Messages - qarkhs

#1
@kbreit
Like you I'm still on ISC DHCP. When Kea appeared as an option I was going to switch but decided to wait. Now I think my switch will be to DNSmasq, as that is now what is recommended for my type of small, simple setup. Up to this point, at least, I have no regrets waiting for the various alternatives to appear and cook a little within OPNsense. As Meyergru says, "there is no rush". But at some point, maybe soon, maybe when it becomes a plug-in, it's going to make more sense to switch than stick with ISC.
#2
Thanks. Next time this happens I will check this out but, as you suggest, it may be worth getting a UPS.

This time it turned out to be more problematic than usual. I had the Asus sitting in for a couple of days and every few hours the WAN would disappear and then reappear after rebooting the Asus. Eventually I got round to swapping my OPNSense box back in and everything has been working as it was before.
#3
General Discussion / No WAN IP after power failure
March 07, 2025, 07:01:48 PM
This morning there was a one second blip in the power and every electronic device in the house went down. The cable modem and Opnsense box came back up but there's no Internet connection. I log into the OpnSense box and everything seems fine aside from the missing WAN address. I reboot the cable modem (Arris SB2800) and then reboot the OpnSense box. No change. I swap the OpnSense box out for an Asus Router and I have an Internet connection.

This has happened several times before. The solution is always swap in the Asus box. Based on past experience, if I reconnect the OpnSense box in a couple of hours, everything will work fine. Any idea what's going on here and how to fix it?

#4
There was a bios update (0041) for the ASUS NUC 13 Rugged released on 1/16/2025. Link.

#5
@aleco

Home Network Guy has a lot of useful guides. Maybe start here: https://homenetworkguy.com/how-to/install-and-configure-opnsense/

This was from 2 years ago so some parts may be a little dated (e.g. ZFS is now the default install).
#7
I'd go with the 8GB of RAM model. Default install now uses ZFS and it will use the extra memory if it is available. My system is currently using about 6GB. And you want to use ZFS so you can use bectl.
#8
I think Netgate 2100 uses an ARM CPU. Not sure Opnsense runs on that, at least official builds.

Why not include the Elkhart Lake CPUs as well (e.g. J6412)? The performance is similar to N5105, N5095 (Jasper Lake). Take with a pinch of salt but:
https://www.cpubenchmark.net/compare/5157vs5337vs4474vs4472vs4412/Intel-N100-vs-Intel-N97-vs-Intel-Celeron-J6412-vs-Intel-Celeron-N5095-vs-Intel-Celeron-N5105

Other thoughts. There appear to be lots of people running OpnSense on Alder Lake CPUs (e.g. N100) bought from PRC companies. You may need to do a microcode update. See:
https://forum.opnsense.org/index.php?topic=36139.0

I believe Protectli machines are made in PRC as well but you get better warranty, support and product is more consistent but you pay quite a bit more for similar features. There are lots of posts here that give you some idea of the manufacturing quality control of PRC companies selling on Ali Express e.g.: https://forum.opnsense.org/index.php?topic=41232.msg203797. Some people appear to buy these units and have great success and others have problems. You roll the dice...

The Taiwanese companies mentioned previously (GigaIPC, Jetway, AAEON) may also manufacture in PRC but to ISO manufacturing standards. They appear to be mostly making industrial PCs to sell to businesses rather than consumers and people who are happy to tinker. But again, you are likely to pay more. And they are slower to bring latest and greatest low-power CPUs to market compared to PRC companies selling on Ali Express and elsewhere.

You have to decide what trade-off is right for you in terms of CPU performance/features -- manufacturing quality/reliability/support -- cost. 

A thought on heat issue: I installed an NVMe drive on my last machine. Faster but I think the extra speed is unnecessary for this application and likely generates more heat than other storage options.
#9
Quote: I couldn't find a Mini PC from these manufacturers with an N100 chip, and fanless models seem to be scarce.

https://www.jetwaycomputer.com/BFTADN1.html
https://www.jetwaycomputer.com/BFDADN1.html

https://www.gigaipc.com/en/products-detail/QBiX-Pro-ADNAN97H-A2/

These are all fanless with N97. N97 is closely related to N100. See comparison here:
https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=231803,233090
#10
I'd avoid the Fitlet3. The Fitlet2 was a nice machine but the built-in LAN ports on the Fitlet3 appear not to play well with BSD. See https://fit-pc.com/wiki/index.php?title=Fitlet3_Errata_Notes#FITLET3ERR005:_fitlet3_default_LAN_interfaces_are_not_recognized_by_some_-nix_based_OS

Other options that might be worth a look are AAEON and Jetway (these are both Asus companies) and GigaIPC (Gigabyte). These companies all make industrial minipcs for various purposes. They will generally be more expensive than the boxes made in the PRC but manufacturing standards are likely to be higher and you'll get better support. I'm currently using a GigaIPC with J6412 and dual Intel 1G LAN ports to run Opnsense. Barebones cost me $169 last year but cheapest I can find it for now is $240. I have no experience with Jetway boxes but you can find their J6412 barebones online with 2 to 4 i225v for under $300. They also sell a couple of Alder Lake N systems with dual i225v.
#11
I am using a small box with a J6412 (https://www.gigaipc.com/en/products-detail/QBiX-EHLA6412-A1/), 16GB RAM, and running a paid version of Zenarmor. There's miles of headroom but the network load is not exactly demanding and I am not running either Suricata or a VPN.
#12
There are Taiwanese options if you are looking for better manufacturing, quality control, and support e.g. AAEON and Jetway (both Asus companies). GigaIPC (Gigabyte) sells a barebone box with a J6412 and two Intel I211 that can be had for as little as $225.
#13
General Discussion / Re: Would you like to see Fido U2F?
February 09, 2024, 04:08:35 PM
Yes, although preferably Webauthn/FIDO2. This is likely to become increasingly popular now passkeys are supported on iOS, Android and other devices. The US Federal government is also keen to get rid of any form of authentication that isn't phishing resistant. See https://zerotrust.cyber.gov/federal-zero-trust-strategy/#identity

Quote:
MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access. These attacks can be fully automated and operate cheaply at significant scale.

Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government's Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)'s open "Web Authentication" standard, another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services.

Agencies must require their users to use a phishing-resistant method to access agency-hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.

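As an added illustration of the "phishing-resistant" property the quoted text refers to (example code added here, not from the post or from OPNsense): a minimal relying-party check of a WebAuthn assertion that rejects a response produced on a look-alike origin, because the browser binds the origin into clientDataJSON and the authenticator binds the RP ID hash into authenticatorData. The RP ID, origins and challenge are constructed placeholders, and the signature check a real relying party also performs is left out.

```python
import base64
import hashlib
import json

# Constructed placeholders: the legitimate relying party and its allowed origin.
RP_ID = "opnsense.example"
ALLOWED_ORIGINS = {"https://opnsense.example"}


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build the two artefacts a browser + authenticator hand back during a
    WebAuthn 'get' ceremony. The origin is set by the browser from the page that
    called navigator.credentials.get(); the user cannot alter it."""
    client_data = {
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }
    # authenticatorData: rpIdHash (32 bytes) || flags (UP|UV) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party side checks; returns (ok, reason). Signature check omitted."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale response)"
    # A one-time code typed into a phishing page carries no origin; this does.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```
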
#14
If you plan on having more than one AP, you might want to look at Ubiquiti Unifi, TP-Link Omada, and Aruba Instant-On. Those are the more affordable systems that people use in home setups that are a step up from mesh systems (e.g. Eero). There are reviews and comparisons of all three systems at https://evanmccann.net/. If you use this type of system rather than a router in AP mode, you'll probably want a switch that supports PoE with sufficient PoE ports and power to support however many APs or other PoE devices you are likely to attach to the network.
#15
Presumably, you already have a fairly good idea what sort of CPU and how much memory you need based on your current N5105 machine. Does it handle the requirements above? If not, there are review sites that benchmark various 11th and 12th gen Intel mobile and embedded CPUs running Opnsense in various configurations. Memory and storage are cheap, especially if you buy and install them yourself, so you may not save much by being economical.

I agree with Patrick that for business users, going with a Deciso or Supermicro makes sense. In the overall scheme of things those products are likely to be seen as good value for money in that context. As a home user I'm not sure I want to spend that sort of money but think the AliExpress route has a fairly substantial risk of being a false economy. Reading accounts here and elsewhere of some of the heating and other issues that users sometimes run into doesn't make me want to buy. I guess some people love tinkering but I just want a reliable box that won't get me into trouble with family members working from home. I'd rather just pay another $100-$200 for improved design, manufacturing and proper quality control. If you buy something from AliExpress I think you are guaranteed to be a guinea pig no matter what you buy because the models and components are constantly changing. See discussion here: https://forum.opnsense.org/index.php?topic=27938.msg139706#msg139706.

You didn't state which product you are interested in. There are probably decent options that would arrive much quicker. The downside with manufacturers like the ones I mentioned previously is that they are selling 'industrial' PCs to businesses who want/need reliability. I think for that reason the product cycle is a bit slower. That means if you want a fanless box with the latest and greatest low-wattage CPU, say an Alder Lake N, you have to wait or go with a cheap PRC box from AliExpress or elsewhere.