Hardware recommendations for running OPNsense as a firewall?
from pjusk@lemmy.dbzer0.com to selfhosted@lemmy.world on 01 Jul 21:58
https://lemmy.dbzer0.com/post/71556303

Hiya, looking for a firewall for my homelab, mostly to experiment but also for an added layer of security. There are just two of us in this household with a few laptops, phones and my servers, so nothing much. Therefore I'm looking for something affordable and not “overkill”.

Anyone got any recommendations for this? Also, how do you run your OPNsense/pfSense instance?

Appreciate any tips!

#selfhosted


irmadlad@lemmy.world on 01 Jul 22:20

It wouldn’t take much really. I run a little fanless standalone pfSense box:

  • Intel® Celeron® CPU J3160 @ 1.60GHz
  • Current: 1600 MHz, Max: 1601 MHz
  • 4 CPUs : 1 package(s) x 4 core(s)
  • 8 GB RAM
  • 1 TB SSD

Last time someone asked this question, I believe the going eBay price was in the $175 to $275 USD range. Mine sits between my modem and everything else, servers, cams, PCs, laptops, et al. I haven’t experienced any bottlenecks or sluggishness.

neonmagician@lemmy.dbzer0.com on 01 Jul 22:20

Any dual-NIC SBC should be fine. My roommate & I run it on an i3 dual-NIC small machine, but that’s almost overpowered. Prior to that I ran it in a VM on Proxmox; it worked fine mostly, just a bit of a headache setting up the networking initially.

cmnybo@discuss.tchncs.de on 01 Jul 23:01

If you’re buying a PC for OPNsense or pfSense, look for one with Intel NICs. Realtek NICs tend to be unreliable.

Morgikan@fedia.io on 01 Jul 22:45

I had pfSense running on an old Core 2 Duo machine from around 2010 when I worked in MSP. You can run it on just about anything.

The only trouble I had was when I switched to gigabit+ service and had snort running. Snort is single-threaded and that CPU just could not keep up. Suricata would be a better choice given it's natively multi-threaded, but the real limitation there was my setup and not pfSense.

irmadlad@lemmy.world on 01 Jul 23:41

Suricata would be a better choice given it’s natively multi-threaded

+1 for Suricata/inline

poVoq@slrpnk.net on 01 Jul 22:50

OPNsense is based on BSD, which has a single-threaded network stack. This means that low-end CPUs can struggle to do >1 Gbit throughputs. Depending on your WAN this could be an issue.

drkt@scribe.disroot.org on 01 Jul 23:29

My Pentium G3220 box running OPNsense has never bottlenecked me, so I imagine you can run it on basically anything you can find in a dumpster.

monkeyman512@lemmy.world on 01 Jul 23:31

If your Internet connection is 1G or slower, just about any desktop built in the last 10 years should be fast enough. The critical thing is having a good network card. Intel is generally very reliable for network cards and you can get used ones on eBay for not too much.
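A quick way to act on the "Intel is fine, Realtek is risky" advice in this reply and in cmnybo's above (it comes up again further down the thread), once a candidate box is booted into FreeBSD or an OPNsense/pfSense installer shell: parse `pciconf -lv` and see which driver each network controller actually got. This is an added example, not code from the thread or from the OPNsense/pfSense projects; the pciconf output below is constructed to look like real output, and the device names and PCI addresses in it are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). On a live FreeBSD/OPNsense/pfSense box:
#     pciconf -lv | classify_nics
# pciconf prints one header line per PCI function ("igb0@pci0:1:0:0: class=... vendor=...")
# followed by indented "vendor = ...", "device = ..." lines. Class 0x02xxxx is a
# network controller; the text before '@' is the driver instance that bound it,
# and "noneN" means no driver bound at all.

classify_nics() {
    awk '
    /^[a-z0-9]+@pci/ {
        dev = $1; sub(/@.*/, "", dev)            # igb0, re0, igc0, none2 ...
        cls = ""; vid = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^class=/)  cls = substr($i, 7)
            if ($i ~ /^vendor=/) vid = substr($i, 8)
        }
        innet = (substr(cls, 1, 4) == "0x02")  # only report network controllers
        next
    }
    innet && /^ *device *=/ {
        name = $0; sub(/^ *device *= */, "", name); gsub(/'"'"'/, "", name)
        drv = dev; sub(/[0-9]+$/, "", drv)       # strip the instance number
        if (drv == "none")        verdict = "NO DRIVER BOUND: unusable on this FreeBSD release"
        else if (vid == "0x8086") verdict = "OK: Intel, driver " drv "(4)"
        else if (vid == "0x10ec") verdict = "CAUTION: Realtek " drv "(4), widely reported flaky under load"
        else                      verdict = "CHECK: vendor " vid ", driver " drv "(4)"
        printf "%-6s %-58s %s\n", dev, name, verdict
        innet = 0
    }'
}

# Constructed sample of pciconf -lv output (not real hardware) so the script runs offline.
sample_pciconf() {
    cat <<'EOF'
igb0@pci0:1:0:0:    class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1533 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I210 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
re0@pci0:2:0:0:     class=0x020000 rev=0x15 hdr=0x00 vendor=0x10ec device=0x8168 subvendor=0x1043 subdevice=0x8554
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
igc0@pci0:3:0:0:    class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet
none2@pci0:4:0:0:   class=0x020000 rev=0x05 hdr=0x00 vendor=0x10ec device=0x8125 subvendor=0x1849 subdevice=0x8125
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8125 2.5GbE Controller'
    class      = network
    subclass   = ethernet
xhci0@pci0:0:20:0:  class=0x0c0330 rev=0x21 hdr=0x00 vendor=0x8086 device=0x8c31 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = '8 Series/C220 Series Chipset Family USB xHCI'
    class      = serial bus
    subclass   = USB
EOF
}

# Demo run on the constructed sample; the USB controller is filtered out.
sample_pciconf | classify_nics
```

The `none` entries are the ones to care about: a NIC the kernel never bound a driver to does not exist as an interface at all, which is what you hit with a chipset newer than the FreeBSD release that OPNsense or pfSense is built on. On OPNsense the console menu's option 8 drops you into a shell where `pciconf` is available.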

bytepursuits@programming.dev on 02 Jul 00:00

Nowadays I think most homelabbers are buying those N150 mini PCs from AliExpress, specifically for OPNsense.

elettrona@poliversity.it on 02 Jul 00:21

@bytepursuits @selfhosted I've tried one mini PC about 10 years ago; what a disappointment! It was a small jewel to the touch. It ran Win10 with a 64 GB hard disk. For a couple of years it was my emergency portable aid: I installed the NVDA (Non Visual Desktop Access) screen reader on it, as JAWS for Windows, the commercial one, is very heavy. Then, after a few Win10 updates, this poor machine literally became so, so slow. And hot. It seemed to have a little oven in my hands.
Now I don't find anything interesting; those machines, low-priced and sold on non-EU e-commerce sites, don't seem trustworthy. The second one I bought was bigger, about the size of an iPad mini. But it arrived with a broken LCD screen. As a blind user, I was relying just on audio. But in the end, Gearbest said "you have broken it" - money thrown in the toilet.

bytepursuits@programming.dev on 02 Jul 14:29

Those are exactly the same products that are sold on Amazon.
You can buy exactly these same OPNsense devices from Amazon.

Also I’m not sure what it was like 10 years ago. But these days mini PCs are how most people homelab: 10 W idle and typically enough firepower for most tasks.
Obviously pick modern hardware from a brand with some name recognition; they are great.

MuttMutt@lemmy.world on 02 Jul 00:30

Both OPNsense and pfSense have FreeBSD as a base. That means you really want to avoid Realtek NICs.

I’m running OPNsense on a Supermicro X10SLL-F, with a Xeon E3-1226 v3, 16 GB of RAM, and an Intel X520 10G NIC, with the OS installed on a mirrored pair of 240 GB Intel D3-S4510s. I underprovisioned the drives by about 50 GB to lower write amplification and allow the drive controller scratch-pad space for garbage collection even if the drive fills up with logs and snapshots. This is simply done with:

zfs set quota=190G zroot

I have the following services (beyond the routing and firewall) running:

ACME Client - Let’s Encrypt certificates

Caddy - to expose my home services for access via reverse proxy

Chrony - network time server

CrowdSec - running all free rules

Intrusion Detection (also known as Suricata) - just under 193K rules

Kea DHCP for IPv4, providing IP addresses for 5 VLANs

Monit

Ntopng with Redis as the database

NUT

Router Advertisements for IPv6 for 3 VLANs

SMART - for drive testing, but it basically consumes no resources

Unbound DNS with the abuse.ch, StevenBlack, and Hagezi Multi Pro++ blocklists.

Firewall has 79 rules, NAT has 8 destination entries, IPv6 is provided by Route64 over WireGuard, and remote management access is done via a WireGuard tunnel. VLANs are Management, Trusted, Smarthome, Cameras, and a Guest network which is WiFi only. The Smarthome and Cameras VLANs do not have internet access, except for my HomeAssistant server.

I’m using a Quanta LB6M for my fiber backbone which is 10G with a LAG connection to a Dell PowerConnect 5548 and 5548P gigabit network stack.

I’m utilizing approximately 62% of RAM (which begins to have issues once you get over 80% used) and a load average that generally sits at 0.30 unless the GUI is open. Swap is 0.

I have a 1 Gbps fiber internet connection through a Calix 803G and a cellular backup via a Netgear LM1200 that is controlled by OPNsense when 20% or greater packet loss is detected.

If you have a fiber connection or notice packet loss/slowdowns after 9 minutes, you may need to set:

net.link.ether.inet.max_age = 540

This is because by default FreeBSD sets a 20-minute ARP maximum age, while many ONTs set a 9-minute maximum age.

If you plan to use Intrusion Detection, the required RAM will balloon quickly, and the Unbound DNS blocklists live in RAM as well. You can easily get a similar setup to mine on eBay for 200 or less; old server boards or workstation boards with IPMI are great to have if something acts up and the router is living in a closet without a monitor. The old server boards IMHO are also super stable, and they are designed to run for years without being shut down.
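The ARP max-age tweak above, as an added example of how to inspect it, apply it at runtime and confirm the effect on the WAN gateway entry on a FreeBSD/OPNsense box. This is not the poster's own procedure; the gateway lookup via `netstat`/`arp` is my addition, and the sysctl name and its 1200-second default are FreeBSD's.

```shell
#!/bin/sh
# Added example, not from the post. Run as root on FreeBSD / OPNsense (console menu option 8).

# Current ARP cache lifetime in seconds; FreeBSD's default is 1200 (20 minutes).
sysctl net.link.ether.inet.max_age

# Apply the 9-minute value immediately, without a reboot.
sysctl net.link.ether.inet.max_age=540

# Look at the WAN gateway's ARP entry. After the change, "expires in N seconds"
# should never exceed 540, so the entry is re-learned before a 9-minute ONT
# cache would have thrown its copy away.
gw=$(netstat -rn -f inet | awk '$1 == "default" { print $2 }')
arp -an | grep -F "($gw)"
```

A runtime `sysctl` does not survive a reboot. On OPNsense, add the entry under System > Settings > Tunables rather than editing /etc/sysctl.conf by hand, because OPNsense regenerates that file from its own configuration at boot; on plain FreeBSD a `net.link.ether.inet.max_age=540` line in /etc/sysctl.conf is enough.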

Monument@piefed.world on 02 Jul 04:45

If you have a fiber connection or notice packet loss/slowdowns after 9 minutes, you may need to set:

net.link.ether.inet.max_age = 540

Oooooh.

libretech@reddthat.com on 02 Jul 03:13

I was going through this process about a year ago. I ended up settling on the Protectli V1410 (Intel N5105 and 4 Intel I226-V 2.5 Gbps ports) because: a) I wanted coreboot, b) I was a little wary of lesser-known AliExpress sellers, c) Protectli seemed like a decent company and I felt good about supporting people investing in open-source firmware (minus proprietary blobs, which you can’t do much about). None of that was strictly necessary, and you probably would be fine just going with a cheaper NUC or mini PC. I would definitely second some of the other comments on avoiding Realtek NICs though.

melroy@kbin.melroy.org on 02 Jul 11:09

Yes, don't buy their expensive hardware is what I recommend. It's not worth it.

brickfrog@lemmy.dbzer0.com on 02 Jul 13:36

I made the jump to OPNsense recently, ended up buying a Protectli to install it on, and it’s been working great so far. For me it sort of made sense since I wanted to have a little purpose-built fanless system with Intel NICs, and coreboot and console access via USB are nice bonuses too. My original thinking was to try running other services on the same hardware (using Proxmox maybe), but for now it just runs OPNsense and nothing else… maybe it’s better for the network firewall to just be the network firewall; it’s the one thing I don’t want to crash and cause an outage.

But you don’t have to do that, pretty much any Intel/AMD based system with multiple Intel NICs should work with an OPNsense install. The other mini pc vendors will be a bit cheaper for sure, just be mindful of RAM and storage prices right now.

thelittleblackbird@lemmy.world on 02 Jul 18:12

Take a second-hand Sophos FW.

Intel NICs, low-power-consumption processors and full OPNsense support.

Go for at least 4 GB of RAM and the most powerful processor you can safely get. It will come with a lot of Ethernet ports too, on top.

And it will cost close to €100, probably less if you strike a good deal.