Overview
The goal of this project was to build a low-cost, long-term router platform for my homelab and home network. I wanted something that could run pfSense Community Edition, live in a very small footprint, stay power-efficient, and still have enough performance headroom for encryption and future features over the next 10+ years.
My requirements were:
- Run pfSense CE
- Small form factor / mini-PC
- Support multiple 1 Gbps ports (or the option for 10 GbE later)
- Minimal cost while still being reliable, enterprise-adjacent hardware
- Enough CPU for routing, VPN, and firewall workloads without becoming a bottleneck
Hardware Selection
After looking at various mini-PC and appliance-style options, I landed on a Lenovo M920q Tiny and modded it to act as a dedicated router.
Base unit:
- Lenovo M920q Tiny
- Intel i5-8500T (6 cores / 6 threads)
- 8 GB RAM
- 256 GB NVMe SSD
Cost:
- Lenovo M920q Tiny: $129.99
- PCIe x16 riser for M920q: $11.97
- Expansion riser/back bracket for M920q: $10.79
Total project hardware cost: $152.75
Why This Hardware Works So Well
The i5-8500T is low-power but still very capable:
- 6 cores / 6 threads
- Base clock ~2.1 GHz, turbo up to ~3.5 GHz
- More than enough for routing, firewalling, and VPN encryption in a homelab
- Fully supports pfSense security protocols based on Netgate’s documented CPU requirements
From a longevity standpoint, this platform gives me plenty of headroom for additional services, IDS/IPS, and more complex firewall rules without needing an upgrade anytime soon.
PCIe, NICs, and Throughput Considerations
The M920q exposes a PCIe 3.0 x8 slot via the riser. That does mean:
- It won’t hit the absolute theoretical maximum of a full x16 10 GbE card
- In practice, most homelab use cases don’t notice the difference
Some users report:
- Using an IBM 49Y7952 OCE11102 dual-port 10 GbE NIC
- Getting around 9–9.5 Gbit/s with DAC cables in this chassis
- Even if you “only” see 7–8 Gbit/s, it’s still more than enough for most home links
In my build:
- I’m using a 4-port 1 Gbit/s NIC
- My WAN is 1 Gbit/s, so:
- The router is not the bottleneck
- Anything above 1 Gbit/s on the WAN side brings no benefit today
This gives me multiple physical interfaces to cleanly separate VLANs and segments while staying well within the hardware limits.
Network Design & Use Case
This router sits at the edge of a network that is fully VLAN-aware and segmented. The design goals:
- Separate Homelab, Home, and IoT traffic
- Ensure lab devices can’t directly talk to normal home devices
- Keep IoT gear isolated and limited
- Maintain flexibility for future internal L3 routing or higher-throughput switching
The plan going forward:
- Keep this M920q as the layer-3 / routing / firewall brain
- If I ever need more internal bandwidth (10–20 Gbit/s east-west), I can add a dedicated L3 switch behind it and let the router handle policy and perimeter security.
Outcome
For around $150, I ended up with:
- A compact, quiet, low-power dedicated pfSense router
- Hardware that comfortably supports my current 1 Gbit/s WAN
- Enough CPU and NIC capacity for VLAN segmentation and future security features
- A form factor that’s easy to mount with a small managed switch to create a clean, self-contained network stack
Given the price, size, power usage, and performance, this Lenovo M920q-based router is an ideal fit for my homelab and home network.
Lessons Learned
- Used business-grade tiny PCs are a fantastic value for homelab routing and firewall roles.
- A modest CPU like the i5-8500T easily handles pfSense CE, VPN, and firewall tasks with room to grow.
- PCIe 3.0 x8 is more than enough for real-world homelab 10 GbE scenarios.
- Matching router capabilities to actual WAN speed prevents overspending on hardware that won’t change real-world performance.