Looking for guidelines to help choose the optimal hardware for opnsense?

Started by shade_ch, September 19, 2023, 03:36:04 PM

Hi,

I'm looking for an opnsense hardware selection tool / guidelines to help choose the right hardware (especially optimal CPU and RAM to avoid wasting resources and money). I would like it to take as inputs criteria such as:


  • ISP link speed (up/down)
  • # firewall rules
  • # of IP addresses in aliases
  • NAT usage
  • IDS usage
  • IPS usage
  • VPN usage
  • VPN type
  • # VPN connections
  • exclusive usage for opnsense or not (for instance proxmox)
  • traffic shaping
  • ...

In my case, I have the following context:


  • ISP link speed (up/down): asymmetric 300/10
  • # firewall rules: 17 + 8 floating
  • # of IP addresses in rules aliases: ~7k IPs (checked by two aliases used by two floating rules)
  • NAT usage: 7 port forward rules + automatic outbound NAT
  • IDS usage: yes
  • IPS usage: yes on 4 interfaces
  • VPN usage: yes
  • VPN type: openvpn
  • # VPN connections: max 4 simultaneous
  • exclusive usage for opnsense or not (for instance proxmox): exclusive for opnsense
  • traffic shaping: yes, upload / download limiters with CoDel Flow-Queue

Opnsense is currently running on a N5105 with 16GB RAM. Currently <25% RAM is used and most of the time CPU usage is below 20%... and the device acts as a heater... Would there be a more efficient solution in my context?

Thanks in advance for your help

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The IDS and IPS will be the main consumers there, I wouldn't go below N5105 and investing in a N100-N300 would be overkill as well.


Quote from: shade_ch on September 19, 2023, 04:52:05 PM
Quote from: Patrick M. Hausen on September 19, 2023, 03:59:01 PM
I recommend looking here:
https://shop.opnsense.com/product-categorie/hardware-appliances/

Why and how does it answer my question?
All of the systems listed come with full specs, so you can pick the one matching your interface and performance needs. And they are highly recommended for running OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 19, 2023, 06:51:49 PM
All of the systems listed come with full specs, so you can pick the one matching your interface and performance needs. And they are highly recommended for running OPNsense.

Ok, but the question was:

Quote
I'm looking for opnsense hardware selection tool / guidelines to help choosing the right hardware (especially optimal CPU and RAM to avoid wasting resources and money).

To answer your suggestion to buy one of the official hardware sold by Deciso, sorry to say that, but they are so expensive that I could run another manufacturer's device for years before I get a ROI with one of Deciso's hardware. I am willing to support a product/project but not at that cost. Not saying that I have an issue paying so much for a device when the sales team does not even bother to answer my emails (but this is another story, maybe I'm the only one having this issue)

Quote from: shade_ch on September 19, 2023, 03:36:04 PM
Opnsense is currently running on a N5105 with 16GB RAM. Currently <25% RAM is used and most of the time CPU usage is below 20%... and the device acts as a heater... Would there be a more efficient solution in my context?

What exactly are you trying to remedy?  It seems that your N5105 is performing all the tasks you specified, and is not overtaxed.  If your goal is to use less power, you will likely find that the current sweet spot for power/performance is the N5105.  The older and newer CPUs both tend to use a bit more wattage, which you will especially see if you move down one generation (as the CPU will be working harder and on an older technology node).

You may want to see if tweaking your P-State values may help power usage.  Some systems, out of the box, don't clock down as low as they could.  Your savings with this would still be minimal, and dependent on how much traffic is going through your firewall.

If it is the heat that's bothering you (and I may be incorrectly assuming you are using one of the Chinese 4 port appliances, as I run), that's just a function of a fanless system.  Without a fan, it takes more time for heat to slowly dissipate.  If you are okay with using another watt or two, there are USB fans with speed control available.  I put one which just sits on top of the case heatsink, and keeps my temps between 32-38C.

Quote from: shade_ch on September 19, 2023, 07:28:25 PM
To answer your suggestion to buy one of the official hardware sold by Deciso, sorry to say that, but they are so expensive that I could run another manufacturer's device for years before I get a ROI with one of Deciso's hardware. I am willing to support a product/project but not at that cost.
We seem to have a different perception of "expensive". I think they are well worth the price given what you get. My company runs 6 of them currently and all my customers migrating from Sidewinder found ~ 1500€ for a rack mount appliance with decent performance and no software/maintenance cost an absolute no-brainer.

Our 600 series model runs on less than 20 W power and drives a gigabit fiber line with PPPoE without a hitch. Energy is expensive these days.

You do you, I generally recommend buying Deciso. At home I run a Supermicro Atom based server board with IPMI, ECC memory etc. You probably will not like the price tag of that, either. For me it is worth the cost to have all systems in my home lab come with solid IPMI and ECC.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I use a Sophos SG230v2: https://www.enterpriseav.com/SG-230.asp

Likely overkill, but you can't swing a dead cat on eBay without hitting one.
V/r,
John

Quote from: Patrick M. Hausen on September 19, 2023, 08:43:57 PM
Quote from: shade_ch on September 19, 2023, 07:28:25 PM
To answer your suggestion to buy one of the official hardware sold by Deciso, sorry to say that, but they are so expensive that I could run another manufacturer's device for years before I get a ROI with one of Deciso's hardware. I am willing to support a product/project but not at that cost.
We seem to have a different perception of "expensive". I think they are well worth the price given what you get. My company runs 6 of them currently and all my customers migrating from Sidewinder found ~ 1500€ for a rack mount appliance with decent performance and no software/maintenance cost an absolute no-brainer.

Our 600 series model runs on less than 20 W power and drives a gigabit fiber line with PPPoE without a hitch. Energy is expensive these days.

You do you, I generally recommend buying Deciso. At home I run a Supermicro Atom based server board with IPMI, ECC memory etc. You probably will not like the price tag of that, either. For me it is worth the cost to have all systems in my home lab come with solid IPMI and ECC.

The goal of my question was to have a way to select the hardware which will best cover one's requirements, while consuming as little electricity as possible and not costing a kidney. The information on the opnsense website is not precise enough to achieve this.

You're suggesting Deciso's products but this does not answer my question as I was looking for a tool/process/methodology. But ok even if it's off-topic, let's talk about it and their DEC695 to be more precise (I chose this one because it's one of their cheapest devices, it's a 600 series you own, and it has enough memory to run IPS).

As of today, the price tag of the DEC 695 is around 750 CHF after VAT and import taxes to Switzerland. Compared to the N5105 device with i226v NICs that I own and which I paid less than 150 CHF (all included), the DEC695 has a CPU (GX-420MC) which is at most half as powerful (in fact the N5105 is 130% more powerful, and the GX-420MC runs at 1.6GHz instead of 2GHz for power efficiency reasons so it should be closer to 150% more powerful), 75% more power hungry, and the DEC695 has slower NICs and is 5 times more expensive. Maybe you run them at work and they cover your requirements, and you consider the device "worth" its price, that's great and I'm happy for you. But for me, yes this device is neat and nicely packaged, I love its orange color and it would look great on my rack's shelf at home, but I definitely don't see the "worth it" aspect of the product.

And I agree when you say that electricity cost is important. But it must be put in perspective of the cost of the device, so we need to do some calculation. The way the DEC 695 device is optimized, it may be using 5W less at full load than my N5105 solution. However, as the DEC695 costs 600 CHF more, I would need to run it 24/7 for more than 40 years to start saving money compared to my N5105 device... Here again I don't see the "worth it" aspect of this choice.

What's remaining is the "risk" taken when buying products from abroad (but Deciso is also abroad), the contact with the seller (which was non-existent in my case) and the will to support Deciso's work on Opnsense. The only valid argument for me could be the last one... if I could afford it.

That being said, I agree: it "seems that we do not have the same perception of expensive". :-)

P.S. you're stating a bit hastily that I "would not like" the price tag of your Supermicro server: I run a X12SCZ-TLN4F-O based server and I ordered a SYS-510D-4C-FN6P server a week ago. Trying to optimize the way I spend money does not mean that I refuse to spend money when it's needed, it just means that I try to save money where I can in order to spend more when I need to.

shade_ch, I too looked into 'ideal' sizing. For practical purposes there are too many variables to make this conveniently formulaic. With your criteria and results with the 5105 you have done well, whereas my first effort was overkill. As advised earlier, passively cooled x86 devices (and I have several) will by their nature feel uncomfortably hot while functioning exactly as they should. Internal fan-cooling conceals the same level of heat dissipation, making such devices seem cooler yet they are no more efficient. I do not see that you have a current problem with sizing or heat.

If the heat itself really bothers you, try AC Infinity or the like. I use a six-stage thermostatically controlled USB fan which keeps my 5105-similar device very comfortable inside a cupboard in an unconditioned room through Australian Summers; has rarely even reached stage three. Other than that need I prefer passive heatsinking, for its silence and lack of tendency to move dust into the system.
Deciso DEC697
+crowdsec +wireguard

Quote from: shade_ch on September 19, 2023, 11:17:10 PM
As of today, the price tag of the DEC 695 is around 750 CHF after VAT and import taxes to Switzerland. Compared to the N5105 device with i226v NICs that I own and which I paid less than 150 CHF (all included)
That's what I would call "dirt cheap"  ;) Care to share a link, please?

BTW: Deciso is located in the Netherlands, so for EU customers all great, for Switzerland it should be similarly so - I am not familiar with import/export regulations for your country, but you are relatively closely associated with the EU.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 20, 2023, 10:26:32 AM
Quote from: shade_ch on September 19, 2023, 11:17:10 PM
As of today, the price tag of the DEC 695 is around 750 CHF after VAT and import taxes to Switzerland. Compared to the N5105 device with i226v NICs that I own and which I paid less than 150 CHF (all included)
That's what I would call "dirt cheap"  ;) Care to share a link, please?

For the DEC695: https://shop.opnsense.com/product/dec695-opnsense-desktop-security-appliance/
Product price: 649€ == 623 CHF
Shipping: free
Custom fees: 3% of "product price + 15CHF" + 15 CHF == 34 CHF
VAT: 7.7% of "product price + custom fees" == 51 CHF
So I made a mistake, it's 708 CHF, not 750 CHF.

For the N5105: https://vi.aliexpress.com/item/1005004880536701.html
I paid for it 140.47 CHF including shipping and custom fees during a promo in March. As I had a spare m.2 ssd and memory from a dead laptop, I could order the device with no RAM and no SSD.


Quote from: shade_ch on September 19, 2023, 03:36:04 PM
I'm looking for opnsense hardware selection tool / guidelines to help choosing the right hardware (especially optimal CPU and RAM to avoid wasting resources and money).

I am curious why there isn't more discussion of what I would label middle-ground options that lie somewhere between Deciso and Supermicro on the one hand and stuff you can buy on AliExpress on the other hand. They would seem to offer a better balance of price/performance/quality. Less pricey than the former but much better manufacturing quality control than the stuff being sold on AliExpress and, presumably, also better support. I am thinking of gear from Taiwanese companies like AAEON, Jetway, Up Systems (all affiliated in some way with Asus), GigaIPC (Gigabyte) and Lanner. The latter's hardware is often sold for network firewalls under other labels. Most of these companies are selling boxes with Elkhart Lake CPUs which have roughly equivalent performance to the N5105 mentioned above as well as having similar power and thermal properties and Intel LAN ports.

A couple of examples: J6412, 4 Intel LAN ports, around $370 (~330CHF). Add your own memory and storage.
https://www.jetwayipc.com/products/hbfdf13-6412-b-series/
https://www.aaeon.com/en/p/desktop-network-appliance-atom-x6000e-fws-2280

Quote from: qarkhs on September 20, 2023, 07:31:59 PM
I am curious why there isn't more discussion of what I would label middle-ground options that lie somewhere between Deciso and Supermicro on the one hand and stuff you can buy on AliExpress on the other hand. They would seem to offer a better balance of price/performance/quality. Less pricey than the former but much better manufacturing quality control than the stuff being sold on AliExpress and, presumably, also better support. I am thinking of gear from Taiwanese companies like AAEON, Jetway, Up Systems (all affiliated in some way with Asus), GigaIPC (Gigabyte) and Lanner.

Well the initial question was to help me "select the right hardware based on requirements", but yes as a next step, I agree with you. I already had a look at the brands you listed as well as at Lanner and other brands too. The problem is their availability, factory lead times (for instance there is a 27 week factory lead time on one product I'm interested in), shipping costs and "how to make sure that it will work as expected" as nobody seems to have tried before to run opnsense on it (and who wants to be a "guinea pig"?)