Starting homelab network - hardware choices

Started by hacktheplanet, January 12, 2026, 10:22:32 PM

January 12, 2026, 10:22:32 PM Last Edit: January 12, 2026, 10:56:23 PM by hacktheplanet
Hi all!

I will be building out a homelab and would like to have the router running OPNSense. I am coming from a Fritzbox 7530 AX.

I am considering a number of hardware options and would appreciate some advice to help me narrow it down.

Use Case

My use case, as I implied above, is to set up a homelab but also just have a secure and functional home network, so I can do the following:

  • Segment my network into multiple VLANs
  • Set up semi-managed switches
  • Set up access points
  • Explore the IDS/IPS features - will probably run CrowdSec
  • Support personal devices for a household of 2-4 people
  • Set up PoE security cameras on a separate VLAN
  • Establish homelab to mess about with things like HomeAssistant, etc.
  • Set up a VPN or similar means of accessing self-hosted services when away from home
  • Future proof my network, at least 2.5G capable

My maximum budget would be €800, though ideally I'd like to stay well under that if possible.

Ready and Purpose Built Options

As far as brand new devices, I have been looking at the following:

1. Protectli VP2430

Pros:

  • From my understanding, specs wise it should be able to handle everything I need.
  • I can also configure it to have more than 8GB of RAM or just get it with 8GB and update it myself down the road if I see the need.
  • Can be configured with Coreboot
  • Can be configured with a TPM
  • Has a standard 2-year warranty

Cons

  • American company (with EU offices) - would prefer to support an EU company and not have to worry about current/future international relations
  • Relatively pricey, considering similar devices are available from Ali Express and other similar marketplaces

Overkill alternative:

Protectli VP2440

Similar pros and cons, just not sure if getting 10GbE is worth it.

I am not really convinced of the various Chinese brands that do similar devices, primarily due to concerns regarding ongoing support and security updates, but if somebody has similar suggestions that address these concerns somewhat, I would be interested in finding out more.

2. DEC697

Pros:

  • From my understanding, specs wise it should also be able to handle everything I need.
  • Supports OPNSense development
  • European
  • Comes with 2 year warranty
  • Comes with 1 year OPNSense Business Edition

Cons

  • RAM not upgradable, may not be as future proof?
  • Also pretty pricey

Questions I have about this product:
- Since this is running an AMD chip, does the lack of Coreboot still present a loss in terms of privacy and security?
- How limiting will 8GB be going forward?

Overkill alternative:

DEC750

Again, mainly for 10G future proofing.

Mini PCs

I have also looked into repurposing an SFF/USFF device as a router, like for example a Lenovo ThinkCentre M720q. I also have access to a bunch of Optiplex 5070 Micros, but these don't have the advantage of the PCIe slot (when used with a riser) that the Lenovo has.

Pros

  • Much cheaper
  • Possibly slightly better specs
  • Can be configured with more RAM later
  • Relatively low power still

Cons

  • Sourcing a device that's in good condition, with original power brick may be difficult
  • Need to source reputable/genuine Intel NIC
  • Need to source riser for PCIe slot or alternative for the Optiplex option
  • Very DIY, would feel afraid of misconfiguring the device and exposing myself to security issues
  • No warranty or support
  • Not as quiet
  • Higher power consumption

I also have an old Intel i5-4960k and GTX 970 system lying about in a big case, which maybe I could look at converting into a small form factor build, similar concerns as above though (mainly around security). In general, I am comfortable enough with problem solving with servers and personal devices as a Linux user, but ideally my router would be fairly set and forget (and reliable!), which I'm not sure these options would provide.

Bonus questions:

  • Has anybody had luck putting a device with OPNSense on it downstream of a FritzBox (which doesn't seem to support bridge mode) without too many issues due to double NAT? I've heard mixed reports that you can put the OPNSense router in the DMZ and forward traffic there, in order to avoid some issues with double NAT.
  • Does anybody have any suggestions for PoE capable switches and access points that play nicely with OPNSense - I've been considering MikroTik but I'm not entirely sure what to look for.

Any advice very much appreciated. Happy to elaborate on anything if need be.


I would suggest some cheap N100 box with 2 network ports.

For switches, TP-Link or Mikrotik (but with swos).

January 13, 2026, 12:30:47 PM #2 Last Edit: January 13, 2026, 10:48:17 PM by Patrick M. Hausen
Mikrotik CRS326 is a heck of a capable switch for 200 €/$. I run it with Router OS. Good thing is you are free to choose. It does not support PoE, though.

Keep in mind that active PoE in a switch means

- way more expensive than without
- most units are deep 19" devices
- passive cooling is very rare

Depending on how "home" your home lab is going to be (do you have an extra room for a rack?) a switch like the mentioned CRS326, available in either rack or desktop format and passive cooling might be preferable to a loud rack mount only unit intended for data centres.

P.S. The CRS326 does not support 2.5 G Ethernet.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I would not recommend N1x0 boxes with only two ports:

a. those often tend to use Realtek chips, unlike their 4 or more port equivalents, which mostly use Intel I226V. Also, they often are actively cooled.
b. If you want to set up VLANs, you will want to have inter-VLAN traffic at full 2.5 Gbps speed, for which you need multiple physical 2.5 Gbps (V)LAN ports. Thus, two ports will not suffice.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

January 13, 2026, 09:54:01 PM #4 Last Edit: January 13, 2026, 09:55:40 PM by hacktheplanet
Quote from: Patrick M. Hausen on January 13, 2026, 12:30:47 PM
Keep in mind that active PoE in a switch means

- way more expensive than without
- most units are deep 19" devices
- passive cooling is very rare

Depending on how "home" your home lab is going to be (do you have an extra room for a rack?) a switch like the mentioned CRS326, available in either rack or desktop format and passive cooling might be preferable to a loud rack mount only unit intended for data centres.

P.S. The CRS326 does not support 2.5 G Ethernet.

Thanks for sharing that model and your experiences with it. I'm not sure about a rack yet, space is at a bit of a premium so I am considering a mini-rack of the type that seem to be quite popular currently. I will set up a patch panel, so a rack probably makes sense.

I mainly would need PoE for some cameras (2 initially) and possibly later some single board computers and such.

Quote from: meyergru on January 13, 2026, 01:06:27 PM
I would not recommend N1x0 boxes with only two ports:

a. those often tend to use Realtek chips, unlike their 4 or more port equivalents, which mostly use Intel I226V. Also, they often are actively cooled.
b. If you want to set up VLANs, you will want to have inter-VLAN traffic at full 2.5 Gbps speed, for which you need multiple physical 2.5 Gbps (V)LAN ports. Thus, two ports will not suffice.


Great tips, thanks! Yes, I am hoping to get at least 4 ports, or a mini PC with a full PCIe slot that would let me add a 4+ port Intel NIC. I'm leaning towards the latter currently, as it offers me some ability to update components as time goes on.

January 13, 2026, 09:59:47 PM #6 Last Edit: January 13, 2026, 10:01:41 PM by Patrick M. Hausen
Yes, 10 inch racks seem to be all the rage right now. The Mikrotik CRS310-8G+2S+IN would fit into one. Only 8 1G ports compared to 24, though.

Multiport PoE+ injectors exist:

https://www.amazon.com/dp/B085Z6BYNV/

If you have the funding, I can't say enough great things about the Deciso hardware.  It's rock solid reliable, and supports OPNsense development.

I have the rack mount version of the DEC750 (I have the DEC2752) --> it's been nothing but a workhorse.  Only issues I've ever had have been my own misconfigurations!

Do I dare mention this?  I'm on the fence.

You already took American companies off your list (I don't blame you) but just mentioning as an option in between 19" and 10" switches: the UniFi USW-Pro-Max-16-PoE is a 12.8"x6.3" desktop fanless (also wall or rack mountable) with PoE+/PoE++.  I mention this specific model because I have it as my sole home network switch for the last year and some months and the hardware has been reliable.  It's a good value, with caveats mainly around firmware and software.

The number of 2.5GbE ports and the distribution of PoE profiles is hit or miss depending on your needs.  It's technically an L3 switch but I haven't toyed with that.

Pros:
- 12x1GbE (PoE+), 4x2.5GbE (PoE++), 2xSFP+
- 180W power budget
- Silent
- Power components external to switch (tradeoff: large power brick)
- Das blinkenlights! (Etherlighting)

Cons:
- Provisioning isn't easy without a native/untagged network or a VLAN with ID 1 (UniFi default)
  * no OOB mgmt. or serial port
- Requires a centralized management app even for small or single-switch deployments
  * this in turn uses MongoDB which now requires CPUs with AVX
- Phones home with telemetry (mitigations exist)
- IPv6 and 802.1X had some gaps and issues early on; coming to maturity now
  * credit @meyergru and @apalrd (via YT) for pushing many of these issues with upstream
- LACP hashing limited to L2/L3 so not useful for small networks
  * credit @meyergru for documenting this
- Das blinkenlights! (yes, you can disable it)

Having said this- I would strongly consider my next upgrade being a MikroTik if they can more closely match the UniFi hardware offering and without fans, but I do honestly quite like the UniFi APs which integrate perfectly with their stack. :-/

Quote from: hacktheplanet on January 13, 2026, 09:57:16 PM
Great tips, thanks! Yes, I am hoping to get at least 4 ports, or a mini PC with a full PCIe slot that would let me add a 4+ port Intel NIC. I'm leaning towards the latter currently, as it offers me some ability to update components as time goes on.

I would refrain from a modular PC unless it is really great with power efficiency (most are not). The dedicated firewall boxes have fewer unneeded components, like audio chips and stuff. Your firewall is a 24/7 device where it makes a difference if it draws 10 Watts more or less. Also, AFAIK, 4-port Intel PCIe cards have 1 Gbps only, whereas most china firewall boxes have 4x I226V with 2.5 Gbps built in.

Quote from: meyergru on Today at 12:03:06 AM
Quote from: hacktheplanet on January 13, 2026, 09:57:16 PM
Great tips, thanks! Yes, I am hoping to get at least 4 ports, or a mini PC with a full PCIe slot that would let me add a 4+ port Intel NIC. I'm leaning towards the latter currently, as it offers me some ability to update components as time goes on.

I would refrain from a modular PC unless it is really great with power efficiency (most are not). The dedicated firewall boxes have fewer unneeded components, like audio chips and stuff. Your firewall is a 24/7 device where it makes a difference if it draws 10 Watts more or less. Also, AFAIK, 4-port Intel PCIe cards have 1 Gbps only, whereas most china firewall boxes have 4x I226V with 2.5 Gbps built in.


You can get 4 port i226 cards.  They are all over AliExpress.  I was looking at them and just ended up ordering a Fenvi i226 2 port. 

I have a Dell 7020 SFF i5-4590 8GB RAM that draws about 25 watts average. It's a little more electricity but it would take many many years to make up the difference in electricity cost.