• Save 15% on ALL SFF Network merch, until Dec 31st! Use code SFF2024 at checkout. Click here!

Log Lenovo M720Q Tiny router/firewall build with aftermarket 4 port NIC

THUMPer

SFF Lingo Aficionado
Feb 5, 2020
107
58
Part #: 5M10U50350
Description: MECH_ASM PCI BKT I350-T4 QUAD PORTS GEA
Link: https://lenovo.encompass.com/item/12575455/Lenovo/5M10U50350/

I also know of a Redditor who can 3d print the baffle.
Awesome! I went with the superbuy route and bought 2. I'm only using a 2 port card though, so it looks a little weird, but does the job just fine. Thanks for the FRU though. Hopefully my friends will be able to use it.

Can the person that 3d prints do a dual port baffle?
 

wentfrom10gbeto40gbe

What's an ITX?
New User
Sep 30, 2021
1
0
Very NOOB question. So when i click the super buy link, i see the riser and bracket but the item i can add to the cart is a shirt. Lol is that like a thing. Or is the link no longer good?
 

THUMPer

SFF Lingo Aficionado
Feb 5, 2020
107
58
Very NOOB question. So when i click the super buy link, i see the riser and bracket but the item i can add to the cart is a shirt. Lol is that like a thing. Or is the link no longer good?
Plug this link into super buy search - For anyone else wondering.
 

unaimed

What's an ITX?
New User
Oct 22, 2021
1
1
Anyone with the M920q managed to enable AES-NI in BIOS? No options, tried everything. Latest bios installed and I have options of discrete TPM 2.0 or firmware TPM, neither of which allow me to enable AES-NI.
 
  • Like
Reactions: elyot

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
Plug this link into super buy search - For anyone else wondering.
Thanks. I've updated the original post with a link to the riser card, since I can no longer find the riser + baffle in one lot. The baffle link works fine, you'll just have to buy the two separately and hey Superbuy to consolidate it for you.
 
  • Like
Reactions: nerdbit

duotronic

What's an ITX?
New User
Sep 27, 2022
1
3
Greetings all, I promised an update on my work to do an aftermarket conversion of a Lenovo M720Q Tiny to have an extra 4 port NIC - and here it is. I've not been able to find another report on such a build elsewhere, so it's a bit of hyperbole but let's call this a world exclusive. ? You can read the background here.

The purpose is to build a very compact, quiet, power efficient yet powerful router/firewall box with more than two ports on it and all Intel NICs. There are plenty of "pfSense" boxes you can find on Ali Express but I found them underpowered for what I wanted, unweildy in terms of form factor (quite tall for the footprint), and many had Realtek NICs.

For those that don't yet know and love the Lenovo Tiny range, here's a quick idea of just how small they are :



This particular one is an M720Q Tiny, but they're all the same in terms of form factor : 179mm x 36.5mm x 182.9mm (7 inches x 1.4 inches x 7.2 inches) and this one weighs 1.32kg (2.91 lbs). I bought it second hand through eBay UK for £360 (£1 = ~$1.31) and it has an Intel i5-8400T CPU (6C/6T), 16GB of DDR4 RAM in 2 x 8GB SODIMMs, and a 256GB M.2 NVME SSD. Mine included an M.2 wireless LAN card but I'm not using it. Despite its diminutive form factor it also has space for a 2.5" drive inside - I have another Tiny, a Ryzen 5 3400G-based M75-1q, with a 256GB M.2 drive and a 512GB SSD for example. Not surprisingly they have an external power brick.

Although Lenovo has been making these for years, what makes the later models special is the M720Q, M920Q, M920x, P340 and possibly others (M910) include what purports to be a PCIe 8x slot on the motherboard (here you can also see the loose cable for connecting a 2.5" drive which flaps around inside making you think your expensive new Tiny is broken already, and the M.2 wireless card) :



As you can read in the thread I linked earlier the things to remember are :
  • Beware, earlier models do not have this slot. Low end current models like the M620Q do not either, nor do the Ryzen-based M75Q and M75-1Q.
  • Despite what the motherboard says, as far as I can read online this is physically and functionally similar to but not actually a PCIe slot. You will require a (as far as I can tell) proprietary Lenovo riser card.
  • I can't test that the "8x" moniker is actually correct either since I only have a 4x card.
  • The PCI card "baffle" (facing or backing plate) is also proprietary. You cannot fit a standard low-profile PCIe card. At a pinch you can remove the backing plate altogether and support the card somehow.
  • Non-Lenovo NIC cards may or may not work. Mine did, but again beware.
  • The NIC card will take up the space for the 2.5" hard drive. You will need an M.2 (NVME or SATA) drive.
Lenovo actually sell a version of the M920Q and M720Q with an Intel i350-T4 4 port NIC in addition to the built-in single port i211 NIC, but they will only do so in the US, Canada, and Australian markets (no, I don't know why either - I was told it was not sold in the EMEA region because the regional product manager decided not to). Bear in mind however it is priced from the perspective that Lenovo think their branded 4 port NIC is worth a retail price in the £350 range instead of the £35 you can buy second hand ones off eBay for. If you can't or won't buy one new, then the only alternative is to do what I did and Frankenstein one together. To the Batmobile!

You will need :
  • One Lenovo Tiny with a "PCIe" slot onboard. If you're (even more) adventurous you can buy the motherboard off AliExpress as a spare part and either buy a Lenovo case spare or build a case for it. Otherwise either eBay or you could take advantage of Lenovo's frequent sales and generous financing terms.
  • One Intel i350-T4 NIC. Doing the research I read some worrying stories online about people trying to use cards they bought and finding the BIOS of the Tiny only whitelists genuine Lenovo cards. I bought a random unbranded card and it was fine, but YMMV. If you want the real thing from Lenovo, its FRU (spare part) reference is 03T8760.
  • One Tiny baffle plate for the card. I'm calling it a baffle because that is what Lenovo calls it and usually how you will find it on Taobao etc. I cannot find the FRU for this. The only way I can see to buy it by itself is through someone like Superbuy (linked to the item you need) who will buy it off Taobao for you and it is about £10 plus shipping - bargain.
  • One Tiny PCIe riser card. The FRU is 01AJ902 for the 8x version, or else the "16x" version I got works fine and is 01AJ940, and I think 01AJ929 will also work. I originally bought both the riser card and baffle at once through Superbuy, but now I can only find the riser itself (again linked to the item you need) and it is about £18 plus £7 shipping. Still worth the wait for China shipping since the cheapest riser I can find locally is £38-40.
  • Your standard set of screwdrivers. Some of the screws are pretty small so you will need PH0/PH1 size.
  • To make sure your Tiny has the latest BIOS installed. Not because this adds any functionality, just because it's disruptive to do once you've set up your system.
In passing : It's the first time I've used Superbuy, it's superb and the service excellent. Also note there are many, often cheaper, shipping options than what they show you at first, so make sure to open up the full list - I used DHL ecommerce and it took 2 weeks, of which a week was the box sitting around doing nothing at Heathrow. Similarly, be aware you can pay by credit card directly instead of funding a balance, just expand the options again and use Stripe as the card processor.

If you do what I did you will receive a legitimate (well, it had holograms on the sticker) Lenovo FRU box with both parts inside and 3 screws for the baffle.



Step 1. Open the Tiny's case and remove the existing baffle :



Step 2. Remove the bracket from your 4 port NIC :



Step 3. Unscrew this screw from the riser card :




Step 4. Attach the new baffle to the NIC :



Step 5. Insert the NIC into the riser card, insert the riser card into the Tiny, and screw the riser into the side of the case with the screw from step 3 :



Step 6. Use the two small black screws from step 1 to secure the new baffle :



Step 7 : Reassemble the case, sliding it forward over the newly installed NIC :



And you're done! :



For me the next steps were to install Proxmox. This is not because I intend to do a lot of virtualisation on the box, but I might run a honeypot like TPot on it in the future, and in the meantime it is useful to essentially use Proxmox as a poor man's lights-out management platform so I can see what the firewall is doing if I have to reboot. It also makes backing up the OPNsesnse image through snapshots easy.

Next was to install OPNsense in a VM, then boot and configure it. I'm using the onboard NIC as a management port, and the four port NIC for one WAN port and 3 VLAN-tagged local LAN ports. I have a 400Mbit Internet connection and I only needed to assign two (out of 6) cores to run it with a full WAF (via Sensei), IDS (via Suricata), etc. in 4GB of RAM (I offload the Sensei log analytics to an Elasticsearch instance on one of my Docker hosts).

Costs :
Lenovo M720Q i5-8400T/16GB RAM/256GB M.2 : £360 inc shipping (eBay)
Generic Intel i350-T4 card (4x 1Gbit ports) : £34 inc shipping (eBay)
Lenovo Tiny riser card + baffle : ~£25 + ~£7 shipping = £32 (Superbuy)

Total : £426 + about 30 minutes of my time

Overall an excellent experience with the sole exception of waiting a week for the package from China to negotiate Heathrow, and I'm very happy with the box. I think you would struggle to replicate the capabilities for the price in such a compact box (just over 1L). Please let me know your thoughts below and I'll answer any questions I can.

Edit : changed the order of the steps to show that it's better to insert the NIC into the riser card before plugging the whole assembly into the Tiny.
Edit 17/12/21 : Can't find the baffle + riser in one item so I have updated the links to buy the riser by itself.

Thanks. I've updated the original post with a link to the riser card, since I can no longer find the riser + baffle in one lot. The baffle link works fine, you'll just have to buy the two separately and hey Superbuy to consolidate it for you.

Very helpful post. I was able to find the baffle and riser on ebay by searching for
"Lenovo tiny5 m920x m720q p330 adapter card graphics card network card adapter board 01AJ940"
I'm sure you could improve the search, but that's how I found it.
All bits and pieces are on the way to me this week. Thanks!
 

superdupe

What's an ITX?
New User
Oct 3, 2023
1
0
Hello everyone. First, thanks @Parallax for putting together this guide. I just got finished building my m720q with a i350-T4 NIC and installed Proxmox on it. Using a another guide to install an OpnSense VM, I'm having trouble passing the i350-T4 NIC through to the VM. Can anyone give me some pointers and direction on how to accomplish that? I'm faily new to both Promox and OpnSense, but able to make command line modifications to Promox if needed... :)
 

Jip-Hop

What's an ITX?
New User
Oct 7, 2023
1
0
Interesting project! Can anyone share their experience regarding idle power consumption? How much power does the m720q + quad NIC use when sitting idle? Is there a big difference using OPNsense compared to e.g. debian? Has anyone tried to minimize the idle power consumption using powertop --auto-tune?

Has anyone tried Wireguard VPN performance on this system?
 

beefy

What's an ITX?
New User
Oct 11, 2023
1
0
Thanks @Parallax for this guide. I ordered my components for a little under $200 (usd) out the door. I plan to do testing with different configurations of bare metal and proxmox, and trying to see if I can get sriov working with the latter. I also have some plans to experiment with dual-WAN configurations with both ZeroTier and Speedify.

I'll post back with findings if anything useful comes of it all.
 

WoodyBABL

What's an ITX?
New User
Apr 6, 2024
1
0
Great post. Do you know if this card will work?

LENOVO 00AG522 INTEL I350-T4 4xGbE BaseT ADAPTER FRU:00JY854 (LOW PROFILE)
 

ItsSonnyInIT

What's an ITX?
New User
Jun 28, 2024
1
0
Have you yet tested firewall throughput? I'm excited to do this as well and I'm hoping that my Gb WAN connection can be fully utilized.