[Noob/New User] Device Recommendations

Started by Stephnugs, December 15, 2023, 05:40:40 AM

So I've officially entered the rabbit hole of home lab/DIY home networking, and I keep second guessing myself in regards to what hardware I should get for my new router/firewall.

I was originally going to use PFSense paired with a Protectli Vault, but after a decent amount of searching around I discovered that OPNSense seems to be the logical decision amongst the community.

I did some contracting work years ago for an MSP, by the way I'm in the US, who utilized Protectli devices running PFSense. So I was thinking about getting a Protectli device, but realized they are overpriced and not worth the cost.

Then I did some searching around and found the CWWK N100. This model looks really solid. The most appealing part of this device is the fact that it's fanless, and I don't have to worry about years of dust accumulating internally or more moving parts that can fail.

I plan on using this router for a very simple firewall/router. I currently have a DOCSIS provider, I get 300mbps down/20 up. However, I plan on upgrading to 1gbps down/50 up soon. I don't have a need for VPN, but Wireguard would be a nice feature to have if I ever want to use it. I also want the ability to monitor traffic per IP/MAC Address if that's possible, for example I want to log exactly what device is pulling how many mbps at a given date/time, if that's possible more info would be greatly appreciated. Money isn't really a factor, I just want to be smart with my purchase. I don't want to spend $500 if I don't have to.

Anyways, some specific models and recommendations would be greatly appreciated. Looking forward to becoming part of the OPNSense community. Thanks guys!

Welcome! There is a sub-forum specific to hardware and performance where you will likely get more replies: https://forum.opnsense.org/index.php?board=21.0

Welcome,

Indeed, in the HW&Perfm sub-forum you can already find topics regarding this question. With the influx of new people, and current people going through an upgrade cycle of their infra, there are a lot of topics discussing and reviewing them.

Some examples:
https://forum.opnsense.org/index.php?topic=37496.0
https://forum.opnsense.org/index.php?topic=35504.0
https://forum.opnsense.org/index.php?topic=35603.0
https://forum.opnsense.org/index.php?topic=27938.0

You can find more such topics there. Usually the correct answer for "what HW to get" is buy the official DEC, but if you are money restricted indeed the only option is the build-it-yourself from China knockoff rabbit hole.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

December 16, 2023, 02:58:49 AM #3 Last Edit: December 16, 2023, 05:06:22 AM by Stephnugs
Thank you for the reply guys! I really can't justify spending that much money for a simple home network such as mine. I'm looking for something that will give me the best bang for my buck. IMHO The DEC product line is way too overpriced for that kind of hardware. I'd just buy Ubiquiti at that point.

Everyone is always talking down on Chinese products but at the end of the day the RAM and storage will be my own choice as the device is barebones, and where does everyone think all of the components on the majority of motherboards come from anyways lol.

I will also post in the hardware forum, once again thank you.

Quote from: Stephnugs on December 16, 2023, 02:58:49 AM
Thank you for the reply guys! I really can't justify spending that much money for a simple home network such as mine. I'm looking for something that will give me the best bang for my buck. IMHO The DEC product line is way too overpriced for that kind of hardware. I'd just buy Ubiquiti at that point.

Everyone is always talking down on Chinese products but at the end of the day the RAM and storage will be my own choice as the device is barebones, and where does everyone think all of the components on the majority of motherboards come from anyways lol.

1. Ubiquiti does not support OpnSense - and their routing implementation is not the best, either. More often than not, they fork off an open source basis, modify it and neglect the support. Edgemax routers were a good example - they use Vyatta OS in a completely outdated version that existed when they launched that product line, the underlying OS is a Debian 5 or 6. The current OpenVPN implementation cannot talk over IPv6, yet the DNS resolution for the endpoint prefers an IPv6 if present... cost me 4 hours to figure out. Some options will not be supported in the next OpenVPN version 2.7 (there are warnings about this). Wireguard is client-only, not site-to-site.

In short: Bad comparison.

2. Nobody talks Chinese hardware down. The problem is that you won't get any support (e.g. firmware updates). Just remember to come back here if your Aliexpress Alder Lake box runs unstable. Like, I mean, really: We can help - your supplier won't.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I wonder do Deciso boxes use hardware offloading, can they lighten up the CPU usage? I have a generic x86, very powerful, but the CPU overhead is crazy. Just iperfing PC to PC via its software bridge is stealing 25% of CPU. On normal routers or switches it's 0%. I know bridges are not favored, but it's a great example of the overhead.

The Chinese boxes are cool, I'm surprised by their stability and build. Hot new BIOS there. Incredible expandability. 6*2.5Gbits as people prefer. They're a no-brainer for home lab.

About the "Hot new BIOS": So what microcode version is your 100° hot N305 on? To find out:


pkg install x86info
x86info -a | egrep -h 'Microcode|Family|Model|Processor'


the latest and hottest https://access.redhat.com/articles/7044453

grep -E '^(cpu family|model|stepping|microcode)' /proc/cpuinfo | sort -u
cpu family      : 6
microcode       : 0x430
model           : 154
model name      : Intel(R) Pentium(R) Gold 8505
stepping        : 4
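
An added example, not part of any forum post: a POSIX shell check that reads the /proc/cpuinfo fields shown in the post above and compares the loaded microcode revision with a baseline you supply. The function names and the `MIN_REV` value are assumptions; the real baseline for a given CPU has to come from the vendor advisory.

```shell
#!/bin/sh
# Constructed sample: the /proc/cpuinfo fields quoted in the thread.
sample_cpuinfo() {
cat <<'EOF'
cpu family      : 6
microcode       : 0x430
model           : 154
model name      : Intel(R) Pentium(R) Gold 8505
stepping        : 4
EOF
}

# Print the first value of an exact field name from cpuinfo-style text,
# so "model" does not also match "model name".
cpuinfo_field() {
    awk -F: -v key="$2" '
        { k = $1; sub(/[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# Succeeds only for a 0x-prefixed hexadecimal number.
is_hex() {
    case "$1" in 0x*) ;; *) return 1 ;; esac
    case "${1#0x}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
}

# microcode_status FILE MIN_REV
# Prints "<family>-<model>-<stepping> <revision> <verdict>".
# Returns 0 (ok), 1 (outdated) or 2 (revision missing or not hex).
microcode_status() {
    sig="$(cpuinfo_field "$1" 'cpu family')-$(cpuinfo_field "$1" model)-$(cpuinfo_field "$1" stepping)"
    rev=$(cpuinfo_field "$1" microcode)
    if ! is_hex "$rev" || ! is_hex "$2"; then
        echo "$sig ${rev:-none} unknown"; return 2
    fi
    if [ "$(printf '%d' "$rev")" -ge "$(printf '%d' "$2")" ]; then
        echo "$sig $rev ok"
    else
        echo "$sig $rev outdated"; return 1
    fi
}

MIN_REV=${MIN_REV:-0x430}   # placeholder baseline, not a vendor-published value
tmp=$(mktemp)
sample_cpuinfo > "$tmp"
microcode_status "$tmp" "$MIN_REV"
rm -f "$tmp"
```

On a Linux host, pass `/proc/cpuinfo` as the file argument; OPNsense itself is FreeBSD-based and has no /proc/cpuinfo, which is why the earlier post uses x86info there.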

So you have it running as a VM? You were lucky to have an Alder Lake variant that was patched a while ago, the N100, N200 and N300 variants have been fixed only a month ago and ran unstable. There were a few people who had unstable systems because of this and firmware upgrades were nowhere to be found (I would bet, they still aren't).

The 55 Watts Pmax of your CPU explains why it can reach throttling temperature when cooled passively.

Quote from: Stephnugs on December 15, 2023, 05:40:40 AM
I also want the ability to monitor traffic per IP/MAC Address if that's possible, for example I want to log exactly what device is pulling how many mbps at a given date/time, if that's possible more info would be greatly appreciated.
Just this bit. Unfortunately that functionality does not exist to my knowledge. There is some limited monitoring out of the box for point in time but is very basic.

Quote from: cookiemonster on December 17, 2023, 12:19:36 AM
Quote from: Stephnugs on December 15, 2023, 05:40:40 AM
I also want the ability to monitor traffic per IP/MAC Address if that's possible, for example I want to log exactly what device is pulling how many mbps at a given date/time, if that's possible more info would be greatly appreciated.
Just this bit. Unfortunately that functionality does not exist to my knowledge. There is some limited monitoring out of the box for point in time but is very basic.
Doesn't netflow provide just that? I don't use it so I cannot comment on the hardware requirements etc.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It does indeed, point in time. That means you cannot go back to see what device downloaded what/used what bandwidth the day before, nor the hour prior, etc. Maybe that's not what the OP meant but how I read it, Patrick.

Quote from: meyergru on December 16, 2023, 11:58:02 PM
So you have it running as a VM?
Yes it's running in Opnsuse KVM (Cockpit administration), and was with the fresh BIOS and OS updated the microcode. It's so stable with podman, Opnsense, DSM running, I hardly can find a branded PC or server that can match it.

The reason to choose over N100 was just 300€ price and 6 x i226, 2x RAM, 2x SSD, 2x NVME and tons of ports. Again, the internal/external connectivity was better than on other big servers.

Performance is also pretty insane, outperforming my 16core PC IPS easily. Little did I know how the performance would benefit my situation too.. Without generic x86 nonoffloaded approach, CPU is busy and I hardly process 2gbit PPPoE via VPN. I'd be dead with N100. ZenArmor active/passive = forget. Ntopng = so so.

The drawbacks of Alder Lake:
- forget about GPU, since Gen10 (multi)sharing of GPU is difficult in all distros
- forget about QAT, I couldn't wait to boost VPN speed this way, but hell no, it's not enabled in the BIOS and it's not even implemented by Intel. Just like GPU, buy now, make it work 5 years later
- watchdog in BIOS doesn't work. It'd greatly help me reset the frozen boot process when Opnsuse runs into an encryption race condition (as the only OS that can store LUKS keys in TPM and it does unattended SED encryption too, I use both)
- x86 inefficiency.. simple 2.5gbit usage will draw lot of power whereas hardware offloaded devices will stay idle

I can see IP/MAC bandwidth, connections in any time of history. I don't even need to open Opnsuse to see bandwidth of devices and interfaces - Observium will show me all performance now and historically.

Welcome to the rabbit hole!