How to find the right hardware for your needs is one of the most common questions we get. There are several models of the Protectli Vault, which can be easily differentiated by number of ports, CPU and price. In addition, all Vaults can be customized for RAM and storage.
This buyer’s guide will examine the variables of network design, traffic, performance and Vault configurations to serve as a general guide to select the proper Vault.
One of the main variables is the Operating System (OS) and application that is installed on the Vault. In the coming sections we will use pfSense® CE configured as a firewall and router as the baseline configuration. Where applicable, we will reference differences in performance to a Vault running a hypervisor such as VMware ESXi or a desktop OS such as Ubuntu.
The most important consideration for choosing your hardware is what application it will be used for. The Protectli Vault can be used in a number of different applications. Customers have deployed Vaults as Windows Clients, Linux Desktops and Servers, Hypervisors, and of course firewalls.
Thinking about the requirements for your use case will help to narrow your choice when it comes to picking your Vault.
Our recommendation: Simple client machines will work great on our smaller 2-port Vaults, while you may want to consider a 4-port or 6-port for firewall or hypervisor applications.
The number of Ethernet ports you need depends on your application. Firewalls can be configured on as few as two physical ports, but for simplicity and throughput, consider that you may want multiple physical ports to segment traffic for multiple networks (e.g. a ‘secure’ network, an ‘IoT’ network, a ‘guest’ network, etc.).
For hypervisor applications, consider that a physical port can be ‘passed through’ to an individual virtual machine so multiple virtual machines may need more physical ports.
Our recommendation: It is smart to think about future-proofing your Vault from the start, so consider a model with more Ethernet ports and 2.5 G NICs to stay flexible if your needs change.
Note: Every Vault supports virtual LAN networking (802.1Q) as long as the software installed also supports the use of VLANs. Every Vault’s network ports are PCIe connected to the CPU.
For firewall applications, the number of connections, commonly called “states,” refers to the TCP/IP connections between clients that traverse network segments. As an example, if a user has a PC and browses out to the Internet, there will typically be multiple “connections” between the browser and the web site. It is not unusual to have 20 or more connections just from a single visit to a web site due to various content, advertisements, etc. On a firewall, each connection has two “states”: one for entering the firewall through the WAN port and one for exiting the WAN port. More states, and therefore more clients, will require more memory. As per OPNsense documentation:
…each state table entry requires about 1 kB (kilobytes) of RAM. The average state table, filled with 1000 entries will occupy about ~1 MB (megabytes)…
For hypervisor applications, memory comes at a premium, as memory generally needs to be statically allocated to each Virtual Machine (VM). It usually cannot be shared between multiple VMs like CPU resources can. Memory needs are going to be dictated by the type of VMs that you are running.
Our recommendation: Many common home or small business firewall applications only require 4GB of RAM, although 8GB is the most popular configuration. If you expect a larger number of connections, or in-depth packet inspection, configure more RAM for your Vault accordingly. For hypervisor applications, consider a Vault that has 2 memory slots (like the VP4600 series) so that you can plan for future expansion.
Most firewall applications require little storage space. OPNsense and pfSense easily fit on drives as small as 32 GB, but 120 GB is the most popular. More storage is only needed for intensive logging.
Hypervisor applications will typically require more storage than a firewall application. This will depend on which hypervisor is used (and whether thin provisioning is supported), as well as how many virtual machines are implemented and for what purpose.
Linux Desktop and Server applications typically require more storage than firewalls, but the amount is highly dependent on the actual use cases.
Our recommendation: We typically recommend a 120GB drive for most firewall applications and from 500GB to 1TB or more for hypervisor applications. Note that for hypervisor applications, the VP4600 Series supports the simultaneous use of both an NVMe/SATA and 2.5″ SATA drive for high data storage use.
5. Throughput Requirements
Every Vault’s Ethernet ports are PCIe connected to the CPU and can run at a line rate of either 1 Gbps or 2.5 Gbps.
As a firewall, every Vault has tested at full wire speed between ports using iperf as a synthetic load. As such, for basic routing applications any Vault is capable of gigabit throughput. However, in most firewall applications, additional services will be turned on that consume CPU and thus may reduce throughput. These include modest services such as DHCP and DNS or heavy CPU users such as Deep Packet Inspection (DPI). A key consideration is Virtual Private Networking (VPN) support. VPN requires processor-intensive encryption.
Our recommendation: With a modest throughput of up to ~300 Mbps, you can run many firewall applications in ‘basic’ routing and firewall mode on any of our 2-port or 4-port models. With increased throughput (especially gigabit service) or if implementing VPN, DPI, IPS/IDS, SNORT, Sensei, or other firewall add-ons, we recommend a Vault with a performant CPU such as the VP4600.
For hypervisor applications, the Vault’s multiple gigabit ports are ideal for dedicated physical connections passed through to individual VMs.
Our recommendation: In most circumstances, using a Vault as a hypervisor means that the user will want to run multiple operating systems, requiring CPU, memory, and network connections. As such, we recommend the FW6 or VP4600 series.
Security is an important consideration for any network or compute appliance. coreboot is available as an open source BIOS on all the Vaults. In addition, the Vault Pro (VP) series have additional security features.
Our recommendation: If security is important, we recommend coreboot in general and the advanced security features available on the Vault Pro Series.
7. Workload and Hardware Requirements by OS
The OS you choose to run can greatly affect the performance requirements of the Vault. Some customers use the Vault to run a basic firewall, while others use it as a hypervisor, desktop, or SD-WAN. Therefore, hardware requirements vary widely. Here are a few examples of usage that typically require a stronger CPU.
- Routing all network traffic through a VPN requires higher CPU clock speeds, especially at higher throughput
- Running add-on packages like pfBlocker (pfSense), SNORT (pfSense), or Sensei (OPNsense)
- Using the Vault to run a hypervisor, and/or having other software running on the same device.
Here are hardware recommendations for common OS’s:
General Guidelines for Picking the Right Vault
In addition to the variables above, you can use the guidelines below and view the key differences between the models of the Vault. They are not definitive for any specific situation, but should help users to make a good selection. Please also consider our Product Comparison for an easy way to see how the Vaults stack up.
FW2B: Small, compact & featuring AES-NI, HDMI, console, additional USB ports, and more.
FW4B: Features a compact design and HDMI ports. The FW4B with 8G memory and 120G storage is the most popular unit and configuration.
FW4C: Features a compact design and HDMI ports. Similar to the FW4B but with 2.5G ports.
VP2410: Powerful 4-Port Vault with up to 16GB DDR RAM, a strong CPU (Intel J4125) and the inclusion of M.2.
VP2420: More powerful CPU (Intel J6412) than VP2410 and has 2.5 G ports.
FW6A: Best for more complex networks. 6 Ethernet ports for more physical network segments and additional AES-NI power for more VPN performance.
FW6Br2: Same as FW6A but with more CPU power for more rules, packages, VPNs, VLANs, etc. Successor to the previous gen model FW6B.
FW6D: Updated Intel 8th Generation CPU (i5) and new network interfaces. Slightly larger chassis to accommodate the more powerful CPU.
FW6E: Same as FW6D but with an Intel i7-8550U Quad Core CPU with Hyper-threading.
VP4630: Intel 10th Generation CPU (i3-10110U) with 2.5 G ports, M.2 NVMe/SATA. Larger chassis to accommodate the more powerful CPU.
VP4650: Intel 10th Generation CPU (i5-10210U) with 2.5 G ports, M.2 NVMe/SATA. Same form factor as the VP4630.
VP4670: Intel 10th Generation CPU (i7-10810U) with 2.5 G ports, M.2 NVMe/SATA. Same form factor as the VP4630.
Congrats, you’ve made it all the way through this guide and you’re still with us!
Still not sure which Vault you want? Feel free to reach out!