Hello,
I am looking to buy some official OPNsense hardware. I am looking at either Protectli or Deciso. However, I do have one requirement: 2x SFP+ for 2x 10G. I want to connect my core equipment with 2x 10G, which is both future-proofing and performance. It won't be long until home internet crosses the 1G boundary; right now 1G is the max in my area, but I am sure it is going to go up in the next few years.
Currently the firewall is connected with only a 1G link, and that is often saturated.
Usage is a 4-person home. I am an IT guy, however, with my own homelab and stuff, shuffling data around, so it is often good to have the bandwidth.
The only VPN is a WG one, for private devices.
I have basically narrowed it down to either:
Protectli VP2440 with N150 and 8G RAM, for €534
or
Deciso DEC750 for €799.
Besides the fact that I am getting 1 year of the business edition for free...
Is there some other really hard reason to get the DEC750? The +€160 is not so much an issue, but I have to see the reason, honestly.
If you need (paid) support at some point because you have weird issues, having official (Deciso) branded hardware helps.
Also, it's 100% made in the EU and designed and assembled by Deciso themselves. That means software and hardware are tested for each other.
I would choose Deciso hardware. I use it myself.
(Disclaimer I work for Deciso)
Quote from: kosta on November 11, 2025, 05:26:59 PM
2x SFP+ for 2x 10G. I want to connect my core equipment by 2x 10G, which is both future proofing and performance.
20Gb connected how, .1q in trunk?
Even so, that's for your internal stuff, or will all fw ifaces run over this lagg?
Just be sure you get the correct SFP modules.
Thank you both. Exactly why I said Protectli and Deciso, I don't want some China-ware, both these devices are made in EU and have support, firmware etc.
Aggregated/trunked VLANs, yes. 3 links: one for WAN, and two trunked to the switch, which also has 4 SFP+ (Aruba Instant On 1930). And I would also like to connect the server with twin 10G. In that case, all internal interfaces go over a single trunk/lagg, and then two 10G links go to my main server with Proxmox.
I have a DEC750 and I absolutely love it. Core connection is 2x 10G with DAC in an LACP bundle to my Mikrotik switch. All internal networks are VLANs on top of that. WAN is one of the 3 1G interfaces to my DSL modem.
Necessary? No. Nice to have? Absolutely!
Creating YAV (yet another VLAN) is a matter of less than 5 minutes. I just love the flexibility. All "servers" are connected with 2x 1G LACP and also VLANs on top of that (jails, VMs, Docker, ...) and the regular systems with a single 1G port.
Regarding the brand choice alone, a year ago I switched from Hunsn to a Deciso box, the 697 with 4 x 2.5Gb suiting my needs. In addition to your caution about where it was made, my two principal reasons were firstly the best assurance I could get that new versions of OPNsense would run without having to worry about device compatibility, and secondly it was a handy way to support Deciso/OPNsense beyond donations. Having used it a year, I will stick with Deciso gear when I need to change.
Not as prior distinctions but from experience, I have found its thermal performance to be excellent and as a strawberry on the cake they are also aesthetically quite neat.
Four 2.5Gb ports where three are in lagg (that's 7.5Gb worth) for internal vlans, and then one 2.5Gb to the wan device, seems like plenty-proof.
4x2.5 is 10Gb, and that's a half duplex spec, can an OPNsense router handle 20Gb of throughput with 15Gb of that in a lagg? I doubt it.
The 2x10Gb is 40Gb of throughput, that's a lot of room, but not likely to get there on an OPNsense fw-router. The DEC2687 is only rated 5Gb, 3852/62 17.4Gb.
Also to note, if everything rides the lagg (lan, wan, etc.), then your lan-wan / wan-lan is a 2x hit on the lagg, as lan-to-wan and wan-to-lan traffic has to go down the lagg to the fw, cross the fw, then back up the lagg to the switch to reach the wan dfg, and vice versa. A 1Gb stream from the internet is 2Gb on the lagg.
I would probably choose a 4x2.5 over using 2x10G SFP. Why? Less headache, fewer parts, less costly, less power, all copper.
Duly noted, published NIC speeds are deceiving these days. The spec should indicate the half-duplex speed, so full-duplex is 2x that; however, many NICs cannot achieve 2x the half-duplex max speed, and often attaining that rated speed does not happen when full-duplexing traffic. As an example, the i226V likely cannot do symmetric 1.25Gb, but it probably can get close to 2.5Gb half-duplex. Welcome to the world of NIC vendor BS and hype. ;)
Quote from: BrandyWine on November 12, 2025, 05:09:26 AM
Four 2.5Gb ports where three are in lagg (that's 7.5Gb worth) for internal vlans, and then one 2.5Gb to the wan device, seems like plenty-proof.
It has always been recommended for the number of links in a lagg/port-channel to be a power of two. It will work with odd numbers but you won't get even distribution across all links.
See for example this part of the Catalyst 6500 documentation (https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html#toc-hId-246812679).
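Two points in the posts above are easy to model: BrandyWine's observation that a LAN-to-Internet stream lands on the lagg twice when the WAN VLAN is also trunked over it, and Patrick's power-of-two note. The following is an added example, not code from the thread or from any vendor. The "buckets" policy reproduces the Catalyst behaviour the linked document describes (an 8-bucket hash result dealt out to member links, so 3 links get 3/8, 3/8 and 2/8 of the hash space); the "mod" policy is the plain hash-modulo-links scheme as used by FreeBSD lagg(4) in LACP mode. The SHA-256 stand-in for the switch's flow hash and the sample flow list are assumptions constructed for the example; real ASIC hashes are vendor specific, but the property that matters, one flow always on one member link, holds for all of them.

```python
"""Model flow distribution over a lagg and the double hit for hairpinned
LAN<->WAN traffic. Added example; not from the forum thread or any vendor."""
import hashlib
from collections import Counter
from fractions import Fraction

NBUCKETS = 8  # 3-bit hash result on the Catalyst platform the post cites


def flow_hash(src, dst, sport, dport, proto):
    """Deterministic stand-in for an L3/L4 flow hash (assumption: real
    switches use vendor-specific functions; only 'same flow -> same link'
    matters here)."""
    key = f"{src}|{dst}|{sport}|{dport}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def bucket_to_link(bucket, nlinks):
    """Deal hash buckets round-robin onto member links."""
    return bucket % nlinks


def link_for_flow(flow, nlinks, policy="buckets"):
    """Member link (0..nlinks-1) a 5-tuple lands on under a policy."""
    h = flow_hash(*flow)
    if policy == "buckets":
        return bucket_to_link(h % NBUCKETS, nlinks)
    if policy == "mod":
        return h % nlinks
    raise ValueError(f"unknown policy {policy!r}")


def bucket_shares(nlinks):
    """Fraction of hash space each link gets under the bucket policy,
    independent of traffic. Even only when nlinks divides NBUCKETS."""
    counts = Counter(bucket_to_link(b, nlinks) for b in range(NBUCKETS))
    return [Fraction(counts[i], NBUCKETS) for i in range(nlinks)]


def per_link_load(flows, nlinks, policy="buckets"):
    """Sum each flow's Gbit/s onto the link it hashes to. A single flow can
    never exceed one member link's rate, whatever the lagg total is.
    flows: iterable of (src, dst, sport, dport, proto, gbps)."""
    load = [0.0] * nlinks
    for *tuple5, gbps in flows:
        load[link_for_flow(tuple(tuple5), nlinks, policy)] += gbps
    return load


def lagg_load_for_internet_stream(stream_gbps, wan_on_lagg):
    """Bandwidth one LAN<->Internet stream costs on the firewall's lagg.
    WAN on its own firewall port: the stream crosses the lagg once.
    WAN VLAN also trunked over the lagg: each packet crosses it twice,
    once on the LAN VLAN and once on the WAN VLAN."""
    return stream_gbps * (2 if wan_on_lagg else 1)


# Constructed sample flows: (src, dst, sport, dport, proto, gbps)
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.7", 51000, 445, 6, 4.0),   # SMB copy
    ("10.0.10.5", "10.0.20.7", 51001, 445, 6, 4.0),   # second SMB session
    ("10.0.10.9", "10.0.20.7", 40002, 2049, 6, 3.0),  # NFS
    ("10.0.30.2", "10.0.20.7", 60011, 8006, 6, 0.5),  # Proxmox web UI
    ("10.0.10.11", "10.0.20.8", 33333, 3389, 6, 0.2), # RDP
]


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(f"{n} links, bucket shares:", [str(s) for s in bucket_shares(n)])
    for policy in ("buckets", "mod"):
        print(policy, "3-link load Gbit/s:", per_link_load(SAMPLE_FLOWS, 3, policy))
    print("1 Gbit/s download, WAN on lagg:",
          lagg_load_for_internet_stream(1.0, True), "Gbit/s on the lagg")
```

Run it with a few hundred random flows instead of the five constructed ones and the 3-link bucket policy settles near 37.5/37.5/25 percent while the mod policy settles near thirds; with only a handful of large flows, as in a homelab, the spread is dominated by luck of the hash either way, which is why a single 10G link for the server often performs as well as 3x2.5G in a lagg.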
Well, while 3x2.5 would maybe be enough performance-wise, it would be less than what I have now (10G single) when it comes to the server. And moreover, I have no 2.5G ports on my switch, and my SFP+ don't support 2.5G I think, so it would all be a kind of patch-job. So, let's keep it simple :)
Thanks for the recommendations towards Deciso hardware.
Will chime in for a bit,
I use Chinese knockoffs mostly, but I like to punish myself. As well, the DIY aspect is kind of a learning curve. Anyway, I would choose the official DEC if I did not feel confident that I can make the knockoff box run.
My advice is as well, go for the DECs. They have trustworthy rated parameters from the vendor and look sexy.
Quote from: Patrick M. Hausen on November 11, 2025, 09:29:32 PM
to my Mikrotik switch
Can you tell me which one you have? I am thinking about upgrading my old Zyxel.
Regards,
S.
The CRS326-24G-2S+IN (https://mikrotik.com/product/crs326_24g_2s_in). Also available as a rack mount model.
2x SFP+, 24x 1G copper, fanless (although I put a quiet USB powered fan next to it), 200 €/$ - great bang for the buck.
I picked the desktop model because I do not have a rack. It's all on two shelf boards in the cabinet behind me in my study. That's why I also added some active airflow. If you decide to buy Mikrotik, IMHO you want RouterOS, even if you use it for layer 2 only. SwitchOS is so limited in features ... well it does switching, granted. But as you might have noticed I am an SNMP nut among other things. Observium and Rancid work great with RouterOS.
Quote from: Seimus on November 12, 2025, 09:38:52 AM
Can you tell me which one you have? I am thinking about upgrading my old Zyxel.
How many ports? SFP or copper?
I am another one who uses Mikrotiks behind Opnsense. My switches comprise two CRS304 4 x 10Gb (+ 1Gb management port) in different places as the principal backbone and a CRS310 with 8 x 2.5Gb + 2 x SFP+ in the "server room" aka workshop. They are excellent switches, all running ROS, though I took advice and replaced the factory fan in the CRS310 with a Noctua for a quieter life.
Patrick & passeri many thanks for the tips. I will look them up.
Currently I run the GS1900-24E, so 24 ports copper based. I could do as well with 16P or 8P on new switch with keeping the old one, but 24P is more suitable in case I would do a drop in replacement for the old switch. This is still something I am considering (oh and I have a small rack ;))
Regards,
S.
Quote from: Seimus on November 12, 2025, 09:38:52 AM
Will chime in for a bit,
I use Chinese knockoffs mostly, but I like to punish myself. As well, the DIY aspect is kind of a learning curve. Anyway, I would choose the official DEC if I did not feel confident that I can make the knockoff box run.
Yeah, I punished myself enough for years now with my self built box - which is working alright - but God forbid it's not. I really want to go as far as possible away from boxes that break when power runs out. I do have UPS, but also that doesn't hold forever. Had two corruptions in last two years, it's just pain to fix. I would hope some dedicated HW box can do that better. Does it maybe come with PLP? Thought of making self built with PLP alright, but simply thinking if to get a pre-built box might be a better idea. The cost of self built with PLP would be lower also. But, consumes surely more power, on the other side.
Can you tell me what is the typical procedure if something happens to the OS? Like say you can't access it any more... reset? I see console per USB... how does that work?
Quote from: kosta on November 12, 2025, 10:30:32 AM
Yeah, I punished myself enough for years now with my self built box[...]
I'm doing that now, but it's a hobby. If you don't get your jollies from that punishment, the official appliance is the way to go. You can always change your mind later, and you still have a usable device - the Deciso box doesn't transform into a brick if you let support lapse, unlike most appliances. I replaced a Fortigate 61E, and I can't give the thing away - proprietary hardware, and Fortinet would want the last 2+ years of support paid for before they'd reactivate the device.
Quote:
[...]Had two corruptions in last two years[...]
Ouch. Were those with OPNsense? OPNsense doesn't do much with the file system - normally I'd expect some corrupted logs at most. As far as PLP, I generally use SSDs with big caps, but of course all they'll do is write the buffer on the SSD, not the system ARC. I've had some poorly-behaved UPSs, that say "batteries are great" even after they die during a self test, and never had a file system go bad on me. Not even an NTFS machine with three levels of cache (system, controller, and SSD) and no PLP (consumer SSDs). Just luck?
You probably had luck, I once had a RAID controller that ran with cache enabled and battery backup and UPS and somehow the RAID controller said "hmm lets get corrupted anyway on power off thx lol".
Quote from: pfry on November 12, 2025, 04:42:10 PM
Ouch. Were those with OPNsense? OPNsense doesn't do much with the file system - normally I'd expect some corrupted logs at most. As far as PLP, I generally use SSDs with big caps, but of course all they'll do is write the buffer on the SSD, not the system ARC. I've had some poorly-behaved UPSs, that say "batteries are great" even after they die during a self test, and never had a file system go bad on me. Not even an NTFS machine with three levels of cache (system, controller, and SSD) and no PLP (consumer SSDs). Just luck?
It was due to power outages, with an older Samsung SSD, I think 830 or 840. It simply didn't boot any more, and when I looked at the console - for which I would have to disconnect it, bring it to my workplace, connect monitor, keyboard and all that, which includes searching for cables... I had some weird CRC or similar errors. Now, I could have messed with fsck and booted from USB, which I would have had to create etc. etc.; I rather just reinstalled it.
However, I must also say that since I went ZFS, I had one power outage and no issues. It's no measurement in any case, but I do have regular updates, so it's not really a lot of hassle to restore the config.
In any case, I was even thinking of paying for a mainboard with IPMI, same like my Supermicro server, which would enable me to remain flexible, without having to move the box. But, at the same time, it costs €400, so yeah, also not for free.
That is why I asked what is the way to troubleshoot the Deciso box... I have seen the USB port, but what does it do exactly?
https://docs.opnsense.org/manual/how-tos/serial_access.html
It's a built-in serial-to-USB converter; plugging a micro USB cable in and connecting it to your PC exposes an emulated COM port.
Quote from: kosta on November 12, 2025, 10:30:32 AM
Yeah, I punished myself enough for years now with my self built box - which is working alright - but God forbid it's not. I really want to go as far as possible away from boxes that break when power runs out. I do have UPS, but also that doesn't hold forever
You might need a better setup to avoid the corruption issue.
Something like https://www.vueville.com/blog/how-to-automatically-shutdown-linux-using-ups-on-power-failure/
How exactly on FreeBSD is your homework.
Quote from: BrandyWine on Today at 01:39:39 PM
How exactly on FreeBSD is your homework.
A NUT plugin for OPNsense exists and works ;-)
I do have NUT working, however need to configure it with OPNsense. There is a new UPS with 13min uptime. Tested well with PVE. I just want to make everything go away from consumer stuff to more professional. And console would be a step in the right direction. Kind of reminds me of Cisco serial cables. :D
Do you know whether there are any issues with Macs when it comes to the serial connection? Like an MBP with a USB->USB-C converter? (I have seen the info on the page about macOS, just asking for experience.)
@kosta works like a charm with macOS. You will find a /dev/cu.usbserialsomething or similar once you have plugged in the USB cable.
Use with
sudo cu -l /dev/cu... -s 115200
or for more comfort with e.g. MacPorts:
sudo port install minicom
sudo minicom -s
"Cisco" serial cables were actually created by Dave Yost at UC Berkeley: https://yost.com/computers/RJ45-serial/
When we still ran an ISP with discrete modems and similar devices, once I had collected enough "Cisco" cables (from renting routers to customers), I soldered adapters for all serial devices in the entire company and connected all of them in baby blue.
Quote from: Patrick M. Hausen on Today at 03:31:17 PM
[...]
When we still ran an ISP with discrete modems and similar devices, once I had collected enough "Cisco" cables (from renting routers to customers), I soldered adapters for all serial devices in the entire company and connected all of them in baby blue.
Not a bad idea. I bought a couple dozen (in black) from a long-gone surplus joint and took them to work, as everyone seemed to be hunting for one at one time or another. They wandered off over time; I think I have one left. Strangely, perhaps in return, we collected discarded umbrellas and handed them out to people when it rained. Go figure.
I abandoned a pile of networking gear at my workplace when I got laid off (it was all a decade or more old by then - easier to let the company clean it up). I might have something that uses a serial console, if I can find a computer with a serial port...