Topic: Experience building opnsense firewall on via mini-ITX mainboard (Read 5185 times)
ljrickwood
Experience building opnsense firewall on via mini-ITX mainboard
« on: January 12, 2019, 01:28:22 am »
I recently built a home/SOHO firewall box around OPNSense, a VIA VB7009 mini-ITX board (https://www.viatech.com/en/boards/mini-itx/vb7009) and an Intel quad-port Ethernet PCI card. I'm recording the experience here in the hope that others might find it useful.
Long story short - OPNSense installed on the hardware and works well. It currently manages five subnets, using the four Ethernet ports on the Intel NIC and one of the two ports on the mainboard itself.
The details:
I used the VB7009 variant with the VIA C7 CPU as it’s cheap, fan-less and has low power requirements. OPNSense runs on it without problems and appears to use the CPU's PadLock crypto acceleration hardware.
The VB7009 can accommodate a single RAM module with a maximum capacity of 4GB. I installed a 2GB module, which appears to be sufficient as RAM usage hovers around 10%.
I fitted a SanDisk 64GB SATA SSD as that was what was in the spares box. OPNSense occupies 6% of the drive. I'd have used a smaller, 32GB, drive if one had been to hand but in either case having a lot of free space on an SSD that runs continuously for a long time is a good idea as it spreads the wear, which extends the lifespan.
In order to keep the build fan-less I fitted a 120W PicoPSU solid-state power supply (https://www.mini-itx.com/store/~picoPSU-120-WI-25). This gives plenty of headroom as the old Belkin netbook power adapter that feeds it maxes out at 40W. (https://www.ebay.co.uk/itm/Belkin-40W-AC-DC-Travel-Netbook-Power-Adapter-with-car-charger-High-Quality-EU-/251275477077)
The build was installed in a Sugo SG13B case (https://www.overclockers.co.uk/silverstone-sugo-sg13b-mini-itx-chassis-black-ca-403-sv.html). This can accommodate a full-sized PCI card and is well-enough ventilated to allow adequate passive cooling. The hanger bracket intended to support the ATX supply was repurposed to hold the Belkin power adapter and the ATX PSU shaped opening left in the rear of the case filled with a spare piece of plastic card.
The build used an Intel-branded 4-port T-100 NIC. This worked perfectly and OPNSense is able to use its hardware offload capabilities.
And now, the caveats:
OPNSense requires a minimum of 1GB of available RAM in order to install. It will not install successfully on systems with 1GB of RAM installed as not all of that RAM will actually be available to OPNSense.
The C7 CPU is a 32-bit single-core, single-threaded processor. It copes with the relatively light domestic traffic, with load averages typically around 1.1, but it probably wouldn’t hack heavier traffic. There is a VB7009 variant with the more powerful 64-bit, but still fan-less, Eden X4 CPU which probably would.
With the four-port network card in the PCI slot the two ethernet ports built into the mainboard were not visible to OPNSense until the PCI configuration in the BIOS was switched from ‘auto’ to ‘manual’.
A four-port T100 network card can exceed the bandwidth of a 32-bit PCI slot. This isn't much of a problem for a domestic router connected to a broadband uplink but for more demanding situations a PCIe NIC card and bus would be a much better choice.
I tried a couple of four-port NICs, a D-Link and a no-name unit, but both showed the same odd behaviour: the ports were identified and could be configured but all of them used the firewall settings from the first configured interface. (The same problem showed up with other firewall distros such as IPFire.) The only way I could find to avoid this was to use an Intel NIC. Presumably any NIC that uses an Intel chipset would work, not just an Intel branded one, but other chipsets seem unlikely to work.
I happened to have one in the spares box but it turns out that while cheap generic 32-bit PCI four-port NICs can be found online those with an Intel chipset are hard to find at any price. Basically, they were superseded by 64-bit PCI cards that did not suffer from the bandwidth limitations, and in turn by PCIe cards. (Intel-based 32-bit dual-port PCI NICs don't hit the bandwidth limit and are fairly common.)
A 64-bit PCI card can be used in a 32-bit PCI slot provided that there is clearance behind the slot for the unused additional connector pins. The VB7009 has this but it uses a 5v PCI bus and all of the Intel-based 64-bit PCI NICs I've been able to find are built for the electrically incompatible 3.5v PCI bus standard.
To conclude: OPNSense works on a VB7009 but the paucity of suitable quad-port NICs limits it to situations in which a maximum of four ports is required (2 on the board plus a dual-port NIC). Similarly, it's limited to relatively low-traffic deployments. For situations requiring a quad NIC and/or high traffic a better mini-ITX option would be the VIA EPIA-M920 (https://www.viatech.com/en/boards/mini-itx/epia-m920/). The M920 costs about twice as much as the VB7009 but has a PCIe bus - making suitable NICs easier to find - and supports fan-less Eden CPUs - allowing it to handle heavier traffic. In all cases, and regardless of the number of ports, use a NIC with an Intel chipset to avoid a lot of aggravation.