In 2022, we started a mini-series that we intended to be a single review. That was a Fanless Intel J4125 4x i225 system. Then the AliExpress vendors iterated, systems got better, more ports, and so forth. During most of the series, we instead looked at the N5105/ N6005 systems, but the J series has a newer part that has made it into these systems, the Intel Celeron J6413. This new system also uses six of the newer Intel i226 2.5GbE NICs, but it is a lower-end platform, so we wanted to see how it compares. With that, let us get to the review.
Intel Celeron J6413 Powered 6x i226 2.5GbE Fanless Firewall Overview
With these, we have been doing a video review to accompany all of the systems. You can find that video here:
As always, we suggest opening the video in its own window or tab for the best viewing experience.
These units can be bought for about $225 barebones on AliExpress. However, we chose to buy ours with RAM and SSD.
We normally do not suggest buying with memory and storage since the brands are often unknown in the bundles. Also, it is often less expensive to purchase memory and storage locally from a bigger brand than to get them via AliExpress. Still, we did that just to see what we got.
We also purchased the Intel Celeron J6412 version. These units took over six weeks from order to shipment, to the point that when they shipped the seller told us that they upgraded our J6412 to a J6413 to make up for the difference. Sadly, that means we do not have a J6412, but they are fairly similar. Given the often $5-10 difference, we would probably end up recommending the J6413 anyway.
Our best sense of why we ordered these in early September, but they arrived in mid-November, is because the sellers sometimes list new boxes before they are available. That is something we were less accustomed to before starting this mini-series.
With that, let us get to the hardware.
Intel Celeron J6413 Powered 6x i226 2.5GbE Fanless Firewall Hardware Overview
The front of the unit has 2x USB 3 Type-A and 2x USB 2 Type-A ports. It also has a console port. Many prefer the console over IPMI in these devices to lower power consumption since a BMC uses 4-5W these days. There is also a HDMI port for local access.
There are a few other features worth mentioning on the front. First, on the right side, the power button was delivered upside down, which was a bit funny. On the left side, there is an on/off switch. Here is a closer view of that switch that we had:
On the other side of the system, we have our status LEDs, and a 12V DC input. There are also now six Ethernet ports. Each is a 2.5GbE port. That is a major upgrade over the J4125 where we had four NICs.
There is also a grounding point, and two covered holes that one could use for antennas if needed.
The bottom of the case has space for a 40mm fan and a 2.5″ SSD or HDD. Usually, in these we suggest skipping the 2.5″ drive to keep airflow through the vents.
Getting inside the unit only takes four screws, and the bottom panel pops off easily.
With that, let us get inside.
Is the Bios or UEFI accessible without a Monitor and Keyboard?
Ok so please don’t hate. This is an honest question which I posted on Redditt and I did get feedback but I am starting to see so many units in use by STH so I have to ask those of you here on your experience. I am not looking for controversy. I am not paranoid. I am trying to be as safe as possible. I am leaning towards protectli units with core boot. The ali express units seems way cheaper but, would I be opening myself up to something bad? I can’t verify the BIOS (as far as I know) and that is what I am most concerned about. I would load pfsense on it from scratch but my weakest link would be the BIOS. Anyone have experience on it? ran packet capture on the WAN side of the low-cost Ali Express boxes? Your help is appreciated.
@Charlie: I wouldn’t trust the site. These look like knock-offs from the actual protectli (near identical) there’s no telling the quality of components or failure rate. If you don’t have a large (less than 30) network I’d go with a Vilfo otherwise if you’d like to future proof it’s expensive (but with many options that are VERY~ customizable), I’d go the protectli route. Happy New Year
Also if you’ve got the space, consider the Dell small form factor machines. There are plenty around second hand after having had an easy life in an office. I put a 100G PCIe x16 card in an Optiplex 7040 SFF to see what it could do, and it reached just over 60 Gbps with pretty much 100% CPU use (across all cores). Given how cheap multi-port 10G cards are now, I’m thinking an old Dell with a few 10G links is a better option than these multi-port 2.5G units of unknown origin and questionable longevity. Dell might not be very exciting but they are pretty robust.
Of course it won’t alleviate your spying concerns, but I’d rather have the Americans spying on me than some other governments…
How are you not getting a kernel panic on IGC with OpenWRT??? Pass some traffic and pull the cable, share what happens.
Does anyone know why this unit would have gone with mSATA rather than m.2 with the typical keying for SATA(B and M, I think)?
I can see why you’d go with SATA in the context, the Celerons are relatively PCIe starved and this design is one where I/O means networking rather than storage, aside from boot and maybe some light logging; but at this point getting mSATA drives is markedly more irksome than getting SATA m.2 drives.
Prevents user confusion? mSATA connectors/drives still cheaper in aliexpress world?
@malvineous: I obviously wouldn’t bet against an adversary who owns the firmware; between everything UEFI can do and everything SMM can do there’s plenty of room for concern; but using expansion card NICs might incidentally provide some protection. It’s typical though not universal for a board’s UEFI to include drivers for onboard NICs(at least enough to do PXE and HTTP/HTTPS boot on the low end, iSCSI for nicer NICs; sometimes a standalone firmware update feature) plus, at least in business stuff, a few external NICs(vendor’s particular blessed USB dongle, dock NICs, etc.); but they rarely include much general-purpose support; so the odds of the firmware being able to do sneaky network stuff behind your back go down significantly if you are using expansion NICs based on a totally different chipset(and even class of chipsets) than the ones on the motherboard.
I certainly wouldn’t use that as a security feature, since it’s not; but the odds that some random desktop motherboard has firmware support to interact with any 100GbE chipset are way, way, lower than the odds that it can chatter merrily away on an i219 or some realtek thing
We’ve got like 50+ of the various versions including 2 of these now that we’ve installed. We used to be a protectli shop.
We haven’t seen any strange packets from these letting them sit and just sniffing.
In terms of quality, some of the protectli units we’ve had are almost just like these. The newer coreboot is nice. I’m thinking that protectli used to just oem units like these
We’ve switched because these are so much cheaper that we can buy spares. These are cheaper than the 6 port 1G Celerons by more than half so you get 3 of these for 2 of the celeron protectli’s and they’re faster.
I’d imagine that mSATA drives are indeed less expensive for the sellers. The relative scarcity of lanes on these CPUs is also likely to be a factor. While mSATA drives of decent brands are getting kind of scarce in the US, I’m sure there are still tons of little unknown-brand ones floating around in Huaqiangbei market.
It’s also possible that small mSATA drives tend to produce less heat than NVMe drives can. That could well be a factor in a small fanless box like these. I also don’t know that an NVMe drive would even add anything over an mSATA drive in terms of performance for this class of box. The larger capacities of NVMe drives may also not be that useful for the average customer of these.
I have one of those unit and I am pretty happy with it. My first home server experience, so still learning, but really positive so far.
Do you know if the mini PCI-E port could be used to connect a mini PCI-E to SATA RAID controller? I would like to expand storage in this way and use it as a NAS.
Also, there is a 3-pin fan socket on the other side of the board which can be accessed from on of the sides. Is in a pretty weird and uncomfortable position and the board needs to be removed in order to access it… but is there! 🙂
I am so out of the game. But are these celerons better now? I remember the old celerons, Atoms from Intel were pure trash performance wise, and other issues.
Intel Celeron J6413 Underpowered 6x i226 2.5GbE Fanless Firewall Review
As for the paranoid people, if you look at the protectli FW4C then it’s basically the same model, just with a slightly better CPU. They probably are made by the same production company as where the protectli comes from.
I as an European is also slightly hesitant by US made products as I do not know if one of the US agencies have “requested” a backdoor into their products.
This is an intersting box.
I bought this one when trying to find a N5105 with a good price including SSD and Ram the price is not very different from the latest J6413
I’ve been through the article twice, but I can’t seem to see anywhere how much traffic can this thing haul? One reason I can think of for buyng a 6-port machine is to avoid having an extra switch. Now, I don’t expect it to hold 30Gbps sustained traffic, but still, how much can it hold?
These units are terrible! I grabbed a VNOPN (cheap china crap) from Amazon and it kernel panicked like crazy and failed memtest. Now I can’t get it to post at all. I wish I went with protectli to begin with, now I’m paying double what it should have cost me to upgrade my home router. You should either test these units longer term and only promote them if they’ve been stable for a good long while, or just stop. Setting people up for a bad time with these cheap knockoffs.
I was just coming back to say that we’ve now got 38 of these units running for a few months now and they’re surprisingly stable.
I don’t understand why @Adam is sayin’ this unit’s bad when they bought a different model with a different chip from a different no-name vendor. Is it even the same chassis and chip? I looked because we have so many and I don’t see a VNOPN version of this.