Protectli appliances have been a topic on the STH forums recently. Today we have a review of the Protectli FW4A-0-4-32 or Protectli FW4A. The Protectli FW4A is designed with a simple mission: be a low cost and silent firewall appliance. The unit we tested with an Intel Atom E3845, 4GB of RAM and a 32GB mSATA drive was around $340. That is a good price if you are looking for a completely silent system. We purchased our review unit on Amazon and it arrived the next day with Prime shipping.
Protectli FW4A (FW4A-0-4-32) Hardware
Looking at the physical unit, it is simply a small hunk of metal. It is slightly larger than a classic Intel NUC at 5.3 x 4.9 x 1.4 in and 1.25lb. Overall, this is a great dimension for a remote branch office since it is small. While it is a desktop form factor, one could use it on a shelf for small retail locations or offices. We really like that the chassis is all metal. It feels extremely durable as the metal pieces are thicker than one would expect. No cheap plastic here.
The front of the unit has an interesting array of ports. There is a VGA port, a USB 3.0 port, and a USB 2.0 port along with a power button. One can also find a serial COM port via RJ-45.
The rear of the unit has the power in via an external 12V power adapter that is included. There are simple LED lights and then the big feature, four Intel-based 1GbE LAN ports.
The LAN ports use the Intel 82583V gigabit NICs. This solution still gets you a well supported Intel NIC, but it is not a high-end buffered quad port NIC like the Intel i350-AM4. Here is the FreeBSD view of the 1GbE NICs that we had enumerated as em0-em3.
em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em1@pci0:2:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em2@pci0:3:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
em3@pci0:4:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82583V Gigabit Network Connection'
    class      = network
    subclass   = ethernet
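For anyone deploying several of these units, the listing above can be turned into an acceptance check that confirms every Ethernet port reports the expected Intel part. This is an added example, not part of the original review; the function names are hypothetical, and it assumes the `chip=0xDDDDVVVV` (device ID, then vendor ID) layout shown in the listing.

```sh
#!/bin/sh
# Added example (not from the review): NIC acceptance check over `pciconf -lv` text.
# On a live FreeBSD/pfSense unit: pciconf -lv | check_nics 4 0x8086 0x150c

# Sample input: the four em entries from the review, trimmed to two lines each,
# plus one constructed non-NIC entry that the inventory must ignore.
SAMPLE="em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    device     = '82583V Gigabit Network Connection'
em1@pci0:2:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    device     = '82583V Gigabit Network Connection'
em2@pci0:3:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    device     = '82583V Gigabit Network Connection'
em3@pci0:4:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
    device     = '82583V Gigabit Network Connection'
ahci0@pci0:0:19:0: class=0x010601 card=0x00000000 chip=0x00000000 rev=0x00 hdr=0x00
    device     = 'constructed storage controller'"

# nic_inventory: read pciconf -lv text on stdin and print
# "name vendor_id device_id" for every Ethernet-class (0x0200xx) device.
nic_inventory() {
    awk '
        /^[a-z]+[0-9]+@pci/ {
            split($1, a, "@"); name = a[1]; cls = ""; chip = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^class=/) cls = substr($i, 7)
                if ($i ~ /^chip=/)  chip = substr($i, 6)
            }
            # chip is 0xDDDDVVVV: characters 3-6 device ID, 7-10 vendor ID
            if (substr(cls, 1, 6) == "0x0200" && length(chip) == 10)
                print name, "0x" substr(chip, 7, 4), "0x" substr(chip, 3, 4)
        }'
}

# check_nics COUNT VENDOR DEVICE: succeed only if exactly COUNT Ethernet
# devices are present and every one of them matches VENDOR/DEVICE.
check_nics() {
    nic_inventory | awk -v n="$1" -v v="$2" -v d="$3" '
        { total++; if ($2 == v && $3 == d) ok++; else print "unexpected: " $0 }
        END { exit !(total + 0 == n + 0 && ok + 0 == n + 0) }'
}

# Stand-alone run: show the inventory derived from the sample.
printf '%s\n' "$SAMPLE" | nic_inventory
```

A non-zero exit from `check_nics` means a port count or device ID differs from what was expected, which is worth resolving before the unit goes into service.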
Inside the unit, it is a tale of two sides. One side with the Intel Atom E3845 has thermal adhesive to keep the top of the unit affixed to the top of the chassis. The top of the chassis is a metal heatsink. This is important because it allows the unit to run cool. It also makes the CPU side virtually inaccessible but the Protectli FW4A is designed well so all serviceable parts are on the other side.
On the other side, we find the opposite. The case breaks away after it is unscrewed and we have easy to service ports. There is an mSATA slot, a DIMM slot, and an mPCIe slot. The mSATA slot is used for a boot device. You can order the unit as a barebones or with pre-installed parts. We ordered a unit with a 32GB mSATA SSD. The DIMM slot uses DDR3 SODIMMs, which are easy to source; our unit has a 4GB SODIMM. The mPCIe slot is for wireless cards and the unit has cutouts for mounting WiFi antennae.
Power is external and uses a relatively large 12V power brick which is easy enough to replace.
There is a VESA bracket and serial console port available as well. It would have been nice to get a CAT5 or CAT6 short run cable, but we understand why one was not included.
Protectli FW4A (FW4A-0-4-32) Performance
We see this as an appliance designed for relatively lightweight edge connectivity duties. If you want to do things like packet inspection at 1Gbps wire speeds, there are other options available. Given this product segmentation, we tried two easy pfSense scenarios: NAT performance with basic firewall rules blocking lists of IP ranges and OpenVPN performance. We used iperf3 to measure performance.
In the basic NAT example, we see the expected performance on a 1Gbps network. The use case where you have this appliance as your local firewall translating internal IP requests to external IP ranges and blocking IP ranges based on lists in the process seems to work well.
In the OpenVPN case, we were nowhere near wire speed since scaling is CPU limited. To be fair, many users do not have a link capable of saturating even 100Mbps. Also, many times this is fine for site-to-site connectivity or remote access. If you want faster speeds, IPsec offers more performance.
pfSense loading performance is something that we know our readers are interested in. Power on to pfSense being fully online at the console screen and the web UI working takes about 90 seconds.
Protectli FW4A (FW4A-0-4-32) Power Consumption
Power consumption is great. The unit uses 12W in typical operation. The specs say a maximum of 18W but we never pulled over 15W at the wall in our testing.
- Idle: 11.8W
- Max: 15.3W
That is a solid result for this class of firewall and yields low annual power costs. Using a newer SoC package may help slightly, along with lower power DDR4 memory, but saving 3-5W is not going to have an appreciable impact on power costs in most scenarios.
There are a lot of options for low-end firewall appliances on the market. We like this over some of the Xeon D solutions since it is fanless and therefore quiet. With its SSD, it also has no moving parts, and we generally prefer SSDs over hard drives for reliability purposes. It is easy to service, so if something goes poorly, at least a fix is simple.
If you are using this for a distribution like pfSense, then it works well. Compared to a less expensive Netgate SG-1000, this is a much better option. Even the UI is considerably more responsive.
The systems themselves seem to be lightly customized versions of the Minisys 4 LAN machines. A benefit is getting the units shipped directly from a US seller or Amazon but they cost more than getting the units directly from China.
We still think supporting pfSense by getting an officially branded product makes sense but there are alternatives out there, and that is important for an open source project.
So Why Not the Protectli FW6A-0-4-32?
The Protectli FW6A-0-4-32 has a number of notable upgrades over the FW4A-0-4-32. Perhaps the biggest is a Kaby Lake Celeron CPU. These are much newer cores. Beyond that, there are six 1GbE ports, which provide a solid upgrade over the FW4A’s quad port LAN.
The FW6A also has an HDMI port. If you are a home user, HDMI can be convenient. If you run in a more traditional data center environment, VGA can be easier to use.
You pay more for the upgrade. We did not have the Protectli FW6A to compare but from specs and our experience, we expect it to be a case of pay more, get something better.
Overall, this unit does what it says. It is completely silent. Performance is good enough for just about any home or small business cable modem or DSL connection. If you are running a gigabit or higher connection, you probably want to look elsewhere. We really liked how quickly the unit gets through the POST and into the OS. It is better than many devices from firewall companies themselves like the pfSense SG-4860 in that regard. The unit has a reasonable price and you can get them on Amazon for quick shipping. Since it does not come installed with software and it has barebones options, it is a more DIY solution than some others on the market. At the same time, the selection of good hardware and the silent operation makes this a gentle introduction to the DIY firewall appliance.
Since many of our readers work as managed service providers, there is another aspect that we wanted to highlight. These units would be trivially easy to externally brand and the smooth metal surfaces make labeling easy. After two months of zero reboot uptime, we like this solution a lot.