If you follow The Geek Pub regularly, then you know we are huge fans of pfSense. We’ve been running it in our environment(s) for several years and it’s just rock solid and reliable. The biggest issue we have is that although pfSense is community based and open source, it is ultimately still owned by Netgate, and they are pushing their hardware to pfSense users at what I feel is a steep (and unnecessary) premium. The goal of this recommendation article is to help the community find the best pfSense box for the money!
Updated: We update this article quarterly to make sure the latest and greatest hardware is reflected!
What is the Best pfSense Box?
We’re going to assume for the purposes of this article that we’re talking about home networking. If you’re interested in a business pfSense box check out our article on enterprise pfSense boxes.
NOTE: We actually use these boxes in our home, our families’ homes, and production small business environments. We have detailed hands-on experience with them. Mike Murray – Founder, The Geek Pub
A quick technical detail we need to cover: there are a lot of boxes out there that claim to be pfSense compatible (and they technically are). Any x86 device or PC is generally compatible with the pfSense firewall software. But even though they are compatible, they may not be the best pfSense box if they lack support for AES-NI. Simply put, AES-NI is a set of AES encryption instructions built into the die of most new processors. This functionality drastically speeds up the cryptographic operations behind SSL and VPN services.
Indeed, pfSense has considered at least once requiring AES-NI for pfSense compatibility, and then reversed course at the last minute. If future proofing your box is important, this is another reason to look for boxes that have AES-NI support.
In this rundown we will only include boxes that support AES-NI.
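One way to check a candidate box for AES-NI before committing to it, as an added example that is not part of the original article: the function below parses either a Linux `/proc/cpuinfo` dump or a FreeBSD (pfSense) boot log. The sample inputs are constructed, and the function and sample names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# cpu_has_aesni reads CPU feature text on stdin and prints "yes" or "no".
#   On a running pfSense box:   cpu_has_aesni < /var/run/dmesg.boot
#   From a Linux live USB:      cpu_has_aesni < /proc/cpuinfo
cpu_has_aesni() {
    awk '
        # Linux /proc/cpuinfo: "flags : fpu vme ... aes ..." (space separated).
        # Compare whole tokens so a lookalike such as "vaes" does not match.
        /^flags[ \t]*:/ {
            line = $0
            sub(/^[^:]*:/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        # FreeBSD boot log: "Features2=0x...<SSE3,...,AESNI,...>".
        /Features2=/ {
            line = $0
            sub(/^[^<]*</, "", line)
            sub(/>.*$/, "", line)
            n = split(line, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "AESNI") found = 1
        }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed sample inputs. The bitmask is a placeholder and the flag
# lists are shortened; only the presence or absence of AESNI/aes matters.
sample_freebsd_j1800() {
    cat <<'EOF'
CPU: Intel(R) Celeron(R) CPU  J1800  @ 2.41GHz (K8-class CPU)
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,RDRAND>
EOF
}

sample_freebsd_j3160() {
    cat <<'EOF'
CPU: Intel(R) Celeron(R) CPU  J3160  @ 1.60GHz (K8-class CPU)
  Features2=0x0<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,RDRAND>
EOF
}

sample_linux_j3160() {
    cat <<'EOF'
model name : Intel(R) Celeron(R) CPU  J3160  @ 1.60GHz
flags : fpu vme sse2 ssse3 sse4_1 sse4_2 movbe popcnt aes rdrand
EOF
}

# Demo run over the constructed samples.
for s in sample_freebsd_j1800 sample_freebsd_j3160 sample_linux_j3160; do
    printf '%s: AES-NI %s\n' "$s" "$($s | cpu_has_aesni)"
done
```

A "yes" here only means the CPU advertises the instructions; pfSense still has to be set to use the hardware crypto support.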
THE BEST PFSENSE BOX WITHOUT AES-NI SUPPORT
So… you don’t care. You just want a box without AES-NI support? Then we’d definitely recommend the Protectli. It’s not going to run lots of VPNs or do SSL decryption/encryption for squid proxy or anything else. But if you just want a solid little firewall to protect your family this one should check most people’s boxes… minus AES-NI.
This box does have some nice features even without AES-NI! First, it is super affordable at less than $200. Second, it packs a dual-core Celeron J1800 running at 2.4GHz. That is plenty of horsepower for fiber connections such as ATT Fiber or Verizon FiOS.
OK. Now let’s move on to our recommendations for the best pfSense Box that does support AES-NI.
Additional Important Features to Consider
In addition to our notes above, there are some other features you should consider when selecting the best pfSense box for your home.
Video output is a feature that is often overlooked. Many pfSense boxes don’t even have a video output, instead coming with only a serial port. This can be very frustrating when installing and troubleshooting the box! Some boxes include VGA, HDMI, or both. We highly recommend that you get a pfSense box that has a video output, and HDMI if possible, as many modern monitors are no longer shipping with VGA ports. You can disconnect the monitor for normal use.
NUMBER OF NETWORK PORTS
You can get pfSense appliances with just two ports, or as many as 10 or 12. Most people will only ever need two ports: a WAN port and a LAN port. The WAN port connects to your ISP’s modem (or the ethernet handoff from the fiber gateway). The LAN port connects to a switch in your home that all of your devices connect to.
More experienced users may want additional ports to support a DMZ for a server, or for VLANs to support guest networks or other private networks.
COOLING AND POWER SUPPLY
Cooling may not sound all that important, but if your firewall is in your bedroom or where you watch your favorite movies, a fanless appliance could be a must. All of our recommendations for the best pfSense box are fanless.
Additionally, some units have internal power supplies, while others have external power bricks. This could be important depending on how you plan to mount the box or otherwise store it while in use.
HARD DISK TYPE AND CAPACITY
For most people the hard disk type and capacity are going to be somewhat irrelevant. However, if you prefer a silent box and one that is less likely to fail, solid state is the way to go.
For size, unless you plan to use your pfSense box for caching or serving data then the smallest size mSATA drive should be plenty. Generally the smallest capacity is 32GB. However, some boxes still ship with 16GB. Either (or more) should work fine.
pfSense Minimum Requirements
Of course, if you’re on the lookout for the best pfSense box, it is also important to understand the minimum requirements for running pfSense in the first place. If you don’t meet those it is likely pfSense will still run, but it will be very slow and likely unstable. The following reflect the pfSense developer’s minimum requirements:
- A CPU speed of at least 600 MHz
- Memory capacity of at least 512 MB
- Minimum of 4GB hard drive
- A network card with two ports, or two separate network cards.
- A USB port that supports booting from the BIOS/EFI or a CD/DVD ROM drive.
You’ll want to keep in mind that these are the minimum requirements, and a box that only meets them will not perform well. For example, the minimum requirements only support a 100Mb connection. If you want to support higher bandwidth such as fiber connections, the minimum won’t work.
#1 – The Protectli Vault FW4B Firewall Appliance
We’ve deployed many of these little boxes for friends and family and they work excellently. It’s got all the specs where it counts. It is ideal for Gigabit and Fiber ISPs because it packs the horsepower to route and filter on the fastest networks, along with full support for AES-NI, something every pfSense box should have.
For 2022 we feel this is the best little pfSense box you can get for the money. Hands down. These boxes work great. They are highly reliable, and they are silent. We’ve deployed at least 30 of these over the last two years and they have worked flawlessly. And the Amazon reviews show the same, over 90% positive feedback. You can’t go wrong with this box.
They include the following specifications:
- Intel Quad Core Celeron J3160, 64 bit, 2.2GHz, 2MB L2 Cache
- Full AES-NI hardware support
- 4x Intel Gigabit Ethernet NIC ports
- 4GB DDR3L RAM
- 32GB mSATA SSD
- 1x USB 2.0
- 1x USB 3.0
- 1x RJ-45 COM (serial)
- 1x HDMI
Our favorite thing about this little box is that it is 100% solid state… No fans!!! It doesn’t make even the tiniest noise during operations. It’s perfect for home use and very affordable.
#2 – The Qotom ITX Appliance
The Qotom ITX appliance is slightly larger than some of our other picks. But that’s because it’s based on an actual ITX board. This is the box Mike recently chose for an Airbnb, and it supplies gigabit internet for guests of the property. It’s connected to a Ubiquiti NanoBeam for getting WiFi down to the boat dock. In addition, it runs a managed VPN between this property and his commercial building for managing the home remotely. This box is snappy, quiet (fanless), and has all the features most people will need.
- Intel Core I3-4005U @ 1.7GHz
- 8GB of RAM
- 16GB SSD
- AES-NI support
- 4 Gigabit ports (1x WAN, 3x LAN)
- 2x USB 2.0 ports
- 2x USB 3.0 ports
- 1x HDMI
#3 – The Zotac ZBOX (Mini-PC w/dual Ethernet)
This box is an outlier for a best pfSense box rundown. However, it’s really fantastic! Rather than being a network appliance, the Zotac ZBOX is actually just a mini-PC built for running Windows or Linux in a tiny form factor. However, the fact that it has dual Ethernet ports makes it a perfect small pfSense firewall appliance too!
In addition to being super small, it has the ability to mount to any VESA mount. This means it can be mounted virtually anywhere. And of course, it is fanless and silent!
- Quad-core Intel N4100 Processor @ 1.1GHz (up to 2.4GHz turbo)
- VGA, HDMI, and Display Port video
- 4 x USB 3.0 (1 x Type-C)
- 1 x USB 2.0
#4 – The Firewall Appliance
Next on our picks for the best pfSense box is the Firewall Appliance, a beast of a little firewall for home users. It’s a little more expensive than our first choice, but it comes with a quad-core Celeron processor. It also drops the VGA port in favor of two HDMI ports. Additionally, it has a barrel lock connector to keep unauthorized users out of the box, protecting the hard drive from access. Here’s the spec rundown for this little guy:
- Intel Quad Core Celeron J3160, 64 bit, up to 2.2GHz
- Full support for AES-NI
- 8GB DDR3L RAM
- 128GB mSATA SSD
- 4x Intel i210 Gigabit Ethernet ports
- 2x USB 3.0
- 1x RJ-45 COM
- 2x HDMI
- Solid State, Fanless Silent Operation
This device combines the power of pfSense in a small fully consumer friendly device. It will also route and filter at close to Gigabit speeds for even the fastest ISPs.
Runner Up – The Netgate SG-3100
Some of you are going to want to stick to Netgate products since we know they will most likely remain 100% compatible through their usable life. While there are of course examples where manufacturers dropped support for their own products before they were truly end-of-life (we are looking at you Apple!), the chances are pretty low. The Netgate box, while overpriced and under spec’ed, is a solid box that should perform reliably enough. Its specs include:
- ARM v7 Cortex-A9 @ 1.6 GHz Dual Core
- 2X 1GB LAN/WAN ports
- 4X 1GB Switched only ports
- 2GB RAM
- 8GB Storage
- 1X USB
So that wraps up my picks for the best pfSense box for ordinary home users! Happy pfSensing!
I picked up an SG-2440 from my work for $50, but I’ve recently gotten gigabit fiber at home and the sg-2440 seems to top out at around 750/750 on a good day. Can the little no-name box keep up with gigabit?
On the SG-3100 are the dual WAN ports capable of WAN Link Aggregation? As my WiFi router is capable of link aggregation by using the Wan and first port to be 2.5Gb link.
Can the no-name box keep up with gigabit and pfBlocker-NG (I want to GeoIP block some countries)? What would you recommend for gigabit and pfBlocker-NG? Many thanks
Huge vote for “no name” Amazon box. I bought it based on this review and can vouch for what they say. It’s silent. Like dead silent. As in no fans at all. Perfect for home where my wife complains about noisy computers.
What is the OpenVPN client speed performance with pfSense on this no-name box?
That’s a good question, and I need to test it fully. I am running a 300Mb/s Fiber connection and am able to 100% max it out with the pfSense OpenVPN client connected to PIA.
Maybe I’ll set up a 2nd box this weekend and do a point to point Gig and see what I can reach.
Thanks Mike, please let me know. Could you also let me know exactly which no-name box you tested?
You get that openvpn speed with a no-name box with Intel Quad Core Celeron J3160, 64 bit, up to 2.2GHz cpu?
What about the APU2 devices.. interestingly one of them is used as the banner for your website. I was considering them because of power consideration.. The intel device can be a power draw especially for something to be used for home. I would appreciate your take. (I was actually considering an SBC but I could not find one stable/supported/reliable enough for the purpose)
Seeing that both #1 and #2 have the same price on Amazon right now ($309), would you still prefer #1 over #2? It seems to me that #2 is the more powerful box, or am I missing something?
Prices change daily. But if you can get #2 for the same price, sure!
I use the no name box and it works great! I’ve been using it for a couple of years. Just googled this to see if there was anything newer and it seems this is still the go to box.
Looks like the same link for both the “No-Name Micro Firewall Appliance” and “The Firewall Appliance.” I think you wanted this for the no-name: https://amzn.to/2JBuzsf
“Starting with version 2.4 pfSense will only run on hardware supporting AES-NI” – not true any more, maybe you should update:
“The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.” Ref: https://www.netgate.com/blog/pfsense-2-5-0-development-snapshots-now-available.html
Why do you call boxes made by various Chinese companies “no name boxes”? Is it because manufacturer names are difficult to pronounce and remember, so no “QUOTOM”, “Protectli”, “HUNSN”, etc., but rather: “no name”? How about simplifying it for non-English speakers, and replacing Cisco, Ubiquity, Netgate, etc., with “various (who cares about their names) American boxes”?
Well let’s see. I only own about 7 of these boxes. I have three right in front of me. Nowhere on the box is there a manufacturer name inside or outside the box, with the exception of Intel and other various chips. So if the manufacturer wants their name on my site, they should put it on the box.
Because many people said “do not use cheap Chinese USB cable to flash your phone”, and those manufacturer names only sell on Amazon. Why? The defective and much cheaper products they sell under another name on the Chinese market.
Yes, those names are not official and not a trademark; “no name boxes” is very accurate.
Hey, ty for your post.
I’m still not sure which one to buy. For days I have been looking for the right CPU that doesn’t cost that much and fits my needs.
My biggest problem atm is that none of my routers or even my older QNAP NAS TS-453pro with the Celeron J1900 processor is able to run OpenVPN at a decent rate.
I am looking for a processor that is able to handle at least a 200-300mbit connection. Because I don’t have any experience with AES-NI processors, it is hard to say which one fits my needs.
Atm I was thinking to buy the HSIPC Celeron 3855U but dunno if it’s enough…
What do you think? Could you give me any advice to fit my needs?
HI Mike, great blog! Can you not sell me or tell me what parts to buy to setup a PFSENSE hardware box like the red one? Or can you sell me one. Your builds are just amazing. Thanks
It’s not been made for years unfortunately.
Hi Mike, how about PC Engines APU4C4/2 (or APU3C4/2)? How do they compare with the no name boxes from the article (they seem to be cheaper)? Cheers!
Tell them to send me a box for review. I am happy to test it and add it to the list if it performs.
Starting with version 2.4 pfSense will only run on hardware supporting AES-NI.
You should check your facts as this is completely wrong, version 2.4 pfSense doesn’t need AES-NI
Actually, you should probably check your facts. When we wrote this article, it was indeed required. pfSense has since changed their direction due to user feedback and removed the requirement.
“The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.”
Original announcements on pfSense 2.5 and AES-NI https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html https://www.netgate.com/blog/more-on-aes-ni.html
However, AES-NI is still highly recommended.
Hi Mike – Thanks for your recommendations! Can the Celeron box support 500/500Mbps ethernet with packet inspection and intrusion detection turned on? How is the VPN performance? Thanks!
Thank you for your efforts and the article.
You mentioned you would argue these could be used for a small office? How about a 13 user Insurance office where much of the work is web based (logging into home and auto insurance companies) 1 to 2 offsite logins for RDP (or similar) per day? About how many users would you feel comfortable in this device being able to handle? Assume the office has cable or fiber internet around 500 to 700Mbps
Easily. You should have no issues.
Thank you for this article, it’s very useful for me. I have been mulling over introducing a PfSense box for some time to replace the semi-useless router supplied by my ISP. The one thing stopping me from going for one of the devices mentioned in this article is that none of these devices appear to include native WiFi hardware which I think would mean that I’d have to add a WiFi AP or a USB WiFi dongle. Are you aware of anything that also includes WiFi hardware?
All you need to do is add your favorite USB Wi-Fi dongle to these. But anyone who wants good Wi-Fi will want to mount dedicated wireless access points in their home to get good coverage. 95% of people who complain to me about their ISP are actually upset about their Wi-Fi signals (and their ISP is fine).
Hey Mike, Fellow renaissance man here…I stumbled over your youtube vid after a recent networking crisis in my house (great vid!). I was always a computer geek growing up, but ended up taking the engineering route in the military. A family and two kids later, I’ve had it with consumer grade products. I’ve been running a Fios and Orbi Mesh since replacing the old Airport Extreme for a few years, along with a Synology Ds416play, 4 Amcrest HD cams (wifi), Directv (wired and wifi), Sonos, and a few other things. I’ve just had it with the Orbi routing so I’m beginning my quest for a personal degree in home networking. What would be your recommended setup for this situation? As of now I just purchased an XR700 with the DumaOS so curious on your experience if any with that. Is that worth a shot or should I return it and go with PfSense firewall/routing solution? I don’t care what it takes, I just want a fast ass snappy wired and wifi setup that works reliably for a few years. Countless hours messing with router config, ipcam config, and rebooting systems needs to be in the past. I’m tired of crap that doesn’t work!!!
Have you tried running Opt #1 into the -20F range or up into the 140F range? I am looking for something to replace a Mikrotik hEX I have in an outdoor box with no temp controls on a hill. It’s just an insulated fiberglass box that is in the sun the whole day, so it can get really cold (not sure exactly how cold) or get cooking hot.
Mike thank you for this article! I understand this article was updated so I read through the questions and responses and wanted to ask about the last line you said about #2, which appears to be your recommendation for a more powerful but possibly more expensive device. You say “It will also route and filter at close to Gigabit speeds for even the fastest ISPs.” When you wrote that, were you referring to the overhead of a gigabit Comcast line for example? In other words, was this box tested internally, without an ISP, and with firewall enabled and it could not reach full gigabit? And this is faster than choice #1? I have true gigabit fiber, tests out at 980-999Mbps when hooked straight into my modem. I am looking for a box that will take that bandwidth and not step on the throughput due to lack of power with firewall enabled and security IPS. I may go to 1.5Gbps is my reason for asking. Thank you for your reply. I understand this is an older article and you may not be able to respond.
Thanks for all the informative posts. Your site is awesome! I’ve been using an APU2c4 board for awhile now. I can attest to it being cheaper than the no name boxes, and it works very well for home small office deployments. Though I’m not sure about the throughput in comparison. I’m only getting 300/20 at home. Cheers!
Yep. The APUC4 is a nice board, but it’s not going to handle more than about 350mb… and only about ~40mbit with VPN.
Is your gigabit fiber coming in via PPPOE? Seems to be an issue with the intel NIC driver.
I got 330/50Mbps FTTP delivered over a PPPoE session, do you know if that is an issue for pfsense and one of the ‘noname’ Intel based boxes you mentioned?
I would love to pick up a No Name and I have a lot of tech experience but not with a firewall. Can you recommend a config site if I were to pick one of these up? I would like to review what it would take before I purchase one.
I have had 2+ Netgate boxes knocked into serial port unresponsiveness. One cost $1300 (sg4860) and the other is sg1100. I think somebody out there really does HATE me. It also includes an older NUC unit. Qubes 4 (from April 2019 Linux Format) does not seem to be of any use. Can I buy a copy of an RPM repository or something?? I am aware of several operations that sold dvds of various Linux strains but they were usually corrupt and untrustable.
Hi Mike, thanks for the straight to the meat review of these devices, especially the no-name ones which is what I’m looking into now. Question for you regarding what seems taxed more, CPU or RAM? The ones you listed are Atom and Celeron based but I know you can also get these with an i3 or i5 CPU. Generally there seems to be a price trade off between included RAM on the i3/i5 vs the Atom/Celeron variants.
My current home cable connection is capped at 330 but I see that increasing in the next few years.
Hey Mike, Curious to know if your hardware recommendations are still the same as of now? Thx
Does anyone know where to buy the THE NO-NAME MICRO FIREWALL APPLIANCE in Germany or in Europe? Or is there any suggestion for a newer version to buy? Thanks guys! Take care!
“It’s not going to run lots of VPNs or do SSL decryption/encryption for squid proxy or anything.”
Who does that sort of thing on a home network anyway? Being able to efficiently run hundreds of VPN connections to a firewall router is something only a medium to large enterprise will do. Even most small businesses could get by with software encryption/decryption on older hardware. I repurpose used watchguard vpn firewalls on ebay and install pfsense on them. I work in software engineering and I have multiple home LANs. One is dedicated to my company laptop and devices. It is where I do my daily work from my home office. Oh yeah I forgot to mention I don’t drive into an office. For the last 10 years I have been telecommuting to work from home and I have gone through a myriad of different firewalls. From home built 1U servers that were noisy and hot to a commercial ZyWall 310 that cost me a frigging thousand dollars four years ago. Guess what I never used the VPN cryptography feature of that hardware. So when it started to flake out on me I decided to buy an old used appliance on ebay and perform some simple upgrades on it to get pfsense working. The watchguard firewalls have been my favorite so far. They are quiet and plenty powerful if you upgrade their cpu. Even if I do decide to use VPN the capacity of software VPN on a Pentium E5700 running on my watchguard will be able to manage it no problems. There will be at most a handful of people who would use it so I will never really push the hardware/software to the point where performance becomes unacceptable. Now for a medium to large enterprise that has an army of road warriors who need secure VPN access to corporate then I would go with the Netgate Enterprise hardware solutions in the 1U rack mountable form factor!
Any recommendations for boxes with Multigig Ethernet? The backbone in my house runs at 2.5GBE except my router. Comcast is pushing play gigabit speeds in my area and I’d like to take full advantage of that.
I’m a big fan of Pfsense, use it at a big scale in Angola. Liked your review.
I have a new project where I must have GSM connection. Do you know any reliable Pfsense box with onboard SIM/GSM?
I know it’s possible with network modem (like Huawei pen) but it makes an additional variable/problem on remote sites (very remote).
I meant to say, Comcast is pushing PAST gigabit speeds. My modem has a 2.5 GBE port and so do my switches, but I can’t find a relatively inexpensive router that doesn’t involve converting an SFP port to ethernet and hoping it works to get a 2.5 GBE connection. New consumer routers are coming out with a single 2.5 GBE port on either the WAN or LAN side, but not both. This is very frustrating. At least one gets around it by letting you use LAG for the LAN side for a 2 GB connection, but it’s still not quite the same. Any recommendations would be appreciated.
What would be best to create a cheaper version of NETGATE 6100 MAX PFSENSE+ SECURITY GATEWAY? I need to create one that can handle unlimited devices and not lose gig speeds or create network performance issues and can handle anything and everything including future proofing
Great article. Would you recommend the 2-port no-name box?
hey Mike! what are your thoughts on 2.5gb/5gb now that At&t fiber is offering faster speeds? Using a 4 port qotom i5 at the moment, but one of the ports is damaged and will only operate at 100mb so was looking at replacing. J4125 based replacement looks to have 2.5gbe with multiple ports?
None of these support 2.5Gbps Ethernet though. I need one that has a 5 or 2.5Gbps WAN port. What are the best solutions for 2.5 or faster?