Transparent Bridge Filter Recommendation

Started by salsense, February 06, 2025, 06:18:39 AM

February 06, 2025, 06:18:39 AM Last Edit: February 06, 2025, 06:21:43 AM by salsense
I am looking to place a transparent bridge filter between: the Fios Quantum Router (Bridge mode) and Mikrotik Hex S Gateway. Part of this post is also my uncertainty of what OPNsense plugins like Zenarmor or Suricata are necessary for my home.

I would like it to:
  • Prevent outside access to my Mikrotik.
  • Block my LAN from accessing malware, adware, and spyware. I use AdGuard and some firewall rules on the Mikrotik atm.
  • Use Wireguard VPN on occasion to access my home devices (though I don't plan to run wireguard on the transparent bridge filter, just would need to have rules in place to allow its use.)

I use Fios 1G, so I would like the filter to handle these things while having close to 1G speeds.

Part of the reason I want to get a transparent bridge filter is for learning and fun.

If your Mikrotik is your Internet gateway and the Quantum thingy just a bridge/modem - what method does the Mikrotik use to connect to the Internet?

If it is PPPoE a transparent bridge OPNsense in that spot will be completely useless, because all it will be seeing is a PPPoE data stream which it cannot inspect.

Even if it's DHCP or some other plain Ethernet based routing (static configuration?), OPNsense will only see the connections after NAT so it will not be able to identify individual LAN devices.

The best place for a transparent bridge firewall is between the Internet router and the LAN switch for these reasons.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
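The visibility point made above (a bridge on the WAN side of the gateway sees either an opaque PPPoE stream or only post-NAT traffic, while a bridge between gateway and switch sees per-host addresses) can be shown with a few hand-built frames. This is an added, constructed example, not code from the thread or from OPNsense; it models the filter as something that matches on Ethernet and IPv4 headers only, and every address, MAC and host name in it is made up (RFC 5737 documentation ranges, locally administered MACs).

```python
# Constructed example: what a plain L2/L3 transparent bridge filter can see
# at the two candidate positions discussed in the thread.
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # RFC 2516 session stage
PPP_PROTO_IPV4 = 0x0021

SRC_MAC = b"\x02\x00\x00\x00\x00\x01"  # constructed, locally administered
DST_MAC = b"\x02\x00\x00\x00\x00\x02"


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(src, dst, proto=6):
    """Minimal 20-byte IPv4 header with no payload (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | 5,          # version 4, IHL 5 words
                       0, 20, 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def build_eth(ethertype, payload):
    return DST_MAC + SRC_MAC + struct.pack("!H", ethertype) + payload


def build_pppoe_session(ip_packet):
    """Wrap an IPv4 packet the way a PPPoE WAN link carries it."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp)) + ppp
    return build_eth(ETHERTYPE_PPPOE_SESSION, pppoe)


def classify(frame):
    """What a filter that matches on Ethernet/IPv4 headers learns from one frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[14:]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        return {"inspectable": True, "src": src, "dst": dst}
    if ethertype == ETHERTYPE_PPPOE_SESSION:
        return {"inspectable": False,
                "reason": "PPPoE session frame: the IP header is inside PPP, "
                          "so an Ethernet/IP filter sees only the tunnel"}
    return {"inspectable": False,
            "reason": f"ethertype 0x{ethertype:04x} not handled"}


def summarize(frames):
    """Count inspectable frames and how many distinct sources can be attributed."""
    results = [classify(f) for f in frames]
    visible = [r for r in results if r["inspectable"]]
    return {
        "inspectable": len(visible),
        "opaque": len(results) - len(visible),
        "distinct_sources": len({r["src"] for r in visible}),
    }


def simulate():
    """Three LAN hosts each open one flow to the same remote server."""
    lan_hosts = ["192.168.88.10", "192.168.88.11", "192.168.88.12"]  # constructed
    public_ip = "203.0.113.7"    # constructed (TEST-NET-3)
    remote = "198.51.100.20"     # constructed (TEST-NET-2)

    # Bridge between gateway and LAN switch: pre-NAT, per-host source IPs.
    lan_side = [build_eth(ETHERTYPE_IPV4, build_ipv4(h, remote)) for h in lan_hosts]
    # Bridge between modem and gateway, plain Ethernet/DHCP WAN: post-NAT,
    # every flow carries the single public IP.
    wan_side_dhcp = [build_eth(ETHERTYPE_IPV4, build_ipv4(public_ip, remote))
                     for _ in lan_hosts]
    # Same spot, PPPoE WAN: the filter only ever sees PPPoE session frames.
    wan_side_pppoe = [build_pppoe_session(build_ipv4(public_ip, remote))
                      for _ in lan_hosts]

    return {
        "lan_side": summarize(lan_side),
        "wan_side_dhcp": summarize(wan_side_dhcp),
        "wan_side_pppoe": summarize(wan_side_pppoe),
    }


if __name__ == "__main__":
    for position, stats in simulate().items():
        print(f"{position:15} {stats}")
```

Running it gives three inspectable frames with three distinct sources on the LAN side, three inspectable frames that all share one source (the public IP) on a DHCP WAN, and zero inspectable frames on a PPPoE WAN, which is the whole argument for putting the bridge between the router and the switch.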

February 06, 2025, 04:50:30 PM #2 Last Edit: February 06, 2025, 04:54:41 PM by salsense
The quantum router is set to "bridge mode" so it forwards the public IP to the gateway at the moment. My FiOS uses an MTU so this device is also the ONT.

Anyhow, I'm open to using it between gateway and switch.

But my main question is what hardware is recommended that can handle the load without degrading the network speed below 1Gbs?

I've been looking at the Protectli devices and OPNsense's DEC series, though it seems at minimum the DEC750, but elsewhere for anything beyond firewall rules... 16-32GB RAM is recommended. (I was using their benchmarks on 'Threat Protection', though I'm not sure if that's the benchmark I should be using).

Though if RAM is the main bottleneck, is it possible to get one of the DEC600s with 16 or 32GB RAM? (Is it worth it?) or is a DEC overkill outside of a business environment?

Quote from: salsense on February 06, 2025, 04:50:30 PM
[...] My FiOS uses an MTU so this device is also the ONT.

Cannot parse overloaded TLA: "MTU"?

Quote[...]
But my main question is what hardware is recommended that can handle the load without degrading the network speed below 1Gbs?
[...]

The age-old question: "How fast do you want to spend?" The answer is always "the most you can afford". Appliances such as Deciso's have their place. I guess it comes down to which you prefer to spend: time or money. But as a first serious application, I'd pick more generic PC hardware that you can re-purpose more easily if you find you don't like the software, hardware, or both. The DEC700s have the Ryzen Embedded V1500B, a fairly mellow quad-core Zen 1, so you can duplicate its specs pretty easily. The network hardware will be more of a challenge - I stay away from the micro-PCs and stick with Mini-ITX (up to 1 slot) or Micro-ATX (up to four slots), but you may choose otherwise. 16GB of RAM should be plenty, but RAM is cheap enough these days; I go straight for 32. (RAM may be cheap, but so am I, or I'd get more.) I also head straight for the 3+ DWPD SSDs, but I do not like ablative storage. I'd recommend a decent NVMe device; I also do not like the M.2 form factor, but you can make it work with a decent heat sink.

Lots of folks here have practical choices (more so than I). Of course, if you have a giant pile of money, your choices are easier.