Disk size for transparent proxy

[patrick3000]

I have OPNsense set up on a home network which is used by both me and my spouse for working from home and also for our phones, television, etc.

I am going to create a transparent proxy, initially on only one vlan that contains my Linux laptops and Truenas servers, and possibly on the other vlans at a later point in time. The purpose of the transparent proxy will be so that I can install Zenarmor and ClamAV.

My question is about disk sizing. I have OPNsense installed in a VM running on Truenas SCALE that, similar to Proxmox, uses KVM. I currently have it on a virtual disk that's only 40GB. Presumably, I will need more than that for a transparent proxy, since there will be a bunch of logging involved.

Does anyone know what size I should expand the OPNsense virtual disk to? Would 120GB be enough? I also realize that I'll need to allocate more memory, as I currently only have 8 GB memory allocated, but I have plenty more I can allocate and will probably eventually bump it to 16 GB. It's resizing the disk that's a bit more of a hassle, so I'd like to figure out in advance how large a disk I will need.

[franco]

Although the values are a bit out of date I think you should aim for the "recommended" size/cpu here:

https://docs.opnsense.org/manual/hardware.html#hardware-requirements

1.5 GHz multi core cpu
8 GB RAM
120 GB SSD

You could always sidestep logging by not logging locally and sending your logs elsewhere (where enough storage space exists).


Cheers,
Franco

[patrick3000]

Thanks! That's helpful.

[CJ]

Are you planning on doing SSL interception with your proxy?  I can't imagine you'll be able to easily install a CA on a lot of your devices, and unless you're self employed, I would assume your employers would take issue with it.

With the majority of the internet moved to HTTPS, I'm not sure there's much benefit to transparent proxies anymore.

[patrick3000]

CJ,

I tentatively plan to include an SSL proxy server and install CAs on each client device, at least on the one vlan that only has five Linux PCs (real and virtual), two Windows PCs (real and virtual), and a couple of Truenas servers that don't access the Internet and likely wouldn't need CAs.

The other vlans have my spouse's laptop, phones, TV, thermostat, etc., and I do not currently plan to set up a transparent proxy on those vlans.

However, I'm debating whether it's worth it. As you say, SSL has pretty much taken over, and I'd need a bunch of pass-throughs, so I'm on the fence.

[CJ]

IMO it's more trouble than it's worth.  Additionally, it prevents you from being able to inspect certificates in your browser.

DNS blocking with good lists will go a good way towards securing things.  As well limiting the connectivity of the IoT devices, etc.  Although everyone using AWS for their backend makes it more difficult.  However, you can use ASIN aliases to limit it at least a bit.