Hardware recommendations for running OPNsense as a firewall?
from pjusk@lemmy.dbzer0.com to selfhosted@lemmy.world on 01 Jul 21:58
https://lemmy.dbzer0.com/post/71556303

Hiya, looking for a firewall for my homelab, mostly to experiment but also for an added layer of security. There are just two of us in this household with a few laptops, phones and my servers, so nothing much. Therefore I'm looking for something affordable and not "overkill".

Anyone got any recommendations for this? Also, how do you run your OPNsense/pfSense instance?

Appreciate any tips!

#selfhosted


irmadlad@lemmy.world on 01 Jul 22:20

It wouldn't take much really. I run a little fanless standalone pfSense box:

  • Intel® Celeron® CPU J3160 @ 1.60GHz
  • Current: 1600 MHz, Max: 1601 MHz
  • 4 CPUs : 1 package(s) x 4 core(s)
  • 8 GB RAM
  • 1 TB SSD

Last time someone asked this question, I believe the going eBay price was in the $175 to $275 USD range. Mine sits between my modem and everything else, servers, cams, PCs, laptops, et al. I haven’t experienced any bottlenecks or sluggishness.

neonmagician@lemmy.dbzer0.com on 01 Jul 22:20

Any dual-NIC SBC should be fine. My roommate & I run it on an i3 dual-NIC small machine, but that's almost overpowered. Prior to that I ran it in a VM on Proxmox; it worked fine mostly, just a bit of a headache setting up the networking initially.

cmnybo@discuss.tchncs.de on 01 Jul 23:01

If you’re buying a PC for OPNsense or pfSense, look for one with Intel NICs. Realtek NICs tend to be unreliable.

Morgikan@fedia.io on 01 Jul 22:45

I had pfSense running on an old Core 2 Duo machine from around 2010 when I worked at an MSP. You can run it on just about anything.

The only trouble I had was when I switched to gigabit+ service and had snort running. Snort is single-threaded and that CPU just could not keep up. Suricata would be a better choice given it's natively multi-threaded, but the real limitation there was my setup and not pfSense.

irmadlad@lemmy.world on 01 Jul 23:41

Suricata would be a better choice given it’s natively multi-threaded

+1 for Suricata/inline

poVoq@slrpnk.net on 01 Jul 22:50

OPNsense is based on BSD, which has a single-threaded network stack. This means that low-end CPUs can struggle to do >1 Gbit throughput. Depending on your WAN this could be an issue.

drkt@scribe.disroot.org on 01 Jul 23:29

My Pentium G3220 box running OPNsense has never bottlenecked me, so I imagine you can run it on basically anything you can find in a dumpster.

monkeyman512@lemmy.world on 01 Jul 23:31

If your Internet connection is 1G or slower, just about any desktop built in the last 10 years should be fast enough. The critical thing is having a good network card. Intel is generally very reliable for network cards, and you can get used ones on eBay for not too much.

bytepursuits@programming.dev on 02 Jul 00:00

Nowadays I think most homelabbers are buying those N150 mini PCs from AliExpress, specifically for OPNsense.

elettrona@poliversity.it on 02 Jul 00:21

@bytepursuits @selfhosted I tried one mini PC about 10 years ago; what a disappointment! It was a small jewel to the touch. It ran Win10 with a 64GB hard disk. For a couple of years it was my emergency portable aid; I installed the NVDA (NonVisual Desktop Access) screen reader on it, as JAWS for Windows, the commercial one, is very heavy. Then, after a few updates from Win10, this poor machine literally became so, so slow. And hot. It felt like holding a little oven in my hands.
Now I don't find anything interesting; those low-priced machines sold on extra-EU e-commerce sites don't seem trustworthy. The second one I bought was bigger, about the size of an iPad mini, but it arrived with a broken LCD screen. As a blind user, I was relying just on audio. In the end, Gearbest said "you have broken it"; money thrown in the toilet.

MuttMutt@lemmy.world on 02 Jul 00:30

Both OPNsense and pfSense have FreeBSD as a base. That means you really want to avoid Realtek NICs.

I'm running OPNsense on a Supermicro X10SLL-F with a Xeon E3-1226 v3, 16GB of RAM, and an Intel X520 10G NIC, with the OS installed on a mirrored pair of 240GB Intel D3-S4510s. I underprovisioned the drives by about 50GB to lower write amplification and allow the drive controller scratch-pad space for garbage collection even if the drive fills up with logs and snapshots. This is simply done with:

zfs set quota=190G zroot

I have the following services (beyond the routing and firewall) running:

  • ACME Client - Let's Encrypt certificates
  • Caddy - to expose my home services for access via reverse proxy
  • Chrony - network time server
  • CrowdSec - running all free rules
  • Intrusion Detection (also known as Suricata) - just under 193K rules
  • Kea DHCP for IPv4, providing IP addresses for 5 VLANs
  • Monit
  • Ntopng with Redis as the database
  • NUT
  • Router Advertisements for IPv6 for 3 VLANs
  • SMART - for drive testing, but it basically consumes no resources
  • Unbound DNS with abuse.ch, Steven Black, and Hagezi Multi Pro++ blocklists

The firewall has 79 rules, NAT has 8 destination entries, IPv6 is provided by Route64 over WireGuard, and remote management access is done via a WireGuard tunnel. VLANs are Management, Trusted, Smarthome, Cameras, and a Guest network which is WiFi only. The Smarthome and Cameras VLANs do not have internet access, except for my Home Assistant server.

I'm using a Quanta LB6M for my fiber backbone, which is 10G with a LAG connection to a Dell PowerConnect 5548 and 5548P gigabit network stack.

I'm utilizing approximately 62% of RAM (which begins to have issues once you get over 80% used) and a load average that generally sits at 0.30 unless the GUI is open. Swap is 0.

I have a 1Gbps fiber internet connection through a Calix 803G and a cellular backup via a Netgear LM1200 that is controlled by OPNsense when 20% or greater packet loss is detected.

If you have a fiber connection or notice packet loss/slowdowns after 9 minutes, you may need to set:

net.link.ether.inet.max_age = 540

This is because by default FreeBSD sets a 20-minute ARP maximum age, while many ONTs set a 9-minute maximum age.

If you plan to use Intrusion Detection, the required RAM will balloon quickly, and the Unbound DNS blocklists live in RAM as well. You can easily get a similar setup to mine on eBay for 200 or less; old server boards or workstation boards with IPMI are great to have if something acts up and the router is living in a closet without a monitor. The old server boards IMHO are also super stable, and they are designed to run for years without being shut down.

Monument@piefed.world on 02 Jul 04:45

If you have a fiber connection or notice packet loss/slowdowns after 9 minutes, you may need to set:

net.link.ether.inet.max_age = 540

Oooooh.

libretech@reddthat.com on 02 Jul 03:13

I was going through this process about a year ago. I ended up settling on the Protectli V1410 (Intel N5105 and 4 Intel I226-V 2.5Gbps ports) because: a) I wanted coreboot, b) I was a little wary of lesser-known AliExpress sellers, c) Protectli seemed like a decent company and I felt good about supporting people investing in open source firmware (minus proprietary blobs, which you can't do much about). None of that was strictly necessary, and you probably would be fine just going with a cheaper NUC or mini PC. I would definitely second some of the other comments on avoiding Realtek NICs though.