OPNsense Forum

Hi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there it no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

A second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

thanks in advance,
jerry

Quote from: js123 on May 11, 2026, 05:06:28 AMHi,
After a decade of running pfSense on an old tower PC, it's time to move on with the world. So I am looking for a mini PC for running OPNsense with 4 gigE or higher NICs. This is just an old network hand for our house, so there it no crazy requirements for packet rate and massive filtering.
The big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

Protectli is the way to go. They have open source coreboot BIOS for their entire line. Check out their 4 ports offers here: https://eu.protectli.com/vault-4-port/

In your case, i would go with FW4B model. Thomas Krenn and Deciso also have some nice units, but they are a bit pricier because they are in EU.. I know that Thomas Krenn used to have coreboot BIOS on their older models, but i dont see it in as an offer on new units. Worth checking out:

https://www.thomas-krenn.com/en/products/low-energy-systems
https://shop.opnsense.com/product-categorie/hardware-appliances/

With Deciso hardware you are directly supporting OPNSense project.

Quote from: js123 on May 11, 2026, 05:06:28 AMA second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

It no longer makes sense to keep those separated for home use.

If it is affordable then I recommend Deciso appliances.

• Coreboot
• Small and efficient, with good WAF
• One year of business edition, or consider that a donation
• Releases work, or at least are a better bet to do so than on a third party box

If your DNS use is internal rather than public-facing then definitely use the router for that and DHCP. All the management tools are there.

eta: I formerly used a mini-pc for Opnsense. If or when I need to replace the 697, it will be with a Deciso appliance for all the above reasons.

Quote from: passeri on May 11, 2026, 08:38:27 AMCoreboot

No coreboot in the DEC740 I got, do you know which models got coreboot?

>>>do you know which models got coreboot?

They're listed on the download page, iirc the 600 series.


I'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it ot you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.


The options aren't exactly excellent but some are better than others.

Quote from: patient0 on May 11, 2026, 08:43:17 AM

Quote from: passeri on May 11, 2026, 08:38:27 AMCoreboot

No coreboot in the DEC740 I got, do you know which models got coreboot?

Yes. Mine. Otherwise, check the product page. :)

It was mentioned above as a positive feature, so I mentioned it is available in a quad-port Deciso router.

Quote from: newsense on May 11, 2026, 09:11:58 AMI'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it ot you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.

The options aren't exactly excellent but some are better than others.

Completely wrong way of thinking. Absence of updates means that there is nothing to fix or add. And thats a good thing. Saying that appliance sucks because it doesnt get its BIOS updated every month is just silly. My Asus AMD board has had its BIOS updated 15 times so far just so they can fix "small" bugs and introduce new ones. Same goes with Intel platforms. Every month you have a BIOS update because ME firmware has been updated. This is borderline crazy.

As for Protectli, i got my coreboot on my Protectli Vault FW6E updated 3 times. So please, do not spread false information. And lack of customization on coreboot BIOS is a feature. Thats how the firmware is designed. This is why you have a choice with Protectli. You can switch between coreboot or AMI very easy. It just so happens that i dont need any "features" that AMI offers.

I'm leaning towards a Protectli, it's too hard to get the OPNsense hardware in the USA, and the tariffs make it unaffordable right now. I was looking at a DEC2770, the only thing I'm missing with some of the Protectli boxes will be the 10g connections, and I don't really need that right now. It might have been nice to route between LANs at 10g, but I only have gigabit to the WAN.

They have appliances with two 10G pors like this one https://protectli.com/news/vp2440-launch/

I am running this item. No 10G installed just yet, will do that for some vlans in .1q soon
amazon.com/dp/B0F4WXKZRB

Thanks everyone for the responses, it was a great help. I'm on the left coast of the US, so the protectli products are an easier lift.

Quote from: js123 on May 11, 2026, 05:06:28 AMThe big thing I worry about from the budget systems like I see on Amazon is making sure there are no back doors and good support at the BIOS level. Those are invisible at the higher levels and I have no desire to run another level of monitoring beyond the firewall.
Are there any systems that people are happy with that have trusted BIOS level protection and support?

You are aware of the fact that both CISCO and DELL used to have backdoors in their products in the past, right ?!

As long as it's a product from a brand that many others are using I would not worry about it too much, however BIOS/UEFI updates/upgrades because of microcode updates and stuff like that are a nice to have IMHO :)

QuoteA second question is how people feel about separating DNS/DHCP from firewall servers in general? I do this currently, a carry over from my data center building days, but it seems like this is probably not worth the support effort of a second system.

I like having my OPNsense or any other kind of Router as clean as possible so I host Pi-Hole and it's own Unbound instance seperately.

Quote from: newsense on May 11, 2026, 09:11:58 AMI'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it ot you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

This is something I might agree with you on totally, because : Who builds/maintains those CoreBoot/LibreBoot releases ?!

- If it's the manufacturer and they have a dedicated team for it that does it for all their devices : OK, let's do it!
- If it's someone who you could consider to be on the same level as any random Custom Android ROM developer for example then things get different...

The same story goes for my Thinkpad laptop by the way and not just all these funny little Mini PCs that many use as a DIY Router or VM Lab Server and stuff like that... :)

Quote from: Nullman on May 11, 2026, 11:57:37 AMCompletely wrong way of thinking.

IMHO he is fully in his right to think that way if there is not enough clarity about the whole thing!

QuoteAbsence of updates means that there is nothing to fix or add. And thats a good thing.

Any kind of software in general is never finished so that's a very bold claim you are doing there! ;)

QuoteSaying that appliance sucks because it doesnt get its BIOS updated every month is just silly.

That's the other extreme side of the story which should be avoided too ofcourse!

QuoteMy Asus AMD board has had its BIOS updated 15 times so far just so they can fix "small" bugs and introduce new ones.
Same goes with Intel platforms.

Every month you have a BIOS update because ME firmware has been updated. This is borderline crazy.

If I am perfectly honest : It all went wrong the moment you have chosen for ASUS hardware...

But considering the amount of crap both AMD and Intel have gone through the last 10 years or so it might be a VERY GOOD thing to have updates/upgrades as often as possible when needed no matter how annoying it can be for end users :)

QuoteAs for Protectli, i got my coreboot on my Protectli Vault FW6E updated 3 times.

I think we need a timeframe for that data :
- When was the model released ?
- When did you buy it ?
- How many updates/upgrades were there in total so far ?
- Do they consider the model to be a current one or is it close to it's EOL date ?
- etc.

QuoteSo please, do not spread false information.

I feel like your claims/advice isn't perfectly neutral either to be honest...

Simple example :

QuoteAnd lack of customization on coreboot BIOS is a feature.
Thats how the firmware is designed.
This is why you have a choice with Protectli.

You can't be taken seriously after making such claims IMHO :-/

QuoteYou can switch between coreboot or AMI very easy. It just so happens that i dont need any "features" that AMI offers.

That's personal taste and that's fine, but it does not mean that everyone else feels the same way about it...

Quote from: nero355 on May 11, 2026, 11:52:58 PMThis is something I might agree with you on totally, because : Who builds/maintains those CoreBoot/LibreBoot releases ?!

Coreboot for Protectli devices is outsourced to a well known and reputable open source firmware company 3mdeb. https://3mdeb.com/

Quote from: nero355 on May 11, 2026, 11:52:58 PM- If it's the manufacturer and they have a dedicated team for it that does it for all their devices : OK, let's do it!

They have dedicated team(s) for this. And all their work is hosted on github. You can find it here https://github.com/protectli-root/protectli-firmware-updater

Quote from: nero355 on May 11, 2026, 11:52:58 PM- If it's someone who you could consider to be on the same level as any random Custom Android ROM developer for example then things get different...

These people are not some random basement dwellers from XDA forums. This is official Protecli firmware that was outsourced to 3mdeb.

Quote from: nero355 on May 11, 2026, 11:52:58 PMIMHO he is fully in his right to think that way if there is not enough clarity about the whole thing!

There is enough clarity for those who want to know. Everything im saying here is publicly available information combined with personal experience. Im not talking out of my ass nor im shilling for Protectli or any other brand. Stop playing detective. If you live in US, get Protecli. If you live in EU, get Deciso or Thomas Krenn. It is that simple.

Quote from: nero355 on May 11, 2026, 11:52:58 PMAny kind of software in general is never finished so that's a very bold claim you are doing there! ;)

By that logic, life is not worth living.

Quote from: nero355 on May 11, 2026, 11:52:58 PMThat's the other extreme side of the story which should be avoided too ofcourse!

And how do you avoid it if the ME/PSP or CPU uCode has known critical vulnerabilities and only way to fix them is to flash latest BIOS ? Your reply makes no sense.

Quote from: nero355 on May 11, 2026, 11:52:58 PMIf I am perfectly honest : It all went wrong the moment you have chosen for ASUS hardware...

Please stop embarrassing yourself. 

Quote from: nero355 on May 11, 2026, 11:52:58 PMI think we need a timeframe for that data :
- When was the model released ?
- When did you buy it ?
- How many updates/upgrades were there in total so far ?
- Do they consider the model to be a current one or is it close to it's EOL date ?
- etc.

I... i just cant...

Quote from: nero355 on May 11, 2026, 11:52:58 PMI feel like your claims/advice isn't perfectly neutral either to be honest...

Talking about neutrality with TopTon signature.

Quote from: Nullman on May 12, 2026, 12:58:01 AMIf you live in US, get Protecli. If you live in EU, get Deciso or Thomas Krenn. It is that simple.

Just pausing to mention existence of other places on the planet at which point simplicity is down the gurgler, decisions need to be made. Our relative proximity to one or two Chinas makes CWWK boxes very popular. Been there, done that, in fact finally have it on ebay at the moment.

I will stick with my own decision which I consider sound for the reasons I outlined above, all subsequent discussion (and fisking) notwithstanding. The topic is a quad port, reliable, fast router, with a side of supporting companies and principles most valuable to each person.

I have for many many years ran 100% asic based soho hardware for home fw. Now I am running freeBSD/OPNsense.
The latter has monumental more effort just to keep the device itself secure.
Two different worlds when it comes to security hardware.

Quote from: BrandyWine on May 12, 2026, 05:36:35 AMI have for many many years ran 100% asic based soho hardware for home fw.

What exactly? Most SOHO products ship a more or less current and more or less competently hacked together Linux system. E.g. Fritzbox, which are exceptionally good at updates at least.

Quote from: Patrick M. Hausen on May 12, 2026, 09:47:39 AM

Quote from: BrandyWine on May 12, 2026, 05:36:35 AMI have for many many years ran 100% asic based soho hardware for home fw.

What exactly? Most SOHO products ship a more or less current and more or less competently hacked together Linux system. E.g. Fritzbox, which are exceptionally good at updates at least.

SonicOS(sonicwall), ScreenOS(netscreen/juniper), FortiOS.


Today the common soho architecture is hybrid, all asic for data.plane, some nix version in mgmt.plane.

There's also FPGA based devices that can do security functions at specific hardware points in the system, de-centralizing sec functions. Silicom FPGA nics and such. I recall seeing this sec architecture model being touted by MIT many many years ago.

OPNsense is just a nix with some software packages installed.

Quote from: Nullman on May 12, 2026, 12:58:01 AM

Quote from: nero355 on May 11, 2026, 11:52:58 PMThis is something I might agree with you on totally, because : Who builds/maintains those CoreBoot/LibreBoot releases ?!

Coreboot for Protectli devices is outsourced to a well known and reputable open source firmware company 3mdeb. https://3mdeb.com/

Quote from: nero355 on May 11, 2026, 11:52:58 PM- If it's the manufacturer and they have a dedicated team for it that does it for all their devices : OK, let's do it!

They have dedicated team(s) for this. And all their work is hosted on github. You can find it here https://github.com/protectli-root/protectli-firmware-updater

That's something to dig into then when considering one of their products. Thnx! :)

Quotesome random basement dwellers from XDA forums.

I'm not talking out of my ass nor im shilling for Protectli or any other brand. Stop playing detective.

By that logic, life is not worth living.

Your reply makes no sense.

Please stop embarrassing yourself. 

I... i just cant...

Exactly the kind of replies I was expecting after checking your posting history here... Too bad! :-/

Yes, I like to know who I am dealing with and if that makes me a detective : So be it! ;)

QuoteTalking about neutrality with TopTon signature.

I just happen to own one by chance...

Could have been this one too :

Quote from: passeri on May 12, 2026, 02:24:12 AMOur relative proximity to one or two Chinas makes CWWK boxes very popular.
Been there, done that, in fact finally have it on ebay at the moment.

Or any other brand since I don't mind ordering stuff via eBay/AliExpress/Banggood/etc. and finding gems like my good old ZUK Z2 Pro phone which was simply a bargain many years ago! :)

Quote from: Patrick M. Hausen on May 12, 2026, 09:47:39 AM

Quote from: BrandyWine on May 12, 2026, 05:36:35 AMI have for many many years ran 100% asic based soho hardware for home fw.

What exactly? Most SOHO products ship a more or less current and more or less competently hacked together Linux system. E.g. Fritzbox, which are exceptionally good at updates at least.

For xDSL connections the products made by DrayTek are my absolute favorite! :)

It has been now 10 years later and my Vigor 2860 still got a firmware update! Impressive! :o

Quote from: nero355 on May 12, 2026, 06:49:24 PMThat's something to dig into then when considering one of their products. Thnx! :)

You are welcome.

Quote from: nero355 on May 12, 2026, 06:49:24 PMFor xDSL connections the products made by DrayTek are my absolute favorite! :)

Yes, I had two (serially) for ADSL connections. They were very solid and by reputation very secure. Fibre and a wish to do some things entailing a Draytek business licence overrode.

I handed off the first to family and sold the second only last year for a better price than one usually expects for older networking gear.

Forti (shivers)...

Quote from: passeri on May 12, 2026, 02:24:12 AMJust pausing to mention existence of other places on the planet at which point simplicity is down the gurgler, decisions need to be made.

Yes, I started out with a Fitlet2 and then moved to a GigaIPC box. The latter company is the industrial PC division of Gigabyte. There are lots of options. There's also AAEON which is the industrial PC division of ASUS. AAEON also now owns Jetway, another IPC maker. There's also Lanner, which have at various times made boxes for certain firewall companies. They don't sell directly to consumers but you can get their stuff used, with their name or another name on the box. And, of course there's Supermicro.

There's not much Supermicro anymore, not in the low end stuff that makes a good firewall. Either that or I'm no longer finding this level of stuff.

Quote from: Greg_E on May 21, 2026, 10:35:13 PMThere's not much Supermicro anymore

Supermicro make "Compact Edge System" with N97 cpus and 2x 2.5GbE. I see these selling for around $400 online but they may be using Realtek networking. The ones with 2x i226 are more like $530. Some of the GigaIPC boxes use 2x i225/i226 with N97 and are significantly cheaper.  AAEON and Jetway sell similar systems, some of which have more ports. Jetway is probably the cheapest--you can find their cheapest boxes for around $300. With all of these systems you usually need to add your own memory and drive. My experience of these type of systems is limited to a GigaIPC with 2x Intel 1GbE and a J6412 CPU. I bought it from a US reseller, although I think it shipped direct from Gigabyte USA, in November 2023 for $170. After adding memory and storage it was $250. It was cheap and it's been very reliable.

See: https://www.supermicro.com/en/products/edge/compact-edge-systems

The N97 has those pros/cons. The cpu itself is better than N150, but the 97 chews up approx 2.5x more watts !
Those Supe-u items also come with heavy graphics, which wont be used for FW purposes.

Quote from: qarkhs on May 22, 2026, 09:49:13 PM

Quote from: Greg_E on May 21, 2026, 10:35:13 PMThere's not much Supermicro anymore

Supermicro make "Compact Edge System" with N97 cpus and 2x 2.5GbE. I see these selling for around $400 online but they may be using Realtek networking. The ones with 2x i226 are more like $530. Some of the GigaIPC boxes use 2x i225/i226 with N97 and are significantly cheaper.  AAEON and Jetway sell similar systems, some of which have more ports. Jetway is probably the cheapest--you can find their cheapest boxes for around $300. With all of these systems you usually need to add your own memory and drive. My experience of these type of systems is limited to a GigaIPC with 2x Intel 1GbE and a J6412 CPU. I bought it from a US reseller, although I think it shipped direct from Gigabyte USA, in November 2023 for $170. After adding memory and storage it was $250. It was cheap and it's been very reliable.

See: https://www.supermicro.com/en/products/edge/compact-edge-systems

Thanks, I'm going to look through those compact edge models to see what I can see. Most of them come kitted out as an AI pc, but farther down it looks like I might be able to get something with a PCIe card slot. Not sure why I didn't locate those during my searches, but I need to get on this as money is about to expire so I need to spend it.

Quote from: Greg_E on May 27, 2026, 05:17:26 PMbut I need to get on this as money is about to expire so I need to spend it.

Damn, that sounds like my wife!

I ended up with a Protectli box, everything else was just too much money. Only an i5 4c/8t and 16gb of ram, but I think I do get dual boot drives which will be nice. About $900usd which seems kind of high for what you are really getting, but in the 5 days between quote and request, the price of ram went up again.

Quote from: Greg_E on June 12, 2026, 05:41:49 PMI ended up with a Protectli box, everything else was just too much money.

This isn't cheap either IMO =>

QuoteOnly an i5 4c/8t and 16gb of RAM
About $900usd

:o

Quotewhich seems kind of high for what you are really getting, but in the 5 days between quote and request, the price of ram went up again.

What does 16 GB RAM cost then these days ?!

Buying used hardware might be the better option if you can score a good deal...

Quote from: Greg_E on June 12, 2026, 05:41:49 PMI ended up with a Protectli box, everything else was just too much money.

Which model did you get? I hope you got the older FW series.

I'd have to look it up, still hasn't arrived. I can tell you what ECC server ram costs, been pricing out storage servers and it's just stupid high. I could have beaten the cost buying from different places, but not by enough to make it worth my time, that's why we have approved vendors. I think the price I put together was around $850-$875 and then I have no leverage if there is a problem.

If the firmware gives me problems, I'll go back to the reseller and have them push the manufacturer to fix it. Protectli did suggest Coreboot over the AMI BIOS, so I'll set that up when it arrives.

Now here's the part that I found really interesting... The Protectli devices are on government contract, they are being used a bunch of places that we don't know about.

Model is VP4650 with six i226 ports
Single DDR5 16GB of ram was nearly $200usd, $60 for a small NVME, and $35 for a rack shelf. That puts the rest at around $6xx. I don't have the actual invoice in hand yet.

Quote from: Greg_E on June 18, 2026, 08:10:01 PMI'd have to look it up, still hasn't arrived. I can tell you what ECC server ram costs, been pricing out storage servers and it's just stupid high. I could have beaten the cost buying from different places, but not by enough to make it worth my time, that's why we have approved vendors. I think the price I put together was around $850-$875 and then I have no leverage if there is a problem.

I dont want to talk about it. Its depressive.

Quote from: Greg_E on June 18, 2026, 08:10:01 PMIf the firmware gives me problems, I'll go back to the reseller and have them push the manufacturer to fix it. Protectli did suggest Coreboot over the AMI BIOS, so I'll set that up when it arrives.

You dont need to go to reseller. Protectli provides flashli tool that you can start from live ubuntu linux. Its a simple python script that will detect your device and then offer AMI or coreboot bios. You can switch back to AMI any time. Or vice versa. Tool is located here and it is official tool: https://github.com/protectli-root/protectli-firmware-updater

Quote from: Greg_E on June 18, 2026, 08:10:01 PMNow here's the part that I found really interesting... The Protectli devices are on government contract, they are being used a bunch of places that we don't know about.

That should not be a problem because they have open source bios.

Quote from: Greg_E on June 18, 2026, 08:10:01 PMModel is VP4650 with six i226 ports
Single DDR5 16GB of ram was nearly $200usd, $60 for a small NVME, and $35 for a rack shelf. That puts the rest at around $6xx. I don't have the actual invoice in hand yet.

Thats a beast.

Quote from: Greg_E on June 18, 2026, 08:10:01 PM[...]Model is VP4650[...]Single DDR5 16GB[...]

Those don't go together... Was the RAM for the storage server mentioned earlier, or was it a non-ECC DDR4 SODIMM? (I haven't looked at prices recently.)

I'll have to look at the quote again, I might have seen the wrong version. It's coming as a package so I assume whatever it needs will be installed and working. Either way, $200 for 16gb of ram is crazy!

I paid $200 for 2x16 (used) sodimm not too long ago and going farther back under $200 for 2x32 DDR4 sodimm. My lab is like a gold mine if I decided to sell off the parts and junk the computers. Too bad I still need them to do work.