Buyer's Guide
Finding the right hardware that fits your needs is one of the most commonly asked questions we get. There are several models of the Protectli Vault which can be easily differentiated by number of ports, CPU and price. In addition, all Vaults can be customized for RAM and storage.
This buyer’s guide will examine the variables of network design, traffic, performance and Vault configurations to serve as a general guide to select the proper Vault.
One of the main variables is the Operating System (OS) and application that is installed on the Vault. In the coming sections we will use pfSense® CE configured as a firewall and router as the baseline configuration. Where applicable, we will reference differences in performance to a Vault running a hypervisor such as VMWare ESXi or a desktop OS such as Ubuntu.
Overview: What to consider before buying
1. Application
The most important consideration for choosing your hardware is what application it will be used for. The Protectli Vault can be used in a number of different applications. Customers have deployed Vaults as Windows Clients, Linux Desktops and Servers, Hypervisors, and of course firewalls.
Thinking about the requirements for your use case will help to narrow your choice when it comes to picking your Vault.
Our recommendation: Simple client machines will work great on our smaller 2-port Vaults, while you may want to consider a 4-port or 6-port for firewall or hypervisor applications.
2. Ports
The number of ethernet ports you need depends on your application. Firewalls can be configured on as little as a two physical ports, but for simplicity and throughput, consider that you may want multiple physical ports to segment traffic for multiple networks (i.e. a ‘secure’ network, an ‘IoT’ network, a ‘guest’ network, etc).
For hypervisor applications, consider that a physical port can be ‘passed through’ to an individual virtual machine so multiple virtual machines may need more physical ports.
The Vault is currently available in 2-Port, 4-Port, and 6-Port variations. In addition, some models have 2.5G or 10G Ethernet ports.
Our recommendation: It is smart to think about future-proofing your Vault from the start, so consider a model with more Ethernet ports and 2.5G or 10G NICs to stay flexible if your needs change.
2-Port Vault
4-Port Vault
6-Port Vault
Note: Every Vault supports virtual LAN networking (802.1q) as long as the software installed also supports the use of VLANs. Every Vault’s network ports are PCIe connected to the CPU.
3. Memory
For firewall applications, the number of connections, commonly called a “state,” refers to the TCP/IP connections between clients that traverse network segments. As an example, if a user has a PC and browses out to the Internet, there will typically be multiple “connections” between the browser and the web site. It is not unusual to have 20 or more connections just from a single visit to a web site due to various content, advertisements, etc. On a firewall, each connection has two “states”. One for entering the firewall through the WAN port and one for exiting the WAN port. More states and therefore more clients will require more memory. As per OPNsense documentation:
…each state table entry requires about 1 kB (kilobytes) of RAM. The average state table, filled with 1000 entries will occupy about ~1 MB (megabytes)…
For hypervisor applications, memory comes at a premium as memory generally needs to be statically allocated to each Virtual Machine (VM) It usually cannot be shared between multiple VM’s like CPU resources can. Memory needs are going to be dictated by the type of VM’s that you are running.
Our recommendation: Many common home or small business firewall applications only require 4GB of RAM, although 8GB is the most popular configuration. If you expect a larger amount of connections, or in depth packet inspection, configure more RAM for your Vault accordingly. For hypervisor applications, consider a Vault that has 2 memory slots, like our 6-Port devices.
4. Storage
Most firewall applications require little storage space. OPNsense and pfSense® easily fit on drives as small as 32 GB, but 120 GB is the most popular. More storage is only needed for intensive logging.
Hypervisor applications will typically require more storage than a firewall application. This will depend on which hypervisor is used (and whether thin provisioning is supported), as well as how many virtual machines are implemented and for what purpose.
Linux Desktop and Server applications typically require more storage than firewalls, but the amount is highly dependent on the actual use cases.
Our recommendation: We typically recommend a 120GB drive for most firewall applications and from 500GB to 1TB or more for hypervisor applications. Note that for hypervisor applications, the VP4600 Series supports the simultaneous use of both a NVMe/SATA and 2.5″ SATA drive for high data storage use. Also consider the VP6600 series with 10G SFP+ NICs for hypervisors.
5. Throughput Requirements
Every Vault’s Ethernet ports are PCIe connected to the CPU and can run at linerate of either 1 Gbps, 2.5 Gbps or 10 Gbps.
FIREWALL
As a firewall, every Vault has tested at full wire speed between ports using iperf as a synthetic load. As such, for basic routing applications any Vault is capable of gigabit throughput. However, in most firewall application, additional services will be turned on that consume CPU and thus may reduce throughput. These include modest services such as DHCP and DNS or heavy CPU users such as Deep Packet Inspection (DPI). A key consideration is Virtual Private Networking (VPN) support. VPN requires processor intensive encryption.
Our recommendation: With a modest throughput of up to ~300 Mbps, you can run many firewall applications in ‘basic’ routing and firewall mode on any of our 2-Port or 4-Port port models. With increased throughput (especially gigabit service) or if implementing VPN, DPI, IPS/IDS, SNORT, Sensei, or other firewall add-ons, we recommend a Vault with a performant CPU such as the VP4600 or VP6600.
HYPERVISOR
For hypervisor applications, the Vault’s multiple gigabit ports are ideal for dedicated physical connections passed through to individual VM’s.
Our recommendation: In most circumstances, using a Vault as a hypervisor means that the user will want to run multiple operating systems, requiring CPU, memory, and network connections. As such, we recommend the 6-Port Units.
6. Security
Security is an important consideration for any network or compute appliance. coreboot is available as an open source BIOS on all the Vaults. In addition, the Vault Pro (VP) series have additional security features.
Our recommendation: If security is important, we recommend coreboot in general and the advanced security features available on the Vault Pro Series.
7. Workload and Hardware Requirements by OS
The OS you choose to run can greatly affect the performance requirements of the Vault. Some customers use the Vault to run a basic firewall, while others use it as a hypervisor, desktop, or SD-WAN. Therefore, hardware requirements vary widely. Here are a few examples of usage that typically require a stronger CPU.
- Routing all network traffic through a VPN requires higher CPU clock speeds, especially at higher throughput. Click here for more performance results.
- Running add-on packages like pfBlocker (pfSense®), SNORT (pfSense®), or Sensei (OPNsense)
- Using the Vault to run a hypervisor, and/or having other software running on the same device.
Here are hardware recommendations for common OS’s:
Recommended
Component | Recommended Value |
---|---|
Processor | 1.5 GHz multi core cpu |
RAM | 8GB |
Storage Space | 120GB SSD |
You can find more information on the official pages:
Component | Recommended Value |
---|---|
1-50 Users | 1 core, 2GB RAM, 10GB Storage |
51-100 Users | 2 core, 4GB RAM, 40GB Storage |
101-150 Users | 4 cores, 8GB RAM, 80GB Storage |
151-500 Users | 4+ cores, 16GB RAM, 160GB Storage |
501-1500 Users | 4+ cores, 16GB RAM, 250GB Storage |
1500+ Users | 6+ cores, 32GB RAM, 500GB Storage |
You can find more information on the official pages:
All Protectli Vaults can be configured to meet the recommended requirements and run Sophos.
You can find more information on the official pages:
Component | Recommended Value |
---|---|
Processor | Intel i3 (VP4630) / Intel i5 (VP4650) / Intel i7 (VP4670) |
RAM | 16GB RAM |
Storage Space | 240GB |
To run ESXi on the Vault, we recommend going with the VP4600 or the VP6600 series.
You can find more information on the official pages:
Component | Recommended Value |
---|---|
Processor | 2 GHz dual core |
RAM | 8GB RAM |
Storage Space | 120GB |
All Protectli Vaults can be configured to meet the recommended requirements for Ubuntu. Note the additional disk space that is needed for Ubuntu.
You can find more information on the official pages:
General Guidelines for Picking the Right Vault
In addition to the variables above, you can use the guidelines below and view the key differences between the models of the Vault. They are not definitive for any specific situation, but should help users to make a good selection. Please also consider our Product Comparison for an easy way to see how the Vaults stack up.
2 PORT
FW2B: Small, compact & featuring AES-NI, HDMI, console, additional USB ports, and more.
V1210: Intel N5101 Quad-Core with 4GB RAM & 32GB eMMC on-board with 2.5G ports and NVMe support.
4 PORT
FW4B: Features a compact design and HDMI ports. The FW4B with 8G memory and 120G storage is the most popular unit and configuration.
FW4C: Features a compact design and HDMI ports. Similar to the FW4B but with 2.5G ports.
V1410: Intel N5101 Quad-Core with 8GB RAM & 32GB eMMC on-board with 2.5G ports and NVMe support.
VP2410: Powerful 4-Port Vault with up to 16GB DDR RAM, a strong CPU (Intel J4125) and the inclusion of M.2.
VP2420: More powerful CPU (Intel J6412) than VP2410 and has 2.5G ports.
6 PORT
FW6A: Best for more complex networks. 6 Ethernet ports for more physical network segments and additional AES-NI power for more VPN performance.
FW6Br2: Same as FW6A but with more CPU power for more rules, packages, VPNs, VLANs, etc. Successor to the previous gen model FW6B.
FW6D: Updated Intel 8th Generation CPU (i5) and new network interfaces. Slightly larger chassis to accommodate the more powerful CPU.
FW6E: Same as FW6D but with an Intel i7-8550U Quad Core CPU with Hyper-threading.
VP4630: Intel 10th Generation CPU (i3-10110U) with 2.5G ports, M.2 NVMe/SATA. Larger chassis to accommodate the more powerful CPU.
VP4650: Intel 10th Generation CPU (i5-10210U) with 2.5G ports, M.2 NVMe/SATA. Same form factor as the VP4630.
VP4670: Intel 10th Generation CPU (i7-10810U) with 2.5G ports, M.2 NVMe/SATA. Same form factor as the VP4630.
VP6630: Intel 12th Generation CPU (i3-1215U) with 2x 10G SFP+ ports, DDR5 RAM and M.2 NVMe/SATA.
VP6650: Intel 12th Generation CPU (i5-1235U) with 2x 10G SFP+ ports, DDR5 RAM and M.2 NVMe/SATA.
VP6670: Intel 12th Generation CPU (i7-1255U) with 2x 10G SFP+ ports, DDR5 RAM and M.2 NVMe/SATA.
General Guidelines for Picking the Right Vault
In addition to the variables above, you can use the guidelines below and view the key differences between the models of the Vault. They are not definitive for any specific situation, but should help users to make a good selection. Please also consider our Product Comparison for an easy way to see how the Vaults stack up.
2 PORT
FW2B: Small, compact & featuring AES-NI, HDMI, console, additional USB ports, and more.
V1210: Intel N5101 Quad-Core with 4GB RAM & 32GB eMMC on-board with 2.5G ports and NVMe support.
4 PORT
FW4B: Features a compact design and HDMI ports. The FW4B with 8G memory and 120G storage is the most popular unit and configuration.
FW4C: Features a compact design and HDMI ports. Similar to the FW4B but with 2.5G ports.
V1410: Intel N5101 Quad-Core with 8GB RAM & 32GB eMMC on-board with 2.5G ports and NVMe support.
VP2410: Powerful 4-Port Vault with up to 16GB DDR RAM, a strong CPU (Intel J4125) and the inclusion of M.2.
VP2420: More powerful CPU (Intel J6412) than VP2410 and has 2.5G ports.
6 PORT
FW6A: Best for more complex networks. 6 Ethernet ports for more physical network segments and additional AES-NI power for more VPN performance.
FW6Br2: Same as FW6A but with more CPU power for more rules, packages, VPNs, VLANs, etc. Successor to the previous gen model FW6B.
FW6D: Updated Intel 8th Generation CPU (i5) and new network interfaces. Slightly larger chassis to accommodate the more powerful CPU.
FW6E: Same as FW6D but with an Intel i7-8550U Quad Core CPU with Hyper-threading.
V1610: Intel N6005 Quad-Core with 16GB RAM and 32GB eMMC on-board. 2.5G ports and NVMe support.
VP4630: Intel 10th Generation CPU (i3-10110U) with 2.5G ports, M.2 NVMe/SATA. Larger chassis to accommodate the more powerful CPU.
VP4650: Intel 10th Generation CPU (i5-10210U) with 2.5G ports, M.2 NVMe/SATA. Same form factor as the VP4630.
VP4670: Intel 10th Generation CPU (i7-10810U) with 2.5G ports, M.2 NVMe/SATA. Same form factor as the VP4630.
VP6630: Intel 12th Generation CPU (i3-1215U) with 2x 10G SFP+ ports, DDR5 RAM and M.2 NVMe/SATA.
VP6650: Intel 12th Generation CPU (i5-1235U) with 2x 10G SFP+ ports, DDR5 RAM and M.2 NVMe/SATA.
VP6670: Intel 12th Generation CPU (i7-1255U) with 2x 10G SFP+ ports, DDR5 RAM and M.2 NVMe/SATA.
Congrats, you’ve made it all the way through this guide and you’re still with us!
Still not sure which Vault you want? Feel free to reach out!