Hi, I have been running OPNsense for some years on a 19" self-made router built from spare parts.
I probably need to get rid of my 19" rack and need a smaller solution.
I have no demanding needs, it's just my home, some VLANs, Unbound etc.
I read about CWWK N100 and N150, but I also read about heat issues on such devices. And there are a quadrillion versions of them.
Is there anything recommended?
I saw this fanless one https://www.amazon.de/CWWK-Upgraded-Firewall-Appliance-3-Display/dp/B0DTB6LZRQ and this with a fan https://www.amazon.de/CWWK-Pocket-NAS-Computer-Expandable-2-Display/dp/B0DZ5GF8J4 .
The first one even has 6 LAN ports. I am not sure whether this would have some downsides, but I might not even need my switch in this case, as this looks sufficient for my modem, my access point, server and printer. So I could probably get rid of a complete device.
no heat issues on my N150. https://forum.opnsense.org/index.php?topic=48166.0
Small enclosed devices......... always need a cooling fan on heatsink, or a fan blowing on it. Make sure the device has some heatsink ribs, nothing flat.
N150 has max op temp of approx 120C, my N150 swings between 40-60C depending on what it's doing.
Caveat: my temps noted are likely because currently I have device sitting directly on my R7000 wifi router, and the top of the R7000 is fairly warm.
So I am expected to bind or tape a fan on top of those devices? From the description I thought they are passively cooled, if no fan is included.
If I take the 6*2.5GB device, can I connect my devices directly to the firewall instead of running an extra switch on it?
Currently I have a two port link aggr. to my Mikrotik switch, but I guess if I don't need that, I would be fine in that room with 5 ports.
But maybe I overlook something.
With a 6 port device you can configure a LAN bridge for 5 ports and essentially get a builtin "switch".
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
Quote from: BrandyWine on August 06, 2025, 04:12:51 PM
[...]
Small enclosed devices......... always need a cooling fan on heatsink, or a fan blowing on it. [...]
Pedantic nitpick: Passive cooling is practical with sufficient effort, e.g. with an HDPlex or Streacom enclosure. Example (https://www.tailbone.net/projects/H3v3/index.html). The kits tend to be (at least comparatively) expensive, require careful selection of components, and, for best results, likely require a bit of fabrication. How would I put it? Not recommended for someone who's looking for an inexpensive turnkey solution.
For commercial compact boxes, I agree: fan-cooled is probably a better bet than passive, but of course it depends on the specific implementation.
@Patrick: On the top it's mentioned one shouldn't do this if one considers to have much traffic through it. But it could be okay if the CPU has enough headroom.
So I guess it might be better to connect my MikroTik switch to it. Probably again with link agg. As I have some traffic between VLANs.
So if I can't use the CWWK device passively, it's kind of a bummer.
Quote from: Simaryp on August 06, 2025, 07:30:14 PM
@Patrick: On the top it's mentioned one shouldn't do this if one considers to have much traffic through it.
You can just try. I easily achieved 1 Gbit/s with the FreeBSD bridge on an Atom 3000 based board. I don't have any 2.5 Gbit/s equipment.
I would have the wifi AP and a Server connected to it. Probably a printer, but this doesn't matter. And maybe a switch in another room. The AP and the server.
I wouldn't like to spend too much time, if it's a bad idea.
Quote from: Simaryp on August 06, 2025, 07:42:41 PM
I would have the wifi AP and a Server connected to it. Probably a printer, but this doesn't matter. And maybe a switch in another room. The AP and the server.
I wouldn't like to spend too much time, if it's a bad idea.
Here's what I suggest. If you can afford a small i3 that has a fan, go for that.
My N150 has three 2.5G copper and two 10G SFP ports, but I am not sure the device can route & switch that fast. Right now I don't even need 2.5G.
Define your metrics, go from there.
I am currently using an Asrock J something board with an embedded CPU from 2015 and an Intel NIC in a modded 19" case.
That works, but I am looking to get something in the size of my Fritzbox and my mikrotik css611, as I want to get rid of the 19" rack and put some small devices in a shelf.
I do nothing fancy and power hungry, no suricata or dpi. It's just routing, wireguard, dhcp and unbound.
Edit: I live in Germany, my ISP bandwidth is shit. So 250 down 40 up. Currently most devices are connected over 1G copper, but I probably will connect more via wifi. Probably the server upgrade brings 2.5G for the server. But worst case I am streaming on the TV while I do some work on the file server in parallel. So no big traffic.
Quote from: Simaryp on August 06, 2025, 07:42:41 PM
[...]
I wouldn't like to spend too much time, if it's a bad idea.
As far as time investment, you can set up a bridge on the LAN side of the firewall and plug in as many devices directly as you choose (and have ports assigned for, of course). You don't have to eliminate the bridge if you don't end up using it. (I probably would, but I'm a nut.)
I've used my firewall as my central network distribution point for 15 years, with some pretty tiny devices (Fortigate 100D and 61E).
Quote from: Simaryp on August 06, 2025, 07:42:41 PM
I wouldn't like to spend too much time, if it's a bad idea.
It's not a bad idea. The FreeBSD bridge has been completely rewritten with a serious amount of money thrown at the problem by the FreeBSD Foundation. The performance gains were five to ten fold. If you can reach full 2.5 Gbit/s depends on so many factors, you will just need to go and try.
It's not more than an hour or two of effort for crying out loud.
Set up a LAN bridge, then check what you can get across it from/to two different PCs, both with 2.5 Gbit/s network interfaces. Don't run iperf from/to OPNsense itself.
I don't have two PCs with 2.5 G, actually none at the moment. ^^.
I also have no clue what my switch requirements and the placement of all devices will look like. I am searching for a flat now. If all devices are in the living room, near to each other, it might be worth to connect the firewall to the switch via a 10G SFP+ module and the server as well, and all other devices which are around 5 extra too.
In that case, there is a cwwk device with 2 regular lan ports and two sfp+ ports and some small integrated fan. What do you think about that device?
https://www.amazon.de/CWWK-Firewall-Appliance-Computer-OPNsense/dp/B0DSHW8D4L?ref_=ast_sto_dp&th=1&psc=1
Quote from: Simaryp on August 07, 2025, 06:21:33 AM
I don't have two PCs with 2.5 G, actually none at the moment. ^^.
I also have no clue what my switch requirements and the placement of all devices will look like. I am searching for a flat now. If all devices are in the living room, near to each other, it might be worth to connect the firewall to the switch via a 10G SFP+ module and the server as well, and all other devices which are around 5 extra too.
In that case, there is a cwwk device with 2 regular lan ports and two sfp+ ports and some small integrated fan. What do you think about that device?
https://www.amazon.de/CWWK-Firewall-Appliance-Computer-OPNsense/dp/B0DSHW8D4L?ref_=ast_sto_dp&th=1&psc=1
I would find one that has 3 copper ports, WAN LAN IOT, something like that.
10G sfp to a switch? What 10G switch are you getting?
For home, technically, 10G managed switch that supports .1q, fiber between fw and switch (only one connection, etc), then everything else is wired into their appropriate vlan (switch port). This way if you want more segments (in fw) it's just .1q config. Simple.
Quote from: BrandyWine on August 07, 2025, 08:29:45 PM
10G sfp to a switch? What 10G switch are you getting?
For home, technically, 10G managed switch that supports .1q, fiber between fw and switch (only one connection, etc), then everything else is wired into their appropriate vlan (switch port). This way if you want more segments (in fw) it's just .1q config. Simple.
I've got a https://mikrotik.com/product/css610_8g_2s_in in my living room and a https://mikrotik.com/product/CSS326-24G-2SplusRM in my rack.
I am planning to get rid of at least the bigger one. And probably keep the smaller one.
It's all overkill for my needs and I thought for a moment to just use the ISP router again. But I like my unbound, my wireguard and the chance to separate stuff via VLANs.
Quote from: Simaryp on August 07, 2025, 08:41:22 PM
Quote from: BrandyWine on August 07, 2025, 08:29:45 PM
10G sfp to a switch? What 10G switch are you getting?
For home, technically, 10G managed switch that supports .1q, fiber between fw and switch (only one connection, etc), then everything else is wired into their appropriate vlan (switch port). This way if you want more segments (in fw) it's just .1q config. Simple.
I've got a https://mikrotik.com/product/css610_8g_2s_in in my living room and a https://mikrotik.com/product/CSS326-24G-2SplusRM in my rack.
I am planning to get rid of at least the bigger one. And probably keep the smaller one.
It's all overkill for my needs and I thought for a moment to just use the ISP router again. But I like my unbound, my wireguard and the chance to separate stuff via VLANs.
On the smaller MikroTik, what's the packet mem buffer size? I am curious about the device.
Two 10G ports, one for fw and one to the ISP, the others are just 1G. 10G to the ISP? DOCSISv4 maybe? So fiber to home?
Would be nice if they made the 1G's into 2.5G, that would be sweet. Which they have CRS310-8G+2S+IN. I still wonder buffer size though, so I have to find out.
I don't know about the buffer size.
10G to the ISPs modem/router would be useless for me. I only get 250/40 mbit/s.
I only considered 10G from switch to a possible opnsense firewall to not get throttled if there is multiple inter-vlan routing. And I considered using the other port for a possible 2.5G server, so that two wired clients could get full speed.
But also that is not necessary and I think a full 1G setup would be sufficient.
I only want to find a silent, small and power efficient device to replace the bigger MITX router I built.
Quote from: BrandyWine on August 07, 2025, 08:58:21 PM
On the smaller MikroTik, what's the packet mem buffer size? I am curious about the device. [...]
Heh. We're getting way off topic here, but hey. Look at RouterOS Bridging and Switching (https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching). Lots of interesting capabilities for some devices. Mostly useless to me, since I run everything through my firewall. The CSS610 is a SwitchOS (https://help.mikrotik.com/docs/spaces/SWOS/pages/328415/SwOS) device.
Quote from: Simaryp on August 07, 2025, 09:57:05 PM
[...]
But also that is not necessary and I think a full 1G setup would be sufficient. [...]
A bird in the hand... uh... makes paying for a bigger bird unattractive? Anyway, it's easy enough to upgrade when/if you care to.
Quote from: pfry on August 07, 2025, 10:51:37 PM
Quote from: BrandyWine on August 07, 2025, 08:58:21 PM
On the smaller MikroTik, what's the packet mem buffer size? I am curious about the device. [...]
Heh. We're getting way off topic here, but hey. Look at RouterOS Bridging and Switching (https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching). Lots of interesting capabilities for some devices. Mostly useless to me, since I run everything through my firewall. The CSS610 is a SwitchOS (https://help.mikrotik.com/docs/spaces/SWOS/pages/328415/SwOS) device.
I have been using virtual wire setups in Palo Alto, and way older L2 bridging Fw's (decades ago),..... for a long time. Bridging is nothing new, and not all that "interesting".
Quote from: Simaryp on August 07, 2025, 09:57:05 PM
I only want to find a silent, small and power efficient device to replace the bigger MITX router I built.
N150 is very power efficient. An i3 can be easily power managed.
There's probably 1,000 mini devices with each cpu that meets your needs. Dig some up, toss up here what you found.
Quote from: BrandyWine on August 08, 2025, 04:32:10 AM
Quote from: Simaryp on August 07, 2025, 09:57:05 PM
I only want to find a silent, small and power efficient device to replace the bigger MITX router I built.
N150 is very power efficient. An i3 can be easily power managed.
There's probably 1,000 mini devices with each cpu that meets your needs. Dig some up, toss up here what you found.
I linked several here already.
Active cooling 2xRJ45 2xSFP+:
https://www.amazon.de/CWWK-Firewall-Appliance-Computer-OPNsense/dp/B0DSHW8D4L
Fanless 6xRJ45:
https://www.amazon.de/CWWK-Upgraded-Firewall-Appliance-3-Display/dp/B0DTB6LZRQ
Fanless 4xRJ45:
https://www.amazon.de/CWWK-Upgraded-Firewall-Appliance-3-Display/dp/B0DTB6LZRQ
Active cooling 2xRJ45:
https://www.amazon.de/CWWK-Upgraded-Pocket-NAS-Expandable-2-Display/dp/B0DZCPLM8W
I am a person hearing the grass growing. So if I could probably get away fanless with no custom cooling and the device has no ugly coil whine etc. that would be nice, because it probably stays in my living room.
I could get this cable here:
https://mikrotik.com/product/xs_da0001
Buy the two SFP+ variant with cooling and connect the router to the switch, and use one RJ45 for my ISP router.
If the thing stays cool and quiet, it might be a good solution I guess. Sadly I have no info about that.
If only one fiber cable, then is it .1q?
.1q to fw (1 cable) will always mean 1/2 iface for total bandwidth. But 5G is still 2x that of the copper 2.5G.
I myself like the one cable design, less mess.
Get the i3 fan version. The fan is silent during the day. At night you might hear a slight fan.
https://www.amazon.com/Firewall-Hardware-82599ES-OPNsense-Appliance/dp/B0F7QR8KLQ
When my needs get to that level, I'll replace my N150 for i3 version.
Funny how they added description like that, but the i3-N305 is dual mem channel capable, significantly way better than single mem channel N150.
Do I need the power of the N305?
Why this one instead of the N150 I linked?
I thought about simply getting this cable and plug it between switch and firewall and then forget about it forever.
https://mikrotik.com/product/xs_da0001
I should consider connecting the AP to a FW port, if I get a 2.5G capable AP I guess. But for the moment it wouldn't matter, as it's only 1G.
I think once you start to talk about 10G links, even though you may not fill it now, choosing hardware that is better suited for that ("future proof") is not a bad idea. It's the same chassis btw.
I understand the cable, I'm just not sure it's needed if your fw will be an N150. With N150 I myself would probably just use the copper up to the 2.5G ability of the ifaces.
The i3-N305 is just way better than the N150.
My current performance and setup would be probably fulfilled with anything having two 1G ports.
Being future proof is nice though and with the switch I could already establish a fiber connection, although I might not need it.
But the SFP+ i3 version costs easily over 400€ and I am quite sure I can't utilize that power anyways.
My main focus is: replace the space consuming and power hungry 4*1G solution with something quiet, tiny and at least on par. Ideally I can just install opnsense and upload my config. If it is better, like 2.5G or SFP, I happily take it.
And quiet means quiet. I can hear the coil whine from my monitor if the laptop is charged in standby. I like if things don't make noise.
Then start with an N150 device, fan cooled, the one you listed.
Thanks for the help. Found also some videos on youtube with reviews. The devices from prev generation seem to be quite power hungry in idle and probably noisy.
I will try to find out about the power draw of N150. Probably, if the boards without fan have a pwm header I would go for them and strap a Noctua on them.
Probably I will also step down a bit on the vlans. If there is not much intervlan routing, the 10G between FW and switch would be wasted. And I went maybe a bit too far on segmenting everything. I read it comes also with some higher power usage.
Before I used my 10G specimen, I had a 4 port N100. You can easily get away with that when you configure one NIC for your main LAN and another one for IoT, Guest and so on. As a matter of fact, if your internet connection does not give you more than 2.5 GBps, there will be no bottleneck for either path and even for bidirectional inter-VLAN traffic, it will most likely suffice.
That is because you usually only have traffic between your main LAN and any one of the others, but not between the latter.
With more than 4 ports, you can even segment into more (V)LANs like this.
I went a bit wild with VLANs, like my printer has its own VLAN, my android and media devices have their own, and my server and linux pcs etc. And then I have rules to allow traffic to the server and so on.
But if I put all my private devices into one, all the traffic goes via the switch.
My internet connection is only 150Mbit/s down and 40 up. So I don't need that for net, only like if I would have parallel traffic between VLANS I would need more than 1G between switch and FW.
For the WiFi stuff I think the radio is limiting anyway. I have an EAP245 and I only get around 300Mbit between my laptop and server. I guess I could upgrade the AP, but I don't know if newer ones would bring any real world benefit.
I heard on Youtube that the fan device can become quite loud. So I thought a passive one with a noctua might work.
Something like this would be nice, passive and low power, but the price
https://shop.opnsense.com/product/dec750-opnsense-desktop-security-appliance/
Or maybe I should get something like this
https://www.kleinanzeigen.de/s-anzeige/lenovo-m720q-tiny-pc-intel-core-i3-8gb-ram-256gb-ssd/3155678802-278-1744
and put my NIC in there and maybe upgrade to SFP+ when needed.
As I said, there is mostly inter-VLAN traffic from your main LAN to any other VLAN, even if you went wild with that. So, you can combine all other VLANs on one interface and LAN on the other. Plus, the 4 or 6 NIC boxes are not getting as hot as the ones with SFP+ adapters and are cheaper, too.
You mean making one cable for main VLAN from switch to FW and then a second one with a trunk of all other VLANs? That's maybe a better idea than having two combined via link aggregation and having everything via it.
So maybe the 4Port N150 passive is the way to go.
Yes, especially considering that a LAGG does not work in practice for home setups. That is because any IP stream between two machines can only use one connection at a time. Most switches can only distribute packets by MAC, IP or port number, round robin exists only for Infiniband.
The best thing you could have is to have multiple streams between two machines, but since most switches cannot even do port distribution, it will not help, either.
And since most switches just distribute based on MAC, you can end up in situations where most or all of your machines communicate over the same link, while the other is scarcely used. LAGG functions only for large installations, where statistics play in your favor.
By dividing up the links into the probable sides of a communication, you can manually select that both links are used for inter-VLAN communications.
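Added example, not part of the original post: a small Python model of the per-flow link selection described above, showing one client's parallel streams and several clients' streams on a two-link LAGG. The XOR hash, the policy names (mac, ip, port) and all host addresses are constructed for illustration and are not the hash of any particular switch or of FreeBSD's lagg driver.

```python
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src_mac dst_mac src_ip dst_ip src_port dst_port")

POLICIES = ("mac", "ip", "port")  # cumulative: mac, mac+ip, mac+ip+ports


def _xor_fold(data):
    """XOR all bytes together (toy stand-in for a vendor hash)."""
    h = 0
    for byte in data:
        h ^= byte
    return h


def pick_link(flow, policy, n_links=2):
    """Return the member link a frame of this flow is sent on.

    Only header fields feed the hash, so every frame of one flow
    lands on the same link no matter how much data it carries.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    key = bytes.fromhex(flow.src_mac.replace(":", ""))
    key += bytes.fromhex(flow.dst_mac.replace(":", ""))
    if policy in ("ip", "port"):
        key += ipaddress.ip_address(flow.src_ip).packed
        key += ipaddress.ip_address(flow.dst_ip).packed
    if policy == "port":
        key += flow.src_port.to_bytes(2, "big")
        key += flow.dst_port.to_bytes(2, "big")
    return _xor_fold(key) % n_links


def link_usage(flows, policy, n_links=2):
    """Count how many flows end up on each link."""
    return Counter(pick_link(f, policy, n_links) for f in flows)


# Constructed home network: three clients talking to one file server.
SERVER = ("02:00:00:00:00:02", "192.168.1.2")
CLIENTS = {
    "laptop": ("02:00:00:00:00:10", "192.168.1.16"),
    "tv": ("02:00:00:00:00:20", "192.168.1.32"),
    "pc": ("02:00:00:00:00:30", "192.168.1.48"),
}


def make_flow(client, src_port, dst_port=445):
    mac, ip = CLIENTS[client]
    return Flow(mac, SERVER[0], ip, SERVER[1], src_port, dst_port)


def parallel_streams(n=8):
    """n simultaneous streams between the same two machines."""
    return [make_flow("laptop", 50000 + i) for i in range(n)]


def one_stream_per_client():
    """Each client opens a single stream to the server."""
    return [make_flow(name, 50000) for name in CLIENTS]


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "parallel streams:", dict(link_usage(parallel_streams(), policy)))
    print("mac, one stream per client:", dict(link_usage(one_stream_per_client(), "mac")))
```

With these constructed addresses, MAC or IP hashing puts all eight laptop streams and all three clients on link 0; only the port-aware policy spreads the parallel streams across both links.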
Thanks, that was helpful information.
I think I can also ignore the 2.5G of my new server for the moment. I am using my laptop primarily, which over WiFi only gets 300Mbit/s and other connections are mostly streaming, which is also not really taking lots of bandwidth.
So I think I will go for the passive 4 Nic version with N150.
Is the RAM and SSD included good or should I shop separately?
I always shop separately, because it is cheaper and you know exactly what you get. Pay attention to buy an enterprise class NVME with high TBW, because RRD and Netflow on ZFS will eat through it like a hot knife through butter.
Do you have a recommendation for a specific model?
Maybe this Gigabyte one. It has a TBW of 110 TB.
GP-GSM2NE3128GNTD
I use two types of NVMEs for my PRX and OPNsense
Samsung 980 500GB - 300 TBW
Lexar SSD NM790 512GB - 500 TBW
Regards,
S.
I would use a type that has at least 500 TBW, independent of capacity. Preferably, you could use a larger capacity, which you do not need specifically, but which gives you more headroom for writing. I always use specimens with real RAM cache for obvious reasons (i.e. SLC cache does not help).
On the other hand, speed does not matter at all or is even detrimental, because newer PCIE 4.0 or 5.0 NVMEs tend to get much hotter without any visible benefit.
You can search for the parameters on many product search sites, like this: https://geizhals.de/?cat=hdssd&xf=7525_M.2+(PCIe)
For these types of application, a Transcend MTE220S might be a good choice, but there are others.
That being said, I made a bad decision for my last N100 box and chose a 500 GByte Kioxia Exceria G2 (https://geizhals.de/kioxia-exceria-g2-ssd-500gb-lrc20z500gg8-a3103418.html) because of its low price. It only has a 200 TBW rating (or 400 TBW per TB).
Here is the smartctl output for that drive:
smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.3-RELEASE-p1 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org
=== START OF INFORMATION SECTION ===
Model Number: KIOXIA-EXCERIA G2 SSD
Serial Number: 44OA40XTK71S
Firmware Version: ECFA17.3
PCI Vendor/Subsystem ID: 0x1e0f
IEEE OUI Identifier: 0x8ce38e
Total NVM Capacity: 500,107,862,016 [500 GB]
Unallocated NVM Capacity: 0
Controller ID: 1
NVMe Version: 1.3
Number of Namespaces: 1
Namespace 1 Size/Capacity: 500,107,862,016 [500 GB]
Namespace 1 Formatted LBA Size: 4096
Namespace 1 IEEE EUI-64: 8ce38e 0300993420
Local Time is: Mon Aug 11 21:59:09 2025 CEST
Firmware Updates (0x12): 1 Slot, no Reset required
Optional Admin Commands (0x0017): Security Format Frmw_DL Self_Test
Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp
Log Page Attributes (0x0a): Cmd_Eff_Lg Telmtry_Lg
Maximum Data Transfer Size: 512 Pages
Warning Comp. Temp. Threshold: 72 Celsius
Critical Comp. Temp. Threshold: 90 Celsius
Supported Power States
St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat
0 + 7.69W - - 0 0 0 0 1 1
1 + 6.18W - - 1 1 1 1 1 1
2 + 5.42W - - 2 2 2 2 1 1
3 - 0.0500W - - 3 3 3 3 7000 5000
4 - 0.0050W - - 4 4 4 4 13000 36000
Supported LBA Sizes (NSID 0x1)
Id Fmt Data Metadt Rel_Perf
0 - 512 0 2
1 + 4096 0 1
=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
SMART/Health Information (NVMe Log 0x02, NSID 0xffffffff)
Critical Warning: 0x00
Temperature: 58 Celsius
Available Spare: 100%
Available Spare Threshold: 5%
Percentage Used: 12%
Data Units Read: 3,532,700 [1.80 TB]
Data Units Written: 34,666,845 [17.7 TB]
Host Read Commands: 79,386,577
Host Write Commands: 266,663,545
Controller Busy Time: 560
Power Cycles: 11
Power On Hours: 3,024
Unsafe Shutdowns: 4
Media and Data Integrity Errors: 0
Error Information Log Entries: 80
Warning Comp. Temperature Time: 0
Critical Comp. Temperature Time: 0
Thermal Temp. 1 Transition Count: 100
Thermal Temp. 1 Total Time: 18823
Error Information (NVMe Log 0x01, 16 of 63 entries)
No Errors Logged
Self-test Log (NVMe Log 0x06, NSID 0xffffffff)
Self-test status: No self-test in progress
No Self-tests Logged
Notice how this drive has only 3024 hours of use (i.e. 126 days or 4 months), yet 12% or 17.7 TByte of its life has already been eaten by RRD and Netflow. At that rate, it will last much less than 3 years in total, which is probably less than the expected life of the box itself.
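Added example, not part of the original post: a Python script that turns the smartctl fields quoted above into a write rate and two lifetime projections, one against the rated TBW and one from the drive's own wear counter. The function and constant names are made up for this example; the 200 TBW rating is the one stated in the post, and the excerpt holds only the four fields the calculation needs.

```python
import re

# Fields copied from the smartctl output quoted in the post above.
SMARTCTL_EXCERPT = """\
Percentage Used: 12%
Data Units Read: 3,532,700 [1.80 TB]
Data Units Written: 34,666,845 [17.7 TB]
Power On Hours: 3,024
"""

DATA_UNIT_BYTES = 512_000  # NVMe: one data unit = 1000 * 512 bytes
HOURS_PER_YEAR = 8760


def _field(text, label):
    """Return the integer after 'label:' with thousands separators removed."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*([\d,]+)", text, re.MULTILINE)
    if m is None:
        raise ValueError(f"smartctl field not found: {label!r}")
    return int(m.group(1).replace(",", ""))


def endurance_estimate(text, rated_tbw):
    """Project total drive life in years from `smartctl -a` text output.

    rated_tbw is the vendor's endurance rating in terabytes written.
    """
    written_tb = _field(text, "Data Units Written") * DATA_UNIT_BYTES / 1e12
    hours = _field(text, "Power On Hours")
    pct_used = _field(text, "Percentage Used")
    if hours == 0:
        raise ValueError("0 power-on hours: no write rate to extrapolate")
    years_on = hours / HOURS_PER_YEAR
    tb_per_year = written_tb / years_on
    return {
        "written_tb": written_tb,
        "gb_per_day": tb_per_year * 1000 / 365,
        # Total life if host writes continue at this rate up to rated TBW.
        "life_years_by_tbw": rated_tbw / tb_per_year,
        # Total life if the drive's wear counter keeps rising linearly;
        # undefined while the counter still reads 0%.
        "life_years_by_pct": years_on * 100 / pct_used if pct_used else None,
    }


if __name__ == "__main__":
    estimate = endurance_estimate(SMARTCTL_EXCERPT, rated_tbw=200)
    for key, value in estimate.items():
        shown = "n/a" if value is None else f"{value:.2f}"
        print(f"{key:>18}: {shown}")
```

Percentage Used is the drive's own vendor-specific wear estimate, so it does not have to advance at the same pace as host writes divided by the rated TBW.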
The Addlink D60 (https://www.addlink.com.tw/nas-d60) is a 1DWPD device (5Y warranty). Not very impressive, but more than most. It's also a burning weenie roaster, like every other M.2 SSD I've used. But if you're stuck with M.2, it's an option. There are few 3DWPD M.2 SSDs left - maybe Micron's 7300 or 7450 Max (not Pro).
As a data point, I use basic rules with logging enabled, Kea, NTP, RRD, no IPS, no netflow. Static IP Internet service with servers, so ~300 sessions average (at the moment - it's been higher). After 8 months, SMART indicates:
Data Units Read: 64,626 [33.0 GB]
Data Units Written: 1,305,190 [668 GB]
A bit less than 18TB. But then I have a 1.6TB 3DWPD device, so 18TB would be a couple weeks' worth of writes.
With a 10G fiber cable, you can use just that one cable between fw and the switch. "Trunk" as you will, more specifically .1q.
Then on switch you carve out your vlans (lan, lan2, lan3, wan, etc etc). Unless you do span all the time (ids, other), just need 1port for wan (isp).
A one-port SFP+ device is technically all that's needed if you have a decent managed switch.
I'm not sure what was meant by "vlans with routes". Did you build L3 vlans, and if so why? Just need L2 vlans and .1q to fw.
Quote from: Simaryp on August 11, 2025, 04:06:20 PM
Do you have a recommendation for a specific model?
Maybe this Gigabyte one. It has a TBW of 110 TB.
GP-GSM2NE3128GNTD
Get the sizes you need
150 TBW https://www.amazon.com/dp/B07ZGK3K4V , noted: the Samsung 980 is way better, also about 3x the price.
Crucial https://www.amazon.com/dp/B09S2MN8JH
Get what you can out of zfs, noatime
(https://i.postimg.cc/zGW1F6fC/noatime.png)
I am familiar with Geizhals.
Then maybe the 500GB Transcend MTE220S it is. And some 8GB Kingston module.
But first project will be a new no HDD server suitable for living room and then refresh of the network.
@BrandyWine. But what will be the power consumption of this 1 SFP+ fiber compared to the two RJ ports?
I know about this router on a stick model, but I had enough ports so far to use a dedicated WAN on the FW.
@Brandywine: Objection on all parts:
1. I use a 10G DAC connection as well - unless you have a specific need for an inter-VLAN or internet connection that actually uses the full speed of this, it is a waste of money and energy. Also, the NICs make the box much hotter (all of the 10G models have active cooling and deservedly so) and 10G switches are much more expensive, too.
As for the need of that speed: remember, that even a huge RAID NAS has a write speed of one HDD effectively, i.e. ~200 MByte/s or 2 GBps, which is well below what you can achieve with 2.5 Gbps NICs. So, only if your client(s) has 10G and your NAS uses SSD storage, you will gain almost nothing by using 10G. Been there, done that (actually, doing it now).
2. IMHO, 150 TBW is way too small if you want RRD and Netflow, as I already demonstrated. Notice my drive has 200 TBW and will be gone after < 3 years for home usage.
3. noatime is the default on OpnSense anyway, so there is nothing to set at all. Also, noatime - which means "do not change any metadata on access (i.e. reads)" - will do next to nothing for a COW filesystem like ZFS, where the rewrites on statistics data already copy all of the written sectors.
I was just noting TBW price diffs. I did say that Samsung 980 was way better.
Using the 10G SFP+ doesn't mean the switch needs to be 10G. It's like using CAT6 cable when all you need now is a CAT5E.
noatime, I was kinda just mentioning it as a check. It's in bsd tuning guides, I perhaps didn't realize it was the default.
All the SFP's come with a fan? Seems to be the case, but I did also mention (I think) that should get whatever with a fan. They are pretty quiet, makes you want to check it from time to time just to make sure it's spinning. Heat is heat, whether fan is there or not, the diff is device temp.
I don't know about the power usage. 2-3 coppers vs 1 SFP+ , fan vs fanless. I think all those N150 items come with same PSU. Most of the power wasting will be in the PSU. Save power with a window solar panel and a 12v batt that can get through the night. ;)
I think the time horizon where I can expect that I could route more than 2.5G is way beyond any device's lifetime.
But I realized today that they are realizing a fiber initiative in my town and on many places I could probably get a FTTH and 1Gb down and .5 up 😀.
Start with a 6port no-fan, see how that works.