¶ Deciso DEC695 - OPNsense Firewall Appliance Review
The DEC695 is the bigger one of two models of the DEC600 series [1]. It shall not be confused with the first 600 series, the DEC670 and DEC690. The new models are smaller and more powerful. They come in a small size form factor, so target audience probably is private and SOHO. The physical dimensions are 22mm x 185mm x 134mm Height x Width x Length.
The exact same hardware can also be bought in 19" rackmount form factor. Those models then come as DEC2675 and DEC2685 [2].
I offer two different Videos, a Teardown [3] and a Review (yet to come).
¶ Hardware Details
The DEC695 is somewhat similar to the recently tested DEC740 [4], when it comes to the appearance and size. I really like the solid design and the finish of the all metal casing. Four rubber feet on the bottom cover screws that hold the case tightly together. One screw is hidden behind the void warranty sticker.
The Mainboard is called Netboard A8. The AMD CPU is a GX-420MC SOC, a second generation G series CPU. The popular PC-Engines APU4 also uses that series but a slower one, i.e. GX-412TC.
The GX-420MC is clocked down to 1.6 GHz, normally it runs on 2.0 GHz. Deciso decided to go for this step in order top optimize power efficiency. There are no moving parts whatsoever so it stays absolutely silent at all times.
sysctl hw.model hw.machine hw.ncpu
hw.model: AMD GX-420MC SOC
hw.machine: amd64
hw.ncpu: 4
grep -i cpu /var/run/dmesg.boot
CPU: AMD GX-420MC SOC (1597.08-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
hwpstate0: <Cool`n'Quiet 2.0> on cpu0
There are four 1G Twisted Pair ports on the front, all run by four dedicated Intel I211 chips. Also in the front is a USB3 TypeA port as well as a mini USB port which acts as a serial connector, cable included. Finally there is the power connector, nothing out of the ordinary.
In contrast to the DEC740 an SO-DIMM slot is available to hold one module of DDR3 RAM. There is an NVME SSD connected via M.2. The smaller DEC675 does not come with an SSD but builtin uSD module, which, to my knowledge is not replacable. In general I do not suggest to open the device. First of all you will loose warranty, but you might cause damage. Repairs should be done by professional personnel.
The DEC(2)600 series uses Coreboot [5]. I like that a lot, since it makes the device more trustable. Future Coreboot versions can be upgraded by the user but they don't appear very often as Deciso told me. There are no common BIOS/UEFI menues to change settings but there are some integrated features like memtest. Sadly the device always tries to boot PXE on all four interfaces which extends the boot time by a little margin. As the boot time is really good this doesn't hurt too much.
¶ Operating System
Of course the device comes with OPNsense Business Edition [6] preinstalled but I wanted to see if other Operating Systems would boot. It turns out booting Debian Linux [7] worked as did OpenWrt [8]. I did not try other x86 compatible OSes but you could expect them to work. Just in case you would for example rather virtualize your OPNsense. In rare cases this can make sense.
In order to boot Debian I used the following sequence.
- Switch on device with Debian installer USB flash drive attached
- help
F4install console=ttyS0,115200n8 vga=F00
The Debian installer suggested to replace vga=F00 with gfxpayload=text, but I did not try it.
If you decide to reinstall OPNsense after you receive your device, Deciso suggests to make a config backup, since it comes with optimized settings to the hardware.
¶ Networking Benchmarks
I ran several different benchmarks with either iperf3 [9] or T-Rex v2.98 [10] to determine how much horsepower this neat device delivers. During all the tests the power consumption never went higher than 13 Watts, which is surprisingly low. At the same time the heatsink became only lukewarm but never hot.
¶ Maximum Throughput
In order to test the overall throughput of the device I used the following setup. The Device Under Test [11] has 4 Gigabit Ethernet interfaces. Interfaces igb2 and igb3 are connected to Server #1 with two dedicated 10G Ports. Port igb0 is connected to a desktop system while igb1 is connected to Server #2. All Ports are running on 1G.
In order to determine the maximum throughput I used iperf3 [12]. Server #1 was setup with two network Namespaces [13] for each interface to virtualize different hosts. In the graphics below you can see the iperf3 flows, each running in both directions. So there were 4 instances of iperf3 services and also 4 instances of iperf3 clients running during that test.
The measured maximum transfer rate is at 2,190 Mbit/s. This is quite a bit lower of what Deciso advertises (3,300 Mbit/s). These 3,300 Mbit/s is a theoretical maximum of what the CPU could handle. With only 4 times 1G it actually cannot be achieved. So this is a rather odd number. I also tested with only three iperf3 sessions instead of four. The result were about the same with 2,120 Mbit/s of average throughput after a duration of 60 seconds.
In order to get some dedicated Port to Port Performance benchmarks I went down to exactly two ports, i.e. OPT1 and OPT2. Again with iperf3 in both directions. This time I get a really constant value of between 940 Mbit/s per flow, which is a bit above their advertised specs of 900 Mbit/s [14].
¶ T-Rex based benchmarks
T-Rex is a high performance benchmarking suite from Cisco. It can generate very high traffic rates and emulate plenty of hosts. For those tests I used Server #1 with two interfaces connected to the DUT. The Firewall plainly routes between the T-Rex emulated hosts with packetfilter set to allow all. Those tests can give an estimate of how they will perform in real world situations.
¶ Imix 64 Byte 1Gb/sec for 100 sec
This emulates typical Internet traffice like HTTP, Email and other stuff.
./t-rex-64 -f cap2/imix_64_100k.yaml -c 8 -m 200 -d 100 -l 10
| Measured Item | Value |
|---|---|
| Packets per Second | 183,557 |
| Throughput Downstream | 762 Mbit/s |
| Throughput Upstream | 5 Kbit/s |
| Average Latency | 117 usec |
| Maximum Latency | 189 usec |
¶ Simple HTTP 1Gb/sec for 100 sec
This emulates HTTP traffic at a high rate.
./t-rex-64 -f cap2/http_simple.yaml -c 4 -m 100 -d 100 -l 1000
| Measured Item | Value |
|---|---|
| Packets per Second | 10,271 |
| Throughput Downstream | 74,5 Mbit/s |
| Throughput Upstream | 3 Mbit/s |
| Average Latency | 59 usec |
| Maximum Latency | 423 usec |
¶ Power Consumption
Again Deciso delivers really powerful hardware and at the same time, consumes very low power. Especially in current times where efficiency becomes more and more important, a really pleasant surprise. Those devices typically run 24/7 and the cost for electrical power is constantly on the rise. Deciso gives the typical power consumption to around 12 W [15] which I can confirm to be very precise.
Here are my measurements
| State | Consumption |
|---|---|
| Booting | 10-12 W |
| Idle | 8 W |
| Throughput benchmarks | 11-13 W |
¶ Conslusion
Deciso again delivers a well manufactured metal device with not only a small physical but also ecological footprint. The chosen hardware is top of the line with dedicated Intel Chips for the networking ports and a low power, passively cooled AMD CPU.
While it draws very tiny power it can deliver decent performance for home or small businesses and even in the data centre. At the same time it gives you much more trustability as OPNsense is Open Source and because it uses Coreboot. The price point seems a bit high at first glance but as it is high quality Firewall hardware I consider it worth the price.
If you need greater performance I suggest you take a look at the DEC(2)700 [16] series that offer faster CPUs and 2 times 10G SFP+ ports. It will raise the prize a little bit but considering the power consumption is nearly the same it seems to be the better deal. For High End Performance Firewalls Deciso offers the DEC(3)800 AMD Epyc based series Firewalls. [17] [18] [19] [20] [21]