Product Selection Guide

Overview

There are several models of Protectli Vaults that have different CPUs, number of ports, console types, and other attributes. In addition, all of the models can be customized for both DRAM and storage. Customers commonly ask how to select the right Vault for their application and network. Due to the many variables and dynamic nature of network traffic, there is no way to definitively select the exact model and configuration for any given network. However, with 1Gbps capability on all ports, robust Intel CPUs and NICs, support for many OS, and other options, there are typically multiple Vaults that will perform well in many different networks. This article will examine the variables of network design, traffic, performance and Vault configurations to serve as a general guide to select the proper Vault.

 

Vault Variables

There are a variety of Protectli Vaults that come with different configurations and features. The Vault variables are:

  • Number of Ethernet Ports
  • CPU
  • Size of Memory (DRAM)
  • Size of Storage (mSATA)
  • Console Interface – VGA or HDMI
  • AES-NI
  • Optional coreboot BIOS
  • Optional SSD connection and mount

These items will be explained below.

Number of Ports

The Vault models come with 2, 4, or 6 Ethernet ports.

CPU

There are different CPUs that come with each Vault. Typically the more ports the more powerful CPU. The FW6 series has three models with increasingly more powerful CPUs as the only differentiator.

Amount of Memory

Each of the Vaults can be customized with different amounts of DRAM. More memory typically leads to better performance and response. The FW1, FW2, FW2B, FW4A, and FW4B can  be 2, 4, or 8 GB. The FW6 can be 4, 8, 16, or 32GB.

Amount of Storage

Each of the Vaults can be customized for different amounts of mSATA. More storage allows more data, logs, configurations, etc. to be saved. The Vault supports any industry standard mSATA up to 1 TB. Q: Do we want to get a 2 TB for testing?

Console Port

Each Vault has either a VGA or HDMI console port.

AES-NI

AES-NI is Intel hardware assist for encryption. It offloads the encryption task from the CPU which is particularly critical for Virtual Private Networks (VPN). AES-NI is built into the CPU on the FW2B, FW4A, FW4B, and FW6. It is not available on the FW1 or FW2.

Coreboot BIOS

Coreboot is an open source alternative to traditional BIOS. It is available as an option on FW2B, FW4B,  and FW6. For more information see this link.

2.5″ SSD SATA Mount and Cables

The FW6 series has an internal mount for a 2.5″ SSD and it ships with SATA data and power cables.

 

Performance Variables

There are many variables when it comes to network performance. One of the main variables is the Operating System (OS) and application that is installed on the Vault. In this article, we will use pfSense® CE configured as a firewall and router as the baseline configuration. Note right away that performance variables and characteristics would differ significantly from a Vault loaded with VMware ESXi acting as a virtual machine (VM) or a Vault loaded with a Linux distribution such as Ubuntu or CentOS.

The key items that affect performance of a firewall/router are:

  • Number of devices/users “behind” the firewall
  • Number of connections from behind the firewall out to the Internet via the WAN port
  • Throughput of the physical interfaces
  • Encryption, particularly VPNs
  • Number of firewall rules
  • Additional packages installed that require more processing power
  • Temporary diagnostics such as packet capture
  • Future Growth and Changes

These items will be explained below.

Number of Devices

The number of devices/users is simply the number of physical devices which are behind the firewall. More devices and users obviously lead to more network traffic.

Number of Connections

The number of connections refers to the IP connections between user machines or devices that traverse the WAN. As an example, if a user has a PC and browses out to the Internet, there will typically be multiple “connections” between the browser and the web site. It is not unusual to have 20 or more connections just from a single visit to a web site due to various content, advertisements, etc. On a firewall, each connection has two “states”. One for entering the firewall through the WAN port and one for exiting the WAN port. Per pfSense® CE documentation, 1K of memory is used for each state. Clearly a larger number of states will require more memory.

Throughput

All of the Vault Ethernet ports can run at 1 Gbps linerate. The WAN port is typically connected to an Internet Service Provider (ISP) with contracted up/down rates. Those rates are typically 10 Mbps to 1 Gbps. Higher throughput rates allow generation of more traffic in the network.

Encryption

Encryption is a resource intensive operation. It is used by Virtual Private Networks (VPN) to encrypt “tunnels”. The Vaults that have AES-NI have built in hardware support for encryption that allows them to maintain high performance with VPNs.

Firewall Rules

Firewall rules can be configured in pfSense® CE that determine how packets are handled. For example, incoming traffic to the WAN port can be configured to block traffic from a specific site. Outgoing traffic through the WAN port can be configured to prohibit visiting specific sites or specific protocols. Multiple rules can be configured on all the ports. When a packet hits an interface, pfSense® CE goes through the rules in sequence until a rule is met and action taken. The more rules that are configured and used to process each packet, more CPU power will be required. In pfSense® CE, firewall state information can be found in Diagnostics->States and Diagnostics->States Summary.

Additional Packages

pfSense® CE allows additional packages to be installed. In pfSense® CE, additional packages can be found in System->Package Manager->Available Packages. Packages range from various monitoring, status, and tool applications to complex packet filtering. Some packages such as Snort, Squid, and Suricata are notable for their use of system CPU and memory resources.

Temporary Diagnostics

During ordinary operation, packets are processed, filtered, forwarded or discarded. Enabling diagnostics such as packet capture can affect performance because in addition to normal processing, this will capture packets and save them to disk.

Future Growth and Changes

Networks continue to evolve and change behavior. Traditionally that has meant growth in traffic and lots of it. This is particularly prevalent in an organization that is adding more users, more applications and transitioning to cloud services. Anticipated future growth, even if difficult to quantify, should be part of the product selection. It is often better to buy more memory and storage than originally thought needed if the price difference is not significant.

 

General Guidelines

The guidelines below are very general, but they are used to highlight the differences among the different Vault platforms. They are not definitive for any specific situation, but they should help users to make a good selection.

FW2

The FW2 is the entry level unit. It is suitable for a very small business or home network with a simple configuration.

The FW2 can be seen at this link.

FW2B

The FW2B has better performance than the FW2 and it has a smaller, compact design. FW2B also has AES-NI, 2 HDMI  console ports and more USB ports than the FW2.

The FW2B can be seen at this link.

FW1

The FW1 is the entry level unit. It is suitable for a small business or home network with a relatively simple configuration. It has 4 Ethernet ports for additional physical network segments.

The FW1 can be seen at this link.

FW4A

The FW4A has slightly better performance than the FW1 and it has AES-NI. It is suitable when a VPN is used or for better performance with encryption.

The FW4A can be seen at this link.

FW4B

The FW4B has similar performance to FW4A, with a small compact design and HDMI ports. The FW4B with 8G memory and 120G storage is the most popular unit and configuration.

The FW4B can be seen at this link.

FW6A

The FW6A is suitable for a medium sized business,  more complex network or more demanding application. It has 6 Ethernet ports for more physical network segments and more AES-NI power for more VPNs.

The FW6A can be seen at this link.

FW6B

The FW6B is the same as the FW6A with more CPU power for more rules, packages, VPNs, VLANs, etc.

The FW6B can be seen at this link.

FW6C

The FW6C is the top of the line unit. It is the same physical configuration as the FW6A and FW6B with even more CPU power.

The FW6C can be seen at this link.

 

Product Comparison Table

The Product Comparison Table comparing all of the models can be found at this link.