First off, this isn't a question of choosing Opnsense over something else.
This is a question of, should I take on another thing that I have to manage? When it doesn't work for a technical problem I'll be the only one who can fix it. When it needs updating I'll be the only one doing that.
Here's my position, I really like this stuff but I can't necessarily always dedicate as much time as I would like. I'm a photography/ videography professional and I already run my own Unraid server to store my footage, stream media, and that can take up time and expertise I may not have and when something goes wrong I end up dedicating days so I know what I'm doing. I like doing it, on my own time, but when things go wrong, I have no choice, things need to get fixed now.
So when it comes to Opnsense I'm hoping I can get some insight from you folks on the forum.
Firstly, I've been doing a lot of research on components and that's already taken a lot of time. So I'll ask about that now.
1. I have an Intel 4770k, an atx motherboard, with 4 sticks of 4GB ddr3 1600mhz ram, a tower cooler measuring 150mm tall and all I need is a NIC with duel 2.5GB. However, I have a few questions.
1a) Does my RAM speed matter?
1b) Any suggestions for a case? The case I have for this possible Opnsense system is huge. Get a smaller cooler is fine as well and isn't expensive.
1c) If I want to make this router nice and small I'm spending a decent amount of money. New itx case, itx motherboard, wireless access point, new ram since I'm limited to 2 sticks in a itx case (please advise on 8GB vs 16GB), and powersupply since I don't need the old 850W and it starts to add up fast, so...is it worth it? Time and money? I'm not sure and want to get the perspective of
2. I can do a far bit of reading and do the tutorials, etc, etc.
2a) But at the end of the day is having an Opnsense router a lot of work? Is most of the work upfront?
2b) Can I set it and forget it?
2c) Will it just be periodic updates by just doing a few clicks?
2d) Will I even notice the difference with my internet? And what about added security?...worth it?
One of my goals is to simply not throw away an old Intel chip that can be used for something genuinely useful. Added security would be nice.
3. So in short, any suggestions on hardware?
4, Is Opnsense a hobby you put time into? Or a means to an end? (Plus being a very part-time network technician)
Sorry for the extended post but after doing some research I feel like this might be more time and money than it's worth. Would like some advice on things.
Finally one that has the correct approach, asking questions before thinking: "Everyone is doing it, why can't I?"
To answer your questions:
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM1a) Does my RAM speed matter?
Not really, unless you have more than 1 Gbit/s speed.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM1b) Any suggestions for a case? The case I have for this possible Opnsense system is huge. Get a smaller cooler is fine as well and isn't expensive.
No, this only depends on the space you can put it in.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM1c) If I want to make this router nice and small I'm spending a decent amount of money. New itx case, itx motherboard, wireless access point, new ram since I'm limited to 2 sticks in a itx case (please advise on 8GB vs 16GB), and powersupply since I don't need the old 850W and it starts to add up fast, so...is it worth it? Time and money? I'm not sure and want to get the perspective of
This is clearly a tradeoff. However, you should consider that using modern hardware will save you money with a device that is running 24/7. Depending on your local energy cost, buying a new china box with a N100 or N150 will amortize its costs over three years of operation, so I see no good reason to reuse old hardware that usually uses more power.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM2. I can do a far bit of reading and do the tutorials, etc, etc.
2a) But at the end of the day is having an Opnsense router a lot of work? Is most of the work upfront?
Yes. Depending on your networking knowledge, you should plan at least a week for first setup. Also, this is not just "following tutorials", as experience has shown. Many of the tutorials out on Youtube and the wider internet are of questionable quality and do not fit all needs.
I would strongly suggest to read this now (https://forum.opnsense.org/index.php?topic=42985.0) and then look at the first two pages of the tutorial section to get a first impression of what lies ahead of you.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM2b) Can I set it and forget it?
No. OpnSense being a security appliance, it has to be kept updated. Frankly speaking, if you do not buy the business licence, you will be the guinea pig for the community version - sometimes, upgrades
will break things.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM2c) Will it just be periodic updates by just doing a few clicks?
Not realistically, see above.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM2d) Will I even notice the difference with my internet? And what about added security?...worth it?
That is two questions:
1. Is OpnSense an add-on to security?
Probably, if you need the features. Otherwise, any hardware store variety of router can do NAT and shield your network from outside access.
2. Do you need to keep OpnSense current?
That is a philosophic question. Do you update your current router? There have been many example of security leaks caused by routers and firewalls in the past. Because OpnSense is a complex product, there are a lot of chances something goes wrong, this applies to both of the features you use and the components OpnSense is made of.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AMOne of my goals is to simply not throw away an old Intel chip that can be used for something genuinely useful. Added security would be nice.
3. So in short, any suggestions on hardware?
See above. I think you would have to invest anyway to make your old system less power-hungry, probably more than just to buy a dedicated appliance.
An old desktop can be put to better use as a Proxmox server with internal storage, IMHO. You can then build a homelab (which is another time-consuming hobby in itself), even letting you operate OpnSense as a VM on top of that. Energy and cost-wise, that would be a much better way of repurposing your old PC. However, this is even more complex (https://forum.opnsense.org/index.php?topic=44159.0) to set up than a bare-metal installation.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM4, Is Opnsense a hobby you put time into? Or a means to an end? (Plus being a very part-time network technician)
I think it is a hobby. For me, it is.
Quote from: Herdie27 on July 28, 2025, 07:52:56 AMSorry for the extended post but after doing some research I feel like this might be more time and money than it's worth. Would like some advice on things.
If you want a new hobby or have specific security needs, go for it, there is nothing much better.
In fact, there are a lot of features that many other routers do not offer, like:
a. different VPNs (OpenVPN, IPsec, WireGuard)
b. reverse proxies (Caddy, Nginx, HAproxy, Apache) including ACME certificates
c. proper DNS (Unbound, DNSmasq, others)
d. separation of security zones via VLANs (if your switches and APs allow it)
Remember that for each nice feature,
you have to set it up (securely), so what sounds flashy first, may turn into a multi-day journey to set up and keeping it up-to-date later on.
If you are just a home user, you will be better of by buing a dedicated, yet more limited product like a Fritzbox, that is updated when there is need and uses much less power. Plus, you can install and forget it.
Repurposing an old PC or "going with the flow" is not a good sole reason to use OpnSense, IMHO. Sure thing is that you will find yourself either:
1. having found a new hobby inadvertently, with steep learning curves about networking
2. give up frustrated
3. ignore all advice and install the device in a suboptimal manner, causing security risks, probably leaving your installation untouched for years after installation.
I have seen all. Choose your poison.
P.S.: I know that there were no hardware recommendations in here besides buing a china box. If you still want to repurpose your old PC, avoid using Realtek adapters at all cost, and consider a smaller, modern power supply like a picoPSU.
For me things always go along the line: Problem -> Solution.
If *sense is not the solution to any of your problems, don't do it.
Or start thinking new, if you don't see the problem with Fritz*-things or alike plastic routers (sometimes pawned by your ISP) ;-)
Then *sense is a very, very versatile tool with a steep learning curve, which can solve many problems. At the same time it needs some time and intellectual effort to get it started and maintained over the years.
You do not describe any special requirements so the Fritzbox or equivalent option could be good.
It seems to me that wanting to build your own machine while not distracting from your real work is inconsistent with not wanting to invest too much effort in Opnsense software.
If you think there is any chance you might want to exploit some aspect of Opnsense in the future, you could buy a Deciso box with business licence for something closer to an OOB solution with reliable and suitable hardware, lower maintenance effort, updates for security rather than for the leading edge.
My situation is somewhere in the substantial space between yourself and meyergru. I like playing and learning with routers yet I want something I can afford to ignore for a while, so I run the CE edition on Deciso hardware despite holding a current business licence.
Most of the questions were very nicely explained and expanded by @meyergru
Quote from: Herdie27 on July 28, 2025, 07:52:56 AM4, Is Opnsense a hobby you put time into? Or a means to an end? (Plus being a very part-time network technician)
Well this is a interesting one. I would say its both, but mostly hobby. Running anything extra at a homelab other than an off-the-shelf-router can be considered a hobby. We are doing it not cause we can but cause we want, want to learn, want to have control and want to participate.
In theory you can just set it up and forget about it. But whats the point then? Just use an off-the-shelf-router...
Regards,
S.
Quote from: Seimus on July 28, 2025, 10:32:20 AMIn theory you can just set it up and forget about it. But whats the point then? Just use an off-the-shelf-router...
The problem with these is arbitrarily short supported lifetimes before they go EOL and become susceptible to this kind of crap:
https://www.securityweek.com/us-gov-disrupts-soho-router-botnet-used-by-chinese-apt-volt-typhoon/
https://www.pcmag.com/news/us-disinfects-routers-that-china-allegedly-used-for-hacking
https://www.justice.gov/archives/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical
(In this instance, the US govt. demonstrated its ability to infiltrate consumer devices on court order.)
Vendors haven't given us a great reason to trust that they can make secure products:
https://www.reddit.com/r/HomeNetworking/comments/kdf3wv/the_superuser_password_for_the_tplink_archer/
https://nvd.nist.gov/vuln/detail/CVE-2024-57040
There are many more examples.
At least with OPNsense you control the root account! I also have (at least more) confidence that none of the base system components contain hard-coded credentials.
Read again what I wrote: OpnSense is just as insecure as an off-the-shelf (i.e. unsupported) router if you do not update regularly.
That is mostly because you trade in security-by-obscurity in commercial products for an open source based product like OpnSense, which in turn can be easily analyzed for weaknesses. These exploits can and will be found after some time has passed, which makes it all the more essential to update.
That holds true for the whole stack of software that is underneath OpnSense.
You gain the sincerity that there is no builtin backdoor, true. But official actors have the means to employ 0day exploits as well, so they are not reliant on backdoors.
And lastly, product such as Fritzboxen are usually well supported.
@meyergru but also if you just run the default setup - allow and NAT anything out, block anything in on WAN, I do not see much risk with just hitting "update" for every new release. Like you would with a Fritzbox, too.
In my experience poroblems after upgrades almost always concerned more special use cases.
Use ZFS and snapshots and you should be fine.
The only maintenance that an open sense instance needs is the regular banning of IPs/subnets if you are so inclined. You do not have to do it if you do not want to spend time or do not have a policy. I am under a policy, so I have to block some types of access, and this is why I mention this task.
As to hardware, FreeBSD-based routers are very forgiving to it. Your config will be redundant as long as you use a high-quality Intel or other enterprise-class NIC. If you face SSL high-traffic, an instruction set that supports HW acceleration is beneficial but not really necessary. Your use case unlikely fits this description, so 4770 will certainly suffice. My router never uses more than 2GB of RAM, but I also do not run intrusion detection or other bells and whistles - just a plain router-firewall.
Maintenance-wise, an open sense instance is not too different from any cisco, microtic, or juniper. If you want flexibility and the best user-friendliness of the admin UI, open sense has no equals.
Then again a default setup does not warrant the use of OpnSense, anyway... ;-)
True, but again only if you believe that off-the-shelf products have at least comparable competence and execution in secure design. It's not just about having a "default deny" policy on a firewall. It's also about not actively helping bad actors to have a constant supply of back doors.
I'm not suggesting that FreeBSD or OPNsense are immune to exploit (to say nothing of firmware). It's just my impression that they don't go out of their way to do obviously stupid things in the name of plug-and-play convenience. They also don't create e-waste or leave you hanging by choosing to deny you updates after 2-3 years.
Of course Deciso could go out of business and stop developing OPNsense, but I'll hope not. :)
There's a small matrix for OPNsense.
Buy OPNsense device + biz lic
Buy OPNsense device + free community lic
Buy xyz + biz lic
Buy xyz + free community lic
Nobody escapes 100% from any vulns/problems/0day from any option, and it's no different than buy other make/model/names, etc.
To what level of risk you are willing to take is up to you. Least risk is probably OPNsense device + biz lic, but costs more. Lowering risk usually costs more.
I run OPNsense on xyz + community (see https://forum.opnsense.org/index.php?topic=48166.0). 2.5Gb copper, 10Gb sfp. Seems to work ok. I now need to keep an eye out for OPNsense vulns by monitoring MITRE CVE and NIST NVD (eg; https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:opnsense:opnsense:25.7:*:*:*:*:*:*:*). You can use the bsd part of OPNsense install to create a script that uses API to comb various databases for related OPNsense issues, and then that script can email you a notice, or even throw you a popup message when you login to the web gui. See, right there you have flexibility over other router items.
The argument "should I take on a new thing to manage" is a bit of nuance in logic, because that statement applies to anything being "new". A simple upgrade of anything means you are taking on something new.
Should you use OPNsense? Who knows, what are your choices, pros & cons to everything. I bought a N150 mini pc, china made item, I have no clue as to the quality, I not relying on the few amzon reviews, it may burn up on me in 30d, maybe 6mo, or maybe never. But I know enough that keeping it as cool as I can means it should last longer, but how much longer I have no idea. I went in under the cover to take a look at the PCB, it looked fairly decent, it was not hand soldered, etc. Obviously my choice means it's a device that is not servicing high value stuff, if it dies I just buy something else and rebuild.
For the OP a question begs,
What are your future lookups with a FW/GW?
OPNsense has a ton of features (VLANs, VPNs, RProxy, Captive portal, DHCP/NTP servers, etc.), if you can imagine yourself that you would in time need one of this features. Than you should go with OPNsense.
I have friends who have been looking to replace their off-the-shelf and most of them ended on OPNsense instead due to few reasons:
1. Money/performance ratio
2. Longevity
3. Features
Usually most of the people are interested in the 1. 2., cause they want most of their buck. The point 3. they started to explore as they explored OPNsense, realizing they need VLANs, VPNs etc. the fact they had a system capable of this made it easy for them and made them to learn.
Regards,
S.
Quote from: Seimus on July 29, 2025, 12:00:38 PMThan you should go with OPNsense.
Agreed. Just do it.
Hey all, I really appreciate all the responses they're very helpful! There's a few things that are going through my mind.
1. I can take things one at a time and simply start with a good, fast, router. Adding on additional features later for simplicity sake.
This will still take some time since I'll do a ton of reading and listening in order to understand what setting control what and getting to know how things work.
2. There were a few comments on a regular desktop chip consuming a lot of power compared to prebuilt options. I'm sure this is possible, but has anyone ever tried tuning a desktop chip to be as efficient as possible in order to sip power? Ultimately saving a buck.
3. What about solutions to get notifications of opnsense updates? Whether through email, rss feed, etc? If I can get a notification on my phone to update opnsense and jot it down in my notes app or something that would be of great help! I'm sure there's many ways to do something like that.
Again, thank you all for being gracious about your time, especially meyergru. I always hate to bother a forum with a long question/s with not solid answer. As much as I'm into this stuff and other things like it. It can get to be a lot if you're not experienced enough yet.
Quote from: Herdie27 on July 30, 2025, 05:08:47 AM[...]
2. There were a few comments on a regular desktop chip consuming a lot of power compared to prebuilt options. I'm sure this is possible, but has anyone ever tried tuning a desktop chip to be as efficient as possible in order to sip power? Ultimately saving a buck.
Sure, you can set clocks and power targets on many CPUs, but using a low-power device to start tends to be easier. Your Haswell may offer such (K model CPU), but I believe you'd need a higher-end motherboard chipset to take advantage of it. I always used the C series (workstation) chipsets, so my Intel stuff was always locked down (and all of my motherboards were factory configured for unlimited long-term turbo).
The power draw is less influenced by the CPU than it is by the components.
For example, a Desktop mainboard has 8 SATA Ports, 24 PCIe lanes, a Sound Chip, many USB Ports, and often a WiFi Chips. Each of Those increases power draw by 0.5-1 Watts.
Then, your typical Desktop has a power supply that is Rated for 600 Watts or more to accomodate a graphics Card. Power supplies Tend to have Their best efficiency at about half of their Rated power. At 25 Watt Idle power draw, Most pc supplies have an efficiency rate of less than 50%.
That is why I recommended a PicoPSU with a Max Rating of 80 Watts. Yet that alone will set you back so much that Buying a dedicated System may be worthwhile.
There is a YouTube Channel called Wolfgang's Channel who shows how to do that.
Quote from: meyergru on July 30, 2025, 05:47:05 PMThere is a YouTube Channel called Wolfgang's Channel who shows how to do that.
Coworker of mine ;-)
Quote from: Herdie27 on July 30, 2025, 05:08:47 AMI can take things one at a time and simply start with a good, fast, router.
But w/o some metrics how do we now what you mean by "good" and "fast"?
Are you talking about 10Gb all day long, a 100Mb on occasion? How much encryption will be done?
You can tune cpu power down to whatever min level you can tolerate. Dozing cpu means it takes longer to wake up.
What's the concern about power use? Cost of the power, the heat it makes, other?
As far as notify on updates, check this one https://forum.opnsense.org/index.php?topic=23227.0
I however have a shell script (for another product I have) that checks to see if a web path has something new, and if it does the script pulls it down via wget. You can easily do checking using any scripting you like, just go look at a download mirror to see what that latest version is. This is just for OPNsense. Just open a mirror and look:
https://mirror.sfo12.us.leaseweb.net/opnsense/releases/
https://mirror.vraphim.com/opnsense/releases/
https://mirror.raiolanetworks.com/opnsense/releases/
Quote from: meyergru on July 30, 2025, 05:47:05 PM[...]
That is why I recommended a PicoPSU with a Max Rating of 80 Watts. Yet that alone will set you back so much that Buying a dedicated System may be worthwhile. [...]
Er, $25-50? Although you'll need a decent AC supply, too, so there's that expense. These days I'd try the HDPlex "250W GaN Passive AIO ATX Power Supply", largely as it's a single unit. Worth the price? Probably not. But hey. In the past the PicoPSU's limited 3.3 and 5V output was a constraint, but these days more devices use 12V (even a few motherboards), so the ones with a 12V input should be... well, better.
Quote from: BrandyWine on July 30, 2025, 06:49:25 PM[...]
What's the concern about power use? Cost of the power, the heat it makes, other? [...]
One or more of the above. Some are legitimate, some are... elective. Like most folks, I have some real constraints, and I go out of my way to find others.
Quote from: pfry on July 30, 2025, 10:07:39 PMOne or more of the above. Some are legitimate, some are... elective. Like most folks, I have some real constraints, and I go out of my way to find others.
Well, there's two solutions for that.
1) Obtain some free power from sunlight, have a battery (charged by sunlight) that powers it when the sunlight is dark. So free power here.
2) Lower heat means lower used wattage. Devices rarely use full rated power, but using less power means less heat. If the heat dissipation vectors are an issue (like in small enclosure or room), then some sort of ductwork and fan is needed to move the heat elsewhere.
Not knowing the actual constraints means less fruitful answers.
Here in Germany 1 Watt of 24/7 Operation is around 2€ per Year. With a typical Desktop drawing 30 Watts more power, a dedicated N100 for around 250€ pays for itself after 3 years of Operation.
I would rather Sell the old desktop on EBay than to repurpose it as a Firewall.
Of course, this depends on actual Energy cost and if you can use alternative power sources.
Quote from: meyergru on July 31, 2025, 09:04:02 AMHere in Germany 1 Watt of 24/7 Operation is around 2€ per Year. With a typical Desktop drawing 30 Watts more power, a dedicated N100 for around 250€ pays for itself after 3 years of Operation.
I would rather Sell the old desktop on EBay than to repurpose it as a Firewall.
Of course, this depends on actual Energy cost and if you can use alternative power sources.
Germany ranked #8 for most expensive.
There's no ROI when using power. The best you get is a TCO comparison. Power using devices only have ROI if they can give back more than they use, like solar panels, but these days the electric companies do not care to pay you money, they often times just give credits to some max threshold, making ROI about impossible to achieve.
If you have to pay 250€ more than just using something you already have (= 0€), but you Save 80€ per year, that invest will be amortized After 3 years. Period.
It does not matter what you call it, ROI or TCO. I did not call it either.
The simple fact is that in Germany, After 4 years, you will have less total cost when you do but a dedicated box instand of repurposing an old Desktop. And the cost difference will only increase with more time passing. Easy as that.
Quote from: meyergru on August 01, 2025, 09:58:11 PMIf you have to pay 250€ more than just using something you already have (= 0€), but you Save 80€ per year, that invest will be amortized After 3 years. Period.
I get it.
However......
spend 250 for device, spend 250 for 3yrs, = 500 for 3yrs
spend 0 for existing, spend 250 for 3yrs, = 250 for 3yrs
It's like saying "come to the big sale at Macy's, all day today save 25%"
Blahhhhhahahaha. You not saving anything, you just spending less (less money out of your wallet).
A ROI means pos money flow into your account (we usually choose the pos nature of "ROI", ROI can also be negative, like depreciating value of car or home). No power using device ever gives you pos ROI. A device like solar panels might, depends on who buys the juice coming out of it.
So, the TCO parts just means how much you spent over time, A vs B. That's only the cost view, then layer on performance/features/ability to upgrade, yada yada yada.
I would opt to spend a little now, because both choices age over time, so why start with something that is already aged?
We're on the same page. Cheers.
Quote from: BrandyWine on August 01, 2025, 11:03:16 PMspend 250 for device, spend 250 for 3yrs, = 500 for 3yrs
spend 0 for existing, spend 250 for 3yrs, = 250 for 3yrs
The new 250 $/€ device will use roughly 80 $/€ worth of electricity bill
less per year than the repurposed 0 $/€ desktop machine. That's why it pays after 3 years.
Quote from: Patrick M. Hausen on August 01, 2025, 11:06:33 PMQuote from: BrandyWine on August 01, 2025, 11:03:16 PMspend 250 for device, spend 250 for 3yrs, = 500 for 3yrs
spend 0 for existing, spend 250 for 3yrs, = 250 for 3yrs
The new 250 $/€ device will use roughly 80 $/€ worth of electricity bill less per year than the repurposed 0 $/€ desktop machine. That's why it pays after 3 years.
So what was the 3yr electric cost for old vs new device? I perhaps misunderstood that part.
And as long as you are paying for electric, no ROI, just TCO A vs B.
Desktop draws at least 30 W more power than an embedded device (Protectli or similar from Aliexpress). Which results in 80 € more per year for electricity. The absolute numbers are not that interesting.
Quote from: Patrick M. Hausen on August 01, 2025, 11:19:49 PMDesktop draws at least 30 W more power than an embedded device (Protectli or similar from Aliexpress). Which results in 80 € more per year for electricity. The absolute numbers are not that interesting.
I don't follow.
So regardless of the embedded device, the desktop is always +30w? Doesn't make much sense.
If my embedded is 1w, desktop is 31w?
If my embedded is 15w, desktop is 45w?
Need real world example, real numbers.
The difference in power costs is embedded power costs vs desktop power costs.
If the example was embedded was 10 and the desktop was 40, ok, diff of +30 for the desktop. 3yrs worth is +30 x 3yr x cost per unit.
@meyergru was comparing the desktop in the initial post with a common embedded firewall device. The latter clock in at 20 W or below, typically.