Messages - rungekutta

#106
Quote from: qinohe on March 13, 2019, 10:15:29 PM
Hey @rungekutta, thanks for the answer;)
My internet is not fast 30/4, but enough for here..
[...]
Buy a refurbished cheap quad gigabit card, probably from a datacenter, you'll mostly be more than fine.
Don't think your network will only run good with 'the latest and greatest' I myself find it challenging to use small hardware(low specs)
I'm a hobbyist in heart and soul;)
We both run OPNSense at home so are clearly both tinkerers ;-) but coming at this from different perspectives. You enjoy repurposing and pushing low spec hardware to the limit - all respect to that. I'm more from the perspective of building solutions that just run and run, and I like headroom... also, my WAN connection is 33x faster than yours, those speeds are not uncommon here where I live (and the teenagers at home expect them ;-)). So if your CPU can just about manage your connection, by extrapolation I'd need 33x more performance if the router is not going to be the bottleneck... In real terms it's probably more like 10x according to passmark and that currently allows me 80% of my WAN capacity with IDS switched on which is good enough... right now ;-)

As for ECC... it doesn't add much to the overall cost these days if you choose components carefully so I'd definitely get it if I did a new build tomorrow. YMMV.
#107
Quote from: qinohe on March 13, 2019, 05:50:21 PM
Hi, I guess we're talking about a router used in the home domain. Depending on your needs anything would do. Here a supermicro d-410 with a HP-364T quad gigabit adapter, such you can probably buy on your well known marketplace for a few dollars. It runs IDS, a proxy for 'shitware', a VPN, not so fast, there's no AES-NI, etc. Though for the common home hobbyist this could be more than enough to run a dozen servers and the same amount of clients without a glitch.
Fair enough and each to their own and their needs of course. How fast is your WAN?

Quote from: qinohe on March 13, 2019, 05:50:21 PM
Then there is said in this thread you should consider using ECC because you may need to reboot because of problems.. and the root cause would be non-ECC! really?, c'mon don't make me laugh, boxes here run for ever without ECC, I run a Debian server on an Upboard first edition which easily achieves an uptime of 150 days++ (mostly rebooted due to kernel upgrades, the supermicro board (OPNsense) also has no trouble with this), ECC would maybe (very maybe) have an effect on self healing file-systems like ZFS though, if one bit more is destroyed in a million it's still not repairable.
ECC has a much lower failure rate than non-ECC RAM. And non-ECC RAM is more likely to cause system instability by memory errors. That doesn't mean all non-ECC systems are inherently unstable, and most of the world's computers still run non-ECC RAM. While a large proportion of the world's enterprise servers run ECC, as do many professional workstations aimed at CAD, audio/video production, medical imaging, etc. At the end of the day, it's all about risk assessment and choice. Personally I run ECC on my NAS but currently non-ECC on my OPNSense router (which is still very stable) - but next build will probably be ECC.

Quote from: qinohe on March 13, 2019, 05:50:21 PM
Oh and then IPMI, for your home server, why? do you run some datacenter at home? agreed nice toys which you use a few times, but you need it?, I think you don't, my 50 cents.
I find it extremely practical. Saves having to carry the server to somewhere you can plug it into a screen and keyboard, or vice versa. Even BIOS updates and config changes can be done remotely over the network. Again YMMV depending on your layout / setup at home.
#108
19.1 Legacy Series / Re: auto proxy discovery
March 13, 2019, 07:59:33 PM
Thanks. That makes a lot of sense.
#109
19.1 Legacy Series / Re: auto proxy discovery
March 12, 2019, 10:14:59 PM
Ok guys, thanks for that tip, will come in handy. I managed to figure this one out without it though. It was kind of in the instructions... but not to its full implication, so to speak.

I cleared out browser caches to do some more debugging on access to wpad.dat and realised I had SSL redirection enabled (80 -> 443) on the OPNSense web gui. And it runs the default self-signed certificate - I had taught my browser to trust it so didn't notice at first. But the invalid certificate is why I got erratic and different behaviour from different clients and browsers with respect to loading and parsing wpad.dat.

So it left me with two options; either get a valid certificate for OPNSense's LAN web gui, or switch the whole GUI to port 80 and http, which is kind of terrible but the lazy option. It's a shame that OPNSense won't let me serve out wpad.dat on http/80 and run the web gui on https/443 at the same time.

In any case, I got it to work reliably now across all the clients I've tried including Mac and Windows.
#110
19.1 Legacy Series / Re: auto proxy discovery
March 12, 2019, 05:37:05 PM
Quote from: bartjsmit on March 12, 2019, 08:40:47 AM
Run a trace on the interface that the iOS devices connect with to confirm that they are sending WPAD packets and to compare the traffic with a Chrome client. Interfaces, Diagnostics, Packet capture.
Wireshark is your friend https://www.wireshark.org/
Thanks. How do I do that in practice? Do I need to install on OPNSense and run from shell or are there standard tools in the GUI somewhere to run the capture (later to be downloaded and analysed in Wireshark)?
#111
19.1 Legacy Series / Re: auto proxy discovery
March 11, 2019, 10:56:33 PM
Another test - added a block rule in the firewall for ports 80 and 443. Unfortunately that still didn't get Safari to use the proxy settings, it just fails to load the pages instead.

Chrome in the meanwhile continues to read and respect the proxy settings as configured.
#112
19.1 Legacy Series / Re: auto proxy discovery
March 11, 2019, 10:31:35 PM
Just tried an iOS client. That also silently ignores the wpad.dat settings whether I set it to full auto-discovery or whether I give it the wpad.dat URL. Just hits the web pages direct irrespective.
#113
19.1 Legacy Series / auto proxy discovery
March 11, 2019, 10:12:49 PM
Hi all,

I've been trying to get auto discovery of my web proxy to work on my LAN with limited success and I'm not sure how to debug it so wondering if there are success stories out there or if this is just intrinsically flaky with a diverse set of clients...?

My test client is Mac OS X 10.14.3. I have followed the guide, although not managing to make it work, experimented a bit further. My current config in OPNSense generates this file:


/*
  PAC file created via OPNsense
  To use this file you have to enter its URL into your browsers network settings.
*/
function FindProxyForURL(url, host) {

   if (!((isPlainHostName(host)) || (shExpMatch(host, "*.mydomain.com")))) {
      return "PROXY 192.168.200.1:3128";
   }

   // If no rule exists - use a direct connection
   return "DIRECT";
}


... which I think should work. I have added an option to the DHCP server to send the URL on field 252 according to the instructions.

Indeed, on the client:


$ scutil --proxy
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://192.168.200.1/wpad.dat
  ProxyAutoDiscoveryEnable : 1
}


... looks promising (the URL is picked up from DHCP).

HOWEVER. Safari completely ignores the proxy setting and just loads pages direct instead. Chrome on the other hand actually honours the proxy setting... unless in "incognito mode" in which case it also ignores the proxy setting and hits the pages directly! I can see this by following Squid's access log while loading up different pages on the client using various browsers.

Do I need to block direct access in order to get the browsers to actually use the proxy settings specified?

Very odd... Anyone got experience from this?
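
Added example, not part of the original post: the PAC logic from the wpad.dat quoted above, run under Node.js against constructed host names to separate what the file decides from what a given client does with it. The stand-ins for isPlainHostName and shExpMatch, plus routeTable and SAMPLE_HOSTS, are assumptions of this example.

```javascript
// Minimal stand-ins for the two PAC helpers the generated file calls.
// Browsers provide these natively; they are re-implemented here (assumption)
// so the routing decision can be tested offline.
function isPlainHostName(host) {
  return !host.includes(".");
}

function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" one character.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const regex = new RegExp(
    "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
  );
  return regex.test(str);
}

// Logic copied from the wpad.dat quoted in the post.
function FindProxyForURL(url, host) {
  if (!(isPlainHostName(host) || shExpMatch(host, "*.mydomain.com"))) {
    return "PROXY 192.168.200.1:3128";
  }
  // If no rule exists - use a direct connection
  return "DIRECT";
}

// Constructed sample hosts, one per interesting branch.
const SAMPLE_HOSTS = [
  "nas",                  // plain host name, no dots
  "printer.mydomain.com", // matches the exception glob
  "mydomain.com",         // apex: "*.mydomain.com" needs a leading label
  "www.example.org",      // external site
  "192.168.200.1",        // IP literal contains dots, so it is not "plain"
];

// Hypothetical helper: map each host to the PAC decision for it.
function routeTable(hosts) {
  const table = {};
  for (const host of hosts) {
    table[host] = FindProxyForURL("http://" + host + "/", host);
  }
  return table;
}

console.log(routeTable(SAMPLE_HOSTS));
```

With this file the bare domain and the firewall's own IP address are both sent to the proxy, because neither is a plain host name nor matches `*.mydomain.com`.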
#114
Sorry, I mean E-2100 of course
#115
Quote from: daquirm on March 07, 2019, 06:23:36 AM
Check this ASUS P11C-I as well, I like the Supermicros better, but if you don't need integrated IPMI or DC power supply, this might be nice as well: https://www.asus.com/us/Commercial-Servers-Workstations/P11C-I/
Nice. Yes, looks equivalent to https://www.supermicro.com/products/motherboard/X11/X11SCL-IF.cfm but without IPMI as you say. It probably varies but where I am they are basically the same price, so for an i3 or Xeon D-2100 build I would probably still go SuperMicro.
#116
Quote from: rungekutta on March 05, 2019, 11:37:39 PM
Quote from: daquirm on March 05, 2019, 09:41:48 PM
why just not buy something like this for performance: https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-4C-TLN2F.cfm this should be about 6900 PassMark points, but much more efficient and you could use this to power it https://www.logicsupply.com/cbl-pwrpd73/
That looks sweet! In this local market that m/board is priced approx €45 over the combination X11SCL-IF + i3 8th gen but as you say would run more efficient and maybe more quiet too.
By the way I see SuperMicro recommends this case for it:
https://www.supermicro.com/products/chassis/1u/504/SC504-203B

That actually comes with a 200W Gold level PSU and doesn't seem stupidly expensive so that would probably be the best option..?

That motherboard + abovementioned case + 8GB RAM + SSD would be something like €850 here, with 8GB RAM instead of 16GB. Only 2 LAN ports though. At least in my config I would also need to add a PCI card with additional 2 NICs.
#117
Quote from: daquirm on March 05, 2019, 09:41:48 PM
I feel like the barebones are overpriced...
In general I like the i3 idea for high performance firewall builds.
What about using just 8GB ram, 16GB seems to be just too much for most cases. I have 16 GB myself and I use only 4GB and out of it about 2,5 GB for Ram disk only.
450W PSU and 67W TDP CPU makes no sense it will be so ineffective, that what you save on HW, you'll pay for electricity.
Yes completely agree, I did it pretty quickly and just picked the smallest SeaSonic on the list, wasn't even that cheap.. a smaller one and ideally more efficient too would be better of course. Agreed on the RAM also, probably too much overkill. I have 8GB in my current install, tbh 4GB would probably have been fine too.

Having said all that. In the comparison I used the same single 16GB RAM stick for all 3 options, so taking it down to 8GB would shave the same €90 or so off all of 3 alternatives.

Quote from: daquirm on March 05, 2019, 09:41:48 PM
why just not buy something like this for performance: https://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-4C-TLN2F.cfm this should be about 6900 PassMark points, but much more efficient and you could use this to power it https://www.logicsupply.com/cbl-pwrpd73/
That looks sweet! In this local market that m/board is priced approx €45 over the combination X11SCL-IF + i3 8th gen but as you say would run more efficient and maybe more quiet too.
#118
I specced up 3 Mini-ITX builds for kicks.

Motherboard: SuperMicro X11SCL-IF (inc 2x Gb LAN ports)
Case: Fractal Design Node 304
CPU: Intel Core i3 8300 with stock cooler
PSU: Seasonic 450W PSU
RAM: 1x Samsung DDR4 2400MHz ECC 16GB
SSD: Intel 600p Series M.2 2280 SSD 128GB
LAN: HP Intel Ethernet I350-T2 2-Port 1Gb NIC
Parts available in Sweden for the sum total equiv of €883

Or

Barebone: SuperMicro E300-9A-4C 5500 (Intel Atom C3558)
(https://www.supermicro.com/products/system/Mini-ITX/SYS-E300-9A-4C.cfm)
RAM: 1x Samsung DDR4 2400MHz ECC 16GB
SSD: Intel 600p Series M.2 2280 SSD 128GB
Available in Sweden for €760


Or

Barebone: SuperMicro E300-9A-8C 7400 (Intel Atom C3758)
(https://www.supermicro.com/products/system/Mini-ITX/SYS-E300-9A-8C.cfm)
RAM: 1x Samsung DDR4 2400MHz ECC 16GB
SSD: Intel 600p Series M.2 2280 SSD 128GB
Available in Sweden for €940

So how do the CPUs compare?

According to https://www.cpubenchmark.net:
Intel Atom C3558 (4 cores): 2538, single thread 876
Intel Atom C3758 (8 cores): ??
Intel Core i3-8300 (4 cores): 8661, single thread 2167

So the custom build seems to deliver more bang for the buck and also flexibility (can stick a Xeon CPU in there in the future if needed/desired) but obviously not as neat a solution as the SuperMicro barebones. Also the SuperMicro boxes probably run very quiet if not completely silent.
#119
Agreed those are nice machines, not cheap though. At least for what they retail for here (Sweden), you can get a SuperMicro board + much more powerful CPU in a non-SuperMicro case for less than this Atom-based barebone.
#120
Quote from: daquirm on February 28, 2019, 06:08:20 AM
What about these for that matter, has anyone tested them? I think this is better than Asus as it has IPMI inbuilt without having to buy an extra module and with celeron G4900T it would be cheap and it would perform fairly well, while still having ECC memory:
X11SCL-iF https://www.supermicro.com/products/motherboard/X11/X11SCL-iF.cfm
That SuperMicro board looks awesome.