Log Lenovo M720Q Tiny router/firewall build with aftermarket 4 port NIC

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
Greetings all, I promised an update on my work to do an aftermarket conversion of a Lenovo M720Q Tiny to have an extra 4 port NIC - and here it is. I've not been able to find another report on such a build elsewhere, so it's a bit of hyperbole but let's call this a world exclusive. You can read the background here.

The purpose is to build a very compact, quiet, power efficient yet powerful router/firewall box with more than two ports on it and all Intel NICs. There are plenty of "pfSense" boxes you can find on Ali Express but I found them underpowered for what I wanted, unwieldy in terms of form factor (quite tall for the footprint), and many had Realtek NICs.

For those that don't yet know and love the Lenovo Tiny range, here's a quick idea of just how small they are :



This particular one is an M720Q Tiny, but they're all the same in terms of form factor : 179mm x 36.5mm x 182.9mm (7 inches x 1.4 inches x 7.2 inches) and this one weighs 1.32kg (2.91 lbs). I bought it second hand through eBay UK for £360 (£1 = ~$1.31) and it has an Intel i5-8400T CPU (6C/6T), 16GB of DDR4 RAM in 2 x 8GB SODIMMs, and a 256GB M.2 NVME SSD. Mine included an M.2 wireless LAN card but I'm not using it. Despite its diminutive form factor it also has space for a 2.5" drive inside - I have another Tiny, a Ryzen 5 3400G-based M75-1q, with a 256GB M.2 drive and a 512GB SSD for example. Not surprisingly they have an external power brick.

Although Lenovo has been making these for years, what makes the later models special is the M720Q, M920Q, M920x, P340 and possibly others (M910) include what purports to be a PCIe 8x slot on the motherboard (here you can also see the loose cable for connecting a 2.5" drive which flaps around inside making you think your expensive new Tiny is broken already, and the M.2 wireless card) :



As you can read in the thread I linked earlier the things to remember are :
  • Beware, earlier models do not have this slot. Low end current models like the M620Q do not either, nor do the Ryzen-based M75Q and M75-1Q.
  • Despite what the motherboard says, as far as I can read online this is physically and functionally similar to but not actually a PCIe slot. You will require a (as far as I can tell) proprietary Lenovo riser card.
  • I can't test that the "8x" moniker is actually correct either since I only have a 4x card.
  • The PCI card "baffle" (facing or backing plate) is also proprietary. You cannot fit a standard low-profile PCIe card. At a pinch you can remove the backing plate altogether and support the card somehow.
  • Non-Lenovo NIC cards may or may not work. Mine did, but again beware.
  • The NIC card will take up the space for the 2.5" hard drive. You will need an M.2 (NVME or SATA) drive.
Lenovo actually sell a version of the M920Q and M720Q with an Intel i350-T4 4 port NIC in addition to the built-in single port i211 NIC, but they will only do so in the US, Canada, and Australian markets (no, I don't know why either - I was told it was not sold in the EMEA region because the regional product manager decided not to). Bear in mind however it is priced from the perspective that Lenovo think their branded 4 port NIC is worth a retail price in the £350 range instead of the £35 you can buy second hand ones off eBay for. If you can't or won't buy one new, then the only alternative is to do what I did and Frankenstein one together. To the Batmobile!

You will need :
  • One Lenovo Tiny with a "PCIe" slot onboard. If you're (even more) adventurous you can buy the motherboard off AliExpress as a spare part and either buy a Lenovo case spare or build a case for it. Otherwise either eBay or you could take advantage of Lenovo's frequent sales and generous financing terms.
  • One Intel i350-T4 NIC. Doing the research I read some worrying stories online about people trying to use cards they bought and finding the BIOS of the Tiny only whitelists genuine Lenovo cards. I bought a random unbranded card and it was fine, but YMMV. If you want the real thing from Lenovo, its FRU (spare part) reference is 03T8760.
  • One Tiny baffle plate for the card. I'm calling it a baffle because that is what Lenovo calls it and usually how you will find it on Taobao etc. I cannot find the FRU for this. The only way I can see to buy it by itself is through someone like Superbuy (linked to the item you need) who will buy it off Taobao for you and it is about £10 plus shipping - bargain.
  • One Tiny PCIe riser card. The FRU is 01AJ902 for the 8x version, or else the "16x" version I got works fine and is 01AJ940, and I think 01AJ929 will also work. I originally bought both the riser card and baffle at once through Superbuy, but now I can only find the riser itself (again linked to the item you need) and it is about £18 plus £7 shipping. Still worth the wait for China shipping since the cheapest riser I can find locally is £38-40.
  • Your standard set of screwdrivers. Some of the screws are pretty small so you will need PH0/PH1 size.
  • To make sure your Tiny has the latest BIOS installed. Not because this adds any functionality, just because it's disruptive to do once you've set up your system.
In passing : It's the first time I've used Superbuy, it's superb and the service excellent. Also note there are many, often cheaper, shipping options than what they show you at first, so make sure to open up the full list - I used DHL ecommerce and it took 2 weeks, of which a week was the box sitting around doing nothing at Heathrow. Similarly, be aware you can pay by credit card directly instead of funding a balance, just expand the options again and use Stripe as the card processor.

If you do what I did you will receive a legitimate (well, it had holograms on the sticker) Lenovo FRU box with both parts inside and 3 screws for the baffle.



Step 1. Open the Tiny's case and remove the existing baffle :



Step 2. Remove the bracket from your 4 port NIC :



Step 3. Unscrew this screw from the riser card :




Step 4. Attach the new baffle to the NIC :



Step 5. Insert the NIC into the riser card, insert the riser card into the Tiny, and screw the riser into the side of the case with the screw from step 3 :



Step 6. Use the two small black screws from step 1 to secure the new baffle :



Step 7 : Reassemble the case, sliding it forward over the newly installed NIC :



And you're done! :



For me the next steps were to install Proxmox. This is not because I intend to do a lot of virtualisation on the box, but I might run a honeypot like TPot on it in the future, and in the meantime it is useful to essentially use Proxmox as a poor man's lights-out management platform so I can see what the firewall is doing if I have to reboot. It also makes backing up the OPNsense image through snapshots easy.

Next was to install OPNsense in a VM, then boot and configure it. I'm using the onboard NIC as a management port, and the four port NIC for one WAN port and 3 VLAN-tagged local LAN ports. I have a 400Mbit Internet connection and I only needed to assign two (out of 6) cores to run it with a full WAF (via Sensei), IDS (via Suricata), etc. in 4GB of RAM (I offload the Sensei log analytics to an Elasticsearch instance on one of my Docker hosts).

Costs :
Lenovo M720Q i5-8400T/16GB RAM/256GB M.2 : £360 inc shipping (eBay)
Generic Intel i350-T4 card (4x 1Gbit ports) : £34 inc shipping (eBay)
Lenovo Tiny riser card + baffle : ~£25 + ~£7 shipping = £32 (Superbuy)

Total : £426 + about 30 minutes of my time

Overall an excellent experience with the sole exception of waiting a week for the package from China to negotiate Heathrow, and I'm very happy with the box. I think you would struggle to replicate the capabilities for the price in such a compact box (just over 1L). Please let me know your thoughts below and I'll answer any questions I can.

Edit : changed the order of the steps to show that it's better to insert the NIC into the riser card before plugging the whole assembly into the Tiny.
Edit 17/12/21 : Can't find the baffle + riser in one item so I have updated the links to buy the riser by itself.
 

chx

Master of Cramming
May 18, 2016
547
281
Wow, very nice! You might want to link to the card because the screw holes lining up like that is insanely lucky. I do not think there's any standard where the "baffle" is supposed to screw in.
 

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
> Wow, very nice! You might want to link to the card because the screw holes lining up like that is insanely lucky. I do not think there's any standard where the "baffle" is supposed to screw in.

It was just a random eBay sale I'm afraid, whatever was cheapest on the day. It's a 2014 vintage card I think and only has Intel branding, so it's as generic as they come. I have another 2 port one which also lines up with the holes, so I think the spacing of the screw holes is standardised.
 

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
> If only you could fit a two slot LP GPU in there... It would be legit bonkers.

Well you could just not put the top of the case back on...

You might need to Dremel the baffle/backplate a bit to get it to fit - and remember it's a low profile card only. And you definitely need some support there because the Tiny is so... small... that the card will be right up next to some important electrical stuff (that's a technical term) you probably don't want to short by accident.
 

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
> Nice work mate do you think P320 will work with NIC too?

Sorry for the delay in responding. It should in theory, and you probably have the riser already in place? The only concern I would have is that I think the P320s have an extended heatsink to look after the graphic card (if it was ever fitted) which may or may not get in the way. I think it will depend how your unit was configured when it was sold. But, heatsink aside, logistically it should all work as shown.
 

Greelan

Minimal Tinkerer
New User
Oct 19, 2020
3
0
Great post, nice work. I stumbled on this because I’ve decided to go a similar route - have bought an M720 Tiny with i3-9100T with 8GB RAM and 256GB NVMe M.2 SSD. I also got the Lenovo I350-T4 NIC. I realise your build is a bit higher spec but I’m very happy with mine given what I paid.

Anyway, I was wondering how I would install OPNsense given the config I have bought does not have a serial or VGA port (the NIC takes the place where those ports would otherwise go). I am new to OPNsense so was wondering how to reconcile the official installation instructions with the absence of those ports. Did you consider at all installing on bare metal and if so how you would have gone about it?

I realise on the other hand that virtualising OPNsense gives more flexibility to use the box for other things as well (although given I have another server running all my other services I am unlikely to need much on the Lenovo). Couple of questions re your Proxmox setup:
  1. Am I right in assuming that once you set up the OPNsense VM you pass through the WAN/LAN ports to it through Proxmox? Any tips on installing OPNsense on a VM (eg what installer image did you use)?
  2. I’m interested in your using the onboard NIC as a management interface. Can you explain a bit more? Is that how you interact with Proxmox?
Thanks
 

Greelan

Minimal Tinkerer
New User
Oct 19, 2020
3
0
Update: no need to respond to my questions above. I have figured it all out. Can’t wait until I get my kit and can put it into action!
 

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
Hi, welcome to the M720q-as-a-router club. 😉

I see you've figured it all out yourself, but I'll answer anyway since people use these threads as reference and it annoys me in forums when people ask "Can you help me with <the exact same problem I have>?" and then say, "don't worry, I solved it myself" a few posts later and you're none the wiser. 😅

So : Really it's no different to install OPNsense (using an ISO written to a USB stick with Balena Etcher) than what I did and install Proxmox (using an ISO written to a USB stick with Balena Etcher). You will still need a keyboard plugged in as a minimum and a monitor for the initial setup, the only way to avoid that is on platforms where you have an iLO (HPE) or DRAC (Dell) type solution that lets you see the output without a screen attached. In essence I can use Proxmox as an iLO anyway because once it's up you can see the booting of the VMs you install through the web interface console, and you can upload ISOs into Proxmox directly from your local machine.

You just boot the Lenovo off your USB stick and configure it with a keyboard, mouse (not needed for OPNsense install but a help with Proxmox) and screen, even with the 4 port NIC installed you still have both Display Port and HDMI outputs so as long as you have a monitor that supports one of those, you're good. As soon as you've finished the install, you unplug everything except power and LAN since both can be run through their respective web interfaces and SSH as required; although in fact I've almost never had to log into OPNsense because the web interface does 99+% of what you need. On the M75-1q, by the way if you expand your fleet of Tinys, unplugging the monitor has an additional benefit that after a while the box shuts down the Vega graphics portion of the Ryzen 3400GE and you save ~6-8W of power.

I chose to virtualise OPNsense largely for the reasons I gave in the post - I thought I would have some other network gateway-related things it made sense to put on the same box, and it was wise to keep them isolated. So far I have installed (in a minimal Debian VM running Docker) a speed testing container (using the Ookla Speed Test CLI) and I'm considering installing a Zabbix server on there as well. In the future I may move the Debian VM to be an LXC container, I've found that a good way to go on some of my other servers because it's less resource consumptive and you can still control them through the Proxmox GUI.

And finally yes, I use the onboard NIC dedicated to Proxmox and in the management VLAN of my network, then on the 4 port card one port is used for WAN and one port for LAN, then I have another port used for an IOT/untrusted VLAN and one spare. All of the physical ports have virtual bridges attached to them in Proxmox (vmbr0 etc) and you then attach whatever VMs or LXCs to whichever bridge(s)/LANs they should be talking to.

On the pricing point, in the UK there has been a little flood (perhaps thanks to Covid) of corporate M720qs lately on eBay so you can potentially shave £100+ off what I paid for the box - my second M720q was £214, albeit it is the i3 model like you have and "only" 8GB of RAM, but like you say more than enough for firewall duties given I run my OPNsense off 2 cores (out of 6) and 2GB of RAM is OK and 4GB plenty.

@Greelan Please do drop back here and let us know how it all went. Did you buy the riser card through Superbuy?
 
  • Like
Reactions: zadorski
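
The bridge-per-port layout Parallax describes in the post above, written out as a Proxmox `/etc/network/interfaces` file with a small check that the hypervisor itself holds an IP address only on the management bridge. This is an added example, not the poster's configuration; the NIC names (`eno1`, `enp1s0f0` to `enp1s0f2`), the bridge numbering beyond vmbr0 and the 192.0.2.0/24 addresses are assumptions.

```python
# Added example (not the poster's config): the bridge-per-port layout as a
# Proxmox /etc/network/interfaces file, plus a check on where the host has IPs.
# SAMPLE is constructed; NIC names and addresses are assumptions.
SAMPLE = """\
auto lo
iface lo inet loopback

# onboard NIC: Proxmox management
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports eno1

# 4 port card, port 1: WAN (attached to the OPNsense VM only)
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp1s0f0

# 4 port card, port 2: LAN
auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp1s0f1

# 4 port card, port 3: IoT/untrusted VLAN
auto vmbr3
iface vmbr3 inet manual
    bridge-ports enp1s0f2
"""


def parse_bridges(text):
    """Return {name: {"method", "ports", "address"}} for each vmbr stanza."""
    bridges, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = None
            if words[1].startswith("vmbr"):
                current = {"method": words[3], "ports": [], "address": None}
                bridges[words[1]] = current
        elif words[0] in ("auto", "allow-hotplug"):
            current = None  # a new stanza starts; stop collecting options
        elif current is not None and words[0] == "bridge-ports":
            current["ports"] = [p for p in words[1:] if p != "none"]
        elif current is not None and words[0] == "address":
            current["address"] = words[1]
    return bridges


def host_reachable_bridges(bridges, mgmt="vmbr0"):
    """Non-management bridges on which the hypervisor itself gets an IP."""
    return sorted(name for name, b in bridges.items()
                  if name != mgmt and (b["address"] or b["method"] != "manual"))


if __name__ == "__main__":
    print(host_reachable_bridges(parse_bridges(SAMPLE)))
```

An empty result means the WAN, LAN and IoT bridges only carry VM traffic, so the Proxmox web interface and SSH are reachable from the management port alone.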

Greelan

Minimal Tinkerer
New User
Oct 19, 2020
3
0
@Parallax Hey, thanks for the reply, and sorry for my delay in reporting back - I didn't have notifications on.

I understand your comment about not following up with how a question is resolved - in this case it was just a matter of me missing the obvious originally (example: the OPNsense VGA image is for any video-based installation, whether VGA, HDMI or DVI) so I didn't think it worth it.

Well, I got the box a couple of weeks ago, spent a little while configuring OPNsense on it to fit into my existing network (VLANs, ULAs, FW rules etc), and it is now operating in place of my previous router. I decided in the end to install OPNsense on bare metal, rather than in a VM - I know there are differing views out there about the merits or otherwise of bare metal for security, but that's the side I landed on.

I'm very happy so far. The Tiny itself seems to run very well, and is very quiet other than the slight tick of the CPU fan. And I'm also very impressed with OPNsense. I haven't fully configured it yet - I am working through the various features step by step and gradually introducing those I want. So far it has been a smooth experience - yes, there are a LOT of buttons to twiddle, and the documentation ain't brilliant (the pfSense docs can sometimes be a more useful resource), but I think it has been worth the effort.

On the 4-port NIC, no I bought it directly from Lenovo (half price).
 

jairbj

Minimal Tinkerer
New User
Jan 12, 2021
3
2
Hi friend, thank you a lot for sharing this with us.

Do you think it's possible to install a SATA card instead of a NIC card? I'm thinking about building a mini NAS (2 x 3.5 drive) with an M920q. What do you think?
 
  • Like
Reactions: nerdbit

mannz

What's an ITX?
New User
Jan 9, 2021
1
1
@Parallax Thanks for your detailed post, exactly what I was looking for and saved me a good deal of time researching options.

Got my hands on an M920q i5-v8, now just waiting on the parts from China (via Superbuy). Very tempted to order another and max out the CPU and memory for a home lab.
 
  • Like
Reactions: nerdbit

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
> Hi friend, thank you a lot for sharing this with us.
>
> Do you think it's possible to install a SATA card instead of a NIC card? I'm thinking about building a mini NAS (2 x 3.5 drive) with an M920q. What do you think?

I think you'll be limited on space within the box, there is only room for one 2.5" drive OR a PCIe card, not both. You could put in a SATA card and then use an eSATA connection to an enclosure, or potentially put in a PCIe card with 2x m.2 slots in, but then I would be worried about thermals.

If you have to use an enclosure anyway, you may as well just use one of the USB ports?
 

Parallax

Caliper Novice
Original poster
Jun 3, 2020
24
51
> @Parallax Thanks for your detailed post, exactly what I was looking for and saved me a good deal of time researching options.
>
> Got my hands on an M920q i5-v8, now just waiting on the parts from China (via Superbuy). Very tempted to order another and max out the CPU and memory for a home lab.

Pleasure. Yeah, that's what I did in the end, I bought an(other) M920q off eBay with the lowest model Pentium Gold CPU (£150), then bought an i9-9900T (8C/16T) off Taobao through Superbuy. I have a short thread on that as well.
 

jairbj

Minimal Tinkerer
New User
Jan 12, 2021
3
2
> I think you'll be limited on space within the box, there is only room for one 2.5" drive OR a PCIe card, not both. You could put in a SATA card and then use an eSATA connection to an enclosure, or potentially put in a PCIe card with 2x m.2 slots in, but then I would be worried about thermals.
>
> If you have to use an enclosure anyway, you may as well just use one of the USB ports?

My plan is to 3D print an "extended case" for it and replace its side panel, so I can fit two 3.5 hds. Of course, I'll need a power supply for powering the hds.
 

Siderean

What's an ITX?
New User
May 28, 2021
1
0
I was able to fit a 2.5" sata ssd after installing an i340-t4 pcie nic into the m720q. It's tight but it fits