Newbie questions

[jl_678]

Hi,

I have decided to go down the path of building a homebuilt router and purchased an embedded server with 8GB of RAM, a Celeron 3150U and 128GB SSD.  I have a few questions that I hope knowledgeable folks could answer:

1. I noticed questions about 32bit vs 64bit.  Does this imply that Opnsense will not support anything beyond 4GB of RAM?  I assume that 8GB will not be an issue, but that I will just not use half of it.  Is that correct?

2. I am using this for a home firewall and so want web filtering.  Ideally, I would like to customize filtering so that some devices are strongly filtered and others are not filtered at all.  Is that possible?

3. As a follow-on to #2, I am thinking about Proxy configuration.  I have some IOT devices that don't natively support proxies.  My assumption is that I can set rules to allow certain IPs to bypass the proxy, correct?  Also will we need manual proxy configuration on all clients?

TIA for any thoughts.

JL

[monstermania]

1. I noticed questions about 32bit vs 64bit.  Does this imply that Opnsense will not support anything beyond 4GB of RAM?  I assume that 8GB will not be an issue, but that I will just not use half of it.  Is that correct?

Of course supports the x64-Version more than 4 GB RAM!
But if 8 GB make sense into OPNsense, depends of your requirements.  For an home used firewall 8GB RAM is IMHO absolute overkill!

2. I am using this for a home firewall and so want web filtering.  Ideally, I would like to customize filtering so that some devices are strongly filtered and others are not filtered at all.  Is that possible?

Hmm,
you can configure the web proxy that some ip adresses passes all proxy filtering rules. If you uses fixed ip adresses on your devices you can do so.
But right now there is no possibility to combine proxy rulesets with users/groups from directory services (like AD or LDAP).

3. As a follow-on to #2, I am thinking about Proxy configuration.  I have some IOT devices that don't natively support proxies.  My assumption is that I can set rules to allow certain IPs to bypass the proxy, correct?  Also will we need manual proxy configuration on all clients?

You can configure the web proxy in transparent mode. In transparent mode all http and/or https traffic routing over the proxy so you don't need to configure anything onto your IoT devices. 
Another option is to separate the IoT devices into an own vLAN. For this vLAN you can explicit allow the traffic to the adresses your IoT schould have access.

[franco]

Hi there!

Not much to add to Dirk's detailed answers.

WRT to 32-bit, works fine but only 4 GB show up in the box. If that box is capable of 64-bit there is no reason to run it in 32-bit anymore. Or slap ESXi on it and use it for multiple things.


Cheers,
Franco

[jl_678]

Hi,

Thank you both for your thorough responses.  They are much appreciated.  The idea of using ESXi is an interesting one that I need to think about more....

[xinnan]

When you say "filtering", what exactly do you mean?

I ask because suricata "filters" quite a bit and can be configured per interface. 

But thats not the same sort of filtering you get with a proxy or transparent proxy. 

Just checking to see that terminology wasn't causing problems.