Homelabbers rejoice! In this review we are welcoming the Protectli 6 Port Vault to the home security hardware market. We have been in the market for something like this for a few months and while researching several products we stumbled across a CPU requirement for pfSense version 2.5. This requires chipsets that support AES-NI and even though pfSense 2.4 isn’t out yet we at Hackmethod always like to future proof as much as possible. For full disclosure, we reached out to Brent at Protecli and asked when/if they would have hardware to support the AES-NI requirement. We were informed that they were working on a new line of products due for release in a few months and wanted to know if we would like to get our hands on one for review. That lands us here today with Protecli graciously providing the Hackmethod team with some hardware to test out. Thanks Brent!
Brent sent two barebone devices which are both identical with the exception of chipset. One Kaby Lake Intel i3 7100U and one Intel Kaby Lake 3865U. All other specs listed below are the same across both devices. For the purposes of this review we’ll be focusing only on the i3 box.
- 2x SODIM DDR4 1866/2133 MHz，Max: 32 GB
- 6x Intel 82583V 1000M LAN, support for Wake On LAN
- 4x USB 3.0
- 1x HDMI (No Sound)
- 1x RJ45 COM (cable included)
- 1x MINI SATA
- 1x SATA
- 1x CPU Fan HeaderQ
For hardware, we installed a 500GB 5200RPM 2.5″ SATA hard drive laying around. Of a note, an mSATA is the preferable option due to the performance boost but also because of the heat that a spinning disk creates as well. We switched from spinning disk to a KingSpec 64GB mSATA in our production deployment. Brent stated that RAM was important and recommended using Crucial 8GB Single DDR4 2133 Memory and we went with his suggestion. We weren’t planning on getting too crazy with the i3 so we only installed 8GB initially. As you’ll see later we started to need a bit more RAM. We recommend if someone was planning on using this as an ESXi box to go with 16GB of RAM right off the bat.
First Impressions & Overview
We installed ESXi, pfSense and ELK with very little issues and gave pfSense 1GB of RAM and ELK 4GB to start. The real worry we had was how it would do with ELK. Elastic doesn’t really publish a very specific hardware guide and that’s because ELK is so flexible there really is no standard use. From our experience with ELK in production environments we know that ELK is a RAM hog but on a small home network we feel like we can get away with 4GB of RAM to start.
- ESXi running on a USB Flash Drive
- pfSense VM with 1 CPU, 1GB of RAM
- ELK Stack with 1 CPU, 4GB of RAM
- 4 vSwitches (WAN, LAN, WAP, MGMT)
- 3 Physical Ports (WAN, LAN, WAP)
With various network loads and syslog/firewall rules being sent to the ELK stack we really never hit any resource ceilings. Making queries is a little slow going and after this writing we gave ELK another CPU which helped speed things up a bit. ELK is known to bottleneck mostly on Disk I/O and in our case we’re running a 5200 RPM spinning disk dinosaur. If we were running an mSAtA SSD we would see a drastic improvement.
We’re only going to hit some overview things and provide a few notes on this guide. In our experience it’s risky to create these guides because of the rapid change in technologies, and versions. Instead we’re going to focus on the hardware setup and give broad installation steps that we used to get this specific setup working.
- Step 1: Install the hard drive and RAM into your Protectli 7100 i3 Vault.
Step 2: Install ESXi onto your USB drive. ESXi 6.5 does not recognize the ne1000 drivers that the Protecli Vault uses and will show “No Network Adapters” when you try to install it. To fix this create a custom ESXi iso with the drives loaded using the guide on virten.net. Or you can use ESXi 6.0 and have no issues. We like to take the hard way.
Step 3: Map your network. We kept ours pretty simple, you can see our logical network map in the image below. For the sake of testing we do have the ESXi management interface accessible from the LAN but is something that we remove when going into production for the sake of security. The only way to access the ESXi management subnet is through a physical connection. Physically we have three things plugged into the Vault: ISP Modem -> Vault (WAN), LAN Switch -> Vault (LAN), Wireless Access Point (DHCP turned off) -> Vault (OPT 1).
If you wanted to get even more ambitious you could build an IDS monitoring sensor and send that data to the ELK stack. Additionally you could virtualize a Pi-Hole and route your DNS traffic through it. As this is a product review we wanted to highlight the hardware and not the software. We’ll be providing detailed guides in the future.
We would be remiss to discuss what could kind of be the Vault’s competitor; the Netgate SG-4860. We say “kind of a competitor” because the Netgate box is primarily for bare metal pfsense installations with plugins such as Snort, Suricata and OpenVPN. At the cost of $749.00 (with 32 GB of HD flash storage and 8GB of RAM) we prefer the Protectli box for the RAM/HD flexibility and extra processing power.
Overall the Protectli 7100 i3 Vault is a great device to virtualize pfSense in and run a few ancillary virtual machines. I would recommend purchasing with an SSD and 16GB of RAM if you’re looking at running ELK and pfSense. We recommend this to anyone wanting to run a home security stack that is COMPLETELY silent and has relatively low power draw. A barebones price of $519.00 from the Protectli website at first glance is a little heavy, especially when you consider the RAM and HD cost if you compared it to a larger server solution such as an R710. For us, the small form factor and fanless design make it perfect to put in an office, closet or event mounted in an access panel.