Recommendations for new hardware for opnsense 25.7?

Started by phanos, August 04, 2025, 07:07:47 PM

Hi all,

I have been running OPNsense for almost two years now on a Fujitsu Futro S920 with 8GB RAM and an AMD GX-222GC SoC CPU. I know this machine is not the strongest out there, but it served me well on my previous connection, which was 200MB/50MB (download/upload). In that setup I was also running OpenVPN, WireGuard, Suricata on WAN in IDS mode and Zenarmor on LAN in IPS mode. I have around 50-60 devices connected to the internet (but most of them are IoT devices). OK, things were not ideal due to one of the NICs being a Realtek, but still I was happy given the amount of money put into it.

Now I have upgraded to a fiber connection of 1GB/250MB (download/upload) speed. In order to get the most out of my router I replaced Zenarmor with AdGuard and made some tweaks to the tunables of the router. Overall I do not see the CPU being bottlenecked all the time, but when I speedtest (from a wired PC directly connected to the router) I only get ~850MB download in the best-case scenario. Most of the time my speed is capped at around ~550MB. Not sure if there is something more I can do to get more of my speed; I tried disabling Suricata and stopping other services but the result was the same.

So I am thinking of moving to new hardware and migrating everything to a new router. I searched online for either a Dell/HP/Lenovo SFF PC or a ready-made router from AliExpress (with N150 CPU and 16GB RAM), but I am having trouble figuring out whether the new system will be enough.

My requirements are:
1) Being able to get my full speed 1GB/250MB
2) Run OpenVPN for 2-3 clients (not heavy traffic all the time)
3) Run WireGuard for 2-3 clients (not heavy traffic all the time)
4) Have a few VLANs configured
5) Enable IPv6 in the near future
and ideally ...
6) Run Suricata in IPS mode on WAN
7) Run Zenarmor in IPS mode on LAN

Is the N150 even close enough to what I want to achieve, or do I need to stay clear? What is the recommended hardware for my setup? What are your thoughts on the matter?

Thanks

Phanos

August 04, 2025, 11:22:45 PM #1 Last Edit: August 04, 2025, 11:25:42 PM by BrandyWine
N150 can do it.
It usually boils down to OPNsense stuff.

Read my N150 post (https://forum.opnsense.org/index.php?topic=48166.0), note the hardware being used, three 2.5G copper and two 10G SFP. I run Suricata in IPS mode, it's the resource hog. Look for similar hardware. Load testing (LAN clients accessing internet via WAN, etc) is always key when it comes to performance. IPS, IPsec, Proxy, plugins, etc etc.

My mem usage is very low, disk usage about nil. 16GB RAM and 512GB SSD (NVMe, etc) seems good. If you can squeeze in 32GB RAM that's good too. Choose hardware that can run the fastest RAM, etc.

That device I got has a low noise fan, I saw temps from Lobby saying it got near 61C, N150 has max op temp of about 110C. I will add two small 40mm fans to the bottom plate in push-pull orientation (I'll 3D print a thin cradle for the device to sit in, etc). To keep fans quiet (albeit lowering CFM) I run 24V fans on 12V power.

Above 2.5G the LAN side switching then becomes another look-at point. Can have fast on WAN side, but the LAN side needs it too.

Thanks BrandyWine for the info. Are you running Zenarmor on LAN as well or just Suricata on the WAN? How much tweaking did you perform on the OPNsense side after installing?

I am also thinking of going with an i3-1215U CPU instead of the N150, but not sure if it is worth it.

No Zenarmor yet. Suricata on WAN is the ET Pro Telemetry (free) plugin.
I tweaked just a few items using Tunables, nothing crazy. See "Built on N150" thread.

i3 is in every metric way better than the N150. You are comparing different classes of cpu though.
https://www.cpu-monkey.com/en/compare_cpu-intel_processor_n150-vs-intel_core_i3_1215u

i3, 32GB ram, 512G or 1T NVMe, makes for an OPNsense device that will last a long time.
Be sure to seek out hardware that has fastest mem controller.

And from what I can see, the better i3 will run near +$60-100(US) over N150 device.
In % though, getting i3 is approx 50% more money.

I ended up buying a Pentium 8505 with 16GB RAM and 4 2.5GB network ports. I think it will still not be enough to run Zenarmor and get the full 1GB speed of my ISP, but the alternative options were too expensive anyway. Will of course try the setup and see how it goes when it arrives.

8505 is substantially better than N150. i3 is better, perhaps due to its bigger cache in all levels.

8505 w/ 16GB RAM and some decent SSD, should be ok.

Hi! New member here! Sorry for using this thread, but I am just pulling the trigger on a Topton 2x10Gbps SFP + 3x2,5Gbps eth i-226 N150 8GB DDR5 128GB NVMe.

I wonder if 8GB DDR5 is just enough for home use. I plan to use it the same way as in the original post of this thread.

Thanks!

August 26, 2025, 09:05:44 PM #7 Last Edit: August 26, 2025, 10:08:50 PM by meyergru
Yes, it should do just fine. Heed the N1x0 warnings in #23 here. Also, disable ASPM in BIOS or set hw.pci.enable_aspm=0 in tunables. Both I226 and 82599ES expose problems when ASPM is enabled.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
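
One way to check the ASPM advice in the post above on a running box, as an added example that is not from the thread: it parses `pciconf -lc` output and lists network controllers whose PCIe link still reports an active ASPM state. The sample text is constructed, the `ASPM <state>(<supported>)` line format is assumed from FreeBSD's `pciconf`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag NICs whose PCIe link still has ASPM active.
# Assumed input: FreeBSD `pciconf -lc` text, where the PCI-Express capability
# prints e.g. "link x1(x1) speed 5.0(5.0) ASPM L1(L1)" when ASPM is active
# and "ASPM disabled(L1)" when it is off.

# Constructed sample (not captured from a real system).
sample_pciconf() {
cat <<'EOF'
igc0@pci0:1:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)
igc1@pci0:2:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 link x1(x1) speed 5.0(5.0) ASPM disabled(L1)
ix0@pci0:3:0:0: class=0x020000 rev=0x01 hdr=0x00 vendor=0x8086
    cap 10[a0] = PCI-Express 2 endpoint max data 256(512) FLR RO NS
                 link x8(x8) speed 5.0(5.0) ASPM L0s/L1(L0s/L1)
nvme0@pci0:4:0:0: class=0x010802 rev=0x00 hdr=0x00 vendor=0x144d
    cap 10[70] = PCI-Express 2 endpoint max data 256(256) FLR NS
                 link x4(x4) speed 8.0(8.0) ASPM L1(L1)
EOF
}

# Print "<device> <state>" for each network-class device (class 0x02xxxx)
# whose current ASPM state is anything other than "disabled".
nics_with_aspm() {
    awk '
        /^[a-z]+[0-9]+@pci/ {            # device header line
            dev = $1; sub(/@.*/, "", dev)
            is_nic = ($0 ~ /class=0x02/)
        }
        is_nic && /ASPM / {              # link line of the PCI-Express capability
            state = $0
            sub(/.*ASPM /, "", state)    # drop everything up to the state
            sub(/\(.*/, "", state)       # drop the "(supported)" suffix
            if (state != "disabled") print dev, state
        }
    '
}

# Use the live system when pciconf exists, otherwise the constructed sample.
if command -v pciconf >/dev/null 2>&1; then
    pciconf -lc | nics_with_aspm
else
    sample_pciconf | nics_with_aspm
fi
```

Any device listed is still negotiating ASPM; an empty result after setting the tunable and rebooting means the NIC links report it as disabled.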

Hello, I want to build a new low power OPNsense firewall (as Proxmox VM) and am considering Odroid H4 + Netcard2 (4x i226).
Is it a good candidate for low idle power consumption (7-8w idle max)?

Odroid H4 has good ASPM support, but here I found the warning about Intel i226 related problems with ASPM enabled.
Does the ASPM-enabled problem also affect virtual OPNsense installations @Proxmox with VTNET virtual adaptors?

Can I use the Netcard board's 4 ports for virtual adaptors in Proxmox?
Thanks in advance for advice

I do not believe that this goal is achievable. The H4 with the N97 CPU has a CPU TDP of 12W, which is worse than the N100 at 6W, while the N305 has 15W. Of course, at idle, the CPU draws less power, but really, those numbers are overoptimistic - I see my N100 draw 25W at peak load.

Also, you need ~2W for the chipset, at least 1W for RAM, 0.5-1W for each NIC, so you will be at least at ~10W. Considering efficiency of your power supply, you will end up with more like 12-15W at the wall.

All of that is not even considering using OPNsense as a VM on Proxmox, which also has background tasks running.

What do you consider "good ASPM support"? Does the BIOS allow for disabling it? If not, you may get into trouble, because on these platforms, FreeBSD does not support it, so you will have network freezes, see this: https://forum.opnsense.org/index.php?topic=48562

I don't understand what "good ASPM support" means either.

When you are researching HW for OPNsense, do not look at what kind of ASPM support the device has; rather, look at whether it can be disabled. Taking ASPM support into the equation of which HW to buy sounds pointless to me.

If you want a future-proof device you currently have two choices:
1. Official OPNsense DEC HW
2. Mini PC N100 and above (N100 is more than enough)

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

OK, sorry, I'm not a native speaker and that phrase was too simple. By "Good ASPM support" I mean:
1. Firmware/bios is tuned so power saving modes are working properly with all hardware components integrated onboard
2. Enabling ASPM causes significant reduction of power consumption in idle

There are not many companies who take power saving seriously but Hardkernel is one of the exceptions.
You can google several H3/H4-related fine-tuned builds online which can go down to around 3-5 watts idle (in Linux):
https://www.hardkernel.com/shop/odroid-h4/
https://forums.unraid.net/topic/167669-odroid-h4-intel-n97-2x25gbit-4x-sata-1x-m2-ddr5-max-48gb-with-ecc/

I know OPNsense is not based on Linux but Proxmox is. That's why I want to try a build with H4@Proxmox with its Linux drivers.
Maybe it's a completely stupid idea, the VM-related performance/power penalty will be too high and I'll end up with an ASPM-disabled physical server installation like most of you recommend... but I'd like to try and test :)

You can set CPU power states without using powerd or ASPM.
Search for my "Built on N150" thread, in there are some tunables for CPU power states.
I'm not sure why anything else in the system should be powered down (sleep, etc), it's a fw device.