Recommendation on building a budget PC for running OpnSense

Started by NickOps, February 18, 2025, 01:23:44 AM

Hi All,

I'm looking into building a small setup for my home and planning to run OpnSense for Security and not quite sure which HW to select.

I could find one mini PC matching most of the requirements for running OpnSense, but it seems like the only problem with this set of HW is the Intel i226. It's running Intel 12th Gen N100, with 4 x 2.5G ports and Intel i226 LAN port. I see a lot of discussion around this controller causing all sorts of issues and, being new to setting up this software FW using OpnSense, I don't want to end up troubleshooting issues during the initial setup.

I looked up the FreeBSD site, but it is quite confusing when checking which supported Ethernet controllers I could use. I was thinking maybe I build the machine from scratch, but I'm not sure if I will end up deciding on the right set of components (which are compatible with OpnSense).

Does anybody have a budget recommendation for components (that should be easily available to grab at my or any location for that matter)? If I build it from scratch, I don't see a motherboard that comes with 2 GE ports, so I will have to plug an extra adapter into the PCI slot, so how do I make sure I choose the right adapter to plug in? I can't seem to find an Intel 2.5/1 Gb Ethernet motherboard? I think I'm stuck while selecting a motherboard for the processor (Intel Core i5-12400F Processor) I picked based on my budget?

I would appreciate it if someone could provide a list of compatible components like CPU, Ethernet Controller, or anything else that should be considered.

I'm quite excited to take on this project for myself so any guidance/suggestion would be really motivating.

Thank you in advance.

Regards,
Nikhil
 


For me, too.

@OP: You should re-think this, because with a normal PC build, you are going to have more power draw than with a dedicated FW machine from Aliexpress or the like. The machine will be up 24/7 and PC power supplies are not in the 90% power efficiency range with low loads.

An N100 or N150 will suffice for most applications.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Thank you @bimbar & @meyergru for your confirmation! Are there specific steps I need to follow to configure this with i226, or nothing specific?

Please share any step-by-step document/tutorial for me to follow, if you could.

Thank you!

Cheers,
NickOps

Used HP T740 and add in an Intel i350 card with 4 ports, about $150usd when you are done.

That gives you 4 gigabit ports plus a gigabit Realtek port. If you want you can add an a+e Intel i226 card where the wifi card goes (another $30usd)

You can opt for an i226 card if you need 2.5gbps. If you really want faster, you can opt for a 4 port x710 based card for up to 10gbps. Will that cpu route at 10gbps? Not sure as I have no use case to test it (I also don't have one of the x710 cards on hand).

The CWWK "firewall" devices look nice, go with n100 or n305, n305 will probably draw twice the idle power since it has 8 cores. The power draw at idle for the T740 will definitely be more than an n100 and probably more than an n305.

You can run this down on an HP t620+ and probably do it cheaper, but I don't think it will route everything fully loaded at gigabit speed (4 ports with Intel card). Power use will again be more than a modern n100 based system.

Just options.

Thank you @GregE! Are you guys running the Opnsense on Proxmox VE or bare metal?

 

I always run it bare metal, but probably no real reason for this. Soon I'll have another of these set up with 4 port i350 card and an extra i226 port glued on the back.

The HP T740 will be a little lower performance with Proxmox or other hypervisor running things. Might still be OK, VMware8 runs fairly well on these devices when you consider that I'm really just learning the hypervisor itself and VMs are kind of secondary. Soon XCP-ng will be on another set of them which again, for lab use will probably be enough performance for my learning needs. If you see an opportunity for T755, this will be "better" 6 cores and 12 threads, still up to 64GB of DDR4 SODIMM and still with a PCIe 3.0 x 8 lanes for a half height card and an a+e slot for an i226 card for one more port.

For those interested in the T740 (and probably T755), keep an eye out for lots of machines with locked BIOS. It's not too much money to buy a programmer and fix this; the procedure is written up on the Badcaps forums. I had to use the CH341a v1.7 with the voltage switch set to 3.3 volts and NeoProgrammer for the Windows software. Most of these kits come with the spring loaded socket needed to read and write the chip.

I will come in with a different opinion: the N100s are not the way to go.
If you are money constrained then ebay is the way to go. Find a C3000 based older appliance, e.g. https://www.ebay.com/itm/365297922565 or https://www.ebay.com/itm/356679220079 or https://www.ebay.com/itm/186959526492 etc.
These are still in the sub 20 watt idle range and go up to maybe 40 watts on high traffic (obviously higher if you are doing something like IDS).
The Atom C3000 Denverton based procs are at a sweet spot of high processing power and low used appliance price right now. They still can only handle around 2gb for natting and would not be recommended if you have an ISP with >2.5gb download/upload bandwidth.

Having said all that, if you can get a ~i3-9100 or 10th gen based equivalent for the same price range, I'd take it. It has a similar power usage (30-60 watts) with FreeBSD depending on the rest of the system.

The t740 is a 30 watt range device, I finally measured mine. They will go up past 60 watts during high load, but I never saw enough load from OPNsense to trigger it up too much when I was running my work system on OPN for a few months. You need to be 25% CPU or higher for the power to really start coming up. In this, the n100/n150 devices are really good choices. Pay for it now with hardware cost or pay for it slowly with electricity and cooling costs.

Contrast: n100 based NAS with six 2.5 inch spinning drives is going at around 30 watts idle and just below 50 watts when I'm benchmarking the drives (up to 6-7gbps). Just a point for comparison.

I would not let the i226-v2 worry me, there are lots of those in service and fewer problems in the last year.

It all depends on what you pay for electricity, but here in Germany, where 1kWh equals 0,28€ on average, every Watt more equals 2,44€ per year. So, even with only 10 Watts more power draw, a price difference of ~100€ is equalized in 5 years.

Plus, an N100 can easily handle a 2.5 Gbps NAT internet connection, or 1 GBps VPN or IDS, plus it can route 10 Gbps between local VLANs. There are devices now for ~200€ which have 2 x SFP+ plus 3x I226V. That is hard to beat by any (even used) alternative.

Having Intel NICs is notoriously better than Realtek and also, 2.5 Gbps can yield higher results on "nominal" 1 GBps connections than 1 GBps NICs can (they always cap out at < 1Gbps, even more so with PPPoE). Just look at my signature and you will see...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A