Hello,
Apologies if this has been answered, I couldn't find it anywhere.
I have an odd setup I could use some help with.
Currently, I have a UDM Pro with two 10GB SFP+ ports serving as WAN. No modem, this is straight from ISP Fiber ONT. I'll be shortly moving to 2GB ISP speed.
That is connected to an unmanaged TP-LINK switch with basic port filtering.
I had set up OPNsense on a Dell Optiplex 7070 Micro a while ago, but when I was given the UDM Pro I swapped it for the UDM Pro.
I noticed that I had what seemed like speed issues with the Optiplex running 1GB with any additional security tools configured, and it has NO ability to add additional NICs as there is no PCIe slot. Or rather, the PCIe slot is dedicated to the NVMe slot. The max number of Ethernet ports then is 2: 1 at 1GB and 1 at 2.5GB with an NVMe WLAN adapter.
I'd like to go back to OPNsense since it would allow me to continue learning and exploring more options such as ZenArmour, IDS/IPS, DoH and other tools + customizations. I work in security, so although these tools aren't needed for home use, I want to get better at utilizing and understanding them for my career.
I have a Dell R260 server with multiple 4-port 1GB NICs and no SFP+ ports. It has dual 750-watt PSUs, but they aren't really tapped that hard.
I was thinking of installing Proxmox and virtualizing OPNsense on this server + using it as a replacement for my current Plex server. I'd likely need to purchase 1-2 10GB SFP+ cards and/or 1-2 2.5GB Ethernet adapters in order to replace the UDM Pro with a virtualized OPNsense firewall. Power isn't crazy expensive, but going from the UDM Pro power draw to approx. 150 watts minimum for the R260 would be a significant increase. Currently paying around 11 kWh. Storage might also be an issue for this route, but I need to see if my existing drives will play nice with 1 RAID SAS array and 1 14TB SATA drive.
The R260 has 128GB of RAM and the stock dual Xeon CPUs.
Other option would be to just purchase a different firewall such as the DEC697 but I don't want to spend $800 USD.
I could also repurpose my current Plex server, an old gaming PC with an i9-9900K and a single 2.5GB NIC. I'd of course need to purchase additional NICs, but it would be possible. I could virtualize this machine as well or run bare metal. Power consumption is not likely to be an issue, as it seems it shouldn't pull much more than 80 watts.
Lastly, I have a very old HP thin client with a PCIe expansion slot and 16GB of RAM, but its CPU is a quad-core GX-420CA, which I suspect will not have enough throughput to use a 2GB ISP connection and run Zenarmour etc.
I'm struggling to find what specs I'd need for a 10+ device network with IDS/IPS on, for a 2GB internet speed.
I have approx. $500 USD to spend on this project, but would like to spend less if possible.
I feel like purchasing several SFP+ and 2.5GB NICs for the R260 is probably the cheapest route, but I'm concerned about power draw and fan noise.
Thoughts?
Speaking only of dedicated desktop appliances, not server platforms or VMs...
Quote from: PlzKeepMeSafeOPN on Today at 03:57:04 AM
> I'm struggling to find what specs I'd need for a 10+ device network with IDS/IPS on, for a 2GB internet speed.
If you're expecting IDS/IPS at close to the 2Gbps rate, you're looking at a DEC850 from Deciso, as per the published specs (https://shop.opnsense.com/dec800-series-opnsense-desktop-security-appliance/).
DEC750 gets you ~1Gbps.
DEC697 drops to ~540Mbps.
If those are out of budget, you can use them as baselines to figure out what comparable CPU/memory you need and add a little bit for overhead. The DEC appliances are efficient for networking tasks and you know what to expect, whereas general-purpose mini-PCs might vary in this department. Make sure the one you get has dedicated PCIe lanes for the NICs.
I don't use threat protection, but I can tell you that for basic home networking my N5105 box is more than adequate for a 1-1.5Gbps ISP plan and idles most of the time, though I wouldn't dream of running Suricata on it. It can saturate the 2.5Gbps links; however, it requires at least two streams (iperf3 -P 2) in order to realize that, because of CPU frequency limitations on a single core. A single stream tops out at ~1.7Gbps or less, IIRC. That's something to consider if you use older SMB protocols for NAS shares, for example; then you might be better served with an N100/N150.
Take a look at the VP66xx series of Protectli for a more capable Suricata/ZA platform. You're talking higher power draw and the need for active cooling, as the tradeoff with the DEC850.