Link to the video review: https://youtu.be/853y4ShbpZg
The Dutch company Deciso B.V. offers the very powerful but humble DEC 700 series [1] firewalls in a compact form factor. One special attribute is the very low power consumption of around 15W. This is made possible by the AMD Ryzen Embedded v1000 series, which delivers not only astonishing performance but also versatility. Two SFP+ ports for 10G interfacing are unheard of in this sector.
As a networking guy, my heart skips a beat when reading the data sheet. This review will show whether my expectations can be fulfilled. This article will focus on the DEC740 model [2].
Deciso also offers the DEC 800 series, which consumes double the power but also doubles the CPU performance [3]. All devices offer dual SFP+ 10G Ethernet.
The enclosure is of high quality and completely made of metal. The form factor is really small at 31mm x 190mm x 160mm (Height x Width x Depth). Compared to a PC-Engines APU it's roughly 18% added volume, so still quite small. Sadly, the salmon coloured part of the case is not very scratch resistant. The underlying silver color then becomes visible.
The top part of the case is finished in anthracite, which is a nice contrast to the more colourful part. On the front, a bright blue LED shows when the device is running. The grey part of the case is also the radiator for the SoC. You won't hear a thing from the appliance because it has no moving parts whatsoever.
The DEC 700 series has been on sale since the end of 2021 and consists of two models.
Model | DEC 740 | DEC 750 |
---|---|---|
CPU | Ryzen Embedded v1500b | Ryzen Embedded v1500b |
Clock speed | 2,2 GHz | 2,2 GHz |
Cores / Threads | 4/8 | 4/8 |
RAM | 4 GB DDR4 | 8 GB DDR4 |
CPU TDP | 12-25W | 12-25W |
Power consumption (manufacturer's data) | 15 W | 15 W |
SSD | M.2 128 GB | M.2 256 GB |
SFP+ | 2 | 2 |
1000Base-T | 3 | 3 |
price (net) | 699 € | 799 € |
The only differences between the two models are the installed RAM and SSD modules. Apart from that they are identical.
In Passmark the processor hits about 4000 points, which is really good for such a small and passively cooled device [4]. This performance is needed when you want to route line rate 10G or work with Intrusion Detection or VPN.
There are three dedicated 1G copper ports made possible by Intel I210 chips. The 10G ports are realized within the AMD SoC and the axp [5] FreeBSD driver.
There is a USB 3.0 port and a serial interface in mini USB format. What really comes in handy is the fact that the USB to serial adapter is integrated into the device, so all you need is a USB A to mini USB cable.
Deciso calls the mainboard Netboard A10 Gen.3 [6] [7]. It looks like they don't want you to do firmware updates, as they suggest these should be done by authorized personnel only. On the homepage there is a firmware update linked, but only for an older Netboard version. The EFI menu is sometimes a bit sparse. Some entries are greyed out or even empty. This probably won't affect the quality of the firewall though.
As the device is so small, you will mainly find it in SOHO (Small Office / Home Office) environments. Most of those potential customers won't be able to get a 10G internet uplink. That's why it will be a good fit for environments that need to route 10G between subnets. For data centres there is the DEC2750, which has the exact same specs as the DEC750 but comes in a rack mountable enclosure.
With default settings the device will only boot EFI images. You can switch in the EFI menu to also allow legacy BIOS OSes. At first I was not very successful with booting different operating systems, but after some tinkering I booted into Debian as well as Alpine Linux. For Debian I had to enable legacy UART features in: Setup Utility - AMD CBS - FCH Common Options - Uart configuration options:
Uart 0 Enable: Enabled
Uart 0 Legacy Options: COM1 0x3F8
Uart Driver Type: AMD Serial Driver
For OPNsense disable the Legacy Options.
In order to boot, I appended the following kernel command line option in GRUB:
console=ttyS0,115200n8
It looks like INSYDE Corp. [8] developed the EFI software. That's what I can find when running dmidecode. It also reports the device as DEC2700 rather than DEC740, which is somewhat understandable, because the DEC2700 is the same device, just in a 19" rack mountable case. The built-in RAM module is a Very Low Profile (VLP) DDR4 2666 by Transcend [9]. The same manufacturer was chosen for the M.2 SSD [10].
I tried to replace the RAM with a bigger module. At first I got the Kingston ValueRAM 8GB KVR26N19S8L/8, which produced sporadic crashes and reboots. Another try with a Crucial 16GB module (MTA18ADF2G72AZ-3G2R) worked just fine. The Crucial memory has ECC error correction as well. If you plan to try a module, make sure you're using unbuffered / unregistered modules.
I also tried replacing the NVMe SSD, which caused no problems at all. The port runs at PCIe Gen3 x4, meaning 8 GT/s or 4 GB/s.
You cannot open the device without voiding the warranty. There is a little sticker revealing whether the device has been opened. If you still choose to do so, you need to remove four Torx screws on the bottom of the device. By pulling, you can separate the device into two halves. The mainboard in turn is screwed to the heatsink. There are four Phillips screws you need to remove so you can lift the heatsink off. There is of course thermal paste. Make sure there is enough left when reassembling. Consider renewing the paste after some time. For me the paste was super dry after about one year and I replaced it with new thermal paste. I had to scratch it off very gently.
Now you can easily replace the SSD or RAM, which I really like since many manufacturers solder those parts. This way you can replace a broken SSD or RAM module all by yourself once the warranty has expired. I do not suggest opening the device on a regular basis. It might get damaged if you don't watch out. Take your time when putting it back together, otherwise you might damage or scratch it.
OPNsense is of course preinstalled. Upgrading from version 21.1.7 to the more current 21.1.10 worked without any problems. For my tests I reinstalled the community edition because I wanted to have OPNsense 22.1 / FreeBSD 13 on it for my benchmarks.
There are of course some advantages having the business edition [11]. It won't take much time until a FreeBSD 13 based business edition will also be available.
The device is shipped with OPNsense on UFS instead of ZFS. As Deciso told me, they are in the process of migrating to a deployment process based on ZFS. I reinstalled the device with 22.1 Community Edition on ZFS, which I think is more reliable than UFS. New devices will be shipped with ZFS as the default file system, except the DEC675, which runs on integrated microSD.
Since the device is headless, you connect to it via serial, for example with screen /dev/ttyUSB0 115200 [12]. After supplying it with power it takes about 35 seconds to boot up, which I believe is really fast. If you want to boot from USB you need to hit ESC shortly after turning it on. While reinstalling I experienced a bug which Deciso promised to fix. The new installer sometimes doesn't recognize key strokes of the arrow keys. This installer bug has been resolved by Deciso.
Now you can connect to the 1G port with the 0 label via https://192.168.1.1 and enter the default credentials (root/opnsense). You can enter the Business Edition Key in System - Firmware - Settings - Subscription.
On Deciso's website you can read which SFP+ modules were successfully tested [13]. I was successful with different modules from FS.com that were intended for Cisco, Mellanox or HP. 10G BASE-CX1 as well as 10G BASE-SR worked just fine with OPNsense. In OpenWrt the DAC did not work.
I used this setup in order to test routing performance.
Cisco's open source solution TRex version 2.93 was used for these tests [14]. It is a really versatile tool for different benchmarking scenarios.
In the following table you can find my results compared to what Deciso advertises.
Metric | Deciso's value | My value |
---|---|---|
Throughput | 8,5 Gbps | 9,9 Gbps |
Throughput with Threat Protection | 1 Gbps | not tested |
Packets per second PPS | 830k | 1.148k |
Packets per second with Threat Protection | 85.000 | not tested |
Sessions | 3.000.000 | 3.490.000 |
Latency | 150us | average 52 usec |
The 10G ports were set to an MTU of 9000 to test routing performance. These are the exact parameters for the benchmark.
./t-rex-64 -f cap2/imix_9k.yaml -l 1000 -m 20 --hdrh
You can see a very stable rate of about 9,9 Gbps. Power consumption during that period was about 14W.
This is the WebGUI of OPNsense confirming the speed.
In order to get as many packets through the wire as possible, I ran 64 byte sized packets. In the test duration of two minutes there were 275.551.874 packets transferred, which roughly translates to about 1,1 million packets per second.
./t-rex-64 -f cap2/imix_64_100k.yaml -c8 -m 200 -d 120 -l 10
There are different VPN protocols available in OPNsense for Site-to-Site or Roadwarrior setups. They vary greatly in performance as well as ease of use and robustness. For WireGuard there is an implementation in Go that runs in userspace [15]. In contrast to Linux, which has a kernel implementation, it lacks speed [16]. OpenVPN had long been the standard, but it cannot compete with today's solutions. This is what the setup looks like.
For the benchmark I used iperf3 with the following parameters.
Server:
iperf3 -s
Client:
iperf3 -P 20 -t 60 -c 192.168.1.101
The results may vary in your environment because they were measured under ideal conditions. There are only a few Allow All filter rules, yet those benchmarks show that pf is quite stable when the number of rules gets bigger. [17] For all tests Intrusion Detection was deactivated. [18]
In their data sheets Deciso promises to deliver up to 1,2 GBit/s IPsec throughput. [Deciso DEC740 data sheet]. My results delivered even better performance of 1,6 to 2,0 Gbit/s. The average was about 1,8 Gbit/s.
As expected, WireGuard was not able to beat those IPsec scores. In the benchmark the throughput went as high as 800 Mbit/s. As WireGuard is extremely easy to set up, it might still be an alternative for certain scenarios. I'm really looking forward to the FreeBSD kernel implementation of WireGuard, which will deliver much better numbers.
Deciso's technical specifications advertise around 15W of power consumption, which is really low for such a powerful device. AMD's specs give a TDP [19] of 12-25 W, which tells how much heat needs to be dissipated by the cooling system. I measured the actual power consumption of the device in different workload situations. For that purpose I used the Voltcraft Energy Monitor 3000 [20].
These are the results.
Workload | Power consumption in Watt |
---|---|
Boot process | 8-14W |
Idle | 8W |
Idle with both SFP+ modules connected | 9,3W |
Routing Benchmark | 12,7 - 13,4W |
IPsec Benchmark | 16,4W |
Wireguard Benchmark | 17,1W |
As the case itself is the heatspreader, it becomes warm but never hot. The low power consumption of the DEC firewall is really a highlight. As most firewalls run 24/7, it really lowers the total cost of ownership. In Germany the price of electrical power is rising constantly, so it becomes more and more important to consider when buying a firewall.
During testing and benchmarking of the firewall, a few obstacles arose. Deciso was always able to help in a prompt manner. If you plan to run such a device in a production environment, a support plan will be helpful [21]. There are also some FAQ articles that turned out to be helpful [22] [23].
There are plenty of firewall appliances available that are very good for open source solutions like OPNsense, pfSense or OpenWrt. To my knowledge there are no other devices that combine the attributes of the DEC 700 series. I find that Deciso's firewall appliances are formidable devices that have a perfect combination of performance, power consumption and form factor at a very reasonable price. Especially in offices they really shine, as they have a beautiful design, are absolutely silent and perform incredibly.
FreeBSD AMD SoC 10G driver commits (AMD EPYC integrated NIC)