OPNsense Forum

English Forums => Hardware and Performance => Topic started by: Vortex on November 25, 2019, 09:42:58 am

Title: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
Post by: Vortex on November 25, 2019, 09:42:58 am
Dear all,

I'm new to OPNsense, just installed it yesterday in a VirtualBox VM to play around with it. And I like it, omg, what great software. Respect to the whole team and all developers involved in the project.

Now the big question regarding hardware:
- I'd like to buy/build a small appliance to place it next to the Broadband router I got from my ISP

- I managed with them a bridge mode so PPPoE dial-up and everything is done now via an ASUS router

- router CPU is weak when I enable OpenVPN + OpenVPN uses 1 thread only.. a true bottleneck when one of my friends connects to my network.

- WAN is 1Gbit FTTH (1000/300)

- Power consumption is a question so I'd like to balance it out nicely, I don't want to use old appliances & old PCs because they're good but still a waste of heat and energy

- Like for women, size matters here too: I'd like to place it next to my media converter's small box so ITX is the absolute maximum I think.

Are there any good best buys? I need a good price/performance (who doesn't?).. shall I jump into those x86 Atom/Celeron based mini ITX fancy boards or look for some more decent CPU? (i3, Ryzen3 maybe?)

I'd run tons of things on the system, like openvpn at great speeds, suricata, squid and all other CPU intensive things + NAS function too (not sure if OPNsense has a NAS service, if not, I might consider to run it in a VM on the host and run the NAS&DLNA server part separately in another VM instance).
Title: Re: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
Post by: monstermania on November 25, 2019, 12:16:39 pm
Quote from Vortex:
"I'd run tons of things on the system, like openvpn at great speeds, suricata, squid and all other CPU intensive things + NAS function too (not sure if OPNsense has a NAS service, if not, I might consider to run it in a VM on the host and run the NAS&DLNA server part separately in another VM instance)."
Well,
take a look at the devices from Qotom. They offer quite a good performance for a nice price tag. You'll find many experiences from other users when you use the forum search for Qotom!

A NAS running on a firewall!? Not a good idea for me. I know that i.e. ipfire offers such a solution, but IMHO this is nuts! Of course you can run a FW and a NAS as VMs on the same hw. But a NAS IMHO should work with a raid config for the storage...
Title: Re: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
Post by: harshw on November 25, 2019, 08:36:18 pm
I've used this: https://www.supermicro.com/en/products/motherboard/X11SCL-iF along with a Xeon-E 2126G. I have gigabit up and down and run traffic shaping + IPS/IDS as well. No slowdowns (that I can observe)

There's loads of small ITX chassis that you can use for the SM mobo
Title: Re: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
Post by: rungekutta on December 02, 2019, 08:51:42 pm
Quote from harshw:
"I've used this: https://www.supermicro.com/en/products/motherboard/X11SCL-iF along with a Xeon-E 2126G. I have gigabit up and down and run traffic shaping + IPS/IDS as well. No slowdowns (that I can observe)"
Nice solution. NB this version https://www.supermicro.com/en/products/motherboard/X11SCL-LN4F has 4 gigabit ports but otherwise looks similar except larger form factor (microATX). It's about €70 more expensive here (Sweden).

Another variant is this: https://www.supermicro.com/en/products/motherboard/M11SDV-4CT-LN4F
Bit slower than the Xeon above but fanless, still Mini-ITX and more energy efficient (35W). Also a bit cheaper than above m/board + CPU, at least in Sweden.

8 core version: https://www.supermicro.com/en/products/motherboard/M11SDV-8CT-LN4F
Still low power (30W). Similarly priced to X11SCL-LN4F + Xeon CPU.
Title: Re: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
Post by: harshw on December 03, 2019, 08:31:53 pm
Quote from rungekutta:
"Another variant is this: https://www.supermicro.com/en/products/motherboard/M11SDV-4CT-LN4F
Bit slower than the Xeon above but fanless, still Mini-ITX and more energy efficient (35W). Also a bit cheaper than above m/board + CPU, at least in Sweden."

The X11SCL-iF is ~ $180 in US. And the Xeon E-2126 can be had for $270. That's ~ $450. The last time I checked the M11SDV-4CT-LN4F was ~ $700, which is one of the reasons I did not purchase it. The other reason was FreeBSD/HardenedBSD performance on EPYC.

Speaking of which - has anyone using a hyperthreading-capable CPU with HardenedBSD enabled HT? I thought BSD disabled HT, which is why I purchased a non-HT CPU ...
Title: Re: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
Post by: Antaris on December 09, 2019, 07:47:11 pm
I've built some OPNsense routers for my clients. So far I didn't find better bang for the buck than a second-hand brand SFF PC with an additional i350-T4. HP Z230/230 is a good example to consider...