Hardware and Performance / Q: what are the elevated hardware requirements for running zeek?
« on: August 04, 2023, 08:39:27 pm »

I am thinking about using the zeek package for opnsense to monitor all routed traffic, and knowingly ignoring all unrouted traffic that stays local to a collision domain.
The rationale is that I am interested in traffic crossing networks while not interested in traffic staying confined in the VLAN where the traffic originates.
At the same time I am hoping that this brings down the resource requirements for zeek to perform properly, since it doesn't need to capture everything as it would need to do when connected to a span port.
Do we have people here with experience in running zeek in such a setup?
What is your estimate of the additional requirements for CPU cores, GBs of RAM and SSD storage on top of what opnSense is requiring for itself?
My setup would be opnSense router with 2x 1Gbps interfaces, 1 for the traffic to be routed and filtered, and 1 for managing the opnSense machine.
I am currently using a Qotom with:
CPU: i7 2C 4T
NIC: 6x 1GBps Intel
RAM: 4GB
Storage: 50GB SSD
Would there still be enough room to run zeek next to opnSense on this machine? If not, how many additional cores would I need, how much more RAM and SSD storage?
I understand that this also depends on the traffic mix and amount of traffic I have. This is just a home lab with lots of segregated VLANs - so there is clearly more traffic going through the router than you would see in a flat homelab network.