Off the shelf box < $300



  • All
    I currently use a VPN client on my Windows PC with the PPTP protocol, as my ISP otherwise throttles Usenet. I am aware that PPTP is not fully secure but it is fine for my purpose. I get 100 Mbps download speed with my Windows PC based encryption. I would like to move to a router-based solution, but if I use my Asus RT68u as a PPTP client, speed drops to 20 Mbps. So I am planning to buy a pfSense box.

    While in the past I have built PCs I couldn’t be bothered any longer.

    What’s the best recommendation for a small, fanless box with AES-NI support? Ideally it is thoroughly user tested, and either comes pre-installed with pfSense or installation doesn’t have any quirks.

    I am guessing the setup would be cable modem > wan port of pfsense router | lan port of pfsense router > my wireless router, which will be used as an access point only



  • PPTP is no longer supported. You can't have it. Also, below 300 the SG-1000 works. As do cheap Qotom and MiniSys systems and the APU2.
    Stop using PPTP, the sooner it's dead, the better. pfSense no longer includes server or client components and they will (hopefully) never return :)

    Depending on your provider, you might have IPSec or OpenVPN options.

    If you want true supported and preinstalled hardware, Netgate is your only option. https://store.netgate.com/pfSense/systems.aspx


  • LAYER 8 Global Moderator

    "I am aware that PPTP is not fully secure but it is fine for my purpose"

    This is what is wrong… This mentality... You understand it's not secure but continue to use it.. Move to something better vs holding on to old no longer secure protocols... Same goes for FTP - why will it not just die already... It should have been killed off 10 years ago as well..

    That so called "vpn" providers still provide it - WTF?? Just utter nonsense.. There are plenty of easy to use and setup secure options - supporting dead tech doesn't do anyone any favors... You will have to look up the different VPN benchmarks for say the sg-1000, from what I recall it won't do anything close to 100mbps currently with openvpn.. But that might change with updated drivers, etc.. But its ipsec performance might be good enough? If not go with its bigger brothers.. The sg-3100 might be a good fit for you, it's a touch over your $300 mark but it does include gold, and has 4 switch ports, etc. And biggest thing is you would be supporting the cause vs some china box ;)



  • By the way, what ISP is this, and what connection type are we talking about? If it's PPPoE it might require additional power since it's still single-threaded and quite heavy compared to other connection types.



    I can sympathize with OP's challenge. Why do people think that everything needs to be 100% secure when I reckon the majority of VPN users only actually need a bit of obfuscation or proxy…

    As for solution - I have been advised to try something different - wireguard (which pfsense unfortunately doesn't support yet). Your router supports LEDE, so you can try wireguard client on that (if you can find a server). It's supposedly 4-5 times more performant than openvpn...



  • ISP: Telstra in Australia. I don’t believe it is PPPoE because my understanding is PPPoE requires you to enter user name and password and I didn’t have to do that. Modem/ Router was provided by Telstra and is Netgear C6300BD. As I mentioned previously I am planning to use this purely as a modem. Anyway for their cable internet connections Telstra doesn’t permit third party modems.

    I find a couple of responses here quite funny - instead of helping me find the best solution to my problem, people think I should just redefine the problem.

    All I said was I want a small off the shelf box which either comes preinstalled with pfsense or pfsense can be installed on without complication and that is fast enough to provide > 70mbps. I am aware that pfsense no longer supports pptp and hence it would have to be openvpn.



  • @someuser08:

    I can sympathize with OP's challenge. Why do people think that everything needs to be 100% secure when I reckon the majority of VPN users only actually need a bit of obfuscation or proxy…

    As for solution - I have been advised to try something different - wireguard (which pfsense unfortunately doesn't support yet). Your router supports LEDE, so you can try wireguard client on that (if you can find a server). It's supposedly 4-5 times more performant than openvpn...

    If you don't need security, then don't use a VPN.
    If all you need is a normal tunnel, then use one.



  • Since you know you can't have PPTP anymore, let's ditch that discussion. Depending on who/what you are connecting to, you might need beefier hardware than you'd expect since OpenVPN is still single-threaded. You might have some luck trying the OpenVPN client version of whatever service you are using with PPTP at the moment, if the OpenVPN speed is ok and we know your PC specs, we can give you some better suggestions. If it turns out you need i5-level hardware, you'll probably end up with a used office PC or a china box.



  • @johnpoz:

    "I am aware that PPTP is not fully secure but it is fine for my purpose"

    This is what is wrong… This mentality... You understand it's not secure but continue to use it.. Move to something better vs holding on to old no longer secure protocols... Same goes for FTP - why will it not just die already... It should have been killed off 10 years ago as well..

    That so called "vpn" providers still provide it - WTF??  Just utter nonsense.. There are plenty of easy to use and setup secure options - supporting dead tech doesn't do anyone any favors...

    Whilst I totally agree with you, the option should be there to turn on or install manually

    sometimes you may have to work with some old ancient piece of kit or long for this world server that you need to pull legacy data off



  • @andrewjoy:

    @johnpoz:

    "I am aware that PPTP is not fully secure but it is fine for my purpose"

    This is what is wrong… This mentality... You understand it's not secure but continue to use it.. Move to something better vs holding on to old no longer secure protocols... Same goes for FTP - why will it not just die already... It should have been killed off 10 years ago as well..

    That so called "vpn" providers still provide it - WTF??  Just utter nonsense.. There are plenty of easy to use and setup secure options - supporting dead tech doesn't do anyone any favors...

    Whilst I totally agree with you, the option should be there to turn on or install manually

    sometimes you may have to work with some old ancient piece of kit or long for this world server that you need to pull legacy data off

    I'm not sure PPTP has anything to do with that :p



  • @johnkeates:

    Since you know you can't have PPTP anymore, let's ditch that discussion. Depending on who/what you are connecting to, you might need beefier hardware than you'd expect since OpenVPN is still single-threaded. You might have some luck trying the OpenVPN client version of whatever service you are using with PPTP at the moment, if the OpenVPN speed is ok and we know your PC specs, we can give you some better suggestions. If it turns out you need i5-level hardware, you'll probably end up with a used office PC or a china box.

    So I tried using openvpn on my PC, which has Q8200 processor. I was getting about 60 mbps, which is about the same I get using pptp. My cpu usage was about 25%.

    So thoughts on what router/ hardware can I use to get the same speed



  • In that case an APU might do, but an i3-based Qotom or MiniSys will definitely work.



  • Thanks John. I am leaning towards QOTOM with i3 4005u and 4gb ram/32gb ssd


  • Netgate

    I wouldn’t buy a qotom if you’re concerned about security.

    We’ll look at adding wireguard after it runs on FreeBSD.



  • @jwt:

    I wouldn’t buy a qotom if you’re concerned about security.

    Can you expand on this please?



  • @jusjay:

    @jwt:

    I wouldn’t buy a qotom if you’re concerned about security.

    Can you expand on this please?

    He was probably referring to the fact that they are Chinese-made. But pretty much everything else is too, so it doesn't really matter as much as people think it does.

    Another angle I find to refer to myself is the fact that due to their location they have no incentive to update their firmwares and microcode or supply post-sales support. In practice, they seem to be reasonable (a few people on this forum had DOAs and got successful RMAs, no failed post-sales support yet) and they do supply dedicated EMEA, North America and BRIC support contacts on their site. It appears they care enough about their brand name to not just drop hardware all over the world and leave it at that.

    Depending on where you are in the world, some other issues might arise like shipping times, taxes and your nation's stance regarding China, but that's just politics and non-product specifics and will vary between all countries and vendors all the time. (i.e. the APU2 in the USA is a good choice, but outside it's not that easy to get or cheap at all)

    For home use, the good China ODM/OEM boxes are not a bad choice, for business use you'll probably want to keep a private stock of replacement units or use EU or USA vendors instead. Keep in mind that not all Asian sales are equal in quality and finding the good ones isn't very easy. So far, at least on this forum, we have identified Qotom and MiniSys as somewhat 'true' vendors (they make their own stuff instead of rebranding white label crap) but there are a ton of resellers just slapping their own brand name on those boxes and pretending they are the manufacturer instead (while not adding any value and asking 100-400 more for the same stuff).

    Ideally, we'd manage to get one of the good ones from China to get a deal with pfSense/Netgate/whoever to supply cheap non-commercial-use boxes, but so far I have no clue if either party wants that or is looking for that ;-) Since the ARM-based hardware is already in the Netgate store, I'm not so sure they'd be willing to undercut themselves for a possibly inferior (but cheaper) product. At the same time, Qotom is trying to use the pfSense brandname/trademark/whatever-legal-definition/copyright to sell their hardware faster, which isn't something that netgate/pfSense wants (makes sense, probably something USA law prohibits as well since you have to defend your claim to trademark/copyright in order to retain it). Normally a vendor would make a deal with the owner of the name to be an official vendor, but that isn't likely to happen in China due to cultural and legal differences.

    TL;DR: for home use it likely makes no difference, for business use, you would have to do internal validation before integrating random china hardware.



  • Thank you for the detailed reply John - much appreciated.



  • @Marrduk24:

    I want a small off the shelf box which either comes preinstalled with pfsense or pfsense can be installed on without complication and that is fast enough to provide > 70mbps. I am aware that pfsense no longer supports pptp and hence it would have to be openvpn.

    I'm using the APU2c4 in Australia and get up to 95 Mbps with OpenVPN. I note that one user recently reported some difficulties with pfSense installation - see https://forum.pfsense.org/index.php?topic=141618.msg . That said, I did a fresh installation 2-3 days ago from usb stick with pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img and all went well. My bios details:

    Vendor: coreboot Version: 88a4f96 Release Date: Mon Mar 7 2016

    The APU2c4 with a case (but no SSD) cost about $US 160 delivered to Australia from PCEngines in Europe in 2016.



  • The APU will probably work fine in this case. Only remaining issue is that it would be utilised 100% directly from the start; if the ISP decides to give you more speed in the future, you'd need faster hardware to use it with the VPN. If upgrades are unlikely in the coming 3-4 years, the APU is the way to go.


  • Galactic Empire

    Locking this thread in order to prevent another QOTOM promotion.


  • Netgate

    @johnkeates:

    @jusjay:

    @jwt:

    I wouldn’t buy a qotom if you’re concerned about security.

    Can you expand on this please?

    He was probably referring to the fact that they are Chinese-made. But pretty much everything else is too, so it doesn't really matter as much as people think it does.

    Having the board made in China, and having China load the firmware and software present on your machine are different things.

    Are most (volume) CMs based in China: Yes.

    Do you have any assurance of what you purchased: No.

    Qotom doesn't care about after the sale.

    Moreover, the primary means of funding the continued development of pfSense is via appliance sales.

