I’m using a Celeron J3455 (more specifically, an AsRock J3455M mobo) with pfSense (and AES-NI enabled for OpenVPN) and a speed test on my 1 Gbps FTTH connection doesn’t even move the CPU past 15% to at most 20% spike utilization (just ran a test to confirm and my ISP is throttling me to 515 Mbps down and 486 Mbps up, although I don’t even make use of more than 100 Mbps, I’m just paying not very much for a service that I don’t use to its fullest potential).
Edit: just did an iperf3 between my PC and a VM on different VLANs in my home network. Got 932 Mbps and the Celeron spiked to 23% utilization (mostly at 17%). I guess if you want more than 3 LANs + 1 WAN, you will be in trouble with the Celeron, but otherwise, it should be good enough.
Avoid the j1900 boxes. Lack of aes-ni is not a big deal anymore but the j1900 has the cache bug that ruins that cpu quick. My j1900 lasted about a year I think before the kernel panics started happening.
I will not get any Atom based unit now, just way too many horror stories out there of a large part of the line up.
The advice I read a lot is get Intel NICs. I can’t speak from experience other than this is commonly stated much like TrueNAS and lack of ECC causes Reeee.
And not all Intel NICs are created equal. My eBay pfSense box with Intel NICs still could not support the newer “inline” IPS mode so I have to use legacy. It looks like a few select Intel NICs are supported in the FreeBSD kernel for this.
It is about frequency and memory. Celeron today is more than enough for a medium size solution (SOHO). If you are going for large scale - you might want to optimize further.
It is getting more common with Intel CPUs. I would not buy HW with less than 3 ports.
This one can handle backups with USV BIC at least.
rpi4 doesn’t have hardware aes support, so you’ll probably have to run wireguard to get gigabit vpn speeds, … other things on this list have hardware aes.
There’s also a great RK3399 based solution: NanoPi R4S
you can add more network ports via usb, or add a 5T 2.5" HDD and run torrents off of it, or do other stuff - plenty of oomph.
Odroid H2+ - dual 2.5Gbps ports, pfsense will work on this x86 board, but won’t support network - linux/windows on this board will work just fine: ODROID-H2+ – ODROID
Odroid N2+ - very fast arm cpu : ODROID-N2+ with 4GByte RAM – ODROID
connect to your TV to play 4k hdr from kodi, while routing and nat-ing gigabit on the side, use the same tp-link ue-300 adapter for an additional interface.
Take a look at PC Engines APU2 system boards. They make a great pfSense firewall for around $200 USD (board+case). I’ve been running one for the last couple of years.
So I checked out pc engines, but they’re out of stock on some units until May, and some they are not sure when they’ll be in. @oO.o 's suggestion of a used thin client has some appeal, but I’m not sure where to find such boxes. Is eBay the best place to go?
I just moved and had to shed a lot of obsolete hardware in the process, so I don’t have a whole lot of spare PCs. In fact the only one I have just sitting around is an old Dell T5500. But it is a monster among power guzzlers, with 2x130w CPUs (X5687), so I’m not sure it’s the most economical choice for the role of firewall, either running on bare metal or in a VM.
I’ve got one of those and it’s been doing the job just fine. You won’t be able to run more intensive stuff like suricata on it, but for a simple setup it can work out pretty well.
Ironically the dual port version has better NICs. The i210 NICs are 4 queues per port whereas the i211 is only 2 per port. There is a 3 port version with the i210. It probably doesn’t matter toooo much unless you have a complicated config or are willing to tune settings.
No experience with either this kind of hardware or the sites. Check if it has Intel NIC or something else. Usually Intel network cards have the least problems in both Linux and BSD (pfSense runs on top of FreeBSD).