Hey everyone,
I would like to ask for some help.
We would like to switch over from another firewall distribution to OPNsense. But at the moment we are struggling with which hardware is best to choose.
What we would like to do:
- We would like to try installing ZENarmor (to block social networks / VPN / adult pages)
- Clients are about 1500
- WAN -> 2 uplinks, each with 1000 Mbit/s / 50 Mbit/s
-> The modems should be connected via RJ45 (1 Gbit/s) directly to the firewall
-> The uplink to our internal network is not really specified. Here it is possible to use SFP+ uplinks or a copper uplink.
We thought about an "IPU 456A" system:
Processor: AMD Ryzen 5 5600U (Cezanne, Zen 3), hexa-core (12 threads), 2.3 to 4.2 GHz
Cache: 6x32 KByte L1 Instruction, 6x32 KByte L1 Data, 6x512 KByte L2, 16 MByte L3
Features: AES-NI, Hyper-Threading, MMX, SSE, SSE2, SSE3, SSSE3, SSE4A, SSE4.1, SSE4.2, AVX, AVX2, BMI1, BMI2, SHA, F16C, FMA3, AMD64, EVP, AMD-V, SMAP, SMEP, SMT, Precision Boost 2, XFR 2
AMD Radeon RX Vega 7 graphics processor (up to 1800 MHz)
2 x DDR4-3200 (1600 MHz) SO-DIMM sockets (up to 64 GByte possible)
4 x 10/100/1000/2500 MBit/s Intel i226-V network interfaces
2 x SATA 6 GBit/s with 5 V power connector (1 x internal 2.5-inch mount present)
1 x M.2 2280 NVMe SSD socket (PCIe 3.0 x4, max. 4 GByte/s gross)
1 x Mini PCIe socket (PCIe 3.0 x4)
1 x HDMI 2.0
1 x DisplayPort 1.4a
1 x USB 3.1 (USB 3.2 Gen 2x1, up to 10 GBit/s, USB-C)
2 x USB 3.1 (USB 3.2 Gen 2x1, up to 10 GBit/s, USB-A)
2 x USB 2.0 (up to 480 MBit/s, USB-A)
1 x TPM 2.0
There will be an upgrade to 32 GB RAM and a 256 SSD drive.
But does anyone have any experience with a gateway and ZENarmor with so many clients?
Thanks a lot
Mario
To reach up to 2 Gbit/s with threat protection (Zenarmor) you need at least this model:
https://shop.opnsense.com/dec800-series-opnsense-desktop-security-appliance/
You can browse the specs of the other systems if you want some room for growth or prefer a rackmount appliance. Buy from Deciso, their systems work great. I don't know of any other option with throughput specs specified in advance.
Hey,
thanks for your reply. I've had a look at the dec800 series and realized there are only 8Gb of memory installed.
Is this enough to run "Zenarmor" properly?
Thanks for the link to the shop. After looking at the shop, maybe we have to select the DEC3860?
https://shop.opnsense.com/product/dec3860-opnsense-rack-security-appliance/?attribute_powercord=EU
But is it necessary to use the appliance with OPNsense for Business? Or can I also run the community edition on it?
Thanks a lot for helping me.
Mario
You can perfectly well run the community edition on the Deciso appliances. In fact this is what I do with 6 production systems, currently.
Buying from Deciso gives some support back to the project and you get an appliance that is guaranteed to work with OPNsense. No trouble with specific network interfaces etc. Also they are really nice as far as energy consumption is concerned. The desktop units are passively cooled and run on 20 Watts on average in my experience.
I prefer the community edition because that is where new features are at and where I can (as I did) actually fix things myself and get merge requests into the code base. When we moved from Sidewinder to OPNsense some of our IPsec tunnels to customers stalled regularly. I fixed that in the code.
As you probably already noticed reading this forum, occasionally the community edition breaks things and hotfixes are published within a day or so. So if you want to go that route, I suggest having a test environment and/or a staged rollout plan.
I have
- development environment to test new major releases
- my home network which gets new minor releases immediately
- three office networks @work which have a standard single firewall + NAT setup - these get new minor releases when stable at home
- two HA clusters in our data centre which frequently are a full major release behind until I can schedule a maintenance window - HA or not, things do fail
HTH, kind regards,
Patrick