The Sefthy Connector: inside the NanoPi R3S LTS

Q: Does Sefthy provide the Connector or do I buy it?

Included in the subscription. Sefthy ships it pre-configured.

Q: Can I use a custom Connector?

No. Security requires Sefthy hardware with Sefthy firmware.

Q: What is the hardware cost of a Connector?

In OEM about €120 + case + assembly. Sefthy includes it in the fee. For the L2 pillar, L2 tunnel for DR . For how it works, Same IP in the cloud .

Why we picked a NanoPi R3S LTS in a CNC case. SoC, real throughput, out-of-band management and why a mini-PC was the wrong call.

April 22, 2026 2 min read

TL;DR

The Sefthy Connector is a NanoPi R3S LTS (Rockchip RK3566 SoC, 2 GB LPDDR4X, dual gigabit ethernet) in a fanless CNC aluminium case. Sustained L2 throughput: 1.2-1.5 Gbps. Power: < 5 W. Why a mini-PC was the wrong call.

The hardware in detail

SoC

Rockchip RK3566: quad-core ARM Cortex-A55 at 1.6 GHz. Hardware-accelerated AES (essential to avoid saturating the CPU on the encrypted tunnel).

Memory

2 GB LPDDR4X Micron. Enough for the network stack + crypto + packet buffers.

Storage

8 GB eMMC for the OS (Linux with mainline kernel). SD slot for recovery.

Network

Two gigabit ports:

WAN (Realtek RTL8211F PHY): Internet connection;
LAN EXTENDER (Realtek RTL8111H PHY): port that extends the customer LAN into the cloud.

In practice: one WAN cable to the customer firewall, one LAN cable to the switch.

Real throughput

Measured on 2.5 Gbps FTTH:

TLS 1.3 encrypted: 1.2-1.5 Gbps sustained;
CPU load: 60-75% under full load;
power draw: < 5 W.

Out-of-band management

MASK button on the back for X-ray mode (advanced debug), RESET button for SD-card reflash.

Why NOT a mini-PC

An Intel-NUC-style mini-PC would have been cheaper in BOM. But:

power: 15-30 W (vs < 5 W);
fan: noise + maintenance;
Intel/AMD BIOS vulnerabilities;
x86 kernel complexity vs clean ARM mainline.

The NanoPi R3S is optimised for what is needed: encrypted network I/O. No overhead.

Why NOT an existing firewall

The Connector is NOT a firewall. The customer already has their own. The Connector sits behind the firewall and does one thing: extend the LAN into the Sefthy cloud.

Benefits of this separation:

no changes to the existing firewall;
independent Connector updates;
fault isolation: a Connector issue does not break Internet;
security: the Connector does not handle general traffic.

CNC aluminium case

Aluminium (not plastic) for two reasons:

passive dissipation: no fan, but a case that doubles as a heatsink;
physical resilience: datacentre or server-room environment.

The design has been tested up to 45 °C ambient without throttling.

Maintenance and replacement

The Connector is designed for 5-7 year life. Replacement is "physical swap": same firmware, same configuration pulled from Console on first boot. Time: 15 minutes.

FAQ

Does Sefthy provide the Connector or do I buy it?

Included in the subscription. Sefthy ships it pre-configured.

Can I use a custom Connector?

No. Security requires Sefthy hardware with Sefthy firmware.

What is the hardware cost of a Connector?

In OEM about €120 + case + assembly. Sefthy includes it in the fee.

For the L2 pillar, L2 tunnel for DR. For how it works, Same IP in the cloud.

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.

See pricing Request a demo