• I recently started playing with pfSense as an alternative to the Cisco ASA firewalls I have become very tired of using in various business/research installations, etc I maintain. So I decided I'd pick myself up some hardware to play with pfSense at home to see if it's a viable alternative to what I normally purchase for use in production.

    After doing a lot of searching around for various hardware, I decided I wanted something that offered the latest Rangeley Atom chips. These chips are designed for server/network processing, support virtualization (VT-X), AES-NI, and even sport QuickAssist crypto accelerators, all with a low power footprint. Unfortunately, finding small, production-level hardware with support for these chips is a little sparse right now.

    Enter the Lanner FW-7551: a purpose-built Rangeley box with 6 gigabit NICs - perfect for a pfSense install.

    Full Specs: http://www.lannerinc.com/products/x86-network-appliances/desktop/fw-7551

    Highlights:

    I've spun up the pfSense 2.2 Alpha images on the system, and it seems to cook along quite nicely. All 6 ethernet ports are recognized (recognized as igb0 to igb5), the CF slot works fine, serial console is accessible, etc. I currently only have it running in a fairly basic single-WAN, single-LAN default-NAT/firewall, but that much seems to work well. I'll be expanding it to a more complex setup soon.

    I also tried the pfSense 2.1.1-prerelease image last week, but ran into issues booting to the CF card after the initial USB-based install. The live USB boot image seemed to work fine (again, all 6 ports recognized, etc), but installing to the CF card and rebooting led to a blank console screen after the boot loader ran. It's possible this is just a console issue, as I didn't really dive in to see if the web interface was still working or not. I may try some more 2.1.1 testing depending on how stable the 2.2 Alpha ends up being for my home needs and/or how long it takes to reach a 2.2 beta/release.

    The system ran me ~$350 direct from Lanner (the only way I think you can purchase one of these) and it took a few weeks of lead time to get it here from China, but overall the purchasing was pretty painless. An 8GB ECC RAM DIMM added ~$100, and the 32GB CF card was another $35. Lanner also offers a 2.5" SSD/HDD mounting kit, which I have on order. I'll probably look to switch from the CF card to an old 128GB SSD when that arrives. In total, I would expect to have a pretty slick, full pfSense system for ~$500 (plus the extra $100 I kicked in for pfSense Gold membership and access to the 2.1+ book).

    The main downside to the unit thus far is the fan. It is very loud. Fine for a server room, but lousy for a home setup. Fortunately, it's a standard 40mm fan mount, and I've already replaced it with a much quieter fan with no significant ill effect on system temperature (these are Atom chips, so they run pretty cool). Unfortunately, something happened in the process of me replacing the fan (no idea what), and now the fan runs anytime the system is plugged in, even when it's powered off. Not really a big deal since the unit is pretty much always on anyway, but mildly worrisome from a hardware reliability standpoint.

    I just thought I'd post this to let others know that I've gotten pfSense to run on this box without too much pain. I plan to do a more thorough write up and review at some point once I have the unit vetted out a bit more. I also hope to buy a few more of these to use at various production sites once 2.2 stabilizes (or once I get 2.1.1 to work correctly on the unit). Also, I have no idea if pfSense is taking advantage of the AES-NI instructions for anything at this time, but hopefully those will become useful for VPN acceleration in the near future. It would also be cool to see support for the QuickAssist accelerator at some point, but I guess we'll see.

    I'll shoot to follow up as I gain more time with the system.

    In the meantime, enjoy some pictures:




  • Looks good.  Does that model have bypass ports?  Looks like there may be a riser card option too, looking at the card edge connector next to the LEDs.


  • @charliem:

    Looks good.  Does that model have bypass ports?  Looks like there may be a riser card option too, looking at the card edge connector next to the LEDs.

    Yep, but they're optional. The model I got (FW-7551A-V0.3) has two pairs of bypass ports on the four Marvell ports. There is a slightly cheaper B model that lacks the bypass option. I don't think I'm likely to use them in my home install, but I figured they'd be nice to have. You can set them in the BIOS for various failover modes, or disable them altogether.

    The goldfingers by the LEDs are labeled "PCIE1" on the mobo, but I'm not sure what kind of adapter you'd need to use them. It's not really discussed in the Lanner literature. But yes, it appears there is some form of PCIE support if you really wanted it.


  • Can you get a power consumption figure when it is running? Even just when idling along. I am always interested in equipment that takes 12V DC in on an external connector. It is an option to run directly from battery for offices that have solar/battery installations.


  • @phil.davis:

    Can you get a power consumption figure when it is running? Even just when idling along. I am always interested in equipment that takes 12V DC in on an external connector. It is an option to run directly from battery for offices that have solar/battery installations.

    Using the quieter fan (likely lower power than the original loud fan) and running more or less at idle (e.g. the power/traffic load associated with posting this post) I'm seeing about 14 Watts between the wall and the 12V power brick on my P3 Kill-A-Watt. The 12V power adapter supplied with the unit is rated up to 3 Amps output, so a theoretical 36W max. I don't have a DC clamp meter or another good way of measuring the DC load on the 12V side of the power adapter short of hacking up a power cord and using my multimeter inline, but it's got to be 14 Watts or fewer, at least at idle.

    When I get around to benchmarking, etc, I'll try to track power numbers under full load as well.

  • Netgate Administrator

    Interesting that the Marvell NICs are using the igb driver.

    Why were you installing to the CF card from USB rather than writing a Nano image to it directly?

    Steve


  • @stephenw10:

    Interesting that the Marvell NICs are using the igb driver.

    Why were you installing to the CF card from USB rather than writing a Nano image to it directly?

    Steve

    I'm pretty sure this is the same hardware as the SuperMicro boards; it's got i354 NICs with a Marvell PHY.

  • Netgate Administrator

    That would explain it.

    Steve


  • @stephenw10:

    Why were you installing to the CF card from USB rather than writing a Nano image to it directly?

    A few reasons:

    1. Since I wanted to test out the hardware to see if various pfSense versions would even work, the live USB-based install was simplest.
    2. The CF card I'm using is perfectly capable of handling read/write cycles like a regular hard disk over any reasonable lifetime.
    3. I wasn't sure if there were any differences in the nanoBSD versions beyond using ramdisk for logging, etc and the hardware I'm using is closer to a full blown x64 server than an embedded device, so I thought I'd stick with the standard version.
    4. I plan to switch to using an SSD once the mounting kit arrives, so this setup is easier to dd from the CF card to the SSD should I decide to do that instead of a full reinstall.
    5. There aren't any 32GB nanobsd images, and I didn't want to mess with having to expand partitions, etc.


  • @stephenw10:

    Interesting that the Marvell NICs are using the igb driver.

    I had the same thought.

    @Jason:

    I'm pretty sure this is the same hardware as the SuperMicro boards; it's got i354 NICs with a Marvell PHY.

    I can try to interrogate the NICs a little more when I have time, but something along those lines was my assumption as well.


  • should have been better if there's an msata slot…is 350 including shipment?


  • @ozlecz:

    should have been better if there's an msata slot…is 350 including shipment?

    Maybe, but it has a standard SATA slot, and 2.5" SATA drives are easier to come by.

    It was $340 + ~$15 shipping.


  • These Lanner boxes look like they may be what I've been looking for.
    asayler I'm wondering what made you choose the FW-7551 over the FW-7525 as they appear to have the same CPU (however it doesn't look like all the features are exposed) and is fanless


  • @aus_guy:

    asayler I'm wondering what made you choose the FW-7571 over the FW-7525 as they appear to have the same CPU (however it doesn't look like all the features are exposed) and is fanless

    These are all brand new. I don't think the FW-7525 was available when I made this purchase a month+ ago. At least I didn't see it. But you are correct that it does look similar. And the fanless design would be a nice touch for a quieter system (saving you the trouble of modding the fan like I've had to do).


  • @asayler:

    These are all brand new. I don't think the FW-7525 was available when I made this purchase a month+ ago. At least I didn't see it. But you are correct that it does look similar. And the fanless design would be a nice touch for a quieter system (saving you the trouble of modding the fan like I've had to do).

    might have to get prices on all of these models. how did you place your order? I don't see anywhere on their website to do this.
    looks like the FW7571 uses the 4-core cpu and the FW7573 uses the 8 core both appear to have the PCI-E slot exposed as well for anyone that needs it. it's good to see one manufacturer having a full range like this.
    assuming the FW7573 is a C2758 cpu I wonder how it would compare to supermicro or the box sold by pfsense


  • @aus_guy:

    assuming the FW7573 is a C2758 cpu i wonder how it would compare to supermicro or the box sold by pfsense

    Because it's not sold by us, it's definitely incomparable.

    1 - Ours is fully-tested hardware that will be comprehensively tested on every future release for the lifetime of the hardware, so you can upgrade with confidence. Also points to a hardware-specific image for upgrade purposes, so you get the best tweaks available for a specific hardware platform.
    2 - Ours includes support, comes pre-installed, and you can buy it on our website right now and it'll ship same or next business day depending on order timing. With Lanner, you're going to be jumping through hoops with a sales person trying to buy a box. Then you get it, have to install it yourself, assign the NICs

    I'm sure it's a cheaper box in the immediate purchase cost, but:

    • what's your time worth?
    • what's that lowered risk of breaking your network worth?
    • what's the potential for increased performance, or at least the assurance of ongoing settings appropriate to maximum performance with that piece of hardware, worth?

    To a home user, maybe not so much. If you're doing anything remotely serious, it's easy to put numbers on it where paying more is ultimately cheaper (unless you consider your time worth $0, and put a $0 cost on downtime).


  • @cmb:

    Because it's not sold by us, it's definitely incomparable.

    1 - Ours is fully-tested hardware that will be comprehensively tested on every future release for the lifetime of the hardware, so you can upgrade with confidence. Also points to a hardware-specific image for upgrade purposes, so you get the best tweaks available for a specific hardware platform.
    2 - Ours includes support, comes pre-installed, and you can buy it on our website right now and it'll ship same or next business day depending on order timing. With Lanner, you're going to be jumping through hoops with a sales person trying to buy a box. Then you get it, have to install it yourself, assign the NICs

    I'm sure it's a cheaper box in the immediate purchase cost, but:

    • what's your time worth?
    • what's that lowered risk of breaking your network worth?
    • what's the potential for increased performance, or at least the assurance of ongoing settings appropriate to maximum performance with that piece of hardware, worth?

    To a home user, maybe not so much. If you're doing anything remotely serious, it's easy to put numbers on it where paying more is ultimately cheaper (unless you consider your time worth $0, and put a $0 cost on downtime).

    for all these reasons and just to support the pfsense project I would much rather buy direct from pfsense/ESF (the form factor looks ideal for me as well) but I can't justify an 8 core system for a firewall at home. If a 2 core box with intel NICs was offered by pfsense/ESF for a reasonable price I would be ordering it straight away.

    The T40E2 looks like a step backwards for me as I'm currently using a microserver N40L.


  • @cmb:

    @aus_guy:

    assuming the FW7573 is a C2758 cpu i wonder how it would compare to supermicro or the box sold by pfsense

    2 - Ours includes support, comes pre-installed, and you can buy it on our website right now and it'll ship same or next business day depending on order timing. With Lanner, you're going to be jumping through hoops with a sales person trying to buy a box. Then you get it, have to install it yourself, assign the NICs

    For what it's worth, I've never had any issues ordering from Lanner, though their shipping is sometimes a bit slow because they rarely have everything I want in stock.  Where they fall short compared to you guys, to your points, is on post-sales support.

    I'd have bought from you guys if you had hardware that would have met my needs.  Instead I'll just have to stick with my support agreement.  Consider this a request to build out the list of supported platforms, both for home and for business uses.


  • @aus_guy:

    might have to get prices on all of these models. how did you place your order? i dont see anywhere on their website to do this.

    You just need to email the Lanner sales address and work directly with a sales person via either email or phone. It was fairly painless, but it does require interacting directly with another human, and their lead time is often a few weeks. ;-)

    For future reference, I'd be interested to see prices on the other units as well, so if you get them, can you repost them here?

    You can generally buy the units bare bones (as I did) and then add your own RAM, SSD, etc, or Lanner can ship the unit with the extras pre-installed for additional cost.


  • @cmb:

    Because it's not sold by us, it's definitely incomparable.

    1 - Ours is fully-tested hardware that will be comprehensively tested on every future release for the lifetime of the hardware, so you can upgrade with confidence. Also points to a hardware-specific image for upgrade purposes, so you get the best tweaks available for a specific hardware platform.
    2 - Ours includes support, comes pre-installed, and you can buy it on our website right now and it'll ship same or next business day depending on order timing. With Lanner, you're going to be jumping through hoops with a sales person trying to buy a box. Then you get it, have to install it yourself, assign the NICs

    I'm sure it's a cheaper box in the immediate purchase cost, but:

    • what's your time worth?
    • what's that lowered risk of breaking your network worth?
    • what's the potential for increased performance, or at least the assurance of ongoing settings appropriate to maximum performance with that piece of hardware, worth?

    To a home user, maybe not so much. If you're doing anything remotely serious, it's easy to put numbers on it where paying more is ultimately cheaper (unless you consider your time worth $0, and put a $0 cost on downtime).

    I potentially would have bought directly from pfsense/ESF, but I wanted a Rangeley Atom box for future proofing (and to support non-pfsense uses down the road if need be, the VT-X support, etc makes it a good general purpose microserver if I get to a place where I no longer need it as a firewall). If ESF sold a Rangeley box with 5 to 6 gigabit Ethernet ports in the $400 to $600 range, I probably would have gone for that. But the current ESF/pfsense hardware selections don't really seem all that state of the art or future proofed (e.g. virtualization support, AES-NI, Intel NICs, etc), at least in terms of desktop, non-rack mount hardware.


  • We have one of each internally.  We even have a 7551 with the 8-core CPU internally, and have had for months.  Compared to Supermicro, Lanner ends up being higher cost, and more difficult to deal with.  Their leadtimes are 8-10 weeks.  Oh sure, YOU can get ONE faster than that, so not your problem, right?

    If you ever wonder why I remain reluctant to release AES-NI as part of the generally-available pfSense releases, this thread, and people like "I potentially would have bought" asayler are why.

    aus_guy:  we are more than aware of this platform, and have a plan.  I'm not discussing it in public.


  • @gonzopancho:

    We have one of each internally.  We even have a 7551 with the 8-core CPU internally, and have had for months.  Compared to Supermicro, Lanner ends up being higher cost, and more difficult to deal with.  Their leadtimes are 8-10 weeks.  Oh sure, YOU can get ONE faster than that, so not your problem, right?

    I was just sharing my experience (which others may or may not find relevant) of the Lanner purchasing being not so bad, not trying to claim it was right for everyone. I also never suggested that Lanner was the be all and end all, just that I wanted something with a Rangeley chip and lots of gigabit ports for around $500.

    @gonzopancho:

    If you ever wonder why I remain reluctant to release AES-NI as part of the generally-available pfSense releases, this thread, and people like "I potentially would have bought" asayler are why.

    I don't see what AES-NI support has to do with anything. Is it available in the official pfSense-branded hardware? What do I (and apparently, people like me, whatever that means) have to do with AES-NI support (or lack thereof)? Not following you here… Again, I was just mentioning it as a nice feature to have on the hardware side just in case pfSense (or other software that you might want to run) supports it in the future.

    gonzopancho, I only started this thread to offer up my experiences playing around with a potential pfSense platform to the wider community under the assumption that someone might find it helpful. I'm not trying to snipe anyone's business or start an argument. And I was only commenting on the officially available pfSense hardware as a potential buyer explaining why the existing offers were inadequate for my purposes. Take it or leave it. You may very well have extensive and good reasons for not offering officially branded Rangeley/Lanner/>3 port gigabit hardware. I'm not debating that. Just suggesting how ESF might get my $500 (and, as long as I've been put in charge of representing a type of person, the $500 of people like me ;) ) instead of Lanner/newegg in the future.

    I'm happy to support the development of pfSense. That's why I purchased a Gold membership when I first started playing around with pfSense a month ago, and why I try to post information here that others might find helpful. I'm hoping to help contribute code, documentation, etc in the future as I become more familiar with the ins and outs of the project. I also am in a position to need to purchase network hardware for various organizations on a fairly regular basis. I bought the Lanner board to experiment with one piece of potential hardware (and because I occasionally like the DIY vibe of bare-bones systems). I'm not claiming it's the best solution for large scale production networks, just that it made sense for me as I get up to speed with pfSense. If ESF offers similar hardware in the future, I will certainly consider it as well, especially for production deployments.

    I'm not entirely sure what prompted the pigeonholing in your previous post, but it seems unproductive to the wider goal of growing and supporting pfSense and the associated community...  :-\


  • The AES-NI support for AES-GCM (and the associated changes to IPSEC) are currently being developed.

    Sorry, I was just reacting to "potentially" as "possibly, but possibly not".

    Yes, Lanner will sell you one quickly.


  • So I went ahead and put AES-NI (AES-GCM) in pfSense 2.2

    I'm not entirely sure what prompted the pigeonholing in your previous post, but it seems unproductive to the wider goal of growing and supporting pfSense and the associated community…  :-\

    It takes money to run the project.


  • Gonzo - let me just say on behalf of the Home users here - THANK YOU for putting AES-NI in pfsense 2.2


  • @gonzopancho:

    So I went ahead and put AES-NI (AES-GCM) in pfSense 2.2

    Glad to hear it. I look forward to testing it out!

    Also, glad to see the Lanner board made it into the pfSense store: https://www.pfsense.org/hardware/pfsense-store.html#fw-7551. It's a nice option to be able to buy it directly from pfSense.

    I'm working up some benchmarks now on both the Lanner board and the slightly beefier Supermicro A1SRi-2758F. Looking forward to seeing how they compare and what they're both capable of using pfSense 2.2.


  • Beefy?

    You don't know what's coming…


  • Is it something based on the Lanner FW-8894, plus you guys beefing up the load balancing capabilities baked into pfSense?  Please tell me that's the case as I'm really trying to avoid having to buy a pair of NetScalers this year.  :)


  • nope


  • @gonzopancho:

    nope

    Bummer.


  • Better.


  • Redacted.  Sorry for the knee-jerk reaction.


  • replied to your private message.