Jochen Demmer[1]
The Dutch firewall manufacturer Deciso released new entry-level firewall appliances. Those devices come preinstalled with the business edition of their very popular OPNsense. A one-year subscription is included, containing a 20% discount on the base support package amongst other useful supplements. Let us take a closer look at the DEC2687, which is basically the rackmount version of what they offer for the so-called desktop market, the DEC677 and DEC697. For benchmarking, the OS was updated to version 24.4.2 from August 2024.
These devices are called entry level in comparison to the better equipped ones. Those include superfast CPUs, more memory and also come with SFP+ or even SFP28 interfaces for high-demand scenarios in datacenter and enterprise. [2][3]
Here are Deciso's former and current entry level appliances.
This review is about the DEC2687, which is the successor of the desktop model I tested in 2022, the DEC695. The CPU has been slightly upgraded, now running at 1.8 GHz instead of 1.6. The Ethernet chipsets were changed from Intel I211 (1G) to Intel I226-V (2.5G). The brochure promises a whopping speed increase of up to 50%. Deciso includes networking benchmark results in their brochures. We will see if those promises hold.
One important difference between the desktop and the rack versions is that the latter use a fan for active cooling. In my - tbh - quite rudimentary audio test setup with the default iPhone 13 microphone I measured the noisiness. It averaged about 41 dB. Next to the raw number I would like to give my personal impression. I wouldn't want to be in the same room as this device on a daily basis. You can definitely stand several hours even sitting right next to it, which is what I did during my testing and writing. Yet I would strongly suggest: if you are in a quieter office environment, choose a desktop version.
![deciso_dec2687_noise_level_decibel.png](/junicast/review/dec2687/deciso_dec2687_noise_level_decibel.png = 400x)
This was measured with the device idling. When running CPU-intensive tasks it would not get any louder though. Probably the default fan speed is more than sufficient for any workload. You can see in the power consumption results below why that might be. As there is no real BIOS / UEFI menu I don't think the fan settings can be adjusted. In OPNsense there weren't any settings either.
Both firewall generations use the so-called Netboard A8. My freshly arrived example carried the revision number R2.1 on it. In contrast to the DEC695, the DEC2687 did not try to boot via PXE on every single interface. This way the boot time has improved by about 10+ seconds.
To me the most important aspect is how the new device performs in the field, especially in comparison to its predecessor. Let's show their technical specifications side by side. Here are the most important specs extracted from the official brochures.
Spec | DEC695 | DEC2687 |
---|---|---|
CPU | AMD GX-420MC SOC (x86_64) | AMD GX-420MC SOC (x86_64) |
CPU cores | 4 | 4 |
CPU clock | 1.6 GHz | 1.8 GHz |
RAM | 8 GB DDR3 | 8 GB DDR3 |
Ethernet 1 G | 4 | - |
Ethernet 2.5G | - | 4 |
Firewall throughput | 3.3 Gbps | 5 Gbps |
Firewall Packets/s | 275 kpps | 420 kpps |
Port to Port throughput | 900 Mbps | 2300 Mbps |
Firewall Port to Port pps | 75 kpps | 195 kpps |
Firewall latency | 200 us | 125 us |
IPSec VPN throughput | 600 Mbps | 600 Mbps |
Deciso decided to go for a higher clock rate than before. Will the power consumption grow proportionally? While the DEC695 was clocked at 1.6 GHz, the current model runs at 1.8 GHz.
```
# Some more detailed information from the command line
sysctl hw.model hw.machine hw.ncpu
hw.model: AMD GX-420MC SOC
hw.machine: amd64
hw.ncpu: 4
grep -i cpu /var/run/dmesg.boot
CPU: AMD GX-420MC SOC (1597.10-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
hwpstate0: <Cool`n'Quiet 2.0> on cpu0
```
The processor's official TDP is 17.5 W. Keep in mind, we're looking at the exact same CPU in both firewall appliances, just configured differently.
TDP is not a number directly tied to power consumption; it describes how much heat energy needs to be dealt with.
We will see if the higher clock rate delivers better performance (below). Of course network speeds have increased due to the 2.5G interfaces replacing the old 1G ports. The market still seems to be in transition to 2.5G. Supporting switches are still a bit rare. Yet in this review we will concentrate more on the harder-to-measure differences between the devices, meaning: processing power.
The number of packets / sessions the device can handle went up by quite a big margin. The firewall latency will also play its part in how fast the firewall feels to its users. The specs give the exact same IPSec throughput (600 Mbps) for both device generations.
The desktop versions come with external 12V power supplies, while the tested rackmount device has a 12V power supply built in. They once again use a Meanwell power supply which has a good reputation.
There are four 2.5G twisted pair ports on the front, each connected to its own Intel I226-V chip. I would have loved to see at least one SFP port so you can go fiber. More and more Internet uplinks will be realized with fiber in the future.
Also on the front there's a USB 3 Type-A port as well as a mini USB port which acts as a serial connector, cable included. On the back there's the IEC power socket (cable also included), a ground connector screw, a physical power switch and the fan exhaust. Due to the low power usage, it will take some time to discharge the capacitors after disconnecting the power cord. This is why they suggest keeping it disconnected for 60 seconds (see sticker on the back).
What I really like about Deciso is them not soldering their stuff onto the mainboard. The number of manufacturers doing this is sadly growing. In case of a defect, repairing the device would otherwise end up in switching the whole mainboard, which is nonsense.
The way Deciso is doing it, only the defective part needs to be replaced. It seems tempting to switch those parts yourself by putting in a bigger SSD or RAM. Keep in mind that the warranty will be void if you open up the case yourself.
The board layout looks very tidy to me. The overall build quality of the casing is very good.
The DEC(2)600 series uses Coreboot [4]. I like that a lot, since it makes the device more trustworthy. This is actually a really big thing I believe. You want a trustworthy platform for the device that is supposed to be filtering malicious traffic. I don't know very many manufacturers who also deliver an open firmware like Libreboot or Coreboot. There's pc-engines but sadly they lack a decently performing device in 2024.
Future Coreboot versions can be upgraded by the user. Most recent firmware releases can be found here.
There are no common BIOS/UEFI menus to change settings, but there are some integrated features like memtest. In contrast to its predecessor, the new 600 series firewalls do not try PXE for every single interface. This improves bootup time quite a lot.
OPNsense has become a major firewall solution in the market. We can be lucky there are Open Source solutions like OPNsense. There is a really active community around this project. OPNsense is of very high quality. I find issues very rarely, and upgrades appear on a regular basis, including bug and security fixes as well as new features. The list of supported features is so long that people tend to be overwhelmed by the number of scenarios a Deciso firewall can deal with. Just so you can read a few buzzwords.
For some customers, having some kind of failover is a much-requested feature. OPNsense can do that. It utilizes CARP, which is similar to the more widely known VRRP. Together with built-in syncing mechanisms for states and config it offers you High Availability (HA) even when one of your two devices fails or is in maintenance. For minimizing downtime this is a crucial business feature.
For integrating OPNsense into DevOps environments there is this Ansible OPNsense role [5]. See also my upcoming golem.de articles about Ansible and the Open Source community in general.
OPNsense's underlying OS is FreeBSD, which is popular for networking equipment in general. It is a very solid and mature OS with a well-proven TCP/IP stack. Again, Deciso uses the x86 CPU architecture. I haven't tried to boot other OSes but I expect them to work as well. In the past I had been successful installing Debian or Proxmox on a DEC740, and I even booted VyOS on a DEC695 with success.
While BSD systems to this day offer a reliable foundation, and not only for heavy network loads, they are much less famous than Linux. At its core, packet filtering is done by pf, a super robust and well-performing packet filter originating from the OpenBSD project.
Traditionally for all my reviews I use openssl based benchmarks. You can see both communities, OPNsense as well as OpenWrt, transitioning from openssl 1 to openssl 3. Generally speaking, all benchmark results get worse when going from version 1 to 3. Consider this a side note. The results here were all taken with openssl 3, so they are perfectly comparable.
Results in bytes, except the RSA/DSA benchmarks.
Some DES numbers are missing because they were benchmarked using OpenWrt not supporting DES in that very version. Results I'll compare to the DEC695 as reference.
Working with hashes and different scenarios of cryptographic tasks is challenging for a CPU and gives us an idea about how powerful a processor is. Sadly we cannot deliver networking benchmarks just yet. I will try to hand in some results later. The performance gain over the DEC695 is surely measurable and lies within the expected margin. It's a decent upgrade for the DEC(2)6xx series firewalls.
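One way to turn raw `openssl speed` runs into the kind of device-to-device comparison described above, as an added example that is not the author's own script: it parses the machine-readable output of `openssl speed -mr` and computes the percentage gain per algorithm and block size. The author's exact invocation is not given on the page, so the use of `-mr` is an assumption, and the sample captures are constructed values, not measurements of either appliance.

```python
# Added example: compare two captures of `openssl speed -mr` output.
# All numbers below are constructed for illustration, NOT measurements.
REFERENCE = """\
+H:16:64:256:1024:8192:16384
+F:0:sha256:8000000.00:16000000.00:32000000.00:40000000.00:48000000.00:48000000.00
+F:1:des-ede3:1000000.00:1000000.00:1000000.00:1000000.00:1000000.00:1000000.00
"""
# The candidate capture has no DES record, like a build without DES support.
CANDIDATE = """\
+H:16:64:256:1024:8192:16384
+F:0:sha256:8800000.00:17600000.00:35200000.00:45000000.00:54000000.00:54000000.00
"""


def parse_speed_mr(text):
    """Return {algorithm: {block_size: bytes_per_second}} from -mr output."""
    sizes, results = [], {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0] == "+H":
            # Header record: the block sizes (in bytes) used for every test.
            sizes = [int(s) for s in fields[1:]]
        elif fields[0] == "+F" and sizes and len(fields) == 3 + len(sizes):
            # +F:<index>:<name>:<one throughput value per block size>
            results[fields[2]] = dict(zip(sizes, map(float, fields[3:])))
        # Other records (for example +F2 for RSA, timing lines) are skipped.
    return results


def relative_gain(reference, candidate):
    """Percent change of candidate over reference for shared data points."""
    gains = {}
    for alg in reference.keys() & candidate.keys():
        for size, ref_bps in reference[alg].items():
            new_bps = candidate[alg].get(size)
            if new_bps is None or ref_bps <= 0:
                continue  # missing or unusable data point on one side
            gains[(alg, size)] = round((new_bps / ref_bps - 1) * 100, 1)
    return gains


if __name__ == "__main__":
    gains = relative_gain(parse_speed_mr(REFERENCE), parse_speed_mr(CANDIDATE))
    for (alg, size), pct in sorted(gains.items()):
        print(f"{alg:10s} {size:6d} bytes  {pct:+.1f}%")
```

Algorithms present in only one capture are left out of the comparison instead of being reported as a zero or infinite gain.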
[Benchmark charts not preserved: four result sets, each shown single threaded and multi threaded (4).]
Deciso has shown in the past that they really care about efficiency. All the devices I tested so far were superior in terms of how much computing power they deliver on a really low energy consumption footprint. This device is no different. In contrast to the formerly tested DEC695 the power consumption went up a little bit, but considering the performance gain those are really good values. In their datasheet they are giving a typical power consumption of around 13W, which I can very well confirm. In idle it mostly is a bit lower, but when cranking it up it may get up to 15W as well. That's astonishing as the official datasheet claims are pretty realistic.
Here are my measurements:
State | Consumption |
---|---|
Booting | 11-13 W |
Idle | ~10 W |
Throughput benchmarks | ? W |
4 Core OpenSSL Benchmark | ~ 15 W |
There is a measurable performance gain coming along with the higher clock rate. The bigger argument for getting the new series is the new 2.5G Ethernet interfaces: while the performance gain in benchmarks is more like 10% and lower, the gain from the new interfaces will be tremendously higher.
I believe this type of firewall is an excellent choice for smaller companies that seek a trustworthy, non-power-hungry device with a decent amount of performance for smaller workgroups. With OPNsense you commit yourself to supporting a fine Open Source project. Instead of buying complicated feature sets for a Sophos or the like, you can just go with this and get the full package at a lower price point.
For a residential user this device might be a bit too expensive, as there are much cheaper competitors running ARM and OpenWrt. On the other hand OpenWrt is hard to compare to something like OPNsense as they do not offer support for HA (High Availability) environments whatsoever and there's also no official support product.
So especially in working areas where you need to rely on your solution it's a really good choice. For more demanding scenarios Deciso also offers great products.