Modding a Chromebox Into a pfSense Router

Zarathustra[H]

Hey all,

Thought I'd start talking about a little project I'm working on.

I've been using a little Asus Chromebox hacked to run Linux as a HTPC with Kodi for a while now, but I really want to start using discrete NVIDIA graphics instead for the prowess of their VDPAU implementation.

This leaves me with a perfect little low power machine, and nothing to do with it.

I also happen to have a Mini-ITX Haswell Core i5-4750T in a total overkill pfSense box. The lightbulb struck a few days ago. What if I could switch them?

The Core i5 with its x16 slot would be great with a 720GT as a HTPC with Nvidia graphics, and the Asus Chromebox with its 2GB of RAM, 16GB SSD and a Haswell Celeron 2955U (Dual core 1.4GHz) is more than capable of keeping up with home router loads at 150/150.


The biggest problem is that the Chromebox doesn't have very good Ethernet (just a single Realtek port, and Atheros Wi-Fi). Firstly, I never use Realtek Ethernet for anything other than low priority client applications. Secondly, with just one Ethernet port, I'm not going to be doing much in the way of routing.


That's when I came across the NISK300LAN Mini-PCIe dual Intel 210-IT Ethernet adapter.


I could just pull the Atheros WLAN card, insert this dual Intel mini-PCIe card and be off to the races!

There are a few issues though:

1.) Many of these mini-PCIe slots are WLAN only. I have no guarantee this will actually work, that the port in this mini-computer is able to detect and use the Ethernet ports when connected, and that it is able to provide enough power. (Tech specs I can find suggest that i210 chips use 0.81W each, but I have no idea how much power the Atheros WLAN card I am removing used.)

2.) There isn't much space to fit the extra ports. At first my plan was sawing a hole for it in the side of the Chromebox, and just tightening the bracket over the hole, but after some checking of dimensions I don't think it will fit. (see the insides of the Asus Chromebox here)


As far as the space issues go, I figure I can just take the bottom lid off the case, and design my own box for the bottom, 3D print it, and then install the dual LAN adapter back into it, and tighten it back on. Piece of cake.

The "will it actually work, be stable and be detected" issue is my only concern here. I've got my fingers crossed. If it works this could be a great low power, cheap and very capable pfSense router.

In its current duty the Chromebox uses about 5-6W at idle, as measured at the wall with my trusty Kill-A-Watt. I've never seen it go above 12W, but I only really use it for video playback.

If you shop around you can find one of these Asus Chromeboxes for ~$150 (or less if you are willing to take a chance on a used one) which is a fantastically low amount of money considering the hardware it comes with. They are very easy to hack into running other OSes. The dual i210 mini-PCIe NIC cost me $159, so a full-fledged Haswell based low power pfSense router for a total of $309 is pretty damned good if you ask me. You are unlikely to match it unless you use existing and old parts, in which case you are going to use much more power.

I'm looking forward to this project. When my mini-PCIe dual NIC arrives I'll do a brief test to make sure it is detected, and then go about taking detailed measurements for my CAD model for 3D printing. I'll keep you guys posted.

I know it is a big risk that the NIC won't work in the Chromebox, but it is one I am willing to take for the awesome potential if it works, and the ability to spread the joy in confirming compatibility so others can do the same. If you google around, lots of people are looking to find a NUC with dual Intel NIC ports for something like this. If this works we've just found one. (it will just take a little hacking)
 
I'd be more worried about the SSD. I've had pfsense kill a 16GB flash drive in under a year.
 
That's interesting. I would not have expected pfSense to be particularly write heavy. Other than some light text based logs, once it is fully booted up, what is it really writing?

Drives are replaceable though. My current pfSense box is booting off of a Sandisk USB stick I picked up for $6. If it fails, I can get another for $6 :p
 
realtek's not THAT bad, and with a smart switch you could do a router on a stick
 
If the slot is wired for pci-e x1 (not just usb) and there is no stupid bios whitelist crap, it will work. Keep in mind the card you linked is a full length, many wifi slots are only half length. Power should be fine ([email protected] + [email protected] or something) I've even seen i350 versions of that card.

If pfsense killed your drive, either the drive was crap (cheap thumbdrives usually are), you had a bizarre/OCD configuration pointlessly spamming the logs (out of the box it won't) or both. I have some routers with ssds for years now, their wear level is nonexistent.

Realtek is garbage, especially combined with doing the awful practice of single-porting your router and depending on vlans. It's 2016, people need to stop doing that crap.
 
yet somehow i don't think either would negatively impact this guy's connection in any appreciable way
 
It would probably be possible to do the VLAN thing. It would eat up an extra port on my switch, which I'd rather not do, might add extra latencies, and I'm not sure how reliable it would be, but from a raw bandwidth perspective a gigabit adapter should be able to handle it.

Realtek Ethernet - however - I just don't trust at all. I have seen them randomly drop out for no apparent reason needing frequent restarts, getting flaky latencies, packet loss, etc. etc. I - for one - wish Realtek would just drop out of the Ethernet market altogether so motherboard manufacturers would drive to penny pinch and integrate their garbage on their boards. I go out of my way to shop for motherboards with integrated Intel chips, and if that isn't possible, I usually pop an old spare Intel 82571 based adapter in there to avoid having to use them.

If the slot is wired for pci-e x1 (not just usb) and there is no stupid bios whitelist crap, it will work. Keep in mind the card you linked is a full length, many wifi slots are only half length. Power should be fine ([email protected] + [email protected] or something) I've even seen i350 versions of that card.

If pfsense killed your drive, either the drive was crap (cheap thumbdrives usually are), you had a bizarre/OCD configuration pointlessly spamming the logs (out of the box it won't) or both. I have some routers with ssds for years now, their wear level is nonexistent.

Realtek is garbage, especially combined with doing the awful practice of single-porting your router and depending on vlans. It's 2016, people need to stop doing that crap.

Yeah, I figured that was the case, but people have had mixed results trying to use the mini-pci slots in the past, so we'll see what happens.

I know for sure that the slot has PCIe because that's how the current Atheros chip is connected:
Code:
$ sudo lspci -vvvs 02:00
[sudo] password for htpc:
02:00.0 Network controller: Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
    Subsystem: AzureWave Device 2110
    Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
    Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
    Latency: 0, Cache Line Size: 64 bytes
    Interrupt: pin A routed to IRQ 19
    Region 0: Memory at e0600000 (64-bit, non-prefetchable) [size=512K]
    Expansion ROM at e0680000 [disabled] [size=64K]
    Capabilities: [40] Power Management version 3
        Flags: PMEClk- DSI- D1+ D2- AuxCurrent=375mA PME(D0+,D1+,D2-,D3hot+,D3cold-)
        Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
    Capabilities: [50] MSI: Enable- Count=1/4 Maskable+ 64bit+
        Address: 0000000000000000  Data: 0000
        Masking: 00000000  Pending: 00000000
    Capabilities: [70] Express (v2) Endpoint, MSI 00
        DevCap:    MaxPayload 128 bytes, PhantFunc 0, Latency L0s unlimited, L1 <64us
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset-
        DevCtl:    Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
            RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
            MaxPayload 128 bytes, MaxReadReq 512 bytes
        DevSta:    CorrErr+ UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
        LnkCap:    Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <4us, L1 <64us
            ClockPM- Surprise- LLActRep- BwNot-
        LnkCtl:    ASPM L0s L1 Enabled; RCB 64 bytes Disabled- CommClk+
            ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
        LnkSta:    Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
        DevCap2: Completion Timeout: Not Supported, TimeoutDis+, LTR-, OBFF Not Supported
        DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled
        LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
            Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
            Compliance De-emphasis: -6dB
        LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete-, EqualizationPhase1-
            EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
    Capabilities: [100 v1] Advanced Error Reporting
        UESta:    DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
        UEMsk:    DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
        UESvrt:    DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
        CESta:    RxErr+ BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
        CEMsk:    RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
        AERCap:    First Error Pointer: 00, GenCap- CGenEn- ChkCap- ChkEn-
    Capabilities: [140 v1] Virtual Channel
        Caps:    LPEVC=0 RefClk=100ns PATEntryBits=1
        Arb:    Fixed- WRR32- WRR64- WRR128-
        Ctrl:    ArbSelect=Fixed
        Status:    InProgress-
        VC0:    Caps:    PATOffset=00 MaxTimeSlots=1 RejSnoopTrans-
            Arb:    Fixed- WRR32- WRR64- WRR128- TWRR128- WRR256-
            Ctrl:    Enable+ ID=0 ArbSelect=Fixed TC/VC=ff
            Status:    NegoPending- InProgress-
    Capabilities: [160 v1] Device Serial Number 00-00-00-00-00-00-00-00
    Kernel driver in use: ath9k

I'm slightly concerned because it says that the Atheros card is PCIe v2, but it's only connected at v1 speeds (2.5GT/s), but this might just be because it is in power save mode, as I'm not using it.

For full bandwidth on the dual i210 adapter, I'll need v2 speeds. Due to Ethernet overhead, I have read that a single lane of PCIe v1 will only give me about 1.4Gbit. That should be more than enough for my 150/150 Mbit connection, but it would be nice to be future proof to gigabit speeds :p

Man i350 would have been nice! This is the only Intel based one with two ports I've been able to find.
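
An added example, not part of the original post: a small Python check of the link-speed reasoning above, run over the link-related lines of the lspci output quoted in the post. It compares the device's advertised maximum (LnkCap) with the negotiated link (LnkSta) and estimates payload bandwidth; the function names and the 24-byte per-TLP overhead figure are assumptions made for this sketch.

```python
import re

# Sample input: the link-related lines copied from the lspci output in the post.
SAMPLE = """\
02:00.0 Network controller: Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
    Capabilities: [70] Express (v2) Endpoint, MSI 00
        DevCap:    MaxPayload 128 bytes, PhantFunc 0, Latency L0s unlimited, L1 <64us
        DevCtl:    Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
            MaxPayload 128 bytes, MaxReadReq 512 bytes
        LnkCap:    Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <4us, L1 <64us
        LnkSta:    Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
"""

# In lspci, "Express (v2)" is the version of the PCIe capability structure.
# The link generation is read from the Speed fields: LnkCap is the maximum
# the device advertises, LnkSta is what was actually negotiated.
LINK_RE = re.compile(r"Lnk(Cap|Sta):.*?Speed ([\d.]+)GT/s.*?Width x(\d+)")
MPS_RE = re.compile(r"MaxPayload (\d+) bytes, MaxReadReq")  # active DevCtl value


def parse_link(text):
    """Return {'Cap': (GT/s, lanes), 'Sta': (GT/s, lanes), 'mps': bytes}."""
    link = {kind: (float(speed), int(width))
            for kind, speed, width in LINK_RE.findall(text)}
    m = MPS_RE.search(text)
    link["mps"] = int(m.group(1)) if m else 128  # 128 is the PCIe minimum
    return link


def payload_mbit(speed_gt, width, mps, tlp_overhead=24):
    """Approximate one-direction payload bandwidth in Mbit/s.

    2.5 and 5 GT/s links use 8b/10b line coding, 8 GT/s and up use 128b/130b.
    tlp_overhead (framing, sequence number, header, LCRC) is an assumed
    per-packet cost; ACK and flow-control traffic is ignored.
    """
    encoding = 8 / 10 if speed_gt <= 5.0 else 128 / 130
    raw = speed_gt * 1000 * encoding * width
    return raw * mps / (mps + tlp_overhead)


def assess(text, needed_mbit):
    """Compare negotiated link with device maximum and a bandwidth target."""
    link = parse_link(text)
    cap, sta = link["Cap"], link["Sta"]
    usable = payload_mbit(sta[0], sta[1], link["mps"])
    return {
        "device_max": cap,
        "negotiated": sta,
        "downtrained": sta[0] < cap[0] or sta[1] < cap[1],
        "usable_mbit": round(usable),
        "enough": usable >= needed_mbit,
    }


if __name__ == "__main__":
    # Two gigabit ports at line rate versus the 150/150 connection.
    for target in (2000, 150):
        print(target, assess(SAMPLE, target))
```

On the quoted output the negotiated link equals the card's own advertised maximum, so this reading describes the Atheros card and does not by itself show what the slot would negotiate with a different card.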
 
First, Intel is a much better choice than nVidia for a HTPC. Less power consumption and heat dispatch (less noise) and cheaper. If your Celeron can't handle it an nVidia card won't be any better. That said, I'd highly recommend you to get at least i3 (Haswell or newer) CPU as 10-bit and/or (styled) subtitles can really bog down the render in Kodi. If you go for Haswell (NUC, Gigabyte Brix, HP/Dell/Lenovo/Fujitsu SFF etc) it's going to run just fine.

Just do VLANs as goodcooper suggested, you're just wasting money otherwise tbh.
 
First, Intel is a much better choice than nVidia for a HTPC. Less power consumption and heat dispatch (less noise) and cheaper. If your Celeron can't handle it an nVidia card won't be any better. That said, I'd highly recommend you to get at least i3 (Haswell or newer) CPU as 10-bit and/or (styled) subtitles can really bog down the render in Kodi. If you go for Haswell (NUC, Gigabyte Brix, HP/Dell/Lenovo/Fujitsu SFF etc) it's going to run just fine.

Have you tried using Kodi under Linux with Haswell IGP's?

The Intel VAAPI implementation is shamefully bad, and in order to get it to work well at all, you have to use a combination of alpha and beta Kodi binaries, X-Server components and Intel Linux drivers as described here, and it is not exactly the paragon of stability.

I've got it to MOSTLY work well with my local media library, but playback of live TV MPEG2 streams causes freezing issues, and stuttering as the VAAPI deinterlacing filter doesn't seem to be able to handle things.

Same system, just add a cheap low end Nvidia adapter (like a GT630 or GT720) with Nvidia's binary blob drivers and configured to use VDPAU instead of VAAPI and everything just works, works smoothly and works well.


Just do VLANs as goodcooper suggested, you're just wasting money otherwise tbh.

Nah, I'll pass on that.

Firstly, the one port in the box is Realtek Ethernet. I wouldn't use a Realtek chip to support my NAS or my server NIC, let alone something that's going to affect all of my network traffic. Realtek Ethernet is simply garbage. I'll use the on board chips if they happen to be Realtek (they usually are) for individual clients that don't see heavy network loads, but that's about it.

Other issues would be that I'm slowly running out of ports on my main switch, and I don't want to waste another port for a VLAN setup. You'll also likely see slightly reduced performance, as there are likely to be more packet collisions in a VLAN setup using the same port for WAN and LAN.

Furthermore, I have to admit I am a little bit uncomfortable with exposing my switch to the WAN, even with VLAN's set up. pfSense gets security updates way more often than the firmware on my ProCurve is updated. It might be fine, but it really seems like an unnecessary risk.

The whole routing on a single port using VLAN's just seems way too hack-like for me, and that's coming from someone who is about to literally physically hack a Chromebox :p
 
I haven't tried it on my newer boxes but my Sandy Bridge box works fine running LibreELEC (nightly) apart from a minor audio issue. The devs are also recommending Intel IGPs (newer models) and it seems to work fine in general unless you're going for bleeding edge (your mileage may vary). You can toggle MPEG2 decoding and doing it in software isn't an issue at all.

I think you're making an issue out of something that isn't really an issue and what's been suggested is perfectly fine, it's just your personal opinion that's the real issue.
 
I haven't tried it on my newer boxes but my Sandy Bridge box works fine running LibreELEC (nightly) apart from a minor audio issue. The devs are also recommending Intel IGPs (newer models) and it seems to work fine in general unless you're going for bleeding edge (your mileage may vary). You can toggle MPEG2 decoding and doing it in software isn't an issue at all.

Well - again - I've found that regular media folder type content it can handle OK. There are some issues (like menu flickering, and occasions where the video will lock up for a couple of seconds and you only have audio until it catches up, even when several hundred megs worth of content is cached in RAM) but it mostly works.

Where I find the Haswell IGP completely falls on its face is when using it with the MythTV plugin. Theoretically this ought to be an easier task, as it is just MPEG2 stuff, but it struggles, causing horrendous visual artifacts especially when using deinterlacing, crashing back to the main screen and occasionally crashing the entire X server when using MythTV content.

None of the above happens with Nvidia and VDPAU for me.

Now, I've never tried LibreELEC (never heard of it before this). I did test OpenELEC, but I found it a little limited compared to a regular Kodi install in Linux so I went that route instead. I've tested stable builds on Ubuntu 14.04 as well as the bleeding edge stuff above, and I've actually found that the bleeding edge stuff worked better, presumably due to better VAAPI hardware video decode support, but still beta and alpha stuff is never really stable.

I think you're making an issue out of something that isn't really an issue and what's been suggested is perfectly fine, it's just your personal opinion that's the real issue.

Nah man, this is not one of those "audiophile" things where the difference is barely perceptible. It's borderline unusable in some cases. I've had the Fiance complain and ask why we can't just have regular TV like everyone else, after the Kodi frontend crashed 4 times in a row during the same show...

It seems counter-intuitive that the GPU might be a contributing factor here. A reasonable person would conclude it is a MythTV plugin problem... But then, install a Nvidia GPU and switch to VDPAU, and like magic, everything is perfect, it never crashes, quality is smoother, deinterlacing looks great, no video freezing, etc. etc.

You are not going to convince me that this is just in my head :p
 
Obviously running 14.04 is going to work less than ideal, that's a no-brainer, but you already seem to have all questions figured out or already have your own ideas so I doubt any more input would change anything. That includes the network part too....
 
What I meant was, I've tried it on 14.04 as well as on bleeding edge (so 16.04, and everything in between, 15.04 and 15.10) both with stable builds of everything, and the alpha/beta stuff from that thread I linked above. The experience has always been better on Nvidia hardware, and running on good old stable 14.04 with Nvidia binary blob drivers just works.
 
Your last post on the forum dates from May, but have you been able to test if the mini PCIe slot is okay with a LAN adapter?

Cheers!
 
I too am curious about this

My apologies guys. I thought I had updated the status here, but apparently I forgot.

So I decided to abort this project. I have no doubt it would have worked, but the cost of the mini PCIe dual NIC wound up being more than the cost of an entire system for use with pfSense, so I opted to go that route instead.

I wound up going with a PC Engines APU2C4 as follows:
  • APU2C4 board: $114
  • CASE1D2BLKU Black Enclosure: $9.40
  • AC12VUS2 US AC adapter: $4.10
  • MSATA16D 16GB msata SSD: $16.00
  • Shipping & handling: $29.40
Total: $172.90

The mini-pcie adapter was going to cost over $200, and was going to take several weeks to get here. I had thought that I had actually ordered it at first, but then they got back to me and told me it was going to cost more and take longer to ship, so I changed my mind.
Despite ordering from Europe the APU2C4 got here quickly and cheaply.

It does an admirable job in pfSense, sufficient for ~600Mbit/s according to my tests, so unless Google Fiber plans on coming to my neighborhood any time soon, this will likely be enough :p

Idle in pfSense with “Hiadaptive” power mode, it hovers around 5.8W-6.5W at the wall according to my Kill-A-Watt.
Loading it up with iperf to saturate the interfaces as much as possible (~600Mbit/s) it goes up to 6.5W-7.2W at the wall.

So I am very happy with the power use of this unit.

It was a little tricky to install, as it does not have any monitor outputs. You have to install it using a serial console and a serial null-modem cable, which took some trial and error to get to work, but once up and running, I’m very happy with it.
 
Wish I would've seen that system previously. Significantly cheaper than the Netgate 4860 I bought!
 
That's a slick little setup!

Any chance you've tested VPN performance?

I have not. I intended to, but I've been busy and never got around to it. It does have AES-NI support, so it shouldn't be terrible, but apparently the AES-NI acceleration is not quite as fast as it could be.

From what I've read, since OpenVPN is still single threaded it doesn't take much to max out one of those four weak cores. I've seen 50Mbit/s thrown around as max VPN speed, but it is unclear if they had their settings set up to properly take advantage of AES-NI.

I have seen others that suggest ~100Mbit/s of VPN is possible.
 