Topic: Worth going from 6gb to 8gb appliance (same cpu/dual nic/more in msg) (Read 1278 times)
technotic
Newbie
Posts: 8
Karma: 1
« on: May 30, 2022, 11:03:42 am »
Hello,
I am hoping to get a couple of opinions to help make a decision. I've been running opnsense now for about 6 months, replacing my damned merlinwrt off-the-shelf router, and picked up a couple of business APs. My current appliance is a Mini PC with a Celeron J4125 (2.0ghz base, 2.70 burst), dual Realtek LAN, 6GB DDR4. My ISP is Spectrum with between 200-250mbit/s down, 10-12mbit/s up. The LAN port of my appliance runs to a 5-port managed switch, which connects to my main AP (Engenius ENS357APv3, wifi 6), which connects about 20 clients. Another port runs to an 8-port managed switch which is filled with my PC, unraid server, 3d printer, a few other things. At any given time I have about 35-45 devices with active connections, capping out at 54 I believe one time. About 5 of those are macvlan aliases on my unraid server.
My opnsense appliance has AdGuard Home (thanks mimugmail) for blocklists. I was using unbound for private reverse lookups but switched it over to dnsmasq tonight. I want to keep the dhcp on opnsense dhcp service. I have suricata set on my WAN port in IPS mode with all the Open and unregistered ET rules downloaded (not all enabled). I run zenarmor on LAN side. It used to use mongodb and limited me to the 50 client choice, due to "poor" system specs, mostly because of the 6gb ram. However, it's now using sqlite set to the 100 user maximum (due to having mimugmail's repo installed). I don't have any complex setups, I'm not doing SSL intercept (once I get my VLANs set up, it'll be easier) or even SNI after running into problems with only SNI selected (port forwards were set correctly). I disabled the transparent http proxy as well now. Basic rules in pfilter, default allow out, drop all stateless incoming to WAN address, dns intercept to force use of the adguard dns server. Netflow running as well.
Current RAM usage is at about 2gb/6gb. I think the most I ever saw was up around 4 or 5gb, it was only one time. CPU sits at around 25-60% during most standard usage, including gaming while streaming.
So the point I've been trying to get to... I picked up another mini pc, has the same processor (Celeron J4125) with 8GB DDR4, dual NIC, yada yada. Just got it today (well yesterday). I need to get familiar with QRadar, so I was going to install that on this new mini pc, but then I thought about swapping them. QRadar lists 8gb minimum but I believe I installed it with less before.
Given the services I'm running, the loads I mentioned, my ISP speed, and that I am only using 1gbps LAN, would I even notice a difference by swapping them out and using the 8GB model for opnsense? I believe one big change is that zenarmor, if reinstalled, would use elastic install of mongo or sqlite? I think after typing all this and laying it all out to myself as well, I don't think I'd benefit really from the swap and the extra ram would go to better use with QRadar. But I'd like to hear any opinions that anyone bored enough wishes to share.
Thanks in advance and for reading this overengineered post
tech
rungekutta
Full Member
Posts: 139
Karma: 11
« Reply #1 on: June 01, 2022, 10:35:26 am »
Internet speeds won’t make much difference in how much RAM you need. Only marginally, in that with higher speeds you may want to tune larger buffers etc. But with the speed you're mentioning you are at least an order of magnitude away, if not more, before any of that starts to matter.
You do however run an awful lot of stuff. I slightly lost track in your description and in any case I don’t have experience of zenarmor, but I think you are saying you have already been forced to compromise, so clearly more RAM could help then. Can’t give more specific answer than that, sorry.
Also, I think different philosophies at play here… Personally I look to achieve as much as possible with as little as possible, i.e. always looking for the minimal setup that will get the job done (well). Tends to be more stable, predictable, maintainable and performant over time. I even ditched IDS recently as I didn’t think it was worth the performance hit (despite plenty of hardware) given that almost everything goes over encrypted lines now anyway, so not sure how effective it really is. I seemed to be spending most of the time filtering false positives.
DNS blocking (pihole) and geoip blocking feels worthwhile though. Easy to see in both cases how it regularly blocks loads of stuff - which has to be a good thing.
« Last Edit: June 01, 2022, 10:37:01 am by rungekutta »