Considering a OPNsense setup

[JoK]

Hi

I have spend a lot of time finding the right hardware for my, soon to come, OPNsense router/firewall.
Any words about this one https://www.thomas-krenn.com/en/products/application/opnsense-firewalls/les-compact-4l.html

Its almost perfect I think, except the price is a little steep, small, no fans, low power, support AES-NI for future VPN and Intel chipset and NIC's

What can i expect from ordenary use with this and Opnsense Vs my Cisco RV-340? I'm thinking performance/speed and stability?

I really don't trust these factory routers and there proprietary firmware, and specially not Cisco after been reading about backdoors in there routers.

Thanks

I would like to have a router that I can trust, and I think I'll get a lot closer to that with Opnsense

[mr.sarge]

Hi!

I'am also interested for this hardware version but not sure if it has enough power for 100/100Mbit WAN with security features enabled.

best regards,

Sarge

[JoK]

Anyone?

The only thing I'll use it for, is ordinary router use by 10-15 clients, but I'll like to use the IDS/IPS if its possible and its not cripple my gigabit line, is this plausible?

[rungekutta]

In that series, and with the performance requirements for gigabit and ids I would probably have looked at this model instead: https://www.thomas-krenn.com/en/products/application/opnsense-firewalls/les-network-plus-opnsense.html

Or alternatively a Qotom Q355G4, can be found cheaper

Or alternatively a custom build around for example a Asus P10S-I mini itx board. You’d have to add a dual or quad Ethernet card (PCI).
https://www.asus.com/Commercial-Servers-Workstations/P10S-I/

[rungekutta]

(sorry, regarding gigabit and ids, I must have mixed up the threads. ;-) anyway, take the advise for what it is - if you want more performance, look at those other options, and Qotom is likely to give you the best bang for the buck depending on where you live and whether you can order them direct from AliExpress or not... I’m using an i5 mode with great success for my gigabit wan.)

[mimugmail]

Compact 4L will achieve GB without IDS. I had a test sample here and also hosted a webinar with it. As it has 4 cores it should also fit for AV scanning for up to 15 users.

[JoK]

Thanks guys, so I will benefit in full from my gigabit line without IPS but with IDS?

Its not an option to get a Qotom, I cant buy them here in Denmark, I guess AliExpres og similar sites is the only way, and that makes them expensive with fees, customs and sh't

I really like this one, looks like its good quality

[mimugmail]

I didnt benchmark with IDS and already returned the sample, osorry. But as it have the i210 NIC I dont have any concerns

[JoK]

Yeah, as I can understand from this forum, intel NIC's is the way to go :-)

There isn't a lot of user experiences with this box, so your posts is really appreciated 

[rungekutta]

For what it's worth, I'm running on an i5-5250U and Intel NICs and get about 600-700MBit with Suricata and some rules enabled. Easily saturate gigabit without Suricata.

I wouldn't have gone below i5 with gigabit wan. Next machine is going to be beefier to ensure some headroom, likely Xeon. Probably still possible to keep it quiet, with careful selection of chassis and coolers.

[JoK]

Thanks, but if I cant expect to get full gigabit with the setup you got, I wouldn't want to go with suricata or anyting else "heavy"

Damn, I get full giga with my Cisco RV-340 and that is like a 900mhz sh*t CPU and 1 gig RAM

[rungekutta]

I like the idea of it (Suricata), although must confess I don’t think I’ve ever caught anything with it ;-) (lots of false positives though)

Just another point worth considering too.. to whatever extent you plan to run services on the box beyond vanilla routing and firewall, like caching & filtering web proxy (squid), dns, vpn (site-to-site, outbound or road warrior) etc - it’s nice to have them sharp & snappy. I’m kind of used to it from back home and don’t think about it but can often tell the difference when I’m on other networks.

[mimugmail]

Most of the rules are kinda useless when you have a private home net and not serving any services to outside

[JoK]

I like the idea of it (Suricata), although must confess I don’t think I’ve ever caught anything with it ;-) (lots of false positives though)

Just another point worth considering too.. to whatever extent you plan to run services on the box beyond vanilla routing and firewall, like caching & filtering web proxy (squid), dns, vpn (site-to-site, outbound or road warrior) etc - it’s nice to have them sharp & snappy. I’m kind of used to it from back home and don’t think about it but can often tell the difference when I’m on other networks.

How do you experience the "speed" or responstime in daily use, I'm thinking websurf, compared to standard routers?

[rungekutta]

Well I guess it’s hard to know what’s what in the whole chain of ISP, router and network including WiFi.. so maybe I’m reading too much into it. But with the combination of an ISP well-known for reliability and speed, gigabit fiber, opnsense on i5 and then WiFi on Ubiquiti access points it’s more the *absense* of any sort of discernible lag or uneven performance, ever, unless it is evidently at the other end (e.g. Apple iCloud...). And that includes most of the family computers that accesses the web through Squid on opnsense so that I can filter content (using one of those public lists) to block some of the really bad stuff. Opnsense also running its own caching nameserver, dhcp and ntp.

I frequently find on other networks that performance is much more uneven or even categorically slower even if on paper it should be the same of faster.

But as mentioned, never easy to know what is what... but I like headroom. ;-)