How To Pick The Best And Low Powered Hardware For PfSense


We always want the best in everything: the best CPU, the best graphics card, the best hard drive. Unfortunately, once we sink into the world of hardware, we quickly discover that there are so many components, with so many variables that to find “the best”, we have to spend weeks in research.

Even then, there is always something “better”.

When choosing hardware for PfSense, we have to ask ourselves one fundamental question: what do I want to do with it? Answer this question, and you will have most of your queries sorted.

I do another step by using a method that helped me and the others establish what I need in hardware terms and why.

We usually have two major issues with purchasing hardware: price for our bits and how much they will take off the wall (we all want low powered devices, do we?). On the other note: don’t get too excited about TDP values. Usually, it’s not what you think.

I will do a bit more: calculate the overall first-year cost and total cost in incoming years, with 5-years increments.



Because of so many variables, we have to put everything under a common denominator. For most of us, it will be money. How much we have to spend to get what we want (at least for what we think we need).

What we should take into consideration is not what we pay now, but how much we pay in total over let say 1st year of ownership, and how much will cost me to run over five years (the usual length of ownership for PCs)?

Why? You can have the latest low powered CPU and board for £500, and it will very low powered device, running 10W on idle, but you have paid £500! Or you can repurpose older PC you had for years, but it’s having 80W idling.

My Lenovo S30 with CPU Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz, 128GB ECC RAM and 4 HDDs is idling at around that value.

Now, let us get to standard values I mentioned previously: in the UK where I am, I pay 15.79 pence per 1 kWh. Both PCs will run for 24h per day per 365 days in a year. It is the base for us, and it’s the router, it will have to run for 24h whether you like it or not.

 Low Powered PCRepurposed PC
Initial Price:£500£0
Typical idle:10W80W
Cost of running 24h3.79p30.32p
Cost of running 365 days£13.84£110.67
1st Year Cost (Initial price+1 year running)£513.84£110.67
5 Years Running Cost£569.20£553.35

So, as you can see: even after five years, you are still in front of your money. Moral of this part of the story? If you have a spare PC from a SandyBridge or later era, use it, don’t buy new components.

The other thing about my juicy Lenovo S30: this is a fully-fledged server, I have Proxmox virtual environment installed with PfSense and a few different servers. I don’t need another machine if I want to create something new.

I would not be able to do it on the 10W CPU with 4-8GB of RAM. Most of the time, it will be one purpose build. In my case, by virtualising all other PCs, I saved money in the long run.


When asking yourself about what CPU to use with PfSense, you have to lower to another standardised value. It’s not what CPU you need to use. It’s what CPU power it has, to do what you want it to do.

You have different CPUs, different manufactures, clocks, features. Easy to get lost, but. For me, it is a straightforward solution: all you need is the CPU computing power, not make or model. Guess, who is the most qualified to tell you that?

CPU Passmark. It will give the two most important measures: single-core and multi-core tests. Most of the features in PfSense are single-threaded, so the number of cores will not replace actual single-core power. Of course, if you have both then happy days.

From Netgate own website, they specify few bits of information like throughput for their several hardware devices and CPUs they use, so let see the typical network based on 1460 bytes packets:

ModelCPUClock (Cores)TCP – 1460BPassmark (single/multi)
SG-1100ARM Cortex A531.2 GHz (2)656 Mbit/sN/A
SG-3100ARMv7 Cortex-A91.6 GHz (2)2.44 Gbit/sN/A
SG-5100Intel Atom C35582.2 GHz (4)3.65 Gbit/s876 /   2539
XG-1537Intel Xeon-DE D-15371.7 GHz (8)14.48 Gbit/s940 /   8445
XG-1541Intel Xeon-DE D-15412.1 GHz (8)14.63 Gbit/s1372 / 10929

I will add a few more CPUs onto the list with their CPU benchmarks:

CPUClock (Cores)Passmark (single/multi)
Xeon E3-1220L V31.1 GHz (2)785 /   1429
Core i3-4130T2.9 GHz (2)1648 /   2849
Xeon e5-26433.3 GHz (4)1653 /   5700
Celeron J19002.0 GHz (4)614 /   1110
Celeron N31501.6 GHz (4)562 /   1182
Xeon E3-1265L2.5 GHz (2)1649 /   4869
Xeon E5-26233.0 GHz (4)1890 /   6674
AMD 3000G3.5 GHz (2)2076 /   4618

As you can see from hose tables, for the device to work as a simple router, you don’t need much. It can work on nearly any CPU. The trouble starts when you add additional functionality.

If you want to add VPN, you have to either have AES-NI enabled CPU (all CPUs for the last five years should have them) or speedy one to keep up with the network. Again, high frequency is more important than core-count. The encryption used by VPN (usually based on OpenSSL), will use hardware acceleration if present on the system.

I’ve used my old E3-1220L V3 @ 1.1GHz (and 1.5GHz turbo) as a benchmark base for me. It struggled with Anti Virus Clam-AV, as soon as it tried to scan bigger files, it just chocked up. No VPN used at all, but I had Snort and Squid running.

The next upgrade was i3-4130T @ 2.9GHz (no turbo). Same set up as previously. Not even slightest slow down, but no VPN to use as yet.

OpenSSL: speed test with AES-256-CBC – AES-NI on/off, which will be more accurate with the VPN usage.

openssl speed -evp AES-256-CBC ; with AES-NI
openssl speed AES-256-CBC      ; without AES-NI

The OpenSSL test is done on the 8192 blocks, with AES-NI on and off.

CPUClockPassmark single coreOpenSSL
AES-NI off
Manufactured Year
Xeon e5-26433.3 GHz1650492817.07k153974.10kQ2 2012
Xeon e3-1265L2.5 GHz164929080158.21k NAQ2 2012
Core i3-4130T2.9 GHz1648467648.55k 90944.65kQ1 2013
Celeron J19002.0 GHz614NA 28806.25kQ1 2014
Xeon E5-26233.0 GHz1890544980.99k 107216.90kQ1 2015
Celeron N31501.6 GHz562203194.03k 76390.40kQ2 2015
Atom C25582.4 GHz55124345837.57k NAQ2 2015
Atom C23581.7 GHz44814241549.52kNAQ2 2016
AMD 53702.2 GHz73318390712.32k NAQ2 2016
AMD 3000G3.5 GHz2076101515438.76k 242988.05kQ4 2019
I think this will give you definite answer

As you can see, for primarily as a router only, you can use nearly any low cost, low powered Intel’s Atom or AMD’s APU series CPUs, but soon as you step up with your additions, it will need more oomph.

Doing the research, I’ve found one common thing, especially on the AMD side: newer CPUs (even the cheapest ones), have a massive increase in speed for AES-NI hardware encryption.

Look at my older Xeon E5-2643 V1 @ 3.3GHz, in the OpenSSL speed test vs AMD Athlon 5370 @ 2.2 GHz, but with 3.5 times faster encryption at half of the clock speed and a lot lower power consumption.


CPU. AMD’s newer CPU, the Athlon 3000G is looking very attractive, and this is from two different points.

Firstly, the single-core PassMark score of 2076 points, and for a dual-core CPU, this is amazing. Secondly, the low powered idle at around 26W, make this one looking good long term investment with its AM4 board with plenty of upgrades capabilities.

COOLER. I’ve tried a few before, and for low powered CPU, there is not much difference. As long as it will fit in the case, and it’s quiet, I’m happy. The Noctua NH-L9a AM4, low profile is an excellent choice. Don’t get distracted about CPU temps going up to 70 degrees centigrade; it will be fine. If it goes above, reducing CPU max clock speed (reducing overall TDP this way), will help you, but with Athlon 3000G, this shouldn’t be a problem. If you want to get bigger brother, the Noctua NH-L9x65, 65mm Premium Low-Profile CPU Cooler for a little bit more.

MOTHERBOARD: The choice here is ASRock Mini-ITX Motherboard – AB350 GAMING-ITX/AC. Why? It’s one of the cheapest, it can use ECC, it has Intel NIC onboard. Perfect for the job.

CASE. I prefer the small Antec ISK-300 with external power brick (it’s more efficient, but not that far). It has space for low profile PCIe card and 2x 2.5” HDD/SSD. Perfect for a small router. Unfortunately, they are not very common these days, so you can look up on flee-bay, to spot one for cheap.

MEMORY. I will add the third one, not that important, but if you are like me, then you will want full ECC memory protection, as it will be 24/7/365 days a year working device. It’s not a gaming rig, and it needs to be safe than sorry.

Unfortunately, ECC memory is not available on this CPU. Still, the motherboard like ASRock Mini-ITX Motherboard – AB350 GAMING-ITX/AC, does have this feature available if you are running PRO versions of Ryzen.

Having this in mind, when purchasing the DDR4 memory, try to get the ECC version. It’s not much more then NON-ECC version, but then you do not have to replace it later, just add more if you want to. It will work just fine with NON-ECC CPUs. The ECC  will not be activated.

BTW, 8GB is more than enough for 99% of us running all sorts of configurations.

STORAGE. To run PfSense from HDD is advisable, but you can mitigate a few troubles by moving to a good SSDs. Best to set it up in the ZFS mirror, and PfSense installation will ask you when to set it up.

Cheap, but good SSDs are from Crucial BX500 series. Low powered, resistant, with excellent speeds in reading and writing. Also, quite inexpensive. Don’t buy big sizes, as you will not utilise it most of the time. 120/240GB is more than enough. Instead of one 240GB get two 120GB. Safeguarding, remember?

You can use HDD or SSHD like Seagate Firecuda, just remember about head parking issue (and how to fix that in this article).

The main difference you feel is when you download a large file with proxy caching, with high-speed internet access. It may take a longer time to write this file to slow HDD than it would on SSD itself.

NIC. I would give you just one option: Intel NIC. They are worth every penny, seriously. With the Antec case, you can install Intel Pro 1000 VT/ET or I-340/350, with 2/4 Ethernet ports, more than you will ever need. Realtek is OK…ish, but there are many reports that they are not as fast as Intel’s, and if there is more traffic to manage, they like to hang.


There are a few different schools, but as I mentioned earlier: It All Depends!

If you have something laying around, use it. If not, then the setup I’ve given to you will accomplish both needs: low power consumption, but also headroom, if your needs grow. Also, it can provide you with ECC option, if that bothers you too much.

Just remember, the lowest ECC compatible AMD CPU is AMD Ryzen 3 PRO 2200G/GE, for three times more money than Athlon 3000G, but ten times more computing power and ECC.

Ultimately, the choice is yours. This set up is my next job, with an upgrade to the PRO version, as soon as I get my hands on one. I will do some more testing, as I go along. Why not Intel CPUs? Yes, you can, but: low powered options are costly. To utilise ECC, you have to have a server board, again expensive. All low powered CPUs included with the boards are only with PCIe x1-x4 (if you are lucky).
Is it worth the hustle? Naaah.

Below is a compilation of hardware from Amazon UK, they will send Worldwide like with anything Amazon. By using our affiliate account, we will get a small percentage, and You will help us maintain the blog.
Remember, Every Little Help Counts.

ECC Memory For A Bigger CPU

You may also like...