Hardware possibilities

[steppi]

Hey there,

I near to rebuild my home-it-setup and plan to use OPNsense for firewall, VPN and so on.
Best option I know and I was planing with is a PCEngines APU4D4 or APU2E4.
A bit sad, there is no "cheap" readyto use 19" mounting or case.

Is there a better option in 2021 then PCEngines or a better for the buck?

[bartjsmit]

Have you looked at these?

https://shop.opnsense.com/dec3800-series-opnsense-rack-security-appliance/

Bart...

[steppi]

Yeah for sure, but way too much for home-use.
Price should be better or near pcengines.

[hushcoden]

Have a look at Qotom and Protectli...

[steppi]

Thx for this.
Protectli looks really good.

Couldn't find it yesterday, are these Intels aware of spectre and meltdown?

[Patrick M. Hausen]

Couldn't find it yesterday, are these Intels aware of spectre and meltdown?

Spectre and Meltdown are side channel attacks in a multi-tenant environment. They are hardly relevant on a dedicated appliance without any remote user access. Unless you already have a remote code execution vulnerability in which case you have larger problems, IMHO.

Kind regards,
Patrick

[steppi]

Thx @pmhausen for explaining.

I saw your signature.
Are you satisfied with APU4D4?
You know any possibility for Rackmount? Only found wallmounting-Kits.

[Patrick M. Hausen]

APU4D4 are limited but suitable for the job in my case. I have a 50/10 Mbit/s DSL line ...
Don't expect gigabit speeds, couple of hundred M will be the most you are going to get, specifically with bridging.
And I have not even tried to run Sensei and/or Suricata. Again, they do perfectly well with a couple of less demanding services. I run AdGuardHome, WireGuard, Postfix, ... absolutely no problem.

And on the plus side, they are robust and need very little energy.

Rackmount: https://www.varia-store.com/de/produkt/104337-19-quot-dualrack-system-konfigurator-fuer-pc-engines-apu4-boards-dual-slot.html

[hushcoden]

And if you need just 3 ports (and no need for SIM socket for 3G modem), I'd suggest you go with APU2E4, as it seems the i210 NICs perform better than the i211.

[steppi]

Thx again,

atm i got 100/50 MBit DSL with perspectiv to 250mbit down.

On otherside i plan to divide my network in different zones and gigabit-link.
Beside FW, there will be Unbound, DNScrypt and VPN/ IPSEC don't know all points for now. Today there is only simple speedport and vm/ container piholes.

Thx for the rackmounting case. I thought more of cheap brackets. The case nearly costs like the Hardware itself.

@hushcoden
Thx for advice.
Normaly I wanted 4-Port, but there would be no problem using 3 Port with Vlan.

[Patrick M. Hausen]

IMHO you can definitely run those services on an APU system. If you stick to the algorithms supported by AES-NI, then IPSec won't be a problem and the other services you mentioned are not compute intensive.

Use a switch. With VLANs or without, but don't bridge the interfaces of the APU to create a cheap switch. I regularly do that, because it works, but you won't get gigabit speeds. The bridging code will be vastly improved in FreeBSD 13. Some time in 2022 for OPNsense, I hear.

Similarly WireGuard performance will improve by a great margin, but probably this year already.

As for the cheap brackets: that price is a steal! Ever ordered simple metal brackets for anything by Cisco? 

Kind regards,
Patrick

[steppi]

Sounds good so far.

Switch will be there doing the work with bridging, vlans and so on. Don't know the concret model, cause I'm figuring out different options from new home or buisness models to used enterprise models... in fact in every case ist will be managed with layer 2 oder 3 functions.