Messages - Greg_E

#1
Prices being what they are, I'm having to think about what I can use to replace my current firewall. I wanted to go with a nice DEC2770, but my budget keeps being shrunk, and they are not allowing me to add $2k for that firewall.

So I'm looking at n355 powered "generic" boxes (probably CWWK inside) that have 6x i226 connections, dual nvme slots and a single DDR5 slot for either 16gb or maybe more.

Are the i226 drivers worked out to the point where I won't have to fool with things too much? Are these "generic" boxes even worth bothering?
#2
On pf long ago, Suricata was multithreaded which gave a performance boost over Snort.

As far as performance impact, if every rule is turned on, every rule must be checked and that takes time and RAM. Pass it through Zenarmor too and down it does.

With both Suricata and Zenarmor on my old low power Xeon based system (4c8t) and 16 GB of RAM, my gigabit connection gives me about 600 Mbps down and we still get nearly gigabit up. More cores, faster clock, plenty of RAM seems to be the way to go. With modern i3 or n305 processors, you should outperform my firewall by a lot.
#3
Suricata should be multithreaded, it definitely was when I was running it on pfsense, and I'm guessing it is on OPNsense. Snort was single threaded for a long time, I think they may have fixed this by now (but not sure).
#4
Is it really paying OPNsense or is it paying Microsoft? I could see a 50/50 split, but OPNsense better get something.
#5
How long did it take Linux to really get rolling on x86? RISC-V is fairly new still.
#6
I've generally found that blocking anything related to outlook.com will break stuff your users need. We are a Microsoft plant so this could break way too many things for me to even try. There are only a few Microsoft related things I can block (a couple of trackers) without getting problems in applications I actually need.
#7
Not to be too far off topic, I can't even get gigabit fiber to my house, and cable is not reliable because they haven't upgraded their plant in 20 years.

And then the question of a static IP... Generally no or lots of money.
#8
Jealous of your 10g connections.
#9
I'm buying my lab x710 used, a quad port was only around $125 a few months ago, now they are probably on par with weight in gold. And so far I've only used them at 10g and 1g speeds, so not sure about nbase. Mine are also the Supermicro variant, they always seem to draw less power and I know I can get drivers and firmware if needed.

The dual port x710 were going for around $40 on eBay back then, I almost went that direction but decided I would get a couple of quad port. I do want to upgrade the rest of my lab with dual port, I have x520-da2 installed into PCIe 3.0 slots, which may be dragging the computers down a little. Most lab upgrades are on hold due to rising prices and lack of time to work on it.

Good news on the AQ driver coming soon, that should open up a few options.
#10
As of about a year ago, the Marvell AQ drivers were not available, so whether I wanted to or not, I had to go with TrueNAS Scale on a mini-NAS I was building. Marvell AQ drivers are available in Linux (for as good as they are; I have a new problem with TrueNAS 25.10.x).

Intel still rules the roost and thankfully the x710 are (were) coming down in price.

And I sure hope RAM and SSD prices come back down, not going to waste time buying when they get back into the comfortable range, I could use some 2-4TB nvme drives and $50 per TB sure is better than $100+ right now.
#11
Digging a little deeper into Webmin, I think I'm going to go with ISC DHCP and BIND DNS, those are both supported under Webmin and right now I want a stupid GUI.

I've had no issues with Windows with dual servers for DHCP or DNS, also for AD, they integrate nicely at least for my small network. And really easy to configure with the GUI. Been using it since 2003 and dual servers since 2016 or so when I got budget for more hardware. Also running the same on a single mini-PC in my lab because I know it well enough to get work done, and get it done quickly.
#12
The Webmin module was orphaned about two years ago. Might still work and might still be a decent idea.

Sadly, if this were Windows Server I would have had this done by now, so much easier with the GUI provided.
#13
This has nothing to do with OPNsense, but I'm guessing I'll find good help here.

I'm looking for something a little more "conversational" than the man page for dnsmasq, and specifically on Debian 13 if the OS matters.

I recently bought a cheap NVR device; they have all kinds of drivers for Windows, but I want to run Frigate, which is really Linux (in a Docker container). This thing has 2 gigabit Ethernet PHYs that they run into two separate switch chips to yield two banks of 8x 100 Mb ports, and these also have PoE up to 120 watts per 8 ports. Obviously I'm going to need a DHCP server and really should have a DNS server running for those 16 ports.

I have a rough idea of what I think I need to do, but would like to find a nice guide to all the features that dnsmasq can provide, one that is easier to read than the man pages and gives a little better explanation.

If you want to see the device in question, here is a thread; it was cheap enough on eBay to give it a try (since I had RAM and drives):
https://forums.servethehome.com/index.php?threads/nexcom-nvis-14162-nvr-device.54703/

I think I can just assign IPs to both of those gigabit interfaces, putting them on the same lan, then bind dnsmasq to both of those interfaces to serve up IP and DNS to all 16 of those ports. The actual syntax is in question, but I think I might have a starting point. I might need to form a bridge between them, not really sure yet.

And a question... Why has no one ever built a GUI for dnsmasq, Bind, Kea, etc. And yes, I know, real admins don't use GUIs. Been told that a few times.
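A worked dnsmasq configuration for the camera-network layout described in #13, as an added example that is not from the forum post or from the dnsmasq project. Everything concrete in it is an assumption: the two NVR NICs are called enp1s0 and enp2s0, each switch bank gets its own /24 (10.10.1.0 and 10.10.2.0) with the Frigate host at .1, no bridge is used, the local domain is cams.home.arpa, and the camera MACs are placeholders. The security-relevant choices are that dnsmasq binds only to the two camera interfaces, suppresses the default-router option so cameras cannot route off their segment, and has no upstream resolver, so a camera cannot look up cloud endpoints through it.

```conf
# /etc/dnsmasq.d/nvr-cameras.conf  (added example; not from the forum post)
# Assumed, not stated in the thread: the NVR's two gigabit PHYs are enp1s0
# (10.10.1.1/24) and enp2s0 (10.10.2.1/24), one subnet per switch bank, no
# bridge; the local domain is cams.home.arpa.

# Listen only on the camera NICs and bind sockets to those interfaces alone,
# so dnsmasq never answers DHCP/DNS on the uplink or on Docker's interfaces.
# Loopback is excluded so the host keeps using its own resolver config.
interface=enp1s0
interface=enp2s0
bind-interfaces
except-interface=lo

# DHCP: one pool per interface; each pool sets a tag so options can differ.
dhcp-range=set:cams1,10.10.1.100,10.10.1.199,255.255.255.0,12h
dhcp-range=set:cams2,10.10.2.100,10.10.2.199,255.255.255.0,12h
dhcp-authoritative

# Cameras only need the Frigate host. dnsmasq hands out its own address as
# DNS server by default; giving option 3 (router) with no value suppresses
# it, so a camera gets no default gateway and stays on its segment.
dhcp-option=tag:cams1,3
dhcp-option=tag:cams2,3

# Pin each camera to a fixed address by MAC so the Frigate config stays
# stable across lease renewals (placeholder MACs).
dhcp-host=00:11:22:33:44:01,cam-front,10.10.1.11
dhcp-host=00:11:22:33:44:02,cam-back,10.10.2.11

# DNS: answer cams.home.arpa from leases and /etc/hosts only. no-resolv with
# no server= lines means dnsmasq forwards nothing upstream, so a camera
# cannot resolve vendor cloud endpoints through this resolver.
domain=cams.home.arpa
local=/cams.home.arpa/
expand-hosts
domain-needed
bogus-priv
no-resolv

# Log DHCP transactions for troubleshooting and audit; the lease file is
# the record of which MAC holds which address.
log-dhcp
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
```

On Debian the packaged dnsmasq reads /etc/dnsmasq.d/*.conf by default; check the file with `dnsmasq --test -C /etc/dnsmasq.d/nvr-cameras.conf` before `systemctl restart dnsmasq`. If the two NICs are bridged instead, replace the two `interface=` lines with the bridge name and keep a single `dhcp-range`; the binding, router-suppression and no-upstream choices stay the same.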
#14
I think I might have used Raspberry Pi Imager the last time I wrote one of these to USB (25.x), I also use Ventoy for a lot of these things so I can't really remember what I did the last time I set up a new machine.
#15
General Discussion / Re: The pledge of the Network Admin
February 03, 2026, 05:55:20 PM
You should add in mindlessly paste from AI.