How to find the right hardware for your needs is one of the most common questions we get. There are several models of the Protectli Vault, which can be easily differentiated by number of ports, CPU and price. In addition, all Vaults can be customized for RAM and storage.
This buyer’s guide will examine the variables of network design, traffic, performance and Vault configurations to serve as a general guide to select the proper Vault.
One of the main variables is the Operating System (OS) and application that is installed on the Vault. In the coming sections we will use pfSense® CE configured as a firewall and router as the baseline configuration. Where applicable, we will reference differences in performance compared to a Vault running, for example, VMware ESXi or Ubuntu.
1. Use Case
The most important consideration for choosing your hardware is what application it will be used for. The Protectli Vault can be used in a number of different applications. Customers have deployed Vaults as Windows Clients, roll-your-own Linux desktops, hypervisors, and of course firewalls.
Thinking about the requirements for your use case will help to narrow your choice when it comes to picking your Vault.
Our recommendation: Simple client machines will work great on our smaller 2-port Vaults, while you may want to consider a 4-port or 6-port for firewall or hypervisor applications.
2. Ethernet Ports
The number of Ethernet ports you need depends on your application. Firewalls can be configured on as few as a single physical port, but for simplicity and throughput, consider that you may want multiple physical ports to segment traffic for multiple networks (e.g. a ‘secure’ network, an ‘IoT’ network, a ‘guest’ network, etc.).
For hypervisor applications, consider that a physical port can be ‘passed through’ to an individual virtual machine, so multiple virtual machines may need more physical ports.
Our recommendation: It is smart to think about future-proofing your Vault from the start, so consider a model with more Ethernet ports to stay flexible if your needs change.
Note: Every Vault supports virtual LAN networking (802.1q) as long as the software installed also supports the use of VLANs. Every Vault’s network ports are gigabit PCIe connected to the CPU.
3. Memory
For firewall applications, the number of connections, commonly called “states,” refers to the TCP/IP connections between clients that traverse network segments. As an example, if a user has a PC and browses out to the Internet, there will typically be multiple “connections” between the browser and the web site. It is not unusual to have 20 or more connections just from a single visit to a web site due to various content, advertisements, etc. On a firewall, each connection has two “states”: one for entering the firewall through the WAN port and one for exiting the WAN port. More states, and therefore more clients, will require more memory. As per OPNsense documentation:
…each state table entry requires about 1 kB (kilobytes) of RAM. The average state table, filled with 1000 entries will occupy about ~10 MB (megabytes)…
For hypervisor applications, memory comes at a premium, as memory generally needs to be statically allocated to each VM (it usually cannot be shared between multiple VMs the way CPU resources can). Memory needs are going to be dictated by the type of VMs that you are running.
Our recommendation: Many common home or small business firewall applications only require 4GB of RAM. Requirements for every operating system are different. If you expect a larger number of connections, configure more RAM for your Vault accordingly. For hypervisor applications, consider a Vault that has 2 memory slots (like the FW6 series) so that you can plan for future expansion.
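To turn the state figures above into a RAM number for a firewall you already run, the following added example (not Protectli or OPNsense code) reads the pf state counters and applies the ~1 kB per state figure quoted above and the two-states-per-connection rule from this guide. The `pfctl -si` and `pfctl -sm` samples are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Assumption: ~1 kB of RAM per state entry (the per-entry figure quoted above).
BYTES_PER_STATE=1024

# Constructed sample of `pfctl -si` output (trimmed). Live: pfctl -si
SAMPLE_INFO='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     4812
  searches                       918273645          875.2/s
  inserts                          5123456            4.9/s'

# Constructed sample of `pfctl -sm` output. Live: pfctl -sm
SAMPLE_LIMITS='states        hard limit   402000
src-nodes     hard limit   402000
frags         hard limit     5000'

# Current number of states, from `pfctl -si` text on stdin.
current_states() { awk '/current entries/ { print $3; exit }'; }

# Configured state limit, from `pfctl -sm` text on stdin.
state_limit() { awk '$1 == "states" && $2 == "hard" { print $4; exit }'; }

# States expected for N clients with M connections each
# (two states per connection, as described in this guide).
expected_states() { echo $(( $1 * $2 * 2 )); }

# Convert a state count to whole MiB of RAM, rounded up.
states_to_mib() { echo $(( ($1 * BYTES_PER_STATE + 1048575) / 1048576 )); }

report() {
    cur=$(printf '%s\n' "$SAMPLE_INFO" | current_states)
    max=$(printf '%s\n' "$SAMPLE_LIMITS" | state_limit)
    plan=$(expected_states 50 20)   # 50 clients, 20 connections each
    echo "current: $cur states, ~$(states_to_mib "$cur") MiB"
    echo "limit:   $max states, ~$(states_to_mib "$max") MiB if the table fills"
    echo "planned: $plan states, ~$(states_to_mib "$plan") MiB"
    echo "usage:   $(( cur * 100 / max ))% of the state limit"
}

report
```

On a live pfSense or OPNsense shell, pipe the real `pfctl -si` and `pfctl -sm` output into `current_states` and `state_limit` instead of the samples. A state table that sits close to its limit during normal use is the signal to configure more RAM.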
4. Storage
Most firewall applications require little storage space. OPNsense and pfSense easily fit on drives as small as 8GB. Further, many firewall applications run in memory and only use storage for booting and logging.
Hypervisor applications will typically need more storage than a firewall application. This will depend on which hypervisor is used (and whether thin provisioning is supported), as well as how many virtual machines are implemented and for what purpose.
Our recommendation: We typically recommend a 32GB drive for most firewall applications and from 500GB to 1TB or more for hypervisor applications. Note that for hypervisor applications, the FW6 Series supports the simultaneous use of both an mSATA and a 2.5″ SATA drive for high data storage use.
5. Throughput Requirements
Every Vault’s Ethernet ports are PCIe connected to the CPU and can run at 1 Gbps (hardware connection speed).
As a firewall, every Vault has tested at full wire speed (~940Mbps) between ports using iperf as a synthetic load. As such, for basic routing applications any Vault is capable of gigabit throughput. However, in most firewall applications, additional services will be turned on that consume CPU and thus may reduce throughput. These include modest services such as DHCP and DNS or heavy CPU users such as VPN or Deep Packet Inspection (DPI).
Our recommendation: With a modest throughput of up to ~300 Mbps, you can run many firewall applications in ‘basic’ routing and firewall mode on any of our FW2 or FW4 port models. With increased throughput (especially gigabit service) or if implementing VPN, DPI, IPS/IDS, SNORT, Sensei, or other firewall add-ons, we recommend a Vault with a performant CPU such as an FW6B or FW6C.
For hypervisor applications, the Vault’s multiple gigabit ports are ideal for dedicated physical connections passed through to individual VMs.
Our recommendation: In most circumstances, using a Vault as a hypervisor means that the user will want to run multiple operating systems, requiring CPU, memory, and network connections. As such, we recommend either the FW6A, FW6B or the FW6C.
6. AES-NI
AES-NI is a feature included with many common Intel CPUs which helps offload cryptographic functions to dedicated hardware within the CPU. AES-NI is particularly useful for accelerating Virtual Private Networks (VPN).
AES-NI is built into the CPU on the FW2B, FW4A, FW4B, and FW6 series. It is not available on the FW1 or FW2.
Our recommendation: If you plan on running a VPN or other encryption-related operations, we recommend selecting one of the Vaults with AES-NI. The built-in hardware support for encryption allows them to maintain high performance with VPNs.
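To confirm that the operating system actually sees AES-NI on a given unit or inside a virtual machine, the CPU feature list can be checked directly. This added example (not Protectli code) matches the feature as a whole token in Linux `/proc/cpuinfo` text and in FreeBSD boot messages; all sample text is constructed and `has_aesni` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed Linux /proc/cpuinfo excerpt, CPU with AES-NI.
LINUX_WITH='model name : Example CPU A
flags      : fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 movbe popcnt aes rdrand'

# Constructed Linux excerpt, CPU without AES-NI.
LINUX_WITHOUT='model name : Example CPU B
flags      : fpu vme de pse tsc msr sse sse2 ssse3 movbe'

# Constructed FreeBSD boot-message excerpt (pfSense and OPNsense are FreeBSD based).
BSD_WITH='CPU: Example CPU A (K8-class CPU)
  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>'

# Exit 0 if the CPU feature text on stdin lists AES-NI, 1 otherwise.
# Flags are compared as whole tokens so a longer name that merely
# contains "aes" does not count as a match.
has_aesni() {
    awk '
        /^flags[ \t]*:/ {                 # Linux: space-separated flag list
            s = $0; sub(/^[^:]*:/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        /Features2=/ {                    # FreeBSD: comma-separated list in <...>
            s = $0; sub(/^.*</, "", s); sub(/>.*$/, "", s)
            n = split(s, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

describe() {
    if printf '%s\n' "$2" | has_aesni; then
        echo "$1: AES-NI present"
    else
        echo "$1: AES-NI absent"
    fi
}

describe "linux sample A" "$LINUX_WITH"
describe "linux sample B" "$LINUX_WITHOUT"
describe "freebsd sample" "$BSD_WITH"
```

On a live system, run `has_aesni < /proc/cpuinfo` on Linux or `has_aesni < /var/run/dmesg.boot` on FreeBSD. In a guest VM the flag appears only if the hypervisor exposes it to that guest.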
7. Workload and Hardware Requirements by OS
The OS you choose to run can greatly affect the performance requirements of the Vault. Some customers use the Vault to run a basic firewall, while others use it as a hypervisor. Therefore, hardware requirements vary widely. Here are a few examples of usage that typically require a stronger CPU.
- Routing all network traffic through a VPN requires higher CPU clock speeds, especially at higher throughput
- Running add-on packages like pfBlocker (pfSense), SNORT (pfSense), or Sensei (OPNsense)
- Using the Vault to run a hypervisor, and/or having other software running on the same device.
Here are hardware recommendations for common OSes:
General Guidelines for Picking the Right Vault
In addition to the variables above, you can use the guidelines below and view the key differences between the models of the Vault. They are not definitive for any specific situation, but should help users to make a good selection. Please also consider our Product Comparison for an easy way to see how the Vaults stack up.
FW2: Entry level, best suited for home networks or very small businesses with a simple configuration.
FW2B: Better performance than FW2 with a smaller, more compact design. The FW2B has AES-NI, HDMI, console and more USB ports than the FW2.
FW1: Entry level, small business or home network, relatively simple configuration, with 4 ports for additional physical network segments.
FW4A: Slightly better performance than FW1, plus features AES-NI.
FW4B: Similar performance to FW4A, with a compact design and HDMI ports. The FW4B with 8G memory and 120G storage is the most popular unit and configuration.
FW6A: Best for more complex networks. 6 Ethernet ports for more physical network segments and additional AES-NI power for more VPN performance.
FW6B: Same as FW6A but with more CPU power for more rules, packages, VPNs, VLANs, etc.
FW6C: Same as FW6A and FW6B but with even more CPU power.
Congrats, you’ve made it all the way through this guide and you’re still with us!
Still not sure which Vault you want? Feel free to reach out!