptop. Because of compatibility issues between Seagate Microdrives and FreeBSD 6.x, I chose the Hitachi Microdrive (Model HMS360604D5CF00, P/N 0A40241, S/N B4TSGALA 55A.) I've had no problems at all with it.
===============
After working with the hardware for several months, I've come to the conclusion that it's probably even more powerful than I need. If I had to do it over again, I might opt for the 600 Mhz Celeron or the VIA version instead -- to keep the power and heat down even further.
-
What is the price tag on this box?
…never mind... found it
-
~ $550 (398 Euro) + shipping + $80 for the Hitachi Microdrive.
-
1 euro for every Megabit of speed you can squeeze out of an interface.
-
Sounds pretty neat, but I'm looking for something with more grunt. I'm getting updated to a gig connection to the internet and I'm looking for a small FF box that will keep up. Note, this is purely for bragging rights, as I have no mission-critical need for such a high-speed connection. So I don't want to spend the earth just to get a good download speedtest on DSL Reports.
;)
-
Then you're gonna need high-performance Gig-E cards – like the Intel Pro 1000 -- and they'll need to be on a PCI-e bus. I think you can get that in a Nexcom, but it's not a small box in the same way that a Soekris or Liantec is.
-
So I don't want to spend the earth just to get a good download speedtest on DSL Reports.
;)
heh… good luck with that. I can't even max my 15 Mb cable modem on any Internet speed test other than the undocumented one my ISP hosts, though if I hit a fast site or a popular torrent I can always hit 15 Mb with ease. Speakeasy's tests are a lot faster, but still don't get 15 Mb on them routinely.
The problem with gig wire speed is it requires something other than a PCI bus, either PCI-X on server class hardware, or PCI-e. So you're going to spend a lot more than this box costs for something that'll do gig wire speed. It's a limitation of PC hardware, not the software.
-
Guys, your last build is perfect
together with the EMB5842 Box from kd85.com the best combo I ever had !!!
Do you see any chance maybe to implement an OpenVPN Wizard like Zerina for IPCOP ???
Would make life much easier!
Thanks for all the work
-
I got a 1ghz version, but I have problems installing pfsense on it.
BTX Halted error when booting from livecd.
And a / when booting a cf with pfsense on it. When I connect thru the console I don't get any output on my screen.
Is there one of you guys that already got it running, kind enough to explain how you did it?
edit: When I am installing with the livecd, I use an external usb cd-rom player.
-
I connected the CD Rom Drive to the internal 40pin IDE Connector and used a power supply from my external hard drive.
You need to disable USB2.0 in BIOS to get pfsense working.
-
Got a 4GB Microdrive and did a full install on it
incl. Snort and Squid
Works like a champ
-
@Rusty64bit:
I connected the CD Rom Drive to the internal 40pin IDE Connector and used a power supply from my external hard drive.
You need to disable USB2.0 in BIOS to get pfsense working.
This was the trick…
The usb cdrom method isn't working.
Thank you Rusty64bit.
-
LPIC,
I used a separate laptop to write out the pfsense image from a LiveCD onto my Hitachi Microdrive. I mounted the Hitachi Microdrive on the laptop using a SanDisk ImageMate 12-in-1 card-reader.
I then installed pfsense on the 4 Gb Hitachi Microdrive in the SanDisk ImageMate. I knew the device where the Microdrive would be mounted in the Liantec would be different than in the ImageMate, so I made a few adjustments to the OS image on the Microdrive to account for that. Then I put the Microdrive into the Liantec and it booted fine.
=========
I'm glad my review was helpful and that you're pleased with your 5842s. I think it's a sweet box.
-
Couple questions on the Liantec EMB 5842.
Does it have a fan on the CPU? How much power does it take? Can you connect a Kill-a-watt to it and let me know?
Thanks.
Robert
-
The CPU does have a fan. I can't tell you how much power it takes.
In other news, my Hitachi 8 Gb microdrive just developed two unrecoverable errors and I can't mount the root fs. Never having used a microdrive before, I'm wondering whether this is par for the course if the drive is up for months at a time?
Anyway, do any of you that have a Liantec know whether you can hook up an external USB disk to it and boot from that?
-
His pricing is very expensive if buying from the US. If you are planning on buying multiple items, you would be better off buying direct. You could get qty 40 direct for the price you would be paying for qty 20 from him.