Topic: *Newbie* Seeking advice new OPNSense setup & network organisation (Read 3882 times)
Kiwi
Newbie
Posts: 3
Karma: 0
*Newbie* Seeking advice new OPNSense setup & network organisation
«
on:
March 09, 2023, 11:31:23 pm »
I'm about to set up a new OPNSense on a Topton N5105 and I'm looking for some guidance/best practice and help. Right now I've an APU running pfSense but that had a few crashes in the last months and had problems running pfBlockerNG, probably underpowered. While setting up the new box I would also simplify my network setup.
Altogether maintenance should be simple because there's limited time to look after it and family cursing gets loud quickly when the internet is down ;-)
Base setup is simple:
Fibre ONT > WAN router from provider > N5105 Router (12GB RAM, 256 SSD, x4 Intel 226 NICs) > Netgear GS716T Switch
1) First on the agenda, virtual or bare metal? The APU with pfSense runs bare metal but every time something went wrong (e.g. failed upgrade, broken hardware) it took a lot of time to get everything back up and running again.
I'm running Proxmox on a NUC and really appreciate the snapshot/backup facility. That's probably the main reason why I like the idea of running OPNSense as VM. That way you could also roll back changes easily when misconfigurations happen. I read you can also do backups with ZFS but fiddling on the command line, setting up CronJobs etc. doesn't sound easier and it won't help if something went wrong during an OS update.
Of course using Proxmox would expose it to the internet (problem?) and it adds some complexity to the setup. I read that there are sometimes issues with Proxmox and assigning NICs to the VM?
So, does Proxmox really add that much complexity? On my NUC it runs stable. At the moment I only plan to run an OPNSense VM, maybe if necessary a PiHole and that's it.
2) LAN setup
At the moment the LAN runs on subnet 192.168.1.x, wired devices are straightforward and are all plugged into the Netgear Switch.
3) WiFi setup
At the moment I use an Archer C7 with Gargoyle which could be changed to OpenWRT or so if necessary and it's plugged in at its own port in the pfSense firewall, but of course it can be plugged into the switch. The WiFi subnet is currently 192.168.3.x. For most things that's fine but DLNA and other services that need broadcasting(?) just don't work across subnets and are a pain, hence I would put all on the same subnet 192.168.1.x.
Now for security concerns I would like to separate IoT devices and Guest WiFi devices from most other devices in the LAN.
IoT devices only need to see my HomeAssistant (LAN) and maybe my PC on the LAN so I can manage them. They probably also should be isolated from each other?
Other WiFi devices like my phone, laptop, tablet should have access to all devices (except IoT).
What would be the best (maintenance friendly) approach to set this up, VLANs? I mean the IoT devices could theoretically have their own subnet and then I can route them in OPNSense. My only problem in this case would be, that I only want to use 1 WiFi AP and that probably can't handle 2 separate WiFi networks with different subnets, or? Then VLAN tagging could be an option but I'm also not sure if OpenWRT could handle 2 WiFi networks with different VLAN tags?
Is OPNSense 23.x the version to go with? I read you need at least 22.1 because of the Intel 226 NICs?
zyghom
Newbie
Posts: 22
Karma: 0
Re: *Newbie* Seeking advice new OPNSense setup & network organisation
«
Reply #1 on:
April 05, 2023, 07:26:47 pm »
I am where you are.
Yesterday I had:
Fiber ONT -> VF router -> switch -> Proxmox (LAN)
                                 -> Other machines (LAN)
                                 -> AP1 (wifi) home network
                                 -> AP2 (wifi) IoT at home
I changed to:
Fiber ONT -> Proxmox Opnsense (NIC1 = WAN) -> Proxmox Opnsense (NIC2 = LAN) -> switch -> Other machines (LAN)
                                                                                      -> AP1 (wifi) home network
                                                                                      -> AP2 (wifi) IoT at home
DNS on pihole (in "other machines LAN"), DHCP on Opnsense. My Proxmox has 3 NICs - 3rd one I use for PVE management.
VF router used as AP only now (before it was both: router and AP), as I managed to get into ISP from Opnsense (WAN) using PPPoE.
I am at the very beginning of the journey but I like it ;-)
I am also looking for some advice on how to, but slowly will get there.
Dinmiller
Newbie
Posts: 1
Karma: 0
Re: *Newbie* Seeking advice new OPNSense setup & network organisation
«
Reply #2 on:
May 07, 2023, 05:11:18 am »
Same here, I've got it up and running, but not well it seems. I have the basics working and port forwarding done as I have a dedicated server for hosting games. My old router was running into some issues, so I decided to switch this as I had the parts lying around. But it seems like I am having some trouble with network traffic, game server is lagging pretty bad. Not too sure what I need to do from here, Shaper maybe?
yourfriendarmando
Full Member
Posts: 103
Karma: 8
Re: *Newbie* Seeking advice new OPNSense setup & network organisation
«
Reply #3 on:
May 18, 2023, 09:50:38 am »
Try it bare metal and compare. My VMs do well scaling and with throughput; however, virtual has to incur some amount of latency.