Quad-core Intel Goldmont/Apollo Lake (Pentium N4200, Atom E3940)
-
Hey,
I hope this is the right place to ask (forgive me if it's not, this is my first post here).
After years of relying on my internet provider's hardware (mostly FRITZ!Box – very popular here in Germany) I decided to build my own router/firewall. Almost 4 years ago I build my NAS on Intel C2750 and FreeNAS, which serves me well until this day. That was fun and now I'd like to build my own router (and hopefully learn something new on the way).
I'll start with my use case -- I have a 200Mb/s (down) & 12Mb/s (up) internet connection. I plan to use firewall + ad blocker + a lot of OpenVPN (clients & server). I need something completely quiet (fanless), small (no bigger that Mini-ITX, half-height, so no expansion slots) and reliable. It should also be a bit more powerful than what I need now as I'd like to run it for years, even after I upgrade my internet.
So I've read a bit and I found that I need CPU with AES and Intel NIC. I thought about Rangeley C2558, but:
-
these boards are surprisingly expensive (for such old hardware), almost as expensive as at their launch date 4 years ago (at least here in Germany)
-
C2000 got some bad press due to some bug (which I personally haven't experienced and people claim is not present in boards made after 12/2016)
-
lack of Quick Assist support (at least v1.5 present in Rangeley) in FreeBSD is really disappointing :(
I've read a lot of positive reviews of the new Atom C3000 (Denverton) but I don't know if it makes sense to wait until first boards with C3558 show up.
Next thing I looked at was Apollo Lake line. Pentium J4205 seems to be the most powerful one (by looking at no. of cores & burst frequency) but I couldn't find any boards with dual Intel LAN. I could find some of its "smaller" (6W TDP, mobile) brother, N4200 though:
-
MITAC PD10AI-N4200 (Mini-ITX)
-
Supermicro X11SAA (Mini-ITX) - I don't see it listed on Supermicro website, is it discontinued?
-
Supermicro X11SAN (3.5" SBC) – this one is available in SuperServer E100-9APP barebone and IMHO looks super cool.
Does anyone own N4200 based pfSense build (preferably on one of the mentioned boards)? Did you experience any issues with it? Would that be a good build for my use case?
-
-
I would highly recommend you take a look at the Xeon D processors. SoC, fanless, low TDP and very powerful. Install vmWare ESXi on it and you can consolidate a lot of systems.
-
How much OpenVPN will you be needing?
N4200 is a really bad pick for OpenVPN, very low clock speed and OpenVPN is single threaded.
I would suggest you get a J3355B and an i340t2 NIC, there is no advantage to on board NICs in day to day use other than form factor.
Check out this case:
http://www.mini-box.com/M300-Enclosure-w-Bootable-CF-Reader_2
http://www.mini-box.com/picoPSU-80-60W-power-kit
- a riser card for your NIC
http://www.ebay.com/itm/IBM-49Y4232-INTEL-I340-T2-DUAL-PORT-ETHERNET-ADAPTER-49Y4231-/252932840321?epid=1295151135&hash=item3ae3f8db81:g:nb0AAOSwlMFZFIvg
That case measures 7.9"w x 3.1"h x 9.5" long.
- a riser card for your NIC
-
I would highly recommend you take a look at the Xeon D processors. SoC, fanless, low TDP and very powerful. Install vmWare ESXi on it and you can consolidate a lot of systems.
I don't think I like the idea of consolidating my systems – I'd like to upgrade them one by one, when there's a need. Otherwise I could probably run pfSense in bhyve on my FreeNAS box (no ESXi as C2750 does not support VT-d).
-
How much OpenVPN will you be needing?
I don't know how to solve it yet (no experience with pfSense) but I'd like to run multiple OpenVPN clients:
-
one for my TV and set-top boxes to workaround geo blocking
-
one for my guest network
-
(maybe one for my torrent client – but I can run OpenVPN client for this in VM on my FreeNAS box as well)
-
(I'm not sure whether I want my main network to go through VPN yet)
I plan to buy switch with VLAN support so as I understand I don't need more than 2 LAN ports on my router.
Oh, and I also plan to run VPN server (I hope that's possible).N4200 is a really bad pick for OpenVPN, very low clock speed and OpenVPN is single threaded.
I would suggest you get a J3355B and an i340t2 NIC
I see that J3355 has higher base frequency, but burst one is the same. They seem to have very similar single core performance. And as I plan to use multiple VPN connections (they might be idle most of the time though) I though more cores would be helpful.
there is no advantage to on board NICs in day to day use other than form factor.
You're right. But smaller Mini-ITX enclosures look way cooler if you ask me :)
-
-
You can definitely do everything you want with OpenVPN on pfSense, no problem!
You're right, each OpenVPN instance you run will be it's own process and will be able to utilize multiple cores.
I would still be wary of the N4200, don't rely on any speed except the base speed - especially - when you're planning on running a fanless unit in a small enclosure. It is pretty likely that it will rapidly get too warm in there for the CPU to give you burst frequencies, then you're stuck with 1.1GHz.
I wouldn't trust those passmark results, especially with that low number of samples. Both the N4200 & J3355 are Goldmont architecture with all of the same features enabled. N4200 is a mobile parts and J3355B is Desktop part, 900MHz is going to make a notable difference in single-thread performance and thus OpenVPN throughput.
I would say at least search around the forums and see if anyone else has tested OpenVPN throughput on an N4200 before you buy the part, and see if it will be fast enough for you. It would suck to find out it doesn't meet your needs after you bought and build the system.
-
I would still be wary of the N4200, don't rely on any speed except the base speed - especially - when you're planning on running a fanless unit in a small enclosure. It is pretty likely that it will rapidly get too warm in there for the CPU to give you burst frequencies, then you're stuck with 1.1GHz.
Well, if one can not rely on burst frequency in fanless build then E3940 gives 500MHz extra of base frequency.
Supermicro has that on its A2SAN-E 3.5" SBC (available in SuperServer E100-9AP barebone) as well as on A2SAV-L Mini-ITX board.I would say at least search around the forums and see if anyone else has tested OpenVPN throughput on an N4200 before you buy the part, and see if it will be fast enough for you. It would suck to find out it doesn't meet your needs after you bought and build the system.
Yeah, I'll do that (for N4200 and E3940).
Performance wise I would be fine with 100Mbps from single OpenVPN client (AES-256-CBC). 200Mbps would be great.
I'll spend some time and try to find that out.(I need to also rethink if I'll be running more than 2 VPN clients at the same time).
-
J3355 can certainly get you those speeds, I'd recommend AES-128, 256 provides no additional protection.
-
I found a couple of people mentioning these boards (although I'm not sure if they have them) and messaged them.
If J3355 can push 293 Mbps of VPN traffic then (by comparing base frequencies):
- N4200 should be able to push 161 Mbps
- E3940 should be able to push 234 Mbps
If burst mode works (to full extent), then:
- N4200 should be able to push 293 Mbps (same as J3355)
- E3940 should be able to push 211 Mbps.
I guess the true value is somewhere in between.
Now I lean toward E3940 as it's cheaper and has a faster base clock. I'll wait a bit (giving others a chance to chime in) and probably order some Supermicro board based on this chip.
-
Wow, that E100-9AP is very nice.
That blows the SG-2440 out of the water in terms of CPU, price and form factor!
That might be just the thing for you if the OpenVPN speeds match up with what you want, it should come close to 200Mbps even if it doesn't quite hit it.
-
FYI, I ordered E100-9AP + 8GB of RAM + 64GB SSD (m.2).
As soon as I have it up and running (which might take me some time as I've never done it before) I'll test it and share the results.(This thing lacks IPMI and I don't own any display/keyboard so I'll either install it at work or learn how to use serial port console…)
-
The UP Squared board can run pfSense 2.4.
- Pentium N4200
- Dual Reltek NICs
- Up to 8 GB of ram
- Up to 128 GB of storage
- 1x mSATA/mPCIe slot
- 1x M2 2230 slot (non SSDs, only PCIe devices)
- 1x 6Gbps SATA3
- Rapsberry Pi form factor w/GPIO pins (though there are no kernel drivers in FreeBSD 11)
Though FreeBSD 11 (which pfSense 2.4 uses) is limited in that it doesn't fully support the Intel eMMC 5.0 specifications. I'll later test pfSense 2.5 w/FreeBSD 12 when it matures a bit to see if they included the drivers there.
I'm personally running Xen on ArchLinux on my UP^2 to gain access to its GPIO and eMMC 5.0 storage, with pfSense running within Xen.
The Reltek NICs handle my 500 Mbps up/down Verizon FiOS connection just fine. As a matter fact, I stress tested the UP^2 with this setup and achieved 890 Mbps UP and Down simultaneously. OpenVPN I haven't finished setting up yet though.
http://www.up-board.org/upsquared/
Link to pfSense on UP Squared: https://up-community.org/wiki/PfSense