Intel-based, 4-port firewall/router for less than $200

NOTE:-  This article was originally written mid 2019, but was never posted (it seems that I received a non-maskable interrupt in mid sentence and never got back to it).  Prices quoted are probably no longer valid, but I note that the systems themselves are still available from the supplier linked-to below.

---

As noted a couple of months back in the Odd Bargains post, I’ve been experimenting with some low-cost Celeron-based systems (in addition to the original Z8350, Atom-based unit, which started me along this particular track) as cheap, complete servers for our home network.  The main advantages for me are good OS support for most (but definitely not all) peripherals, RTC and battery as standard and they all come complete with a case and power-supply included in the up-front price.  They are a lot cheaper to run too, as these low-end processors were originally intended for laptops and tablets rather than full blown PCs.  While there’s no denying that the CPU performance is generally nothing to get too excited about, they (the quad-core units, especially) still work remarkably well as 24/7 infrastructure servers for services such as DNS, NTP, DHCP, low volume web servers and reverse proxies.  Most ,but not all,  come with a GbE port and are quite capable of handling significant amounts of traffic (…watch out  for the low-end “ACE PC” branded models though, as they only have a 100Mb port), but all GbE chipsets are not created equal and my tests with a cheap, external USB-3 to GbE dongle (as a super-budget firewall) were a resounding failure (the internal port on the Celeron box could handle the traffic, but the dongle would give up the ghost after 2 or 3 hours).

I found along the way that there are quite a few, virtually identical systems in this price range which have completely different chipsets.  Most of the very low cost machines come with Realtek chips, which research on the ‘net shows to be less than ideal for a firewall (the symptoms reported are similar to my own experience with the USB-3 dongle).  This isn’t to say that the Realtek chips are to blame (there are lots of other variables in the mix), but it is fairly common to see posts recommending Intel chipsets for long term reliability under heavy load.  So, after playing around with a couple of systems that I actually have and taking into account reviews and research, I eventually came down to the choice of a J3160 based system with four, Intel-based GbE ports (the J3160 because it’s a quad-core chip with slightly better performance than the Z8350 and (importantly) with AES-NI hardware cryptography support and four ports because I need to provide for a couple of “guest” networks, firewalled off from the main, home network).

I found a reputable looking supplier on Alibaba who had a lot of good feedback and decent prices (they sell under the names of “Yanling”, “Minisys” and “iWill”).  The model I chose was their Nuc-C3L4.  In addition to the four (Intel) GbE ports, it also comes with dual-HDMI, 2x USB-3.0 and an RS232 console port.  The cost for the bare-bones unit is was $142.60, but that doesn’t include shipping (which was an additional $20 for my location).  This vendor does accept PayPal, but only from a limited range of countries (and mine wasn’t one of them).  Depending upon where and how you’re shopping, you can probably get 4GB of memory and a 64GB eMMC card for an additional $30, or so.  And yes, because I have used this supplier and had a good experience with them and their products, I do recommend them.  Communications with them (in English) were easy, fast and friendly.  Their shipping was also fast and their packing is excellent (the boxes are sturdy and the units are completely surrounded by a custom, expanded polystyrene foam cushion …which may not be very environmentally friendly, but certainly is effective).  The power supply, mains lead and included VESA mounting plate are separated from the system itself by a cardboard divider and all of the individual parts (including the system) are enclosed in their own plastic bags to keep moisture at bay.  Once out of the bag, the unit proved to be very black, very shiny and of all metal construction (unlike the Beelink AP35 which I wrote about a couple of weeks back).  It looks very nicely made and well put together and it’s obvious that someone put more than a couple of minutes of thought into this very compact design (for instance, the bottom of the unit has ventilation slots and it is secured to the body with four, asymmetrically offset screws, so that it’s actually impossible to attach it in a way which would block those slots).

I ordered memory and an mSATA SSD module from Amazon here in Japan and actually got a pretty good deal.  If you do buy one of these units, it’s important that you only use the low-voltage (1.35v) variants of the DDR3 SODIMM, though; this system won’t work with higher voltage rated memory.

Here’s where I hit a very small speed-bump in the road to getting it all working.  It turns out that the motherboard slots are not identical.  You have a 50/50 chance of getting it right when installing the mSATA  …and I got it 100% wrong.

Nope, not this way!

This way!!

As you can see, the mSATA module needs to be plugged into  the right-hand socket to be correctly recognized by the system.

Take another look at that “This way!!” photograph again.  The first point of note is the RTC battery (the yellow blob in the bottom, left-hand corner).  This system comes with an RTC and battery, which means any Unix-based OS works right out of the box; just tell the OS what timezone you’re in and you’re done.  Notice also the row of RJ45 sockets at the L/H side.  If you click on the image to get the full-sized version (it will open in a new tab), you can easily read the MAC address assigned to each port.  It’s probably worthwhile making a note of those (they’re sequential) while you have the bottom off, to help with identification later.

You can also see there’s  a SATA port available on the motherboard, but with this particular model there’s no space available to fit an internal drive.

Here’s a partial dmesg output from the machine once FreeBSD was loaded, showing the CPU features for the J3160:-

Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 12.0-RELEASE-p4 b0ff15badd(RELENG_2_5) GENERIC amd64
FreeBSD clang version 6.0.1 (tags/RELEASE_601/final) (based on LLVM 6.0.1)
VT(vga): resolution 640×480
CPU: Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (1600.05-MHz K8-class CPU)
Origin=”GenuineIntel” Id=0x406c4 Family=0x6 Model=0x4c Stepping=4
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA, CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3, CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>
AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM>
AMD Features2=0x101<LAHF,Prefetch>
Structured Extended Features=0x2282<TSCADJ,SMEP,ERMS,NFPUSG>
Structured Extended Features3=0xc000000<IBPB,STIBP>
VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
TSC: P-state invariant, performance statistics
real memory = 4294967296 (4096 MB)
avail memory = 4002127872 (3816 MB)
Event timer “LAPIC” quality 600
ACPI APIC Table:
WARNING: L1 data cache covers fewer APIC IDs than a core (0 < 1)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 1 package(s) x 4 core(s)

Close to the end of the “Features2” line, you’ll see “AESNI” included.  These are Intel’s “Advanced Encryption Standard – New Instructions” which enable faster, hardware-assisted  encryption and decryption.  Although this technology is now available on some other processors (including ARM), older Intel processors don’t have it (for instance, the predecessor to this mini-pc system had a Celeron J1900 processor, which doesn’t have AES-NI), so a J3160 is worth the extra few dollars if you’re planning on a VPN server, for instance.

Last words

I actually got two of these systems, one for my own use (to replace an ancient firewall box) and one for a remote site.  They’ve now been running for almost exactly a year (since I began this article in early August, 2019) and have been totally reliable during that time.  I did think that the heat-sink was running a little bit on the hot side when I first installed them, but the “touch test” is deceptive and even during the mid-summer heat, the processors barely register 50°C.

The systems handle the traffic we pull through them without any problem and can handle multiple firewalled VLANs, encrypted VPN traffic and multiple physical networks with ease (as well as handling the normal associated processes — NAT, DHCP, DNS, NTP, etc).  I’d like to emphasize what good value these little systems are.  Not only is the initial purchase price very low, but the lack of fans and the 6W (avg TDP) processor mean the power requirements (and hence the monthly electricity bill) are low, too.  I was also very impressed with the quality of the (all metal) case, the general design and workmanship, as well as the packing and delivery from the vendor.  They may not be as cheap as a Raspberry Pi, but the quality of the case, included PSU, cables and accessories, as well as the RTC (and battery) and four GbE ports more than make up for that.  You won’t be running a 20TB database with 200 concurrent users on one of these machines, but for moderately light 24/7 operations for a good sized household or small business, I don’t thing you can go far wrong.